Chapter Overview
Jan 30, 2016
1
Chapter Overview
Understanding Group Policies
Implementing Group Policies
Using Security Policies
Troubleshooting Group Policy Problems
2
Understanding Group Policies
Before attempting to implement group policies, you need to be familiar with concepts that affect group policy operations:
Definition of group policies
How to use the Group Policy snap-in
Group policy settings
How group policy affects startup and logon
How group policy settings are processed
How security settings can be used to filter group policy
3
What Are Group Policies?
Group policies are collections of user and computer configuration settings that you can link to computers, sites, domains, and organizational units (OUs) to specify the behavior of users' desktops.
To create a specific desktop configuration for a group of users, you create group policy objects (GPOs), which are collections of group policy settings.
GPOs can be local or nonlocal. One local GPO is always stored on each computer running Microsoft Windows 2000. Nonlocal GPOs are linked to Active Directory objects (sites, domains, and OUs), and can be applied to either users or computers.
4
Using the Group Policy Snap-In
Use the Group Policy snap-in to create, modify, and manage GPOs. There are two primary methods to open Group Policy:
Create a new Microsoft Management Console (MMC) console and select Group Policy as a stand-alone snap-in.
Select an object in an Active Directory management console, and access Group Policy as an extension snap-in.
5
The Group Policy Snap-In
6
Opening the Local Group Policy Snap-In
The local group policies are those stored on each Windows 2000 computer.
To open the Group Policy snap-in with a focus on local group policies:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Select Local Computer in the Select Group Policy Object dialog box.
7
The Add Standalone Snap-In Dialog Box
8
The Select Group Policy Object Dialog Box
9
Opening the Group Policy Snap-In for Another Computer
You can open the local GPO for another computer on the network if you have administrative rights to that computer.
To open the Group Policy snap-in for another computer:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Browse and select another computer in the Select Group Policy Object dialog box.
10
Opening the Group Policy Snap-In from Active Directory Users And Computers
To access the Group Policy snap-in by using Active Directory Users And Computers:
1. Open Active Directory Users And Computers.
2. In the console tree, right-click the domain or OU you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.
11
Opening the Group Policy Snap-In from Active Directory Sites And Services
To access the Group Policy snap-in by using Active Directory Sites And Services:
1. Open Active Directory Sites And Services.
2. In the console tree, right-click the site you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.
12
Group Policy Settings
Group policy settings define the desktop environments for network users. Group policy settings are contained in a GPO. There are two types of group policy settings:
Use computer configuration settings to set group policies for computers, regardless of who logs on to them.
Use user configuration settings to set group policies that apply to specific users, regardless of which computer the user logs on to.
13
Software Settings Folder
In both Computer Configuration and User Configuration, the Software Settings folder contains only Software Installation settings, by default.
Use Software Installation settings to specify how applications are installed and maintained.
Applications can be managed in one of two modes: Assigned or Published.
14
Software Settings Folder (Cont.)
15
Windows Settings Folder
In both the Computer Configuration and User Configuration folders, the Windows Settings folder contains two items: Scripts and Security Settings.
Use Scripts to specify startup/shutdown scripts (for computers) and logon/logoff scripts (for users).
Use Security Settings to manually configure the security levels assigned to a GPO.
16
Windows Settings Folder (Cont.)
17
Windows Settings—User Configuration
For only the User Configuration folder, Windows Settings also contains:
Internet Explorer Maintenance: lets you administer and customize Microsoft Internet Explorer
Remote Installation Services: controls the behavior of remote operating system installations
Folder Redirection: lets you redirect Windows 2000 special folders to an alternate location
18
Administrative Templates Folder
For both Computer Configuration and User Configuration, the Administrative Templates folder contains all registry-based group policy settings, including settings for:
Windows Components
System
Network
19
Administrative Templates Folder (Cont.)
20
Administrative Templates Policy Settings
More than 450 policy settings are available for configuring the user environment.
In the registry:
Computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM)
User configurations are saved in HKEY_CURRENT_USER (HKCU)
21
How Group Policy Affects Startup and Logon
The sequence for Computer Configuration and User Configuration settings when a computer starts and a user logs on is as follows:
1. The network starts.
2. The computer obtains an ordered list of GPOs.
3. The system processes the Computer Configuration settings.
4. Startup scripts run.
5. The user presses CTRL+ALT+DELETE to log on.
22
How Group Policy Affects Startup and Logon (Cont.)
6. After the user is authenticated, the computer loads the user profile.
7. The computer obtains an ordered list of GPOs for the user.
8. The system processes the User Configuration settings.
9. The computer runs the logon scripts.
10. The operating system interface prescribed by group policies appears.
23
How Group Policy Is Processed
Group policy settings are processed in the following order:
1. Local GPO
2. Site GPOs
3. Domain GPOs
4. OU GPOs
The GPO that is processed last overrides conflicting settings in all other GPOs that were processed earlier.
24
Group Policy Processing Order
25
Exceptions to the Default Processing Order
Workgroup Membership: a computer that is a member of a workgroup processes only the local GPO.
No Override: any GPO linked to a site, domain, or OU can be set so that none of its policy settings can be overridden.
Block Policy Inheritance: at any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, No Override settings cannot be blocked.
Loopback: used to circumvent the normal order that GPOs are applied in.
26
Loopback Modes
Loopback can be set to Merge or Replace mode.
Replace: the GPO list for the user is replaced by the GPO list obtained for the computer at startup.
Merge: the GPO list obtained for the computer at startup is appended to the GPO list obtained for the user at logon.
27
Group Policy Inheritance
Group policies are typically passed down from parent to child containers in the Active Directory service. However, if you specify a group policy for a child container, the child container's group policy settings override any conflicting settings inherited from the parent container.
If a parent OU has policy settings that are not configured, the child OU does not inherit them.
Policy settings that are disabled are inherited as disabled.
If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied.
If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU, the child does not inherit the policy setting from the parent—instead, the setting for the child is applied.
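The processing order, the No Override and Block Policy Inheritance exceptions, the loopback modes, and the inheritance rules above can be checked on a concrete configuration. The model below is an added example written for this page; it is not code from the slides or from Microsoft. The container and GPO names and the settings are constructed, and the tie-break between several No Override links (the one nearest the root wins, so it is applied last) is taken from later Group Policy documentation rather than from these slides.

```python
# Added example (not from the original slides): a small model of Windows 2000
# GPO processing order and its exceptions. All names and settings are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    # Only configured settings are listed; a "Not configured" setting is absent,
    # so it never overrides an earlier GPO (the inheritance rule on the slide).
    settings: Dict[str, str]
    no_override: bool = False   # the No Override option on the GPO link


@dataclass
class Container:
    name: str
    # Links as listed in the Group Policy tab: the top entry has the highest
    # priority, i.e. it is processed last (Up/Down in the tab reorder this).
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def ordered_gpo_list(local: GPO, chain: List[Container]) -> List[GPO]:
    """Return GPOs in processing order: local, then site, domain and OUs root-first.
    A later GPO wins on conflict. No Override links are applied after all normal
    links and cannot be blocked; Block Policy Inheritance discards the normal
    links of every container above the one that sets it."""
    deepest_block = None
    for depth, c in enumerate(chain):
        if c.block_inheritance:
            deepest_block = depth
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for depth, c in enumerate(chain):
        for gpo in reversed(c.links):            # bottom of the tab list first
            if gpo.no_override:
                enforced.append(gpo)
            elif deepest_block is None or depth >= deepest_block:
                normal.append(gpo)
    # Assumption (not on the slides): among No Override links, the one closest
    # to the root wins, so it is applied last.
    return [local] + normal + list(reversed(enforced))


def resolve(gpos: List[GPO]) -> Dict[str, Tuple[str, str]]:
    """Apply GPOs in order; returns setting -> (value, name of the winning GPO)."""
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in gpos:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


def loopback(user_list: List[GPO], computer_list: List[GPO], mode: str) -> List[GPO]:
    """Loopback as described on the slides: Replace drops the user's list;
    Merge appends the computer's list, so the computer's settings win on conflict."""
    if mode == "Replace":
        return list(computer_list)
    if mode == "Merge":
        return list(user_list) + list(computer_list)
    raise ValueError(f"unknown loopback mode {mode!r}")


# Constructed sample: one site, one domain, and a Sales OU that blocks inheritance.
LOCAL = GPO("Local GPO", {"Wallpaper": "local.bmp", "RunOnlyAllowedApps": "Disabled"})
SITE = Container("HQ-Site", [GPO("Site-Proxy", {"ProxyServer": "proxy.example.com"})])
DOMAIN = Container("example.com", [
    GPO("Domain-Security", {"RunOnlyAllowedApps": "Enabled"}, no_override=True),  # top of list
    GPO("Domain-Desktop", {"Wallpaper": "corp.bmp"}),
])
SALES = Container("Sales OU",
                  [GPO("Sales-Desktop", {"Wallpaper": "sales.bmp", "RunOnlyAllowedApps": "Disabled"})],
                  block_inheritance=True)


def effective_for(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    return resolve(ordered_gpo_list(LOCAL, chain))


if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_for([SITE, DOMAIN, SALES]).items()):
        print(f"{setting:20} = {value:12} (from {source})")
```

Running it shows that the Sales OU's Block Policy Inheritance removes the site proxy setting and the domain wallpaper, but the No Override domain GPO still wins RunOnlyAllowedApps over the OU's own Disabled value.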
28
Using Security Groups to Filter Group Policy
Because you can link more than one GPO to a site, domain, or OU, you might need to link GPOs associated with other directory objects.
By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.
29
Lesson Summary
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
The Group Policy snap-in is used to manage group policies.
Windows 2000 applies GPOs in this order: local GPO, site GPOs, domain GPOs, and OU GPOs.
By default, Active Directory objects inherit group policy settings from parent containers.
30
Implementing Group Policies
You may have to modify the group policies in place on a network or create new GPOs.
31
Tasks for Implementing Group Policies
You may need to perform numerous tasks to implement group policies. A few of these tasks are:
Creating a GPO
Delegating administrative control of a GPO
Specifying group policy settings for a GPO
Indicating GPO processing exceptions
32
Creating a GPO
The first step in implementing a group policy is creating a GPO.
You also need to determine the type of Active Directory object you want to create a GPO for.
33
Creating a GPO (Cont.)
To create a GPO:
1. For a GPO linked to a domain or an OU, open Active Directory Users And Computers, or for a GPO linked to a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU object you want to create a GPO for, and then select Properties.
3. Click the Group Policy tab.
4. Click New and type the name you want to assign to the GPO. By default, the new GPO is linked to the site, domain, or OU that you selected, and the GPO settings apply to that site, domain, or OU.
5. Click Close.
34
The Group Policy Tab
35
Creating a GPO Console
After you create a GPO, you can create a custom MMC console containing the Group Policy snap-in and focused on that particular GPO.
To create a GPO console:
1. Start a new MMC console, and then add the Group Policy stand-alone snap-in to it.
2. In the Select Group Policy Object dialog box, browse and select the GPO on which you want to focus.
36
Default GPO Permissions
Security Group              Default Permissions
Authenticated Users         Read, Apply Group Policy, Special Permissions
Creator Owner               Special Permissions
Domain Administrators       Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators   Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
SYSTEM                      Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
37
Delegating Administrative Control of a GPO
To delegate administrative control of a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab.
4. Select a group and configure permissions to either allow or deny administrative access to the GPO. (Repeat this step as necessary.)
5. Click OK.
38
The Security Tab of a GPO Properties Dialog Box
39
Specifying Group Policy Settings for a GPO
To specify group policy settings:
1. Open the Group Policy snap-in for the GPO.
2. Expand the console tree until the policy you want to set appears in the details pane.
3. In the details pane, double-click the policy you want to set.
4. In the policy's Properties dialog box, select Enabled to apply the policy, and then click OK.
40
Expanding the Console Tree to View Policies
41
The Properties Dialog Box for a Typical Policy
42
Disabling Unused Group Policy Settings
If all Computer Configuration or User Configuration policies for a GPO are unconfigured and unused, you can disable them to speed up the startup and logon processes for computers affected by the GPO.
43
Disabling Unused Group Policy Settings (Cont.)
To disable all Computer Configuration or User Configuration policies for a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and select Properties to display the Properties dialog box.
3. In the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box.
4. Click OK.
44
The General Tab in a GPO Properties Dialog Box
45
Indicating GPO Processing Exceptions
You can change the default GPO processing order by:
Modifying the order of GPOs for an object
Specifying the Block Policy Inheritance option
Specifying the No Override option
Enabling the Loopback setting
46
Modifying the GPO Processing Order
To modify the GPO processing order:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links list, select a GPO and click Up or Down to change its place in the processing sequence.
47
Modifying the GPO Processing Order (Cont.)
48
Blocking Policy Inheritance
To block policy inheritance:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the Block Policy Inheritance check box. (You cannot block GPOs that use the No Override option.)
5. Click OK.
49
Using the No Override Option
To use the No Override option:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the GPO you want to modify, and then click Options.
5. In the Options dialog box, select the No Override check box.
6. Click OK.
50
The Options Dialog Box for a GPO
51
Enabling the Loopback Setting
To enable the Loopback setting:
1. Open the Group Policy snap-in for the GPO.
2. In the console tree, expand Computer Configuration until the Group Policy folder is visible.
3. In the details pane, double-click User Group Policy Loopback Processing Mode.
4. Select Enabled.
5. Select one of the following modes from the Mode list:
Replace: replaces the GPO list for the user with the GPO list already obtained for the computer at startup
Merge: appends the GPO list obtained for the user at logon to the GPO list already obtained for the computer at startup
6. Click OK.
52
The Loopback Processing Mode Properties Dialog Box
53
Filtering GPO Scope
Policies in a GPO apply only to users with the Read permission for that GPO.
To filter the scope of a GPO, you can create security groups and then assign the Read permission to the selected groups.
This prevents a policy from applying to a specific group by denying that group the Read permission to the GPO.
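How a permission filter decides whether a GPO applies to a given user or computer can be shown with a short evaluation routine. This is an added example, not code from the slides or from Windows; the group names and the access entries are constructed. It checks for both Read and Apply Group Policy, the pair the Default GPO Permissions table earlier in the chapter grants to Authenticated Users, and it lets an explicit Deny entry win over any Allow, which is how Windows evaluates access control entries.

```python
# Added example (not from the original slides): deciding whether a GPO is in
# scope for a principal from the GPO's access entries and the principal's groups.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Ace:
    group: str
    permissions: FrozenSet[str]
    allow: bool = True          # False = explicit Deny entry


# Both permissions from the Authenticated Users default entry are needed
# for the GPO to be applied to a principal.
REQUIRED = frozenset({"Read", "Apply Group Policy"})


def gpo_applies(acl: List[Ace], member_of: Set[str]) -> bool:
    """True when every required permission is allowed through some group the
    principal belongs to and none of them is denied; Deny beats Allow."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.group not in member_of:
            continue
        (allowed if ace.allow else denied).update(ace.permissions)
    return REQUIRED <= allowed and not (REQUIRED & denied)


# Constructed ACL: the default entry, an admin entry that can edit the GPO
# without being targeted by it, and a Deny that filters one group out of scope.
KIOSK_LOCKDOWN_ACL = [
    Ace("Authenticated Users", REQUIRED),
    Ace("Domain Admins", frozenset({"Read", "Write"})),
    Ace("GP-Exempt-Users", REQUIRED, allow=False),
]


def who_gets_policy(acl: List[Ace], principals: Dict[str, Set[str]]) -> List[str]:
    """Names of the principals (name -> group memberships) the GPO applies to."""
    return sorted(name for name, groups in principals.items() if gpo_applies(acl, groups))


if __name__ == "__main__":
    people = {
        "alice": {"Authenticated Users", "Sales"},
        "bob": {"Authenticated Users", "GP-Exempt-Users"},   # denied through the exempt group
        "carol": {"Authenticated Users", "Domain Admins"},   # still in scope via Authenticated Users
    }
    print(who_gets_policy(KIOSK_LOCKDOWN_ACL, people))
```

Note that membership in Domain Admins does not remove carol from scope: the Authenticated Users entry still grants both permissions, which is why an explicit Deny, not the absence of an Allow, is what filters a group out.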
54
Filtering GPO Scope (Cont.)
To filter the GPO scope:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab, and then select the security group that you want to filter this GPO through.
4. Set permissions for the group, and then click OK.
55
Linking a GPO to a Site, Domain, or OU
By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.
You can use the Group Policy tab in the Properties dialog box of the site, domain, or OU to link a GPO to additional sites, domains, or OUs.
56
The Add A Group Policy Object Link Dialog Box
57
Removing a GPO Link
To remove a GPO link:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be unlinked from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to unlink, and then click Delete.
4. In the Delete dialog box, select Remove The Link From The List, and then click OK.
5. Click Close.
58
Deleting a GPO
To delete a GPO:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be deleted from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to delete, and then click Delete.
4. In the Delete dialog box, select Remove The Link And Delete The Group Policy Object Permanently, and then click OK.
5. Click Close.
59
Group Policy Best Practices
Disable unused parts of a GPO.
Use the Block Policy Inheritance and No Override features sparingly.
Minimize the number of GPOs.
Filter policies based on security group membership.
Use the Loopback setting only when necessary.
Avoid cross-domain GPO assignments.
60
Lesson Summary
To implement group policies, you must create a GPO and link it to an Active Directory object, such as a site, domain, or OU.
In the Properties dialog box of a GPO, you can link the GPO to an additional site, domain, or OU; delegate administrative control; disable unused policy settings; and filter the scope.
To set group policies, expand the console tree in the Group Policy snap-in to locate the desired setting, open the Properties dialog box, and then select Enable or Disable.
61
Using Security Policies
One of the primary functions of group policies is to implement security policies that protect network resources from unauthorized access.
Many security-related policies are found in the Security Settings snap-in, which is in the Group Policy snap-in.
62
The Security Settings Item in a GPO
63
Account Policies
Account policies apply to computers, and include:
Password Policy
Account Lockout Policy
Kerberos Policy
Windows 2000 permits only one domain account policy—the account policy applied to the root of a domain. Exception: another account policy can be defined for an OU.
64
Password Policy
Lets you control which passwords users select and how often they must change their passwords.
Password policies include:
Enforce Password History: specifies the number of previous passwords Windows 2000 remembers for each user
Maximum Password Age: specifies the number of days until a password expires
Minimum Password Age: specifies the number of days a user must keep a password before the user can change it
Minimum Password Length: specifies the smallest number of characters a password can contain
Passwords Must Meet Complexity Requirements
Store Passwords Using Reversible Encryption For All Users In The Domain: modifies the encryption algorithm
65
Account Lockout Policy
Locks a user account after a specified number of failed logon attempts.
Account lockout policies include:
Account Lockout Duration: specifies the number of minutes a user account will remain locked
Account Lockout Threshold: specifies the number of failed logon attempts that can occur before lockout
Reset Account Lockout Counter After: specifies the number of minutes before the counter resets to zero
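The Password Policy and Account Lockout Policy values above can be audited outside the snap-in from a security template, which is the INF-style text that Secedit.exe exports. The checker below is an added example written for this page, not code from the slides or from Microsoft; the template text is constructed in that format, the key names are the ones secedit uses in its [System Access] section, and the baseline thresholds are example values chosen here, not a Microsoft recommendation.

```python
# Added example (not from the original slides): parse the [System Access]
# section of a secedit-format security template and compare the Password Policy
# and Account Lockout Policy values against a baseline. Sample and baseline are
# constructed for this example.
from typing import Dict, List

# Constructed template in secedit export format (values a fresh install might show).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template key -> policy name as the Group Policy snap-in shows it.
KEY_TO_POLICY = {
    "PasswordHistorySize": "Enforce Password History",
    "MaximumPasswordAge": "Maximum Password Age",
    "MinimumPasswordAge": "Minimum Password Age",
    "MinimumPasswordLength": "Minimum Password Length",
    "PasswordComplexity": "Passwords Must Meet Complexity Requirements",
    "ClearTextPassword": "Store Passwords Using Reversible Encryption For All Users In The Domain",
    "LockoutDuration": "Account Lockout Duration",
    "LockoutBadCount": "Account Lockout Threshold",
    "ResetLockoutCount": "Reset Account Lockout Counter After",
}

# Example baseline: (comparison, threshold). These are illustrative values.
BASELINE = {
    "PasswordHistorySize": (">=", 6),
    "MaximumPasswordAge": ("<=", 90),
    "MinimumPasswordAge": (">=", 1),
    "MinimumPasswordLength": (">=", 8),
    "PasswordComplexity": ("==", 1),
    "ClearTextPassword": ("==", 0),
    "LockoutBadCount": (">=", 1),      # 0 means accounts never lock out
    "LockoutDuration": (">=", 15),
    "ResetLockoutCount": (">=", 15),
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}


def parse_section(text: str, wanted: str) -> Dict[str, int]:
    """Return the integer Key = Value pairs of one [section] of the template."""
    values: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == wanted and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = int(value.strip())
    return values


def check_account_policy(template: str) -> List[str]:
    """Policy names (as shown in the snap-in) whose value misses the baseline."""
    values = parse_section(template, "System Access")
    findings: List[str] = []
    for key, (op, threshold) in BASELINE.items():
        if key not in values:
            findings.append(f"{KEY_TO_POLICY[key]}: not present in template")
            continue
        actual = values[key]
        if key == "MaximumPasswordAge" and actual == -1:   # -1 = passwords never expire
            actual = float("inf")
        if not OPS[op](actual, threshold):
            findings.append(f"{KEY_TO_POLICY[key]}: {values[key]} (baseline {op} {threshold})")
    return findings


if __name__ == "__main__":
    for finding in check_account_policy(SAMPLE_TEMPLATE):
        print(finding)
```

On the constructed sample the checker flags five policies: password history, minimum age, minimum length, complexity, and the lockout threshold of 0, which is the setting that leaves accounts open to unlimited logon attempts.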
66
Kerberos Policy
The Kerberos Policy contains the following policies:
Enforce User Logon Restrictions
Maximum Lifetime For Service Ticket
Maximum Lifetime For User Ticket
Maximum Lifetime For User Ticket Renewal
Maximum Tolerance For Computer Clock Synchronization
67
Local Policies
Pertain to the security settings on the computer used by an application or user.
Based on the computer you are logged on to and the rights you have on that particular computer.
Local Policies include:
Audit Policy
User Rights Assignment
Security Options
68
Audit Policy
An audit policy lets you select security events you want Windows 2000 to write to the security log for later display in Event Viewer.
When you enable auditing for an event, you specify whether successful attempts, failed attempts, or both will be logged.
Audit policies include:
Audit Account Logon Events
Audit Directory Service Access
Audit Object Access
69
User Rights Assignment
User rights grant a user the ability to perform specific tasks.
Commonly used Windows 2000 User Rights Assignments:
Add Workstations To Domain
Back Up Files And Directories
Log On Locally
Manage Auditing And Security Log
Restore Files And Directories
Take Ownership Of Files Or Other Objects
70
Security Options
Security Options policies enable or disable security settings for the computer that control elements such as:
The digital signing of data
Administrator and Guest account names
Floppy drive and CD-ROM drive access
Driver installation
Logon prompts
71
The Security Options Policies in a GPO
72
Event Log
The Event Log security area contains Settings For Event Logs.
You can set the following policies for each of the three default logs (application, security, and system):
Maximum Log Size
Restrict Guest Access To Log
Retain Log
Retention Method For Log
73
The Event Log Policies
74
Restricted Groups
Use Restricted Groups to prevent users who have been added to a group temporarily from remaining in the group because of neglect.
The users you add to Restricted Groups are the only users authorized to be permanent members of that group.
If you add new members without adding them to this policy, the next time group policies are applied, those members are removed from the group.
75
The Restricted Groups Security Area
76
System Services
The settings in this area specify whether a service should load automatically when Windows 2000 starts.
Options for each service are:
Automatic: starts a service automatically at system startup
Manual: starts a service only if manually started by an authorized user
Disabled: disables a service so it cannot be started
77
Registry and File System Areas
These areas let you use group policies to set access permissions for registry keys and file system elements, such as folders and files.
You can edit the security properties of the registry key or file path to specify which user or group objects have permission to access the key or path, as well as to configure inheritance settings, auditing, and ownership permissions.
78
Public Key Policies
Use to control and manage public key certificate settings by performing the following tasks:
Specify that computers should submit a certificate request to a certification authority and install the issued certificate.
Create and distribute a certificate trust list.
Establish common trusted root certification authorities.
Add encrypted data recovery agents and change the encrypted data recovery policy settings.
79
IP Security Policies on Active Directory
Settings in this area configure computers on the network to use Internet Protocol Security (IPSec).
You can use these policies to specify which types of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic should use these IPSec communication modes:
Client (Respond Only)
Secure Server (Require Security)
Server (Request Security)
80
Refreshing Policies
Sometimes modifications made to security policies do not take effect immediately.
To initiate policy propagation, you can:
Restart the computer
Wait for automatic policy propagation to occur
Use Secedit.exe to refresh the security settings:
Secedit /refreshpolicy machine_policy
Secedit /refreshpolicy user_policy
81
Lesson Summary
GPOs use the Security Settings snap-in to provide many security-related policies.
Account policies let you control user password and logon behavior.
Local policies let you configure auditing, user rights assignments, and other security options.
Restricted Groups lets you enforce membership in user groups.
82
Troubleshooting Group Policy Problems
You need to know the best practices and methods for solving problems that you might encounter relating to group policies.
83
Troubleshooting Group Policy
Consider dependencies between components.
When a problem appears in one component, check whether the components, services, and resources that it relies on are working properly.
Event logs are useful for tracking down causes of dependency-caused problems.
84
Troubleshooting Tips
You must have both the Read and Write permissions for the GPO in order to open it in the Group Policy snap-in.
Services that group policies rely on include Active Directory and Domain Name System (DNS).
Group policies also rely on the Windows 2000 networking components.
85
Troubleshooting Tips (Cont.)
GPOs are not applied to security groups; group policy affects only users and computers contained in sites, domains, and OUs.
When multiple GPOs apply, they are processed in this order: local GPO, site GPOs, domain GPOs, and OU GPOs. The settings in the last policy applied take precedence.
86
Troubleshooting Tips (Cont.)
The No Override option takes precedence over the Block Policy Inheritance option.
GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.
Local GPOs are the weakest; any nonlocal GPO can overwrite them.
87
Lesson Summary
When troubleshooting group policy problems, check the services that group policies rely on.
To open a GPO in the Group Policy snap-in, a user needs both the Read and Write permissions.
Security group memberships do not cause group policies to be applied to users—users receive group policies from the site, domain, or OU that a GPO is linked to.
No Override takes precedence over Block Policy Inheritance.