Chapter Overview: Understanding Group Policies, Implementing Group Policies, Using Security Policies, Troubleshooting Group Policy Problems

Jan 30, 2016


Amie Henry

Chapter Overview

- Understanding Group Policies
- Implementing Group Policies
- Using Security Policies
- Troubleshooting Group Policy Problems


Understanding Group Policies

Before attempting to implement group policies, you need to be familiar with concepts that affect group policy operations.

- Definition of group policies
- How to use the Group Policy snap-in
- Group policy settings
- How group policy affects startup and logon
- How group policy settings are processed
- How security settings can be used to filter group policy


What Are Group Policies?

Group policies are collections of user and computer configuration settings that you can link to computers, sites, domains, and organizational units (OUs) to specify the behavior of users' desktops.

To create a specific desktop configuration for a group of users, you create group policy objects (GPOs), which are collections of group policy settings.

GPOs can be local or nonlocal.

- One local GPO is always stored on each computer running Microsoft Windows 2000.
- Nonlocal GPOs are linked to Active Directory objects (sites, domains, and OUs), and can be applied to either users or computers.


Using the Group Policy Snap-In

Use the Group Policy snap-in to create, modify, and manage GPOs.

There are two primary methods to open Group Policy:

- Create a new Microsoft Management Console (MMC) console and select Group Policy as a stand-alone snap-in.
- Select an object in an Active Directory management console, and access Group Policy as an extension snap-in.


The Group Policy Snap-In


Opening the Local Group Policy Snap-In

The local group policies are those stored on each Windows 2000 computer.

To open the Group Policy snap-in with a focus on local group policies:

1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Select Local Computer in the Select Group Policy Object dialog box.


The Add Standalone Snap-In Dialog Box


The Select Group Policy Object Dialog Box


Opening the Group Policy Snap-In for Another Computer

You can open the local GPO for another computer on the network if you have administrative rights to that computer.

To open the Group Policy snap-in for another computer:

1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Browse and select another computer in the Select Group Policy Object dialog box.


Opening the Group Policy Snap-In from Active Directory Users And Computers

To access the Group Policy snap-in by using Active Directory Users And Computers:

1. Open Active Directory Users And Computers.
2. In the console tree, right-click the domain or OU you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.


Opening the Group Policy Snap-In from Active Directory Sites And Services

To access the Group Policy snap-in by using Active Directory Sites And Services:

1. Open Active Directory Sites And Services.

2. In the console tree, right-click the site you want to set group policy for, and then select Properties.

3. Click the Group Policy tab, select an entry, and then click Edit.


Group Policy Settings

Group policy settings define the desktop environments for network users.

Group policy settings are contained in a GPO.

There are two types of group policy settings:

- Use computer configuration settings to set group policies for computers, regardless of who logs on to them.
- Use user configuration settings to set group policies that apply to specific users, regardless of which computer the user logs on to.


Software Settings Folder

In both Computer Configuration and User Configuration, the Software Settings folder contains only Software Installation settings, by default.

Use Software Installation settings to specify how applications are installed and maintained.

Applications can be managed in one of two modes: Assigned or Published.


Software Settings Folder (Cont.)


Windows Settings Folder

In both the Computer Configuration and User Configuration folders, the Windows Settings folder contains two items: Scripts and Security Settings.

Use Scripts to specify startup/shutdown scripts (for computers) and logon/logoff scripts (for users).

Use Security Settings to manually configure the security levels assigned to a GPO.


Windows Settings Folder (Cont.)


Windows Settings—User Configuration

For only the User Configuration folder, Windows Settings also contains

- Internet Explorer Maintenance: lets you administer and customize Microsoft Internet Explorer
- Remote Installation Services: controls the behavior of remote operating system installations
- Folder Redirection: lets you redirect Windows 2000 special folders to an alternate location


Administrative Templates Folder

For both Computer Configuration and User Configuration, the Administrative Templates folder contains all registry-based group policy settings, including settings for

- Windows Components
- System
- Network


Administrative Templates Folder (Cont.)


Administrative Templates Policy Settings

More than 450 policy settings are available for configuring the user environment.

In the registry

- Computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM)
- User configurations are saved in HKEY_CURRENT_USER (HKCU)


How Group Policy Affects Startup and Logon

The sequence for Computer Configuration and User Configuration settings when a computer starts and a user logs on is as follows:

1. The network starts.
2. The computer obtains an ordered list of GPOs.
3. The system processes the Computer Configuration settings.
4. Startup scripts run.
5. The user presses CTRL+ALT+DELETE to log on.


How Group Policy Affects Startup and Logon (Cont.)

6. After the user is authenticated, the computer loads the user profile.

7. The computer obtains an ordered list of GPOs for the user.

8. The system processes the User Configuration settings.

9. The computer runs the logon scripts.

10. The operating system interface prescribed by group policies appears.


How Group Policy Is Processed

Group policy settings are processed in the following order:

1. Local GPO
2. Site GPOs
3. Domain GPOs
4. OU GPOs

The GPO that is processed last overrides conflicting settings in all other GPOs that were processed earlier.


Group Policy Processing Order


Exceptions to the Default Processing Order

- Workgroup Membership: a computer that is a member of a workgroup processes only the local GPO.
- No Override: any GPO linked to a site, domain, or OU can be set so that none of its policy settings can be overridden.
- Block Policy Inheritance: at any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, No Override settings cannot be blocked.
- Loopback: used to circumvent the normal order that GPOs are applied in.


Loopback Modes

Loopback can be set to Merge or Replace mode.

- Replace: the GPO list for the user is replaced by the GPO list obtained for the computer at startup.
- Merge: the GPO list obtained for the computer at startup is appended to the GPO list obtained for the user at logon.


Group Policy Inheritance

- Group policies are typically passed down from parent to child containers in the Active Directory service.
- However, if you specify a group policy for a child container, the child container's group policy settings override any conflicting settings inherited from the parent container.
- If a parent OU has policy settings that are not configured, the child OU does not inherit them.
- Policy settings that are disabled are inherited as disabled.
- If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied.
- If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU, the child does not inherit the policy setting from the parent; instead, the setting for the child is applied.


Using Security Groups to Filter Group Policy

Because you can link more than one GPO to a site, domain, or OU, you might need to link GPOs associated with other directory objects.

By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.


Lesson Summary

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.

The Group Policy snap-in is used to manage group policies.

Windows 2000 applies GPOs in this order: local GPO, site GPOs, domain GPOs, and OU GPOs.

By default, Active Directory objects inherit group policy settings from parent containers.


Implementing Group Policies

You may have to modify the group policies in place on a network or create new GPOs.


Tasks for Implementing Group Policies

You may need to perform numerous tasks to implement group policies. A few of these tasks are

- Creating a GPO
- Delegating administrative control of a GPO
- Specifying group policy settings for a GPO
- Indicating GPO processing exceptions


Creating a GPO

The first step in implementing a group policy is creating a GPO.

You also need to determine the type of Active Directory object you want to create a GPO for.


Creating a GPO (Cont.)

To create a GPO:

1. For a GPO linked to a domain or an OU, open Active Directory Users And Computers, or for a GPO linked to a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU object you want to create a GPO for, and then select Properties.
3. Click the Group Policy tab.
4. Click New and type the name you want to assign to the GPO. By default, the new GPO is linked to the site, domain, or OU that you selected, and the GPO settings apply to that site, domain, or OU.
5. Click Close.


The Group Policy Tab


Creating a GPO Console

After you create a GPO, you can create a custom MMC console containing the Group Policy snap-in and focused on that particular GPO.

To create a GPO console:

1. Start a new MMC console, and then add the Group Policy stand-alone snap-in to it.
2. In the Select Group Policy Object dialog box, browse and select the GPO on which you want to focus.


Default GPO Permissions

Security Group: Default Permissions

- Authenticated Users: Read, Apply Group Policy, Special Permissions
- Creator Owner: Special Permissions
- Domain Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
- Enterprise Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
- SYSTEM: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions


Delegating Administrative Control of a GPO

To delegate administrative control of a GPO:

1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab.
4. Select a group and configure permissions to either allow or deny administrative access to the GPO. (Repeat this step as necessary.)
5. Click OK.


The Security Tab of a GPO Properties Dialog Box


Specifying Group Policy Settings for a GPO

To specify group policy settings:

1. Open the Group Policy snap-in for the GPO.
2. Expand the console tree until the policy you want to set appears in the details pane.
3. In the details pane, double-click the policy you want to set.
4. In the policy's Properties dialog box, select Enabled to apply the policy, and then click OK.


Expanding the Console Tree to View Policies


The Properties Dialog Box for a Typical Policy


Disabling Unused Group Policy Settings

If all Computer Configuration or User Configuration policies for a GPO are unconfigured and unused, you can disable them to speed up the startup and logon processes for computers affected by the GPO.


Disabling Unused Group Policy Settings (Cont.)

To disable all Computer Configuration or User Configuration policies for a GPO:

1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and select Properties to display the Properties dialog box.
3. In the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box.
4. Click OK.


The General Tab in a GPO Properties Dialog Box


Indicating GPO Processing Exceptions

You can change the default GPO processing order by

- Modifying the order of GPOs for an object
- Specifying the Block Policy Inheritance option
- Specifying the No Override option
- Enabling the Loopback setting


Modifying the GPO Processing Order

To modify the GPO processing order:

1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links list, select a GPO and click Up or Down to change its place in the processing sequence.


Modifying the GPO Processing Order (Cont.)


Blocking Policy Inheritance

To block policy inheritance:

1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the Block Policy Inheritance check box. (You cannot block GPOs that use the No Override option.)
5. Click OK.


Using the No Override Option

To use the No Override option:

1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the GPO you want to modify, and then click Options.
5. In the Options dialog box, select the No Override check box.
6. Click OK.


The Options Dialog Box for a GPO


Enabling the Loopback Setting

To enable the Loopback setting:

1. Open the Group Policy snap-in for the GPO.
2. In the console tree, expand Computer Configuration until the Group Policy folder is visible.
3. In the details pane, double-click User Group Policy Loopback Processing Mode.
4. Select Enabled.
5. Select one of the following modes from the Mode list:
   - Replace: replaces the GPO list for the user with the GPO list already obtained for the computer at startup
   - Merge: appends the GPO list obtained for the user at logon to the GPO list already obtained for the computer at startup
6. Click OK.


The Loopback Processing Mode Properties Dialog Box


Filtering GPO Scope

Policies in a GPO apply only to users with the Read permission for that GPO.

To filter the scope of a GPO, you can create security groups and then assign the Read permission to the selected groups.

This prevents a policy from applying to a specific group by denying that group the Read permission to the GPO.


Filtering GPO Scope (Cont.)

To filter the GPO scope:

1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab, and then select the security group that you want to filter this GPO through.
4. Set permissions for the group, and then click OK.
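The processing order (local, site, domain, OU), the No Override and Block Policy Inheritance exceptions, and security-group filtering described in this chapter can be traced with a small model. The Python below is an added example, not part of the original slides or of any Microsoft tool; the GPO names, settings and groups are constructed. Two behaviours are assumptions the slides do not state: Block Policy Inheritance leaves the local GPO in place, and when several No Override GPOs conflict, the one linked highest in the hierarchy wins.

```python
from dataclasses import dataclass


@dataclass
class Gpo:
    name: str
    settings: dict
    no_override: bool = False           # No Override option on the GPO link
    deny_read: frozenset = frozenset()  # security groups denied Read on the GPO


@dataclass
class Container:
    level: str                          # "local", "site", "domain" or "ou"
    name: str
    gpos: list                          # listed in processing order
    block_inheritance: bool = False     # Block Policy Inheritance check box


def effective_policy(chain, user_groups, workgroup=False):
    """Return {setting: (value, name of the GPO that supplied it)}.

    chain lists the containers in processing order: local, site, domain,
    then OUs from parent to child.
    """
    if workgroup:
        # A workgroup member processes only the local GPO.
        chain = [c for c in chain if c.level == "local"]

    # Index of the deepest container that blocks inheritance (0 if none).
    blocked_above = max(
        (i for i, c in enumerate(chain) if c.block_inheritance), default=0
    )

    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.deny_read & set(user_groups):
                continue  # filtered out: the user is denied Read on this GPO
            if gpo.no_override:
                enforced.append((depth, gpo))  # No Override cannot be blocked
            elif depth >= blocked_above or container.level == "local":
                # Assumption: blocking does not remove the local GPO.
                normal.append((depth, gpo))

    result = {}
    # Default rule: the GPO processed last overrides earlier conflicts.
    for _, gpo in normal:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    # No Override settings are written last so nothing replaces them.
    # Assumption: among several No Override GPOs the highest container wins,
    # so they are applied from the deepest container up to the highest.
    for _, gpo in sorted(enforced, key=lambda item: -item[0]):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


# Constructed sample hierarchy; every name and value here is hypothetical.
CHAIN = [
    Container("local", "PC-17", [
        Gpo("Local", {"Wallpaper": "local.bmp", "Proxy": "none"}),
    ]),
    Container("site", "HQ", [
        Gpo("Site-Proxy", {"Proxy": "proxy.hq"}),
    ]),
    Container("domain", "corp.example", [
        Gpo("Domain-Lockdown", {"HideRunMenu": True}, no_override=True),
        Gpo("Domain-Desktop", {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 600}),
    ]),
    Container("ou", "Engineering", [
        Gpo("Eng-Desktop", {"Wallpaper": "eng.bmp", "HideRunMenu": False}),
        Gpo("Eng-Kiosk", {"DisableTaskMgr": True},
            deny_read=frozenset({"Eng-Admins"})),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for groups in ({"Eng-Users"}, {"Eng-Admins"}):
        print(sorted(groups), effective_policy(CHAIN, groups))
```

Recording which GPO supplied each value is what makes the model useful for troubleshooting: an unexpected setting can be traced to a blocked, filtered or No Override GPO.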


Linking a GPO to a Site, Domain, or OU

By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.

You can use the Group Policy tab in the Properties dialog box of the site, domain, or OU to link a GPO to additional sites, domains, or OUs.


The Add A Group Policy Object Link Dialog Box


Removing a GPO Link

To remove a GPO link:

1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be unlinked from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to unlink, and then click Delete.
4. In the Delete dialog box, select Remove The Link From The List, and then click OK.
5. Click Close.


Deleting a GPO

To delete a GPO:

1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be deleted from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to delete, and then click Delete.
4. In the Delete dialog box, select Remove The Link And Delete The Group Policy Object Permanently, and then click OK.
5. Click Close.


Group Policy Best Practices

- Disable unused parts of a GPO.
- Use the Block Policy Inheritance and No Override features sparingly.
- Minimize the number of GPOs.
- Filter policies based on security group membership.
- Use the Loopback setting only when necessary.
- Avoid cross-domain GPO assignments.


Lesson Summary

To implement group policies, you must create a GPO and link it to an Active Directory object, such as site, domain, or OU.

In the Properties dialog box of a GPO, you can link the GPO to an additional site, domain, or OU; delegate administrative control; disable unused policy settings; and filter the scope.

To set group policies, expand the console tree in the Group Policy snap-in to locate the desired setting, open the Properties dialog box, and then select Enable or Disable.


Using Security Policies

One of the primary functions of group policies is to implement security policies that protect network resources from unauthorized access.

Many security-related policies are found in the Security Settings snap-in, which is in the Group Policy snap-in.


The Security Settings Item in a GPO


Account Policies

Account policies apply to computers, and include

- Password Policy
- Account Lockout Policy
- Kerberos Policy

Windows 2000 permits only one domain account policy: the account policy applied to the root of a domain.

- Exception: another account policy can be defined for an OU.


Password Policy

Lets you control which passwords users select and how often they must change their passwords

Password policies include

- Enforce Password History: specifies the number of previous passwords Windows 2000 remembers for each user
- Maximum Password Age: specifies the number of days until a password expires
- Minimum Password Age: specifies the number of days a user must keep a password before the user can change it
- Minimum Password Length: specifies the smallest number of characters a password can contain
- Passwords Must Meet Complexity Requirements
- Store Passwords Using Reversible Encryption For All Users In The Domain: modifies the encryption algorithm


Account Lockout Policy

Locks a user account after a specified number of failed logon attempts

Account policies include

- Account Lockout Duration: specifies the number of minutes a user account will remain locked
- Account Lockout Threshold: specifies the number of failed logon attempts that can occur before lockout
- Reset Account Lockout Counter After: specifies the number of minutes before the counter resets to zero


Kerberos Policy

The Kerberos Policy contains the following policies:

- Enforce User Logon Restrictions
- Maximum Lifetime For Service Ticket
- Maximum Lifetime For User Ticket
- Maximum Lifetime For User Ticket Renewal
- Maximum Tolerance For Computer Clock Synchronization


Local Policies

- Pertain to the security settings on the computer used by an application or user
- Based on the computer you are logged on to and the rights you have on that particular computer

Local Policies include:

- Audit Policy
- User Rights Assignment
- Security Options


Audit Policy

An audit policy lets you select security events you want Windows 2000 to write to the security log for later display in Event Viewer.

When you enable auditing for an event, you specify whether successful attempts, failed attempts, or both will be logged.

Audit policies include:

- Audit Account Logon Events
- Audit Directory Service Access
- Audit Object Access


User Rights Assignment

User rights grant a user the ability to perform specific tasks.

Commonly used Windows 2000 User Rights Assignments:

- Add Workstations To Domain
- Back Up Files And Directories
- Log On Locally
- Manage Auditing And Security Log
- Restore Files And Directories
- Take Ownership Of Files Or Other Objects


Security Options

Security Options policies enable or disable security settings for the computer that control elements such as

- The digital signing of data
- Administrator and Guest account names
- Floppy drive and CD-ROM drive access
- Driver installation
- Logon prompts


The Security Options Policies in a GPO


Event Log

The Event Log security area contains Settings For Event Logs.

You can set the following policies for each of the three default logs (application, security, and system):
- Maximum Log Size
- Restrict Guest Access To Log
- Retain Log
- Retention Method For Log


The Event Log Policies


Restricted Groups

Use Restricted Groups to prevent users who have been added to a group temporarily from remaining in the group because of neglect.

The users you add to Restricted Groups are the only users authorized to be permanent members of that group.

If you add new members without adding them to this policy, the next time group policies are applied, those members are removed from the group.


The Restricted Groups Security Area


System Services

The settings in this area specify whether a service should load automatically when Windows 2000 starts.

Options for each service are
- Automatic: starts a service automatically at system startup
- Manual: starts a service only if manually started by an authorized user
- Disabled: disables a service so it cannot be started


Registry and File System Areas

These areas let you use group policies to set access permissions for registry keys and file system elements, such as folders and files.

You can edit the security properties of the registry key or file path to specify which user or group objects have permission to access the key or path, as well as to configure inheritance settings, auditing, and ownership permissions.


Public Key Policies

Use Public Key Policies to control and manage public key certificate settings by performing the following tasks:
- Specify that computers should submit a certificate request to a certification authority and install the issued certificate.
- Create and distribute a certificate trust list.
- Establish common trusted root certification authorities.
- Add encrypted data recovery agents and change the encrypted data recovery policy settings.


IP Security Policies on Active Directory

Settings in this area configure computers on the network to use Internet Protocol Security (IPSec).

You can use these policies to specify which types of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic should use these IPSec communication modes:
- Client (Respond Only)
- Secure Server (Require Security)
- Server (Request Security)


Refreshing Policies

Sometimes modifications made to security policies do not take effect immediately.

To initiate policy propagation, you can
- Restart the computer
- Wait for automatic policy propagation to occur
- Use Secedit.exe to refresh the security settings

Secedit /refreshpolicy machine_policy
Secedit /refreshpolicy user_policy


Lesson Summary

GPOs use the Security Settings snap-in to provide many security-related policies.

Account policies let you control user password and logon behavior.

Local policies let you configure auditing, user rights assignments, and other security options.

Restricted Groups lets you enforce membership in user groups.


Troubleshooting Group Policy Problems

You need to know the best practices and methods for solving problems that you might encounter relating to group policies.


Troubleshooting Group Policy

Consider dependencies between components.

When a problem appears in one component, check whether the components, services, and resources that it relies on are working properly.

Event logs are useful for tracking down causes of dependency-caused problems.


Troubleshooting Tips

You must have both the Read and Write permissions for the GPO in order to open it in the Group Policy snap-in.

Services that group policies rely on include Active Directory and Domain Name System (DNS).

Group policies also rely on the Windows 2000 networking components.


Troubleshooting Tips (Cont.)

GPOs are not applied to security groups; group policy affects only users and computers contained in sites, domains, and OUs.

When multiple GPOs apply, they are processed in this order: local GPO, site GPOs, domain GPOs, and OU GPOs. The settings in the last policy applied take precedence.


Troubleshooting Tips (Cont.)

The No Override option takes precedence over the Block Policy Inheritance option.

GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.

Local GPOs are the weakest; any nonlocal GPO can overwrite them.
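The precedence rules in these tips (local, site, domain, OU; last applied wins; No Override beats Block Policy Inheritance) can be traced with a small model when you need to work out which GPO supplied a setting. This is an added example, not part of the original slides: it is a simplified model, the GPO names and setting names are constructed, and it assumes the local GPO is never affected by Block Policy Inheritance.

```python
from dataclasses import dataclass

# Processing order from the slide: local, site, domain, OU (child OUs would be 4, 5, ...)
LOCAL, SITE, DOMAIN, OU = 0, 1, 2, 3

@dataclass
class Link:
    gpo: str                  # GPO name (constructed for this example)
    level: int                # container the GPO is linked to
    settings: dict
    no_override: bool = False

def resolve(links, block_inheritance_at=None):
    """Return {setting: (value, winning GPO)} for one user or computer."""
    ordered = sorted(links, key=lambda link: link.level)
    if block_inheritance_at is not None:
        # Block Policy Inheritance drops GPOs linked above the blocking
        # container unless the link is No Override. Model assumption: the
        # local GPO is not an Active Directory link, so it is never blocked.
        ordered = [link for link in ordered if link.level == LOCAL
                   or link.level >= block_inheritance_at or link.no_override]
    result = {}
    for link in ordered:                  # pass 1: last applied wins
        if not link.no_override:
            for name, value in link.settings.items():
                result[name] = (value, link.gpo)
    for link in reversed(ordered):        # pass 2: No Override, highest container last
        if link.no_override:
            for name, value in link.settings.items():
                result[name] = (value, link.gpo)
    return result

# Constructed sample links; setting names are illustrative, not real policy keys.
SAMPLE_LINKS = [
    Link("Local GPO", LOCAL, {"audit_object_access": "none", "logon_prompt": "local"}),
    Link("Site Baseline", SITE, {"restrict_guest_log": True}),
    Link("Domain Security", DOMAIN,
         {"audit_object_access": "success+failure", "max_log_size_kb": 16384},
         no_override=True),
    Link("Lab OU", OU, {"audit_object_access": "none", "max_log_size_kb": 512,
                        "logon_prompt": "lab"}),
]

if __name__ == "__main__":
    for title, blocked in (("no blocking", None), ("Lab OU blocks inheritance", OU)):
        print(title)
        for name, (value, gpo) in sorted(resolve(SAMPLE_LINKS, blocked).items()):
            print(f"  {name} = {value!r}  (from {gpo})")
```

In the sample, the OU-level GPO tries to turn object-access auditing off, but the domain GPO linked with No Override keeps it on, even when the OU blocks inheritance.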


Lesson Summary

When troubleshooting group policy problems, check the services that group policies rely on.

To open a GPO in the Group Policy snap-in, a user needs both the Read and Write permissions.

Security group memberships do not cause group policies to be applied to users—users receive group policies from the site, domain, or OU that a GPO is linked to.

No Override takes precedence over Block Policy Inheritance.