Group Policies Chapter 8
Group Policies • What are group policies? • Grouping of settings • A method in which to establish consistency and security on the desktop across the enterprise • More than 5000 settings
Group Policies • Allows an administrator to create consistency on the network • Group Policy Objects (GPOs) are created using the Group Policy Management Editor (GPME) • GPME is invoked by using the Group Policy Management Console (GPMC)
Group Policies • Alphabet Soup OMG! • GPO: Group Policy Object • GPME: Group Policy Management Editor • GPMC: Group Policy Management Console
Group Policies What can we do with Group Policies? • Assign startup, shutdown, logon, logoff scripts • Another area for logon scripts. Maintenance scripts as well • Define password, lockout and audit policies • Password policies are only applied at the domain level. • Audit who is logging on and logging off. • Standardize user settings • Display required application icons • Define and enforce restrictions on desktops • Do not allow changing of backgrounds or display settings • Redirect folders such as Documents • Rename local guest and administrator accounts
Group Policy Makeup • The Group policy consists of two nodes of configuration settings: • Computer Configuration • Settings are applied when the system loads the OS prior to logon • Settings always apply to the computer regardless of WHO is logging in • User Configuration • Settings are applied after the user logs in. • The system cannot apply user settings until it knows who the user is. • In Active Directory, the User Configuration Settings are applied no matter where that user is logging in.
Group Policy Objects (GPOs) and Active Directory How does this work with Active Directory? • Policies are stored in Active Directory • AD handles replication (sharing of changes to other DCs) of policies in the Sysvol share • C:\windows\sysvol\sysvol • Removing domain-based policies undoes all changes made to the system
GPOs and Active Directory How does this work with Active Directory? • Create a single policy and apply it to every user or computer in the Domain or to an Organizational Unit • Configure a setting ONCE! Apply it 100s of times!
GPOs and Active Directory Are there policies already created and how can I use them? • There are two default policies in an Active Directory Domain • Microsoft suggests NOT modifying the default policies • Default Domain Policy • Found at the Domain level • Default Domain Controller Policy • Linked to the Domain Controller organizational unit. • Best practice is to BLOCK POLICY inheritance for this OU to prevent unwanted policies from affecting the Domain Controllers
GPOs and Active Directory Fun Facts and/or Rules (Quiz/Exam Stuff) • Only policy settings that are enabled are read. • If a policy is set to Not Defined, it is ignored. • If you choose to filter permissions via ACLs, none of the GPO settings will apply; it is all or nothing. • Policies are inherited and cumulative. • Policies are refreshed every 90 minutes with a 30-minute randomization • DCs are refreshed every 5 minutes
GPOs and Active Directory • There are four levels at which policies are applied (LSDOU). • (L)ocal -> Local computer policy. • (S)ite -> Policies linked at the site level • (D)omain -> Policies linked at the domain level (same level as the Default Domain Policy) • (O)rganizational (U)nit (OU) -> Policies linked at the OU level ***Quiz material*** • Multiple policies can be assigned to a single container. The rules are: • Listen to the last policy you heard from • Execute policies from the bottom up as they appear in the GUI
GPOs and Active Directory • Policies can be applied/refreshed at the command prompt • gpupdate /? • gpupdate /force -> applies both user and computer configuration policies. Sometimes requires a reboot. • Computer Configuration setting changes typically require a reboot • User Configuration setting changes typically require log off/log on
GPOs and Active Directory • GPO naming conventions – make it consistent and easy to interpret • Simply use a clear name to describe the intent of the GPO • How significant is the number of GPOs applied? • 999 is the maximum number of GPOs applied • You have a little wiggle room
GPO Troubleshooting • Read the Explain Text for a GPO setting • Remember the gpupdate /force switch • If you move a user/computer to a new OU, the change will not take place immediately. • Reboot/Logon to resolve • Consider using virtualization - especially helpful for tattooing security settings; undo when done!
Summary • Group Policies help create consistency across the domain. A consistent network is a manageable network. • Group Policies can help restrict/secure our network. • Group Policies have settings for both USER and COMPUTER configurations • The order in which GPOs are applied in AD is: • Local • Site • Domain • Organizational Unit
Summary • Policy settings that are NOT DEFINED are simply ignored/not read. • The last policy that is read wins. • Domain policy disables requiring Ctrl-Alt-Del to log in. • Sales_OU Policy enables requiring Ctrl-Alt-Del to log in. • Which one wins and what is the effective setting? (L,S,D,OU) • Some policy settings can be applied by typing: gpupdate /force at the CLI.
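The processing rules from the LSDOU slide and this Summary (level order, bottom-up execution inside a container, Not Defined ignored, last policy read wins) can be modeled in a few lines. The following Python is an added example, not part of the original slides; the setting names, the `gui_position` field, and the "Sales Desktop Lockdown" and "Local policy" GPOs are constructed for illustration.

```python
# Added example: models the processing rules stated in the slides.
# Setting names and GPOs other than the two in the Summary are constructed.
LSDOU = ("Local", "Site", "Domain", "OU")   # processing order, first to last
NOT_DEFINED = None                           # a Not Defined setting is ignored


def processing_order(links):
    """Sort GPO links into the order they are applied.

    Levels run Local -> Site -> Domain -> OU. Inside one container the
    list is executed from the bottom up, so gui_position 1 (top) is last.
    """
    return sorted(links, key=lambda l: (LSDOU.index(l["level"]), -l["gui_position"]))


def effective_settings(links):
    """Return {setting: (value, winning_gpo, [overridden GPO names])}."""
    result = {}
    for link in processing_order(links):
        for name, value in link["settings"].items():
            if value is NOT_DEFINED:
                continue                     # ignored, earlier value survives
            _, prev_gpo, overridden = result.get(name, (None, None, []))
            if prev_gpo is not None:
                overridden = overridden + [prev_gpo]
            result[name] = (value, link["gpo"], overridden)  # last one read wins
    return result


# Constructed sample links for a computer in Sales_OU.
SAMPLE_LINKS = [
    {"gpo": "Sales_OU Policy", "level": "OU", "gui_position": 1,
     "settings": {"RequireCtrlAltDel": "Enabled"}},
    {"gpo": "Sales Desktop Lockdown", "level": "OU", "gui_position": 2,
     "settings": {"RequireCtrlAltDel": NOT_DEFINED, "HideDisplaySettings": "Enabled"}},
    {"gpo": "Domain policy", "level": "Domain", "gui_position": 1,
     "settings": {"RequireCtrlAltDel": "Disabled", "HideDisplaySettings": "Disabled"}},
    {"gpo": "Local policy", "level": "Local", "gui_position": 1,
     "settings": {"HideDisplaySettings": "Enabled"}},
]

if __name__ == "__main__":
    for setting, (value, gpo, lost) in effective_settings(SAMPLE_LINKS).items():
        print(f"{setting}: {value} (from {gpo}; overrode {lost or 'nothing'})")
```

The third element of each result lists the GPOs whose value was overwritten, which is the question to ask when a hardening setting does not take effect on a machine.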