Group policy object(GPO)

GPO is a list of settings that administrators use to configure user and computer operating environments remotely.

Despite the name, GPO do not apply to group objects.  You can link GPOs to sites, domains and OUs, and GPOs linked to these containers affect only user or computer accounts.

In Active Directory environment,  two GPOs are created and linked to two containers:

  • Default Domain Policy: This GPO is linked to the domain object, and specifies default settings that affect all users and computers in the domain.The settings in this policy are related mainly to account policies, such as password and logon requirements, and some network security policies.
  • Default Domain Controllers Policy: This GPO is linked to the Domain controller OU and specifies default policy settings for all DC in the domain.
    The settings in this policy pertain mainly to user rights assignments, which specify the types of actions users can p

In Group policy management MMC, there are two nodes for every GPO:

  • Computer configuration-Used to set policies that apply to computers within the GPO’s scope. These policies are applied to a computer when the computer starts.
    • Software settings:The item “software installation” enables administrators to install and manage applications remotely. Next time the computer in the GPO’s scope starts, the application is installed automatically. This feature is also called “assigning” the application to the computer.
    • Windows settings: Contains the scripts extension, the security settings node, and the Policy-based Qos node. Administrator can use the scripts extension to create scripts that run at computer startup or shutdown.
      The security node contains the lion’s share of policies that affect computer security, including account policies, user rights, Registry and file system permissions, and network communication policies.
      The policy-based Qos node: can be used to prioritize and control out-going network traffic from a computer.
    • Administrative templates: Affect the HKEY_LOCAL_MACHINE section of registry. Contains Control Panel, Network, Printers, System and Windows components folders.
      The settings in these folders affect computer settings that apply to all logged-on users. You can control hundreds of computer settings with the Administrative Templates folder. The templates folder uses policy definition file, called administrative templates files, in the XML format, which are referred to as ADMX files because of their .admx extension. Many software vendors provide administrative template files for controlling their application’s settings through group policies. Windows versions before vista and 2008 used .adm files. ADMX files also have an .adml extension, which  provides a language specific user interface in group policy management editor.
      THe ADMX and ADML files under ” %systemroot%\PolicyDefinitions” and open them in Notepad or another text editor.
  • User configuration-Used to set policies that apply to all users within the GPO’s scope. User policies are applied when a user logs on to any computer in the domain. So the policies defined here affect domain users within the GPO’s scope, regardless of which computer the user logs on to.
    Notably, user configuration node has far fewer security settings, User configuration policies tend to focus on the user working environment.

    • Software settings: Software installation extension.
      1. Assigned application: is made available as an icon(or link) on the start Menu the next time a user logs on to a computer in the domain. But the application is installed until the first time the user tries to run the application or open a document associated with it.
      2. Published application: is made available for a user to install by using “programs and features” in control panel.
    • Windwos settings: This folder contains 6 items:
      Remote installation services extension: controls the options that are available to users during remote OS installation uing RIS.
      The Scripts extension: use the scripts extension to create scripts that run at user logon and logoff. Identical to the Scripts(startup/shutdown). if both startup and logon script are to run, the startup script runs first. If both a shutdown and logoff script are to run, logoff script runs first.
      The Security Settings: contains policies for configuring certificates and controlling what software users can run.
      Folder redirection:To redirect users’ personal folders to a network share. This function can decrease the Roaming profile network traffic when logon or logoff. Because Folder redirection save the files to network location in real time, Roaming profile download and upload the files when logon and logoff. Keep in mind that give the authenticated user write permission to the network location, or else, it won’t work.
      Policy-based QoS :Same as the one in computer configuration, except is applied to a computer when a user affected by the policy logs on to the computer.
      Deployed Printers: same function as in the computer configuration node but applied to users.
      Internet Explorer maintenance: Can set the security settings, the home page, and the favorites folder.
    • Administrative templates: Affect the HKEY_CURRENT_USER section of registry. Settings to tightly control users’ computer and network environment.
      Eg. hide the control panel from the user, specific control panel items can be made available, or items on a user’s desktop and start menu can be hidden or disabled.
How group policies are applied

GPOs can be applied in four places: local computer, site, domain, and OU.  The policies are applied in this order, too. The last policy to be applied is the order takes precedence. Remember LSDOU!!!

The delay between application and setting:

  • GPOs are updated on DC every 5 minutes and on workstations and servers every 90 minutes, even if the computers don’t restart.
  • Apply the computer policies when computer restarts or user policies when the user logs on .
  • gpupdate.exe: Applies the computer policies to the computer immediately on which  the “gpupdate.exe” is running and user policies to the currently logged-on user.
Priority level

Group Policies are administered through the use of Group Policy Objects (GPOs), data structures that are attached in a specific hierarchy to selected Active Directory Objects, such as Sites, Domains, or Organizational Units (OUs).

These GPOs, once created, are applied in a standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the later policies being superior to the earlier applied policies.

When a computer is joined to a domain with the Active Directory and Group Policy implemented, a LGPO is processed. Note that LGPO policy is processed even when the Block Policy Inheritance option has been specified.

  • Account policies (password, lockout, Kerberos) are defined for the entire domain in the default domain GPO.
  • Local policies (audit, user rights, and security options) for DCs are defined in the default Domain Controllers GPO.
  • For DCs, settings defined in the default DC GPO have higher precedence than settings defined in the default Domain GPO. Thus, if a user privilege (for example, Add workstations to domain) were to be configured in the default Domain GPO, it would have no impact on the DCs in that domain.

Note: The Account Policies security area receives special treatment in how it takes effect on computers in the domain.

  • All DCs in the domain receive their account policies from GPOs configured at the domain node regardless of where the computer object for the DC is. This ensures that consistent account policies are enforced for all domain accounts.
  • All non-DC computers in the domain follow the normal GPO hierarchy for getting policies for the local accounts on those computers. By default, member workstations and servers enforce the policy settings configured in the domain GPO for their local accounts, but if there is another GPO at lower scope that overrides the default settings, then those settings will take effect.
Group Policy templates(GPT)

GPT is not stored in Active Directory but in a folder in “Sysvol”.

The location is “%systemroot%\SYSVOL\sysvol\domain\Policies”.

The name of the policy folders look random, but two folders have the same name on every domain controller. The folder starting with 6AC1 is the GPT for the Default domain controllers Policy, and the folder starting with 31B2 is the GPT for the Default domain policy.

In the GPT folder, there are at least 3 items:

  • GPT.ini : The file contains the version number used to determine when a GPO has been modified. Every time a GPO changes, the version number is updated. When GPO replication occurs, DCs use this version number to determine whether the local copy of the GPO is up to date.
  • Machine: This folder contains subfolders that store policy settings related to the computer configuration node.
  • User: This folder contains subfolders that store policy settings related to the user configuration node.
Group Policy Containers

 

GPC is an AD object stored in the system\policies folder and can be viewed in Active directory Users and Computers with the Advanced Features option enabled.
GPC stores GPO properties and status information but no actual policy settings. The folder name of each GPT is the same as the GPO’s GUID.

Useful Attributes:

  • Name of the GPO: tells the name of the GPO the GPC is associated with.
  • File path to the GPT: the UNC path to the related GPT folder
  • Version: same version number as the GPT.ini file in the GPT folder.
  • Flags(Status): The flags attribute contains a value that indicates the GPO’s status. 0 means the GPO is enabled; 3 means disabled.
Starter GPO
  • It is a GPO template, used as a baseline for new GPOs.
  • Focus on a narrow category of settings.
  • Don’t contain all the nodes of a regular GPO, only the Administrative Templates folder in both computer configuration and User configuration.
Replication

GPCs: they are active directory objects, are replicated during normal active directory replication.

GPTs: located in the sysvol share, are replicated by on of these methods:

  • File Replication Service( FRS): used when have a mix of windows server 2012, 2008, 2003, and 2000.
  • Distributed File system replication (DFSR): used when all DCs are running same version, 2008, or 2012.
    DFSR is more efficient because it uses an algorithm called remote differential compression( RDC) in which only data blocks that have changed are compressed and transferred across the network. It is more reliable because it uses a multimaster replication scheme.

Unsynchronized between GPT and GPC:

Because GPCs and GPTs use different replication methods, they can become out of sync.

GPCs are replicated when AD replication occurs, the interval is 15 seconds after a change occurs.

DFSR of the sysvol share occurs immediately after change is made. So Strange and unpredictable results could occur when GPC and GPT are not synced.

Replication problem can be diagnosed with Gpotool.exe, which is part of the windows resource Kit.

Best practice of creating and linking GPOs.

1. Editing the default GPOs is not recommended. It’s better to create a new GPO and linking them to containers.

2. Create GPOs that set policies narrowly focused on a category of settings and then name the GPO accordingly. For example, create a GPO name ComNetwork, which includes the network settings. Also easier for trouble shooting.

3.Test the policies before enabling them:

step1. Set up at least one test computer per OS used in the organization

step2. Join test computer to the domain and place their accounts in a test OU.

step3. Create one or more test accounts in the test OU

step 4. create the new GPO in the group policy objects folder and set the policies you want.

step5. Link the GPO to the test OU

step6. Restart and log on the test computers with the test user accounts to observer the policy effects.

step7.Make changes to the GPO and repeat step 6 until the policy has the desired effect.

step8. Unlink the policy from the test OU and link it to the target Active Directory container.

4. Click the object on the left pane, on the right pane, there are the GPOs which are linked to the object. GPOs appliy to the object in reverse of the specified link order. The last setting applied takes precedence. If the GPOs whose “Link order” are 1,2,3. The applying order is 3>2>1, so if any settings conflict, the GPO with link order is 1 takes precedence.

5. Site-linked GPOs should be used with caution. For one site and one domain, domain GPOs should be used rather than site-linked GPOs.

6. Domain-linked GPOs: Account policies can be defined only at domain level, so suggest that only account policies and few critical security policies at the domain level and setting the remaining policies on GPOs linked to OUs.

7. Active Directory Folders, such as computers and Users, are not OUs, can’t have a GPO linked to them. Only domain-linked and Site-linked GPOs affect objects in these folders. If you need to manage objects in these folders with group policies, moving them to OUs is recommended.

8. Majority of policies are defined at the OU level, GPO applied to nested OUs should be used for exceptions to policies set at higher level OU.

Pages: 1 2