Windows 2000 Group Policies
Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies which are applied to sites, domains, and organizational units (OUs). Group policy may be blocked or set so it cannot be overridden. The default is for subobjects to inherit the policy of their parents. There is a maximum of 1000 applicable group policies.
Group policies are linked to domains, organizational units, or sites in Active Directory. A policy must be linked to a container object in Active Directory to be effective. A GPO is stored in one domain but can be linked to containers in other domains to make it effective there as well. The policy must be linked to the container (site, domain, or OU) that it is stored in to be effective in that container. One policy object can be linked to several containers, and several policy objects can be linked to one container.
Group Policy Settings
Group policy settings only work for Windows 2000 computers. Settings that do the following may be applied with group policy:
• Manage user environments - Wallpaper and other settings.
• Manage scripts - Logon/logoff and startup/shutdown scripts.
• Manage security - Event log settings, account policies, and more.
• Manage software deployment - Applications may be automatically installed when the client computer starts.
• Redirect folders - Folders on a local computer may be redirected to a network share.
Group Policy Types
Group policy types and their order of application are:
• Local Policy
• Site Linked Policies
• Domain Linked Policies
• Organizational Unit Policies
Group policy may be set globally using Active Directory or on individual computers using Local Group Policy. The files are stored in:
• Locally - SystemRoot\System32\GroupPolicy\
• Globally - SystemRoot\SYSVOL\sysvol\domainname\Policies\ on domain controllers. The global group policy is made of a Group Policy Object (GPO) which is an Active Directory object and the files in this directory.
The GPT.INI file contains information about the policy. Group policy templates are in the system volume\public directory.
Group Policy Priorities
Group policy is inherited by child objects from their parents. If a parent object has group policy, then the children have the same policy. Group policies are applied down from the higher level objects to the lower level objects. The policies are cumulative unless they conflict, in which case the lower level policy applies to the object.
1. Local or Roaming Individual user profile is applied. Local policies cannot be blocked.
2. Local Group Policy is applied. Conflicts with individual policy are overridden by local group policy.
3. Group Policy is applied. Conflicts with individual policy or local group policy are overridden by group policy. The group policies are processed in the following order based on the object they are linked to:
1. Sites
2. Domains
3. Organizational Units
The normal behavior of policies can be modified with the following settings:
• No Override - Normally the local policies or lower level policies take precedence. If this setting is made on a higher level policy, the lower level policy cannot modify it, and the policy carrying this setting takes precedence.
• Block Policy - Inherited Group Policy Objects (GPOs) are blocked or applied as a whole. The No Override option takes priority over the Block Policy option.
Policy application steps:
1. When the computer is turned on, all group policies that are applicable to the computer are applied.
2. Any group policy startup scripts are run.
3. At user logon, after the user profile is set, all group policies for that user are applied.
4. Any group logon scripts are run, then any individual logon scripts are run.
5. At user logoff, group logoff scripts are run.
6. At system shutdown, any group policy shutdown scripts associated with the computer are run.
Group policy is updated by Active Directory on domain controllers every 5 minutes and on all Windows 2000 computers that are not domain controllers every 90 minutes. These updates are requested by the computer, and the intervals may be modified by administrators.
Setting Group Policy
The creator of a policy and administrators have Full Control permission for policies. To set Group Policy, the user must have permission to Log on Locally on a domain controller.
Group policies can be set from any domain controller, but the one that is the best to use is the PDC Emulator domain controller.
All group policy object containers have a default policy. Group policies can be managed using the Group Policy Editor. There are two default policy nodes:
• Computer configuration - Settings are applied to the computer, regardless of which user logs on to it.
• User configuration
Both nodes contain three sections for various settings which are:
• Administrative templates - Additional configuration for computer and user settings.
• Software settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
• Windows settings - The behavior of the operating system may be customized here.
The Microsoft Management Console (MMC) Group Policy snap-in is used to set local group policy. To start it, select "Start", "Run", and type "gpedit.msc". It also allows configuration of local Security Policies that may be set using the "Local Security Policy" Administrative Tool. The Group Policy snap-in on a remote computer may be used to set local Group Policies also. The following Local Group Policy settings are possible:
• Computer Configuration - Applies to specific computers
o Software Settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
o Windows Settings - Used to manage startup and shutdown scripts.
  ▪ Scripts (Startup/Shutdown)
  ▪ Security Settings
    - Account Policies - Password and account lockout policy.
      · Account lockout policy - Set the interval between logon attempts, the failed logon counter reset interval, and the duration of the lockout.
      · Password policy - Number of passwords remembered that cannot be repeated, maximum password age (42 days by default), and minimum password length.
      · Kerberos policy - Set the lifetime of service tickets.
    - Local Policies - Audit policy, user rights, and security options.
      · Audit policy - Events that may be audited include logon and logoff, file and object access, use of user rights, user and group management, security policy changes, system shutdown and restart, and process tracking.
      · User rights - Determine the actions a user can perform, such as shutting the system down, changing the time, using the computer locally, and others.
      · Security options - Must be enabled by an administrator. Restricted groups are used to help automate group management: a user can be added to a restricted group temporarily and will be removed during the next security audit.
    - Event Log - Application, Security, and System log settings.
    - Restricted Groups - Ensures that certain group memberships are not modified locally.
    - System Services - Set services to automatic, manual, or disabled.
    - Registry - Registry settings affected by this group policy. Permissions for registry keys may be set up here.
    - File System - Security settings for files and directories on several computers can be set, along with file extension associations with applications.
    - Public Key Policies - Encrypted Data Recovery Agents, Automatic Certificate Request Settings, Trusted Root Certification Authorities, and Enterprise Trust.
    - IP Security Policies on Active Directory - Rules for secure servers, servers, and clients. These rules control whether information sent between clients and the server is encrypted or secured. The default policies are:
      · Client policy - Most communication is not secured (encrypted), but the client may request and get a secure channel.
      · Secured server policy - Only secure communication is attempted.
      · Server policy - The server attempts to use a secure channel, but if the client does not respond over the secure channel, an unsecured channel is used.
o Administrative Templates - Can be used to manage a user's environment. More templates may be added for applications by creating a Unicode file (usually provided by the application creator) with the ".adm" extension. The .adm file causes settings under the HKEY_LOCAL_MACHINE registry key to be changed.
  ▪ Windows Components - Can configure the user's ability to use specific Windows programs or certain functions in those programs. Those programs include Internet Explorer, Task Scheduler, Windows Installer, and NetMeeting.
  ▪ System - Settings for:
    - Disk quotas - Warning levels and hard limits may be set.
    - DNS clients - The DNS suffix may be set.
    - Group policy
    - Logon - Scripts at startup or shutdown may be configured to run.
    - Windows file protection - System files may be scanned.
  ▪ Network - Can configure access to offline files and limit the user's ability to configure connection sharing.
  ▪ Printers - Policies may allow local printers to be published in Active Directory.
• User Configuration - Applies to specific users.
o Software Settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
o Windows Settings - Used to manage logon and logoff scripts. It is best to manage these scripts here rather than by configuring user account properties.
  ▪ Internet Explorer Maintenance - Settings:
    - Browser user interface settings
    - Connection settings
    - URLs section
    - Security zones
    - Programs settings
  ▪ Scripts - User configuration scripts that run at logon and/or logoff.
  ▪ Security Settings - Public key policies.
  ▪ Remote Installation Services
  ▪ Folder Redirection - Determines where users get specific types of files. It is based on user groups or specific folders.
o Administrative Templates - Can be used to manage group policy options. More templates may be added for applications by creating a Unicode file (usually provided by the application creator) with the ".adm" extension. The .adm file causes settings under the HKEY_CURRENT_USER registry key to be changed.
  ▪ Windows Components - Can configure the user's ability to use specific Windows programs or certain functions in those programs. Those programs include:
    - Internet Explorer
    - Task Scheduler
    - Windows Installer
    - NetMeeting
    - Windows Explorer - Menu items may be disabled or removed.
    - Microsoft Management Console
  ▪ System - The configuration may be set so the user cannot change their password or log off. The group policy refresh interval is configured here.
    - Logon/logoff settings - Logon and logoff scripts may be hidden so the user is unaware that they run. Part or all of the Task Manager may be disabled.
    - Group policy settings
  ▪ Network - Can configure access to offline files and limit the user's ability to configure connection sharing.
  ▪ Start Menu and Taskbar - Can remove some options.
  ▪ Desktop - Desktop icons may be hidden.
  ▪ Control Panel - Configure the user's ability to use the Control Panel and specific features. Specific applets or the entire Control Panel may be hidden.
Creating Group Policy Objects
There are several tools used to create and manage group policy objects. The most appropriate tool to use depends on the level the group policy object is at. The tools are as follows:
• Active Directory Sites and Services Administrative tool - Used to create and manage Group Policy Objects (GPOs) that are associated with a site.
• Active Directory Users and Computers Administrative tool - Used to create Group Policy Objects (GPOs) that are associated with an OU or domain.
• MMC Group Policy snap-in - This tool, also called the "Group Policy Console" can be used to manage GPOs at any level.
Setting Group Policy
The Microsoft Management Console (MMC) Group Policy snap-in can be used to create and manage Group Policy objects if the user has the correct permissions. The Enterprise Admins and Domain Admins groups and domain Administrators have these permissions.
Group Policy inheritance is configured on the Active Directory container the GPO is in and on the object itself.
• There is a "Block Policy Inheritance" checkbox in the Group Policy Tab on the object container's properties dialog box.
• There is a "No Override: prevents..." checkbox in the Group Policy Tab on the object's properties dialog box.
In the case of a conflict between the two above settings, the "No Override: prevents..." checkbox option prevails. If this option is set on a parent container, the child cannot override the inheritance.
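As an added illustration (not from the original page), the following Python models the precedence rules described above and in the Group Policy Priorities section: LSDOU application order, Block Policy Inheritance on a container, and No Override on a link. The container names, GPO names and setting names are constructed sample data, not real policy identifiers.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str
    settings: dict                  # policy setting -> configured value
    no_override: bool = False       # "No Override" set on this link

@dataclass
class Container:
    name: str                       # "Local", a site, a domain or an OU
    links: list                     # GpoLinks in the order they are applied
    block_inheritance: bool = False # "Block Policy Inheritance" set here
    is_local: bool = False          # the computer's Local Group Policy

def applicable_links(chain):
    """Walk containers in LSDOU order; a block drops links inherited from AD
    containers above it except No Override links (Local is never blocked)."""
    applied = []
    for container in chain:
        if container.block_inheritance:
            applied = [(c, l) for c, l in applied if c.is_local or l.no_override]
        applied.extend((container, link) for link in container.links)
    return applied

def resolve(chain):
    """Return setting -> (effective value, GPO link that set it). Lower-level
    links win conflicts unless the higher value came from a No Override link."""
    effective = {}                  # setting -> (value, gpo name, enforced)
    for _, link in applicable_links(chain):
        for setting, value in link.settings.items():
            prev = effective.get(setting)
            if prev is not None and prev[2]:
                continue            # enforced higher-level setting stays
            effective[setting] = (value, link.name, link.no_override)
    return {k: (v[0], v[1]) for k, v in effective.items()}

def example_chain(block_on_ou):
    """Constructed hierarchy (not real data): Local -> site -> domain -> Sales OU."""
    return [
        Container("Local", [GpoLink("LocalGPO", {"Wallpaper": "local.bmp"})], is_local=True),
        Container("HQ-Site", [GpoLink("SiteGPO", {"Wallpaper": "site.bmp"})]),
        Container("example.local", [
            GpoLink("DefaultDomainPolicy", {"MinPasswordLength": "8"}, no_override=True),
            GpoLink("DomainWallpaper", {"Wallpaper": "domain.bmp"})]),
        Container("Sales-OU", [GpoLink("SalesGPO", {"MinPasswordLength": "4"})],
                  block_inheritance=block_on_ou),
    ]
```

With the block set on Sales-OU, the wallpaper falls back to the local GPO while the No Override password setting from the domain still wins over the OU's own value.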
GPO Security
GPO security is used to specify the users and groups that can modify the GPO settings and to specify those to whom they apply as follows:
• The Group Policy settings apply to users and groups that have the Active Directory read and apply group policy permissions to the GPO. Authenticated Users have these settings apply by default.
• Users or groups that have the Active Directory read and write permissions to the GPO can modify the GPO settings.
The security settings are modified on the GPO's Security tab, reached from the Group Policy tab of the object's or container's properties dialog box (select "Action", "Properties") in the "Active Directory Sites and Services" or "Active Directory Users and Computers" Administrative Tool. This allows policies to be "filtered" so they only affect specific users or groups. When the permissions on a group policy object are modified, the Discretionary Access Control List (DACL) of the policy object is modified. The DACL must grant the groups the policy is intended for both the "Read" and "Apply Group Policy" permissions.
Linking GPOs
A GPO may be linked to another container. When this is done a new GPO, pointing to the original GPO, is created. The GPO settings of the original GPO apply to all objects it is linked to. At this point the new GPO may be modified and the new settings will apply only to the new GPO. If settings in the original GPO are modified, the settings in the linked GPOs will also be changed.
Group Policy Application Order
Groups are listed by priority in the System Policy Editor dialog box, Group Priority tab. When a user is in multiple groups, the highest priority group's policy applies. The groups may be moved up and down the list, which sets their relative priorities.
Using Group Policy for Software Deployment
Methods:
• Assign the application to a computer - The application shortcut appears in the user start menu, and the application is installed the first time the user runs it.
• Assign the application to a user - The application is installed the next time the computer is booted.
• Publish the application to the user - The application is installed the first time the user opens a document that is associated with the application. Once installed, the start menu lists the application.
Installation steps:
1. Prepare the application for deployment if it is not already in a Windows Installer file (ending with .msi). Do one of the following:
o Convert the application to a Windows Installer file. Use WinINSTALL LE to repackage the application as a Windows Installer file; this program is on the Windows 2000 Server CD in \VALUEADD\3RDPARTY\WINSTLE.
o Create application installation instructions in a text file ending with ".zap". Such applications can only be published. A .zap file has two sections:
  ▪ [Application] - Give "FriendlyName = " and "SetupCommand =" on two separate lines, each followed by the appropriate information.
  ▪ [Ext] - List the extensions to be associated with the application on separate lines, each followed by "=".
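The two-section .zap format described above can be checked mechanically before the file is published. This added Python example (not from the page or from Microsoft) parses a constructed sample .zap and rejects a file that lacks either required [Application] key; the share path, product name and extensions are invented.

```python
import configparser
from dataclasses import dataclass

# Constructed sample .zap file (invented share path and product, not real).
# Per the page: an [Application] section with FriendlyName and SetupCommand,
# and an [Ext] section listing extensions, each followed by "=".
SAMPLE_ZAP = r"""
[Application]
FriendlyName = Example Viewer 1.0
SetupCommand = \\fileserver\deploy\viewer\setup.exe /quiet

[Ext]
EXV=
exvt=
"""

@dataclass
class ZapPackage:
    friendly_name: str
    setup_command: str
    extensions: list        # normalised: lower-case, without the leading dot

def parse_zap(text):
    """Parse .zap text into a ZapPackage; raise ValueError if it is malformed."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str                    # keep key case exactly as written
    cp.read_string(text)
    if "Application" not in cp:
        raise ValueError("missing [Application] section")
    app = cp["Application"]
    for key in ("FriendlyName", "SetupCommand"):
        if not app.get(key):
            raise ValueError(f"[Application] is missing {key}")
    extensions = []
    if "Ext" in cp:                         # [Ext] is optional; entries are "ext="
        for ext in cp["Ext"]:
            extensions.append(ext.strip().lstrip(".").lower())
    return ZapPackage(app["FriendlyName"], app["SetupCommand"], extensions)
```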
Group policies can also be used to:
• Deploy service packs
• Create application categories
• Maintain or upgrade software
• Remove previously deployed applications.
Policy Refresh Intervals
The default refresh interval for policies is 90 minutes. The default refresh interval for domain controllers is 5 minutes. The refresh intervals may be changed in the group policy object itself. The appropriate refresh interval depends on link speed: a slow network should have longer refresh intervals. A slow link is defined as one slower than 500 Kbps.