Configuring Local Group Policy for windows 2003

Windows 2003 Group Policies allow the administrators to efficiently manage a group of people accessing a resource. Group policies can be used to control both the users and the computers. They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go. Group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of the Run command from the start menu. This will ensure that the users will not find Run command on that computer. Domain-based Group Policies allow the domain / enterprise administrators to manage all the users and the computers of a domain / forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains and OUs through group policies. There are more than 2000 pre-created group policy settings available in Windows Server 2003 / Windows XP. A default group policy already exists. You only need to modify the values of different policy settings according to your specific requirements. You can create new group policies to meet your specific business requirements. Group policies allow you to implement: Registry based settings: Allows you to create a policy to administer operating system components and applications. Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria or URL zone. Software restrictions: Allows you to create a policy that would restrict users running unwanted applications and protect computers against virus and hacking attacks. Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy. Roaming user profiles: Allows mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server. Internet Explorer maintenance: Allows administrators to manage the IE settings of the users' computers in a domain by setting the security zones, privacy settings and other parameters centrally with the help of group policy.

Using Local Group Policy

Local Group Policies affect only the users who log in to the local machine but domain-based policies affect all the users of the domain. If you are creating domain-based policies then you can create

policy at three levels: sites, domains and OUs. Besides, you have to make sure that each computer must belong to only one domain and only one site. A group policy object (GPO) is stored on a per domain basis. However, it can be associated with multiple domains, sites and OUs and a single domain, site or OU can have multiple GPOs. Besides this, any domain, site or OU can be associated with any GPO across domains. When a GPO is defined it is inherited by all the objects under it and is applied in a cumulative fashion successively starting from local computer to site, domain and each nested OU. For example if a GPO is created at domain level then it will affect all the domain members and all the OUs beneath it. After applying all the policies in hierarchy, the end result of the policy that takes effect on a user or a computer is called the Resultant Set of Policy (RSoP). To use GPOs with greater precision, you can apply Windows Management Instrumentation (WMI) filters and discretionary access control list (DACL) permissions. The WMI filters allow you to apply GPOs only to specific computers that meet a specific condition. For example, you can apply a GPO to all the computers that have more than 500 MB of free disk space. The DACL permissions allow you to apply GPOs based on the user's membership in security groups. Windows Server 2003 provides a GPMC (Group Policy Management console) that allows you to manage group policy implementations centrally. It provides a unified view of local computer, sites, domains and OUs (organizational units). You can have the following tools in a single console: Active Directory Users and Computers Active Directory Sites and Services Resultant Set of Policy MMC snap-in ACL Editor Delegation Wizard The screenshot below shows four tools in a single console.

A group policy can be configured for computers or users or both, as shown here:

The Group Policy editor can be run using the gpedit.msc command. Both the policies are applied at the periodic refresh of Group Policies and can be used to specify the desktop settings, operating system behavior, user logon and logoff scripts, application settings, security settings, assigned and published applications options and folder redirection options. Computer-related policies are applied when the computer is rebooted and User-related policies are applied when users log on to the computer.

Configuring a Local Group Policy

To configure a local group policy, you need to access the group policy editor. You can use Group Policy Editor by logging in as a local administrator from any member server of a domain or a workgroup server but not from a domain controller. Sometimes this tool, or other Active directory tools that you need to manage group policy, does not appear in Administrative Tools. In that case you need to follow steps 1-10 given below to add Group Policy Editor tool in the console. 1. Click Start->Run and type mmc. The Console window appears, as shown below: 2. Select Add/remove Snap-in from the File menu.

The Add/Remove Snap-in window appears, as shown below: 3. Click Add. 4. The Add Standalone Snap-in window appears. 5. Select Group Policy Object Editor snap-in from the list. 6. Click Add and then click OK in Add/remove Snap-in window.

The Select Group Policy Object window appears, as shown below: 7. Keep the default value Local Computer 8. Click Finish.

The Local Computer Policy MMC appears, as shown below. You can now set the Computer Configuration or User Configuration policies as desired. This example takes User Configuration setting. 9. Expand User Configuration node:

10. Expand Administrative Templates and then select the Start Menu and Taskbar node, as shown in Figure 7. 11. Double-click the settings for the policy that you want to modify from the right panel. In this example double-click Remove Run Menu from Start Menu.

The properties window of the setting appears as shown in the below screenshot: 12. Click Enabled to enable this setting.

Once you click on 'OK', the local policy that you have applied will take effect and all the users who would log on to this computer will not be able to see the Run menu item of the Start menu. This completes our Local Group Policy configuration section. Next section (coming soon) covers Domain Group Policies that will help you configure and control user access throughout the Active Directory Domain.

Configuring Domain Group Policy for windows 2003

Windows 2003 Group Policies allow the administrators to manage a group of people accessing a resource efficiently. The group policies can be used to control both the users and computers. They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.

The group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, the Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of Run command from the start menu. This will ensure that the users will not find Run command on that computer. The Domain-based Group Policies on the other hand allow the domain/enterprise administrators to manage all the users and the computers of a domain/ forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains, and OUs through group policies. There are more than 2000 pre-created group policy settings available in Windows Server 2003/ Windows XP. A default group policy already exists. You only need to modify it by setting values of different policy settings according to your specific requirements. You can also create new group policies to meet your specific business requirements. The group policies allow you to implement: Registry based settings: Allows you to create a policy to administer operating system components and applications. Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria, or URL zone. Software restrictions: Allows you to create a policy that would restrict users to run unwanted applications and protect computers against virus and hacking attack. Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy. Automation of tasks using computer and User Scripts Roaming user profiles: Allow mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server. Internet Explorer maintenance: Allow administrators to manage the IE settings of the user's computers in a domain by setting the security zones, privacy settings, and other parameters centrally with the help of group policy.

Configuring a Domain-Based Group Policy

Just as you used group policy editor to create a local computer policy, to create a domain-based group policy you need to use Active Users and Computers snap-in from where you can open the GPMC . Follow the steps below to create a domain-based group policy 1. Select Active Directory Users and Computers tool from the Administrative Tools. 2. Expand Active Directory Users and Computers node, as shown below.

3. Right-click the domain name and select Properties from the menu that appears.

4. Click the Group Policy tab. 5. The Group Policy tab appears with a Default Domain Policy already created in it, as shown in here:

You can edit the Default Domain Policy or create a new policy. However, it is not recommended to modify the Default Domain Policy for regular settings. We will select to create a new policy instead. Click New to create a new group policy or group policy object. A new group policy object appears below the Default Domain Policy in the Group Policy tab, as shown below:

Once you rename this group policy, you can either double-click on it, or select it and click Edit. You'll next be presented with the Group Policy Object Editor from where you can select the changes you wish to apply to the specific Group Policy:

In this example, we have selected to Remove Run menu from Start Menu as shown above. Doubleclick on the selected setting and the properties of the settings will appear. Select Enabled to enable this setting. Clicking on Explain will provide plenty of additional information to help you understand the effects of this setting.

When done, click on OK to save the new setting. Similarly you can set other settings for the policy. After setting all the desired options, close the Group Policy Object editor . You new group policy will take effect.

Active Directory Tombstone Lifetime Modification Tombstone is a container object that contains the deleted objects from Active Directory. Actually when an object is deleted from Active Directory, it is not physically removed from the Active Directory for some days. Rather, the Active Directory sets the isDeleted' attribute of the deleted object to TRUE and move it to a special container called Tombstone, previously known as CN=Deleted Objects. The tombstones cannot be accessed through Windows Directories or through Microsoft Management Console (MMC) snap-ins. However, tombstones are available to Directory Replication Process, so that the tombstones are replicated to all the domain controllers in the domain. This process ensures that the object deleted is deleted from all the computers throughout the Active Directory. The tombstone lifetime attribute is the attribute that contains a time period after which the object is physically deleted from the Active Directory. The default value for the tombstone lifetime attribute is 60 days. However, you can change this value if required. Usually tombstone lifetime value is kept longer than the expected replication latency between the domain controllers so that the tombstone is not deleted before the objects are replicated across the forest.

The tombstone lifetime attribute remains same on all the domain controllers and it is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when an object was deleted logically from the Active Directory, rather than the time when it is received as a tombstone on a server through replication. Changing Tombstone Lifetime Attribute The tombstone lifetime attribute can be modified in three ways: Using ADSIEdit tool, using LDIF file, and through VBScript. Using ADSIEdit Tool The easiest method to modify tombstone lifetime in Active Directory is by using ADSIEdit. The ADSIEdit tool is not installed automatically when you install Windows Server 2003. You need to install it separately by installing support tools from Windows Server 2003 CD. If you haven't got your CD's in hand, you can simply download the Windows 2003 SP1 Support Tools from Firewall.cx here. To install ADSIEdit tool and to modify tombstone lifetime in Active Directory using this tool, you need to: Insert the Windows Server 2003 CD. Browse the CD to locate the Support\Tools directory. Double-click the suptools.msi to proceed with the installation of support tools. Select Run command from the Start menu. Type ADSIEdit.msc to open the ADSI Editor, as shown below:

The ADSI Edit window appears:

6. Expand Configuration node then subsequently expand CN=Configuration, DC Firewall, DC=cx node. 7. Expand CN-Services node. 8. Drill down to CN=Directory Service under CN Windows NT , as shown in the figure below:

9. Right-click CN=Directory Service and select Properties from the menu that appears The CN=Directory Service Properties window appears, as shown below: 10. Double-click the tombstoneLifetime attribute in the Attributes list.

The Integer Attribute Editor window appears, as shown below:

11. Set the number of days that tombstone objects should remain in Active Directory in the Value field. 12. Click OK . The Tombstone Lifetime has now been successfully changed.

Other Ways Of Changing The Tombstone Lifetime Attribute Using an LDIF file To change the tombstone lifetime attribute using LDIF file, you need to create a LDIF file using notepad and then execute it using LDIFDE tool. To change the tombstone lifetime attribute using LDIF file, you need to: 1. Create a text file using notepad with the following content: dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, , <ForestRootDN> changetype: modify replace: tombstoneLifetime tombstoneLifetime: <NumberOfDays> 2. Provide the appropriate values in the text between <>. For example put the name of your Active Directory Forest Root domain in the <ForestRootDN> and put the number of days you want to set for tombstone lifetime in <NumberOfDays>. 3. Don't forget to put "-" on the last line. 4. Save the file with .ldf extension. 5. Open the Command Prompt and type the following command on the command prompt: Ldifde v I f <Path to tombstoneLifetime.ldf> The Tombstone Lifetime is successfully changed. Using a VBScript To change tombstone lifetime using VBScript, you need to type the following code with appropriate values and execute the script. intTombstoneLifetime = <NumberOfDays> set objRootDSE = GetObject("LDAP://RootDSE") set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _ "cn=Services," & objRootDSE.Get("configurationNamingContext") ) objDSCont.Put "tombstoneLifetime", intTombstoneLifetime objDSCont.SetInfo WScript.Echo "The tombstone lifetime is set to " & _ intTombstoneLifetime