
Active Directory

Group Policy

Group Policy Overview
- Successor to NT policies
  - Much more flexible
- Only applies to Windows 2000 workstations
  - Use old style policies for NT
- Used to manage desktop environment
- Integrated into Active Directory

What Can Group Policy Manage?
- Administrative Templates (registry-based settings)
- Security settings
- Software installation
- Scripts
  - Login, logout, startup, shutdown
- Folder redirection
- Remote Installation Services
- Internet Explorer maintenance

Registry-based Settings
- Control over desktop, control panel access, Start Menu and Taskbar, some Windows components, and more
- Generally three settings: Not configured, Enabled, Disabled
- Implemented via Administrative Templates
  - Text file with .adm extension
- Extensible
  - Can create your own
  - Some programs ship with their own (Office)

Security Policy Settings
- Account Policies: password, account, Kerberos
- Local Policies: auditing, user rights, security options
- Event Log: e.g. maximum size
- Restricted Groups: group membership
- System Services: security and startup settings
- Registry: registry key security
- File System: file system security
- Public Key Policies: encrypted data, certificate authorities
- IP Security Policies: IP security

Software Installation
- Use to install software
- Use to upgrade software
- Three methods
  - Assign applications to users
  - Assign applications to computers
  - Publish applications to users
    - Available to users, but not installed unless requested

Script Settings
- Assign scripts (login, logout etc.)
- Set processing order

Folder Redirection
- Redirect special folders
  - Start Menu, Desktop
  - My Pictures, My Documents, Application Data
- Choices
  - No redirection
  - Direct to same location
  - Different locations based on security groups

Parts of Group Policy Objects
- Each GPO has two sections
  - Computer Configuration
  - User Configuration
- Each part may be disabled
  - Properties of GPO/General
- Recommended: if a section is unused, disable it
  - E.g. on a GPO that configures the user desktop, disable the Computer Configuration section

Creating Group Policy Objects
- AD Users and Computers
  - Properties of Domain/OU
  - Creates new GPO linked to that domain/OU
- AD Sites and Services
  - To create site GPO
- Also via MMC Group Policy Snap-in
  - To create a GPO not linked to a site, domain or OU

How are Group Policy Objects Applied?
- GPOs may be linked to AD containers
  - Sites, Domains and Organizational Units (OUs)
- Apply to users and computers within container
- Objects in child OUs inherit GPO settings from parent OUs, domain and site unless explicitly blocked
  - No inheritance across domain boundaries
- One GPO may be linked to multiple containers
- Multiple GPOs may be linked to a container
- GPOs are not linked to groups

Modifying GPO Inheritance
- Block Inheritance
  - If enabled on a container, objects in the container do not receive any GPO settings from parent containers
- No Override
  - If enabled on a GPO link, inheritance of GPO settings cannot be stopped via block inheritance
  - NB Applied to the link, not the GPO itself

Filtering Group Policy Settings
- GPO settings applied to all objects in container
- Filter using security groups
  - Change default GPO permissions
  - Need Read and Apply Group Policy ACEs to be able to apply a GPO
  - Need Read and Write ACEs to be able to read and modify a GPO

Deleting and Disabling Group Policy Objects
- Disabling a GPO
  - Disable Computer or User sections
  - Disable both to disable GPO entirely
  - Also disable using Options button in AD Users and Computers/Container Properties
- Deleting a GPO
  - AD Users and Computers
  - Will be offered two options
    - Remove the link from the list: deletes link but not GPO
    - Remove the link and delete the GPO permanently: deletes GPO

Disabling and Inheriting: What do the Properties Belong to?
- Properties of a given GPO
  - Disable Computer Configuration Settings
  - Disable User Configuration Settings
- Properties of a given container
  - Block policy inheritance
- Properties of a given link
  - No override
  - Disabled: the GPO is not applied to this container

Storage of Group Policy Objects
- Group Policy Container (GPC)
  - Active Directory object storing version, status etc.
  - View by enabling Advanced Features in AD Users and Computers, then System/Policies
  - Named by GUID
- Group Policy Template (GPT)
  - Sysvol\Policies folder
  - Contains all GP settings
  - Named by GUID
- GPC and GPT replicated separately
  - Policies only apply if both GPC and GPT are in sync

Storage of Group Policy Settings
- Stored in client registry
  - HKEY_LOCAL_MACHINE (Computer settings)
  - HKEY_CURRENT_USER (User settings)
- Special registry keys used
  - \Software\Policies (preferred)
  - \Software\Microsoft\Windows\CurrentVersion\Policies
- Removed when GPO no longer applies

Order of GPO Application
- Order of application is Site, Domain, OU (SDOU)
- Multiple OUs: order of application is according to domain hierarchy (start at top of tree and work down)
- Multiple GPOs for same OU: processed in reverse order of the list of GPOs shown for that OU
  - I.e. GPO at top of list takes precedence
  - Order can be changed

When are GP Settings Applied?
- Computer settings
  - On boot
  - According to periodic refresh cycle
- User settings
  - On user logon
  - According to periodic refresh cycle
- If computer and user settings conflict, computer settings take precedence

Refreshing Group Policy
- Default refresh intervals
  - 2000 Professional and member servers: every 90 minutes with randomized 30 minute offset
  - Domain controllers: every five minutes
- Changed by altering administrative template settings for users or computers
- Exception: software installation and folder redirection policies only applied on boot or user logon, not periodically

Conflicts
- Where settings for GPO of parent container conflict with those for GPO of child, child container settings win
- Where settings from different GPOs linked to same container conflict, settings of GPO highest in list win
  - Use Up/Down to change position
- Exception: where computer and user settings conflict, computer settings win
  - Except IP Security and User Rights settings
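The application order, Block Inheritance, No Override and the conflict rules from the last few slides, as an added model (not from the original slides): containers are processed Site, Domain, then OUs top-down, the GPO at the top of a container's list wins within that container, Block Inheritance drops inherited settings except those from No Override links, and computer settings beat user settings. It goes one step beyond the slides in also letting a No Override link's settings stand against lower containers, which is how Windows treats such links. All container, GPO and setting names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One GPO link as it appears in a container's GPO list."""
    gpo: str
    settings: dict           # setting name -> value (constructed sample data)
    no_override: bool = False


@dataclass
class Container:
    """A site, domain or OU with its ordered list of GPO links."""
    name: str
    links: list              # top of the list = highest precedence
    block_inheritance: bool = False


def resolve(chain):
    """chain: containers from the site down to the object's own OU (SDOU).

    Returns {setting: (value, gpo_name)} as the object would receive it.
    """
    result = {}
    enforced = {}            # settings fixed by No Override links so far
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops everything inherited from parents
            # except settings delivered by No Override links.
            result = dict(enforced)
        # The GPO list is processed bottom-up, so the GPO at the top of
        # the list is applied last and therefore wins within the container.
        for link in reversed(container.links):
            for key, value in link.settings.items():
                if key in enforced:
                    continue     # already fixed by a No Override link
                result[key] = (value, link.gpo)
                if link.no_override:
                    enforced[key] = (value, link.gpo)
    return result


def effective(computer_settings, user_settings):
    """Merge resolved computer and user settings; computer wins on conflict."""
    merged = dict(user_settings)
    merged.update(computer_settings)
    return merged
```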

Managing Group Policy Objects
- Creating or editing GPOs controlled by PDC emulator by default
  - Minimises conflicts
- To change
  - Group Policy MMC snap-in/View/DC Options
  - Or use Group Policy
  - Recommended that this is left unchanged
- NB By default, only Domain Admins, Enterprise Admins, Group Policy Creator Owners and the System account can create and edit GPOs

Loopback Processing
- Computer settings part of GPO linked to OU apply only to computers within that OU
- Similarly, user settings apply only to users within the OU
- Therefore, normally, a user in OU A logging on to a computer in OU B gets a combination of user settings from OU A GPOs and computer settings from OU B GPOs (and any inherited etc.)

Loopback Processing cont.
- May want to apply same user settings to any user logging on to a given workstation, regardless of user OU
  - E.g. classroom, public area workstations
- Loopback processing does this
  - Merge mode applies normal GPOs for user as well (but those from computer take precedence)
  - Replace mode does not apply normal GPOs for user
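The two loopback modes from the slides above, as an added model (not from the original slides) of which user settings a logon ends up with: normal processing uses only the user's own GPOs, Merge applies the user's GPOs and then the computer's (so the computer's win on conflict), and Replace ignores the user's GPOs entirely. The OU names and settings are constructed.

```python
def apply_in_order(gpo_settings):
    """Apply user-setting dicts in precedence order; later entries win."""
    merged = {}
    for settings in gpo_settings:
        merged.update(settings)
    return merged


def loopback_user_settings(user_ou_gpos, computer_ou_gpos, mode="none"):
    """User settings a logon receives under the given loopback mode.

    user_ou_gpos / computer_ou_gpos: the user-settings part of the GPOs
    that apply to the user's OU chain and to the computer's OU chain,
    each already ordered lowest precedence first (constructed sample data).
    """
    if mode == "none":       # normal processing: only the user's own GPOs
        return apply_in_order(user_ou_gpos)
    if mode == "merge":      # user's GPOs first, then the computer's,
        return apply_in_order(user_ou_gpos + computer_ou_gpos)  # computer wins
    if mode == "replace":    # the user's own GPOs are ignored entirely
        return apply_in_order(computer_ou_gpos)
    raise ValueError(f"unknown loopback mode: {mode}")


# Constructed sample: a user from the "Staff" OU logs on to a classroom
# workstation whose OU carries its own user settings for loopback.
STAFF_USER_GPOS = [{"wallpaper": "staff", "homepage": "intranet"}]
CLASSROOM_GPOS = [{"wallpaper": "classroom", "start_menu": "locked"}]
```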

Local Group Policy
- Computers also have a single Local Group Policy Object (LGPO)
  - Only supports Security Settings, Administrative Templates and Scripts
  - Processed before AD GPOs
  - Block inheritance does not stop its application
- Generally unused in an AD setup
  - Most useful for configuring standalone computers

Delegation
- It is possible to delegate responsibility for the following tasks
  - Managing links
  - Creating GPOs
  - Editing GPOs

Exceptions for Domain Controllers
- Some settings only from GPOs linked to domain
  - Domain controllers share same account database, so some settings must be the same
  - Not applied to Domain Controllers OU because DCs may be moved out of this OU
- NB Can change these settings in other GPOs, but this will have no effect on domain policy
  - Will affect local logons (i.e. non-domain) if they apply to workstations or member servers

Exceptions for Domain Controllers cont.
- Domain-wide settings
  - All account policies (Computer Configuration/Windows Settings/Security Settings)
    - I.e. Password, Account Lockout and Kerberos policies
  - Some settings from Computer Configuration/Windows Settings/Local Policies/Security Options
    - Automatically log off users when logon time expires
    - Rename administrator account
    - Rename guest account

Common Desktop Management Scenarios
- Package containing GPOs developed for six different scenarios that can be loaded into AD
  - Includes white paper describing scenarios
  - Excel spreadsheet documenting all GPO settings
- Scenarios are for the following
  - Lightly Managed Desktop (e.g. power user)
  - Mobile User
  - Multi-User Desktop
  - AppStation (Highly Managed Desktop) (e.g. admin user)
  - TaskStation (e.g. single task)
  - Kiosk (e.g. public workstation)

Common Desktop Management Scenarios
- NB Loading GPOs into AD does not mean they take immediate effect
  - Not linked to any container
  - Use as starting points
- Use Excel spreadsheet to document GPO changes

Common Desktop Management Scenarios
- White paper
  - http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/grppolsc.asp
- All files
  - http://www.microsoft.com/windows2000/zipdocs/grouppolscen.exe

OU Design Issues
- Deep OU structure
  - Easier to apply GPOs without filtering
  - More likely to require inheritance modifications
- Flat OU structure
  - More likely to need filtering
  - Easier to troubleshoot (fewer inheritance issues)

Number of GPOs Required
- Few comprehensive GPOs
  - Less to manage
  - Shorter logon times
- Many narrowly focussed GPOs
  - More to manage
  - Likely to need more filtering
  - Increased logon times
- In theory, up to 20 GPOs applying to a user should not have a major impact on logon times

Recommendations
- Disable unused parts of GPO (computer, user settings)
- Limit use of inheritance blocking, no override, loopback processing and filtering
  - Simplifies troubleshooting
- Limit total number of GPOs that apply to a user or computer
  - Improves logon times

Recommendations cont.
- Limit the number of admins who can edit GPOs
- Test thoroughly before applying to users/computers
- Document settings
  - Use spreadsheets from Common Desktop Management Scenarios package


Diagnosing Problems
- Resource kit
  - Gpotool.exe
  - Gpresult.exe
- FAZAM 2000
  - Helps to see end results of applying a number of GPOs
  - http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/fazam2000-o.asp
    - Reduced functionality version
  - http://www.fullarmor.com/solutions/group/
    - Full, commercial version
