Windows Lesson 9 - Group Policies
In this lesson we are going to learn about group policies, we will learn what they are, how to apply them, how to change settings, and how to troubleshoot.
What is a Group Policy?
A Group Policy is an object in Active Directory that contains settings that can be applied to users and/or computers. The name Group Policy refers to it being a collection, or a grouping, of settings and has nothing to do with security groups.
Once you've created a Group Policy Object (GPO) you need to link it to either a Domain, Site, or OU. The tool used to perform this linking is called Group Policy Management. Group Policy Management displays your Active Directory OU structure allowing you to link GPOs to your domains, sites, and OUs. Keep in mind that Group Policy Management is used to manage Group Policies, and Active Directory Administrative Center is used to manage user and computer accounts. If you create a GPO and link it to an OU and then want to move a user into that OU you will need to switch to Active Directory Administrative Center to manage the user account.
Linking Group Policies
In Group Policy Management there is a folder called Group Policy Objects which contains a list of all your GPOs. You can create new GPOs here then link them to multiple places. You can drag and drop a GPO onto a domain, site, or OU.
Alternatively you can right click on a domain, site, or OU and chose the option to link an existing GPO. Then you're able to chose the GPO to link. If you want you can create and link a GPO in one step using the right click menu.
If you forget to link the GPO to something then none of the settings will be applied. When troubleshooting why GPO settings aren't applying verify you've linked the GPO to the correct spot.
One of the advantages of a GPO is you can link it to multiple spots. For example you could create a GPO that installs developer tools for your users. Then you can apply it to each OU that contains the users that need to use the developer tools. If you select the GPO in Group Policy Management you can see where it's linked in the Location box.
We've learned that we can organize our OU's in a hierarchical structure. We can use this OU structure to our advantage when applying GPOs. You may find yourself making OU design decisions based on what you can do with GPOs. In our lab environment we have all split into child OUs for each department so you can create different GPOs for each department.
When you link a GPO to an OU it will affect all child OUs. This can result in an OU have multiple GPOs applied. When this happens the order in which the GPOs are applied becomes important. The GPOs are applied in the following order.
Local computer policy
When the GPOs are applied they overwrite each other if any of the settings conflict resulting in the Child OU winning. In the image below we see the policies applied to the GotoHull Users OU. The Default Domain Policy is applied first then the GotoHull Users policy, since the GotoHull Users policy is applied second it overwrites any conflicts in the Default Domain Policy.
You can override this behavior of inheritance by blocking it. When you block inheritance on an OU, policies from above aren't applied.
You may want to push an individual policy through all blocks, you can do this by enforcing it. When you enforce a policy that's linked to something it will apply everywhere, even when inheritance is blocked.
When you right click on a GPO that's linked to an OU you get see the option to enforce the policy. It's important to understand what that option means. It means the GPO will push through any block. This option does not mean turn the policy on. The Link Enabled option is all that's needed to turn the policy on.
Two Parts of a Group Policy
In Group Policy Management you can right click on a GPO to edit the setting. When looking at a GPO we see it's split into two sections, a Computer section and a User section.
When you configure settings in a GPO you need to know where it will be applied and what type of objects exist there. If you make changes to the computer configuration and apply the policy to an OU that contains users nothing will happen. This is because only computer objects would be affected and there are no computer objects in the OU.
There are times when you want to apply setting for each user that signs into a computer. For example if you have a computer lab and you want to lock down the settings for each user who uses the lab. You can do this by turning on Group Policy loopback processing mode. In this mode you can have a GPO linked to an OU that contains computers and configure settings in the user portion. The user settings will be applied to any user who signs into those computers. This settings is found in a GPO under Computer Configuration - Policies - Administrative Templates - System - Group Policy - Configure user Group Policy loopback processing mode.
Group Policy Policies vs Preferences
When you edit a GPO you will see an option for Policies and Preferences under both computer and user. Windows NT had System Policies you could use to change the settings on your client computers. In Window 2000 Server they were rebranded Group Policies and consisted of Policies. The Policies modify the registry settings on our clients controlling different aspects of the system. When a policy is applied the settings are enforced and can not be modified by the user.
In Windows Server 2008 Microsoft introduced Group Policy Preferences. The Preferences were formally a third party product called PolicyMaker that Microsoft purchased and integrated into Group Policy. There are a lot of settings that can be configured in both Policies and Preferences. The preferences give you an easier interface to manage the settings.
The main difference between a policy and preference is the options for how they are applied. When you put a GPO in place it's in effect until the GPO is not longer applied. With a preference you can specify it to be a first run setting and allow the user to change the setting. For example you can set everyone to have the same home page in Internet Explorer, but let them change it to something else if they want.
Group Policy Settings
We learned there are two sections to a GPO, Computer and User, each containing a Policies section. Under each of the policies section are three more sections. They are Software Settings, Windows Settings, and Administrative Templates. The Software Settings section is used to remotely install software on your client computers. The Windows Settings allows you to set scripts to run, redirect folders, configure Internet Explorer (IE) settings, and configure security settings. Administrative Templates contain all other settings and are expandable by using templates.
The Windows Settings section under Computer Configuration - Policies contains some important settings you can control. Here is a list of some of the common helpful ones.
Scripts - This is code that will run when the computer starts up or shuts down. This code runs before the computer is logged in, and after the users has logged out.
Account Policies - Used to set your password and authentication policies. You can use this to set the minimum length of passwords, how frequently they expire, enable complexity, and other options.
Restricted Groups - This allows you to control the membership of groups on your local computers. So you can make sure no one adds themselves to the local Administrators group.
System Services - This allows you to control what services are running on your client computers. This can come in handy if you want to shut down something on all your computers.
Registry - This allows you to remotely add values to the registry.
File System - This allows you to change the NTFS permissions remotely on your client computers. This can help if you need to give everyone full control to an older applications directory to make it run for non administrative users.
Public Key Policies - On your network you may want to setup secure access to services using certificates. If you generate free, in house, self signed certificates you can use this policy to tell all your clients to trust the certificate. This will prevent a security warning appearing when the users uses the resource.
Software Restriction Policies - You can use this to control what programs run on your clients. This can be helpful when trying to keep out viruses and spyware.
The Windows Settings section of the User Configuration has a couple important items as well
Scripts - This is code that will run when the user logs in or logs out.
Security Settings - In the user section you will find the ability to push out public keys and software restriction policies.
Folder Redirection - This allows you to redirect local folders to server folders. This way when users save their data to the folders it will be transparently sent to the server.
There are a lot of policies available in the Administrative Templates section, too many for us to cover. The policies are organized into categories helping you find what you're looking for. When you find a policy that you want you can select it and more information about the policy will appear in the left panel.
Double clicking on the policy will open the settings screen. You are able to enable or disable the policy and in some cases modify options for the policy.
The preferences section is organized by category as well.
When you configure a preference you are presented with a user friendly screen that looks similar to the screen used to configure the options on your clients. The advantage of this is you can use a preference to set multiple options using a familiar interface. In the image below we are adding a power plan that will require a password when the computer wakes up.
All preferences give you some additional options. The option to apply once and do not reapply is what make a preference different then policy. You can set the initial value for your users then let them modify it.
Once you have configured your policies you can use the settings tab to see what settings are in use. This provides a quick method for finding what settings are in use. This is better than hunting through a policy to see what's turned on.
Group Policies are great, but sometimes they don't seem to work right. When this happens there are some tools available to you to find out what's going.
In Group Policy Management there are two sections that can help.
Group Policy Modeling - This lets you answer the question what should happen. You run a wizard that shows what would happen if a particular user, or member of an OU logs into a particular computer, or a computer that's in an OU and shows you the outcome.
Group Policy Results - This lets you answer the question what did happen. This lets you pick a computer, and a user who has logged into that computer and it will show you what happened with the group policies when that user logged in.
Both of these tools will help discover inheritance problems, or other issues. There are some tools you can run on the clients to troubleshoot issues. When you create a GPO it can take time to replicate to all other DC's and all your clients. When you are making changes and testing them they delay will make it appear the settings aren't working. You can for the client to connect to the DC and retrieve an updated version of the policy by typing gpupdate /force from a command prompt. Since computer policies ar
e applied during the startup process you will need to restart to apply a new computer policy. If you're testing a policy applied to users log off to test them. This is because user policies are applied during the login process.
If a GPO doesn't seem to be applying you can use the gpresult command to help see what's going on. When you run gpresult it will show where your user object is in Active Directory. This can be helpful to make sure the computer thinks the user is in the correct OU. If you recently moved accounts around or created new OU's it may take some time to replicate. Gpresult helps you verify the computer thinks the account is in the right spot. If you run the command from a command prompt as administrator you'll see information on the computer account as well. Another thing gpresult shows you is that GPO's are applied. This lets you know if the problem is in the policy or in the way it's linked.
If you continue to have problems you can use the Resultant Set of Policy snap in to see what setting are applied in the GPOs. A snap in is an administrative tool that plugs into a Microsoft Management Console window. You can open Microsoft Management Console (MMC) by typing mmc at the start screen. With the empty MMC click File - Add/Remove Snap-in to display the list of available snap ins.
Find Resultant Set of Policy (RSoP) snap in and add it.
Once it's added step through the RSoP wizard.
The results will show you all the settings that are applied and where they came from. If there is a conflict you can use this to find out which one wins.