Week 5 - Group Policies (1).pptx
Week 5: Group Policy
NTWK-8070: Windows Server Roles and Features

This week…
This week we will learn about:
• Introduction to GPOs
• Types of Policies
• Working with Group Policy
• Example Policies

Group Policies – What are they?

Group Policies
• Group Policies are defined as an “infrastructure to allow you to manage specific configurations for users and computers”
• Group Policies exist in two forms:
  – Local Group Policy – applying to local computers
  – ADDS (Active Directory) Group Policy – or a policy that is applied to domain users and computers

What are they used for?
• Group Policies are used in order to secure your organization and provide “standards”. You can also perform a wide number of other tasks through Group Policy.
• With Group Policy you can (a non-exhaustive list):
  – Set Password Policies
  – Deploy Software
  – Control access to system features (i.e. disable certain applications)
  – Disallow access to certain devices (such as USB drives)
  – Disable certain accounts (Administrator, Guest)
  – Apply login/logoff scripts
  – Map printers and shared drives

Local Group Policy Editor

The Local Group Policy editor
• Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that is used to configure and modify Group Policy settings within Group Policy Objects (GPOs).
• It applies only to the computer on which the Group Policy is configured.
• Cannot be used to administer Domain Group Policies.
• Can only administer a single Group Policy that applies to the single computer it is applied on.

Group Policy Management

The Domain Group Policy Management
• Is used on PAWs (Privileged Access Workstations – more on that later), Servers, Member Servers, and those that have Remote Server Administration Tools to manage Group Policies across the domain/organization.
• Is used to administer Group Policy Objects across your entire domain/organization.

GPOs – What are they?
GPOs
A GPO is a “Group Policy Object”
• GPOs are collections of Group Policies
• Are only accessible from the Domain Group Policy Management
• You can have as many group policy objects as you want

How do GPOs apply?
In order to use GPOs, you must link them first. With the exception of a GPO known as “Default Domain Policy”, GPOs must be “Linked” to an OU (Organizational Unit) before they apply.
• This is one of the benefits of GPO: You can apply different policies to different Organizational Units.

GPO application order
In order to prevent GPO conflicts, GPOs apply in a specific order: LSDOU
• Local
• Site
• Domain
• Organizational Unit
Each subsequent GPO application takes precedence over the ones before it.

GPO Application Example
L – Minimum Password Length: 18, Screen timeout: 5 min
S – Minimum Password Length: 8, Wallpaper: Blue.jpg
D – Minimum Password Length: 12, Screen timeout: 15 min
OU – Minimum Password Length: 10, Wallpaper: Red.jpg

• Password Length: 10, why? This is because it is specified at the OU level. It overwrites any changes from L, S, D applications.
• Screen Timeout: 15 min, why? Because the Domain policy overwrites anything in the Local group policy (not specified anywhere else).
• Wallpaper: Red.jpg. Why? Because it’s specified in the OU level, overwriting anything else above it.

Linking a GPO
As mentioned, before a Group Policy is applied, it must be “linked” to an OU. This introduces the concept of inheritance. With inheritance, child objects (OUs) inherit any policies above them.

GPO Inheritance
A GPO applied to an organizational unit applies directly to all users and computers in the organizational unit and, by inheritance, to all users and computers in child organizational units. You can, however, specify “Enforce” or “Block”.

Blocking Inheritance
As mentioned, child OUs get all linked policies above them (higher-level OUs, Domain and Site policies). Blocking Inheritance will sever the link between this hierarchy – meaning that only directly-linked GPOs will apply.
(OUs under will receive these linked GPOs, but nothing higher)

Enforcing Inheritance
Sometimes you want to ensure that GPOs can’t be blocked.
• Enforcing is also known as “no override”
• It is applied on a GPO (rather than an OU)
• Also prevents changes from being overwritten by child OU GPO objects/settings

GPO Link Order – Conflict Resolution
Conflicts are addressed by Link Order
• If you have multiple conflicting OUs, Link Order comes into play.
• Unlike the Application Order (LSDOU) – Link order is in order of most importance:
  – A GPO with a link order of 1 will take precedence over a GPO with a link order of 2
  – Policies will still filter down (meaning that those policies that don’t exist in the GPO with the LO of 1 will be applied from a GPO with the LO of 2).
• “Enforced” GPOs bubble up to the top, and will still remain at the top.

Example – Link Order

Example – Link Order explained
In the previous screenshot, you can see the “link order” and “enforcement” in play. However, notice that although the first enforced policy – the “Default Domain Policy Enforced” – is #12, it still bubbles up to the top.
• So, Enforced GPOs have their own hierarchy at the top, then come non-enforced GPOs

Group Policies – Working with Group Policies

Working with GPOs
Before we work with GPOs, we must first understand the two types of policies: User and Computer policies.

User versus Computer

User Policies
You can use User Configuration in Group Policy to set policies that apply to users, regardless of which computer they log on to. User Configuration typically contains subitems for Software Settings, Windows Settings, and Administrative Templates.

Computer Policies
• With Computer Configuration in Group Policy, you can set policies that are applied to computers, regardless of who logs on to the computers.
• Computer Configuration typically contains Software Settings, Windows Settings, and Administrative Templates.
Policies versus Preferences
For the context of this course, we will be discussing Policies, not preferences. However, a short description is still beneficial: Preferences are just that – settings that you are able to push out through Group Policy. The key difference is in security: Group Policy Preferences (unlike Policies) are not strictly enforced.

A note on security:
• Group Policies are almost always Registry Changes.
• They are written to a special location and almost always protected from being able to be changed by regular users.
  – Unlike Preferences, which are simply changes to things like INI config files
• Group Policies are also enforced and updated at regular intervals (90 minutes + random offset of up to 30 minutes, so between 1.5 hours and 2 hours). They also happen at logon/logoff.

Software Settings, Windows Settings and Administrative Templates
Inside of GP Management there are also 3 subtypes of policies: Software Settings, Windows Settings, and Administrative Templates.
• Software Settings are settings that are related to deploying applications through Group Policy
• Windows Settings are built-in settings that allow you to control a number of system-specific preferences that are key to Windows, such as Security
• Administrative Templates are an extendible list that is used to manage applications and other types of policies
In this class, we will be discussing Windows Settings and Administrative Templates exclusively.

Creating Group Policies
As mentioned, in order to use a new or custom group policy (Default Domain Policy always exists) – you must first create one and link it to an OU.
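The create-and-link step described above, combined with the Block Inheritance and Enforce options from the earlier slides, as an added PowerShell example that is not part of the original lecture. The domain `example.test`, the OUs `Workstations` and `Kiosks`, and the GPO name are assumptions; the cmdlets come from the GroupPolicy module installed with RSAT, and `DisableTaskMgr` is the registry value chosen here to illustrate a setting.

```powershell
#Requires -Modules GroupPolicy
# Added example. Assumed names (not from the lecture): domain example.test,
# OU "Workstations", its child OU "Kiosks", GPO "Lab - Disable Task Manager".
$domainDn = 'DC=example,DC=test'
$parentOu = "OU=Workstations,$domainDn"
$childOu  = "OU=Kiosks,$parentOu"
$gpoName  = 'Lab - Disable Task Manager'

# 1. Create the GPO, or reuse it on a re-run. Unlinked, it applies to nothing.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lab: Task Manager disabled for users'
}

# 2. Configure one registry-based User Configuration setting. DisableTaskMgr = 1
#    is the value this example uses for the "Enabled" state of that policy item.
$setting = @{
    Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    ValueName = 'DisableTaskMgr'
    Type      = 'DWord'
    Value     = 1
}
Set-GPRegistryValue -Name $gpoName @setting | Out-Null

# 3. Link the GPO to the parent OU (non-enforced); child OUs inherit it.
$link = (Get-GPInheritance -Target $parentOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if ($link) {
    Set-GPLink -Name $gpoName -Target $parentOu -LinkEnabled Yes -Enforced No | Out-Null
} else {
    New-GPLink -Name $gpoName -Target $parentOu -LinkEnabled Yes | Out-Null
}

# 4. Block inheritance on the child OU: GPOs linked higher up stop applying there.
Set-GPInheritance -Target $childOu -IsBlocked Yes | Out-Null
$blocked = (Get-GPInheritance -Target $childOu).InheritedGpoLinks.DisplayName

# 5. Enforce the link ("no override"): the GPO now passes the block.
Set-GPLink -Name $gpoName -Target $parentOu -Enforced Yes | Out-Null
$enforced = (Get-GPInheritance -Target $childOu).InheritedGpoLinks

# 6. Report what reaches the child OU before and after enforcement.
"Reaches $childOu while blocked and not enforced: $($blocked -contains $gpoName)"
$enforced | Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize
```

Run it from a management host against a lab domain; clients pick up the change at their next policy refresh or after `gpupdate /force`.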
Changing GPO Settings

Editing Policies

Policy Configuration Basics

Nomenclature
• Not Configured: This is the default “leave whatever the manufacturer/vendor wants” – or “default settings”
• Enabled: This “enables” the specific policy item, for example “Enabling the Disable Task Manager policy item will disable Task Manager”
• Disabled: This “disables” the specific policy item, for example “disabling the Disable Task Manager policy item will enable Task Manager”

Nomenclature - Continued
• Options: Sometimes additional options are provided, such as being able to specify the nuances of a specific group policy item.
• Comment: This is a field for sysadmins to specify a comment for internal use. Completely optional.
• Supported On: This tells you which operating systems the Group Policy object will apply to.

End of Lecture, Questions?