Working With Group Policy
This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal with the GPO itself and the settings inside it (these settings and configurations will be discussed in different articles). Note that this article was written and contributed to the site by Amir Meron.

Group Policy is one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:
1. Configure users' desktops
2. Configure local security on computers
3. Install applications
4. Run start-up/shut-down or logon/logoff scripts
5. Configure Internet Explorer settings
6. Redirect special folders
In fact, you can configure any aspect of the computer's behavior with it. Although it is a cool toy, working with it without proper attention can cause unexpected behavior.
Terms
Here are some basic terms you need to be familiar with before drilling down into Group Policy:

Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add the "Group Policy Object Editor" snap-in to MMC. Local policies also exist in the Active Directory environment, but have many fewer configuration options than the full-fledged Group Policy in AD.

GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO at the site level, domain level or OU level.

GPC - Group Policy Container - The GPC is the store of the GPOs; it is where the GPO stores all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or Site. The GPOs are replicated among the Domain Controllers of the Domain through replication of the Active Directory.

GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.

Netlogon share - A share located only on Domain Controllers that contains GPOs, scripts and .POL files for policy of Windows NT/98. The Netlogon share replicates among all DCs in the Domain, and is accessible read-only for the Everyone group and with Full Control for the Domain Admins group. The Netlogon's real location is: C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
www.petri.co.il/working_with_group_policy.htm 1/8
1/19/12
When a domain member computer boots up, it finds a DC and looks for the Netlogon share on it. To see which DC the computer used when it booted, go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.
GPO behavior
Group Policy is processed in the following order: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO, and so on. GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is overridden by Domain policy, and Domain policy is overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger than the previous one. The rule is simple: the closer you get to the object that is being configured, the stronger the GPO. What does "stronger" mean? If you configure a GPO and link it to the "Organization" OU, and in it you configure "Printer installation allowed", and then at the "Dallas" OU you configure another GPO that does not allow printer installation, then the Dallas GPO is more powerful and the computers in it will not allow installation of printers.

The example above is true when you have different GPOs that contain the same setting configured with opposite values. When you apply a couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.
You can configure GPOs with these sets of tools from Microsoft (other 3rd-party tools exist but we will discuss these in a different article):
1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the Run command.
2. Active Directory Users and Computers snap-in - or dsa.msc - to invoke the Group Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services - or dssite.msc - to invoke the Group Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows 2003 Server and needs to be installed separately. You can download it from Microsoft.

Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.
Linking a GPO
To link a GPO simply right-click an OU and choose "Link an existing GPO", or you can create and link a GPO at the same time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate Site, Domain or OU. When you right-click a link you can:

Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.
Prior to the use of GPMC, an administrator who wanted to find out which of the hundreds of settings of a GPO were actually configured had to open each GPO and manually comb through each and every node of the GPO sections. Now, with GPMC, you can simply see what the configuration of any GPO is by selecting that GPO and going to the Settings tab. There you can use the drop-down menus to see computer or user settings.
Block/Enforce inheritance
You can block policy inheritance to an OU if you don't want the settings from upper GPOs to configure your OU. To block GPO inheritance, simply right-click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs. In case you need one of the upper GPOs to configure all downstream OUs and overcome Block Inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and should rarely be used. You can see in this example that when you look at the Computers OU, three different GPOs are inherited by it.
In this example you can see that choosing "Block inheritance" will reject all upper GPOs.
Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.
Link order
When linking more than one GPO to an OU, there could be a problem when two or more GPOs have the same settings but with opposite configuration, e.g. GPO1 has "Allow printer installation" among other settings but GPO2 is configured to prevent printer installation among other settings. Because the two GPOs are at the same level, there is a link order, which can be changed. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
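To make the precedence rules above concrete (processing order Local > Site > Domain > OU > child OU, link order within one container, Block Inheritance and Enforce), here is a small model of how the winning value of each setting is decided. It is an added illustration, not code from the article or from Microsoft; the GPO names, the settings and the domain.com/Organization/Dallas containers are constructed for the example, and resolve and printer_example are names chosen here.

```python
"""Model of Group Policy precedence: processing order (Local, Site, Domain, OU,
child OU), link order inside one container, Block Inheritance and Enforce.
Added illustration, not code from the article; the GPO names and settings
below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict          # setting name -> configured value


@dataclass
class Link:
    gpo: Gpo
    order: int              # link order in the container; 1 is processed last and wins
    enforced: bool = False  # Enforce on the link: cannot be blocked, beats child containers


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local_policy, chain):
    """chain lists containers from the outermost (site) down to the one that holds
    the computer or user. Returns {setting: (winning value, winning GPO name)}."""
    normal = []    # non-enforced GPOs in processing order; a later one overrides an earlier one
    enforced = []  # enforced GPOs, outermost container first
    for container in chain:
        if container.block_inheritance:
            normal = []  # Block Inheritance drops every non-enforced GPO linked above this container
        # Higher link-order numbers are processed first, so link order 1 is applied last and wins
        for lnk in sorted(container.links, key=lambda x: x.order, reverse=True):
            (enforced if lnk.enforced else normal).append(lnk.gpo)
    # Local policy is always processed first (weakest). Enforced GPOs are applied after
    # all others, and the outermost enforced GPO wins, so they go innermost-first.
    sequence = [local_policy] + normal + list(reversed(enforced))
    result = {}
    for gpo in sequence:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


def printer_example(block_on_dallas):
    """The article's Organization/Dallas printer scenario plus link order and Enforce.
    block_on_dallas toggles Block Inheritance on the Dallas OU."""
    local = Gpo("Local Group Policy", {"AllowPrinterInstall": True, "Wallpaper": "local.bmp"})
    default_domain = Gpo("Default Domain Policy", {"PasswordMinLength": 8, "HideDrives": True})
    domain_wallpaper = Gpo("Domain Wallpaper", {"Wallpaper": "domain.bmp"})
    organization = Gpo("Organization Printers", {"AllowPrinterInstall": True, "HideDrives": False})
    dallas_allow = Gpo("GPO1 Dallas Allow Printers", {"AllowPrinterInstall": True})
    dallas_deny = Gpo("GPO2 Dallas Deny Printers", {"AllowPrinterInstall": False})
    chain = [
        Container("Default-First-Site-Name"),
        Container("domain.com", [Link(default_domain, 1, enforced=True), Link(domain_wallpaper, 2)]),
        Container("Organization", [Link(organization, 1)]),
        # GPO2 has link order 1, so it is processed last and its "deny" wins over GPO1
        Container("Dallas", [Link(dallas_allow, 2), Link(dallas_deny, 1)],
                  block_inheritance=block_on_dallas),
    ]
    return resolve(local, chain)


if __name__ == "__main__":
    for block in (False, True):
        print(f"Block Inheritance on Dallas: {block}")
        for setting, (value, winner) in sorted(printer_example(block).items()):
            print(f"  {setting:<20} = {value!s:<12} (winning GPO: {winner})")
```

Running it shows the three rules from the text in one place: the Dallas "deny" GPO beats the Organization "allow" because it is closer to the object, GPO2 beats GPO1 at the same level because its link order is 1, and the enforced Default Domain Policy keeps HideDrives enabled even when Dallas blocks inheritance (which is also what stops the non-enforced Domain Wallpaper GPO from reaching Dallas). The model deliberately ignores security filtering, WMI filters, loopback processing and disabled links, all of which also shape the real Resultant Set of Policy.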
Security Filtering
[The text of the Security Filtering section was lost in extraction.]
How GPO is inherited

GPO is inherited from:
1. Logon (if the settings are "user settings" in the GPO)
2. Restart of the computer (if the settings are "computer settings" in the GPO)
3. Every 60-90 minutes, the computers check their DC for updates.
4. Manually, by running the gpupdate command. You can add the /force switch to reapply all settings, not only the changed ones.

Note: Windows 2000 doesn't have the gpupdate command and needs a different set of commands instead:
secedit /refreshpolicy machine_policy for computer settings.
secedit /refreshpolicy user_policy for user settings.
Both accept the /enforce switch, which is similar to the /force switch of gpupdate.

[The rest of this section was lost in extraction.]
gpresult - The default result is for the logged on user on that machine. You can also choose to check what the results are for other users of that machine. If you use the /v or /z switches you will get very detailed information. You can see what GPOs were applied and what GPOs were filtered out, and the reason for not being deployed.

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 04/24/2005

RSOP results for XPPRO\Administrator on XPPRO : Logging Mode

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: NWTRADERS
Domain Type: Windows NT4
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No

COMPUTER SETTINGS

Last time Group Policy was applied: 04/24/2005
Group Policy was applied from: london.nwtraders.msft
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
Default Domain Policy
Raanana WSUS Updates
Local Group Policy

The following GPOs were not applied because they were filtered out
Raanana XP SP2 Behavior
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

USER SETTINGS

Last time Group Policy was applied: 04/24/2005
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
Local Group Policy

The user is a part of the following security groups:
Everyone, BUILTIN\Administrators, Remote Desktop Users, BUILTIN\Users, LOCAL, NT AUTHORITY\INTERACTIVE, NT AUTHORITY\Authenticated Users

Resultant Set of Policy snap-in in MMC. The snap-in has two modes: Logging mode, which tells you what the real settings are that were deployed on the machine, and Planning mode, which tells you what the result will be if that policy were deployed on the machine. This option is not so comfortable, since you need to choose some options first.

Group Policy Results in GPMC. This is the most comfortable option, since it lets you check the RSoP data on every computer from a central location. This option also displays the summary of the RSoP and the detailed RSoP data in HTML format. You can see the summary.

When looking at the Settings tab we can see what settings did apply on the computer, which is the "Winning GPO" that actually configured the computer with the particular setting.
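Reading gpresult output by eye works for one machine; when you want to verify deployment on many machines, or keep a record that the expected GPOs really applied, it helps to parse the listing. The following is an added example and not part of the article: a parser for the text layout shown above, plus a check that the GPOs you expect on a given scope appear in the applied list. SAMPLE_GPRESULT is a constructed, trimmed copy of the listing above, and parse_gpresult and missing_gpos are names chosen here.

```python
"""Parse gpresult text output (the layout shown in the article) and check that the
GPOs you expect were actually applied. Added example, not part of the article; the
sample output is constructed after the article's listing and trimmed."""

SAMPLE_GPRESULT = """\
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

RSOP results for XPPRO\\Administrator on XPPRO : Logging Mode
-------------------------------------------------------------

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 04/24/2005
    Group Policy was applied from:      london.nwtraders.msft
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Raanana WSUS Updates
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Raanana XP SP2 Behavior
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone

USER SETTINGS
--------------
    Last time Group Policy was applied: 04/24/2005
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy
"""


def parse_gpresult(text):
    """Return {"computer": {...}, "user": {...}} holding the DC the policy came from,
    the applied GPO names in processing order, and (name, reason) for filtered GPOs."""
    report, scope, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope = line.split()[0].lower()
            report[scope] = {"applied_from": None, "applied": [], "filtered": []}
            section = None
            continue
        if scope is None:
            continue                 # banner lines before the first scope
        if not line:
            section = None           # a blank line closes the current list
            continue
        if set(line) == {"-"}:
            continue                 # underline beneath a heading
        entry = report[scope]
        if line.startswith("Group Policy was applied from:"):
            entry["applied_from"] = line.split(":", 1)[1].strip()
        elif line.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif section == "applied":
            entry["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                name, _ = entry["filtered"][-1]   # reason belongs to the GPO named just above
                entry["filtered"][-1] = (name, line.split(":", 1)[1].strip())
            else:
                entry["filtered"].append((line, None))
        # security-group lists and the remaining headings are ignored here
    return report


def missing_gpos(report, scope, expected):
    """GPOs you expected on this scope that gpresult did not list as applied."""
    applied = report[scope]["applied"]
    return [name for name in expected if name not in applied]


if __name__ == "__main__":
    rsop = parse_gpresult(SAMPLE_GPRESULT)
    print("Computer policy came from:", rsop["computer"]["applied_from"])
    print("Applied:", rsop["computer"]["applied"])
    print("Filtered:", rsop["computer"]["filtered"])
    print("Missing:", missing_gpos(rsop, "computer",
                                   ["Default Domain Policy", "Raanana XP SP2 Behavior"]))
```

In practice you would redirect the output of gpresult (or gpresult /v) on the machine to a file and feed that text to parse_gpresult. The filtering reason matters when a GPO is missing: "Not Applied (Empty)" as in the listing means the GPO simply contains no settings for that scope, whereas a GPO blocked by security filtering is reported with a "Denied (Security)" reason, which is the case to investigate.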