
Group Policy

Group Policy is a powerful tool for managing computer and user settings across a network, allowing administrators to apply changes efficiently without manual intervention on each device. It consists of Computer and User policies, which are triggered by specific events such as computer startup or user login, and can be backed up for restoration if needed. Group Policy Objects (GPOs) are used to apply settings in a hierarchical manner, with options for local management and various administrative tasks including security settings, software installation, and folder redirection.

Uploaded by

Nick

Group policy

Introduction

• Group Policy provides a convenient and effective way to
manage computer and user settings.
• With Group Policy, you can manage settings for thousands
of users or computers in the same way that you manage
settings for one user or computer—and without ever
leaving your desk.
• To do this, you use one of several management tools to
change a setting to a desired value, and this change is
applied throughout the network to a desired subset of
users or computers or to any individual user or computer.
Cont..

• Before Group Policy, many of the administrative changes
that Group Policy enables were possible only by hacking
the Windows registry, and each change had to be made
individually on each target computer. This was
time-consuming, tricky to implement, and prone to
disastrous results.
• Enter Group Policy, whereby you can simply enable or
disable a policy to tweak a registry value or other setting,
and the change will apply automatically to every computer
you designate the next time Group Policy is refreshed.
Cont..

• Group Policy allows you to back up (“save”) the state of
Group Policy before making changes. If something goes
wrong, you can restore Group Policy to its original state.
When you restore the state of Group Policy, you can be
certain that all changes are undone with the next Group
Policy refresh.
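The back-up, change and restore cycle described above can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original slides; the GPO name and backup folder are assumptions, and the setting changed is the "restrict the Run dialog box" user policy (registry value NoRun).

```powershell
# Added example: back up a GPO, change one setting, roll back if needed.
# Requires the GroupPolicy module (installed with Group Policy Management).
Import-Module GroupPolicy

# Assumptions for illustration only: hypothetical GPO name and folder.
$GpoName   = 'Workstation Baseline'
$BackupDir = 'C:\GPOBackups'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Save the current state. The returned object's Id identifies this
#    particular backup inside $BackupDir.
$backup = Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Pre-change $(Get-Date -Format s)"

# 2. Make the change. NoRun = 1 is the registry value behind the user
#    policy that removes the Run dialog box from the Start menu.
$change = @{
    Name      = $GpoName
    Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'NoRun'
    Type      = 'DWord'
    Value     = 1
}
Set-GPRegistryValue @change | Out-Null

# 3. Keep a report of the GPO after the change, for review.
$report = Join-Path $BackupDir "$GpoName-after-change.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $report

# 4. Roll back: restores the GPO to the state captured in step 1.
function Undo-GpoChange {
    param(
        [Parameter(Mandatory)] [guid]   $BackupId,
        [Parameter(Mandatory)] [string] $Path
    )
    Restore-GPO -BackupId $BackupId -Path $Path
}

# Call this only if the change has to be undone:
# Undo-GpoChange -BackupId $backup.Id -Path $BackupDir
```

Clients pick up either the change or the restored state at their next Group Policy refresh; running `gpupdate /force` on a client triggers that refresh immediately.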
Types of policies

• In Active Directory, two distinct sets of policies are
defined:
■ Computer policies: These apply to computers and are stored
under Computer Configuration in Group Policy.
■ User policies: These apply to users and are stored under User
Configuration in Group Policy.
Cont..
• Initial processing of the related policies is triggered by two unique events:
■ Processing of computer policies is triggered when a computer is started.
When a computer is started and the network connection is initialized, computer
policy settings are applied and a history of the registry-based settings that were
applied is written to %AllUsersProfile%\Ntuser.pol.
■ Processing of user policies is triggered when a user logs on to a computer.
When a user logs on to a computer, user policy settings are applied and a
history of the registry-based settings that were applied is written to
%UserProfile%\Ntuser.pol.
By default, Group Policy on domain controllers is refreshed every 5 minutes.
For workstations and other types of servers, Group Policy is refreshed every 90
to 120 minutes by default. In addition, Group Policy is refreshed every 16 hours
regardless of whether or not any policy settings have changed in the intervening
time.
Windows registry

• A central hierarchical database used in Microsoft
Windows 98, Windows NT and Windows 2000 to
store information that is necessary to configure the
system for one or more users, applications and hardware
devices.
• The registry contains information that Windows
continually references during operation, such as profiles
for each user, the applications installed on the computer
and the type of documents that each can create, and property
sheet settings for folders and application icons.
What is registry?

• Database where Windows stores almost everything:
• operating system settings
• hardware configuration
• user preferences
• application settings
Registry structure

• Components:
• Hives, Root keys, Keys, subkeys and values
Working with Group Policy Objects

• Group Policy is applied in discrete sets, referred to as
Group Policy Objects (GPOs).
• GPOs contain settings that can be applied in a variety of
ways to computers and users in a specific Active Directory
domain, site, or OU. Because of the object-based
hierarchy in Active Directory, the settings of top-level
GPOs can also be inherited by lower-level GPOs.
Cont..
• For example, a setting for the cpandl.com domain can be inherited by the
Engineering OU within that domain, and the domain settings will be applied
to users and computers in the Engineering OU. If you don’t want policy
settings to be inherited, you can block these settings to ensure that only the
GPO settings for the low-level GPO are applied.
• For local environments, a subset of Group Policy called Local Group Policy is
available. As the name implies, Local Group Policy allows you to manage
policy settings that affect everyone who logs on to a local machine.
• Because Local Group Policy is a subset of Group Policy, there are some
things you can’t do locally that you can do in a domain setting.
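Because blocking inheritance means a domain-level GPO no longer reaches an OU, it is worth listing which OUs block it and what still applies to them. The following is an added example, not part of the original slides; it assumes the ActiveDirectory and GroupPolicy modules are installed, and the function name is hypothetical.

```powershell
# Added example: report GPO links and inheritance blocking for every OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OuGpoInheritance {
    param(
        # Where to start; defaults to the current domain root.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object {
            $som = Get-GPInheritance -Target $_.DistinguishedName
            [pscustomobject]@{
                OU                 = $som.Path
                InheritanceBlocked = $som.GpoInheritanceBlocked
                # GPOs linked directly to this OU
                LinkedHere         = $som.GpoLinks.DisplayName -join '; '
                # GPOs that actually apply here after inheritance and
                # blocking (enforced links on parents still appear)
                EffectiveGpos      = $som.InheritedGpoLinks.DisplayName -join '; '
            }
        }
}

# OUs where inheritance is blocked, with what still applies to them.
Get-OuGpoInheritance |
    Where-Object { $_.InheritanceBlocked } |
    Format-List

# The Engineering OU from the example above (cpandl.com domain):
Get-GPInheritance -Target 'OU=Engineering,DC=cpandl,DC=com'

# Blocking inheritance on that OU changes the directory, so it is
# left commented out here:
# Set-GPInheritance -Target 'OU=Engineering,DC=cpandl,DC=com' -IsBlocked Yes
```

An OU that appears in the blocked list with an empty or short EffectiveGpos column is not receiving the domain's settings and should be reviewed.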
Cont..
• You manage Group Policy by configuring policy settings. A policy setting is an
individual setting that you apply, such as restricting access to the Run dialog
box. Most policy settings have three basic states:
■ Enabled: The policy setting is turned on, and its settings are active. You
typically enable a policy setting to ensure that it is enforced. Once enabled,
some policy settings allow you to configure additional options that fine-tune how
the policy setting is applied.
■ Disabled: The policy setting is turned off, and its settings are not applied.
Typically, you disable a policy setting to ensure that it is not enforced.
■ Not Configured: The policy setting is not being used. No settings for the
policy are either active or inactive and no changes are made to the configuration
settings targeted by the policy.
Using Group Policy for Administration
• Using Group Policy, you can manage these key administrative areas:

• Computer and user scripts: Configuring logon/logoff scripts for users and
startup/shutdown scripts for computers.
• Folder redirection: Moving critical data folders for users to network shares where they can be
better managed and backed up regularly (domain-based Group Policy only).
• General computer security: Establishing security settings for accounts, event logs, restricted
groups, system services, the registry, and file systems. (With Local Group Policy, you can
only manage general computer security for account policies.)
• Local security policies: Setting policy for auditing, user rights assignment, and user
privileges.
• IP security: Setting IP security policy for clients, servers, and secure servers.
• Public key security: Setting public key policies for autoenrollment, the Encrypting File System
(EFS), enterprise trusts, and more.
• Software installation: Automated deployment of new software and software upgrades
(domain-based Group Policy only).
Inheritance policy
Linking
When you create a domain, two GPOs are created
by default:
The Default Domain Policy
• You should edit the Default Domain Policy GPO only to manage
the default Account Policies settings and three specific areas of
Account Policies:
■ Password Policy: Determines default password policies for
domain controllers, such as password history and minimum
password length settings.
■ Account Lockout Policy: Determines default account lockout
policies for domain controllers, such as account lockout duration
and account lockout threshold.
■ Kerberos Policy: Determines default Kerberos policies for domain
controllers, such as maximum tolerance for computer clock
synchronization.
