Using Group Policy
Centralized management of computer and user configuration settings within Windows Server 2003 is accomplished through Group Policy management, which was introduced in Windows Server 2000. Group Policy settings are configured within Group Policy Objects (GPOs), which can be linked to container locations throughout the Active Directory. The container objects will inherit the proper GPO settings based on object location within the site, domain, or OU to which the GPO has been linked. Group Policy settings are grouped into the following general categories:
Registry-Based Policy: These settings are used for Registry-based configurations, such as the automatic removal of the Run option within the Start menu.
Security Settings: These settings include security settings for local, domain, and network connections, as well as software restriction management based on access path.
Software Restrictions: These settings can be used to configure the accessibility of individual software packages throughout the directory, limiting the damage that virus programs or undesirable software can cause.
Software Distribution and Installation: These settings are used to manage the installation, update, and removal of approved software packages based on organizational factors and group membership.
Computer and User Scripts: Scripts can be written for automatic configuration of the local environment at computer startup and shutdown, or user logon and logoff.
Roaming User Profiles and Redirected Folders: These settings can be used to configure user environment storage locations, such as the location of the My Documents folder path, along with details for users with roaming profiles.
Offline Folders: These settings can be used to configure the synchronization options and details for offline file management.
Internet Explorer Maintenance: These settings can be used to configure user environment details when utilizing the Internet Explorer browser, such as security zones and privacy settings.
Configuration of individual settings is managed within the Group Policy Object Editor (see Figure 3.8), which is almost identical to its Windows Server 2000 equivalent. Windows Server 2003 has added more than 200 new settings that can be configured using this tool.
Figure 3.8 The Group Policy Object Editor showing current manipulation of the Maximum Password Age policy setting.
Using the Group Policy Management Console
One key technology introduced in Windows Server 2003 is the Group Policy Management Console (GPMC), which brings together many standard management functions for the manipulation of GPOs and their links into a single utility.
NOTE
The GPMC utility is not included in the Windows Server 2003 Administrative Tools package (Adminpak.msi), but is available as a free download (gpmc.msi) from Microsoft's download site: http://www.microsoft.com/downloads/details.aspx?FamilyID=f39e9d60-7e41-4947-82f5-3330f37adfeb&DisplayLang=en.
Using this utility, individual GPOs can be configured and linked, and each link's enforcement managed through a simple user interface, as shown in Figure 3.9.
Figure 3.9 The Group Policy Management Console showing a current manipulation of the enforcement status of the Default Domain Policy link to the mydomain.mycorp.com domain.
The current status of each GPO can be manipulated using the GPMC, as shown in Figure 3.10.
Figure 3.10 The Group Policy Management Console showing a current manipulation of the GPO status of the Default MyDomain Policy.
The GPMC also includes a well-developed reporting capability, which can be used to display the settings of an individual GPO, as shown in Figure 3.11.
Figure 3.11 The Group Policy Management Console showing a report of the current Default MyDomain Policy GPO settings.
Because accounts and groups inherit Group Policy settings based on their access privileges, the GPMC includes the capability to manipulate GPO delegation, as shown in Figure 3.12.
Figure 3.12 The Group Policy Management Console showing the current delegation settings for the groups and users with permissions to the Default MyDomain Policy.
By manipulating the privileges for each group or user, it's possible to further refine the application of Group Policy settings based on as complex a scheme of inheritance as is desirable. To block the application of a particular GPO's settings to a group or user, the rights to Read and Apply Group Policy can be denied, as shown in Figure 3.13.
Figure 3.13 Restricting the Read and Apply Group Policy rights of the Workgroup Leads group with regard to the Default MyDomain Policy.
The GPMC provides a convenient method for the review of all linked GPOs for a particular container, including the order in which the links will be evaluated, as shown in Figure 3.14.
Figure 3.14 The Group Policy Management Console showing all linked GPOs and their evaluation order for the mydomain.myserver.com domain.
Copying a GPO
The GPMC can be used to copy an existing GPO to any trusted domain in which the administrator using the GPMC utility has the right to create new GPOs. This can be accomplished by the following:
After adding the source and target domains to the GPMC and ensuring that the necessary rights have been granted to the account performing the migration, expand the Group Policy Objects node of the source domain.
It's possible to drag and drop a particular GPO listed in the source domain's Group Policy Objects container to the Group Policy Objects container in the target domain. Alternatively, right-clicking on the source GPO, selecting Copy, and then right-clicking on the container in the target domain and selecting Paste also provides the same result: opening the Cross-Domain Copying Wizard. Click Next.
Specify whether the copied GPO will use the default permissions for new GPOs or if the original GPO's permissions should be migrated and preserved.
After the wizard has scanned the new GPO for references to local security principals, specify a migration map for those references. Clicking Next enables you to select the default migration mapping or to specify a unique, item-by-item migration table.
After the selection of all migration mapping, you can review the pending migration and then click the Finish button to complete the copying process.
Backing Up and Restoring GPOs
In addition to the ability to copy GPOs between domains, the GPMC can also be used to back up existing GPOs so that they can be recovered later through a restore procedure. Backing up a GPO stores a copy of the GPO's settings to a selected file location, which can be used to store multiple versions of the same GPO, allowing for versioned recovery to prior GPO settings through a simple restoration of the earlier form. A GPO backup can be accomplished by performing the following steps:
Within the GPMC, right-click the desired GPO and select the option to Back Up from the drop-down list provided.
Provide a location in which to store the GPO backup and an optional unique description for the backup.
Click the Backup button.
CAUTION
It's possible to back up all GPOs by right-clicking on the Group Policy Objects node and selecting Back Up All from the options provided.
Restoration of an existing backup can be accomplished by the following procedure:
Within the GPMC, right-click the desired GPO and select the option to Restore from Backup from the drop-down list provided.
Provide the backup location used previously to store the GPO backups.
Select the desired backup file and choose to view the settings of the highlighted backup before restoration, if desired.
Confirm the details of the pending operation, then click Finish to perform the restoration.
It's also possible to manage all existing backups by right-clicking on the Group Policy Objects node and selecting Manage Backups from the drop-down list of options. Within the Manage Backups dialog box, you can view a listing of existing backups that can be restored and deleted from this interface; you can also view the settings for each.
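As an added example (not from the chapter), the same backup-and-restore workflow through the GroupPolicy PowerShell module, which ships with the GPMC on Windows Server 2008 R2 and later rather than with the 2003-era GPMC described here; the backup share and GPO name are assumed.

```powershell
# Added example (not from the chapter). Uses the GroupPolicy module that ships
# with the GPMC on Windows Server 2008 R2 and later.
Import-Module GroupPolicy

# Assumed values: a backup share and the GPO to protect (hypothetical).
$BackupRoot = '\\fileserver\GpoBackups'
$GpoName    = 'Default Domain Policy'
$stamp      = Get-Date -Format 'yyyy-MM-dd HH:mm'

# Every Backup-GPO call writes a new, uniquely identified backup folder under
# $BackupRoot, so repeated runs build a version history of the same GPO. The
# -Comment is the "optional unique description" the GUI asks for.
$snapshot = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "Pre-change snapshot $stamp"
"Backed up '{0}' as backup ID {1}" -f $snapshot.DisplayName, $snapshot.Id

# Equivalent of "Back Up All" on the Group Policy Objects node.
$all = Backup-GPO -All -Path $BackupRoot -Comment "Full set $stamp"
"{0} GPOs backed up to {1}" -f @($all).Count, $BackupRoot

# Restore overwrites the live GPO's settings, so wrap it so the caller picks
# the version explicitly. Without -BackupId, Restore-GPO restores the most
# recent backup of that GPO found under -Path; with -BackupId it restores one
# exact earlier snapshot (versioned recovery).
function Restore-GpoVersion {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string] $BackupId
    )
    if ($BackupId) {
        Restore-GPO -BackupId $BackupId -Path $Path
    } else {
        Restore-GPO -Name $Name -Path $Path
    }
}

# Roll back to the snapshot taken above (ID captured from Backup-GPO's output;
# the Manage Backups dialog shows the same IDs).
Restore-GpoVersion -Name $GpoName -Path $BackupRoot -BackupId $snapshot.Id
```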
Importing GPO Settings
Previous GPO backups can also be used for migration of settings when interforest GPO copying is not convenient, such as between testing and production environments. The following procedure can be used to perform an importation of GPO settings from an available backup:
Within the GPMC, create a new GPO or select an existing one as the target for the imported settings.
Right-click on the target GPO and select Import Settings from the drop-down list of options provided to open the Import Settings Wizard.
You'll be prompted with the option to back up the current settings of the existing GPO before performing the import operation.
After selecting the backup source location and specific GPO backup, a scan will be performed. If any local security principals or UNC paths must be migrated, you'll be prompted to provide a migration mapping before the import procedure begins.
Click the Finish button to allow the importation of previously backed up settings to the target GPO, overwriting its current settings.
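The import procedure above, as an added example (not from the chapter) scripted with the GroupPolicy PowerShell module (Windows Server 2008 R2 and later); the paths, domain and group names are assumed, and the migration table file uses the GPMC migration table XML format.

```powershell
# Added example (not from the chapter): import a backed-up GPO from a test
# domain into production, supplying the security-principal and UNC-path
# mappings that the Import Settings Wizard would otherwise prompt for.
# Requires the GroupPolicy module (Windows Server 2008 R2 and later).
Import-Module GroupPolicy

# Assumed values (hypothetical paths and names). Keep the test export and the
# pre-import safety copy in separate folders: Import-GPO picks the newest
# backup with the given display name under -Path, so mixing them could make
# it import the safety copy instead of the test export.
$ExportRoot = 'D:\GpoExport\FromTest'
$SafetyRoot = 'D:\GpoExport\PreImport'
$GpoName    = 'Workstation Lockdown'
$MigTable   = Join-Path $env:TEMP 'test-to-prod.migtable'

# A migration table is a UTF-16 XML file mapping each source reference to its
# production equivalent (a <DestinationSameAsSource/> entry keeps one as-is).
@'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>TESTDOM\Workstation Admins</Source>
    <Destination>PRODDOM\Workstation Admins</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\testfs\LogonScripts</Source>
    <Destination>\\prodfs\LogonScripts</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $MigTable -Encoding Unicode

# Step 3 of the procedure above: snapshot the target before it is overwritten.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    Backup-GPO -Name $GpoName -Path $SafetyRoot -Comment 'Pre-import safety copy' | Out-Null
}

# Import the exported settings over the target. -CreateIfNeeded creates the
# GPO when it does not exist yet; the migration table replaces the wizard's
# interactive mapping step. Without a table, references are carried over
# unchanged and would still point at the test domain.
Import-GPO -BackupGpoName $GpoName -Path $ExportRoot -TargetName $GpoName `
           -MigrationTable $MigTable -CreateIfNeeded
```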
Configuring the Resultant Set of Policy
The GPMC includes several features beyond the manipulation of individual GPO links, such as the ability to evaluate the overall Resultant Set of Policy (RSoP) with regard to a particular account or group, as shown in Figure 3.15.
This capability is invaluable for troubleshooting the resulting settings that are produced through the application of GPO links across many levels of container inheritance. Each resulting setting and the GPO link that is its source can be displayed, as shown in Figure 3.16.
In addition to static information such as GPO settings, the GPMC's reporting capability for modeling Resultant Set of Policy details can also be used to review policy-related events generated within the target system's event logs, as shown in Figure 3.17.
Figure 3.15 The Group Policy Management Console showing an evaluation of the RSoP for the Administrator account.
Figure 3.16 The Group Policy Management Console showing each setting and the Winning GPO that produces the configuration result.
Figure 3.17 The Group Policy Management Console showing policy-related events queried from the target server's event logs.
Performing Policy Simulation
The GPMC also includes the capability to simulate the effect that applying a particular GPO would have on the current GPO configuration, through the Group Policy Modeling subcomponent. This subcomponent can perform a simulated application of a GPO's settings based on a detailed query specification, as shown in Figure 3.18.
Figure 3.18 The Group Policy Management Console showing the query settings for an evaluation of GPO application.
Group Policy settings can be evaluated within this testing environment before rolling out the results within the production environment. This feature, along with others present within the GPMC, makes it possible to perform complex troubleshooting and testing of planned changes to policy settings, facilitating centralized management over even very extensive and complex directory structures.
Configuring Security Policy Management
Microsoft Windows Server 2003 provides many different means by which individual settings can be configured, including the Group Policy Management Console as well as the Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services MMC snap-ins. After the Group Policy Management Console has been installed, the Group Policy tab (displayed in the Properties pages of sites, domains, and OUs when the MMC is started in Author mode) displays an Open button that redirects GPO access attempts to the GPMC, making this utility a one-stop solution for all categories of GPO manipulation.
The Group Policy Object Editor accessible through the aforementioned MMC snap-ins (refer to Figure 3.8) provides the ability to manipulate all possible settings for a particular GPO. Additionally, Microsoft Windows Server 2003 also includes more focused utilities, such as the Local Security Policy, Domain Security Policy, and Domain Controllers Security Policy MMC snap-ins. These utilities allow the manipulation of security settings within the appropriate GPO, where templates can be used to apply standard configuration settings based on the intended role of the target system.
A number of preconfigured security templates are stored in %systemroot%\Security\Templates and include the following:
Compatws.inf: The compatibility template is used to relax security settings to allow users to make use of applications that do not conform to the requirements for the Windows Logo Program for Software.
DC Security.inf: The default security template for domain controllers.
Hisecdc.inf: The highly secure template for domain controllers.
Hisecws.inf: The highly secure template for workstations.
Rootsec.inf: The root directory permissions template.
Securedc.inf: The secure template for domain controllers.
Securews.inf: The secure template for workstations.
Setup security.inf: The default security settings for a system created during initial installation.
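An added example (not from the chapter) that runs Secedit.exe, discussed later in this chapter, to compare a machine's live security settings against one of the stock templates above and extract the differences from the analysis log; the database and log paths under %TEMP% are assumed.

```powershell
# Added example (not from the chapter): compare live security settings with a
# stock template using secedit /analyze, then list every mismatch from the log.
# Run from an elevated prompt. Use hisecdc.inf instead on a domain controller.
$Template = Join-Path $env:SystemRoot 'Security\Templates\hisecws.inf'
$Db       = Join-Path $env:TEMP 'hisecws-analysis.sdb'   # assumed path
$Log      = Join-Path $env:TEMP 'hisecws-analysis.log'   # assumed path

# Start from a fresh analysis database so entries left by an earlier
# /configure or /analyze run do not mask current differences.
Remove-Item $Db, $Log -ErrorAction SilentlyContinue

# /analyze only reads the system and records results in the database;
# /configure with the same template would apply it, so keep the two distinct.
& (Join-Path $env:SystemRoot 'System32\secedit.exe') /analyze /db $Db /cfg $Template /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze returned $LASTEXITCODE; see $Log" }

# secedit writes its log as UTF-16. Lines beginning "Mismatch -" are settings
# where the machine deviates from the template; "Not Configured -" lines are
# settings the template does not define and can be ignored here.
function Get-TemplateMismatches {
    param([Parameter(Mandatory)] [string] $LogPath)
    Get-Content -Path $LogPath -Encoding Unicode | ForEach-Object {
        if ($_ -match '^\s*Mismatch\s*-\s*(.+?)\.?\s*$') { $Matches[1] }
    } | Sort-Object -Unique
}

$mismatches = @(Get-TemplateMismatches -LogPath $Log)
"{0} settings differ from {1}:" -f $mismatches.Count, (Split-Path $Template -Leaf)
$mismatches
```

The same log also holds the per-area "Analyze ..." lines for settings that match, so keeping it beside the .sdb gives a reviewable record of each comparison.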
Using Security Policy MMC Snap-ins
Windows Server 2003 includes several MMC snap-ins that can be added to custom MMCs. Two in particular are useful in the manipulation of security template settings: the Security Configuration and Analysis MMC snap-in and the Security Templates MMC snap-in. The following steps can be used to create a custom MMC with these snap-ins configured:
- Select Start, Run, and then type MMC in the Open box. After clicking OK, a new blank MMC console opens.
- From the Console main menu, select File and then Add/Remove Snap-in from the list of options provided. Select the console to which the snap-ins will be added, then click the Add button to open the Add Standalone Snap-in dialog box.
- From the list of options provided, create a custom MMC that includes many standard tasks. For the purposes of this example, highlight the Security Configuration and Analysis option and click Add, highlight the Security Templates option, and click Add again.
- Click the Close button and then the OK button to return to the custom console, as shown in Figure 3.19.
- Save this custom MMC for later reuse by selecting File, Save As. After selecting the container location and name for the new custom MMC, save the console with its current settings.
Figure 3.19 A custom MMC console with the Security Templates and the Security Configuration and Analysis MMC snap-ins added.
The Security Templates MMC snap-in can be used to create and modify templates, which can then be modeled and applied within the Security Configuration and Analysis MMC snap-in using the same techniques described within the Group Policy Editor MMC snap-in accessed through the GPMC.
When a target template is analyzed against current security settings, the Security Configuration and Analysis MMC snap-in produces a comparative analysis of each setting, as shown in Figure 3.19.
Managing Policies Through the Command Line
Microsoft Windows Server 2003 includes command-line utilities that mirror much of the same functionality present in the graphical user interface utilities previously discussed in this chapter, including
Secedit.exe: A utility used to analyze and configure security settings based on templates. It is the closest command-line equivalent to the Security Configuration and Analysis MMC snap-in, and was also present in Windows Server 2000. In the Windows Server 2003 version of the utility, the /refreshpolicy option is no longer present.
Gpupdate.exe: This utility is used to refresh Group Policy settings, replacing the /refreshpolicy option of the secedit utility. It can be used to force a logoff or reboot when the update is complete, to ensure that new policy settings are applied immediately.
Gpresult.exe: A utility that displays Group Policy settings and the RSoP for a target user or computer account. It is the closest command-line equivalent to the reporting and analysis functions within the GPMC.
CAUTION
You should be able to use the gpupdate utility to refresh a GPO. The syntax of the gpupdate.exe utility is provided in the Microsoft help file:
gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]
To see a listing of all the parameters and their meanings, type the following at the command-line shell prompt:
gpupdate /?
The GPMC's Software Development Kit (SDK) includes a number of scripts that can be used to automate GPO troubleshooting, including the following:
ListAllGPOs.wsf: Used to list all GPOs within a domain
FindDisabledGPOs.wsf: Used to list any GPOs currently disabled
DumpGPOInfo.wsf: Used to display information about a particular GPO
QueryBackupLocation.wsf: Used to list all GPOs stored within the specified target backup location
FindUnlinkedGPOs.wsf: Used to list all unlinked GPOs within a domain
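An added example (not from the chapter or the GPMC SDK) that reproduces what FindUnlinkedGPOs.wsf and FindDisabledGPOs.wsf report, using the GroupPolicy PowerShell module (Windows Server 2008 R2 and later); the domain is taken from the environment and the function name is mine.

```powershell
# Added example (not from the chapter or the GPMC SDK): report unlinked and
# disabled GPOs, the two conditions the SDK's Find*.wsf scripts look for.
# Requires the GroupPolicy module (Windows Server 2008 R2 and later).
Import-Module GroupPolicy

function Get-GpoHygieneReport {
    # Hypothetical helper name; domain defaults to the caller's DNS domain.
    param([string] $Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries one <LinksTo> element per site/domain/OU
        # link, each with SOMPath, Enabled and NoOverride (enforced) fields.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Id           = $gpo.Id
            Status       = $gpo.GpoStatus            # e.g. AllSettingsDisabled
            LinkCount    = $links.Count
            EnforcedAt   = @($links | Where-Object { $_.NoOverride -eq 'true' } |
                              ForEach-Object { $_.SOMPath }) -join '; '
            Unlinked     = ($links.Count -eq 0)
            Disabled     = ($gpo.GpoStatus -eq 'AllSettingsDisabled')
            LastModified = $gpo.ModificationTime
        }
    }
}

# Unlinked GPOs are clutter that still grants whoever can edit them a foothold
# if later linked; disabled-but-linked GPOs are the usual reason a policy
# "does not apply" when an administrator expects it to.
$all = Get-GpoHygieneReport
$all | Where-Object { $_.Unlinked -or $_.Disabled } |
    Format-Table Name, Status, LinkCount, EnforcedAt, LastModified -AutoSize
```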