Working with Group Policy
This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal in the GPO itself and the settings inside it (these settings and configurations will be discussed in different articles).
Note that this article was written and contributed to the site by Amir Meron.
Group Policy is a one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group Policy can help you do the following:
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
- Configure user’s desktops
- Configure local security on computers
- Install applications
- Run start-up/shut-down or logon/logoff scripts
- Configure Internet Explorer settings
- Redirect special folders
In fact, you can configure any aspect of the computer behavior with it. Although it is a cool toy; working with it without proper attention can cause unexpected behavior.
Here are some basic terms you need to be familiar with before drilling down into Group Policy:
Local policy – Refers to the policy that configures the local computer or server, and is not inherited from the domain. You can set local policy by running gpedit.msc from the Run command, or you can add “Group Policy Object Editor” snap-in to MMC. Local Policies also exist in the Active Directory environment, but have many fewer configuration options that the full-fledged Group Policy in AD.
GPO – Group Policy Object – Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO – Group Policy Object – at the site level, domain level or OU level.
GPC – Group Policy Container – The GPC is the store of the GPOs; The GPC is where the GPO stores all the AD-related configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or a Site. The GPOs are replicated among the Domain Controllers of the Domain through replication of the Active Directory.
GPT – Group Policy Templates – The GPT is where the GPO stores the actual settings. The GPT is located within the Netlogon share on the DCs.
Netlogon share – A share located only on Domain Controllers and contains GPOs, scripts and .POL files for policy of Windows NT/98. The Netlogon share replicates among all DCs in the Domain, and is accessible for read only for the Everyone group, and Full Control for the Domain Admins group. The Netlogon’s real location is:
When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.
Group Policy is processed in the following order:
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is being overridden by Domain policy, and Domain policy is being overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger the previous one.
The rule is simple, as more you get closer to the object that is being configured, the GPO is stronger.
What does it mean “stronger”? If you configure a GPO and linke it to “Organization” OU, and in it you configure Printer installation – allowed and then at the “Dallas” OU you configured other GPO but do not allow printer installation, then the Dallas GPO is more powerful and the computers in it will not allow installation of printers.
The example above is true when you have different GPOs that have similar configuration, configured with opposite settings. When you apply couple of GPOs at different levels and every GPO has its own settings, all settings from all GPOs are merged and inherited by the computers or users.
Group Policy sections
Each GPO is built from 2 sections:
- Computer configuration contains the settings that configure the computer prior to the user logon combo-box.
- User configuration contains the settings that configure the user after the logon. You cannot choose to apply the setting on a single user, all users, including administrator, are affected by the settings.
Within these two section you can find more sub-folders:
- Software settings and Windows settings both of computer and user are settings that configure local DLL files on the machine.
- Administrative templates are settings that configure the local registry of the machine. You can add more options to administrative templates by right clicking it and choose .ADM files. Many programs that are installed on the computer add their .ADM files to %systemroot%\inf folder so you can add them to the Administrative Templates.
You can download .ADM files for the Microsoft operating systems
Tools used to configure GPO
You can configure GPOs with these set of tools from Microsoft (other 3rd-party tools exist but we will discuss these in a different article):
- Group Policy Object Editor snap-in in MMC – or – use gpedit.msc from the Run command.
- Active Directory Users and Computers snap in – or dsa.msc – to invoke the Group Policy tab on every OU or on the Domain.
- Active Directory Sites and Services – or dssite.msc – to invoke the Group Policy tab on a site.
- Group Policy Management Console – or gpmc.msc – this utility is NOT included in Windows 2003 server and needs to be separately installed. You can download it from HERE
Note that if you’d like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.
GPMC utility – Creating a GPO
When you create a GPO it is stored in the GPO container. After creation you should link the GPO to an OU that you choose.
Linking a GPO
To link a GPO simply right click an OU and choose Link an existing GPO or you can create and link a GPO in the same time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate Site, Domain or OU.
When you right-click a link you can:
Edit a GPO – This will open the GPO window so you can configure settings.
Link/Unlink a GPO – This setting allows you to temporarily disable a link if you need to add settings to it or if you will activate it later.
Enabling/disabling computer or user settings
GPO has computer and user settings but if you create a GPO that contains only computer settings, you might want to disable the user settings in that GPO, this will reduce the amount of settings replicated and can also be used for testing.
To disable one of the configurations simply choose the GPO link and go to Details tab:
How do I know what are the settings in a GPO?
Prior to the use of GPMC, an administrator who wanted to find out which one of the hundreds of settings of a GPO were actually configured – had to open each GPO and manually comb through each and every node of the GPO sections. Now, with GPMC, you can simply see what the configurations of any GPO are if you point on that GPO and go to the Settings tab. There you can use the drop-down menus to see computer or user settings.
You can block policy inheritance to an OU if you don’t want the settings from upper GPOs to configure your OU.
To block GPO inheritance, simply right click your OU and choose “Block Inheritance”. Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three different GPOs are inherited to it.
In this example you can see that choosing “Block inheritance” will reject all upper GPOs.
Now, if we configure the “Default domain policy” with the Enforce option, it will overcome the inheritance blocking.
When linking more than one GPO to an OU, there could be a problem when two or more GPOs have the same settings but with opposite configuration, like, GPO1 have Allow printer installation among other settings but GPO2 is configured to prevent printer installation among other settings. Because the two GPOs are at the same level, there is a link order which can be changed.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
Filtering let you choose the user, group or computer that the GPO will apply onto. If you configured “Computers” OU with a GPO but you only want to configure Win XP stations with that GPO and exclude Win 2000 stations, you can easily create a group of Win XP computers and apply the GPO only to that group.
This option save you from creating complicated OU tree with each type of computer in it.
A user or a group that you configure in the filtering field have by default the “Read” and “Apply” permission. By default when you create a GPO link, you can see that “Authenticated users” are listed.
In the above example, Office 2K3 will be installed on all computers that are part of the two listed groups.
If we still were using Authenticated users, the installation of the Office suite could have followed the user to any computer that he logs onto, like servers or other machines. Using filtering narrows the installation options.
If you want to configure these permissions with higher resolution, you can go to Delegation tab and see the permissions. Going to the Advanced Tab will let you configure the ACL permission with the highest resolution.
How the GPO is updated on the computers
GPO inherited from AD is refreshed on the computers by several ways:
- Logon to computer (If the settings are of “user settings” in GPO)
- Restart of the computer (If the settings are of “computer settings” in GPO)
- Every 60 to 90 minutes, the computers query their DC for updates.
- Manually by using gpupdate command. You can add the /force switch to force all settings and not only the delta.
Note: Windows 2000 doesn’t support the Gpupdate command so you need run a different command instead:
Secedit /refreshpolicy machine_policy
for computer settings.
Secedit /refreshpolicy user_policy
for user settings.
In both commands you can use the /enforce that is similar to the /force in gpupdate.
If any configuration change requires a logoff or a restart message will appear:
You can force logoff or reboot using gpupdate switches.
How to check that the GPO was deployed
To be sure that GPO was deployed correctly, you can use several ways. The term for the results is called RSoP – Resultant Sets of Policies.
- Use gpresult command in the command prompt.
The default result is for the logged on user on that machine. You can also choose to check what is the results for other users on to that machine. If you use /v or /z switches you will get very detailed information.
You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001 Created On 04/24/2005 RSOP results for XPPRO\Administrator on XPPRO: Logging Mode ------------------------------------------------------------------------- OS Type: Microsoft Windows XP Professional OS Configuration: Member Workstation OS Version: 5.1.2600 Domain Name: NWTRADERS Domain Type: WindowsNT 4 Site Name: N/A Roaming Profile: Local Profile: C:\Documents and Settings\Administrator Connected over a slow link? No COMPUTER SETTINGS ------------------------- Last time Group Policy was applied: 04/24/2005 Group Policy was applied from: london.nwtraders.msft Group Policy slow link threshold: 500 kbps Applied Group Policy Objects -------------------------------- Default Domain Policy Raanana WSUS Updates Local Group Policy The following GPOs were not applied because they were filtered out ---------------------------------------------------------------------------- Raanana XP SP2 Behavior Filtering: Not Applied (Empty) The computer is a part of the following security groups: -------------------------------------------------------------- BUILTIN\Administrators Everyone Debugger Users BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users USER SETTINGS -------------- Last time Group Policy was applied: 04/24/2005 Group Policy was applied from: N/A Group Policy slow link threshold: 500 kbps Applied Group Policy Objects -------------------------------- Local Group Policy The user is a part of the following security groups: ---------------------------------------------------- Everyone, BUILTIN\Administrators, Remote Desktop Users, BUILTIN\Users, LOCAL, NT AUTHORITY\INTERACTIVE, NT AUTHORITY\Authenticated Users
- Resultant Set of Policy snap-in in MMC.
The snap-in has two modes:
Logging mode which tells you what are the real settings that were deployed on the machine
Planning mode which tells you what will be the results if you choose some options.
This option is not so compatible because you need to browse in the RSoP data to find the settings.
- Group Policy Results in GPMC.
This is the most comfortable option that let you check the RSoP data on every computer or user from a central location. This option also displays the summary of the RSoP and Detailed RSoP data in HTML format.
In the example above example you can see the summary of applied or non applied GPOs both of computer and user settings.
When looking at the Settings tab we can see what settings did applied on the computer and see which is the “Winning GPO” that actually configured the computer with the particular setting.