Group Policy: Group Policy Basics


1
Group Policy: Group Policy Basics
Windows Boston
Published 2007 Clyde G. Johnson, MCSE, A
2
What can Group Policy manage
  • Deploy software
  • Security Settings
  • Assign startup/shutdown and logon/logoff scripts
  • Set Standard Security settings for machines
  • Redirect certain folders in user profiles
  • Remote Installation services
  • Software Restrictions

3
Local Group policy
  • Local Group policy
  • GPEDIT.MSC
  • Unique to each machine.
  • Does NOT need Active Directory.
  • Vista has three layers
    • Administrators
    • Non-Administrators
    • And single users

4
Active Directory Design
  • Three reasons for an OU
    • Delegation
    • Group Policy
  • Example
    • Windowsboston
      • Users
      • Workstations
      • Servers
      • Groups

5
Group Policy Management Console
  • Free update from Microsoft.
  • Installs on Windows XP (with .NET 1.1) and
    Windows 2003.
  • Improved UI and simplified security management.
  • New features
    • Edit
    • Copy / Import
    • Backup / Restore
    • Report

6
Group Policy Nodes
  • Two Nodes
    • User Configuration
    • Computer Configuration
  • If there are no settings in one node, then
    disable the processing of that node.

7
GPO Categories
  • Administrative Templates (registry settings)
  • Security Settings
  • Software Settings
  • Folder Redirection
  • IE Maintenance

8
Administrative Templates
  • Collection of registry settings.
  • Are updated with most releases and service packs.
  • Are usually located at %windir%\inf
  • Office has its own.
  • There are 3rd party and custom templates.

9
When are they applied?
  • Computer startup (computer node)
  • User Logon (user node)
  • User Logoff (user node)
    • Logoff scripts only
  • Computer shutdown (computer node)
    • Shutdown scripts only
  • Refresh Cycle (both nodes)
    • Except folder redirection, software deployment
      and scripts
    • This is when machines check for Group Policy
      changes

10
Where to Start
  • Common Desktop Management Scenarios Using GPMC
    • Set of example policies and a whitepaper
  • Group Policy Settings Reference
    • http://www.microsoft.com/downloads/details.aspx?familyid=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
    • Excel spreadsheet with all group policy settings
      and what OS each setting is supported on.
  • Pick a problem and try to use Group Policy to
    resolve it.

11
Common Desktop Management Scenarios
  • Package containing GPOs developed for six
    different scenarios that can be loaded into AD
  • Includes white paper describing scenarios
  • Excel spreadsheet documenting all GPO settings
  • Scenarios are for the following
    • Lightly Managed Desktop (e.g. power user)
    • Mobile User
    • Multi-User Desktop
    • AppStation (Highly Managed Desktop) (e.g. admin
      user)
    • TaskStation (e.g. single task)
    • Kiosk (e.g. public workstation)

12
Read This Book From Cover to Cover
  • Group Policy: Management, Troubleshooting and
    Security
  • For Windows Vista, Windows 2003, Windows XP and
    Windows 2000
  • By Jeremy Moskowitz
  • ISBN 978-0-470-10642-6
  • http://www.moskowitz-inc.com/grouppolicy/book.html

13
Testing and Troubleshooting
  • Do not develop on production GPOs
  • Gpupdate
  • GPResult
  • Userenv.log
  • RSOP

14
Do not develop GPOs in production!
  • TEST, TEST, TEST
  • Group Policy is one of the BEST ways to cause
    headaches to ALL your users with a touch of a
    button.
  • Settings are applied to your OU when you click on
    them. There is NO save button.
  • Create a test environment in a virtual machine.
    Not on the Network!
  • Don't change Group Policy settings on production
    OUs. Request a test GPO and use it on a test OU.

15
GPUPDATE
  • Refreshes local and Active Directory-based Group
    Policy settings, including security settings
  • Use the /force option to reapply all settings,
    even those that have not changed (usually
    requires a reboot).

16
GPResult /V
  • Use GPRESULT to test and track application of
    group policy
  • GPRESULT displays information about a user and
    computer's domain and group memberships as well
    as itemizing where all group-policy related
    settings were applied.
  • This is a very important tool to use when testing
    a new group policy or attempting to diagnose
    problems with policies not being applied
    correctly.

17
Userenv.log
  • Turn on verbose logging in the registry
    (KB221833).
  • %SystemRoot%\Debug\UserMode
  • When verbose logging is turned on, this will log
    information about the profile and group policy
    processing.
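
The troubleshooting tools from the last three slides used together, as an added example that is not part of the original presentation. It assumes Windows XP or Server 2003 (where Userenv.log is written), an elevated PowerShell prompt, and a constructed GPO name, Test-Desktop-GPO.

```powershell
# Added example, not from the original presentation.
# Assumes Windows XP / Server 2003 (where Userenv.log is written) and an elevated prompt.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$logPath  = Join-Path $env:SystemRoot 'Debug\UserMode\Userenv.log'
$gpoName  = 'Test-Desktop-GPO'   # constructed name: the test GPO linked to the test OU

# Remember the current setting so it can be restored afterwards.
$previous = (Get-ItemProperty -Path $winlogon).UserEnvDebugLevel

try {
    # 1. Verbose logging to file: UserEnvDebugLevel = 0x30002 (KB221833).
    New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -Value 0x30002 `
        -PropertyType DWord -Force | Out-Null

    # 2. Reapply every setting, changed or not. gpupdate may ask to log off or
    #    restart when a setting can only be applied at logon or startup.
    gpupdate /force

    # 3. Keep a record of what was applied and which GPOs were filtered out.
    $report = Join-Path $env:TEMP 'gpresult-verbose.txt'
    gpresult /v | Out-File -FilePath $report

    # 4. Show the most recent log lines that mention the GPO under test.
    if (Test-Path $logPath) {
        Select-String -Path $logPath -Pattern $gpoName -SimpleMatch |
            Select-Object -Last 20 |
            ForEach-Object { $_.Line }
    } else {
        Write-Warning "No log at $logPath; verbose logging may not have taken effect."
    }
}
finally {
    # 5. Verbose logging is for diagnosis only: put the old value back.
    if ($null -ne $previous) {
        New-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -Value $previous `
            -PropertyType DWord -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $winlogon -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
    }
}
```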

18
Problem Solving
  • The greatest use of Group Policy is to solve
    problems on your machines.
  • Default mail client
  • Software rollout
  • HTML Help
  • Folder Redirection
  • Software Restriction

19
Example: Default mail client
  • Problem
    • Every time Microsoft installed an Outlook-related
      patch, the default mail client would flip back
      to Outlook (KB933450).
    • Because the Group Policy objects had not changed,
      the default mail client group policy was not
      reapplied automatically.
  • Solution
    • Registry setting in a computer startup script.

20
Example - Shadowcopy.
  • We decide that we need Shadowcopy.
  • Shadow copy is essentially a previous version of
    the file or folder at a specific point in time.
  • A snapshot is usually taken twice a day.
  • Relieves the administrator of the burden of
    restoring files for users, OR makes it easier for
    the administrator to restore files for users.

21
Solution: Shadowcopy
  • Acquire a software setup package with an MSI
    extension.
    • Extract it.
    • Create it yourself (win-install)
  • Share and secure Administrative Point
    • \\servername\share
    • NTFS Security as a poor man's licensing server.
  • Set up a GPO to deliver the software
    • Assign or publish the software (assign to
      computer)

22
Example: HTML Help
  • Problem
    • Microsoft releases a patch that prevents CHMs
      from being viewed across a network. (896358)
    • These are necessary for our ERP help system
    • Uninstalling the patch is an option, but the
      vulnerability is real AND being exploited in the
      wild.

23
HTML Help Solution
  • Found a registry hack that will let the local
    intranet zone work
    • HKLM\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\MaxAllowedZone = 1
  • But this is not exposed in any Group Policy now
    existent.
  • We created a custom group policy template and
    applied it to all the workstations.
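
A check to run on workstations after the custom template has been applied, as an added example that is not part of the original presentation. The zone names, the UrlAllowList value that KB896358 documents alongside MaxAllowedZone, the Wow6432Node path and the function name Get-HHRestriction are additions that do not appear on the slide.

```powershell
# Added example, not from the original presentation.
# Zone numbers are the standard Internet Explorer security zones.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-HHRestriction {
    param(
        [int]$ApprovedZone = 1,   # the value the slide deploys (Local intranet)
        [string[]]$Key = @(
            'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions',
            # Assumption: 32-bit registry view on 64-bit Windows (not on the slide).
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\HTMLHelp\1.x\HHRestrictions'
        )
    )
    foreach ($k in $Key) {
        $zone = $null; $allow = $null; $zoneName = $null
        if (Test-Path -LiteralPath $k) {
            $p = Get-ItemProperty -LiteralPath $k
            $zone  = $p.MaxAllowedZone   # REG_DWORD
            $allow = $p.UrlAllowList     # REG_SZ, narrower per-location alternative
        }
        if ($null -ne $zone) { $zoneName = $ZoneNames[[int]$zone] }

        # Anything wider than the approved zone reopens what the patch closed.
        $status = if ($null -eq $zone)            { 'NotSet' }
                  elseif ($zone -gt $ApprovedZone) { 'TooPermissive' }
                  elseif ($zone -lt $ApprovedZone) { 'StricterThanApproved' }
                  else                             { 'AsApproved' }

        [pscustomobject]@{
            Key            = $k
            MaxAllowedZone = $zone
            ZoneName       = $zoneName
            UrlAllowList   = $allow
            Status         = $status
        }
    }
}

Get-HHRestriction | Format-Table -AutoSize
```

Because the value sits outside the Policies registry keys, a custom template writes it as a preference: it stays on the machine after the GPO is unlinked and has to be reset explicitly.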

24
Example: Folder Redirection
  • Problem
    • People have documents on their desktops.
    • Not backed up or encrypted.
  • Solution
    • Create a policy that redirects their My
      Documents and Desktop folders to the network.
    • For laptops we created a policy that enables
      offline folders AND encrypts the local folder
      they are in.

25
Example: Software restriction
  • Requested to deny the use of Solitaire.
  • We don't load it by default.
  • Used software restriction policy.
    • This is a very dangerous thing.
    • It's deny everything by default.
  • Disabled Solitaire by hash rule.
    • This means that no matter where or by what name
      Solitaire goes by, it is restricted.
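
Why a hash rule follows the file rather than its name or location, and what that means for upkeep, as an added example that is not part of the original presentation. It uses constructed stand-in files and SHA-256 via Get-FileHash (PowerShell 4 or later) to show the principle; the hash algorithm that software restriction policy records internally is not assumed here.

```powershell
# Added example, not from the original presentation.
# Constructed stand-in files: no real game binary is used.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

$original = Join-Path $dir 'sol.exe'
$renamed  = Join-Path $dir 'quarterly-report.exe'   # same bytes, new name
$updated  = Join-Path $dir 'sol-newbuild.exe'       # a later build of the program

[IO.File]::WriteAllBytes($original, [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03))
Copy-Item -Path $original -Destination $renamed
[IO.File]::WriteAllBytes($updated,  [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x04))

# The "rule": the hash recorded on the day the policy was written.
$ruleHash = (Get-FileHash -Path $original -Algorithm SHA256).Hash

function Test-HashRule {
    param([string]$Path, [string]$RuleHash)
    # A hash rule matches on file content only; path and name play no part.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $RuleHash
}

$results = foreach ($f in $original, $renamed, $updated) {
    [pscustomobject]@{
        File         = Split-Path -Path $f -Leaf
        MatchesRule  = Test-HashRule -Path $f -RuleHash $ruleHash
    }
}
$results | Format-Table -AutoSize

Remove-Item -Recurse -Force -Path $dir
```

The renamed copy still matches the rule, while the later build does not, so a hash rule has to be re-created whenever the restricted program is updated.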

26
Vista
  • Overhaul of the ADM templates (ADMX)
    • Administrative template files in Vista use a new
      XML-based file format (.ADMX).
  • ADMX Central store
  • 800 new or expanded Policies (now over 2k)
    • Control removable media
    • Control power management

27
Resources
  • How To Delegate the Unlock Account Right
    • http://support.microsoft.com/kb/294952
  • Group Policy Management Console (GPMC)
    • http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
  • Introduction to Shadow Copies of Shared Folders
    • http://www.microsoft.com/windowsserver2003/techinfo/overview/scr.mspx
  • http://www.appdeploy.com/
  • Using Administrative Template Files with
    Registry-Based Group Policy
    • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx
  • How To Use Software Restriction Policies in
    Windows Server 2003
    • http://support.microsoft.com/kb/324036
  • Using Software Restriction Policies to Protect
    Against Unauthorized Software
    • http://technet.microsoft.com/en-us/library/28df04f8-f97f-7143-9536-5ca33b55d1a9.aspx

28
Resources (cont.)
  • Userenv and GPE logging
    • http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1250007,00.html
  • Debugging GPO problems with Userenv logs
    • http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1249039,00.html
  • http://www.gpoguy.com/FAQs/troublefaq.htm
  • Group Policy Common Scenarios Using GPMC
    • http://www.microsoft.com/downloads/details.aspx?familyid=354b9f45-8aa6-4775-9208-c681a7043292&displaylang=en#Overview