1 Introducing Group Policy

  • 8/10/2019 1 Introducing Group Policy

    16/11/2014 1 Introducing Group Policy

    https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=2&FontSize= 2/23

    features that are included in the newer Windows operating systems.

    What Is Group Policy?

    Figure 1: What Is Group Policy?

    Group Policy is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment. These settings are typically referred to as Policies and stem from the security policies that were present in earlier versions of Windows. Now, the security policies themselves are part of Group Policy. The term Group Policy is somewhat of a misnomer as the policies are not configured at the Group level, but are instead applied at the local, site, domain, or OU level.

    Group Policy was introduced with Windows 2000 as a replacement for the system policies of older Windows environments. The system policies used in the past were inflexible and difficult to reverse once they were put in place.

    The new Group Policy in Windows Server 2012 and Windows 8 Client builds upon the foundation established with Windows 2000. Some Group Policy enhancements were made in Windows Server 2003, but they do not compare to the new features and numerous new settings in Group Policy with the newest versions of Windows.

    You can use Group Policy to affect many different parts of a Windows Server 2012 environment.

    The most common impression of Group Policy is that it is used to lock down the user environment. Although Group Policy can be used in that way, this feature is just one of its many powerful capabilities.

    Efficiently managing Group Policy for any number of computers involves establishing an Active Directory structure. Understanding Active Directory is essential to a successful Group Policy deployment.

    Desktop Settings and Restrictions

    Figure 2: Desktop Settings and Restrictions

    Group Policies are broken down into two sections: User Configuration and Computer Configuration. The User Configuration items are specific to user accounts no matter where they may log on, while the Computer Configuration items are specific to the computer system no matter who may log on to it.

    Within the User and Computer sections are two sub-sections:

    Policies: The Policies layer has Software Settings, Windows Settings, and Administrative Templates beneath it.

    Preferences: The Preferences layer contains Windows Settings and Control Panel Settings.

    Most of the desktop-related settings and restrictions are found within the Policies, Administrative Templates, Preferences, Windows Settings, Preferences, and Control Panel Settings areas.

    The settings can range from the aesthetic background logo to a complete lockdown of the

    system.

    Security Policies

    Figure 3: Security Policies

    Use Security Policies to enforce standards for security, auditing, NTFS permissions, ACLs on registry keys, IPSec policies, and much more.

    Security Policies can be used to enforce corporate security standards, or to conform with industry or governmental policies.

    Folder Redirection

    Figure 4: Folder Redirection

    The folder redirection process stores the user's My Documents and other selected folders on a server instead of locally. The user is unaware of this change and offline synchronization caches the documents on the user's local hard drive.

    Software Deployment

    Figure 5: Software Deployment

    A powerful feature of Group Policy is the ability to distribute software packages and to restrict access to unauthorized software. Other more powerful tools also provide these features, such as Microsoft SMS, but for the small to mid-sized environment, the built-in software management tools may be all that are needed.

    Distributing Software Packages

    The Software Installation section within Group Policy allows for the distribution of software packages. This capability relies upon the Windows Installer service that is present on all Windows operating systems from Windows 2000 to the present.

    In order to distribute software using Group Policy, the package must be in MSI format. This means that an application that is not currently packaged as an MSI file cannot be distributed unless it is repackaged or a new package is built for it. Many commercially available tools can do this packaging.

    It is possible (but not desirable) to distribute legacy installer packages using a special file called a ZAP. A ZAP file is a simple text file that contains the name of the executable command that performs the installation. Unfortunately, it does not have any of the powerful features of the MSI format, such as self-healing, reporting, and clean uninstall.

    Software can be distributed either to the User Configuration section of a Group Policy, or to the Computer Configuration section. If software is distributed to the user, the package will follow the user from one machine to another. If the package is configured in the Computer Configuration section, it will be available to anyone that logs on to the computer.

    When you distribute software to the User Configuration section of Group Policy, you can distribute it as either an assigned package or a published package. Software packages created in the Computer Configuration section can only be assigned.

    Assigned packages are mandatory and are installed at computer boot time in the case of software assigned to the Computer Configuration section. When packages are assigned to the User Configuration section, they are installed at either first logon or the first time the user attempts to use the application in the package.

    Published packages are optional. The end user must install them from within Add/Remove Programs on Windows XP and Windows Server 2003, or from within Programs and Features on Windows Vista and Windows Server 2008.

    Software Restrictions

    Figure 6: Software Restrictions

    Because of the growing threat of viruses and rogue software, a great need exists to control the software that the users run. Anti-virus software is certainly a necessity, but it catches only the software that is a known threat. Any new virus or Trojan horse that slips under the radar can still be a huge problem.

    The SRP (Software Restriction Policies) that are available in Group Policy can prevent

    suspect software from running before it ever becomes an issue. Software restrictions enforce

    corporate standards regarding the type of software that end users can install and run. This

    could lead to greater productivity or, at the very least, reduce downtime due to software that

    causes stability problems.

    AppLocker is a new software restriction methodology that was introduced with Windows 7

    and Server 2008 R2. It is more powerful and flexible than the Software Restriction Policies

    available in previous versions of Windows. AppLocker allows policies to be created by

    scanning a folder structure and automatically picking up the executable file types to be allowed

    or restricted.

    Logon Scripts

    Figure 7: Logon Scripts

    Logon scripts have generally been used to perform actions at logon that could not be configured as Group Policy settings. More and more of these settings are now incorporated into Group Policy as individual configurable items.

    For instance, logon scripts have historically created a mapped network drive for users upon logon.

    Windows Server 2008 Group Policy now contains an option under User Configuration, Preferences, Windows Settings, Drive Maps that allows you to configure the mapped drives.

    Group Policy Scenarios

    Figure 8: Group Policy Scenarios

    You can use Group Policy in a variety of ways to control the Windows environment.

    Figure 8 lists the possible ways that you can use Group Policy.

    To prevent changes to the desktop environment

    Use desktop restrictions to constrain the user environment so that users are less likely to do themselves harm, and generate support calls.

    To enforce an Audit policy for servers

    Use auditing in security policies to track who is accessing specific files and folders within the operating system.

    To maintain user documents on a central server

    Use Folder Redirection to direct a user's saved documents to a server-based folder instead of storing the documents locally.

    To assign a software package to many computers

    Use software deployment to automatically distribute software to users and computers.

    To prevent users from running unauthorized code

    Use software restriction policies to prevent users from running prohibited or malicious programs.

    To map a drive letter to a server resource

    Use login scripts to automate certain routines like the mapping of network drives or printers.

    New Group Policy Features Introduced with Windows Server 2008 and Windows Vista

    Figure 9: New Group Policy Features Introduced with Windows Server 2008 and Windows Vista

    Users familiar with Group Policy from Windows 2000 and Windows Server 2003 will find significant changes in the Windows Server 2008 operating system. All administrators need to know the details of these differences because many environments will consist of a mix of Windows operating systems (from Windows XP to Windows Server 2012) for some time to come.

    Many of these policy enhancements are effective only in Windows Server 2008, Windows Vista and later environments. Older operating systems will still be able to interoperate in the new framework, but will not be able to take advantage of many of the new Group Policy settings and features.

    Since the release of Service Pack 1 for Windows Vista, the Group Policy structure for Windows Vista and later Windows versions is the same. The current Group Policy Management Editor now includes separate top-level Policies and Preferences sections.

    This topic describes the enhancements to the Group Policy Management Editor and the changes to the Group Policy service. This topic also describes the new categories of settings that are available in Group Policy.

    Group Policy Management Editor Enhancements

    Figure 10: Group Policy Management Editor Enhancements

    The Group Policy Management Editor has been enhanced with many new features for Windows Server 2008. Key enhancements include:

    New format for ADMX (Administrative Templates): Administrative Templates are now based on an XML file format. The new GPO tools can read both the older ADM files and the newer ADMX files. All ADMX files are now stored centrally in Sysvol.

    Starter GPO: It creates a template of GPO settings that you can reuse.

    Comments for GPOs: You can add custom comments to GPOs.

    GPO filtered view: You can now display settings in a variety of ways, including a sorted

    view or a filtered view.

    GPMC: The GPMC was a feature pack download for Windows Server 2003. Now, the

    GPMC is the standard tool for managing group policies.

    Group Policy Service Changes

    Figure 11: Group Policy Service Changes

    The obvious changes to the Group Policy management process are not the only differences in policies with Windows Vista and later. Significant changes also exist behind the scenes.

    Group Policy service: Group Policy has been moved from the Winlogon service and now

    runs as a service of its own. This nearly eliminates the need for reboots after policy

    changes, including after the distribution of software.

    Local Group Policy enhancements: Multiple GPOs can now be created for the local

    computer that allow for easier deployment of kiosk-type environments.

    Network location awareness: Group Policy no longer relies on ICMP. It uses event

    detection and event notification and provides faster startup times when group policies are

    applied.

    New GPO Settings

    Figure 12: New GPO Settings

    Over 1,700 settings were already available in Group Policy in Windows Server 2003. In Windows Server 2008, the number exceeds 2,400 to support all the new features found in Windows Vista and later. Figure 12 lists some of these new categories of settings.

    New Power Management Options

    All of the currently available power management options in the Windows operating systems can now be managed through Group Policy. The advantage of this feature is that a central standard can be set for power management settings without having to visit each computer individually or writing complex scripts to accomplish the same goal.

    With a renewed emphasis on reduction of power consumption in many environments, the ability to put a rigid power management policy in place is critical. Simply turning monitors off after a few hours of inactivity can save hundreds of dollars annually per monitor.

    Block Device Driver Installation

    The new device driver management features go far beyond the simplistic device driver signing settings that were previously available in Group Policy. Now the settings are far more granular.

    You can now block or allow device driver installation down to a specific PnP hardware

    identifier.

    You can block installation of removable media devices. This feature is very important for

    sensitive environments where you want to reduce the risk of data being copied and carried out

    of the facility.

    Finally, you can customize a balloon tip message when installation is prevented. You can use this message, for example, to outline the corporate policies regarding the usage of removable media or other devices.

    Windows Firewall with Advanced Security Options

    The new Microsoft Windows Firewall with Advanced Security tool is much more advanced than its predecessor. In addition to blocking or allowing incoming access, the new interface allows you to create inbound and outbound firewall policies.

    IPSec functionality has now been integrated directly into the Windows Firewall interface. When you need to secure a connection, you can very quickly configure IPSec to encrypt all or selected data between the systems involved.

    New Windows Internet Explorer Options

    The newest versions of Windows Internet Explorer, version 7 and later, bring with them a certain amount of baggage in the form of hundreds of new settings, and a redesigned GUI. Most of these settings are now configurable through Group Policy. You can centrally define home pages, security settings, history retention, and much more.

    You can also centrally control the user interface settings and turn off some of the new Windows Internet Explorer interface elements or reset them to the classic values.

    Printer Installation

    Location-Based Printer Installation

    The new printer deployment capabilities of Windows Server 2008 were partly introduced in Windows Server 2003 R2. This feature allows for shared printer connections to automatically be made available to the computer or user side of the GPO. With this capability, administrators can rely less on scripts for the installation of printers within a logon script.

    Printer Driver Installation for Non-Administrators

    Whether printers are deployed or manually installed by the end user, the installation of printer device drivers now occurs in the background with elevated privileges. In the past, when a user connected to a shared printer, if the device driver did not exist, it would not install. An administrator would then have to install the printer on behalf of the user. Now, printer drivers install automatically with the proper rights.

    New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7

    Figure 13: New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7

    Windows Server 2008 R2 and Windows 7 provide a few additional Group Policy enhancements.

    Figure 13 lists these enhancements.

    Windows PowerShell cmdlets: The Windows PowerShell cmdlets manage Group Policy

    from Windows PowerShell and run Windows PowerShell scripts during logon and startup.

    Microsoft has included a library of cmdlets specific to Group Policy management that allow

    GPO configuration from the command line and for automation.

    Group Policy Preferences: Additional types of GPO preference items have been added.

    Preferences were added to the original Windows Server 2008 release, but have been

    augmented with new capabilities in Windows Server 2008 R2.

    Starter GPOs: Improvements have been made to the Starter GPOs. New default Starter

    GPOs have been added to the GPMC interface.

    Administrative Template Settings: A new user interface and many additional policy settings have been added. The Administrative Templates section has been augmented with hundreds of new settings and an editor window that is easier to navigate.

    AppLocker: AppLocker is a new mechanism for restricting access to software that is only

    supported by Windows Server 2008 R2 and Windows 7. AppLocker supports wildcards for

    version numbering, allowing a single policy to restrict multiple versions of a file. AppLocker

    also can restrict by user name or group.
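
The folder-scan workflow described for AppLocker, as an added PowerShell example that is not part of the original courseware: it builds publisher and hash rules from a reference folder, switches every rule collection to audit-only, and checks sample files against the result before anything reaches a GPO. The scan folder, output path, sample files and GPO name are assumptions.

```powershell
#Requires -Version 3.0
# Added example, not from the courseware. Run on a reference machine that has
# the AppLocker module (Windows 7 / Windows Server 2008 R2 or later).
param(
    [string]$ScanRoot  = $env:ProgramFiles,   # assumption: folder holding approved software
    [string]$PolicyXml = (Join-Path $env:TEMP 'applocker-audit.xml'),
    [string]$GpoName   = ''   # hypothetical GPO name, e.g. 'AppLocker-Audit-Pilot'; empty skips the import
)

Import-Module AppLocker

# 1. Scan the folder tree and collect publisher/hash details for every executable.
$fileInfo = Get-AppLockerFileInformation -Directory $ScanRoot -Recurse -FileType Exe
if (-not $fileInfo) { throw "No executables found under $ScanRoot" }

# 2. Build allow rules: publisher rules where the file is signed, hash rules
#    as the fallback for unsigned files. -Optimize merges similar rules.
$xmlText = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Set every rule collection to audit-only so nothing is blocked yet.
#    Clients then log what enforcement would have denied.
$doc = [xml]$xmlText
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($PolicyXml)

# 4. Dry-run the saved policy against sample files (constructed list: one file
#    inside the scanned tree, one outside it). Missing files are skipped.
$samples = @(
    (Join-Path $ScanRoot 'Internet Explorer\iexplore.exe'),
    (Join-Path $env:SystemRoot 'System32\notepad.exe')
) | Where-Object { Test-Path $_ }

if ($samples) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $samples -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}

# 5. Optional: merge the audit-only rules into an existing GPO so the pilot OU
#    starts logging. Runs only when -GpoName is supplied.
if ($GpoName) {
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name $GpoName
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap "LDAP://$($gpo.Path)" -Merge
}
```

Review the audit events on pilot machines before changing the enforcement mode; the Application Identity service must be running on a client for AppLocker rules to be evaluated there.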

    New Group Policy Features in Windows Server 2012 and Windows 8 Client

    Figure 14: New Group Policy Features in Windows Server 2012 and Windows 8 Client

    Windows Server 2012 and Windows 8 Client are very similar to their predecessors. However, there are several new features and enhancements in the latest version of Group Policy.

    Figure 14 lists these enhancements:

    Remote Update from the GPMC: Use the GPMC to force a refresh of policies against all computers in a specific OU.

    PowerShell Invoke-GPUpdate: Use the Invoke-GPUpdate cmdlet to update policies on

    the local or remote machines.

    Group Policy Infrastructure Status: Use the replication Status tab to check on the

    replication status of GPOs in the domain. This eliminates the need for GPOTool.exe.

    Policy Error Links in RSOP Results: View Group Policy related events from local or

    remote machines.

    Hundreds of new GPO items: Hundreds of new settings are specific to Windows Server

    2012, Windows 8 Client and the new IE 10 browser.
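
The OU-wide refresh and RSoP check listed above, together with the Group Policy cmdlets introduced in Windows Server 2008 R2, as an added PowerShell example that is not from the original courseware. It assumes the GroupPolicy and ActiveDirectory modules are installed; the OU distinguished name, report folder and RSoP user are hypothetical.

```powershell
#Requires -Version 3.0
# Added example, not from the courseware. Needs the GroupPolicy and
# ActiveDirectory modules and rights to read GPOs and query the OU.
param(
    [string]$TargetOU   = 'OU=Workstations,DC=example,DC=com',  # hypothetical OU
    [string]$ReportDir  = (Join-Path $env:TEMP 'gp-reports'),
    [int]   $RecentDays = 7,
    [string]$RsopUser   = ''   # hypothetical, e.g. 'EXAMPLE\jdoe'; empty skips the RSoP step
)

Import-Module GroupPolicy
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. GPOs modified recently. An entry nobody can account for should be
#    reviewed before it is refreshed onto every machine.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-GPO -All |
    Where-Object { $_.ModificationTime -gt $cutoff } |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime |
    Format-Table -AutoSize

# 2. Every GPO the OU receives, including links inherited from parent
#    containers, in processing order.
$inheritance = Get-GPInheritance -Target $TargetOU
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 3. Save an XML settings report per linked GPO as a reviewable record of
#    what was in force at refresh time.
foreach ($link in $inheritance.InheritedGpoLinks) {
    $reportPath = Join-Path $ReportDir ("{0}.xml" -f $link.GpoId)
    Get-GPOReport -Guid $link.GpoId -ReportType Xml -Path $reportPath
}

# 4. Schedule a policy refresh on each enabled computer in the OU and record
#    failures instead of stopping at the first unreachable host.
$computers = @(Get-ADComputer -SearchBase $TargetOU -Filter * |
    Where-Object { $_.Enabled -and $_.DNSHostName })
$results = foreach ($computer in $computers) {
    try {
        Invoke-GPUpdate -Computer $computer.DNSHostName -Force `
            -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer.DNSHostName; Status = 'Refresh scheduled'; Error = '' }
    } catch {
        [pscustomobject]@{ Computer = $computer.DNSHostName; Status = 'Failed'; Error = $_.Exception.Message }
    }
}
$results | Format-Table Computer, Status, Error -AutoSize

# 5. Optional: Resultant Set of Policy for one computer and user, to confirm
#    which settings actually won. Runs only when -RsopUser is supplied.
if ($RsopUser -and $computers.Count -gt 0) {
    $first = $computers[0].DNSHostName
    try {
        Get-GPResultantSetOfPolicy -Computer $first -User $RsopUser -ReportType Html `
            -Path (Join-Path $ReportDir "rsop-$first.html") -ErrorAction Stop
    } catch {
        Write-Warning "RSoP for $RsopUser on $first failed: $($_.Exception.Message)"
    }
}
```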

    Acronyms

    The following acronyms are used in this section:

    ACL access control list

    ADM Administrative Templates

    ADMX Administrative Templates XML-based

    CD-ROM compact disc read-only memory

    DVD-ROM digital versatile disc read-only memory

    GPMC Group Policy Management Console

    GPO Group Policy object

    GUI graphical user interface

    ICMP Internet Control Message Protocol

    IPSec IP Security

    MD5 Message Digest 5

    MSI Microsoft Software Installer

    NTFS New Technology File System

    OU organizational unit

    PKI public key infrastructure

    PnP plug and play

    RSoP Resultant Set of Policy

    SMS Systems Management Server

    SRP Software Restriction Policies

    USB Universal Serial Bus

    XML Extensible markup language

    ZAP Zero Administration Package

    Section Review

    Summary

    Group Policy is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment.

    Use Group Policy to:

    Prevent changes to the desktop environment

    Enforce an Audit policy for servers

    Maintain user documents on a central server

    Assign a software package to many computers

    Prevent users from running unauthorized code

    Map a drive letter to a server resource

    Use the following Group Policy tools to:

    Group Policy Tool | Use it to
    Group Policy Management Console | View and manage all the policies that exist in a given Active Directory forest
    Group Policy Management Editor | View and modify all of the policy settings within a GPO
    Gpupdate.exe | Remotely update GPOs
    Gpresult.exe | Display all the policy settings that are active for a computer or user
    RSoP snap-in | Troubleshoot the policies that are applied to computers or users

    Figure 15: Group Policy Tools

    Some basic desktop policies are:

    Policy | Description
    Computer Configuration | Settings that apply only to the computer objects that are within the scope of the policy
    User Configuration | Settings that apply only to the user objects that are within the scope of the policy
    Desktop Settings and Restrictions | Include a wide range of desktop settings, from changing the aesthetic background logo to a complete lockdown of system
    Logon Scripts | Perform actions at logon; settings are now incorporated into Group Policy as individual configurable items
    Folder Redirection | Process that stores the user's personal My Documents files on a server instead of locally

    Figure 16: Desktop Policies

    Some basic software policies are:

    Policy | Description
    Distributing Software Packages | Software Installation section within Group Policy is used to distribute software packages
    | User Configuration and Computer Configuration sections of Group Policy are used to distribute software to user or computer, respectively
    | Add/Remove Programs on Windows XP and Windows Server 2003 or from Programs and Features within Windows Vista and Windows Server 2008 are used by the end user to install published packages
    Restricting Access to Software | Four types of SRPs (Path Rule, Network Zone Rule, Hash Rule, Certificate Rule) are used to prevent suspect software from running

    Figure 17: Software Policies

    New Group Policy features in Windows Server 2008 and Windows Vista are:

    Policy | Description
    Group Policy Management Editor Enhancements | New format for ADMX: Based on XML file format; new GPO tools can read ADM and ADMX files
    | Starter GPO: Creates a template of GPO settings that you can reuse
    | Comments for GPOs: Add custom comments to GPOs
    | GPO filter view: Displays settings in a variety of ways, including sort view or filtered view
    | GPMC: Standard tool for managing group policies
    Group Policy Service Changes | Group Policy service: Runs as a service of its own
    | Local Group Policy enhancements: Create multiple GPOs for the local computer
    | Network location awareness: Group Policy now uses event detection and event notification and provides faster startup times when group policies are applied
    New GPO Settings | New power management options: Set central standard for power management settings
    | Block device driver installation: Settings are now more granular; can block or allow device driver installation down to a specific PnP hardware identifier; can block installation of removable media devices; can customize a balloon tip message when installation is prevented
    | Windows Firewall with Advanced Security options: With a new interface you can easily create outbound filters; IPSec functionality has been integrated directly into the Windows Firewall interface
    | New Internet Explorer options: Most new Windows Internet Explorer settings are now configurable through Group Policy; can centrally define home pages, security settings, history retention, etc.
    | Printer installation: Location-based printer installation (shared printer connections are automatically available to computer or user side of the GPO); printer driver installation for non-administrators (installation of printer device drivers now occurs in the background with elevated privileges)

    Figure 18: New Group Policy Features in Windows Server 2008 and Windows Vista

    New Group Policy features in Windows Server 2008 R2 and Windows 7 are:

    Policy | Description
    Windows PowerShell cmdlets | Manage Group Policy from Windows PowerShell and run Windows PowerShell scripts during logon and startup; cmdlets allow GPO configuration from the command line and for automation
    Group Policy Preferences | Additional types of GPO preference items were added
    Starter GPOs | New default Starter GPOs were added to the GPMC interface
    Administrative Template Settings | New user interface and additional policy settings were added; Administrative Templates section was augmented with new settings and an editor window that is easier to navigate
    AppLocker | A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group

    Figure 19: New Group Policy Features in Windows Server 2008 R2 and Windows 7

    Knowledge Check

    1. What is Group Policy used for? (Choose all that apply.)

    a. To configure desktop settings

    b. To deploy software

    c. To enforce security policies

    d. To run logon scripts

    2. What is Group Policy? Write a brief description in the space provided.

    3. Match each Group Policy feature with its correct description. Write the letter of the

    description in the Answer column.

    Answer | Group Policy Feature | Description
    1.________ | GPMC | A. A tool used to create inbound and outbound firewall policies. IPSec functionality has been integrated directly into the interface.
    2.________ | Windows Firewall with Advanced Security | B. These allow GPO configuration from command line and for automation.
    3.________ | AppLocker | C. These set the central standard for power management settings.
    4.________ | Windows PowerShell cmdlets | D. A standard tool used to manage group policies.
    5.________ | Power management options | E. A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group.

    Knowledge Check Answer Key

    The correct answers to the Knowledge Check questions are bolded.

    1. What is Group Policy used for? (Choose all that apply.)

    a. To configure desktop settings

    b. To deploy software

    c. To enforce security policies

    d. To run logon scripts

    2. What is Group Policy?

    It is a mechanism for applying computer and user settings to one or many

    computers throughout an Active Directory environment.

    3. Match each Group Policy feature with its correct description. Write the letter of the

    description in the Answer column.

    Answer | Group Policy Feature | Description
    1. D | GPMC | F. A tool used to create inbound and outbound firewall policies. IPSec functionality has been integrated directly into the interface.
    2. A | Windows Firewall with Advanced Security | G. These allow GPO configuration from the command line and for automation.
    3. E | AppLocker | H. These set the central standard for power management settings.
    4. B | Windows PowerShell cmdlets | I. A standard tool used to manage group policies.
    5. C | Power management options | J. A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group.