Microsoft Windows 2000 Group Policy - PowerPoint PPT Presentation

Slides: 38
Provided by: Heid78

Transcript and Presenter's Notes

1
Microsoft Windows 2000Group Policy
  • Michael Seagle
  • Support Professional
  • Windows 2000 AD Services
  • Microsoft Corporation

2
Group Policy Requires
  • Active Directory
  • Microsoft Windows 2000 Professional clients
  • No support for Microsoft Windows NT 4.x or
    earlier
  • No support for Microsoft Windows 9x or earlier

3
Where Does Group Policy Live?
  • Within group policy objects (GPOs)
  • Created within a domain
  • Linked to any number of sites, domains, and
    organizational units (SDOUs)
  • Multiple GPOs can be linked to a single SDOU

4
When Does Group Policy Get Applied?
  • Computer starts: Windows 2000 applies the computer
    settings from group policies
  • User logs on: Windows 2000 applies the user settings
    from group policies
  • Both are refreshed again at periodic intervals

5
Where Does My Policy Come From?
Policy is processed farthest first (a local GPO on the
machine, if any, is processed before the site):
  1. Site
  2. Domain
  3. OU
  • Only for user/computer, not groups
  • Policy is inherited
  • Closer settings override farther ones

6
Modifying Inheritance
  • No Override
  • Block Inheritance
  • Highest No Override takes precedence over lower
    No Overrides
  • No Override takes precedence over Block
    Inheritance

7
What If an SDOU Is Linked to Multiple GPOs?
  • GPOs listed higher on the Group Policy tab override
    GPOs listed lower
  • This is because GPOs are processed from the bottom of
    the list to the top, so the top entry is written last

8
What If I Do Not Want Everyone in an OU to Be
Affected by a GPO?
  • You cannot link a GPO to a security group
  • You can filter GPOs by changing the default
    permissions on the GPO, using security groups
  • You need the Read and Apply Group Policy ACEs to
    have a GPO apply
  • You need Read and Write in order to read or
    modify a GPO
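The rules on slides 5 to 8 (site, domain, OU order; Block Inheritance; No Override; link order on the Group Policy tab; security filtering) interact, and the deck only states them one at a time. The following is an added example, not part of the original presentation: a small in-memory PowerShell model that resolves them together and prints the trace of which links were applied, blocked, or filtered. The GPO names, OU names, groups and the "Wallpaper" setting are made up for the walk-through.

```powershell
# Added example, not part of the original deck: an in-memory model of how
# Windows 2000 resolves the rules on slides 5 to 8. GPO names, OU names,
# groups and the settings below are made up for the walk-through.

function New-GpoLink {
    param(
        [string]$Gpo,
        [hashtable]$Settings,
        # Groups holding Read + Apply Group Policy on the GPO (default ACL: Authenticated Users)
        [string[]]$ApplyTo = @('Authenticated Users'),
        [switch]$NoOverride,
        [switch]$Disabled
    )
    [pscustomobject]@{ Gpo = $Gpo; Settings = $Settings; ApplyTo = $ApplyTo
                       NoOverride = [bool]$NoOverride; Disabled = [bool]$Disabled }
}

function Resolve-GroupPolicy {
    param(
        # Containers from farthest to closest (local, site, domain, OU, child OU ...).
        # Each is @{ Name; BlockInheritance; Links } with Links in Group Policy tab order (top first).
        [array]$Containers,
        [string[]]$Groups      # group memberships of the user or computer being evaluated
    )
    $trace = @()
    # Pass 1: collect links in application order. Each container's links are taken bottom-to-top,
    # so the top of the tab is written last. Block Inheritance drops everything collected from
    # farther containers except links marked No Override.
    $collected = @()
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        $c = $Containers[$i]
        if ($c.BlockInheritance) {
            foreach ($b in ($collected | Where-Object { -not $_.Link.NoOverride })) {
                $trace += "$($b.Link.Gpo): blocked at $($c.Name)"
            }
            $collected = @($collected | Where-Object { $_.Link.NoOverride })
        }
        $bottomUp = @($c.Links)
        [array]::Reverse($bottomUp)
        foreach ($link in $bottomUp) {
            $collected += [pscustomobject]@{ Level = $i; Container = $c.Name; Link = $link }
        }
    }
    # Pass 2: No Override links are re-applied after all normal links, farthest container last,
    # so a domain No Override beats an OU No Override and both beat any normal link.
    $sequence = @($collected | Where-Object { -not $_.Link.NoOverride })
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $sequence += @($collected | Where-Object { $_.Link.NoOverride -and $_.Level -eq $i })
    }
    # Pass 3: write settings in that order; later writes win. Disabled links and links whose
    # ACL grants Apply Group Policy to none of the principal's groups are skipped.
    $effective = @{}
    foreach ($entry in $sequence) {
        $link = $entry.Link
        if ($link.Disabled) { $trace += "$($link.Gpo): skipped, link disabled"; continue }
        $granted = @($link.ApplyTo | Where-Object { $Groups -contains $_ }).Count -gt 0
        if (-not $granted) { $trace += "$($link.Gpo): skipped, filtered by security group"; continue }
        foreach ($name in $link.Settings.Keys) { $effective[$name] = $link.Settings[$name] }
        $trace += "$($link.Gpo): applied from $($entry.Container)" +
                  $(if ($link.NoOverride) { ' (No Override)' } else { '' })
    }
    [pscustomobject]@{ Effective = $effective; Trace = $trace }
}

# Walk-through: a site GPO, a domain GPO marked No Override, and an OU that blocks
# inheritance and carries two links, the top one taking precedence over the bottom one.
$site    = @{ Name = 'Site'; BlockInheritance = $false; Links = @(
    (New-GpoLink -Gpo 'Site Branding' -Settings @{ Wallpaper = 'Blue' }) ) }
$domain  = @{ Name = 'Domain'; BlockInheritance = $false; Links = @(
    (New-GpoLink -Gpo 'Corp Baseline' -Settings @{ Wallpaper = 'Grey'; ScreenSaverTimeout = 600 } -NoOverride) ) }
$salesOu = @{ Name = 'OU Sales'; BlockInheritance = $true; Links = @(
    (New-GpoLink -Gpo 'Sales Top'    -Settings @{ Wallpaper = 'Green' }),
    (New-GpoLink -Gpo 'Sales Bottom' -Settings @{ Wallpaper = 'Red'; HomePage = 'http://intranet' } -ApplyTo 'Sales Managers') ) }

$result = Resolve-GroupPolicy -Containers @($site, $domain, $salesOu) -Groups @('Authenticated Users', 'Sales Users')
$result.Trace
$result.Effective
```

For a user in Sales Users the trace shows Site Branding blocked at the OU, Sales Bottom filtered out because only Sales Managers hold Apply Group Policy, Sales Top applied (Wallpaper = Green), and finally Corp Baseline applied with No Override, so the effective Wallpaper is Grey and ScreenSaverTimeout is 600. Swapping the two OU links, removing the No Override flag, or adding Sales Managers to the group list changes the result in the ways the slides describe.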

9
Default GPO Permissions
  • Authenticated Users: Read, Apply Group Policy
  • Local System, Domain Admins, Enterprise Admins: all
    permissions except Apply Group Policy (AGP)

10
Where Is GPO Information Stored?
  • Group Policy Container (GPC)
  • Located in Active Directory
  • Stores version, status, and policy information
  • Named by GUID, not by friendly name
  • Group Policy Template (GPT)
  • Located in SYSVOL, in a folder named by the same GUID
  • Holds the policy settings themselves (templates,
    scripts, security settings, software installation data)
  • Together they form the Group Policy Object, a virtual
    storage location for policy settings
  • GPC and GPT are replicated separately (AD replication
    versus SYSVOL file replication)
  • Individual policies only apply if both are in sync
    (except IPSec, which stores its policy in AD rather
    than in the GPT)

11
Deleting a GPO
  • Deleting a GPO from an SDOU gives you a choice
    between
  • Unlinking the GPO from the SDOU
  • Permanently deleting the GPO
  • Unlink is preferred, because
  • Deleted GPOs must be completely rebuilt
  • Other AD containers might be linked to the GPO
    (although you can check for this)

12
The Toolbox
  • Explain Tab (in the Group Policy snap-in)
  • Group Policy Reference
  • Group Policy Results (gpresult.exe)
  • Group Policy Verification Tool (gpotool.exe, checks
    GPC and GPT versions across DCs)
  • Active Directory Replication Monitor (replmon.exe)
  • Group Policy Log (userenv.log)

13
Under the Hood
  • Client-side extensions and the registry
  • GPO application history

14
Client-side Extensions
  • Client-side extensions exist for different policy
    types
  • At logon, client-side GP extensions apply policy
    settings to client
  • Extensions are registered by GUID at
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\GPExtensions

15
Identifying Extensions
  • {25537BA6-77A8-11D2-96BC-0000F8080861}
  • Folder Redirection
  • Each subkey under GPExtensions is named by the CSE's
    GUID; its default value holds the friendly name

16
CSE Registry Values
  • DllName
  • ProcessGroupPolicy (CSE function call)
  • NoMachinePolicy (for example, Folder Redirection)
  • NoUserPolicy (for example, IP Security)
  • NoSlowLink (for example, Application Management)
  • NoBackgroundPolicy (for example, Application
    Management)
  • NoGPOListChanges (for example, most)

17
CSE Registry Values
  • RequiresSuccessfulRegistry (for example, EFS
    Recovery, Disk Quotas)
  • EnableAsynchronousProcessing (for example,
    Security)

18
How Policy Is Applied
  • At logon, client-side GP extensions apply policy
    settings to client
  • GPO application history is stored in the registry

19
Policy History
  • The History key has subkeys for each extension,
    named by GUID
  • Each extension key has subkeys for each GPO
    applied, numbered incrementally from 0

20
History Registry Values
  • DisplayName
  • DSPath (except for LGPO)
  • FileSysPath (to GPT)
  • GPOLink (type of AD container the GPO is linked to):
    0 = unlinked, 1 = local, 2 = site, 3 = domain, 4 = OU

21
History Registry Values
  • GPOName (GUID or LGPO name)
  • Options (disabled, inheritance mods, and so
    forth)
  • Version (used to determine if the GPO has changed)
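Slides 14 to 21 describe two registry areas but do not show how to read them. The following is an added example, not part of the original deck: it lists every registered client-side extension with the flags from slides 16 and 17, then walks the per-CSE application history and decodes the values from slides 20 and 21. The GPExtensions path is the one on slide 14; the History paths (machine history under HKLM, user history under HKCU) are the standard locations and are stated here as such. The function names are my own. Run in an elevated PowerShell on a domain-joined machine.

```powershell
# Added example, not part of the original deck. Reads the CSE registrations
# (slide 14) and the per-CSE GPO application history (slides 19 to 21).

$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$historyKey = @{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
}
# Behaviour flags from slides 16 and 17; a DWORD value of 1 turns the behaviour on.
$cseFlagNames = 'NoMachinePolicy', 'NoUserPolicy', 'NoSlowLink', 'NoBackgroundPolicy',
                'NoGPOListChanges', 'RequiresSuccessfulRegistry', 'EnableAsynchronousProcessing'
# GPOLink values from slide 20.
$gpoLinkType = @{ 0 = 'unlinked'; 1 = 'local'; 2 = 'site'; 3 = 'domain'; 4 = 'OU' }

function Get-GpExtension {
    # One object per registered CSE. The subkey name is the CSE GUID (slide 15), the
    # default value is its friendly name, DllName/ProcessGroupPolicy say what gets called.
    foreach ($key in Get-ChildItem $gpExtKey) {
        $p = Get-ItemProperty $key.PSPath
        [pscustomobject]@{
            Guid       = $key.PSChildName
            Name       = $p.'(default)'
            DllName    = $p.DllName
            EntryPoint = $p.ProcessGroupPolicy
            Flags      = ($cseFlagNames | Where-Object { $p.$_ -eq 1 }) -join ', '
        }
    }
}

function Get-GpHistory {
    # Walks History\{CSE GUID}\0,1,2... (slide 19) and decodes the values on slides 20 and 21.
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $root = $historyKey[$Scope]
    if (-not (Test-Path $root)) { return }
    # Only the GUID-named subkeys are per-extension histories.
    foreach ($cse in (Get-ChildItem $root | Where-Object { $_.PSChildName -like '{*}' })) {
        foreach ($entry in (Get-ChildItem $cse.PSPath | Sort-Object { [int]$_.PSChildName })) {
            $v = Get-ItemProperty $entry.PSPath
            # Version is one DWORD: low 16 bits = computer settings version, high 16 bits = user.
            # REG_DWORD comes back as a signed int, so fold a negative value back to unsigned.
            $version = [int64]$v.Version
            if ($version -lt 0) { $version += 0x100000000 }
            [pscustomobject]@{
                Scope       = $Scope
                CseGuid     = $cse.PSChildName
                Order       = [int]$entry.PSChildName
                DisplayName = $v.DisplayName
                GpoName     = $v.GPOName               # GUID, or the LGPO name
                LinkedTo    = $gpoLinkType[[int]$v.GPOLink]
                DSPath      = $v.DSPath                # empty for the LGPO
                GPT         = $v.FileSysPath
                ComputerVer = $version -band 0xFFFF
                UserVer     = ($version -shr 16) -band 0xFFFF
                Options     = $v.Options
            }
        }
    }
}

Get-GpExtension | Format-Table Guid, Name, Flags -AutoSize
Get-GpHistory -Scope Machine | Format-Table Order, CseGuid, DisplayName, LinkedTo, ComputerVer, UserVer -AutoSize
```

The history is what the client compares against on the next refresh: an extension with NoGPOListChanges set skips work when the GPO list and versions recorded here are unchanged, which is why a GPO edited on one DC but not yet replicated to the DC the client used can look "ignored". Comparing the ComputerVer/UserVer recorded here with the version on the DC is the first step when settings are not applied.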

22
Scenarios
  • Group policy settings are not applied
  • Group policy settings applied inconsistently
  • Unable to manage group policy

23
If GP Settings Are Not Applied
  • Check for inheritance conflicts
  • Check for security issues
  • Check for disabled GPOs
  • Check for incomplete replication
  • Check interdomain trusts
  • Check for recently moved user or computer
  • Are you migrating?
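Two of the checks above, "incomplete replication" here and "both halves in sync" on slide 10, come down to the same comparison: the versionNumber attribute of the GPC in Active Directory against the Version= line in gpt.ini in SYSVOL, on every DC. The following is an added example, not part of the original deck, that performs that comparison by hand (gpotool.exe from the toolbox slide automates it). The domain, DC names and function names are placeholders of mine; the GPO GUID shown is the well-known one for Default Domain Policy.

```powershell
# Added example, not part of the original deck: compare GPC and GPT versions
# per DC and across DCs. Domain, DC names and function names are placeholders.

$domainDns = 'corp.example'
$domainDn  = 'DC=corp,DC=example'
$gpoGuid   = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy (well-known GUID)
$dcs       = 'dc1.corp.example', 'dc2.corp.example'

function Split-GpoVersion {
    # One DWORD holds both halves: low 16 bits = computer settings, high 16 bits = user settings.
    param([int64]$Version)
    [pscustomobject]@{ Computer = $Version -band 0xFFFF; User = ($Version -shr 16) -band 0xFFFF }
}

function Get-GpcVersion {
    # GPC side: the versionNumber attribute of the groupPolicyContainer object, read from one DC
    # so that we see that DC's replica, not whichever DC the locator happens to pick.
    param([string]$Dc)
    $gpc = [adsi]"LDAP://$Dc/CN=$gpoGuid,CN=Policies,CN=System,$domainDn"
    $version = [int64]$gpc.versionNumber.Value
    if ($version -lt 0) { $version += 0x100000000 }   # attribute is a signed 32-bit integer
    $version
}

function Get-GptVersion {
    # GPT side: the Version= line in gpt.ini under that same DC's SYSVOL share.
    param([string]$Dc)
    $ini  = Get-Content "\\$Dc\SYSVOL\$domainDns\Policies\$gpoGuid\gpt.ini"
    $line = @($ini | Where-Object { $_ -match '^Version=\d+\s*$' })
    if ($line.Count -eq 0) { throw "No Version= line in gpt.ini on $Dc" }
    [int64](($line[0] -replace '^Version=', '').Trim())
}

function Test-GpoVersionSync {
    $rows = foreach ($dc in $dcs) {
        $gpc   = Get-GpcVersion $dc
        $gpt   = Get-GptVersion $dc
        $split = Split-GpoVersion $gpc
        [pscustomobject]@{
            DC = $dc; GpcVersion = $gpc; GptVersion = $gpt
            ComputerVer = $split.Computer; UserVer = $split.User
            InSyncOnDc  = ($gpc -eq $gpt)   # slide 10: both halves must match for the GPO to apply
        }
    }
    $rows | Format-Table -AutoSize
    # Slide 23: a GPC or GPT version that differs between DCs means replication is still incomplete.
    $distinctGpc = @($rows.GpcVersion | Sort-Object -Unique).Count
    $distinctGpt = @($rows.GptVersion | Sort-Object -Unique).Count
    if ($distinctGpc -gt 1 -or $distinctGpt -gt 1) {
        Write-Warning 'GPO versions differ between DCs; wait for AD and SYSVOL replication or investigate.'
    }
}

Test-GpoVersionSync
```

Because AD and SYSVOL replicate on different schedules, a single GPO edit routinely produces a short window in which one DC has the new GPC but the old GPT (or the reverse); clients that hit that DC during the window skip the GPO rather than apply a half-updated one, which is the "applied inconsistently" symptom on the next slide.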

24
If GP Settings Are Applied Inconsistently
  • Check for preferences versus policies
  • Check for asynchronous processing
  • Are you using IPSec or User Rights policies?

25
If You Cannot Manage GP
  • Snap-in problems
  • Delegation problems
  • Consistency and/or performance problems

26
Required Permissions
  • To have policy applied, you must have Read and
    Apply Group Policy
  • To use the Group Policy snap-in, you must have
    Read and Write
  • Domain Admins are covered for AD-based GPOs
  • Local admins are covered for LGPOs

27
Creating a Site GPO
  • Use Active Directory Sites and Services
  • You must be a member of Enterprise Admins

28
Delegating Control of Group Policy
  • If OU admins have trouble managing group policy,
    check their permissions
  • Managing GPO links on an SDOU
  • Creating GPOs
  • Editing GPOs

29
Manage Group Policy Links
  • Required in order for an OU admin to link a GPO
    created by another admin
  • Allows user to add, remove, and reprioritize
    linked GPOs
  • Does not allow user to create or edit GPOs
  • Assigned using the Manage Group Policy Links
    predefined delegation
  • Actually grants read/write access to gPLink and
    gPOptions properties of SDOU

30
Create GPO
  • Required in order for an OU admin user to create
    a GPO
  • Allows user to create GPOs and edit only GPOs
    created by that user (or delegated to that user)
  • Does not allow user to link GPOs to an SDOU
  • Delegated by adding a user to the Group Policy
    Creator Owners security group

31
Edit GPO
  • Allows user to edit that GPO
  • Does not allow user to link the GPO to SDOUs
  • Assigned by granting a user all permissions on
    the GPO except for Apply Group Policy
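Slides 29 to 31 name the three delegations but not the operations behind them. The following is an added example, not part of the original deck: the delegations expressed as commands, plus the permission check slide 28 asks for. It uses dsacls (Windows 2000 Support Tools, built into later Windows) to write and list the AD ACL and net group for the Creator Owners membership. The OU, group and user names are placeholders.

```powershell
# Added example, not part of the original deck: delegations from slides 29 to 31
# as commands, and the permission check from slide 28. Names are placeholders.

$ou       = 'OU=Sales,DC=corp,DC=example'
$ouAdmins = 'CORP\Sales-OU-Admins'
$user     = 'jsmith'

# Slide 29: Manage Group Policy Links is read/write on exactly two attributes of the SDOU.
# RP = read property, WP = write property; the name after ';' limits the ACE to that attribute.
dsacls $ou /G "${ouAdmins}:RPWP;gPLink"
dsacls $ou /G "${ouAdmins}:RPWP;gPOptions"

# Slide 30: Create GPO is membership in Group Policy Creator Owners.
net group 'Group Policy Creator Owners' $user /add /domain

# Slide 31: Edit GPO is "everything except Apply Group Policy" on that one GPO. Set it from the
# GPO's Security tab rather than with dsacls: the snap-in also mirrors the ACL onto the GPT
# folder in SYSVOL, which an AD-only ACL change would not do.

# Slide 28: when an OU admin cannot link GPOs, confirm both ACEs are actually present.
# dsacls prints "SPECIAL ACCESS for gPLink" followed by the property rights granted.
$acl = dsacls $ou
$acl | Select-String -Pattern 'gPLink|gPOptions' -Context 0, 2
```

Write access to gPLink is worth treating as a privileged right: whoever holds it on an OU can link any GPO they can edit to every computer and user in that OU, so the combination of Manage Group Policy Links and Group Policy Creator Owners membership amounts to control of the OU's members. Keep the two delegations on separate, audited groups where the deck's "limit the number of admins" advice matters.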

32
Where Are GPOs Managed?
  • By default, on the PDC operations master
  • You can select an alternate DC, but
  • If multiple admins edit the same GPO on different
    DCs, the last writer wins
  • Be sure that no one else is editing the GPO; data
    is written to the GPO with each change
  • Be sure that the GPO has fully replicated before
    changing it

33
Which DC Should I Choose?
  • For safety, choose the PDC Operations Master
  • For consistency, choose the DC used by the Active
    Directory snap-ins
  • For performance, choose the "Use any available
    domain controller" option (will favor the local site)
  • You can set the DC option with the "Group Policy
    domain controller selection" policy (User
    Configuration\Administrative Templates\System\Group
    Policy)

34
Recommendations
  • Simplify
  • Document
  • Test

35
To Simplify Troubleshooting
  • Limit the number of admins who can edit GPOs (to
    reduce possibility of simultaneous editing)
  • Limit inheritance modification, filtering, and
    loopback
  • Limit the number of GPOs that apply to an SDOU
  • Test!

36
Documenting Group Policy
Keeping track of special settings may allow you
to resolve conflicts at a glance
A database allows you to easily look at all
policies affecting a given SDOU