Useful Group Policy Concepts

Posted on 10-Aug-2015


USEFUL GROUP POLICY CONCEPTS

A random collection of some helpful tips. Let’s start with a review!

Review: What is Group Policy?

Group Policy provides the centralized management and configuration of Operating Systems, Apps, and user settings via Active Directory.

[Screenshot: Set Screensaver timeout]

Review: What are GPO’s good for?

You can tweak things like:

• Password complexity settings
• Screensaver timeouts
• File/Folder Permissions
• Web browser settings
• WiFi profiles
• Application-specific settings
• What a user can and cannot access (regedit.exe, cmd.exe, OS features)
• Networking characteristics
• Windows Update settings
• And much, much more!

Managing Group Policies

Open Group Policy Management Console (GPMC) from your Domain Controller

Or

Install the Remote Server Administration Tools (RSAT) on your Windows client OS

Windows 10 build >= 9926: http://www.microsoft.com/en-us/download/details.aspx?id=45520

Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296

Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=28972

Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887

Windows Vista: http://www.microsoft.com/en-us/download/details.aspx?id=21090


Review: What exactly are Group Policy Objects?

Group Policy Objects (GPO’s) are settings & definitions which reside on your domain controllers and replicate via DFS and FRS, stored in the sysvol folder.

These GPO’s contain settings which can manipulate a computer’s or user’s configuration/experience – as such, the settings are broken into ‘Computer Configuration’ and ‘User Configuration.’

GPO’s are then associated (aka ‘linked’) to Organizational Units (OU’s) in Active Directory. Any user or computer object in the OU tree will apply the settings from those GPO’s by default.

You can link one GPO to many OU’s if desired.

You can allow or disallow GPO application per user/computer/group by way of Security Filtering.

Review: The order in which GPO’s are applied

1. Local computer policy (gpedit.msc)
2. Site
3. Domain
4. OU
5. Child OU (highest priority)

Things change a bit if you right-click a GPO link and ‘Enforce’ it: the order of precedence now favors the enforced policy.
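To check the resulting order on a real OU rather than reasoning it out by hand, here is an added example (not from the original deck) that lists what Get-GPInheritance reports for a container, in precedence order and with the enforced flag shown; the OU distinguished name is a placeholder.

```powershell
# Added example: show the GPO links that apply to an OU in precedence order,
# including links inherited from parent OUs and the domain, and flag enforced ones.
# Assumes the GroupPolicy module (RSAT/GPMC) is available and the OU DN is replaced.
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$TargetOU)

    $inh = Get-GPInheritance -Target $TargetOU

    # InheritedGpoLinks mirrors the GPMC 'Group Policy Inheritance' tab:
    # position 1 has the highest precedence (wins on conflict). Enforced links
    # from higher containers are pulled ahead of the OU's own links.
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence  = $i
            DisplayName = $link.DisplayName
            LinkedAt    = $link.Target
            Enforced    = $link.Enforced
            Enabled     = $link.Enabled
            GpoId       = $link.GpoId
        }
    }

    # A blocked-inheritance OU silently drops non-enforced parent links; worth knowing when
    # a setting "should" apply but does not.
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $TargetOU; only enforced parent links reach it."
    }
}

# Placeholder OU: replace with a real distinguished name from your domain.
Get-EffectiveGpoOrder -TargetOU "OU=Workstations,DC=example,DC=local" | Format-Table -AutoSize
```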

Review: When Group Policies are Applied

By default they refresh at around 90 minutes for workstations and 5 minutes for domain controllers.

They are also processed at bootup/logon.

You can force a refresh by running GPUpdate /force from an elevated command prompt

You can also force a refresh from the GPMC or ADUC if you are running Windows 8 or Server 2012 (SpecOps makes a tool for this as well that works with Windows 7).

http://www.specopssoft.com/product/specops-gpupdate/

Review: Getting started with Group Policy?

1. Create a new OU
2. Move a computer/user object into the OU
3. Create a new GPO, make a change
4. Link the new GPO to your test OU.

Starter tips:

• Don’t modify the default domain policy (DDP) – use only for account security settings.
• Don’t move your domain controllers out of the ‘Domain Controllers’ OU.

Nifty online reference for GPO settings: http://gpsearch.azurewebsites.net

SOFTWARE RESTRICTIONS

Yes, you don’t need to open that email from george32426@earthlink.com. Really.

Stopping your users from running “junk”

Software Restriction Policies allow or disallow certain programs from being run on your domain computers.

Users will receive a “helpful” popup telling them that their application has been blocked

Event log entry 866 is generated

Software Restriction Policies: How they work

Block or approve applications based on file hash, path, or folder name. Decent start for preliminary defense against malware like Cryptolocker.

AppLocker is the next generation of SRP, found on Windows Ultimate & Enterprise (and Server).

Software Restriction Policies: Blacklist or Whitelist?

Blacklisting:

• You maintain a list of applications that are not OK to run. Everything else is allowed to execute.
• Good for when you need to block one or two problem apps in your environment.
• Easier to introduce/implement.
• This is tedious.
• Configure under Computer Configuration\Policies\Windows Settings\Software Restriction Policies\Unrestricted

Whitelisting:

• You maintain a list of applications that are approved* to run. Everything else is not allowed to execute.
• *The whitelist will set up a default set of applications that Windows needs to operate.
• Requires extensive testing to make sure everything works as expected.
• Best for overall system security.
• Configure under Computer Configuration\Policies\Windows Settings\Software Restriction Policies\Disallowed

Software Restriction Policies - where to find them

In your GPMC, head to: Computer or User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies
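Because SRP logs each block as Application event 866, the testing phase of a whitelist rollout is much easier if you summarise those events per blocked path. The following is an added example (not from the original deck); it assumes the event source is named SoftwareRestrictionPolicies and that the message begins "Access to <path> has been restricted", and falls back to the raw message if that pattern does not match.

```powershell
# Added example: summarise Software Restriction Policy block events (Application log,
# source SoftwareRestrictionPolicies, event ID 866) by blocked path, so you can see
# which programs are being stopped while a whitelist is being tuned.
function Get-SrpBlockSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'   # assumed provider name for SRP
        Id           = 866
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as a non-terminating error; treat it as empty.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Verbose "No SRP block events in the last $Days days on $ComputerName"
        return
    }

    $events | ForEach-Object {
        # Assumed message shape: "Access to <path> has been restricted by your Administrator ..."
        $path = if ($_.Message -match 'Access to (?<p>.+?) has been restricted') { $Matches.p } else { $_.Message }
        [pscustomobject]@{ Path = $path; Time = $_.TimeCreated; User = $_.UserId }
    } |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'BlockedPath'; e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } },
                  @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Get-SrpBlockSummary -Days 7 | Format-Table -AutoSize
```

Run it against a pilot machine after each rule change; a path that keeps appearing is either a missing whitelist entry or exactly the junk the policy is there to stop.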

GROUP POLICY PREFERENCES

Do you have a moment to talk about our savior, Group Policy Preferences?

Preference actions: Create, Replace, Update, Delete

Group Policy Preferences (GPP)

• Printers & Mapped Drives
• ODBC Data Sources
• Modify local user groups
• Power Plans
• Scheduled Tasks & Services
• Copy, Update or Remove Files/Folders
• Application Shortcuts
• Registry Entries
• Etc.

Group Policy Preferences – where to find them

Head to ‘Computer’ or ‘User Configuration’\Preferences in your GPMC.

Item Level Targeting: Granular Preferences

Deployment of preferences and configs to computers & users based upon very specific criteria. Examples:

• If a computer has a battery
• If a user is or is not a member of a security group
• If a computer has a specific IP address
• If an object is a member of a particular OU
• Etc. Or a combination of the above!

Group Policy Preferences Console Shortcuts

• F5 – applies all visible options (green)

• F6 – applies only the option that currently has focus (green)

• F7 – does not apply the option that currently has focus (dashed red)

• F8 – does not apply all visible options (dashed red)

Extremely useful if you only want to configure a single preference out of a large grouping.

LOOPBACK POLICIES

Perfect for Terminal/Citrix servers…

What do Loopback Policies do?

These are policies where you can configure user-based configurations on computer objects.

That is, lock out user access to certain items or perhaps set application-specific settings only when a user logs into a particular computer.

Great for kiosk/terminal/Citrix or other shared computers where every user must have the same experience on a specific computer.

How to set up a Loopback Policy

1. Set up a group policy as you normally would, configuring items under ‘User Configuration.’ A good start would be to lock out certain desktop items.

2. Under ‘Computer Configuration,’ modify ‘Configure user Group Policy loopback processing mode’ under Windows Settings\Administrative Templates\System\Group Policy.

3. Enable ‘Replace’ mode to start with. ‘Merge’ takes longer to process and may produce unexpected results if you’re just starting out.

4. Link the group policy to the OU where the computer object resides.

5. Log in and enjoy!
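The same five steps scripted with the GroupPolicy module, as an added example (not from the original deck): the GPO name, the OU distinguished name and the sample user-side lockdown (hiding the Run command) are hypothetical, and the loopback mode is written through the registry value that the ‘Configure user Group Policy loopback processing mode’ setting controls.

```powershell
# Added example: build a loopback GPO for a shared-computer OU.
# Assumes the GroupPolicy module (RSAT/GPMC) and rights to create and link GPOs.
Import-Module GroupPolicy

$gpoName  = "Kiosk - Loopback Replace"          # hypothetical GPO name
$targetOU = "OU=Kiosks,DC=example,DC=local"     # placeholder OU holding the computer objects
$mode     = "Replace"                           # start with Replace; "Merge" once you know the result

# Step 1: create the GPO (reuse it if it already exists).
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment "Loopback ($mode) for shared computers" }

# Step 1 (user side): a sample lockdown under User Configuration, applied to every user of
# the kiosk via loopback. NoRun = 1 removes the Run command from the Start menu.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoRun" -Type DWord -Value 1 | Out-Null

# Steps 2-3: the loopback setting is a Computer Configuration policy backed by
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
$modeValue = if ($mode -eq "Replace") { 2 } else { 1 }
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value $modeValue | Out-Null

# Step 4: link to the OU where the computer objects live (skip if already linked).
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Step 5 is a logon; before that, confirm what the GPO will push.
Get-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\System"
Get-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
```

On the kiosk itself, GPUpdate /force followed by GPResult /h will show the user settings arriving via the computer’s GPO.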

POWERSHELL AND GROUP POLICY

Working with GPOs in PowerShell: What you need

Must have one of:

• Windows 7 or better with RSAT (Remote Server Administration Tools)
• Server 2008 R2 member server or better with the GPMC (Group Policy Management Console) installed
• Server 2008 R2 Domain Controller or better

AND at least PowerShell 2.0 (this comes with Windows 7/Server 2008 R2)

When performing ‘administrative-like’ duties in PowerShell, always right-click and run PowerShell as an administrator.

The more you know…

Starter cmdlets

• Get-GPO
• Get-GPOReport
• Backup-GPO / Restore-GPO
• Get-GPResultantSetOfPolicy (like ‘GPResult /h’)
• Set-GPLink

Backup your GPO

Backup-GPO -All -Path c:\temp | Out-File c:\temp\gpo-backups.txt

Example of output:

DisplayName : Computer Policy - Test
GpoId : a4bafa8d-a66d-4b08-a433-01e79086e08b
Id : 004c5691-45a3-47f5-a556-77b5fb7d4109
BackupDirectory : c:\temp
CreationTime : 4/28/2015 10:44:26 PM
DomainName : lnrdomain.local
Comment :

The Id value from the Backup-GPO cmdlet output corresponds to the GPO directory names contained in the backup folder.


Restore your GPO

Restore-GPO -BackupID 004c5691-45a3-47f5-a556-77b5fb7d4109 -Path c:\temp

This will restore the specified GPO, selected by its backup ID, back to your domain from the c:\temp path.

A couple of things to note:

• If you are restoring a GPO that was previously deleted, the restored GPO will NOT retain its original links in AD.
• Restoring a GPO will restore the original GPO ID. However, when you run Backup-GPO again against this GPO, a new BackupID will be generated.

Get an output of all your Policy settings

You can use the following PowerShell cmdlet to export the settings for all your domain policies:

Get-GPOReport -All -ReportType Html -Path "c:\temp\gpo-output.html"

This is great for reviewing all GPOs (grab a pot of coffee!), and looks similar to the ‘GPResult.exe’ HTML output.* You can also run this against a single policy:

Get-GPOReport -Name "Computer Policy - Test" -ReportType Html -Path "c:\temp\cp-test.html"

*Note that the RSoP PowerShell cmdlet is Get-GPResultantSetOfPolicy
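Putting the backup, restore and report cmdlets together, here is an added example (not from the original deck) that backs up every GPO into a dated folder, writes a manifest mapping each GPO’s GpoId to the backup Id (the folder name you need for Restore-GPO), and drops an HTML report beside it; the root path is hypothetical.

```powershell
# Added example: scheduled-style backup of all GPOs with a manifest and per-GPO HTML reports,
# plus a restore helper that picks the newest backup of a GPO by display name.
# Assumes the GroupPolicy module (RSAT/GPMC) and write access to the root path.
Import-Module GroupPolicy

function Backup-AllGpoWithManifest {
    param([string]$Root = "C:\temp\gpo-backups")   # hypothetical root path
    $dest = Join-Path $Root (Get-Date -Format "yyyy-MM-dd_HHmm")
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Backup-GPO -All returns one object per GPO. Id is the backup Id (the subfolder name under
    # $dest, new on every run); GpoId is the GPO's own GUID and survives a restore.
    $backups = Backup-GPO -All -Path $dest -Comment "Automated backup $(Get-Date -Format s)"
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest "manifest.csv") -NoTypeInformation

    # One HTML report per GPO, named after the GPO with filesystem-unsafe characters replaced.
    foreach ($b in $backups) {
        $safe = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $dest "$safe.html")
    }
    return $backups
}

function Restore-GpoByName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BackupPath
    )
    # Restore-GPO -Name restores the most recent backup of that GPO found under -Path.
    # A GPO that had been deleted comes back without its links: re-link it with New-GPLink.
    Restore-GPO -Name $Name -Path $BackupPath
}

$result = Backup-AllGpoWithManifest
$result | Select-Object DisplayName, GpoId, Id | Format-Table -AutoSize
```

Keep the manifest with the backup folder: without it, a backup Id on its own tells you nothing about which GPO it came from.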

For more information relating to PowerShell and GPO’s…

Use PowerShell to find more cmdlets relating to Group Policy:

Get-Command -Noun "GP*"

Want to know more about a specific cmdlet? Type the following:

Get-Help Get-GPO   # <-- Or whatever cmdlet you want to know about

If you have PowerShell 3.0 or better, you can do this:

Get-Help Get-GPO -ShowWindow