USEFUL GROUP POLICY CONCEPTS
A random collection of some helpful tips. Let’s start with a review!
Review: What is Group Policy?
Group Policy provides the centralized management and configuration of Operating Systems, Apps, and user settings via Active Directory.
Review: What are GPO’s good for?
You can tweak things like:
Password complexity settings
Screensaver timeouts
File/Folder Permissions
Web browser settings
WiFi profiles
Application-specific settings
What a user can and cannot access (regedit.exe, cmd.exe, OS features)
Networking characteristics
Windows Update settings
And much, much more!
Managing Group Policies
Open Group Policy Management Console (GPMC) from your Domain Controller
Or
Install the Remote Server Administration Toolkit (RSAT) on your Windows client OS
Windows 10 build >= 9926: http://www.microsoft.com/en-us/download/details.aspx?id=45520
Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296
Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=28972
Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows Vista: http://www.microsoft.com/en-us/download/details.aspx?id=21090
Review: What exactly are Group Policy Objects?
Group Policy Objects (GPO’s) are settings & definitions which reside on your domain controllers, stored in the SYSVOL folder and replicated between DCs via DFS-R (or FRS on older domains).
These GPO’s contain settings which can manipulate a computer’s or user’s configuration/experience – as such, the settings are broken into ‘Computer Configuration’ and ‘User Configuration.’
GPO’s are then associated (aka ‘linked’) to Organizational Units (OU’s) in Active Directory. Any user or computer object in the OU tree will apply the settings from those GPO’s by default.
You can link one GPO to many OU’s if desired.
You can allow or disallow GPO application per user/computer/group by way of Security Filtering.
Review: The order in which GPO’s are applied
1. Local computer policy (gpedit.msc)
2. Site
3. Domain
4. OU
5. Child OU (highest priority)
Things change a bit if you right-click a GPO link and ‘Enforce’ it: the order of precedence now favors the enforced policy, even over GPOs linked at a lower level.
Review: When Group Policies are Applied
By default they refresh at around 90 minutes for workstations and 5 minutes for domain controllers.
They are also processed at bootup/logon.
You can force a refresh by running GPUpdate /force from an elevated command prompt
You can also force a refresh from the GPMC or ADUC if you are running Windows 8 or Server 2012 (SpecOps makes a tool for this as well that works with Windows 7).
http://www.specopssoft.com/product/specops-gpupdate/
Review: Getting started with Group Policy?
1. Create a new OU
2. Move a computer/user object into the OU
3. Create a new GPO, make a change
4. Link the new GPO to your test OU.
Starter tips:
Don’t modify the default domain policy (DDP): use it only for account security settings.
Don’t move your domain controllers out of the ‘Domain Controllers’ OU.
Nifty online reference for GPO settings: http://gpsearch.azurewebsites.net
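The four getting-started steps above, done in PowerShell rather than the GPMC. This is an added example, not code from the original deck. It assumes the RSAT ActiveDirectory and GroupPolicy modules, an elevated prompt run as a domain admin, and lab names that are assumptions (the OU GPO-Test and the computer TESTPC01); the GPO name and the domain lnrdomain.local are the ones used later in the deck.

```powershell
# Added example, not from the original deck: the getting-started steps in PowerShell.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules, an elevated prompt and a
# domain admin account. The OU name, the test computer TESTPC01 and the timeout value
# are assumptions for the lab; the GPO name matches the one used later in the deck.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=lnrdomain,DC=local
$ouName   = 'GPO-Test'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Computer Policy - Test'
$computer = 'TESTPC01'                            # a test workstation, never a DC

# 1. Create a new OU (protected from accidental deletion, as the GUI does by default)
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the test computer object into the OU
$comp = Get-ADComputer -Identity $computer
if ($comp.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $ouDn
}

# 3. Create a new GPO and make one change: a 15-minute screensaver timeout. This is the
#    registry value behind the "Screen saver timeout" User Configuration template.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lab GPO. Leave the Default Domain Policy alone.'
}
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value '900' | Out-Null

# 4. Link the GPO to the test OU only (not the domain), then show the link order.
#    Set-GPLink -Enforced Yes is how you would make it win over lower-priority links.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}
(Get-GPInheritance -Target $ouDn).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# Then on TESTPC01: gpupdate /force, and gpresult /h rsop.html to confirm the setting applied.
```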
SOFTWARE RESTRICTIONS
Yes, you don’t need to open that email from [email protected]. Really.
Stopping your users from running “junk”
Software Restriction Policies allow or disallow certain programs from being run on your domain computers.
Users will receive a “helpful” popup telling them that their application has been blocked
Event log entry 866 is generated
Software Restriction Policies: How they work
Block or approve applications based on file hash, path, or folder name. Decent start for preliminary defense against malware like Cryptolocker.
AppLocker is the next generation of SRP, found on Windows Ultimate & Enterprise (and Server).
Software Restriction Policies: Blacklist or Whitelist?
Blacklisting
You maintain a list of applications that are not OK to run. Everything else is allowed to execute.
Good for when you need to block one or two problem apps in your environment.
Easier to introduce/implement.
This is tedious.
Configure under Computer Configuration\Policies\Windows Settings\Software Restriction Policies\Unrestricted
Whitelisting
You maintain a list of applications that are approved* to run. Everything else is not allowed to execute.
The whitelist will set up a default set of applications that Windows needs to operate.
Requires extensive testing to make sure everything works as expected.
Best for overall system security.
Configure under Computer Configuration\Policies\Windows Settings\Software Restriction Policies\Disallowed
Software Restriction Policies - where to find them
In your GPMC, head to: Computer or User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies
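Once SRP is in place, the "Event log entry 866" mentioned above is what tells you what is actually being blocked, which is what you review while tuning a blacklist or whitelist. The following is an added example, not code from the original deck; it assumes PowerShell 3.0 or later and read access to the (local or remote) Application log, and the regex over the event text is a best-effort assumption about the 866 message wording.

```powershell
# Added example, not from the original deck: summarize SRP block events (ID 866) from the
# Application log so you can see which programs and users are being stopped.
# Assumes PowerShell 3.0+ and rights to read the Application log on the target.
function Get-SrpBlockEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Application'
        Id        = 866
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' }

    # Event 866 text reads roughly "Access to <exe> has been restricted by your Administrator by
    # location with policy rule <guid> placed on path <rule path>". The regex is a best-effort
    # assumption, so the raw message is kept whenever it does not match.
    $pattern = 'Access to (?<Exe>.+?) has been restricted .*?policy rule (?<Rule>\S+) placed on path (?<RulePath>.+)$'

    foreach ($e in $events) {
        $msg = [string]$e.Message
        $m = [regex]::Match($msg, $pattern, 'Singleline')
        $user = ''
        if ($e.UserId) {
            try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $e.UserId.Value }     # SID no longer resolvable
        }
        $exe      = if ($m.Success) { $m.Groups['Exe'].Value } else { $msg.Trim() }
        $rulePath = if ($m.Success) { $m.Groups['RulePath'].Value.Trim() } else { '' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            User     = $user
            Exe      = $exe
            RulePath = $rulePath
        }
    }
}

# Which programs are being blocked most, and which users keep hitting them?
$blocked = Get-SrpBlockEvent -Hours 72
$blocked | Group-Object Exe  | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$blocked | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
# A burst from one user against one RulePath usually means a legitimate app still needs a rule.
```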
GROUP POLICY PREFERENCES
Do you have a moment to talk about our savior, Group Policy Preferences?
Group Policy Preferences (GPP)
Each preference item carries an action: create, replace, update, or delete.
Preferences can manage:
Printers & Mapped Drives
ODBC Data Sources
Modify local user groups
Power Plans
Scheduled Tasks & Services
Copy, Update or Remove Files/Folders
Application Shortcuts
Registry Entries
Etc.
Group Policy Preferences – where to find them
Head to ‘Computer’ or ‘User Configuration’\Preferences in your GPMC.
Item Level Targeting: Granular Preferences
Deployment of preferences and configs to computers & users based upon very specific criteria. Examples:
If a computer has a battery
If a user is or is not a member of a security group
If a computer has a specific IP address
If an object is a member of a particular OU
Etc. Or a combination of the above!
Group Policy Preferences Console Shortcuts
• F5 – applies all visible options (green)
• F6 – applies only the option that currently has focus (green)
• F7 – does not apply the option that currently has focus (dashed red)
• F8 – does not apply all visible options (dashed red)
Extremely useful if you only want to configure a single preference out of a large grouping.
LOOPBACK POLICIES
Perfect for Terminal/Citrix servers…
What do Loopback Policies do?
These are policies where you can configure user based configurations on computer objects.
I.e. lock out user access to certain items or perhaps set application specific settings only when they log into a particular computer.
Great for Kiosk/Terminal/Citrix other shared computers where every user must have the same experience on a specific computer.
How to set up a Loopback Policy
1. Set up a group policy as you normally would, configuring items under ‘User Configuration.’ A good start would be to lock out certain desktop items.
2. Under ‘Computer Configuration,’ modify ‘Configure user Group Policy loopback processing mode’ under Windows Settings\Administrative Templates\System\Group Policy.
3. Enable ‘Replace’ mode to start with. ‘Merge’ takes longer to process and may produce unexpected results if you’re just starting out.
4. Link group policy to OU where computer object resides.
5. Log in and enjoy!
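The five loopback steps above, built as one GPO from PowerShell. This is an added example, not the deck's own code; it assumes the RSAT GroupPolicy and ActiveDirectory modules and an OU named Kiosks holding the shared computers (an assumption). The loopback mode template is stored in the GPO as the registry value UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (2 = Replace, 1 = Merge), which is what Set-GPRegistryValue writes here.

```powershell
# Added example, not from the original deck: a loopback "Replace" GPO for a shared-computer OU.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and an OU named "Kiosks" (assumption).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Kiosk - Loopback Replace'
$ouDn    = 'OU=Kiosks,' + (Get-ADDomain).DistinguishedName

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User lockdown applied per computer via loopback'
}

# 1. User Configuration: lock out regedit.exe and cmd.exe. These are the registry values behind
#    the "Prevent access to registry editing tools" and "Prevent access to the command prompt"
#    Administrative Templates (DisableCMD = 2 blocks cmd.exe but still allows logon scripts).
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 2-3. Computer Configuration: "Configure user Group Policy loopback processing mode" = Replace.
#      UserPolicyMode 2 = Replace, 1 = Merge (start with Replace, as the slide recommends).
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Link to the OU that holds the computer objects, not the users' OU
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Verify before step 5: the computer side must carry UserPolicyMode = 2 and the user side the lockdown
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System'
```

If the user settings do not take effect after step 5, run gpresult /h on the kiosk as the logged-on user and check that the GPO shows up under both the computer and the user sections of the report.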
POWERSHELL AND GROUP POLICY
Working with GPOs in PowerShell: What you need
Must have one of:
Windows 7 or better with RSAT (Remote Server Administration Tools)
-or- Server 2008 R2 member server or better with the GPMC (Group Policy Management Console) installed
-or- Server 2008 R2 Domain Controller or better
AND at least PowerShell 2.0 (this comes with Windows 7/Server 2008 R2)
When performing ‘administrative-like’ duties in PowerShell, always right-click and run PowerShell as an administrator.
The more you know…
Starter cmdlets
Get-GPO
Get-GPOReport
Backup-GPO / Restore-GPO
Get-GPResultantSetOfPolicy (like ‘GPResult /h’)
Set-GPLink
Backup your GPO
Backup-GPO -All -Path c:\temp | Out-File c:\temp\gpo-backups.txt
Example of output:
DisplayName : Computer Policy - Test
GpoId : a4bafa8d-a66d-4b08-a433-01e79086e08b
Id : 004c5691-45a3-47f5-a556-77b5fb7d4109
BackupDirectory : c:\temp
CreationTime : 4/28/2015 10:44:26 PM
DomainName : lnrdomain.local
Comment :
The Id from the Backup-GPO cmdlet output (the backup ID, distinct from GpoId) corresponds to the GPO directory names contained in the backup folder.
Restore your GPO
This will restore the specified GPO via the ID back to your domain from the c:\temp path.
A couple things to note:
If you are restoring a GPO that was previously deleted, the restored GPO will NOT retain its original links in AD.
Restoring a GPO will restore the original GPO ID. However, when you run Backup-GPO again against this GPO, a new BackupID will be generated.
Restore-GPO -BackupID 004c5691-45a3-47f5-a556-77b5fb7d4109 -Path c:\temp
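Putting the backup and restore slides together: an added example (not the deck's own code) that backs up every GPO into a dated folder, records the DisplayName/GpoId/BackupId mapping described above, checks that each {BackupId} directory really exists, and looks up the newest BackupId for a GPO name so Restore-GPO can be run without reading the output file by hand. It assumes the GroupPolicy module and c:\temp as the backup root, the path used on the slides.

```powershell
# Added example, not from the original deck: backup all GPOs, verify the backup folders,
# and find the newest BackupId for a given GPO name. Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Backup-AllGpos {
    param([string]$Root = 'c:\temp')
    $dest = Join-Path $Root ('gpo-backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $backups = Backup-GPO -All -Path $dest -Comment "Scripted backup $(Get-Date)"

    # Each backup lives in a folder named {BackupId} under $dest; flag any that are missing
    $report = foreach ($b in $backups) {
        $dir = Join-Path $dest ('{' + $b.Id + '}')
        [pscustomobject]@{
            DisplayName = $b.DisplayName
            GpoId       = $b.GpoId        # stays the same across backups and restores
            BackupId    = $b.Id           # new on every Backup-GPO run
            Created     = $b.CreationTime
            OnDisk      = (Test-Path $dir)
        }
    }
    $report | Export-Csv -Path (Join-Path $dest 'gpo-backups.csv') -NoTypeInformation
    $missing = $report | Where-Object { -not $_.OnDisk }
    if ($missing) { Write-Warning ("Backup folders missing for: " + ($missing.DisplayName -join ', ')) }
    return $report
}

function Get-LatestBackup {
    # Newest backup of one GPO display name across all dated backup folders under $Root
    param([string]$DisplayName, [string]$Root = 'c:\temp')
    Get-ChildItem -Path $Root -Filter 'gpo-backups.csv' -Recurse | ForEach-Object {
        $dir = $_.DirectoryName
        Import-Csv $_.FullName | Where-Object { $_.DisplayName -eq $DisplayName } |
            Select-Object BackupId, Created, @{ n = 'Path'; e = { $dir } }
    } | Sort-Object { [datetime]$_.Created } -Descending | Select-Object -First 1
}

$report = Backup-AllGpos
$report | Format-Table DisplayName, GpoId, BackupId, OnDisk -AutoSize

# Restore the newest copy of one GPO. A restored GPO that had been deleted comes back
# with its original GpoId but without its OU links, so re-link it afterwards.
$latest = Get-LatestBackup -DisplayName 'Computer Policy - Test'
if ($latest) { Restore-GPO -BackupId $latest.BackupId -Path $latest.Path }
```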
Get an output of all your Policy settings
You can use the following PowerShell cmdlet to export the settings for all your domain policies:
Get-GPOReport -All -ReportType Html -Path "c:\temp\gpo-output.html"
This is great for reviewing all GPOs (grab a pot of coffee!), and looks similar to the ‘GPResult.exe’ HTML output.* You can also run this against a single policy:
Get-GPOReport -Name "Computer Policy - Test" -ReportType Html -Path "c:\temp\cp-test.html"
*Note that the RSoP PowerShell cmdlet is Get-GPResultantSetOfPolicy
For more information relating to PowerShell and GPO’s…
Use PowerShell to find more cmdlets relating to Group Policy:
Get-Command -Noun "GP*"
Want to know more about a specific cmdlet? Type the following:
Get-Help Get-GPO #<-- Or whatever cmdlet you want to know about
If you have PowerShell 3.0 or better, you can do this:
Get-Help Get-GPO -ShowWindow