Chapter 9. Group Policy Objects

Introduction

Active Directory Group Policy Objects (GPOs) can customize virtually any aspect of a computer or user’s desktop. They can also be used to install applications, secure a computer, run logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a local computer, site, domain, or organizational unit. This is called scope of management (SOM), because only the users or computers that fall under the scope of the computer, OU, site, or domain will process the GPO. Assigning a GPO to a SOM is referred to as linking the GPO. You can restrict the application of GPOs further by using security groups to filter which users or groups they will apply to or by using inheritance blocking.

You can also use a WMI filter to restrict the application of a GPO. A WMI filter is simply a WMI query that can search against any information on a client’s computer. If the WMI filter returns a true value (i.e., the client computer matches the conditions that are specified in the filter), the GPO will be processed; otherwise, it will not. So not only do you have all of the SOM options for applying GPOs, but also you can use any WMI information available on the client’s computer to determine whether GPOs should be applied. For more on the capabilities of GPOs, we recommend reading Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

Group Policies are defined by a set of files that are replicated to each domain controller in a domain and a groupPolicyContainer (GPC) object that is stored in the cn=Policies,cn=System,<DomainDN> container. GPC objects contain information related to software deployment, wireless deployments, IPSec assignments, and metadata about the version of the GPO. GPC objects are used for linking to OUs, sites, and domains. The guts of GPOs are stored on the filesystem of each domain controller in Group Policy Template (GPT) files and can be found in the %SystemRoot%SYSVOLsysvol<DomainDNSName>Policies directory.

So why are there two storage points for GPOs? The need for the Active Directory object is obvious: to be able to link GPOs to other types of objects, the GPOs need to be represented in Active Directory. Group Policy Templates are stored in the OS filesystem to reduce the amount of data that needs to be replicated within Active Directory.

For legacy Windows computers, each Group Policy Object stores individual copies of Administrative templates (.adm files) in the SYSVOL folder. In an environment containing numerous GPOs, this can add significantly to the amount of data that must be replicated to the SYSVOL share on all domain controllers in a domain. However, since Windows Vista, GPO settings are deployed using a new XML-based .admx format, and administrators have the option to configure a single Central Store to provide a storage instance for all GPOs in a domain.

Furthermore, Windows Server 2008 introduced Group Policy Preferences (GPPs), a new group of GPO settings that can be used to manage configuration items that could not be managed previously (or that could not be managed particularly well) via GPOs, including managing the creation of file shortcuts, ODBC connections, drive mappings, printer connections, and more.

Managing GPOs

While the new capabilities of GPOs were significant when first introduced with Active Directory, the obvious things that were lacking were good tools for managing them. The dual storage nature of GPOs creates a lot of problems. Initially, Microsoft did not provide a scriptable interface for accessing and manipulating GPO settings. Additionally, there were no tools for copying or migrating GPOs from a test environment to production. Back then the primary tool for managing GPOs was the Group Policy Editor (GPE), now known as the Group Policy Management Editor (GPME). The main function of the GPME is to modify GPO settings; it does not provide any other management capabilities.

Microsoft realized these were major issues for Group Policy adoption, so it developed the Group Policy Management Console (GPMC) with the release of Windows Server 2003. The GPMC is an MMC snap-in that provides the kitchen sink of GPO management capabilities: you can create, delete, import, copy, back up, restore, and model GPO processing from a single interface. Perhaps what is even better is the scriptable API that comes with the GPMC. Pretty much every function you can accomplish with the GPMC tool, you can do via a script.

Note

The only major feature that is still lacking is the ability to modify the settings of a GPO directly via command line or script (although there is some ability to modify specific types of settings, improvement is needed). Previously, this could be done with only the GPOE, but there are third-party options that can provide this type of functionality. The GPMC still provides numerous options for migrating GPOs, which addresses the majority of the problems people face today.

In versions prior to Windows Server 2008, GPMC is an out-of-band download that can be obtained from Microsoft. In Windows Server 2008 and later, Group Policy Management is a feature, and it can be installed on Windows client computers as part of the Remote Server Administration Tools (RSAT). Note that throughout the book we use the name “Group Policy Management” instead of GPMC in order to match up with the shortcut and menu names used by Windows.

Another tool that you can download from the Microsoft website is GPInventory. This is an incredibly useful tool that will allow you to perform a software inventory for users and computers in a domain or OU, and to track information about the rollout of GPOs in AD, such as computers that have not applied new GPO information. Additionally, the Group Policy Best Practice Analyzer (GP BPA) is a free download that can help you identify Group Policy configuration errors within your environment.

The majority of solutions presented in this chapter use the Group Policy Management snap-in. Most of the command-line solutions we provide will use one of the scripts provided in the Group Policy Management Console Sample Scripts install available from the Microsoft Download Center. A whole host of precanned scripts have been written already, in a mix of VBScript and JScript, which serve as great command-line tools and good examples to start scripting GPOs. These scripts are available by default in the C:Program Files (x86)Microsoft Group PolicyGPMC Sample Scripts directory on a Windows Server 2012 server that has had the sample scripts installed on it. You can execute them in one of two ways, either by using cscript:

> cscript listallgpos.wsf

or, if you make cscript your default WSH interpreter, by executing the file directly. To make cscript your default interpreter, run this command:

> cscript //H:cscript

Finding the GPOs in a Domain

Problem

You want to find all of the GPOs that have been created in a domain.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container.

  3. Expand the Domains container.

  4. Browse to the desired domain.

  5. Expand the domain and then expand the Group Policy Objects container. All of the GPOs in the domain will be listed under that container.

Using a command-line interface

You can generate a list of all GPOs in a domain using the listastallgpos.wsf script, as well as DSQuery and AdFind:

> listallgpos.wsf [/domain:<DomainDNSName>] [/v]

> dsquery * domainroot -filter (objectcategory=grouppolicycontainer)
-attr displayname

> adfind -default -f (objectcategory=grouppolicycontainer)↵
 displayname

Using PowerShell

To get all of the GPOs in the current domain and return their display name, run the following PowerShell command:

Get-GPO -All | Select DisplayName

Discussion

See Introduction for more on how GPOs are stored in Active Directory.

Using PowerShell

You can obtain the details from a single GPO by replacing -All with the -Name parameter, followed by the friendly name of the GPO, such as Get-GPO -Name "Default Domain Policy".

Creating a GPO

Problem

You want to create a Group Policy Object within Active Directory.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the domain that will contain the new GPO.

  3. Expand the domain and then right-click on the Group Policy Objects container and select New.

  4. Enter the name of the GPO, ensure that the Source Start GPO is set to (none), and then click OK.

Using a command-line interface

> creategpo.wsf <GPOName> [/domain:<DomainDNSName>]

Using PowerShell

To create a GPO called "Marketing GPO" in the current domain, use the following syntax:

New-GPO -Name "Marketing GPO"

If the GPO is successfully created, the cmdlet will output the display name of the GPO, along with the GUID and other information.

Discussion

When you create a GPO through the Group Policy Management snap-in, it is initially empty with no settings or links configured. See Modifying the Settings of a GPO for more on modifying GPO settings, and Creating a GPO Link to an OU for more on creating a link.

Copying a GPO

Problem

You want to copy the properties and settings of one GPO into another GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, expand the domain, and then expand the Group Policy Objects container.

  3. Right-click on the source GPO and select Copy.

  4. Right-click on the Group Policy Objects container and select Paste.

  5. Select whether you want to use the default permissions or to preserve the existing permissions from the GPO being copied, and click OK.

  6. A status window will pop up that will indicate whether the copy was successful. Click OK to close.

  7. Rename the new GPO by right-clicking it in the left pane and selecting Rename.

Using a command-line interface

> copygpo.wsf <SourceGPOName> <TargetGPOName>

Using PowerShell

Copy-GPO -SourceName "<SourceGPOName>" -TargetName "<TargetGPOName>"

Discussion

Prior to the GPMC tool, two of the biggest problems with managing GPOs in large environments were migrating GPOs from one forest to another and copying GPOs from one domain to another within the same forest. It is common to have a test forest where GPOs are initially created, configured, and tested before moving them into production. The problem before GPMC was that once you had the GPO the way you wanted it in the test forest, there was no easy or well-publicized way to move it to the production forest.

With the GPMC and the Group Policy Management snap-in, you can simply copy GPOs between domains. You can also import GPOs, which is similar to a copy operation. A GPO import uses a backup of the source GPO in order to create the new GPO. See Importing Settings into a GPO for more information on importing a GPO.

Some properties of GPOs, such as security group filters, UNC paths, and Restricted Groups, may vary slightly from domain to domain; for example, a logon script that runs from \SERVERAshare in the source domain may need to run on \SERVERBshare in the target domain. In that case, you can use a GPMC migration table to help facilitate the transfer of those types of references to the target domain. For more information on migration tables, see the GPMC help file and Creating a Migration Table.

Using PowerShell

PowerShell has greatly simplified the process of managing GPOs. With PowerShell, you can copy all of the GPOs in one domain to a different domain in a single line of PowerShell.

Deleting a GPO

Problem

You want to delete a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, expand the domain, and then expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Delete.

  4. Click OK to confirm.

Using a command-line interface

> deletegpo.wsf <GPOName> [/domain:<DomainDNSName>]

Note

To retain the links to the deleted GPO, use the /keeplinks switch. Otherwise, all links will be deleted along with the GPO.

Using PowerShell

Remove-GPO -Name "<GPO Friendly Name>" -KeepLinks

Discussion

When you delete a GPO through the Group Policy Management snap-in, it attempts to find all links to the GPO in the domain and will delete them if the user has permissions to delete the links. If the user does not have the necessary permissions to remove the links, the GPO will still get deleted, but the links will remain intact. Any links external to the domain the GPO is in are not automatically deleted. For this reason, it is a good practice to view the links to the GPO before you delete it. Links to deleted GPOs show up as “Not Found” in the Group Policy Management snap-in.

Using PowerShell

To delete a GPO in a remote domain, use the -DomainName switch, followed by the FQDN of the domain.

See Also

Listing the Links for a GPO for viewing the links for a GPO; Remove-GPO cmdlet reference

Viewing the Settings of a GPO

Problem

You want to view the settings that have been defined in a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, expand the domain, and then expand the Group Policy Objects container.

  3. Click on the target GPO.

  4. In the right pane, click on the Settings tab.

  5. Click the Show All link to display all configured settings.

Using a command-line interface

> getreportsforgpo.wsf "<GPOName>" <ReportLocation> [/domain:<DomainDNSName>]

Using PowerShell

Get-GPOReport -Name "<GPO Friendly Name>" -Path <Path With File Name>↵
 -ReportType HTML

Discussion

The Group Policy Management snap-in can generate an XML or HTML report that contains all of the settings in a GPO. See Modifying the Settings of a GPO for more information on how to modify GPO settings.

Using PowerShell

The Get-GPOReport cmdlet can produce output in either HTML or XML format, by using the –ReportType HTML or –ReportType XML switch, respectively.

See Also

Get-GPOReport cmdlet reference

Modifying the Settings of a GPO

Problem

You want to modify the settings associated with a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, expand the domain, and then expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Edit. This will bring up the Group Policy Management Editor.

  4. Browse through the Computer Configuration or User Configuration settings and modify them as necessary.

Using PowerShell

You can modify a registry-based setting in a GPO by using PowerShell. The following example modifies the IE High Sec GPO by disabling the Flash add-in:

Set-GPRegistryValue -Name "IE High Sec" -key "HKLMSoftwarePoliciesMicrosoftInternet Explorer" -ValueName "DisableFlashInIE" -Type String -Value "1"

Discussion

Modifying GPOs has historically been performed from a GUI. Up until the Set-GPRegistryValue cmdlet was introduced, there wasn’t an easy way to modify a GPO from a command-line environment. Note that the Set-GPRegistryValue cmdlet is restricted to registry settings only and thus isn’t as fully featured as the Group Policy Management Editor.

See Also

Copying a GPO for copying a GPO; Viewing the Settings of a GPO for viewing the settings of a GPO; Importing Settings into a GPO for importing settings into a GPO; Set-GPRegistryValue cmdlet reference

Importing Settings into a GPO

Problem

You want to import settings from one GPO to another.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Import Settings.

  4. Click Next.

  5. Click the Backup button if you want to take a backup of the GPO you are importing into.

  6. Click Next.

  7. Select the backup folder location and click Next.

  8. Select the backed-up GPO you want to import from and click Next.

  9. The Import wizard then will scan to see whether there are any security principals or UNC paths in the GPO being imported from. If there are, it will give you an option to modify those settings.

  10. Click Next.

  11. Click Finish.

Using a command-line interface

> importgpo.wsf "<GPOBackupLocation>" "<OrigGPOName>" "<NewGPOName>"

Using PowerShell

Import-GPO -BackupGpoName "<Friendly Name of Source GPO>" -TargetName "<Friendly Name of Target GPO>" -Path "<Path to backed up GPO>"

Discussion

The Group Policy Management import function uses a backup of the source GPO to create the new “imported” GPO. This means you must first back up the source GPO. You can then import the settings from that GPO into a new GPO, which may be in the same domain or in a completely different forest. Importing a GPO is a great way to help facilitate transferring GPO settings from a test environment to production.

Some properties of GPOs, such as security group filters and UNC paths, may vary slightly from domain to domain; a logon script that runs from \SERVERAshare in the source domain may need to run on \SERVERBshare in the target domain, for example. In this case, you can use a migration table to help facilitate the transfer of those kinds of references to the target domain. For more information on migration tables, see Creating a Migration Table.

Using PowerShell

Be aware that the target GPO will be overwritten by the contents of the GPO backup during the import operation.

See Also

Copying a GPO for copying a GPO; Creating a Migration Table; Backing Up a GPO for backing up a GPO; Import-GPO cmdlet reference

Creating a Migration Table

Problem

You want to create a migration table to assist in copying or migrating a GPO from one domain or forest to another.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc). Navigate to the forest and domain containing the GPOs you wish to migrate or copy.

  2. Right-click on the Group Policy Objects node and select Open Migration Table Editor.

  3. You will begin with a blank migration table. To populate the source fields from existing data, click on Tools→Populate from GPO or Tools→Populate from Backup. Select the GPO or the backup that you wish to import. Optionally, place a checkmark next to “During scan, include security principals from the DACL on the GPO.” Click OK.

  4. Modify the Destination Name column of any entries to match their format in the destination forest or domain.

  5. To add a new entry, enter the name of the item in the Source Name column. In the Source Type column, select one of the following:

    • User

    • Computer

    • Domain Local Group

    • Domain Global Group

    • Universal Group

    • UNC Path

    • Free Text or SID

  6. To delete an entry, right-click on the entry and select Delete.

  7. To configure an entry to use the same information as configured in the source GPO, right-click on the entry and select Set Destination→Same As Source.

  8. To configure an entry to use the relative name of the destination, right-click on the entry and select Set Destination→Map by Relative Name. For example, if you have an entry for the [email protected] user in a GPO that you wish to copy to the mycompany.com forest, selecting Map by Relative Name will populate the entry in the destination GPO as [email protected].

  9. To ensure that you have properly formatted all entries in the table, click Tools→Validate Table, then click File→Save or File→Save As to save the migration table.

Using a command-line interface

> createmigrationtable.wsf <DestinationFileName> /GPO:<GPO> /MapByName

Discussion

One of the convenient features of the Group Policy Management snap-in is the ability to copy a GPO’s settings from one GPO to another, or to migrate GPOs between domains or forests. In some cases, certain entries in the GPO may need to be modified to suit the needs of the destination domain or forest. For example, a UNC for user home directories will likely need to be modified to correspond to a server or DFS share in the destination, as well as individual user or group names. To address this need, you can create and populate a migration table to automatically transform the necessary entries on one or more GPOs.

Using a command-line interface

To create a migration table from the command line, use the createmigrationtable.wsf script that is included in the ~GPMC Sample Scripts folder. The script requires two arguments: the destination filename and the GPO that it should be populated from.

As an alternative to the /GPO: switch, you can use /BackupLocation: to populate the migration table from a GPO backup. By default, a migration table that you create using this script will use Same As Source mapping, or you can specify the /MapByName parameter to use relative name mapping.

See Also

Copying a GPO for more on copying a GPO; Importing Settings into a GPO for information on importing settings into a GPO

Creating Custom Group Policy Settings

Problem

You want to deploy settings via Group Policy that are not covered by the default set of GPO templates that come with Active Directory.

Solution

Windows comes preloaded with a number of default templates that define a number of settings that can be controlled via GPO. To control and deploy settings for additional or third-party applications, you’ll need to create your own custom ADM or ADMX file to manage the settings you require. You’ll create this file in Notepad or another simple text editor, and save it as <FileName>.adm or <FileName>.admx. For example, the following ADMX file will add a new search provider to Internet Explorer using a customized ADMX file:

<?xml version="1.0" encoding="utf-8"?> <policyDefinitions
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0"
  schemaVersion="1.0"
xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="search" namespace="Microsoft.Policies.search" />
    <using prefix="inetres" namespace="Microsoft.Policies.InternetExplorer" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="PopulateSearchProviderList_1" class="User"
      displayName="$(string.PopulateSearchProviderList)"
      explainText="$(string.IE_Explain_PopulateSearchProviderList)"
      key="SoftwarePoliciesMicrosoftInternet ExplorerSearchScopes">
      <parentCategory ref="inetres:InternetExplorer" />
      <supportedOn ref="inetres:SUPPORTED_IE7Vista"/>
      <enabledList>
        <item key="SoftwarePoliciesMicrosoftInternet ExplorerSearchScopes"
          valueName="Version">
          <value>
            <decimal value="VERSION" />
          </value>
        </item>
        <item key="SoftwarePoliciesMicrosoftInternet
          ExplorerSearchScopesSUBKEY1" valueName="DisplayName">
          <value>
            <string>NAME1</string>
          </value>
        </item>
        <item key=" SoftwarePoliciesMicrosoftInternet
          ExplorerSearchScopesSUBKEY1" valueName="URL">
          <value>
            <string>URL1</string>
          </value>
        </item>
      </enabledList>
    </policy>
    <policy name="PopulateSearchProviderList_2" class="Machine"
      displayName="$(string.PopulateSearchProviderList)"
      explainText="$(string.IE_Explain_PopulateSearchProviderList)"
      key="SoftwarePoliciesMicrosoftInternet ExplorerSearchScopes">
      <parentCategory ref="inetres:InternetExplorer" />
      <enabledList> Insert same as user policy above </enabledList>
    </policy>
  </policies>
</policyDefinitions>

In addition to the ADMX file, you will need to create an ADML file using a format similar to the following:

<?xml version="1.0" encoding="utf-8"?>
  <policyDefinitionResources xmlns:xsd=http://www.w3.org/2001/XMLSchema
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0"
schemaVersion="1.0"
    xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
    <displayName>enter display name here</displayName>
    <description>enter description here</description>
    <resources>
      <stringTable>
        <string id="PopulateSearchProviderList">Populate List of search
providers</string>
        <string id="IE_Explain_PopulateSearchProviderList">
This policy setting will allow you to populate a list of search providers that 
will be displayed in Internet Explorer's search box. If you enable this policy 
setting and if the "Restrict search providers to a specific list of search
providers" Group Policy setting is enabled, this list will be the only list 
that appears in the Internet Explorer drop-down list. If the "Add a specific 
list of search providers to the user's search provider list" Group Policy 
setting is enabled, this list will be added to the user's list of search 
providers. If you disable this policy setting or do not configure it, 
users will have complete freedom to create their own search provider list.
</string>
      </stringTable>
    </resources>
  </policyDefinitionResources>

Discussion

When you create a custom ADMX file, save it to the %windir%policydefinitions folder; the ADML file will be saved in the %windir%policydefinitions<Definition Language> folder. After saving the files, you can edit a GPO to use the new settings. The templates will automatically populate in the Administrative Templates section of the GPO.

Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

Problem

You want to assign either user logon/logoff scripts or computer startup/shutdown scripts in a GPO.

Solution

Using a graphical user interface (steps specific to Windows Server 2008 and later)

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Edit. This will bring up the Group Policy Management Editor.

  4. Browse to Computer Configuration→Policies→Windows Settings→Scripts. If you want to assign a user logon or logoff script, browse to User Configuration→Policies→Windows Settings→Scripts.

  5. In the right pane, double-click on the type of script you want to add.

  6. Click the Add button.

  7. Select the script by typing its name or browsing to its location.

  8. Optionally, type any script parameters in the Script Parameters field.

  9. Click OK twice.

Discussion

When you assign a script in a GPO, you can reference a script that either is stored locally on the domain controller somewhere under the SYSVOL share or is stored in a UNC path to a remote fileserver. The default storage location is in the <DomainName>SYSVOL<DomainName>scripts folder—for example, \adatum.comsysvoladatum.comscripts.

Installing Applications with a GPO

Problem

You want to install an application on a group of computers using a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Edit. This will bring up the Group Policy Management Editor.

  4. Expand Software Settings under Computer Configuration or User Configuration, depending on which you want to target the installation for.

  5. Right-click on Software Installation and select New→Package.

  6. Browse to the network share that has the MSI package for the application and click OK. Be sure to specify a UNC path such as \servernameshareinstaller.msi. If you enter a local file path on the DC, such as c:packagespro.msi, the client will not be able to access the installer.

  7. Select whether you want to assign the application or publish it, and click OK. You can also click Advanced to define further how you want to deploy the software installation package.

Discussion

Installing applications with a GPO is a powerful feature, but you must be careful about the impact it can have on your network throughput and clients. If the MSI package you are installing is large in size, it will take a while for it to download to the client computer. This can result in sluggish performance on the client, especially over a heavily utilized connection. (Software installation does not occur over slow links, by default.) You’ll also want to make sure you’ve thoroughly tested the application before deployment. After you’ve configured the GPO to install an application, it will be only a short period of time before it has been installed on all targeted clients. If there is a bug in the application or the installer program is faulty, the impact could be severe to your user base and support staff alike.

Your two options for deploying an application are to assign it or to publish it. If you assign an application using the “deploy at logon” option, it will be installed automatically on the targeted clients when users log on to those machines. If you publish an application or assign it without choosing this option, it will be installed the first time a user double-clicks on a shortcut to the application or attempts to open a file that requires the application. A published application also can be installed manually from the Programs and Features applet in the Control Panel on the target computers. You can assign an application to both user and computer objects, but you can publish applications only to users.

Note

If you need to exert more granular control over your software installations than is enabled by Group Policy, you should investigate leveraging the additional capabilities of dedicated deployment software such as Microsoft’s System Center Configuration Manager (ConfigMgr).

Disabling the User or Computer Settings in a GPO

Problem

You want to disable either the user or the computer settings of a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select GPO Status.

  4. You can select User Configuration Settings Disabled to disable the user settings, Computer Configuration Settings Disabled to disable the computer settings, or All Settings Disabled to disable both user and computer settings.

Using PowerShell

$gpm = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
$objDomain = $gpm.GetDomain("<Domain FQDN>", "", $gpmConstants.UseAnyDC)
$objGpo = $objDomain.GetGPO("{<GPO GUID>}")
$objGpo.SetComputerEnabled($true)
$objGpo.SetUserEnabled($false)

Discussion

GPOs consist of two parts, a user section and a computer section. The user section contains settings that are specific to a user that logs in to a computer, while the computer section defines settings that apply to the computer regardless of which user logs in. You can enable or disable either the user configuration or the computer configuration section of a GPO, or both. By disabling both, you effectively disable the GPO. This can be useful if you want to stop a GPO from applying settings to clients, but you do not want to delete it, remove the links, or clear the settings.

Disabling the user configuration or the computer configuration is useful in environments that have separate OUs for computers and users. Typically, you would disable the computer configuration for GPOs linked to the users’ OU, and vice versa. Disabling half of the GPO in this way makes GPO processing a tiny bit more efficient but likely will have almost no impact on overall performance.

Using PowerShell

Although 26 cmdlets are dedicated to managing Group Policy, none of them can be used to enable or disable computer or user settings. Instead, we utilize a COM object in PowerShell.

See Also

“Group Policy Cmdlets in Windows PowerShell”; MSDN: GPMGPO.SetUserEnabled; MSDN: GPMGPO.SetComputerEnabled

Listing the Links for a GPO

Problem

You want to list all of the links for a particular GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the Group Policy Objects container.

  3. Click on the GPO you want to view the links for.

    In the right pane, the defined links for the GPO will be listed under the Scope tab.

Using a command-line interface

> dumpgpoinfo.wsf "<GPOName>"

Using PowerShell

Get-ADOrganizationalUnit -Filter * -Properties * | Where {$_.gPLink -match "<GPO GUID>"} | Select Name

Discussion

See Introduction for more information on GPO linking.

Using PowerShell

The built-in PowerShell cmdlets are not useful for retrieving links. Instead, we rely on searching the other direction: the OUs themselves. In the PowerShell solution, we get all of the OUs in the current domain and then filter them for any that have the specified GPO GUID stored in the gpLink attribute. This indicates that the GPO is linked to the OU. Finally, we select only the name of the OUs.

See Also

Introduction; Creating a GPO Link to an OU for creating a GPO link to an OU

Creating a GPO Link to an OU

Problem

You want to apply the GPO settings to the users and/or computers in an OU. This is called linking a GPO to an OU.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, and expand the target domain.

  3. Right-click on the OU you want to link and select Link an Existing GPO.

  4. Select from the list of available GPOs and click OK.

Using PowerShell

New-GPLink -Name "<GPO Display Name>" -Target "<Container DN>"

Discussion

Linking a GPO is the process whereby you assign a scope of management (SOM), which can be an OU, site, or domain. The solutions show how to link a GPO to an OU, but they easily could be modified to link to a site or domain.

See Linking a GPO to an OU for details on how to link an OU by modifying the gpLink attribute, instead of using the Group Policy Management interface.

Using PowerShell

During the creation of the new link, you can also specify the link order by using the –Order <Number> parameter.

See Also

New-GPLink cmdlet reference; MSDN: GPM-SOM.CreateGPOLink

Blocking Inheritance of GPOs on an OU

Problem

You want to block inheritance of GPOs on an OU.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, and expand the target domain.

  3. Right-click on the OU you want to block inheritance for and select Block Inheritance.

Using PowerShell

Below are two ways to block inheritance by using PowerShell. The first example uses one of the cmdlets from the Group Policy module, whereas the other relies on a COM object.

Set-GPInheritance -Target "<OU DN>" -IsBlocked Yes

$gpm = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
$objDomain = $gpm.GetDomain("<Domain FQDN>", "", $gpmConstants.UseAnyDC)
$objOU = $objDomain.GetSOM("<OU DN>")
$objOU.GPOInheritanceBlocked = $true

Discussion

By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects within the child OUs. Sometimes that may not be what you want, and you can disable inheritance as described in the solutions.

Try to avoid blocking inheritance when possible because it can make determining what settings should be applied to a user or computer difficult. If someone sees that a GPO is applied at a top-level OU, he may think it applies to any object under it. Using the Resultant Set of Policies (RSoP) snap-in can help identify what settings are applied to a user or computer (see Simulating the RSoP).

See Also

Simulating the RSoP; Set-GPInheritance cmdlet reference; MSDN: GPMSOM; MSDN: GPOInheritanceBlocked; MSDN: GPMDomain.GetSOM

Enforcing the Settings of a GPO Link

Problem

You want to ensure that a GPO’s settings are enforced regardless of any Block Inheritance settings that have been enforced farther down the scope of management.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the target GPO, and expand the container containing the link you want to enforce.

  3. Right-click on the link you want to configure and place a checkmark next to Enforced. To remove the Enforced setting, right-click on the link and remove the checkmark.

Using PowerShell

Set-GPLink -Guid "<GPOGUID>" -Target "<SiteName>" -Enforced Yes

Discussion

As a counterpoint to the ability to block inheritance of a GPO for a particular site, domain, or OU, an administrator can configure a particular GPO link as Enforced, meaning that the settings contained in that GPO will be configured for that SOM regardless of the presence of any Block Inheritance configuration. This is useful in a decentralized environment, for example, where a central IT department has configured a certain Group Policy baseline that it wishes to enforce regardless of what individual departments may have configured on their own. Just like security filtering and Block Inheritance, though, we recommend that you use this function sparingly, as it can create complex troubleshooting issues when trying to determine where and how the Group Policy application is failing.

Note

Remember that the Enforced setting is configured against a particular link to a GPO, not against the GPO itself. This means that one GPO can be linked to several locations, but not all of those links need to be enforced.

See Also

Blocking Inheritance of GPOs on an OU; Set-GPLink cmdlet reference; MSDN:IGPMSearchCriteria; MSDN:GPMC Object Model

Applying a Security Filter to a GPO

Problem

You want to configure a GPO so that it applies only to members of a particular security group.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the target domain, and expand the Group Policy Objects container.

  3. Click on the GPO you want to modify.

  4. In the right pane under Security Filtering, click the Add button.

  5. Use the Object Picker to select a group and click OK.

  6. Highlight Authenticated Users and click the Remove button.

  7. Click OK to confirm.

Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply
> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

Using PowerShell

Set-GPPermission -Name <GPO Display Name> -TargetName "<Group Name>" -TargetType Group -PermissionLevel GpoApply"

Discussion

You can use security filtering to restrict the users, groups, or computers that a GPO applies to by granting or denying the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to be applied only to members of one specific group.

As a rule, you should avoid using Deny permissions as part of any custom security filter, because this can lead to confusion with accounts that are members of groups with conflicting filter settings. For example, if a user is a member of a group that has Deny set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot, particularly if nested group memberships are involved.

Warning

Be very careful when changing permissions on GPOs. If you create a very restricted GPO and apply a security filter to it, also be sure to put tight controls on who can modify the GPO and how. If for some reason that security filter were removed (resulting in no security filters), the restrictive GPO could be applied to every user or computer in the domain.

Using PowerShell

The Set-GPPermission cmdlet allows you to apply one of the following preconfigured permissions:

  • GpoRead

  • GpoApply

  • GpoEdit

  • GpoEditDeleteModifySecurity

  • None

See Also

Set-GPPermission cmdlet reference;MSDN: GPM.CreatePermission; MSDN: GPMGPO.GetSecurityInfo

Delegating Administration of GPOs

Problem

You want to delegate permissions on GPOs and related tasks within Active Directory.

Solution

Using a graphical user interface

To delegate the ability to create GPOs, do the following:

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. Navigate to the Group Policy Objects node and click on the Delegation tab.

  3. To add permissions for a new user or group to create GPOs, click Add. Use the object picker to select the object you want and click OK.

To delegate permissions on a particular GPO, follow these steps:

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. Navigate to the GPO that you want to delegate permissions for and click on the Delegation tab.

  3. To add permissions for a new user or group, click Add. Use the object picker to select the object you want and click OK.

  4. In the Permissions drop-down box, select “Read”, “Edit settings,” or “Edit settings, delete, and modify security,” then click OK.

To delegate Group Policy−related tasks on a particular site, domain, or OU, do the following:

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. Navigate to the site, domain, or OU that you want to delegate permissions for and click on the Delegation tab.

  3. In the Permission drop down, select “Link GPOs,” “Perform Group Policy Modeling analyses,” or “Read Group Policy Results data.”

  4. To add permissions for a new user or group, click Add. Use the object picker to select the object you want and click OK.

  5. In the Permissions drop-down box, select “This container only” or “This container and all child containers”; then click OK.

Discussion

In addition to using Active Directory users and groups to control how GPOs are applied within a site, domain, or OU, you can also use ACLs to delegate permissions over GPOs to allow you to decentralize the administration of them in your organization.

You can delegate the ability to do the following:

  • Create GPOs

  • Manage the settings of an individual GPO

  • Link GPOs to a site, domain, or OU

  • Create WMI filters

  • Manage an individual WMI filter

While the ability to delegate administration in this manner is quite simple to implement, it’s critical that you fully understand the security implications that it carries. For example, the ability to link GPOs to an entire site or domain should be granted only to highly trusted administrators as it can have far-reaching implications for the performance and behavior of your network.

See Also

MS KB 250842 (Troubleshooting Group Policy Application Problems); Applying a Security Filter to a GPO for more on using security filtering to control GPO behavior

Importing a Security Template

Problem

You want to import a security template into a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the GPO you want to target, and expand the Group Policy Objects container.

  3. Right-click on the target GPO and select Edit.

  4. Navigate to Computer Configuration→Policies→Windows Settings.

  5. Right-click on Security Settings and select Import Policy.

  6. Browse to the template you want to import and click Open.

Discussion

Rather than manually configuring the plethora of security settings available in Windows, you can use a template. Windows 2003 shipped with several templates, including templates for high-security workstations and high-security domain controllers. However, Windows 2008 and later have scaled back the number of default templates and now only include three templates: a default base template, a default domain controller template, and a default member server template. Each template is useful in a scenario where you need to reset security settings back to the default state.

Creating a WMI Filter

Problem

You want to create a WMI filter.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the target domain, and click the WMI Filters container.

  3. Right-click on the WMI Filters container and select New.

  4. Enter a name and description for the filter.

  5. Click the Add button.

  6. Select the appropriate namespace, enter a WQL query, and click OK.

  7. Repeat steps 5 and 6 for as many queries as you need to add.

  8. Click the Save button.

Discussion

WMI filters provide another way to filter how GPOs are applied to clients. WMI filters live in Active Directory as objects under the WMIPolicy container within the System container for a domain. A WMI filter consists of a WMI Query Language (WQL) query that, when linked to a GPO, will be run against all clients that the GPO applies to. If the WQL returns a true value (i.e., it returns nonempty results from the WQL query), the GPO will continue to process. If the WQL query returns false (nothing is returned from the query), the GPO will not be processed.

The great thing about WMI filters is that the vast amount of information that is available in WMI on a client becomes available to filter GPOs. You can query against CPU, memory, disk space, hotfixes installed, service packs installed, applications installed, running processes—the list goes on and on.

For example, creating a GPO that applies only to computers that are running a specific version of Windows would have been really difficult to accomplish without a WMI filter. Either you would have had to create a security group that contained all of those computers as members (and apply a security filter) or you would have had to move all of those workstations to a particular OU. With a WMI filter, this becomes trivial to create. Bear in mind, however, that there is client performance overhead associated with WMI queries, as each computer will need to process the WMI query to determine whether a particular GPO should or should not be applied. Here is a sample WQL query that would return true when run on a Windows Server 2012 Datacenter server:

select * from Win32_OperatingSystem↵
where Caption = "Microsoft Windows Server 2012 Datacenter"

The introduction of Group Policy Preferences created significant new options in terms of how GPOs can be targeted and filtered. Prior to the introduction of Group Policy Preferences, you were limited to filtering using only WMI filters to control whether the entire GPO is applied. With WMI filters, you cannot specify individual settings within a GPO. Group Policy Preferences, on the other hand, support item-level targeting, where individual settings can be targeted based on criteria such as IP address, whether that machine is a laptop or desktop, security group membership, and so on.

See Also

Applying a WMI Filter to a GPO for applying a WMI filter to a GPO; MSDN: Querying with WQL

Applying a WMI Filter to a GPO

Problem

You want to apply a WMI filter to a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the GPO you want to target, and expand the Group Policy Objects container.

  3. Click on the target GPO.

  4. At the bottom of the right pane, on the Scope tab, select a WMI filter from the list of WMI filters.

  5. After you’ve selected the WMI filter, click Yes to change the filter.

Discussion

You can link only one WMI filter to a GPO at any time. This is not an overly restrictive limitation, though, because you still can link more than one GPO to a site, domain, or OU. If you need multiple WMI filters to apply to a GPO, copy the GPO and apply a different WMI filter to it. See Creating a WMI Filter for more information on WMI filters.

Note

Keep in mind that requiring your clients to process multiple WMI filters will have an impact on their performance at logon time and during the GPO background refresh process.

Configuring Loopback Processing for a GPO

Problem

You want to configure a GPO to use loopback processing that will enforce consistent computer settings regardless of which user logs on to a computer.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. Navigate to the GPO that you want to configure. Right-click on the GPO and select Edit Settings.

  3. Navigate to Computer Configuration→Policies→Administrative→Templates System→Group Policy. Double-click on “Configure user Group Policy loopback processing mode”. Select the radio button next to Enabled.

  4. In the Mode drop-down box, select either Merge or Replace. (See this recipe’s for more information on these two options.)

  5. Click OK.

Discussion

GPOs are applied to user/computer combinations on an Active Directory network based on the site, domain, and OU that the user and computer objects belong to. If the user and computer are located in two separate locations, the user will receive the GPOs that apply to the user’s container combined with those that apply to the computer’s container. However, there may be cases where you want a user to receive GPOs based solely on the location of the computer objects. In this case, you will enable loopback processing in one of two modes:

Merge mode

In this mode, any GPOs that are associated with the user will be applied first. The GPOs associated with the computer object will be applied after the GPOs associated with the user object, thereby giving them a higher precedence than the user GPOs. In this case, the user will still receive any GPO settings associated with her user object, but settings configured for the computer will override in the case of any conflicts.

Replace mode

In this mode, only the list of GPOs that apply to the computer object will be applied.

See Also

MS KB 231287 (Loopback Processing of Group Policy)

Backing Up a GPO

Problem

You want to back up a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the GPO you want to back up, and expand the Group Policy Objects container.

  3. Right-click on the GPO you want to back up and select Back Up.

  4. For Location, enter the folder path to store the backup files.

  5. For Description, enter a descriptive name for the backup.

  6. Click the Back Up button.

  7. You will see a progress bar and status message that indicates whether the backup was successful.

  8. Click OK to exit.

Using a command-line interface

> backupgpo.wsf "<GPOName>" "<BackupFolder>" /comment:"<BackupComment>"

Using PowerShell

Backup-Gpo -Name <GPO Display Name> -Path <Path to Backup Folder> -Comment "<Backup Description>"

Discussion

The Group Policy Management snap-in and the Backup-Gpo cmdlet both provide a way to back up individual (or all) GPOs. A GPO backup consists of a set of folders and files that catalog the GPO settings, filters, and links, and is created in the backup location you specify. You can back up a GPO to a local drive or over the network to a fileserver. Restoring a GPO is just as easy and is described in Restoring a GPO.

In legacy versions of Windows, the only way to back up GPOs was by backing up the System State on a domain controller. The System State includes Active Directory and the SYSVOL share (both components are needed to completely back up a GPO). To restore a GPO using this method, you’d have to boot into DS Restore mode and perform an authoritative restore of the GPO(s) you were interested in. Needless to say, the methods are significantly easier now.

A good practice is to back up your GPO backups. Since all the backup information is captured in a series of files, you can back up that information to media, which provides two levels of restore capability. You could restore the last backup taken, which could be stored on a domain controller or fileserver, or you could go to tape and restore a previous version.

In the folder you specify to store the GPO backups is a list of folders that have GUIDs for names. This does not make it very easy to distinguish which backups are for which GPOs. A quick way to find that out is to use the querybackuplocation.wsf script. This will list each folder GUID name and the corresponding GPO it is for:

> querybackuplocation.wsf "c:gpmc backups"

Using PowerShell

The -Path switch allows you to back up GPOs to either a local file location such as C:GPOBackups or a remote UNC path such as \SERVER1GPOBackups.

See Also

Restoring a GPO for restoring a GPO; Backup-GPO cmdlet reference; and MSDN: GPMGPO.Backup

Restoring a GPO

Problem

You want to restore a GPO.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, expand the Forest container, expand the Domains container, expand the domain of the GPO you want to restore, and expand the Group Policy Objects container.

  3. Right-click on the GPO you want to restore and select Restore from Backup.

  4. Click Next.

  5. Select the backup folder location and click Next.

  6. Select the backup you want to restore and click Next.

  7. Click Finish.

  8. You will see the restore status window. After it completes, click OK to close the window.

Using a command-line interface

> restoregpo.wsf "<BackupFolder>" "<GPOName>"

Using PowerShell

Restore-GPO -Name "<GPO Display Name>" -Path <Backup Location>

Discussion

To restore a GPO using the Group Policy Management snap-in, you first need a valid backup of the GPO. The procedure for backing up a GPO is described in Backing Up a GPO. You can then restore the GPO, even if the GPO has been deleted. To restore a deleted GPO, use the following steps:

  1. Right-click on the Group Policy Objects container in the target domain and select Manage Backups.

  2. Highlight the GPO you want to restore and click the Restore button.

  3. Click Yes to confirm.

  4. Click OK after the restore completes.

If you don’t have a valid backup of the GPO, but you do have another GPO that is identical or similar to the one you want to restore (perhaps in another forest), you can copy that GPO to replace the one you want to restore.

Keep in mind that restoring a GPO does not restore the links that were associated with that GPO, since the gpLink attribute is configured on the container that the GPO was linked to and not the container itself. See Copying a GPO for more on copying GPOs.

See Also

Copying a GPO for copying a GPO; Backing Up a GPO for backing up a GPO; Restore-GPO cmdlet reference; MSDN: GPMDomain.RestoreGPO

Simulating the RSoP

Problem

You want to simulate the Resultant Set of Policies (RSoP) based on OU, site, and security group membership. This is also referred to as Group Policy Modeling.

Solution

Using a graphical user interface

  1. Open the Group Policy Management snap-in (gpmc.msc).

  2. In the left pane, right-click Group Policy Modeling and select Group Policy Modeling Wizard.

  3. Click Next.

  4. Select a domain controller to process the query and click Next.

  5. Under User Information and/or Computer Information, either select the container you want to simulate to contain the user or computer, or select a specific user or computer account, and click Next.

  6. Select a site if necessary, and specify whether you wish to simulate a slow network connection or loopback processing, and then click Next.

  7. If you selected a target user container or user account in step 5, you will be presented with an option to simulate different group membership. Click Next when you are done.

  8. If you selected a target computer container or computer account in step 5, you will be presented with an option to simulate different group membership. Click Next when you are done.

  9. If you selected a target user container or user account in step 5, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.

  10. If you selected a target computer container or computer account in step 5, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.

  11. Click Next to start the simulation.

  12. Click Finish.

  13. In the right pane of the Group Policy Management snap-in window, the results of the simulation will be displayed.

Discussion

You can simulate the RSoP based on user-defined OU, site, group, and domain membership. This is very powerful because it allows you to create one or more GPOs, simulate them being applied to a user and computer, and determine whether any changes are necessary before deployment.

See Also

Viewing the RSoP for viewing the RSoP

Viewing the RSoP

Problem

You want to view the actual RSoP for a user and computer. This is a great tool for determining whether policies are being applied correctly on a client.

Solution

Using a command-line interface

To display summary RSoP data to the screen, use the following command:

> gpresult /R

To generate an RSoP in HTML format, use the following command:

> gpresult /H RSoP.htm

You can specify a /S option and the name of a computer to target, which allows you to run the command remotely. For a complete list of options with either version, run gpresult /? from a command line.

Discussion

If you implement more than a few GPOs, it can get confusing as to what settings will apply to users. To address this problem, you can query the resultant set of policies on a client to determine which settings have been applied.

The registry on the target computer is another source of information. You can view the list of policies that were applied to the computer by viewing the subkeys under this key:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistory

The settings that were applied are not stored in the registry, but you can obtain the GPO name, distinguished name, SYSVOL location, version, and where the GPO is linked.

Finally, you can also rely on the Windows Event Logs for troubleshooting. Since Windows Vista, the logs have been improved greatly and now include a Group Policy operational log. Additionally, the source name for events now uses “Group Policy,” which makes it easier to track down Group Policy events.

See Also

Simulating the RSoP for simulating the RSoP

Refreshing GPO Settings on a Computer

Problem

You’ve made some changes to a GPO and want to apply them to a computer by refreshing the group policies for the computer.

Solution

Using a command-line interface

On a Windows XP or later computer, use this command:

> gpupdate [/target:{Computer | User}]

Using PowerShell

Invoke-GPUpdate -Computer "<Machine FQDN>"

Discussion

By default, Group Policy settings will refresh automatically every five minutes on a domain controller and every 90 minutes (with an additional random offset between zero and 30 minutes) on clients and member servers. To force GPO settings to refresh sooner than that, you will need to run the gpupdate utility on the client computer. With gpupdate, you can force all settings to be applied with the /force option (the default is only changed settings). You can apply the computer or user settings of GPOs using the /target option, and you can force a logoff or reboot after the settings have been applied using the /logoff or /boot option. Windows Server 2012 introduced a remote Group Policy update feature built into the Group Policy Management snap-in. (Right-click on an OU and you can force a Group Policy update on all computers in the OU.)

Using PowerShell

The Invoke-GPUpdate cmdlet includes a number of optional switches that map to the gpupdate.exe command-line option, including -Computer, -User, -Force, -Logoff, -Boot, and -Sync.

See Also

Invoke-GPUpdate cmdlet reference

Restoring a Default GPO

Problem

You’ve made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now you want to reset them to their original configuration.

Solution

Using a command-line interface

The following command will replace both the Default Domain Security Policy and the Default Domain Controller Security Policy on a domain controller. You can specify Domain or DC instead of Both, to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

Discussion

If you’ve made changes to the default GPOs in the Windows Server 2003 or later version of Active Directory and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (DC1) that extends the schema but the changes have not yet replicated to a second domain controller (DC2). If you try to run dcgpofix from DC2, you will receive the error since a new version of the schema and the dcgpofix utility were installed on DC1. Note that this tool isn’t a panacea. It doesn’t always return permissions to the exact state after the domain controller promotion process. Because of this, backups of Group Policy should be relied on first.

Creating a Fine-Grained Password Policy

Problem

You want to create a Fine-Grained Password Policy (FGPP).

Solution

Using a graphical user interface (steps specific to Windows 7, Windows 8, and Windows Server 2012)

  1. Open Active Directory Administrative Center.

  2. At the top of the left pane, click the tree view icon.

  3. Browse to the desired domain and then expand the domain, expand System, and then highlight the Password Settings container.

  4. Right-click the Password Settings container in the left pane, click New, and then click Password Settings.

  5. Type in a name for the settings, enter a precedence value, and then fill in the desired password settings. Note that settings with a red asterisk are mandatory.

  6. In the Directly Applies To section near the bottom, click the Add button to specify users or groups to apply the password settings to.

  7. When finished, click OK to save the settings and apply the settings to the specified users or groups.

Using PowerShell

Fine-Grained Password Policy objects can also be created in PowerShell, as follows:

New-ADFineGrainedPasswordPolicy -Name "HighSec2" -Precedence 1 -ComplexityEnabled $true -Description "High Security Password Policy" -DisplayName "Domain Users PSO" -PasswordHistoryCount "12" -MinPasswordLength "15" -MinPasswordAge "1" -MaxPasswordAge "180" -LockoutDuration "30" -LockoutObservationWindow "1" -LockoutThreshold "999"

Discussion

Prior to Windows Server 2008, only one password and account lockout policy functioned per domain (note that we are only talking about domain user accounts); this has been updated since Windows Server 2008 once you reach the Windows Server 2008 domain functional level. Fine-Grained Password Policies are controlled by creating one or more msDS-PasswordSettingsObjects, or PSOs for short, in the cn=Password Settings Container,cn=System,cn=<Domain DN> container. Each PSO can apply to one or more user or group objects, and each is assigned a precedence that will allow Active Directory to determine which PSO to enforce if more than one can apply to a particular user.

Editing a Fine-Grained Password Policy

Problem

You want to modify a Fine-Grained Password Policy.

Solution

Using a graphical user interface

  1. Open Active Directory Administrative Center.

  2. At the top of the left pane, click the tree view icon.

  3. Browse to the desired domain, expand the domain, expand System, and then highlight the Password Settings container.

  4. In the right pane, right-click on the desired policy and then click Properties.

  5. Update the desired settings and click OK to save the new settings.

Using a command-line interface

The following command renames a PasswordSettingsObject:

psomgr -rename newname -pso oldname -forreal

The following modifies a PSO’s maximum password age to 60 days:

psomgr -mod -pso TestPSO -pwdlen 60 -forreal

The following adds the Marketing group to the list of groups that a PSO will apply to:

psomgr -applyto cn=Marketing,cn=Users,dc=ADATUM,dc=COM -pso TestPSO -forreal

The following removes the Marketing group from the list of groups that a PSO will apply to:

psomgr -unapplyto cn=Marketing,cn=Users,dc=ADATUM,dc=COM -pso TestPSO -forreal

Note

You can also use the DomainsAMAccountName syntax instead of a distinguished name.

Using PowerShell

The following modifies a PSO’s maximum password length:

Set-ADFineGrainedPasswordPolicy -Identity "<PSO Name>" -MinPasswordLength 20

To rename a PSO, use the following syntax:

Set-ADFineGrainedPasswordPolicy -Identity "<PSO Name>" -DisplayName "HighSec2"

Discussion

Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the PasswordSettingsObject is an Active Directory object class, these modifications can be made using any interface that can modify objects.

When working from the command line, the psomgr tool allows you to modify one or multiple PSOs at a time, and can also create “starter” PSOs using the psomgr -quickstart -forreal syntax. The -quickstart switch creates a PSO that replicates the domain-linked password policy, as well as the following two PSOs:

cn=pwd_policy_admin

Creates a PSO with a minimum password length of 15, with passwords that expire every 35 days and that are subject to a 30-minute lockout after 25 bad-password attempts

cn=pwd_policy_serviceid

Creates a PSO with a minimum length of 15, with passwords that expire every 364 days and that are not subject to account lockout

The full syntax for psomgr.exe can be obtained by typing psomgr.exe /? at a command prompt, or by visiting the joeware website.

Viewing the Effective PSO for a User

Problem

You want to determine which PSO is in effect for a particular user.

Solution

Using a graphical user interface

  1. Open Active Directory Users and Computers. Click on View and confirm that there is a checkmark next to Advanced Features.

  2. Browse to the user or group in question; right-click on the object and click Properties.

  3. Click on the Attribute Editor tab. Click Filter and confirm that there is a checkmark next to “Show read-only attributes: Constructed and Backlinks”.

  4. Scroll to msDS-PSOApplied.

  5. Click OK.

Using a command-line interface

psomgr.exe -effective <User DN>

Using PowerShell

Get-ADUser -Identity "<UserDN>" -Properties msDS-ResultantPSO | FL Name, msDS-ResultantPSO

Discussion

Within a Windows Server 2008 or later domain, each user object contains a constructed backlink attribute called msDS-ResultantPSO that indicates which PasswordSettingsObject is in effect for that user. The precedence rules for PasswordSettingsObjects are as follows:

  1. If a PSO has been applied directly to the user object, it will take precedence. If multiple PSOs have been applied to a single user, the following tiebreakers will be used:

    • A PSO with a lower-numbered Precedence attribute (e.g., 5) will be applied over a higher-numbered one (e.g., 50).

    • If multiple PSOs have been configured with the same Precedence attribute, the PSO with the lowest GUID will take final precedence.

  2. If no PSOs have been applied directly to the user, any PSO that has been applied to a group that the user is a member of, whether directly or indirectly, will be applied. The same tiebreakers will be used here as in rule 1.

  3. If no PSOs have been applied to the user or any groups that the user is a member of, the default domain PSO will be applied.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.226.164.216