Chapter 6. Automating administrative tasks, policies, and procedures

Performing routine tasks day after day, running around policing systems, and walking users through the basics aren’t efficient uses of your time. You’d be much more effective if you could automate these chores and focus on issues that are more important. Support services are all about increasing productivity and allowing you to focus less on mundane matters and more on what’s important.

Windows Server 2012 R2 includes many roles, role services, and features that help you support server installations. You can easily install and use some of these components. If you need an administrative tool to manage a role or feature on a remote computer, you can select the tool to install as part of the Remote Server Administration Tools (RSAT) feature. If a server has a wireless adapter, you can install the Wireless LAN Service feature to enable wireless connections. Beyond these and other basic support components, you can use many other support features, including the following:

  • Automatic Updates. Ensures that the operating system is up to date and has the most recent security updates. If you update a server by using Microsoft Update instead of the standard Windows Update, you also get updates for other Microsoft products installed on the server. By default, Automatic Updates is installed but not enabled on servers running Windows Server 2012 R2. You can configure Automatic Updates by using the Windows Update utility in Control Panel. In Control Panel\System And Security, under Windows Update, tap or click Turn Automatic Updating On Or Off.

  • BitLocker Drive Encryption. Provides an extra layer of security for a server’s hard disks by protecting the data on them from attackers who have physical access to the server. BitLocker Drive Encryption can be used on servers with or without a Trusted Platform Module (TPM); without a TPM, the Require Additional Authentication At Startup policy must allow it, and a password or a startup key on a USB flash drive must be supplied at every boot. When you add this feature to a server by using the Add Roles And Features Wizard, you can manage the feature by using the BitLocker Drive Encryption utility in Control Panel. In Control Panel\System And Security, tap or click BitLocker Drive Encryption. Windows Server 2008 R2 and later (and Windows 7 and later) include BitLocker To Go, which allows you to encrypt USB flash drives. On a computer that doesn’t have BitLocker, you can still read such a drive with the BitLocker To Go Reader, which is stored in an unencrypted area of the encrypted USB flash drive.

  • Remote Assistance. Provides an assistance feature that allows a user or an administrator to send a Remote Assistance invitation to a more senior administrator. The senior administrator can then accept the invitation to view the user’s desktop and, if the user grants permission, temporarily take control of the computer to resolve a problem. When you add this feature to a server by using the Add Roles And Features Wizard, you can manage the feature by using options on the Remote tab of the System Properties dialog box. In Control Panel\System And Security, under System, tap or click Allow Remote Access to view the related options.

  • Remote Desktop. Provides a remote connectivity feature that allows you to connect to and manage a server from another computer. By default, Remote Desktop is installed but not enabled on servers running Windows Server 2012 R2. You can manage the Remote Desktop configuration with the options on the Remote tab of the System Properties dialog box. In Control Panel\System And Security, under System, tap or click Allow Remote Access to view the related options. When you enable remote connections, leave Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication selected so that a user must authenticate before a session is created. You can establish remote connections by using the Remote Desktop Connection utility.

  • Task Scheduler. Allows you to schedule execution of one-time and recurring tasks, such as tasks for performing routine maintenance. Windows Server 2012 R2 makes extensive use of the scheduled task facilities. You can view and work with scheduled tasks in Computer Management. Expand the System Tools, Task Scheduler, and Task Scheduler Library nodes to view configured scheduled tasks.

  • Desktop Experience. This subfeature of User Interfaces And Infrastructure installs Windows desktop functionality on the server. You can use this feature when you use Windows Server 2012 R2 as your desktop operating system. When you add this feature by using the Add Roles And Features Wizard, the server’s desktop functionality is enhanced, and the following programs are also installed: Windows Media Player, Desktop Themes, Video for Windows (AVI support), Disk Cleanup, Sound Recorder, Character Map, and Snipping Tool.

  • Windows Firewall. Helps protect a computer from attack by unauthorized users. Windows Server includes a basic management interface called Windows Firewall and an advanced one called Windows Firewall With Advanced Security; both manage the same host firewall. By default, the firewall is enabled for the Domain, Private, and Public profiles on server installations, and installing a role or feature enables the inbound rules that role or feature needs. To access the basic firewall, tap or click Windows Firewall in Control Panel. To access the advanced firewall, on the Tools menu in Server Manager, click Windows Firewall With Advanced Security.

  • Windows Time. Synchronizes the system time with an authoritative time source to ensure that the system time is accurate. Accuracy matters for more than timestamps: Kerberos authentication fails when a computer’s clock differs from the domain controller’s by more than the allowed skew (five minutes by default). You can configure computers to synchronize with a specific time server. The way Windows Time works depends on whether a computer is a member of a domain or a workgroup. In a domain, domain members synchronize with a domain controller, domain controllers synchronize with the PDC emulator, and you manage this feature through Group Policy; the PDC emulator of the forest root domain should itself be configured to synchronize with a reliable external source. In a workgroup, Internet time servers are used for time synchronization, and you can manage this feature through the Date And Time utility.
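Rather than opening each Control Panel utility in turn, you can read the state of these support features from one place. The following Windows PowerShell script is added here as an example and is not from the original text. It reads the standard registry locations and the Windows Server 2012 R2 cmdlets for the firewall and BitLocker, changes nothing, and warns about the combinations a hardening review would flag. The AUOptions value meanings in the comments are the documented Automatic Updates values; the warning thresholds are my own choices.

```powershell
# Added example: audit the support features discussed above on the local server.
# Read-only; run it in an elevated Windows PowerShell session.

function Get-SupportFeatureState {
    # Windows Firewall: one entry per network profile (Domain, Private, Public).
    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

    # Remote Desktop: fDenyTSConnections 0 = connections allowed, 1 = denied.
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Network Level Authentication on the RDP listener: 1 = required.
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Automatic Updates: AUOptions 1 = disabled, 2 = notify before download,
    # 3 = download and notify, 4 = download and install on schedule.
    # The key is absent until Automatic Updates has been configured at least once.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

    # Windows Time: a source of 'Local CMOS Clock' means nothing is synchronizing the clock.
    $timeSource = (w32tm /query /source 2>$null) -join ''

    # The BitLocker cmdlets exist only after the feature has been installed.
    $bitlocker = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
    } else {
        'BitLocker Drive Encryption feature not installed'
    }

    [pscustomobject]@{
        FirewallProfiles     = $firewall
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        AutoUpdateOption     = $au.AUOptions
        TimeSource           = $timeSource
        BitLocker            = $bitlocker
    }
}

$state = Get-SupportFeatureState
$state | Format-List

# The findings that matter from a hardening point of view.
foreach ($fw in $state.FirewallProfiles) {
    if ("$($fw.Enabled)" -ne 'True') { Write-Warning "Firewall is off for the $($fw.Name) profile" }
}
if ($state.RemoteDesktopEnabled -and -not $state.NlaRequired) {
    Write-Warning 'Remote Desktop accepts connections without Network Level Authentication'
}
if (-not $state.AutoUpdateOption -or $state.AutoUpdateOption -eq 1) {
    Write-Warning 'Automatic Updates is not configured or is disabled'
}
if ($state.TimeSource -match 'Local CMOS Clock') {
    Write-Warning 'Windows Time is not synchronizing with a time server'
}
```

Run the script on a freshly built server before it goes into service and again after each role is added; the firewall and Remote Desktop checks are the ones most often changed by hand during setup and then forgotten.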

You can configure and manage these support components in the same way on computers running Windows 8.1 and Windows Server 2012 R2. You’ll find extensive coverage of these support components in Windows 8.1 Pocket Consultant: Essentials & Configuration by William R. Stanek (Microsoft Press, 2013).

Many other components provide support services. However, you need these additional support services only in specific scenarios. You can use IP Address Management (IPAM) servers when you want to manage your IP address space and track IP address usage trends. You can use Remote Desktop Services when you want to allow users to run applications on a remote server. You can use Windows Deployment Services when you want to enable automated deployment of Windows-based operating systems. The one always-on support service you must master, to succeed with Windows Server 2012 R2, is Group Policy.

Real World

The Start screen charms bar has a search option, which can have Everywhere, Settings, or Files as a focus. When you press the Windows key and then type, the text is entered into the search box. Because the default focus is for an Everywhere search, you can quickly search for installed programs, files, and settings.

Throughout this text, when I refer to entering something in the Everywhere search box, I’m referring to entering search text with Everywhere as a focus. As you enter text, matching results are displayed. When you press Enter, Windows runs the currently selected result. You can also use the Everywhere search to pass in commands with parameters and options. Simply type the command along with its parameters and options as you would at a command prompt.

Want to run Windows PowerShell commands from the Everywhere search box? Simply type powershell, and then enter your command.

Understanding group policies

Group policies simplify administration by giving administrators centralized control over privileges, permissions, and capabilities of both users and computers. Through group policies, you can do the following:

  • Control access to Windows components, system resources, network resources, Control Panel utilities, the desktop, and the Start screen.

  • Create centrally managed directories for special folders, such as a user’s Documents folder.

  • Define user and computer scripts to run at specified times.

  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. Many of these topics are covered in the “User account setup and organization” section in Chapter 9.

The sections that follow explain how you can work with and apply group policies.

Group Policy essentials

You can think of a policy as a set of rules that helps you manage users and computers. You can apply group policies to multiple domains, individual domains, subgroups within a domain, or individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory data store.

To understand group policies, you need to know a bit about the structure of Active Directory. In Active Directory, sites represent the physical structure of your network. A site is a group of TCP/IP subnets, with each subnet representing a physical network segment. A domain is a logical grouping of objects for centralized management, and subgroups within a domain are called organizational units. Your network might have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies apply only to systems running Windows-based operating systems. Group Policy settings are stored in a Group Policy object (GPO). You can think of a GPO as a container for the policies you apply and their settings. You can apply multiple GPOs to a single site, domain, or organizational unit. Because Group Policy is described by using objects, many object-oriented concepts apply. If you know a bit about object-oriented programming, you might expect the concepts of parent-child relationships and inheritance to apply to GPOs—and you’d be right.

A container is a top-level object that contains other objects. Through inheritance, a policy applied to a parent container is inherited by a child container. Essentially, this means that a policy setting applied to a parent object is passed down to a child object. For example, if you apply a policy setting in a domain, the setting is inherited by organizational units within the domain. In this case, the GPO for the domain is the parent object, and the GPOs for the organizational units are the child objects.

The order of inheritance is site, domain, organizational unit. This means that the Group Policy settings for a site are passed down to the domains within that site, and the settings for a domain are passed down to the organizational units within that domain.

As you might expect, you can override inheritance. To do this, you specifically assign a policy setting for a child container that is different from the policy setting for the parent. As long as overriding the policy is allowed (that is, overriding isn’t blocked), the child container’s policy setting will be applied appropriately. To learn more about overriding and blocking GPOs, see the “Blocking, overriding, and disabling policies” section later in this chapter.

In what order are multiple policies applied?

When multiple policies are in place, policies are applied in the following order:

  1. Local group policies

  2. Site group policies

  3. Domain group policies

  4. Organizational unit group policies

  5. Child organizational unit group policies

If policy settings conflict, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed in the “Blocking, overriding, and disabling policies” section later in this chapter.
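The quickest way to see this order on a real computer is a Resultant Set of Policy (RSoP) report. The following Windows PowerShell script is an added example, not part of the original text. It runs gpresult /x, which writes the same RSoP XML that the GPMC and Get-GPResultantSetOfPolicy produce, and lists each GPO with the container it was linked to, its link order, and whether it actually applied. The XML element names used here (Rsop, ComputerResults, UserResults, GPO, Link, SOMPath, LinkOrder, NoOverride, FilterAllowed, AccessDenied) are the ones in that report as I know it; treat them as an assumption and adjust if your report differs. Run it elevated, because the computer half of the report requires administrator rights.

```powershell
# Added example: list the GPOs that applied to this computer or user, with the
# container and link order that decided their precedence.

function Get-AppliedGpoOrder {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')

    $report   = Join-Path $env:TEMP 'rsop-report.xml'
    $scopeArg = '/scope:' + $Scope.ToLower()
    # /x writes RSoP XML, /f overwrites an existing file.
    gpresult /x $report /f $scopeArg | Out-Null

    [xml]$rsop = Get-Content -Path $report
    # PowerShell's dotted XML navigation ignores the report's default namespace.
    $results = if ($Scope -eq 'Computer') { $rsop.Rsop.ComputerResults } else { $rsop.Rsop.UserResults }

    # Each <GPO> element carries its link(s) and the reasons it was or wasn't applied.
    # The local GPO appears with a SOMPath of "Local" (assumption based on past reports).
    foreach ($gpo in $results.GPO) {
        foreach ($link in $gpo.Link) {
            [pscustomobject]@{
                Gpo       = $gpo.Name
                LinkedTo  = $link.SOMPath            # Local, site, domain, or OU path
                LinkOrder = [int]$link.LinkOrder     # 1 = highest precedence at that container
                Enforced  = ($link.NoOverride -eq 'true')
                Applied   = ($gpo.Enabled -ne 'false' -and $gpo.IsValid -ne 'false' -and
                             $gpo.FilterAllowed -ne 'false' -and $gpo.AccessDenied -ne 'true')
            }
        }
    }
    Remove-Item -Path $report -ErrorAction SilentlyContinue
}

# Computer policies first, then the logged-on user's policies.
Get-AppliedGpoOrder -Scope Computer | Format-Table -AutoSize
Get-AppliedGpoOrder -Scope User     | Format-Table -AutoSize
```

A GPO that shows Applied as False was linked but skipped, most often because security filtering excluded the computer or user or because the account lacks Read and Apply Group Policy permissions on it. That is the first thing to check when a setting you expect to win is missing.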

When are group policies applied?

As you’ll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers

  • Those that apply to users

Computer policies are normally applied during system startup, and user policies are normally applied during logon. The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts, and then Windows Server applies computer policies. By default, computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.

  2. Windows Server runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next one starts. Script execution isn’t displayed to the user unless specified.

  3. A user logs on. After the user is validated, Windows Server loads the user profile.

  4. Windows Server applies user policies. By default, user policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.

  5. Windows Server runs logon scripts. Logon scripts for Group Policy are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share run last in a normal command shell window.

  6. Windows Server displays the start shell interface configured in Group Policy.

  7. By default, Group Policy is refreshed automatically in the background every 90 minutes, with a random offset of up to 30 minutes so that all computers don’t refresh at once; domain controllers refresh every 5 minutes. You can change this behavior by setting a Group Policy refresh interval, as discussed in the “Refreshing Group Policy” section later in this chapter. To force an immediate refresh instead of waiting, open a command prompt and enter gpupdate. A background refresh reapplies only GPOs whose version has changed since the last refresh; gpupdate /force reapplies all of them.

Real World

Some user settings, such as Folder Redirection, can’t be updated when a user is logged on. The user must log off and then log back on for these settings to be applied. You can enter gpupdate /logoff at a command prompt or in the Everywhere search box to log off the user automatically after the refresh. Similarly, some computer settings can be updated only at startup. The computer must be restarted for these settings to be applied. You can enter gpupdate /boot at a command prompt or in the Everywhere search box to restart the computer after the refresh.

Group Policy requirements and version compatibility

Group policies apply only to systems running professional and server versions of Windows. As you might expect, each new version of the Windows operating system has brought with it changes to Group Policy. Sometimes these changes have made earlier policies obsolete on newer versions of Windows. In this case, the policy works only on specific versions of Windows, such as only on Windows Vista and Windows Server 2008.

Generally speaking, most policies are forward-compatible. This means that in most cases, policies introduced in a previous release of Windows can be used in the current release of Windows. It also means that policies for Windows 8.1 and Windows Server 2012 R2 usually aren’t applicable to earlier releases of Windows. If a policy isn’t applicable to a particular version of the Windows operating system, you can’t enforce the policy on computers running those versions of Windows.

How will you know whether a policy is supported on a particular version of Windows? Easy. The Properties dialog box for each policy setting has a Supported On box, a text-only field that lists the versions of Windows the policy applies to. You don’t even have to open the dialog box: if you select a policy in any of the Group Policy editors with the Extended tab (rather than the Standard tab) selected, a Requirements entry that lists the compatibility is displayed in the description pane.

You can also install new policies when you add a service pack, install Windows applications, or add Windows components. This means a wide range of compatibility entries are available.

Microsoft provides the Group Policy Management Console (GPMC) as the centralized management console for Group Policy. The GPMC is a feature you can add to any installation of Windows Server 2008 or later by using the Add Roles And Features Wizard (the Add Features Wizard on Windows Server 2008 and Windows Server 2008 R2). The GPMC is available on Windows desktops when you install the Remote Server Administration Tools (RSAT). After you add the GPMC to a computer, it is available on the Tools menu in Server Manager.

When you want to edit a GPO in the GPMC, the GPMC opens the Group Policy Management Editor, which you use to manage the policy settings. If Microsoft had stopped with these two tools, we’d have a wonderful and easy-to-use policy-management environment. Unfortunately, several other, nearly identical editors also exist:

  • Group Policy Starter GPO Editor. An editor you can use to create and manage starter policy objects. As the name implies, starter GPOs are meant to provide a starting point for policy objects you’ll use throughout your organization. When you create a policy object, you can specify a starter GPO as the source or basis of the object.

  • Local Group Policy Object Editor. An editor you can use to create and manage policy objects for the local computer. As the name implies, local GPOs are meant to provide policy settings for a specific computer as opposed to settings for a site, domain, or organizational unit.

If you’ve worked with earlier versions of Windows, you might also be familiar with the Group Policy Object Editor (GPOE). With earlier versions of Windows, the GPOE is the primary editing tool for policy objects. The Group Policy Object Editor, Group Policy Management Editor, Group Policy Starter GPO Editor, and Local Group Policy Object Editor are essentially identical except for the set of policy objects you have access to. For this reason, and because you use these tools to manage individual policy objects in the same way, I won’t differentiate between them unless necessary. As a matter of preference, I refer to these tools collectively as policy editors. Sometimes, I might use the acronym GPOE to refer to policy editors in general because it is more easily distinguished from the management console, the GPMC.

You can manage policy settings for Windows Vista and later only from computers running Windows Vista or later. The reason for this is that the GPOE and the GPMC for Windows Vista and later releases were updated to work with the XML-based administrative templates format called ADMX.

Note

You cannot use early versions of the policy editors with ADMX. You can edit GPOs by using ADMX files only on a computer running Windows Vista or later.

Microsoft had many reasons for going to the ADMX format. The key reasons were to allow greater flexibility and extensibility. Because ADMX files are created by using XML, the files are strictly structured and can be more easily and rapidly parsed during initialization. This can help to improve performance when the operating system processes Group Policy during the startup, logon, logoff, and shutdown phases, in addition to during policy refreshes. Further, the strict structure of ADMX files makes it possible for Microsoft to continue in its internationalization efforts.

ADMX files are divided into language-neutral files ending with the .admx file name extension and language-specific files ending with the .adml extension. The language-neutral files ensure that a GPO has identical core policies. The language-specific files allow policies to be viewed and edited in multiple languages. Because the language-neutral files store a policy’s core settings, policies can be edited in any language for which a computer is configured, thus allowing one user to view and edit policies in English and another to view and edit policies in Spanish, for example. The mechanism that determines the language used is the language pack installed on the computer.

Language-neutral ADMX files are installed on computers running Windows Vista or later in the %SystemRoot%\PolicyDefinitions folder. Language-specific ADML files are installed in a subfolder of %SystemRoot%\PolicyDefinitions named by using the corresponding International Organization for Standardization (ISO) language/culture name, such as en-US for US English.

When you start a policy editor, it automatically reads ADMX files from the policy definitions folders. Because of this, you can copy ADMX files you want to use to an appropriate policy definitions folder to make them available when you are editing GPOs. If the policy editor is running when you copy the file or files, you must restart the policy editor to force it to read the file or files.

In domains, ADMX files can be stored in a central store, a domainwide PolicyDefinitions folder created in the SYSVOL directory (%SystemRoot%\Sysvol\Domain\Policies\PolicyDefinitions on a domain controller, reached over the network as \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions). When a central store exists, the policy editors read templates from it instead of from the local PolicyDefinitions folder, so every administrator edits with the same set of templates. Administrative templates are no longer stored with each GPO. Instead, only the current state of each setting is stored in the GPO, and the ADMX files are stored centrally. This reduces the amount of storage space used as the number of GPOs increases and also reduces the amount of data being replicated throughout the enterprise. Because the central store is replicated to every domain controller and shapes what every administrator sees in the editor, keep its permissions limited to the administrators who maintain templates.
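Creating the central store is a copy operation, but one worth scripting so that it is repeatable and so that mismatched template files are caught. The following Windows PowerShell function is an added example and is not from the original text. It copies the local PolicyDefinitions folder of the machine you run it on (which should be the one with the newest templates) to the central store and then checks that every .admx file has a matching .adml file for each language you keep. The domain name is taken from the session’s USERDNSDOMAIN variable, and the language list defaults to en-US; both are assumptions you can override.

```powershell
# Added example: create or refresh the domain's ADMX central store and verify
# that every language-neutral template has its language-specific companion.

function Sync-AdmxCentralStore {
    param(
        [string]$Domain      = $env:USERDNSDOMAIN,               # e.g. corp.example.com
        [string]$Source      = "$env:SystemRoot\PolicyDefinitions",
        [string[]]$Languages = @('en-US')
    )

    # The policy editors look here first whenever this folder exists.
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }

    # Language-neutral templates go in the root of the store ...
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force

    # ... and each language's .adml files go in a subfolder named for that culture.
    foreach ($lang in $Languages) {
        $langDir = Join-Path $store $lang
        if (-not (Test-Path -Path $langDir)) {
            New-Item -ItemType Directory -Path $langDir | Out-Null
        }
        Copy-Item -Path (Join-Path $Source "$lang\*.adml") -Destination $langDir -Force
    }

    # An .admx without its .adml makes the editor report a missing resource for
    # that template instead of showing policy names, so report any mismatch.
    $admx = Get-ChildItem -Path $store -Filter '*.admx' | ForEach-Object { $_.BaseName }
    foreach ($lang in $Languages) {
        $adml = Get-ChildItem -Path (Join-Path $store $lang) -Filter '*.adml' | ForEach-Object { $_.BaseName }
        $missing = Compare-Object -ReferenceObject $admx -DifferenceObject $adml |
            Where-Object { $_.SideIndicator -eq '<=' } |
            Select-Object -ExpandProperty InputObject
        if ($missing) {
            Write-Warning "$lang has no .adml for: $($missing -join ', ')"
        }
    }
    $store
}

Sync-AdmxCentralStore -Languages 'en-US'
```

Copy-Item overwrites templates already in the store, so run this from the machine that has the newest set (a workstation running the latest Windows release, or one where you have added vendor templates), not from an older server that would silently downgrade them.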

When SYSVOL replication uses the Distributed File System (DFS) Replication service, which requires the Windows Server 2008 or higher domain functional level, only the changed portions of a GPO’s files are replicated, eliminating the need to replicate an entire GPO after a change. Raising the functional level doesn’t switch the replication mechanism by itself: a domain that was upgraded from an earlier version continues to use the File Replication Service (FRS) until you migrate it with the Dfsrmig utility, whereas a domain created at the Windows Server 2008 or higher functional level uses DFS Replication from the start.

Current releases of Windows use the Group Policy client service to isolate Group Policy notification and processing from the Windows logon process. Separating Group Policy from the Windows logon process reduces the resources used for background processing of the policy while increasing overall performance and allowing delivery and application of new Group Policy files as part of the update process without requiring a restart.

Computers running Windows Vista or later don’t use the trace logging functionality in Userenv.dll and instead write Group Policy event messages to the System log. Further, the Group Policy operational log replaces the previous Userenv logging. When you are troubleshooting Group Policy issues, you use the detailed event messages in the operational log rather than in the Userenv log. In Event Viewer, you can access the operational log under Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational.
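The operational log is also the right place to confirm what a refresh actually did. The following Windows PowerShell script is an added example and is not from the original text. It forces a computer-policy refresh and then pulls, from the last few minutes of the operational log, the two events that list which GPOs were applied (event ID 5312) and which were not (event ID 5313), along with any errors or warnings. The event IDs are the documented Group Policy operational events; the time window is my own choice.

```powershell
# Added example: force a refresh, then read the Group Policy operational log
# instead of inferring the outcome from gpresult.

function Get-GroupPolicyProcessingSummary {
    param([int]$Minutes = 10)

    $logName = 'Microsoft-Windows-GroupPolicy/Operational'
    $since   = (Get-Date).AddMinutes(-$Minutes)

    # 5312 = list of applicable GPOs, 5313 = list of GPOs that were not applied
    # (and why: disabled link, security filtering, WMI filter, access denied).
    $lists = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 5312, 5313; StartTime = $since } `
                 -ErrorAction SilentlyContinue

    # Level 2 = Error, 3 = Warning: the failures you actually want to see.
    $problems = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3; StartTime = $since } `
                    -ErrorAction SilentlyContinue

    # Get-WinEvent returns newest first, so -First 1 is the most recent refresh.
    [pscustomobject]@{
        Applied    = ($lists | Where-Object { $_.Id -eq 5312 } | Select-Object -First 1).Message
        NotApplied = ($lists | Where-Object { $_.Id -eq 5313 } | Select-Object -First 1).Message
        Problems   = $problems | Select-Object TimeCreated, Id, Message
    }
}

# /force reapplies every GPO, not just the ones whose version changed.
gpupdate /target:computer /force | Out-Null
Get-GroupPolicyProcessingSummary -Minutes 5 | Format-List
```

If NotApplied names a GPO you expected to win, the message text says why it was skipped; if Problems is empty but a setting still isn’t in effect, the GPO applied and the setting itself is the issue (wrong section, unsupported on this Windows version, or overridden by a higher-precedence GPO).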

Computers running current versions of Windows use Network Location Awareness instead of Internet Control Message Protocol (ICMP, or ping). With Network Location Awareness, a computer is aware of the type of network it is connected to and can be responsive to changes in the system status or network configuration. By using Network Location Awareness, the Group Policy client can determine the computer state, network state, and available network bandwidth for slow-link detection.

Managing local group policies

Computers running current versions of Windows allow the use of multiple local Group Policy objects on a single computer (as long as the computer is not a domain controller). Previously, computers had only one local GPO. Windows allows you to assign a different local GPO to each local user or general user type. This allows the application of policy to be more flexible and supports a wider array of implementation scenarios.

Local Group Policy objects

When computers are being used in a stand-alone configuration rather than a domain configuration, you might find that multiple local GPOs are useful because you no longer have to explicitly disable or remove settings that interfere with your ability to manage a computer before performing administrator tasks. Instead, you can implement one local GPO for administrators and another local GPO for nonadministrators. In a domain configuration, however, you might not want to use multiple local GPOs. In domains, most computers and users already have multiple GPOs applied to them—adding multiple local GPOs to this already varied mix can make managing Group Policy confusing.

Computers running current versions of Windows have three layers of local Group Policy objects:

  • Local Group Policy. Local Group Policy is the only local Group Policy object that allows both computer configuration and user configuration settings to be applied to all users of the computer.

  • Administrators and Non-Administrators local Group Policy. Administrators and Non-Administrators Local Group Policy contain only user configuration settings. This policy is applied based on whether the user account being used is a member of the local Administrators group.

  • User-specific local Group Policy. User-Specific Local Group Policy contains only user configuration settings. This policy is applied to individual users and groups.

These layers of local Group Policy objects are processed in the following order: Local Group Policy, Administrators and Non-Administrators Local Group Policy, User-Specific Local Group Policy.

Because the available user-configuration settings are the same for all local GPOs, a setting in one GPO might conflict with a setting in another GPO. Windows resolves conflicts in settings by overwriting any previous setting with the last-read and most current settings. The final setting is the one that Windows uses. When Windows resolves conflicts, only the enabled or disabled state of settings matters. A setting set as Not Configured has no effect on the state of the setting from a previous policy application. To simplify domain administration, you can disable processing of local Group Policy objects on computers running Windows Vista or later releases by enabling the Turn Off Local Group Policy Objects Processing policy setting in a domain GPO (which sets the DisableLGPOProcessing value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System). In Group Policy, this setting is located under Administrative Templates for Computer Configuration under System\Group Policy. Because a local administrator can edit the local GPOs of a domain member, disabling their processing also removes one way for such an administrator to relax user-configuration settings that the domain intends to enforce.

Accessing the top-level local policy settings

All computers running current releases of Windows have an editable local Group Policy object. Although a domain controller has a local Group Policy object, you shouldn’t edit its settings.

The quickest way to access the local GPO on a computer is to enter the following command in the Everywhere search box:

gpedit.msc

This command starts the GPOE in a Microsoft Management Console (MMC) with its target set to the local computer. To access the top-level local GPO on a remote computer, enter the following in the Everywhere search box:

gpedit.msc /gpcomputer:"RemoteComputer"

Here RemoteComputer is the host name or fully qualified domain name of the remote computer. Note that the double quotation marks are required and that there must not be a space between /gpcomputer: and the remote computer value, as shown in the following example:

gpedit.msc /gpcomputer:"corpsvr82"

When you are connected to a remote computer, the root node lists the name of the remote computer, as shown in Figure 6-1. Otherwise, the root node label is shown as Local Computer Policy.

Screen shot of the Local Group Policy Editor, showing the user is connected to CorpPC73.
Figure 6-1. Use the policy editor to manage local policy settings.

You can also manage the top-level local GPO on a computer by following these steps:

  1. At a command prompt or in the Everywhere search box, type mmc, and then press Enter.

  2. In the Microsoft Management Console, tap or click File, and then tap or click Add/Remove Snap-In.

  3. In the Add Or Remove Snap-Ins dialog box, tap or click Group Policy Object Editor, and then tap or click Add.

  4. In the Select Group Policy Object dialog box, tap or click Finish because the local computer is the default object, and then tap or click OK.

Whether you access the Local GPO directly or by adding GPOE to an MMC, you can now manage local policy settings by using the options provided (see Figure 6-2).

Tip

You can use the same MMC snap-in to manage more than one local Group Policy object. In the Add Or Remove Snap-Ins dialog box, you simply add one instance of the Local Group Policy Object Editor for each object you want to work with.

Screen shot of the Local Group Policy Editor, with the Prevent Changing Lock Screen Image policy selected.
Figure 6-2. Use the policy editor to manage local policy settings.

Local Group Policy object settings

Local group policies are stored in the %SystemRoot%\System32\GroupPolicy folder on each computer running Windows Server. In this folder, you’ll find the following subfolders:

  • Machine. Stores computer startup and shutdown scripts in the Scripts folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file

  • User. Stores user logon and logoff scripts in the Scripts folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file

Caution

You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of one of the Group Policy management tools. By default, these files and folders are hidden. If you want to view hidden files and folders in File Explorer, tap or click the View tab, and then select Hidden Items. You also might want to select File Name Extensions.
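Not editing Registry.pol directly doesn’t mean you can’t read it. When you audit a stand-alone server, or suspect that someone has changed local policy outside the editor, reading the file is the ground truth, because it is what the Group Policy client actually applies. The following Windows PowerShell parser is an added example, not from the original text. It implements the documented Registry.pol layout: a 4-byte "PReg" signature and a 4-byte version, followed by entries of the form [key;value;type;size;data] in which the brackets and semicolons are UTF-16LE characters, the key and value name are NUL-terminated UTF-16LE strings, and type and size are 32-bit little-endian integers. The sample file it parses is constructed in memory so the script runs without touching a real policy folder; the key and value names in it are real policy locations, but the data is made up for the example.

```powershell
# Added example: parse a Registry.pol file (local or domain GPO) into objects.

function Read-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $u16 = [System.Text.Encoding]::Unicode
    if ($Bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Not a Registry.pol file (missing PReg signature)'
    }
    $typeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ'; 11 = 'REG_QWORD' }
    $pos = 8   # past the 4-byte signature and the 4-byte version (always 1)

    while ($pos + 2 -le $Bytes.Length) {
        # Entry layout: [ key \0 ; valuename \0 ; type ; size ; data ]
        if ($u16.GetString($Bytes, $pos, 2) -ne '[') { throw "Expected '[' at offset $pos" }
        $pos += 2

        $strings = @()
        for ($i = 0; $i -lt 2; $i++) {            # key, then value name
            $start = $pos
            while (-not ($Bytes[$pos] -eq 0 -and $Bytes[$pos + 1] -eq 0)) { $pos += 2 }
            $strings += $u16.GetString($Bytes, $start, $pos - $start)
            $pos += 4                               # NUL terminator, then ';'
        }
        $type = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD, then ';'
        $size = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD, then ';'
        [byte[]]$raw = if ($size -gt 0) { $Bytes[$pos..($pos + $size - 1)] } else { @() }
        $pos += $size
        if ($u16.GetString($Bytes, $pos, 2) -ne ']') { throw "Expected ']' at offset $pos" }
        $pos += 2

        $data = switch ([int]$type) {
            4               { [BitConverter]::ToUInt32($raw, 0) }
            11              { [BitConverter]::ToUInt64($raw, 0) }
            { $_ -in 1, 2 } { $u16.GetString($raw).TrimEnd([char]0) }
            7               { $u16.GetString($raw).TrimEnd([char]0) -split [char]0 }
            default         { ($raw | ForEach-Object { $_.ToString('x2') }) -join '' }
        }

        # Value names beginning with ** (for example **DeleteValues, **DelVals.)
        # are deletion instructions rather than values to set.
        [pscustomobject]@{ Key = $strings[0]; Value = $strings[1]; Type = $typeNames[[int]$type]; Data = $data }
    }
}

# Builds one entry in the same layout, used here only to construct sample input.
function New-RegistryPolEntry {
    param([string]$Key, [string]$Value, [uint32]$Type, [byte[]]$Data)
    $u16  = [System.Text.Encoding]::Unicode
    $nul  = [byte[]](0, 0)
    $semi = $u16.GetBytes(';')
    [byte[]]($u16.GetBytes('[') + $u16.GetBytes($Key) + $nul + $semi +
             $u16.GetBytes($Value) + $nul + $semi +
             [BitConverter]::GetBytes($Type) + $semi +
             [BitConverter]::GetBytes([uint32]$Data.Length) + $semi +
             $Data + $u16.GetBytes(']'))
}

# Constructed sample: "Turn Off Local Group Policy Objects Processing" enabled,
# plus a REG_SZ lock-screen image path (value content is made up).
$u16 = [System.Text.Encoding]::Unicode
[byte[]]$sample = [System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1) +
    (New-RegistryPolEntry 'Software\Policies\Microsoft\Windows\System' 'DisableLGPOProcessing' 4 ([BitConverter]::GetBytes([uint32]1))) +
    (New-RegistryPolEntry 'Software\Policies\Microsoft\Windows\Personalization' 'LockScreenImage' 1 ($u16.GetBytes("C:\Corp\lock.jpg`0")))

Read-RegistryPol -Bytes $sample | Format-Table -AutoSize

# Against a real machine (read-only), for example the computer half of the local GPO:
# Read-RegistryPol -Bytes ([System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"))
```

The same parser works on the Registry.pol files under %SystemRoot%\System32\GroupPolicyUsers and on the copies in a domain GPO’s folder in SYSVOL, which makes it a convenient way to diff what a GPO sets against what you believe it sets.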

Accessing administrator, nonadministrator, and user-specific local Group Policy

By default, the only local policy object that exists on a computer is the Local Group Policy object. You can create and manage other local objects as necessary (except on domain controllers). You can create or access the Administrator Local Group Policy object, the Non-Administrator Local Group Policy Object, or a user-specific local Group Policy object by following these steps:

  1. At a command prompt or in the Everywhere search box, type mmc, and then press Enter. In the Microsoft Management Console, tap or click File, and then tap or click Add/Remove Snap-In.

  2. In the Add Or Remove Snap-Ins dialog box, tap or click Group Policy Object Editor, and then tap or click Add.

  3. In the Select Group Policy Object dialog box, tap or click Browse. In the Browse For A Group Policy Object dialog box, tap or click the Users tab.

  4. On the Users tab, as shown in Figure 6-3, the entries in the Group Policy Object Exists column specify whether a particular local policy object has been created. Do one of the following:

    • Select Administrators to create or access the Administrators Local Group Policy object.

    • Select Non-Administrators to create or access the Non-Administrators Local Group Policy object.

    • Select the local user whose user-specific local Group Policy object you want to create or access.

  5. Tap or click OK. If the selected object doesn’t exist, it will be created. Otherwise, the existing object opens for review and editing.

Screen shot of the Browse For A Group Policy Object dialog box, showing the local users and groups that can be managed.
Figure 6-3. Select the local user or group to manage.

Policy settings for administrators, nonadministrators, and users are stored in the %SystemRoot%\System32\GroupPolicyUsers folder on each computer running Windows Server, in a subfolder named for the security identifier (SID) of the group or user the object applies to: S-1-5-32-544 for Administrators, S-1-5-32-545 (the Users group) for Non-Administrators, and the account’s own SID for a user-specific object. Because these local GPOs apply only to user configuration settings, each of these subfolders has only a User subfolder, which stores user scripts in the Scripts folder and registry-based policy information for HKEY_CURRENT_USER in the Registry.pol file.

Managing site, domain, and organizational unit policies

When you deploy Active Directory Domain Services (AD DS), you can use Active Directory–based Group Policy. Each site, domain, and organizational unit can have one or more GPOs linked to it. GPOs linked to the same container are processed in reverse link order: the GPO with link order 1, listed at the top of the Linked Group Policy Objects list in the GPMC, is processed last and therefore has the highest precedence. This ensures that policies are applied appropriately throughout the related sites, domains, and organizational units.

Understanding domain and default policies

When you work with Active Directory–based Group Policy, you’ll find that each domain in your organization has two default GPOs:

  • Default Domain Controllers Policy GPO. A default GPO created for and linked to the Domain Controllers organizational unit. This GPO is applicable to all domain controllers in a domain (as long as they aren’t moved from this organizational unit). Use it to manage security settings for domain controllers in a domain.

  • Default Domain Policy GPO. A default GPO created for and linked to the domain itself within Active Directory. Use this GPO to establish baselines for a wide variety of policy settings that apply to all users and computers in a domain.

Typically, the Default Domain Policy GPO is the highest-precedence GPO linked to the domain level, and the Default Domain Controllers Policy GPO is the highest-precedence GPO linked to the Domain Controllers container. You can link additional GPOs to the domain level and to the Domain Controllers container. When you do this, the settings in the highest-precedence GPO override settings in lower-precedence GPOs. These GPOs aren’t meant for general management of Group Policy.

The Default Domain Policy GPO is used to manage only the default Account Policies settings and, in particular, three specific areas of Account Policies: password policy, account lockout policy, and Kerberos policy. Several security options are also managed through this GPO. These include Accounts: Rename Administrator Account, Accounts: Administrator Account Status, Accounts: Guest Account Status, Accounts: Rename Guest Account, Network Security: Force Logoff When Logon Hours Expire, Network Security: Do Not Store LAN Manager Hash Value On Next Password Change, and Network Access: Allow Anonymous SID/Name Translation. One way to override these settings is to create a GPO with the overriding settings and link it with a higher precedence to the domain container.

The Default Domain Controllers Policy GPO includes specific User Rights Assignment and Security Options settings that limit the ways domain controllers can be used. One way to override these settings is to create a GPO with the overriding settings and link it with a higher precedence to the Domain Controllers container.

To manage other areas of policy, you should create a GPO and link it to the domain or to an appropriate organizational unit within the domain.

Site, domain, and organizational unit group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder, you’ll find one subfolder for each policy you defined on the domain controller. The policy folder name is the policy’s globally unique identifier (GUID). You can find the policy’s GUID on the policy’s Properties page on the General tab in the Summary frame. Within these individual policy folders, you’ll find the following subfolders:

  • Machine. Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file

  • User. Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file

Caution

Do not edit these folders and files directly. Instead, use the appropriate features of one of the Group Policy management tools.
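The folder layout just described can be checked without touching it. The following script is an added example, not code from the book; it assumes the GroupPolicy RSAT module is installed, that the account running it can read SYSVOL, and it uses example.local as a placeholder domain name. It walks every GPO in the domain, resolves the GUID-named policy folder over the domain’s SYSVOL share (the same folder the text locates at %SystemRoot%\Sysvol\Domain\Policies on a domain controller), reports whether the Machine\Registry.pol and User\Registry.pol files exist, and compares the Active Directory and SYSVOL version numbers that Get-GPO exposes. It reads only; nothing in SYSVOL is modified.

```powershell
# Added example (not from the book). Read-only check of the SYSVOL side of every
# domain GPO: the GUID-named policy folder, its Machine\ and User\ Registry.pol
# files, and whether the AD and SYSVOL version numbers agree.
# Requires the GroupPolicy RSAT module; "example.local" is a placeholder.
Import-Module GroupPolicy

$Domain = 'example.local'   # placeholder; replace with your domain's DNS name

function Get-GpoSysvolStatus {
    param([Parameter(Mandatory)][string]$Domain)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The policy folder is named after the GPO's GUID, in braces.
        $folder = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"

        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Guid           = $gpo.Id
            FolderExists   = Test-Path -LiteralPath $folder
            # Registry.pol holds the registry-based (administrative template) settings.
            HasMachinePol  = Test-Path -LiteralPath (Join-Path $folder 'Machine\Registry.pol')
            HasUserPol     = Test-Path -LiteralPath (Join-Path $folder 'User\Registry.pol')
            # The AD (DS) and SYSVOL version numbers should match. A lasting mismatch
            # points to replication lag or to a folder that was edited by hand.
            ComputerInSync = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
            UserInSync     = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
        }
    }
}

# Show only GPOs with a problem; drop the Where-Object to list all of them.
Get-GpoSysvolStatus -Domain $Domain |
    Where-Object { -not $_.FolderExists -or -not $_.ComputerInSync -or -not $_.UserInSync } |
    Format-Table -AutoSize
```

A GPO whose folder is missing or whose version numbers stay out of step is the usual symptom of someone having ignored the caution above, or of SYSVOL replication problems, so this listing is a quick first check before opening the GPMC.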

Using the Group Policy Management Console

You can run the GPMC from the Tools menu in Server Manager. At a prompt or in the Everywhere search box, type gpmc.msc, and then press Enter.

As shown in Figure 6-4, the console root node is labeled Group Policy Management, and below this node is the Forest node. The Forest node represents the forest to which you are currently connected and is named after the forest root domain for that forest. If you have appropriate credentials, you can add connections to other forests. To do this, press and hold or right-click the Group Policy Management node, and then tap or click Add Forest. In the Add Forest dialog box, enter the name of the forest root domain in the Domain box, and then tap or click OK.

Screen shot of the GPMC, with a domain selected in the console.
Figure 6-4. Use the GPMC to work with GPOs in sites, forests, and domains.

Expanding the Forest node displays the following nodes:

  • Domains. Provides access to the policy settings for domains in the related forest. You are connected to your logon domain by default. If you have appropriate credentials, you can add connections to other domains in the related forest. To do this, press and hold or right-click the Domains node, and then tap or click Show Domains. In the Show Domains dialog box, select the check boxes for the domains you want to add, and then tap or click OK.

  • Sites. Provides access to the policy settings for sites in the related forest. Sites are hidden by default. If you have appropriate credentials, you can add connections for sites. To do this, press and hold or right-click the Sites node, and then tap or click Show Sites. In the Show Sites dialog box, select the check boxes for the sites you want to add, and then tap or click OK.

  • Group Policy Modeling. Provides access to the Group Policy Modeling Wizard, which helps you plan policy deployment and simulate settings for testing purposes. Any saved policy models are also available.

  • Group Policy Results. Provides access to the Group Policy Results Wizard. For each domain you are connected to, all related GPOs and organizational units are available to work with in one location.

GPOs listed under the domain, site, and organizational unit containers in the GPMC are GPO links and not the GPOs themselves. You can access the actual GPOs through the Group Policy objects container of the selected domain. Note that the icons for GPO links have small arrows at the bottom left, similar to shortcut icons, whereas GPOs themselves do not.

When you start the GPMC, the console connects to Active Directory running on the domain controller that is acting as the PDC emulator for your logon domain and obtains a list of all GPOs and organizational units in that domain. It does this by using Lightweight Directory Access Protocol (LDAP) to access the directory store and the Server Message Block (SMB) protocol to access the SYSVOL directory. If the PDC emulator isn’t available for some reason, such as when the server is offline, the GPMC displays a prompt so that you can choose to work with policy settings on the domain controller you are currently connected to or on any available domain controller. To change the domain controller you are connected to, press and hold or right-click the domain node for which you want to set the domain controller focus, and then tap or click Change Domain Controller. In the Change Domain Controller dialog box, the domain controller you are currently connected to is listed under Current Domain Controller. Using the Change To options, specify the domain controller to use, and then tap or click OK.

Getting to know the policy editor

With the GPMC, you can edit a GPO by pressing and holding or right-clicking it and then selecting Edit on the shortcut menu. As Figure 6-5 shows, the policy editor has two main nodes:

  • Computer Configuration. Allows you to set policies that should be applied to computers, regardless of who logs on

  • User Configuration. Allows you to set policies that should be applied to users, regardless of which computer they log on to

Screen shot of the Group Policy Management Editor, showing Computer Configuration and User Configuration in the main pane.
Figure 6-5. The configuration of the policy editor depends on the type of policy you’re creating and the add-ons installed.

Under the Computer Configuration and User Configuration nodes, you’ll find the Policies and Preferences nodes. Settings for general policies are listed under the Policies node. Settings for general preferences are listed under the Preferences node.

Note

When I reference settings under the Policies node, I sometimes use a shortcut such as User Configuration\Administrative Templates\Windows Components rather than User Configuration\Policies\Administrative Templates: Policy Definitions\Windows Components. This shortcut tells me that the policy setting being discussed is under User Configuration rather than Computer Configuration and can be found under Administrative Templates\Windows Components.

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you’re creating. Still, you’ll usually find that both Computer Configuration and User Configuration have subnodes for the following:

  • Software Settings. Sets policies for software settings and software installation. When you install software, subnodes might be added to Software Settings.

  • Windows Settings. Sets policies for folder redirection, scripts, and security.

  • Administrative Templates. Sets policies for the operating system, Windows components, and programs. Administrative templates are configured through template files. You can add or remove template files whenever you need to.

Note

A complete discussion of all the available options is beyond the scope of this book. The sections that follow focus on using administrative templates. Security is covered in chapters later in this book.

Using administrative templates to set policies

Administrative templates provide easy access to registry-based policy settings that you might want to configure. A default set of administrative templates is configured for users and computers in the policy editor. You can also add or remove administrative templates. Any changes you make to policies available through administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE, and user configurations are saved in HKEY_CURRENT_USER.

You can view the currently configured templates in the Administrative Templates node of the policy editor. This node contains policies you can configure for local systems, organizational units, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add templates containing new policies in the policy editor when you install new Windows components.

You can use administrative templates to manage the following:

  • Control Panel. Determine the available options and configuration of Control Panel and Control Panel utilities.

  • Desktop. Configure the Windows desktop and the available options from the desktop.

  • Network. Configure networking and network client options for offline files, DNS clients, and network connections.

  • Printers. Configure printer settings, browsing, spooling, and directory options.

  • Shared folders. Allow publishing of shared folders and Distributed File System (DFS) roots.

  • Start screen and taskbar. Control the available options and configuration of the Start screen and the taskbar.

  • System. Configure system settings for disk quotas, user profiles, user logon, system restore, error reporting, and so on.

  • Windows components. Determine the available options and configuration of various Windows components, including Event Viewer, Internet Explorer, Task Scheduler, Windows Installer, and Windows Updates.

The best way to get to know which administrative template policies are available is to browse the Administrative Templates nodes. As you browse the templates, you’ll find that policies are in one of three states:

  • Not Configured. The policy isn’t used, and no settings for it are saved in the registry.

  • Enabled. The policy is actively being enforced, and its settings are saved in the registry.

  • Disabled. The policy is turned off and isn’t enforced unless overridden. This setting is saved in the registry.

You can enable, disable, and configure policies by following these steps:

  1. In the policy editor, open the Administrative Templates folder in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set.

  2. In the left pane, select the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.

  3. Double-tap or double-click a policy to display its related Properties dialog box.

    You can read a description of the policy in the Help pane. The description is available only if one is defined in the related template file.

  4. To set the policy’s state, select one of the following options:

    • Not Configured. The policy isn’t configured.

    • Enabled. The policy is enabled.

    • Disabled. The policy is disabled.

  5. If you enable the policy, set any additional parameters, and then tap or click OK.
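The three states in step 4 map directly onto what ends up in the GPO’s Registry.pol file, and the GroupPolicy module exposes the same three outcomes from PowerShell. The function below is an added example, not code from the book; it assumes the GroupPolicy RSAT module and a GPO named Secure Workstation GPO (a placeholder). It uses the Turn Off Autoplay setting as its sample policy: the registry key and value name (NoDriveTypeAutoRun under the Explorer policies key) and the value 255 for the All Drives option are taken from the AutoPlay template as I know it, so confirm them against the template in your environment before relying on them. Enabled writes the value, Disabled records a delete instruction so clients remove the value, and Not Configured removes the entry so the GPO is silent on it.

```powershell
# Added example (not from the book). Maps the editor's Not Configured / Enabled /
# Disabled states to the GroupPolicy cmdlets that produce the same Registry.pol entry.
Import-Module GroupPolicy

function Set-AdmxPolicyState {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Key,        # HKLM\... or HKCU\... policy key
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$State,
        [int]$EnabledValue = 1                     # value written for the Enabled state
    )

    switch ($State) {
        # Enabled: the value is written to Registry.pol and applied on refresh.
        'Enabled' {
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
                -Type DWord -Value $EnabledValue | Out-Null
        }
        # Disabled: a delete instruction is stored, so clients remove the value
        # instead of keeping whatever they already had.
        'Disabled' {
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Disable | Out-Null
        }
        # Not Configured: the entry is removed; lower-precedence GPOs or the
        # local default now decide.
        'NotConfigured' {
            Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
                -ErrorAction SilentlyContinue | Out-Null
        }
    }

    # Read back from the GPO itself (Registry.pol), not from any computer's live registry.
    Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -ErrorAction SilentlyContinue |
        Select-Object FullKeyPath, ValueName, Type, Value, PolicyState
}

# Sample use: Turn Off Autoplay for all drive types (255 = All Drives; verify against
# the AutoPlay template shipped with your Windows version).
$gpo = 'Secure Workstation GPO'   # placeholder GPO name
$key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

Set-AdmxPolicyState -GpoName $gpo -Key $key -ValueName 'NoDriveTypeAutoRun' -State Enabled -EnabledValue 255
Set-AdmxPolicyState -GpoName $gpo -Key $key -ValueName 'NoDriveTypeAutoRun' -State Disabled
Set-AdmxPolicyState -GpoName $gpo -Key $key -ValueName 'NoDriveTypeAutoRun' -State NotConfigured
```

The PolicyState column in the read-back output is the quick way to tell the three states apart when auditing a GPO: a stored value for Enabled, a delete marker for Disabled, and no entry at all for Not Configured.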

Note

Typically, computer policies have precedence in Windows Server. If there’s a conflict between a computer policy setting and a user policy setting, the computer policy is enforced.

Creating and linking GPOs

When you work with a policy object, creating an object and linking an object to a specific container within Active Directory are two different actions. You can create a GPO without linking it to any domain, site, or organizational unit. Then, as appropriate, you can link the GPO to a specific domain, site, or organizational unit. You can also create a GPO and link it automatically to a domain, site, or organizational unit. The technique you choose primarily depends on your personal preference and how you plan to work with the GPO. Keep in mind that when you create and link a GPO to a site, domain, or organizational unit, the GPO is applied to the user and computer objects in that site, domain, or organizational unit according to the Active Directory options governing inheritance, the precedence order of GPOs, and other settings.

You can create and then link a GPO to a site, domain, or organizational unit by following these steps:

  1. In the GPMC, expand the entry for the forest you want to work with, and then expand the related Domains node by double-tapping or double-clicking each node in turn.

  2. Press and hold or right-click Group Policy objects, and then tap or click New. In the New GPO dialog box, enter a descriptive name for the GPO, such as Secure Workstation GPO. If you want to use a starter GPO as the source for the initial settings, select the starter GPO to use in the Source Starter GPO list. When you tap or click OK, the new GPO is added to the Group Policy objects container.

  3. Press and hold or right-click the new GPO, and then tap or click Edit. In the policy editor, configure the necessary policy settings, and then close the policy editor.

  4. In the GPMC, select the site, domain, or organizational unit. Expand the site node you want to work with. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected container (if any).

  5. Press and hold or right-click the site, domain, or organizational unit to which you want to link the GPO, and then tap or click Link An Existing GPO. In the Select GPO dialog box, select the GPO you want to link with, and then tap or click OK. When Group Policy is refreshed for computers and users in the applicable site, domain, or organizational unit, the policy settings in the GPO are applied.

You can create and link a GPO as a single operation by following these steps:

  1. In the GPMC, press and hold or right-click the site, domain, or organizational unit for which you want to create and link the GPO, and then tap or click Create A GPO In This Domain, And Link It Here.

  2. In the New GPO dialog box, enter a descriptive name for the GPO, such as Secure Workstation GPO. If you want to use a starter GPO as the source for the initial settings, select the starter GPO to use in the Source Starter GPO list. When you tap or click OK, the new GPO is added to the Group Policy Objects container and linked to the previously selected site, domain, or organizational unit.

  3. Press and hold or right-click the new GPO, and then tap or click Edit. In the policy editor, configure the necessary policy settings, and then close the policy editor. When Group Policy is refreshed for computers and users in the applicable site, domain, or organizational unit, the policy settings in the GPO are applied.

Creating and using starter GPOs

When you create a GPO in the GPMC, you can base the GPO on a starter GPO. The settings for the starter GPO are then imported into the new GPO, which allows you to use a starter GPO to define the base configuration settings for a new GPO. In a large organization, you should create different categories of starter GPOs based on the users and computers they will be used with or on the required security configuration.

You can create a starter GPO by following these steps:

  1. In the GPMC, expand the entry for the forest you want to work with, and then double-tap or double-click the related Domains node to expand it.

  2. Press and hold or right-click Starter GPOs, and then tap or click New. In the New Starter GPO dialog box, enter a descriptive name for the GPO, such as General Management User GPO. You can also enter comments describing the GPO’s purpose. Tap or click OK.

  3. Press and hold or right-click the new GPO, and then tap or click Edit. In the policy editor, configure the necessary policy settings, and then close the policy editor.
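Both procedures for creating and linking a GPO, and the starter GPO procedure just given, have direct equivalents in the GroupPolicy module. The script below is an added example, not code from the book; it assumes the GroupPolicy RSAT module, a domain named example.local, an organizational unit at OU=Workstations,DC=example,DC=local, and the GPO names used in the text (all placeholders). It creates the starter GPO if it does not already exist, creates a new GPO from it with the link initially disabled so the scope can be reviewed, and then enables the link; the one-line form in the comment is the equivalent of Create A GPO In This Domain, And Link It Here.

```powershell
# Added example (not from the book). Starter GPO, new GPO based on it, and linking,
# done from PowerShell. Names, domain, and OU path are placeholders.
Import-Module GroupPolicy

$Domain      = 'example.local'
$StarterName = 'General Management User GPO'
$GpoName     = 'Secure Workstation GPO'
$TargetOu    = 'OU=Workstations,DC=example,DC=local'

# Create the starter GPO once; its settings are copied into every GPO based on it.
$starter = Get-GPStarterGPO -Name $StarterName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $starter) {
    $starter = New-GPStarterGPO -Name $StarterName -Domain $Domain `
        -Comment 'Baseline settings for user-facing GPOs'
}

# Create the GPO from the starter without linking it (the two-step procedure).
$gpo = New-GPO -Name $GpoName -StarterGpoName $StarterName -Domain $Domain

# Link it with the link disabled: nothing is applied yet, but the link is visible
# on the container's Linked Group Policy Objects tab for review.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No -Domain $Domain | Out-Null

# Single-operation equivalent of "Create A GPO In This Domain, And Link It Here":
# New-GPO -Name $GpoName -StarterGpoName $StarterName -Domain $Domain |
#     New-GPLink -Target $TargetOu -LinkEnabled Yes

# Review the link order at the OU, then enable the link. The GPO takes effect at
# the next Group Policy refresh of the computers and users under the OU.
(Get-GPInheritance -Target $TargetOu -Domain $Domain).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Domain $Domain | Out-Null
```

Staging the link as disabled first is a small habit that pays off: a mis-targeted link to a domain or a large organizational unit applies to everything under it at the next refresh, and a disabled link can be checked and corrected before that happens.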

Delegating privileges for Group Policy management

In Active Directory, all administrators have some level of privileges for performing Group Policy management tasks. Through delegation, other individuals can be granted permissions to perform any or all of the following tasks:

  • Create GPOs and manage the GPOs they create.

  • View settings, modify settings, delete a GPO, and modify security.

  • Manage links to existing GPOs or generate Resultant Set of Policy (RSoP).

In Active Directory, administrators can create GPOs, and anyone who has created a GPO has the right to manage that GPO. In the GPMC, you can determine who can create GPOs in a domain by selecting the Group Policy Objects node for that domain and then tapping or clicking the Delegation tab. On the Delegation tab is a list of groups and users that can create GPOs in the domain. To grant GPO creation permission to a user or group, tap or click Add. In the Select User, Computer, Or Group dialog box, select the user or group, and then tap or click OK.

In the GPMC, you have several ways to determine who has access permissions for Group Policy management. For domain, site, and organizational unit permissions, select the domain, site, or organizational unit you want to work with, and then tap or click the Delegation tab in the right pane, as shown in Figure 6-6. In the Permission list, select the permission you want to check. The options are as follows:

  • Link GPOs. Lists users and groups that can create and manage links to GPOs in the selected site, domain, or organizational unit

  • Perform Group Policy Modeling Analyses. Lists users and groups that can determine RSoP for the purposes of planning

  • Read Group Policy Results Data. Lists users and groups that can determine RSoP that is currently being applied, for the purposes of verification or logging

Screen shot of the Group Policy Management console, showing permissions for Group Policy management in the Delegation tab for the selected domain.
Figure 6-6. Review permissions for Group Policy management.

To grant domain, site, or organizational unit permissions, complete the following steps:

  1. In the GPMC, select the domain, site, or organizational unit you want to work with, and then tap or click the Delegation tab in the right pane.

  2. In the Permission list, select the permission you want to grant. The options are Link GPOs, Perform Group Policy Modeling Analyses, and Read Group Policy Results Data.

  3. Tap or click Add. In the Select User, Computer, Or Group dialog box, select the user or group, and then tap or click OK.

  4. In the Add Group Or User dialog box, specify how the permission should be applied. To apply the permission to the current container and all child containers, select This Container And All Child Containers. To apply the permission only to the current container, select This Container Only. Tap or click OK.

For individual GPO permissions, select the GPO you want to work with in the GPMC, and then tap or click the Delegation tab in the right pane. One or more of the following permissions are displayed for individual users and groups:

  • Read. Indicates that the user or group can view the GPO and its settings.

  • Edit Settings. Indicates that the user or group can view the GPO and change its settings. The user or group cannot delete the GPO or modify security.

  • Edit Settings, Delete, Modify Security. Indicates that the user or group can view the GPO and change its settings. The user or group can also delete the GPO and modify security.

To grant permissions for working with the GPO, complete the following steps:

  1. In the GPMC, select the GPO you want to work with, tap or click the Delegation tab in the right pane, and then tap or click Add.

  2. In the Select User, Computer, Or Group dialog box, select the user or group, and then tap or click OK.

  3. In the Add Group Or User dialog box, select the permission level, and then tap or click OK.
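The per-GPO permission levels listed above (Read; Edit Settings; Edit Settings, Delete, Modify Security) can be both reviewed and granted with the GroupPolicy module, which makes it practical to check every GPO in a domain rather than clicking through each Delegation tab. The script below is an added example, not code from the book; it assumes the GroupPolicy RSAT module, a placeholder domain example.local, and a placeholder group named GPO Editors. It lists every principal that holds an edit level on any GPO, flags those other than the built-in administrative groups and SYSTEM, and then shows how the Edit Settings level is delegated to a group.

```powershell
# Added example (not from the book). Audit which principals can edit or delete each
# GPO, then delegate the "Edit Settings" level to a group. Domain and group names
# are placeholders.
Import-Module GroupPolicy

$Domain = 'example.local'

function Get-GpoDelegationReport {
    param([Parameter(Mandatory)][string]$Domain)

    # Principals that hold full control on GPOs by default. Any other trustee with
    # an edit level is worth a second look during a review.
    $expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain) {
            $level = $perm.Permission.ToString()
            # GpoEdit = Edit Settings; GpoEditDeleteModifySecurity = the full level.
            if ($level -notin @('GpoEdit', 'GpoEditDeleteModifySecurity')) { continue }

            $isExpected = [bool]($expected | Where-Object { $perm.Trustee.Name -like "*$_" })
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $perm.Trustee.Name
                Level      = $level
                Unexpected = -not $isExpected
            }
        }
    }
}

# Edit rights held by anyone other than the expected administrative principals.
Get-GpoDelegationReport -Domain $Domain |
    Where-Object Unexpected |
    Sort-Object Gpo, Trustee |
    Format-Table -AutoSize

# Delegate "Edit Settings" (view and change settings, but not delete or modify
# security) on one GPO to a group; the equivalent of Add on the GPO's Delegation tab.
Set-GPPermission -Name 'Secure Workstation GPO' -TargetName 'GPO Editors' -TargetType Group `
    -PermissionLevel GpoEdit -DomainName $Domain | Out-Null
```

Because anyone who can edit a GPO linked to a domain or to the Domain Controllers container effectively controls every computer that processes it, the report is worth running as part of routine reviews and whenever the Delegation tab of a high-precedence GPO is changed.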

Blocking, overriding, and disabling policies

Inheritance ensures that every computer and user object in a domain, site, or organizational unit is affected by Group Policy. Most policies have three configuration options: Not Configured, Enabled, or Disabled. Not Configured is the default state for most policy settings. If a policy is enabled, the policy is enforced and is applied directly or through inheritance to all users and computers that are subject to the policy. If a policy is disabled, the policy is not enforced or applied.

You can change the way inheritance works in four key ways:

  • Change the link order and precedence.

  • Override inheritance (as long as there is no enforcement).

  • Block inheritance (to prevent inheritance completely).

  • Enforce inheritance (to supersede and prevent overriding or blocking).

For Group Policy, the order of inheritance goes from the site level to the domain level and then to each nested organizational unit level. Keep the following in mind:

  • When multiple policy objects are linked to a particular level, the link order determines the order in which policy settings are applied. Linked policy objects are always applied in link-ranking order. Lower-ranking policy objects are processed first, and then higher-ranking policy objects are processed. The policy object processed last has priority, so any policy settings configured in this policy object are final and override those of other policy objects (unless you use inheritance blocking or enforcing).

  • When multiple policy objects can be inherited from a higher level, the precedence order shows exactly how policy objects are being processed. As with link order, lower-ranking policy objects are processed before higher-ranking policy objects. The policy object processed last has precedence, so any policy settings configured in this policy object are final and override those of other policy objects (unless you use inheritance blocking or enforcing).

When multiple policy objects are linked at a specific level, you can change the link order (and thus the precedence order) of policy objects by following these steps:

  1. In the GPMC, select the container for the site, domain, or organizational unit with which you want to work.

  2. In the right pane, select the Linked Group Policy Objects tab (as shown in Figure 6-7). Tap or click the policy object you want to work with.

    Screen shot of the Group Policy Management console, showing the processing order and precedence of GPOs for the selected domain on the Linked Group Policy Objects tab.
    Figure 6-7. Change the link order to modify processing order and precedence.

  3. Tap or click the Move Link Up or Move Link Down buttons as appropriate to change the link order of the selected policy object.

  4. When you are finished changing the link order, confirm that policy objects are being processed in the expected order by checking the precedence order on the Group Policy Inheritance tab.

Overriding inheritance is a basic technique for changing the way inheritance works. When a policy is enabled in a higher-level policy object, you can override inheritance by disabling the policy in a lower-level policy object. When a policy is disabled in a higher-level policy object, you can override inheritance by enabling the policy in a lower-level policy object. As long as a policy is not blocked or enforced, this technique achieves the effects you want.

Sometimes you will want to block inheritance so that no policy settings from higher-level containers are applied to users and computers in a particular container. When inheritance is blocked, only configured policy settings from policy objects linked at that level are applied, and settings from all higher-level containers are blocked (as long as there is no policy enforcement).

Domain administrators can use inheritance blocking to block inherited policy settings from the site level. Organizational unit administrators can use inheritance blocking to block inherited policy settings from both the domain and the site level. By using blocking to ensure the autonomy of a domain or organizational unit, you can ensure that domain or organizational unit administrators have full control over the policies that apply to users and computers under their administration.

Using the GPMC, you can block inheritance by pressing and holding or right-clicking the domain or organizational unit that should not inherit settings from higher-level containers, and then selecting Block Inheritance. If Block Inheritance is already selected, selecting it again removes the setting. When you block inheritance in the GPMC, a blue circle with an exclamation point is added to the container’s node in the console tree. This notification icon provides a quick way to tell whether any domain or organizational unit has the Block Inheritance setting enabled.

To prevent administrators who have authority over a container from overriding or blocking inherited Group Policy settings, you can enforce inheritance. When inheritance is enforced, all configured policy settings from higher-level policy objects are inherited and applied regardless of the policy settings configured in lower-level policy objects. Thus, enforcement of inheritance is used to supersede the overriding and blocking of policy settings.

Forest administrators can use inheritance enforcement to ensure that configured policy settings from the site level are applied and to prevent the overriding or blocking of policy settings by domain and organizational unit administrators. Domain administrators can use inheritance enforcement to ensure that configured policy settings from the domain level are applied and to prevent the overriding or blocking of policy settings by organizational unit administrators.

Using the GPMC, you can enforce policy inheritance by expanding the top-level container from which to begin enforcement, pressing and holding or right-clicking the link to the GPO, and then tapping or clicking Enforced. For example, if you want to ensure that a domain-level GPO is inherited by all organizational units in the domain, expand the domain container, press and hold or right-click the domain-level GPO, and then tap or click Enforced. If Enforced is already selected, selecting it again removes the enforcement. In the GPMC, you can easily determine which policies are inherited and which policies are enforced. Simply select a policy object anywhere in the GPMC, and then view the related Scope tab in the right pane. If the policy is enforced, the Enforced column under Link Enabled will display Yes, as shown in Figure 6-8.

After you select a policy object, you can press and hold or right-click a location entry on the Scope tab to display a shortcut menu that allows you to manage linking and policy enforcement. Enable or disable links by selecting or clearing the Link Enabled option, respectively. Enable or disable enforcement by selecting or clearing the Enforced option.
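The link order, Block Inheritance, and Enforced operations described in this section can all be driven and, more usefully, verified from PowerShell. The script below is an added example, not code from the book; it assumes the GroupPolicy RSAT module, a placeholder domain example.local with an organizational unit at OU=Workstations,DC=example,DC=local, and two placeholder GPO names. It moves a GPO to link order 1 at the organizational unit, blocks inheritance there, enforces a domain-level GPO so that it still applies despite the block, and then prints the effective precedence from Get-GPInheritance, which is the same information the Group Policy Inheritance tab shows.

```powershell
# Added example (not from the book). Change link order, block inheritance, enforce a
# higher-level link, and verify the resulting precedence. All names are placeholders.
Import-Module GroupPolicy

$Domain   = 'example.local'
$DomainDn = 'DC=example,DC=local'
$Ou       = 'OU=Workstations,DC=example,DC=local'

# Link order 1 is processed last and therefore wins among the links at this container.
Set-GPLink -Name 'Secure Workstation GPO' -Target $Ou -Order 1 -Domain $Domain | Out-Null

# Block inheritance at the OU: site and domain GPOs no longer apply here, unless enforced.
Set-GPInheritance -Target $Ou -IsBlocked Yes -Domain $Domain | Out-Null

# Enforce a domain-level link: it is applied below regardless of blocking, and it
# overrides conflicting settings in lower-level GPOs.
Set-GPLink -Name 'Domain Security Baseline' -Target $DomainDn -Enforced Yes -Domain $Domain | Out-Null

function Show-GpoPrecedence {
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][string]$Domain)

    $inh = Get-GPInheritance -Target $Target -Domain $Domain
    "Container: $($inh.Path)   Inheritance blocked: $($inh.GpoInheritanceBlocked)"

    "Links at this container (link order):"
    $inh.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

    # InheritedGpoLinks is the effective precedence: local links, inherited links
    # (absent when blocked), and enforced links from above, which are listed first.
    "Effective precedence (Group Policy Inheritance tab):"
    $inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize
}

Show-GpoPrecedence -Target $Ou -Domain $Domain
```

After the block, the effective list for the organizational unit should contain only its own links plus the enforced domain GPO at the top; if a non-enforced domain or site GPO still appears, the block did not take effect where you expected.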

Screen shot of the Group Policy Management console, showing policy inheritance on the Scope tab.
Figure 6-8. Enforce policy inheritance to ensure that settings are applied.

Maintaining and troubleshooting Group Policy

Group Policy is a broad area of administration that requires careful management. Like any area of administration, Group Policy must also be carefully maintained to ensure proper operation, and you must diagnose and resolve any problems that occur. To troubleshoot Group Policy, you need a strong understanding of how policy is refreshed and processed. You also need a strong understanding of general maintenance and troubleshooting tasks.

Refreshing Group Policy

When you make changes to a policy, those changes are saved to the GPO immediately. However, they aren’t pushed out to clients; client computers request policies at the following times:

  • When the computer starts

  • When a user logs on

  • When an application or user requests a refresh

  • When a refresh interval is set for Group Policy and the interval has elapsed

Computer configuration settings are applied during startup of the operating system. User configuration settings are applied when a user logs on to a computer. Typically, if there is a conflict between computer and user settings, computer settings have priority and take precedence.

After policy settings are applied, the settings are refreshed automatically to ensure that they are current. The default refresh interval for domain controllers is 5 minutes. For all other computers, the default refresh interval is 90 minutes, with up to a 30-minute variation to avoid overloading the domain controller with numerous concurrent client requests. This means that an effective refresh window for nondomain-controller computers is 90 to 120 minutes.

During a Group Policy refresh, the client computer contacts an available domain controller in its local site. If one or more of the policy objects defined in the domain have changed, the domain controller provides a list of the policy objects that apply to the computer and to the user who is currently logged on, as appropriate. The domain controller does this regardless of whether the version numbers on all the listed policy objects have changed. By default, the computer processes the policy objects only if the version number of at least one of the policy objects has changed. If any one of the related policies has changed, all the policies have to be processed again because of inheritance and the interdependencies between policies.

Security settings are a notable exception to the processing rule. By default, these settings are refreshed every 16 hours (960 minutes) regardless of whether policy objects contain changes. A random offset of up to 30 minutes is added to reduce the impact on domain controllers and the network during updates (making the effective refresh window 960 to 990 minutes). Also, if the client computer detects that it is connecting over a slow network connection, it informs the domain controller, and only the security settings and administrative templates are transferred over the network. This means that by default, only the security settings and administrative templates are applied when a computer is connected over a slow link. You can configure the way slow-link detection works in Group Policy.

You must carefully balance the update frequency with the actual rate of policy change. If policy is changed infrequently, you might want to increase the refresh window to reduce resource usage. For example, you might want to use a refresh interval of 20 minutes on domain controllers and 180 minutes on other computers.

Configuring the refresh interval

You can change the Group Policy refresh interval on a per-policy object basis. To set the refresh interval for domain controllers, follow these steps:

  1. In the GPMC, press and hold or right-click the Group Policy object you want to modify, and then tap or click Edit. This GPO should be linked to a container that contains domain controller computer objects.

  2. In the Administrative Templates for Computer Configuration under System\Group Policy, double-tap or double-click the Set Group Policy Refresh Interval For Domain Controllers policy. This displays a Properties dialog box for the policy, shown in Figure 6-9.

  3. Define the policy by selecting Enabled. Set the base refresh interval in the first Minutes box. You usually want this value to be between 5 and 59 minutes.

  4. In the other Minutes box, set the minimum or maximum time variation for the refresh interval. The variation effectively creates a refresh window with the goal of avoiding overload resulting from numerous clients simultaneously requesting a Group Policy refresh. Tap or click OK.

Note

A faster refresh rate increases the likelihood that a computer has the most current policy configuration. A slower refresh rate reduces the frequency of policy refreshes, which can reduce overhead with regard to resource usage but also increase the likelihood that a computer won’t have the most current policy configuration.

Screen shot of the Set Group Policy Refresh Interval For Domain Controllers dialog box, with the policy set to enabled, and the refresh interval set to the default value of 5 minutes.
Figure 6-9. Configure the refresh interval for Group Policy.

To set the refresh interval for member servers and workstations, follow these steps:

  1. In the GPMC, press and hold or right-click the Group Policy object you want to modify, and then tap or click Edit. This GPO should be linked to a container that contains computer objects.

  2. In the Administrative Templates for Computer Configuration under System\Group Policy, double-tap or double-click the Set Group Policy Refresh Interval For Computers policy. This displays a dialog box similar to the one in Figure 6-9.

  3. Define the policy by selecting Enabled. In the first Minutes box, set the base refresh interval. You usually want this value to be between 60 and 240 minutes.

  4. In the other Minutes box, set the minimum or maximum time variation for the refresh interval. The variation effectively creates a refresh window with the goal of avoiding overload resulting from numerous clients simultaneously requesting a Group Policy refresh. Tap or click OK.

Real World

You want to be sure that updates don’t occur too frequently yet are timely enough to meet expectations or requirements. The more often a policy is refreshed, the more traffic is generated over the network. In a large installation, you typically want to set a refresh rate that is longer than the default to reduce network traffic, particularly if the policy affects hundreds of users or computers. In any installation where users complain about their computers periodically being sluggish, you also might want to increase the policy refresh interval. Consider that a once-a-day or once-a-week update might be all that it takes to keep policies current enough to meet your organization’s needs.

As an administrator, you might often need or want to refresh Group Policy manually. For example, you might not want to wait for Group Policy to be refreshed at the automatic interval, or you might be trying to resolve a problem with refreshes and want to force a Group Policy refresh. You can refresh Group Policy manually by using the Gpupdate command-line utility.

You can initiate a refresh in several ways. Entering gpupdate at a prompt or in the Everywhere search box refreshes settings in both Computer Configuration and User Configuration on the local computer. Only policy settings that have changed are processed and applied when you run Gpupdate. You can change this behavior by using the /force parameter to force a refresh of all policy settings.

You can refresh user and computer configuration settings separately. To refresh only computer configuration settings, enter gpupdate /target:computer at the command prompt. To refresh only user configuration settings, enter gpupdate /target:user at the command prompt.

You can also use Gpupdate to log off a user or restart a computer after Group Policy is refreshed. This is useful because some group policies are applied only when a user logs on or when a computer starts. To log off a user after a refresh, add the /Logoff parameter. To restart a computer after a refresh, add the /Boot parameter.

Modeling Group Policy for planning purposes

Modeling Group Policy for planning is useful when you want to test various implementation and configuration scenarios. For example, you might want to model the effect of loopback processing or slow-link detection. You can also model the effect of moving users or computers to another container in Active Directory, or the effect of changing security group membership for users and computers.

All domain and enterprise administrators have permission to model Group Policy for planning, as do those who have been delegated the Perform Group Policy Modeling Analyses permission. To model Group Policy and test various implementation and update scenarios, follow these steps:

  1. In the GPMC, press and hold or right-click the Group Policy Modeling node, select Group Policy Modeling Wizard, and then tap or click Next.

  2. On the Domain Controller Selection page, select the domain you want to model in the Show Domain Controllers In This Domain list. By default, you will simulate policy on any available domain controller in the selected domain. If you want to use a specific domain controller, select This Domain Controller, and then tap or click the domain controller to use. Tap or click Next.

  3. On the User And Computer Selection page, shown in Figure 6-10, you have the option of simulating policy based on containers or individual accounts. Use one of the following techniques to choose accounts, and then tap or click Next:

    • Use containers to simulate changes for entire organizational units or other containers. Under User Information, select Container, and then tap or click Browse to display the Choose User Container dialog box. Use the dialog box to choose any of the available user containers in the selected domain. Under Computer Information, select Container, tap or click Browse to display the Choose Computer Container dialog box, and then choose any of the available computer containers in the selected domain.

    • Select specific accounts to simulate changes for a specific user and computer. Under User Information, select User, tap or click Browse to display the Select User dialog box, and then specify a user account. Under Computer Information, select Computer, tap or click Browse to display the Select Computer dialog box, and then specify a computer account.

Screen shot of the User And Computer Selection page, where you can specify a container or account to use in the simulation.
Figure 6-10. Select containers or accounts to use in the simulation.

  4. On the Advanced Simulation Options page, select any advanced options for Slow Network Connections, Loopback Processing, and Site as necessary, and then tap or click Next.

  5. On the User Security Groups page, you can simulate changes to the security group membership of the applicable user or users. Any changes you make to group membership affect the previously selected user or user container. For example, to simulate what happens if a user in the designated user container is a member of the CorpManagers group, add this group to the Security Groups list. Tap or click Next.

  6. On the Computer Security Groups page, you can simulate changes to the applicable security group membership for a computer or computers. Any changes you make to group membership affect the previously selected computer or computer container. For example, to simulate what happens if a computer in the designated computer container is a member of the RemoteComputers group, add this group to the Security Groups list. Tap or click Next.

  7. You can link Windows Management Instrumentation (WMI) filters to Group Policy objects. By default, the selected users and computers are assumed to meet all the WMI filter requirements, which is what you want in most cases for planning purposes. Tap or click Next twice to accept the default options.

  8. Review the selections you made, and then tap or click Next. After the wizard gathers policy information, tap or click Finish. When the wizard finishes generating the report, the report is selected in the left pane and the results are displayed in the right pane.

  9. When you select the Details tab in the right pane as shown in Figure 6-11, you can determine the settings that would be applied by browsing the report. Computer policy information is listed under Computer Details. User policy information is listed under User Details.

Screen shot of the Group Policy Management console, showing the report of the modeling.
Figure 6-11. Review the report to determine the effects of modeling.

Copying, pasting, and importing policy objects

The GPMC features built-in copy, paste, and import operations. Using the copy and paste features is fairly straightforward. The Copy and Paste options are available when you press and hold or right-click a GPO in the GPMC. You can copy a policy object and all its settings in one domain and then browse to the domain into which you want to paste the copy of the policy object. The source and target domains can be any domains you can connect to in the GPMC and for which you have permission to manage related policy objects. In the source domain, you need Read permission to create a copy of a policy object. In the target domain, you need Write permission to write (paste) the copied policy object. Administrators have this privilege, as do those who have been delegated permission to create policy objects.

Copying policy objects between domains works well when you have connectivity between domains and the appropriate permissions. If you are an administrator at a remote office or have been delegated permissions, however, you might not have access to the source domain to create a copy of a policy object. In this case, another administrator can make a backup copy of a policy object for you and then send you the related data. When you receive the related data, you can import the backup copy of the policy object into your domain to create a policy object with the same settings.

Anyone with the Edit Settings Group Policy management privilege can perform an import operation. The import operation overwrites all the settings of the policy object you select. To import a backup copy of a policy object into a domain, follow these steps:

  1. In the GPMC, press and hold or right-click Group Policy Objects, and then tap or click New. In the New GPO dialog box, enter a descriptive name for the new GPO, and then tap or click OK.

  2. The new GPO is now listed in the Group Policy Objects container. Press and hold or right-click the new policy object, and then tap or click Import Settings. This starts the Import Settings Wizard.

  3. Tap or click Next twice to bypass the Backup GPO page. You don’t need to create a backup of the GPO at this time because it’s new.

  4. On the Backup Location page, tap or click Browse. In the Browse For Folder dialog box, select the folder containing the backup copy of the policy object you want to import, and then tap or click OK. Tap or click Next to continue.

  5. If multiple backups are stored in the designated backup folder, a list of them will be displayed on the Source GPO page. Tap or click the one you want to use, and then tap or click Next.

  6. The Import Settings Wizard scans the policy object for references to security principals and Universal Naming Convention (UNC) paths that might need to be migrated. If any are found, you are given the opportunity to create migration tables or use existing migration tables.

  7. Continue through the wizard by tapping or clicking Next, and then tap or click Finish to begin the import process. When importing is complete, tap or click OK.

Backing up and restoring policy objects

As part of your periodic administration tasks, you should back up GPOs to protect them. You can use the GPMC to back up individual policy objects in a domain or all policy objects in a domain by following these steps:

  1. In the GPMC, expand and then select the Group Policy Objects node. If you want to back up all policy objects in the domain, press and hold or right-click the Group Policy Objects node, and then tap or click Back Up All. If you want to back up a specific policy object in the domain, press and hold or right-click the policy object, and then select Back Up.

  2. In the Back Up Group Policy Object dialog box, tap or click Browse. In the Browse For Folder dialog box, set the location where the GPO backup should be stored.

  3. In the Description box, enter a description of the contents of the backup. Tap or click Back Up to start the backup process.

  4. The Backup dialog box shows the progress and status of the backup. Tap or click OK when the backup is complete. If a backup fails, check the permissions on the policy and the folder to which you are writing the backup. You need Read permission on a policy and Write permission on the backup folder to create a backup. By default, members of the Domain Admins and Enterprise Admins groups should have these permissions.

Using the GPMC, you can restore a policy object to the state it was in when it was backed up. The GPMC tracks the backup of each policy object separately, even if you back up all policy objects at one time. Because version information is also tracked according to the backup time stamp and description, you can restore the last version of each policy object or a particular version of any policy object.

You can restore a policy object by following these steps:

  1. In the GPMC, press and hold or right-click the Group Policy Objects node, and then tap or click Manage Backups. This displays the Manage Backups dialog box.

  2. In the Backup Location box, tap or click Browse. In the Browse For Folder dialog box, find the backup folder, and then tap or click OK.

  3. All policy object backups in the designated folder are listed under Backed Up GPOs. To show only the latest version of the policy objects according to the time stamp, select Show Only The Latest Version Of Each GPO.

  4. Select the GPO you want to restore. If you want to confirm its settings, tap or click View Settings, and then use Internet Explorer to verify that the settings are as expected. When you are ready to continue, tap or click Restore. Confirm that you want to restore the selected policy object by tapping or clicking OK.

  5. The Restore dialog box shows the progress and status of the restore operation. If a restore operation fails, check the permissions on the policy object and the folder from which you are reading the backup. To restore a GPO, you need Edit Settings, Delete, and Modify Security permissions on the policy object and Read permission on the folder containing the backup. By default, members of the Domain Admins and Enterprise Admins groups should have these permissions.
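The backup, restore, and import operations described in the previous two sections (Import Settings, Back Up All, Manage Backups) can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not code from the book: it backs up every GPO, verifies the count, stores a settings report beside each backup, then restores one GPO and imports another through a migration table. The share path, GPO names, and migration table file are placeholders.

```powershell
# Added example, not from the book. Assumptions: the GroupPolicy module (RSAT)
# is installed, $BackupRoot is a writable share (placeholder), and the GPO and
# migration table names are placeholders for your own.
Import-Module GroupPolicy

$BackupRoot = '\\FILESERVER\GPOBackups'            # placeholder path
$Stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$BackupPath = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Back up every GPO in the domain (the GPMC's Back Up All). Backup-GPO
#    returns one object per GPO, so the count can be checked against Get-GPO
#    to catch a partial backup caused by missing Read permission on a GPO.
$backups  = @(Backup-GPO -All -Path $BackupPath -Comment "Scheduled backup $Stamp")
$expected = @(Get-GPO -All).Count
if ($backups.Count -ne $expected) {
    throw "Backed up $($backups.Count) of $expected GPOs; check permissions on the GPOs and $BackupPath"
}

# 2. Store an HTML settings report beside each backup, so a reviewer can see
#    what a backup contains (the GPMC's View Settings) without restoring it.
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $BackupPath "$safeName.html")
}
"{0} GPOs backed up to {1}" -f $backups.Count, $BackupPath

# 3. Restore one GPO from the newest backup in this folder (Restore-GPO uses the
#    most recent backup when several exist for the same GPO). The existing GPO
#    keeps its GUID and links; the caller needs Edit Settings, Delete, and
#    Modify Security on the GPO and Read on the folder.
Restore-GPO -Name 'Workstation Security Baseline' -Path $BackupPath | Out-Null   # placeholder GPO

# 4. Import the same backup into a new GPO instead (the Import Settings Wizard),
#    remapping security principals and UNC paths with a migration table.
Import-GPO -BackupGpoName 'Workstation Security Baseline' -Path $BackupPath `
           -TargetName 'Workstation Security Baseline (imported)' -CreateIfNeeded `
           -MigrationTable (Join-Path $BackupRoot 'cpandl.migtable') | Out-Null   # placeholder table
```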

Determining current Group Policy settings and refresh status

You can use Group Policy modeling for logging Resultant Set of Policy (RSoP). When you use Group Policy modeling in this way, you can review all the policy objects that apply to a computer and the last time the applicable policy objects were processed (refreshed). All domain and enterprise administrators have permission to model Group Policy for logging, as do those who have been delegated the permission Read Group Policy Results Data. In the GPMC, you can model Group Policy for the purpose of logging RSoP by pressing and holding or right-clicking the Group Policy Results node, and then clicking Group Policy Results Wizard. When the Group Policy Results Wizard starts, follow the prompts.

Disabling an unused part of Group Policy

Another way to disable a policy is to disable an unused part of the GPO. When you do this, you block computer configuration or user configuration settings, or both, and don’t allow them to be applied. When you disable part of a policy that isn’t used, the application of GPOs will be faster.

You can enable and disable policies partially or entirely by following these steps:

  1. In the GPMC, select the container for the site, domain, or organizational unit with which you want to work.

  2. Select the policy object you want to work with, and then tap or click the Details tab in the right pane.

  3. Choose one of the following status settings from the GPO Status list, and then tap or click OK when prompted to confirm that you want to change the status of this GPO:

    • All Settings Disabled. Disallows processing of the policy object and all its settings.

    • Computer Configuration Settings Disabled. Disables processing of computer configuration settings. This means that only user configuration settings are processed.

    • Enabled. Allows processing of the policy object and all its settings.

    • User Configuration Settings Disabled. Disables processing of user configuration settings. This means that only computer configuration settings are processed.

Changing policy processing preferences

In Group Policy, computer configuration settings are processed when a computer starts and accesses the network. User configuration settings are processed when a user logs on to the network. In the event of a conflict between settings in Computer Configuration and User Configuration, the computer configuration settings win. It is also important to remember that computer settings are applied from the computer’s GPOs, and user settings are applied from the user’s GPOs.

In some special situations, you might not want this behavior. On a shared computer, you might want the user settings to be applied from the computer’s GPOs, but you might also want to allow user settings from the user’s GPOs to be applied. In a secure lab or kiosk environment, you might want the user settings to be applied from the computer’s GPOs to ensure compliance with strict security rules or guidelines for the lab. By using loopback processing, you can allow for these types of exceptions and obtain user settings from a computer’s GPOs.

To change the way loopback processing works, follow these steps:

  1. In the GPMC, press and hold or right-click the Group Policy object you want to modify, and then tap or click Edit.

  2. In the Administrative Templates for Computer Configuration under System\Group Policy, double-tap or double-click the Configure User Group Policy Loopback Processing Mode policy. This displays a Properties dialog box for the policy.

  3. Define the policy by selecting Enabled, selecting one of the following processing modes from the Mode list, and then tapping or clicking OK:

    • Replace. Select the Replace option to ensure that user settings from the computer’s GPOs are processed and that user settings in the user’s GPOs are not processed. This means that the user settings from the computer’s GPOs replace the user settings normally applied to the user.

    • Merge. Select the Merge option to ensure that the user settings in the computer’s GPOs are processed first, then user settings in the user’s GPOs, and then user settings in the computer’s GPOs again. This processing technique serves to combine the user settings in both the computer’s and the user’s GPOs. In the event of a conflict, the user settings in the computer’s GPOs take precedence and overwrite the user settings in the user’s GPOs.

Slow-link detection is used by Group Policy clients to detect increased latency and reduced responsiveness on the network and to take corrective action to reduce the likelihood that processing of Group Policy will further saturate the network. After a slow link is detected, Group Policy clients reduce their network communications and requests, thereby reducing the overall network traffic load by limiting the amount of policy processing they do.

By default, if the connection speed is determined to be less than 500 kilobits per second (which could also be interpreted as high latency/reduced responsiveness on a fast network), the client computer interprets this as a slow network connection and notifies the domain controller. As a result, only security settings and administrative templates in the applicable policy objects are sent by the domain controller during a policy refresh.

You can configure slow-link detection by using the Configure Group Policy Slow Link Detection policy, which is stored in the Administrative Templates for Computer Configuration under System\Group Policy. If you disable this policy or do not configure it, clients use the default value of 500 kilobits per second to determine whether they are on a slow link. If you enable this policy, you can set a specific slow-link value, such as 384 kilobits per second. You also can specify that 3G connections should always be treated as slow links. Alternatively, if you want to disable slow-link detection completely, set the Connection Speed option to 0. This setting effectively tells clients not to detect slow links and to consider all links to be fast.
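The refresh interval policies described under "Configuring the refresh interval" and the slow-link threshold described here can be set in a GPO from PowerShell with Set-GPRegistryValue and verified with Get-GPRegistryValue. The following is an added example, not code from the book. The registry value names are the ones I understand the GroupPolicy administrative template writes for these policies (an assumption to check against the GPO's settings report), and the GPO name is a placeholder.

```powershell
# Added example, not from the book. Assumptions: the GroupPolicy module (RSAT)
# is installed, the GPO named below exists, and the registry value names are
# those written by the "Set Group Policy refresh interval ..." and
# "Configure Group Policy slow link detection" policies.
Import-Module GroupPolicy

$GpoName   = 'Member Server Policy Processing'   # placeholder GPO name
$PolicyKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-GpRefreshInterval {
    param(
        [Parameter(Mandatory)][string]$Gpo,
        [Parameter(Mandatory)][int]$Minutes,
        [int]$OffsetMinutes = 30,
        [switch]$DomainController   # writes the ...DC values used by the DC policy
    )
    # The policy accepts 0-64800 minutes, but 0 means "refresh continuously",
    # which floods domain controllers; refuse it rather than let a typo through.
    if ($Minutes -lt 1 -or $Minutes -gt 64800) {
        throw "Minutes must be 1-64800; 0 would make clients refresh continuously."
    }
    if ($OffsetMinutes -lt 0 -or $OffsetMinutes -gt 1440) {
        throw "OffsetMinutes must be 0-1440."
    }
    # Warn when the value is outside the ranges the chapter recommends.
    $range = if ($DomainController) { 5, 59 } else { 60, 240 }
    if ($Minutes -lt $range[0] -or $Minutes -gt $range[1]) {
        Write-Warning "$Minutes min is outside the usual $($range[0])-$($range[1]) min range for this target."
    }
    $suffix = if ($DomainController) { 'DC' } else { '' }
    Set-GPRegistryValue -Name $Gpo -Key $PolicyKey -Type DWord `
        -ValueName "GroupPolicyRefreshTime$suffix" -Value $Minutes | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $PolicyKey -Type DWord `
        -ValueName "GroupPolicyRefreshTimeOffset$suffix" -Value $OffsetMinutes | Out-Null
}

function Set-GpSlowLinkThreshold {
    param(
        [Parameter(Mandatory)][string]$Gpo,
        [int]$Kbps = 500,              # the default the chapter describes
        [switch]$DisableDetection      # explicit opt-in for the 0 setting
    )
    # 0 turns detection off: every link is treated as fast, so scripts, software
    # installation and folder redirection are processed even over a slow WAN.
    if ($Kbps -eq 0 -and -not $DisableDetection) {
        throw "Use -DisableDetection to set 0; it treats every link as fast."
    }
    Set-GPRegistryValue -Name $Gpo -Key $PolicyKey -Type DWord `
        -ValueName 'GroupPolicyMinTransferRate' -Value $Kbps | Out-Null
}

# Apply the chapter's sample values: 180 minutes for member servers, 384 Kbps slow link.
Set-GpRefreshInterval   -Gpo $GpoName -Minutes 180 -OffsetMinutes 30
Set-GpSlowLinkThreshold -Gpo $GpoName -Kbps 384

# Read the values back from the GPO so the change can be verified and recorded.
foreach ($v in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset', 'GroupPolicyMinTransferRate') {
    $entry = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $v
    '{0,-30} = {1}' -f $v, $entry.Value
}
```

Clients pick up the new values at their next refresh, so a gpupdate on a test machine followed by a check of the chapter's Gpresult output confirms the change before it reaches the whole domain.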

Real World

Microsoft refers to connections on cellular and broadband as costed networks. Several policies are designed to help specify how networking should be used with mobile devices on costed networks. You can:

  • Control offline file synchronization on costed networks by using the Enable File Synchronization On Costed Networks policy found under Computer Configuration\Administrative Templates\Network\Offline Files.

  • Control background transfers on costed networks by using the Set Default Download Behavior For BITS Jobs On Costed Networks policy found under Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Services (BITS).

  • Specify that costed broadband networks have fixed, variable, or unrestricted usage charges by using the Set Cost policy found under Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Media Cost.

  • Specify that costed cellular networks have fixed, variable, or unrestricted usage charges by using the Set 3G Cost and Set 4G Cost policies found under Computer Configuration\Administrative Templates\Network\WWAN Service\WWAN Media Cost.

You can optimize slow-link detection for various areas of Group Policy processing as necessary. By default, policy areas that are not processed when a slow link is detected include the following:

  • Disk Quota Policy Processing

  • EFS Recovery Policy Processing

  • Folder Redirection Policy Processing

  • Scripts Policy Processing

  • Software Installation Policy Processing

Security Policy Processing is always enabled automatically for slow links. By default, security policy is refreshed every 16 hours even if security policy has not changed. The only way to stop the forced refresh is to configure security policy processing so that it is not applied during periodic background refreshes. To do this, select the policy setting Do Not Apply During Periodic Background Processing. However, because security policy is so important, the Do Not Apply setting means only that security policy processing is stopped while a user is logged on and using the computer. One of the few reasons to stop security policy refreshes is that applications fail during refresh operations.

You can configure slow-link detection and related policy processing by following these steps:

  1. In the GPMC, press and hold or right-click the policy object you want to modify, and then tap or click Edit.

  2. In the Administrative Templates for Computer Configuration under System\Group Policy, double-tap or double-click the Configure Group Policy Slow Link Detection policy.

  3. Select Enabled to define the policy, as shown in Figure 6-12. In the Connection Speed box, specify the speed that should be used to determine whether a computer is on a slow link. You also can specify that WWAN connections should always be treated as slow links. Tap or click OK.

Screen shot of the Configure Group Policy Slow Link Detection dialog box, with the connection speed set to 500 Kbps and the Always Treat WWAN Connections As A Slow Link check box selected.
Figure 6-12. Configure slow-link detection.

To configure slow-link and background policy processing of key areas of Group Policy, follow these steps:

  1. In the GPMC, press and hold or right-click the policy object you want to modify, and then tap or click Edit.

  2. Expand Computer Configuration\Administrative Templates\System\Group Policy.

  3. Double-tap or double-click the processing policy you want to configure. Click Enabled to define the policy, as shown in Figure 6-13, and then make your configuration selections. The options differ slightly depending on the policy selected and might include the following:

    • Allow Processing Across A Slow Network Connection. Ensures that the related policy settings are processed even on a slow network

    • Do Not Apply During Periodic Background Processing. Overrides refresh settings when related policies change after startup or logon

    • Process Even If The Group Policy Objects Have Not Changed. Forces the client computer to process the related policy settings during a refresh even if the settings haven’t changed

Screen shot of the Configure Disk Quota Policy Processing dialog box, with the policy set to Enabled.
Figure 6-13. Configure policy processing for slow links.

  4. Tap or click OK to save your settings.

In the GPMC, you can stop using a linked GPO in two ways:

  • Remove a link to a GPO but not the GPO itself.

  • Permanently delete the GPO and all links to it.

Removing a link to a GPO stops a site, domain, or organizational unit from using the related policy settings but does not delete the GPO. Because of this, the GPO remains linked to other sites, domains, or organizational units as appropriate. In the GPMC, you can remove a link to a GPO by pressing and holding or right-clicking the GPO link in the container that it is linked to, and then clicking Delete. When prompted to confirm that you want to remove the link, tap or click OK. If you remove all links to the GPO from sites, domains, and organizational units, the GPO continues to exist in the Group Policy Objects container, but its policy settings have no effect in your organization.

Permanently deleting a GPO removes the GPO and all links to it. The GPO will not exist in the Group Policy Objects container and will not be linked to any sites, domains, or organizational units. The only way to recover a deleted GPO is to restore it from a backup (if one is available). In the GPMC, you can remove a GPO and all links to the object from the Group Policy Objects node. Press and hold or right-click the GPO, and then select Delete. When prompted to confirm that you want to remove the GPO and all links to it, tap or click Yes.

Troubleshooting Group Policy

When you are trying to determine why policy is not being applied as expected, one of the first things you should do is examine the Resultant Set of Policy for the user and computer experiencing problems with policy settings. You can determine the GPO that a setting is applied from by following these steps:

  1. In the GPMC, press and hold or right-click the Group Policy Results node, and then tap or click Group Policy Results Wizard. When the wizard starts, tap or click Next.

  2. On the Computer Selection page, select This Computer to view information for the local computer. To view information for a remote computer, select Another Computer, and then tap or click Browse. In the Select Computer dialog box, enter the name of the computer, and then tap or click Check Names. After you select the correct computer account, tap or click OK, and then tap or click Next.

  3. On the User Selection page, select the user whose policy information you want to view. You can view policy information for any user who has logged on to the previously selected computer. Tap or click Next.

  4. Review the selections you made, and then tap or click Next. After the wizard gathers policy information, tap or click Finish. When the wizard finishes generating the report, the report is selected in the left pane, and the results are displayed in the right pane.

  5. To determine the settings that are being applied, browse through the report. Computer and user policy information is listed separately. Computer policy information is listed under Computer Configuration Summary. User policy information is listed under User Configuration Summary.

Using the Gpresult command-line utility, you can also view RSoP. Gpresult provides details about the following:

  • Special settings applied for folder redirection, software installation, disk quota, IPsec, and scripts

  • The last time Group Policy was applied

  • The domain controller from which policy was applied, and the security group memberships for the computer and user

  • The complete list of GPOs that were applied, and the complete list of GPOs that were not applied because of filters

Gpresult has the following basic syntax:

gpresult /s ComputerName /user DomainUserName

Here ComputerName is the name of the computer you want to log policy results for, and DomainUserName indicates the user you want to log policy results for. For example, to view the RSoP for CorpPC85 and the user Tedg in the Cpandl domain, you would enter the following command:

gpresult /s corppc85 /user cpandl\tedg

You can view more detailed output by using one of the two verbose options. The /v parameter turns on verbose output, and results are displayed only for policy settings in effect. The /z parameter turns on verbose output with settings for policy settings in effect and all other GPOs that have the policy set. Because Gpresult output can be fairly long, you should create an HTML report by using the /h parameter, or an XML report by using the /x parameter. The following examples use these parameters:

gpresult /s corppc85 /user cpandl\tedg /h gpreport.html
gpresult /s corppc85 /user cpandl\tedg /x gpreport.xml
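The XML report is the easiest form to process when you need to see at a glance which GPOs were applied and which were denied by security or WMI filtering. The following is an added example, not code from the book: it runs gpresult /x and parses the report. The element names it reads (GPO, Name, Enabled, IsValid, AccessDenied, FilterAllowed, Link/SOMPath) follow the RSoP report schema as I know it and are an assumption to check against your own gpreport.xml.

```powershell
# Added example, not from the book. Runs gpresult /x for a computer and user and
# classifies each GPO in the report. Assumption: element names follow the RSoP
# XML schema in the http://www.microsoft.com/GroupPolicy/Rsop namespace.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$User         = "$env:USERDOMAIN\$env:USERNAME",
    [string]$ReportPath   = (Join-Path $env:TEMP 'gpreport.xml')
)

# 1. Generate the XML report; /f overwrites an earlier report at the same path.
& gpresult.exe /s $ComputerName /user $User /x $ReportPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

# 2. Load the report. Every element is in the Rsop namespace, so the XPath
#    queries below need a namespace manager.
[xml]$rsop = Get-Content -Path $ReportPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

function Get-GpoStatus {
    # Returns why a GPO in the report did or did not apply, checking the
    # conditions in the order the Group Policy engine evaluates them.
    param([System.Xml.XmlElement]$Gpo)
    if ($Gpo.Enabled -ne 'true')        { return 'Not applied: GPO disabled' }
    if ($Gpo.IsValid -ne 'true')        { return 'Not applied: GPO inaccessible or corrupt' }
    if ($Gpo.AccessDenied -eq 'true')   { return 'Not applied: security filtering denied' }
    if ($Gpo.FilterAllowed -eq 'false') { return 'Not applied: WMI filter excluded' }
    $links = @($Gpo.SelectNodes('r:Link', $ns))
    if ($links.Count -gt 0 -and -not ($links | Where-Object { $_.Enabled -eq 'true' })) {
        return 'Not applied: all links disabled'
    }
    return 'Applied'
}

# 3. Walk both scopes and produce one row per GPO.
$rows = foreach ($scope in 'ComputerResults', 'UserResults') {
    foreach ($gpo in $rsop.SelectNodes("//r:$scope/r:GPO", $ns)) {
        [pscustomobject]@{
            Scope    = $scope -replace 'Results$'
            Name     = $gpo.SelectSingleNode('r:Name', $ns).InnerText
            LinkedAt = (@($gpo.SelectNodes('r:Link/r:SOMPath', $ns)) |
                        ForEach-Object { $_.InnerText }) -join '; '
            Status   = Get-GpoStatus -Gpo $gpo
        }
    }
}

$rows | Sort-Object Scope, Status, Name | Format-Table -AutoSize

# Anything other than 'Applied' is where troubleshooting starts: a security
# filtering denial usually means the user or computer is not in the group
# the GPO is filtered to, which is what the wizard's report shows under
# Denied GPOs.
$rows | Where-Object Status -ne 'Applied'
```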

Fixing default Group Policy objects

The Default Domain Policy and Default Domain Controller Policy GPOs are vital to the health of Active Directory Domain Services. If for some reason these policies become corrupted, Group Policy will not function properly. To resolve this, you must use the GPMC to restore a backup of these GPOs. If you are in a disaster-recovery scenario and do not have any backups of the Default Domain Policy or the Default Domain Controller Policy, you can use Dcgpofix to restore the security settings in these policies. The state that Dcgpofix restores these objects to depends on how you modified security and on the security state of the domain controller before you ran Dcgpofix. You must be a member of Domain Admins or Enterprise Admins to run Dcgpofix.

When you run Dcgpofix, both the Default Domain Policy and Default Domain Controller Policy GPOs are restored by default, and you lose any base changes made to these GPOs. Some policy settings are maintained separately and are not lost, including Windows Deployment Services (Windows DS), Security Settings, and Encrypting File System (EFS). Nondefault Security Settings are not maintained, however, which means that other policy changes could also be lost. All other policy settings are restored to their previous values, and any changes you’ve made are lost.

To run Dcgpofix, log on to a domain controller in the domain in which you want to fix default Group Policy, and then enter dcgpofix at an elevated prompt. Dcgpofix checks the Active Directory schema version number to ensure compatibility between the version of Dcgpofix you are using and the Active Directory schema configuration. If the versions are not compatible, Dcgpofix exits without fixing the default Group Policy objects. By specifying the /ignoreschema parameter, you can enable Dcgpofix to work with different versions of Active Directory. However, default policy objects might not be restored to their original state. Because of this, you should always be sure to use the version of Dcgpofix that is installed with the current operating system.

You also have the option of fixing only the Default Domain Policy or only the Default Domain Controller Policy GPO. If you want to fix only the Default Domain Policy, enter dcgpofix /target:domain. If you want to fix only the Default Domain Controller Policy, enter dcgpofix /target:dc.
