CHAPTER 7
DESIGNING GROUP POLICY
Chapter Scenario:
World Wide Importers
You need to design a Group Policy deployment for the installation of application software that
enforces specific restrictions on the Microsoft Windows 2000 desktop settings.
Tasks to Perform:
Design a Group Policy deployment for the installation of application software that enforces
specific restrictions on the Microsoft Windows 2000 desktop settings.
Each site is assigned its own addresses, and the site information for each computer will be
determined by its IP address.
Regional offices will be assigned a subnet of the site's IP address range to ensure that they
connect to a Domain Controller at the nearest Regional Office. WWI wants to use Group Policy to
assign Microsoft Office to all full-time employees. Licenses for the software are limited, so the
Office software must be available only on the Accounting Department computers.
The Engineering Department has its own requirements for account policies, so it must have a
separate GPO to address them. The Engineering Department needs to have Office automatically
installed on the desktop computer of all users, including full-time and contingent staff.
Lesson 1:
Planning Deployment of Group Policy
When designing Group Policy for an organization, consider the default inheritance model
to ensure that you take full advantage of Group Policy inheritance.
Group Policy Overview
Group Policy allows centralized control of user and computer configuration settings. Rather
than applying security settings at each computer in an organization, Group Policy uses Active
Directory to centralize management and standardize security settings.
Planning Group Policy Inheritance
Inheritance simplifies Group Policy administration by allowing administrators to apply widespread
policy settings only to higher-level OUs. You can apply Group Policy at different levels within
Active Directory by defining Group Policy objects that are linked to sites, domains, or OUs.
======================================================================
winsec7.html PAGE
2 2002/04/24
If you define Group Policy using the default inheritance model, Group Policies are applied in this
order:
1. Local Group Policies. Local Group Policies are applied first, so centralized Group Policy
   settings always take precedence, since they are applied later.
2. Site Group Policies. These shouldn't be defined: if you define a site Group Policy, the
   Windows 2000 client must connect to the DC where the site Group Policy was defined in
   order to download the Group Policy.
3. Domain Group Policy. Standard settings that apply to all computers in the domain.
4. OU Group Policies. The effective range of OU Group Policies is greater when you apply
   them higher up the OU structure.
5. Sub-OU Group Policies. You apply Sub-OU Group Policies last.
In general, the lower in the OU structure, the more specific the Group Policy settings will be, as
the Group Policy settings will affect a smaller number of user or computer objects.
Assessing Group Policy Application
Disable unused portions of Group Policy. If the Group Policy object defines only computer settings,
disable the user portion of Group Policy to ensure that the user settings aren’t processed.
Minimize the levels at which you apply Group Policy. The more Group Policies that you apply to a
user or computer, the slower the logon process will be.
Avoid cross-domain Group Policy object assignments. If the policy is created in a different domain,
the user or computer must contact the DC from the Domain containing the Group Policy object. If
the domain is accessible only over a slow WAN link, logon performance suffers.
Block Policy Inheritance
You can block a policy from the higher-level group policies. For example, a policy that enables the
auditing of directory service access to a parent OU may not be desired for computers located in an
OU under the parent OU.
Use the Block Policy Inheritance attribute sparingly because it complicates the troubleshooting of
Group Policy application problems.
Configuring NO Override
Sometimes an administrator doesn’t want administrators of lower-level OUs to be able to block
critical Group Policy settings. For example, if a standard has been developed that all computers in
the domain must enable success and failure auditing for account logon events, an administrator could
enable the No Override attribute on the Group Policy object so that lower-level OUs can’t block
inheritance.
When you apply the No Override attribute, lower-level Group Policy objects can't override
higher-level Group Policy settings. When you configure No Override Group Policies, include
only those settings that you specifically wish to prevent Block Policy Inheritance from affecting.
A recommended best practice is to create a separate Group Policy object containing only those
settings that you wish to apply to all objects within the container structure.
Making the Decision
Use the decision matrix shown to assist in designing Group Policy application for your
organization.
*** See page 220 ***
Applying the Decision
This is how you can apply it to the WWI:
wideworldimporters.tld domain. You will have better performance for logons if they are
not linked.
domain and the engineering.wideworldimporters.ltd domain.
cityname is the name of the city represented by the OU).
Remove the user component of the accounting software installation Group Policy object.
The above ensures that all required computers and users receive the necessary software through
Group Policy. Also, you do not have to implement the No Override or Block Policy
Inheritance settings.
Filtering Group Policies by Using Security Groups
Group Policy isn’t applied to security groups. Instead, Group Policy is based on the location
of objects within the Active Directory hierarchy. By default, Group Policies apply to all users
and computers within a site, domain or OU.
NOTE: If you want to apply a Group Policy to a user or computer, that user or computer must
belong to a security group that has both the Read permission and the Apply Group Policy
permission.
A common misconception is that the security group must be located in the OU where the
Group Policy is applied. In fact, the security group can exist anywhere in the Active Directory
structure.
Another Use for Group Policy Filtering
How can you prevent OU administrators from implementing the Block Policy Inheritance attribute?
*** See the diagrams on pages 222 and 223 ***
Designing Group Policy Filtering
=====================================================================
To                                     | Incorporate the following into your Design Plan
=====================================================================
Ensure that a Group Policy is applied  | Assign both the Read and Apply Group Policy
to a security group                    | permissions to the security group.
---------------------------------------------------------------------
Prevent an OU administrator from       | Don't assign the OU administrator the Write
blocking inheritance                   | permission for the Group Policy object.
                                       | Apply the Group Policy object at the parent OU
                                       | and filter the Group Policy object so that it's
                                       | applied to only the computers or users in the
                                       | child OU.
---------------------------------------------------------------------
Prevent application of a Group Policy  | Create a security group with those users or
object to a specific group of users    | computers as members.
or computers                           | Assign the security group the Deny permission
                                       | for Apply Group Policy. This security assignment
                                       | prevents the Group Policy object from being
                                       | applied to the security group.
=====================================================================
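To make the inheritance order, Block Policy Inheritance, No Override and security-group filtering rules above concrete, here is an added Python model of how the resultant set of policy for a user is worked out. It is not part of the original notes or a Microsoft tool; the GPO names, settings and groups are a constructed WWI-style scenario, and a user is assumed to hold Read whenever Apply Group Policy is granted.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                   # setting -> value written by this GPO
    no_override: bool = False        # No Override set on the GPO link
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: set = field(default_factory=set)  # Deny "Apply Group Policy"

@dataclass
class Container:
    name: str
    gpos: list                       # linked GPOs, in link order
    block_inheritance: bool = False  # Block Policy Inheritance set here

def gpo_applies_to(gpo, groups):
    """Read + Apply Group Policy is required; an explicit Deny always wins."""
    return not (gpo.apply_deny & groups) and bool(gpo.apply_allow & groups)

def resultant_policy(path, groups):
    """path: containers from the domain down to the object's own OU.
    Returns the names of the GPOs applied, in order, and the effective settings."""
    applied = []
    for depth, container in enumerate(path):
        # Block Policy Inheritance on any lower container discards the GPOs
        # linked here, unless a link is marked No Override.
        blocked = any(c.block_inheritance for c in path[depth + 1:])
        for gpo in container.gpos:
            if blocked and not gpo.no_override:
                continue
            if gpo_applies_to(gpo, groups):
                applied.append(gpo)
    effective = {}
    for gpo in applied:              # later (lower) GPOs overwrite earlier ones
        effective.update(gpo.settings)
    return [g.name for g in applied], effective

# Constructed WWI-style scenario; GPO names and settings are illustrative only.
domain_audit = GPO("Domain Audit", {"audit_logon": "success,failure"}, no_override=True)
domain_desktop = GPO("Domain Desktop", {"hide_run": True})
office_full_time = GPO("Office (full-time)", {"office_assigned": True},
                       apply_allow={"Full-Time Staff"}, apply_deny={"Contingent Staff"})
eng_accounts = GPO("Engineering Accounts", {"hide_run": False, "min_pwd_len": 12})
DOMAIN = Container("wideworldimporters.ltd", [domain_audit, domain_desktop])
ACCOUNTING = Container("OU=Accounting", [office_full_time])
ENGINEERING = Container("OU=Engineering", [eng_accounts], block_inheritance=True)

def rsop(ou, *groups):
    """Resultant policy for a user in `ou` who belongs to `groups`."""
    return resultant_policy([DOMAIN, ou], {"Authenticated Users", *groups})
```

A full-time accountant receives the domain GPOs plus Office, a contingent accountant is filtered out of the Office GPO by the Deny, and a user in the blocked Engineering OU still receives the No Override audit GPO but not the ordinary domain desktop GPO.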
Applying the Decision
You can meet the requirements to install Office software only on the desktop computers of full-time
employees by using Group Policy filtering. Include the following procedures in your Group Policy
deployment plan:
Apply Group Policy permissions to these domain local groups.
full-time staff and all contingent staff.
has Read and Apply Group Policy permissions. This ensures that only the full-time staff has the
Office software assigned by using Group Policy.
Lesson Summary:
Your Group Policy design allows for the default Group Policy object inheritance model.
The default behavior changes only when you apply the Block Policy Inheritance or No Override
attributes.
Lesson 2:
Troubleshooting Group Policy
Sometimes the application of Group Policy doesn’t occur as expected. For example, the Group
Policy object might apply unexpected restrictions to a computer or user.
Assessing Group Policy Troubleshooting
One common reason that Group Policy application doesn’t always work as expected is that
there’s been a misapplication of the Block Policy Inheritance or No Override attributes to
Group Policy objects that affect the user or computer.
Inspect the Active Directory hierarchy.
Inspect applied Group Policies by using Gpresult. The Gpresult utility from the Microsoft
Windows 2000 Server Resource Kit shows which Group Policies were applied to the
computer or user.
Using Gpresult
The Gpresult utility shows which Group Policy objects were applied to a user or a computer.
The Gpresult utility uses the following parameters:
gpresult [/v] [/s] [/c] [/u] [/?]
/V  Verbose mode
/S  Super verbose mode
/C  Displays only the Group Policy objects applied to the computer.
/U  Displays only the Group Policy objects applied to the user.
@echo off
REM Write this user's Group Policy results to a file named after the user
gpresult > C:\lab\gpresult\%username%.gpr
Create the above in Notepad and save it as Gp.bat in the SYSVOL folder, where it is shared.
The Everyone group needs more than Read permission on the output folder; it needs Modify,
because each user must be able to create the file. The command places the results of the
user's policies into the C:\lab\gpresult folder in a file named after the user.
Using >> instead of > makes each successive logon append to the created file.
Making the Decision
** See the chart page 227 **
Applying the Decision
As a member of the Accounting Department, Don Funk should have the accounting software
assigned to his computer and should have had Office assigned to his user account.
Assuming that Don is now a member of the Accounting
department in
following tasks:
may exist that could affect Don’s user account for application of Group Policy.
at logon.
object is applied only to full-time employees in the wideworldimporters.ltd domain.
Lesson Summary:
methodology for determining the reason.
determine where Group Policy objects have been applied to a user or computer.
***** DO THE EXERCISES PAGE 229-238 *****