CHAPTER 7

                                       DESIGNING GROUP POLICY

 

 

Chapter Scenario:  World Wide Importers

You need to design a Group Policy deployment for the installation of application software that enforces specific restrictions of the Microsoft Windows 2000 desktop settings.

 

Tasks to Perform:

Design a Group Policy deployment for the installation of application software that enforces specific restrictions of the Microsoft Windows 2000 desktop settings.

Each site is assigned its own addresses, and the site information for each computer will be determined by its IP address.

Regional offices will be assigned a subnet of the site's IP address range to ensure that they connect to a Domain Controller at the nearest Regional Office.  WWI wants to use Group Policy to assign Microsoft Office to all full-time employees.  Licenses for the software are limited, so the Office software must be available only on the Accounting Department computers.

The Engineering Department has its own requirements for account policies, so it must have a separate GPO to address them.  The Engineering Department needs to have Office automatically installed on the desktop computer of every user, including full-time and contingent staff.

 

Lesson 1:  Planning Deployment of Group Policy

When designing Group Policy for an organization, consider the default inheritance model to ensure that you take full advantage of Group Policy inheritance.

 

 

Group Policy Overview

Group Policy allows centralized control of user and computer configuration settings.  Rather than applying security settings at each computer in an organization, Group Policy uses Active Directory to centralize management and standardize security settings.

 

 

 

Planning Group Policy Inheritance

Inheritance simplifies Group Policy administration by allowing administrators to apply widespread policy settings only to higher-level OUs.  You can apply Group Policy at different levels within Active Directory by defining Group Policy objects that are linked to sites, domains, or OUs.

 

 

======================================================================

 

winsec7.html                                                   PAGE 2                                                       2002/04/24

 

 

 

If you define Group Policy using the default inheritance model, Group Policies are applied in this order:

  •   Local Group Policies.  Local Group Policies are applied first, so centralized Group Policy settings always take precedence, since they are applied later.
  •   Site Group Policies.  Shouldn't be defined.  If you define a site Group Policy, the Windows 2000 client must connect to the DC where the site Group Policy was defined in order to download the Group Policy.
  •   Domain Group Policy.  Standard settings that apply to all computers in the domain.
  •   OU Group Policies.  The effective range of OU Group Policies is greater when you apply them higher up the OU structure.
  •   Sub-OU Group Policies.  Sub-OU Group Policies are applied last.

In general, the lower in the OU structure, the more specific the Group Policy settings will be, as the Group Policy settings will affect a smaller number of user or computer objects.

 

 

Assessing Group Policy Application

  •   Disable unused portions of Group Policy.  If the Group Policy object defines only computer settings, disable the user portion of Group Policy to ensure that the user settings aren't processed.
  •   Minimize the levels at which you apply Group Policy.  The more Group Policies that you apply to a user or computer, the slower the logon process will be.
  •   Avoid cross-domain Group Policy object assignments.  If the policy is created in a different domain, the user or computer must contact the DC from the domain containing the Group Policy object.  If the domain is accessible only over a slow WAN link, logon performance suffers.

 

 

Block Policy Inheritance

You can block a policy from the higher-level Group Policies.  For example, a policy that enables the auditing of directory service access at a parent OU may not be desired for computers located in an OU under the parent OU.

 

 

 


Use the Block Policy Inheritance attribute sparingly because it complicates the troubleshooting of Group Policy application problems.

 

Configuring No Override

Sometimes an administrator doesn't want administrators of lower-level OUs to be able to block critical Group Policy settings.  For example, if a standard has been developed that all computers in the domain must enable success and failure auditing for account logon events, an administrator could enable the No Override attribute on the Group Policy object so that lower-level OUs can't block inheritance.

When you apply the No Override attribute, lower-level Group Policy objects can't override higher-level Group Policy settings.  When you configure No Override Group Policies, include only those settings that you specifically wish to prevent Block Policy Inheritance from affecting.

A recommended best practice is to create a separate Group Policy object containing only those settings that you wish to apply to all objects within the container structure.

 

 

Making the Decision

Use the decision matrix shown to assist in designing Group Policy application for your organization.

 *** See page 220 ***

 

 

Applying the Decision

This is how you can apply it to WWI:

  •   Create separate Group Policy objects for the engineering.wideworldimporters.tld and wideworldimporters.tld domains.  You will have better performance for logons if they are not linked across domains.
  •   Apply the Group Policy that assigns Office to all employees at the wideworldimporters.tld domain and the engineering.wideworldimporters.tld domain.
  •   Remove the computer component of the Office installation Group Policy object.
  •   Apply the Group Policy object to assign the accounting software at the OU=Computers, OU=Account, OU=cityname, DC=Wideworldimporters, DC=tld containers (where cityname is the name of the city represented by the OU).
  •   Remove the user component of the accounting software installation Group Policy object.

 

 

 

 


The above ensures that all required computers or users have the necessary software that Group Policy applies.  Also, you do not have to implement the No Override or Block Policy Inheritance settings.

 

 

Filtering Group Policies by Using Security Groups

Group Policy isn't applied to security groups.  Instead, Group Policy is based on the location of objects within the Active Directory hierarchy.  By default, Group Policies apply to all users and computers within a site, domain, or OU.

NOTE:  If you want to apply a Group Policy to a user or computer, that user or computer must belong to a security group that has both the Read permission and the Apply Group Policy permission.

A common misconception is that the security group must be located in the OU where the Group Policy is applied.  In fact, the security group can exist anywhere in the Active Directory structure.

 

 

Another Use for Group Policy Filtering

How can you prevent OU administrators from implementing the Block Policy Inheritance attribute?

 *** See the diagrams on pages 222 and 223 ***

 

 

Designing Group Policy Filtering

=====================================================================
To                                          Incorporate the following into your Design Plan
=====================================================================
Ensure that a Group Policy is applied       Assign both the Read and Apply Group Policy
to a security group                         permissions to the security group.

Prevent an OU administrator from            Don't assign the OU administrator the Write
blocking inheritance                        permission for the Group Policy object.

                                            Apply the Group Policy object at the parent OU and
                                            filter the Group Policy object so that it's applied
                                            only to the computers or users in the child OU.

Prevent application of a Group Policy       Create a security group with those users or
object to a specific group of users         computers as members.
or computers
                                            Assign the security group the Deny permission for
                                            Apply Group Policy.  This security assignment
                                            prevents the Group Policy object from being applied
                                            to the security group.
=====================================================================

 

 


 

Applying the Decision

You can meet the requirement to install Office software only on the desktop computers of full-time employees by using Group Policy filtering.  Include the following procedures in your Group Policy deployment plan:

  •   Create two custom domain local groups named FullTimeGP and ContingentGP.  Assign Read and Apply Group Policy permissions to these domain local groups.
  •   Create two custom global groups named FullTimeEmployees and ContingentStaff that contain all full-time staff and all contingent staff.
  •   Configure the security for the Office Group Policy so that only the FullTimeGP domain local group has Read and Apply Group Policy permissions.  This ensures that only the full-time staff have the Office software assigned by using Group Policy.

 

 

Lesson Summary:

Your Group Policy design allows for the default Group Policy object inheritance model.  The default behavior changes only when you apply the Block Policy Inheritance or No Override attributes.

 

 

 


Lesson 2:  Troubleshooting Group Policy

Sometimes the application of Group Policy doesn't occur as expected.  For example, the Group Policy object might apply unexpected restrictions to a computer or user.

 

 

Assessing Group Policy Troubleshooting

One common reason that Group Policy application doesn't always work as expected is that there has been a misapplication of the Block Policy Inheritance or No Override attributes to Group Policy objects that affect the user or computer.

  •   Inspect the Active Directory hierarchy.
  •   Inspect applied Group Policies by using Gpresult.  The Gpresult utility from the Microsoft Windows 2000 Server Resource Kit shows which Group Policies were applied to the computer or user.

 

 

Using Gpresult

The Gpresult utility shows which Group Policy objects were applied to a user or a computer.  The Gpresult utility uses the following parameters:

Gpresult /v  /s  /c  /u  /?

/V  Verbose mode
/S  Super verbose mode
/C  Displays only the Group Policy objects applied to the computer.
/U  Displays only the Group Policy objects applied to the user.

 

 

@echo off
rem Write this user's Group Policy results to a file named after the user
gpresult > C:\lab\gpresult\%username%.gpr

Create the above in Notepad and save it as Gp.bat in the SYSVOL folder, where it is shared.  The Everyone group must have more than Read on the folder that receives the results; it needs Modify, because each user has to create their own file there.  The above command will place the results of the user's policies into the C:\lab\gpresult folder, in a file named after the user.

Using >> instead of > makes each successive logon append to the created file rather than overwrite it.

 

 

Making the Decision  ** See the chart on page 227 **

 

 

Applying the Decision

As a member of the Accounting Department, Don Funk should have the accounting software assigned to his computer and should have had Office assigned to his user account.

 

 

 


Assuming that Don is now a member of the Accounting Department in Toronto, perform the following tasks:

  •   Verify the location of Don's user account in Active Directory.  Determine where Group Policies may exist that could affect Don's user account for application of Group Policy.
  •   Run Gpresult to determine all user Group Policies that were applied to Don's user account at logon.
  •   Determine if filtering is affecting the Group Policy application.  The Office Group Policy object is applied only to full-time employees in the wideworldimporters.tld domain.

 

 

Lesson Summary:

  •   When Group Policy application doesn't take place as expected, you must have a methodology for determining the reason.
  •   Using the Gpresult utility and inspecting the Active Directory hierarchy allows you to determine where Group Policy objects have been applied to a user or computer.

 

 

***** DO THE EXERCISES PAGE 229-238 ****