
This guide introduces the concepts that drive GPOs, as well as essential knowledge for implementing them for your organization. Key concepts such as precedence, inheritance, and permissions are covered in-depth. You will also be introduced to controlling software and security for every computer in the enterprise using GPOs.

IT Influencer Series

Implementing Group Policy Objects

2004

Your in-depth guide to understanding GPOs and how to implement them in your organization.

Contents

Introduction
Group Policy Fundamentals
GPO and Active Directory Design Considerations
Controlling GPO Inheritance
Default GPOs and Their Shortcuts
Group Policy User and Computer Configurations
The Final Word

Implementing Group Policy Objects
by Derek Melber

About the Author: Derek Melber runs and operates http://www.auditingwindows.com, the first dedicated Web site for Windows Auditing and Security. There you will find the only books on Auditing Windows. Derek is a contributing editor for Redmond Magazine, as well as providing columns for some of the most distributed Internal Auditor newsletters and journals on the market. This is his first in a series of three GPO books he's writing for MCPMag.com. You can reach Derek at derekm@braincore.net.

Published July 2004

Published by MCPMag.com, a 101communications LLC publication
16261 Laguna Canyon Rd, Suite 130, Irvine, Calif., 92618
http://MCPMag.com

Publisher: Henry Allain
Editor: Dian Schaffhauser
Production: Becky Nagel
Marketing Manager: Michele Imgrund
Senior Web Developer: Rita Zurcher

Copyright (c) 2004 101communications LLC. All rights reserved. Except as permitted by law, this publication may not be reproduced or redistributed in any means in part or whole without the express written permission of 101communications.

Table of Contents
Introduction ... 7
Group Policy Fundamentals ... 8
  What Is a GPO? ... 8
  What Does a GPO Do? ... 8
  What Can a GPO Do? ... 9
  The GPO v. System Policy ... 11
    System Policy ... 11
    Group Policy Objects ... 12
    What's Unique to a GPO ... 13
  Where a GPO Can Reside ... 14
    GPO Link ... 15
  What a GPO Affects ... 17
  Basic GPO Functions ... 19
    Creating a New GPO ... 20
    Linking an Existing GPO ... 22
  GPO Precedence ... 24
    LSDOU ... 24
    GPOs within Site, Domain or OU ... 26
    Appending and Conflicting Settings ... 27
    Resultant Set of Policies ... 30
  GPO Application ... 32

2004 101communications LLC http://mcpmag.com

    GPOs vs. System Policy Application ... 32
    More on Active Directory Replication ... 33
    GPO Application to Computer Accounts ... 34
      Computer Account: Automatic Refresh ... 36
      Computer Account: Restarting Computer ... 36
      Computer Account: Manual Method ... 37
    GPO Application to User Accounts ... 38
      User Account: Automatic Refresh ... 40
      User Account: Logging Off and Back On ... 40
      User Account: Manual Method ... 41
  GPO Fundamentals Summary ... 42
GPO and Active Directory Design Considerations ... 44
  Common OU Designs for GPOs ... 45
  Where To Link the GPO ... 47
    GPOs Linked to Sites ... 47
    GPOs Linked to the Domain ... 48
    GPOs Linked to OUs ... 49
Controlling GPO Inheritance ... 50
  Block Policy Inheritance ... 51
  No Override ... 54
  GPO Permission Filtering ... 57
  GPO WMI Filtering ... 60


Default GPOs and Their Shortcuts ... 63
  Default GPOs ... 63
    Default Domain Policy ... 63
    Default Domain Controller Policy ... 65
  Account Policies Break the Rule ... 67
    Account Policies at the Domain Level ... 68
    Account Policies at the OU Level ... 68
  GPO Shortcuts ... 69
    ADUC ... 69
    Default <Domain/Domain Controller> Security Policy ... 70
    Local Security Policy ... 71
    Microsoft Management Console ... 74
    Gpedit.msc ... 76
Group Policy User and Computer Configurations ... 77
  Computer Configuration ... 77
    Software Settings ... 78
    Windows Settings ... 79
      Scripts (Startup/Shutdown) ... 80
      Security Settings ... 81
        Account Policies ... 81
        Local Policies ... 81
        Event Log ... 83


        Restricted Groups ... 83
        System Services ... 85
        Registry ... 86
        File System ... 87
        Wireless Network (IEEE 802.11) Policies ... 87
        Public Key Policies ... 88
        Software Restriction Policies ... 88
        IP Security Policies on Active Directory ... 90
    Administrative Templates ... 91
      Windows Components ... 92
      System ... 93
      Network ... 95
      Printers ... 96
  User Configuration ... 96
    Software Settings ... 96
    Windows Settings ... 97
      Remote Installation Services ... 97
      Scripts (Logon/Logoff) ... 98
      Security Settings ... 98
        Public Key Policies ... 98
        Software Restriction Policies ... 98
      Folder Redirection ... 98


      Internet Explorer Maintenance ... 100
    Administrative Templates ... 101
      Windows Components ... 101
      Start Menu and Taskbar ... 102
      Desktop ... 103
      Control Panel ... 103
      Shared Folders ... 103
      Network ... 104
      System ... 104
The Final Word ... 105


Introduction

As you get started with Group Policy (and Group Policy Objects or GPOs), you'll soon find out that while there is quite a bit of documentation available on the topic, much of it is hard to read or incorrect, missing key facts, or hit and miss with its information. After spending the past four and a half years working with GPOs and the previous five years to that with Windows NT System Policies, I have developed a methodical approach to thinking about, designing, implementing and troubleshooting GPOs. In this digital report I cover the basics. In the next volume, I'll crank it up a notch and address more advanced topics. In the third volume, I'll provide insights about how to troubleshoot Group Policies. I'm glad you're coming along for the ride!

There is no debate that GPOs are a vital aspect of any Windows Active Directory enterprise and network. This digital report discusses the essential aspects of GPOs to give you understanding and confidence to implement them in your Active Directory environment. The book has four sections. First, you need to get a good solid foundation of GPOs, which will be covered in the opening section, Group Policy Fundamentals. We then expand on how to control different aspects of GPOs, especially the inheritance of GPOs within Active Directory. You get these details in Controlling GPO Inheritance. Then, we move on to discuss the fact that there are plenty of default settings, GPOs, and access points built into the interface and domain. We go over what each shortcut and setting controls, so you know what you're getting out of the box. We cover this in Default GPOs and their Shortcuts. The final section, Key Group Policy Configurations, gives you insight into some of the more complex, yet important, configurations within a GPO.


Group Policy Fundamentals

What Is a GPO?

A GPO is a group of settings. The name "Group Policy Object" is somewhat confusing, if you attempt to use the words in the term to try to figure out what it does. Some call a GPO a "group of policy settings" or a "group of policies." This more closely represents what it actually is. The word "object" on the end of the term isn't all that confusing, until you try to figure out how an object in Active Directory can configure other objects in Active Directory.

I like to think of a GPO as a set of rules that configure "like" computers or users. An example would be that all computers in the human resources (HR) department have the same security settings. The optimal way to implement the same security settings on these HR department computers is to use a GPO.

Another aspect of a GPO that is important to understand is that it is meant to automate the settings of a computer. Most of the settings that control the desktop, security and applications within a GPO can be done manually. It is just that the GPO does all of this work automatically for the administrator. Some settings like service access control lists (ACLs) and detailed IP Security configurations are harder to configure manually, so the GPO is just about the only method for configuring these settings.

What Does a GPO Do?

The settings within a GPO control a variety of different areas within a computer. As you investigate the structure of a GPO, you can clearly see the different areas that it affects. Some settings update the Registry, some configure files on the target computer, some modify operating system variables, and other settings control protected areas of the operating system.

All of the different areas of a GPO will modify the target computer settings automatically. These settings from the GPO are initially applied to the computer when the computer is started and when the user logs on. The benefit to this strategy is to have the settings in place before any activity occurs, so that the environment can be established and secured before the user starts to work.

From the user's standpoint, they don't see much of anything going on. The logon screens show that things are happening, but it is really just a waiting period for the users. When users receive their desktops, all of the settings have been applied based on the rules the administrator configured in the GPOs.

What Can a GPO Do?

It might be easier to ask the question, "What can't a GPO do?" A GPO can configure many different aspects of a computer or user environment. Each area is broken down into categories in the GPO interface. This allows you to configure each setting logically, independently and effectively. The following is the list of areas that are controlled by a GPO:

- Application management. Deploy, manage, update, control, and remove software applications on individual computers, or for specific users within the domain. GPOs can either use MSI or ZAP packages to deploy software. This can be configured for both a User and Computer object.

- Disk Quotas. These control how much data a user can store on a volume located on a server. Although this setting can't control the detailed configurations on the volume, it does control whether or not disk quotas can be used. Disk quotas are configured for Computer objects only.


- EFS Recovery. Encrypting File System (EFS) provides the ability for users to encrypt data stored on servers. After encryption, only a narrow set of users can access the data. By default it's only the user that performed the encryption. To recover from a problem with this limited access, the EFS Recovery agent can decrypt the data. EFS Recovery agents are configured for Computer objects only.

- Folder Redirection. This provides an outlet for administrators to redirect folders typically stored on the local computer of a user. The redirection is to a central server, so the data can be secured and backed up regularly. There are a limited number of folders that can be redirected: the Application Data from the user's profile, the Desktop, My Documents, and the Start Menu. Folder redirection is only available for User objects.

- Internet Explorer Settings. IE has numerous settings that need to be configured for secure and efficient Internet access. This includes Security Zones, Proxy Server settings, URL Favorites, etc. All of these settings and more can be completed via GPOs. Both Computer and User objects have IE policy settings.

- IP Security. This encrypts data that is sent over the network, from the source to the target. The IP Security settings provide detailed control over how the security will be implemented. IP Security settings are only available for Computer objects.

- Registry Settings (Administrative Templates). Almost every Registry setting can be controlled through GPOs. This spans Internet Explorer, Desktop settings, Start Menu, and more. The default Administrative Templates configure a broad range of settings, but can also be customized to meet almost any setting. Both Computer and User objects can be controlled with Administrative Template settings.


- Scripts. There are four different types of scripts through GPOs. Startup and Shutdown scripts are associated with a computer being turned on or off. Logon and Logoff scripts are associated with a user logging on or off the domain. Almost any task can be performed through a script, including establishing network printers, mapping network drives and scheduling tasks.

- Security. Security in a GPO spans authentication, network access, logon, secure communication and more. There are settings for both Computer and User objects, but the majority of the security-based settings are for the Computer objects.

As you can see, there are numerous areas that a GPO can affect. All in all, there are almost a thousand GPO settings throughout these areas. Combine that with the almost endless customization options that apply to any GPO and you can see that GPOs are extremely powerful, plus highly complicated.

The GPO v. System Policy

If you're coming from a Windows NT domain, it is important to understand the differences between the old-style System Policy and the new GPOs in Windows Active Directory. The changes seem subtle, but in reality they're quite different.

System Policy

To start off, let's review quickly what an "old world" System Policy consists of:

- There is only one System Policy per domain.
- The System Policy was at the domain level, affecting all objects in the domain by default.
- The System Policy is stored in the NETLOGON share on the domain controllers.
- The System Policy is named ntconfig.pol.
- The System Policy can affect user, computer and group accounts.
- The System Policy can be customized with ADM templates.
- System Policies are only applied at startup for computers and logon for users.
- All System Policy settings "tattoo" the Registry.
- The only settings that were included in a System Policy were for the Registry.
- To edit a System Policy, you would run the POLEDIT.EXE command.

Group Policy Objects

In comparison, GPOs have the following characteristics:

- There can be numerous GPOs.
- GPOs can be applied at the Site, Domain and OU levels with Active Directory. There is also a GPO at the local level for all computers that run Windows 2000 or higher.
- GPOs are stored in both SYSVOL and Active Directory.
- A GPO is stored as a complex array of files and folders.
- GPOs can only affect user and computer accounts.
- GPOs can be customized with ADM templates, security templates and modifications to the security settings with a default GPO.
- GPOs are applied to computers at startup and users at logon. Also, both portions of the GPO are applied at a periodic refresh interval, as well as they can be applied by running a command on the target computer.
- Most of the GPO settings don't "tattoo" the Registry.
- GPOs provide settings that modify the Registry, system variables, software installation and operating system settings.
- To edit a GPO, you run the GPEDIT.MSC or Microsoft Management Console.

What's Unique to a GPO

This is just a quick comparison of the overlapping areas that a System Policy and GPO have in common. However, there are many other areas that are unique to a GPO, which need to be configured in almost every environment to specify security and other settings on the computers in the environment. These special GPO settings include:

- Account Policies. Account Policies include Password, Account Lockout and Kerberos. These settings were moved to GPOs in Active Directory, whereas in Windows NT they were configured using the User Manager for Domains tool.

- User Rights. User rights control what a user can do on a computer. Many times user rights control servers. These settings were moved to GPOs in Active Directory, where in Windows NT they were configured using the User Manager for Domains tool.

- Audit Policy. Auditing provides tracking of security-related events within the operating system. Auditing can be done on logons, account management, use of user rights and more. These settings were moved to GPOs in Active Directory, whereas in Windows NT they were configured using the User Manager for Domains tool.

- Internet Explorer. There is almost nothing you can't control, configure and lock down in IE using GPOs. Although these settings were not part of the standard System Policy, they were an extension of the System Policy if you used the Internet Explorer Administration Kit (IEAK).

- Security. Many of the security-related Registry modifications that were used in Windows NT domains were moved to GPOs. These settings now allow the control of network access, local access, authentication, and more to all computers in the Active Directory domain.

Other settings unique to a GPO aren't even available in NT. Settings like Software Installation, IP Security, Certificates, Encrypting File System, and Remote Installation Services provide even more flexibility and capabilities to a GPO, whereas the System Policy was not capable of supporting such settings.

Where a GPO Can Reside

One of the basics of understanding GPOs is to grasp where they can reside within the enterprise. Because there can be more than one GPO, keeping track of them can be a full-time job, unless you fully understand where they can be located. The term "reside" is really not the ideal choice of wording, but it is better than the actual term of "linking."


GPO Link

The concept of a GPO link is rather simple, but difficult to comprehend because it is hard to "see" the links. Remember, a GPO is a group of settings. This group of settings is stored in the GPO structure. The GPO does not do anything by itself; it must be targeted to other objects before it can make any changes. So, in order for a GPO to target user and computer accounts, it must be linked to the objects that contain the user and computer accounts. In Active Directory, objects that contain user and computer accounts include sites, domains and organizational units (OUs).

Note: Granted, sites really don't contain user and computer accounts, but considering the hierarchy of Active Directory, sites do contain these objects. In the same light, domains typically don't contain user and computer objects directly; rather, user and computer objects are located in OUs, which are all under the domain level.

Here are some things to consider when working with GPOs and links:

- A GPO can exist without having any links. This will result in a GPO that has no effect on any object in Active Directory.
- A GPO can exist and have numerous links. However, there is still only one GPO in this case.

You might think about the GPOs themselves as living in a central location. The location is separate from any other objects in Active Directory. Then, when a GPO needs to affect user or computer accounts, it is linked to the OU where those accounts reside. If more user and computer accounts need to be affected by the GPO, a different link is created to another OU. This matrix of links is created to control what objects the GPOs affect.

To see a listing of where GPOs are linked to, you can go to the following path:

1. Open Active Directory Users and Computers.
2. Right-click on the Domain Controllers OU (you could pick another OU or the domain to get the same results) and select Properties from the menu.
3. Select the Group Policy tab in the Domain Controllers Properties window.
4. Click the Add button.
5. Select the All tab in the Add a Group Policy Object Link window.
6. Right-click on the GPO that you want to see the links for and select Properties from the menu.
7. Select the Links tab in the <GPO name> Properties window.
8. Click the Find Now button to show all of the links to the domain objects, as shown in Figure 1, below.

Figure 1. You can see a listing of all of the links to a GPO from the Links tab on the Properties sheet of the GPO.

A key item to remember with regard to GPOs and links is that if you go to a link and edit the GPO from that location, you're really editing the GPO. This includes ACL settings and policy settings. For example, if you had a GPO linked to both the Sales OU and the Managers OU, you'd go to the Sales OU and see the GPO listed under the Group Policy tab on the Sales OU Properties sheet. If you selected the GPO and then selected Edit, you would be editing the GPO, not the link. Any changes made to the GPO here would be reflected in the GPO that is also linked to the Managers OU.

What a GPO Affects

Like many other aspects of the Microsoft environment, the naming of GPOs can be confusing. The name implies something to do with a "Group." Yet, actually, GPOs have little to do with groups at all. There are only two objects that a GPO can apply to: user accounts and computer accounts. Group Policy objects don't apply to groups! You can see this in the interface of the GPO Editor. When you open up the GPO Editor, you see two major sections: Computer Configuration and User Configuration, as shown in Figure 2, below. If you burn a mental picture of this into your memory, it will go a long way to understanding, implementing and troubleshooting GPOs.

Figure 2. In the GPO Editor it's clear that GPOs will only affect Computer and User accounts. There is no mention of group accounts within the GPO Editor.

Now that it is 100 percent clear and obvious that GPOs affect user and computer accounts only, we need to take our understanding one step further. The next concept is the fact that GPOs only affect objects that are in their path. What do I mean by "path"? Here "path" refers to objects that inherit the GPO, down through the Active Directory structure. Let's look at an example. Assume there are two OUs, named Sales and Marketing, directly below the domain level. All of the user accounts are located in the default Users container and all of the computer accounts are located in the default Computers container. If a GPO that removes the Run Command from the Start Menu is linked to the Sales OU, which objects will be affected? The answer is none. This example illustrates that if no object is in the path of the GPO, then no object is affected.

If we take the example one step further and link the GPO to the domain level instead of the Sales OU level, we have a completely different scenario. If this is the new structure, which objects would be affected? The answer here is that all of the user objects are affected. The reason is that all user objects are in the domain. They are all located in the Users container under the domain. Why did I not indicate the Computer objects were affected? The reason is that the Run Command is a User Configuration, not a Computer Configuration, as Figure 3 illustrates.

Figure 3. GPO settings fall under either computer accounts or user accounts.
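The Sales/Marketing "path" scenario above and the "one GPO, many links" rule from the GPO Link section, worked through as an added Python model that is not part of the original report. The domain name, OU names and account names are constructed; the toy tree has no sites, no Block Policy Inheritance and no filtering, so a link at or above a container is the only thing that puts accounts in a GPO's path.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass(eq=False)  # eq=False: containers compare by identity, like directory objects
class Container:
    """A domain, default container or OU in the constructed directory tree."""
    name: str
    parent: Optional["Container"] = None
    users: Set[str] = field(default_factory=set)
    computers: Set[str] = field(default_factory=set)
    children: List["Container"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def path(self) -> List["Container"]:
        """This container and everything above it: a GPO link must sit somewhere on this chain."""
        chain: List["Container"] = []
        node: Optional["Container"] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

    def walk(self) -> Iterator["Container"]:
        yield self
        for child in self.children:
            yield from child.walk()


@dataclass(eq=False)
class GPO:
    """One group of settings. links holds references, so every link points at the same GPO."""
    name: str
    user_settings: Dict[str, str] = field(default_factory=dict)
    computer_settings: Dict[str, str] = field(default_factory=dict)
    links: List[Container] = field(default_factory=list)


def affected_accounts(gpo: GPO, root: Container) -> Tuple[Set[str], Set[str]]:
    """Accounts the GPO reaches: those in a container with a link at or above it,
    split by which half of the GPO (User / Computer Configuration) holds settings."""
    users: Set[str] = set()
    computers: Set[str] = set()
    for container in root.walk():
        if not any(node in gpo.links for node in container.path()):
            continue  # no link anywhere in this container's path
        if gpo.user_settings:
            users |= container.users
        if gpo.computer_settings:
            computers |= container.computers
    return users, computers


def build_directory() -> Tuple[Container, Dict[str, Container]]:
    """Constructed tree from the text: Sales and Marketing OUs directly under the
    domain; every account in the default Users and Computers containers."""
    domain = Container("corp.example")  # placeholder domain name
    by_name = {
        "Users": Container("Users", domain, users={"alice", "bob"}),
        "Computers": Container("Computers", domain, computers={"hr-pc1", "sales-pc1"}),
        "Sales": Container("Sales", domain),
        "Marketing": Container("Marketing", domain),
    }
    return domain, by_name


def remove_run_gpo() -> GPO:
    # "Remove Run from Start Menu" is a User Configuration setting, so computer_settings stays empty
    return GPO("Remove Run", user_settings={"NoRun": "1"})


def linked_to_sales() -> Tuple[Set[str], Set[str]]:
    domain, ou = build_directory()
    gpo = remove_run_gpo()
    gpo.links.append(ou["Sales"])
    return affected_accounts(gpo, domain)  # nothing sits under Sales, so nothing is affected


def linked_to_domain() -> Tuple[Set[str], Set[str]]:
    domain, _ = build_directory()
    gpo = remove_run_gpo()
    gpo.links.append(domain)
    return affected_accounts(gpo, domain)  # every user is in the path; computers untouched


def unlinked() -> Tuple[Set[str], Set[str]]:
    domain, _ = build_directory()
    return affected_accounts(remove_run_gpo(), domain)  # a GPO with no links affects nothing


def one_gpo_many_links() -> Dict[str, str]:
    """Link the same GPO to Sales and Marketing, then edit it 'from the Sales link':
    the change shows through the Marketing link because there is only one GPO."""
    _, ou = build_directory()
    gpo = remove_run_gpo()
    gpo.links.extend([ou["Sales"], ou["Marketing"]])
    group_policy_tab = {"Sales": gpo, "Marketing": gpo}  # what each OU's Group Policy tab lists
    group_policy_tab["Sales"].user_settings["NoRun"] = "0"  # edit via the Sales OU
    return group_policy_tab["Marketing"].user_settings  # same object, same edited value


if __name__ == "__main__":
    print("linked to Sales OU :", linked_to_sales())
    print("linked to domain   :", linked_to_domain())
    print("no links           :", unlinked())
    print("edited via one link:", one_gpo_many_links())
```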

Basic GPO Functions

When it comes to administering GPOs, you need to consider two basic functions. GPOs must be created first. This includes the administrator establishing the new GPO altogether, then making the desired configurations in the GPO. Then, the GPO must be linked to the site, domain or OU.


Creating a New GPO

Creating a new GPO is something that all administrators should have the ability to do. GPOs can cause widespread disasters if they're not configured properly. By default, only the Administrator can create GPOs in Active Directory. For an Active Directory that doesn't have the Group Policy Management Console (GPMC) installed, this is given to the Administrator by placing the account in the Group Policy Creator Owners group.

Note: The reason that the GPMC is mentioned here is that it offers some new features that the standard method of GPO administration does not. However, we aren't going to focus on the GPMC in this book. Instead, we are focusing on the built-in method of administering GPOs here. In the next digital report, Advanced Group Policy Objects, we'll go into the GPMC in full detail.

We need to be clear exactly what creating a GPO provides, compared to what most administrators do when they create a GPO. If you're like most administrators, you open up ADUC and go to the OU where you want the new GPO. Then, on the Group Policy tab on the OU Properties sheet, you select the New button, as shown in Figure 4, below.



Figure 4. The New button on the Group Policy tab allows you to create new GPOs, as well as link them to the OU.

When you perform this act, you're doing more than just creating the GPO; you're also linking it to the OU. If you have not been given "Link GPO" permission, you won't even have the New button available when you look on the Group Policy tab.

If the New button is no longer available, then how do new GPOs get created? The answer is somewhat convoluted. To create a new GPO without using the New button, you need to go a couple of steps past the Group Policy tab. Follow these steps to create a new GPO without linking it to an object:

1. Open Active Directory Users and Computers.
2. Right-click on the Domain Controllers OU (you could pick another OU or the domain to get the same results) and select Properties from the menu.
3. Select the Group Policy tab in the Domain Controllers Properties window.
4. Click the Add button.
5. Select the All tab in the Add a Group Policy Object Link window.
6. Select the [icon] to create a new GPO.
7. Provide a new name for the GPO.

This method creates a new GPO, but it won't link it to any object. If you want to see this, just right-click on the new GPO and select Properties from the menu. Then, select the Links tab in the property window for the GPO. Click the Find Now button to see that there are no links for the GPO.

Linking an Existing GPO

As we just saw, when you create a new GPO from the site, domain or OU, it is linked automatically to the object where the GPO was created. However, it isn't always possible to do this, since many companies require separation of privileges when it comes to creating and linking GPOs.

For the company that requires separation of duties, or if there is just an existing GPO that needs to be linked to the site, domain or OU, there is an option to just link a GPO, instead of having to create a new one in conjunction with the link. In a nutshell, linking a GPO to an object is only available if the GPO exists.

One of the more common delegation of administration tasks for Active Directory is linking GPOs. It is one of the standard tasks in the Delegation Wizard. In order to delegate the linking of GPOs to a particular OU, follow these steps:

1. Right-click on the OU where the delegation of linking GPOs will be given.
2. Select the Delegate Control menu option.
3. Select the Next button at the Delegation of Control Wizard window.
4. Select the Add button on the Users and Groups page.
5. Select the group or groups that you want to have the ability to link GPOs to this OU.
6. Select the OK button.
7. Select the Next button.
8. Select the Manage Group Policy links checkbox.
9. Select the Next button.
10. Select the Finish button.

This will give the users in the group that were configured using the wizard the ability to link GPOs to this OU and the child OUs of this OU. This works out ideally for branch offices and divisions of the company that have local administrators and separation of privilege.

In this case, the users in the group will have the Add button available on the Group Policy tab, but won't have the New button available. I refer to the Add and New buttons on the Group Policy tab because it is common to use the Group Policy tab to link GPOs; but additional links can be made to a GPO by going into the Group Policy Properties sheet.


GPO Precedence

GPO precedence is an extremely important aspect of putting together a
GPO design. If the precedence of GPOs isn't taken into consideration, there
is no telling what the result will be for the computer and user environment.
You will quickly see that the precedence of GPOs drives the GPO
design, as well as the design of the OUs. Of course, we might as well go all
the way and say that the design of the GPOs many times drives the entire
Active Directory design.

There are four different areas that need to be addressed with regard to
GPO precedence. First, we'll talk about the hierarchy of the GPOs and in
which order they apply to users and computers. We will then talk about
the situation where there are multiple GPOs linked to a single site, domain
or OU. Next, if we have all of these GPOs and they have some order of
precedence, what happens if two different GPOs have the same setting?
Who wins the conflict? Finally, taking into account GPO precedence and
GPO conflicts must result in an end state. So, we'll tackle how this end
state is determined, as well as what you can do to help yourself design and
troubleshoot for all GPO issues.

LSDOU

Before we talk about the precedence of GPOs, we must know all of the
different locations that are considered when applying GPOs to computer
and user accounts. There is always a local GPO to be considered. Every
computer has a local GPO. By default, there is always a domain GPO,
named the Default Domain Policy. This, too, must be considered. The other
two locations that can have a GPO linked to them are the site and OU levels.
So, all of these different locations consist of local, site, domain, and OU.
The acronym we use to refer to all of these is LSDOU.

Therefore, if you have a GPO linked to the site, domain, and OU, you
would need to consider all four locations in your design and in the result of the
GPOs on the target object. The order in which GPOs apply starts with the local
GPO. The site GPOs apply next, then the domain, and then the OUs (a parent
OU before its child OUs). The precedence rule is that the last GPO to apply
has precedence over the previous ones. This holds true all the way down the
line of all of the GPOs, too. So, the GPOs linked to the domain have
precedence over the site and local GPOs. Figure 5 illustrates what GPOs at
these locations might look like graphically.

Figure 5. How GPOs link hierarchically through the local computer, domain,
and OUs.

From Figure 5, the following would be the order of GPO
application for XPPro1:

1. Local GPO
2. Default Domain Policy
3. HR_GPO
4. West_GPO

GPOs within a Site, Domain or OU

Now that we understand that the local GPO applies first, followed by
the site, domain and finally the OU GPOs, we can move to the next level of
GPO precedence. We don't need to worry about the local GPO at this level,
since there can only be one local GPO. However, there can be multiple
GPOs linked to the site, domain and OU, so we must consider how the
GPOs are applied. Figure 6 shows what this might look like.

Figure 6. There can be multiple GPOs linked to any one OU or site, or to the
domain.

When you have a situation like this, you need to understand how the
GPOs will be applied, which will indicate their precedence. Even though
the text on the Group Policy tab tells you clearly how the precedence works,
it seems to be overlooked quite often by administrators. The text clearly
states: "Group Policy Objects higher in the list have the highest priority."

So, the way the precedence works is that the operating system
comes in at the bottom of the list, then works its way up to the top of the list
to apply the GPOs. You might think that the operating system does the
opposite, starting at the top and working down, but this is where
many administrators get tripped up.

The reason this is so important is that there is usually more than one
GPO at any given level within Active Directory. It isn't often that two
different GPOs have conflicting settings, but it is possible, which makes
this discussion highly important.

To summarize, we now know that GPOs apply in the order of LSDOU.
Within the SDOU structure, there can be multiple GPOs at any one level.
At each level, the GPOs will be applied starting at the bottom of the list and
working to the top.

Appending and Conflicting Settings

Now that we understand the precedence of GPOs from LSDOU and GPO
ordering, we finally get to the finale. You might be wondering why we are
even discussing GPO precedence at all. You might be thinking that your
GPOs all have different GPO settings, which will append to one another to
configure the user or computer account. And you would be partially
correct. If you have 25 GPOs, all configuring different detailed policy
settings, then all of the settings will append to one another to apply to the
user or computer account. Let's look at a small example.

Assume you have a user account located in an OU named HR. You
have the local GPO on the Windows XP Professional computer configured
to enable the "Remove Run menu from Start Menu" policy. Of course, this
will remove the Run command from the Start Menu. Then, you have a
different GPO linked to the domain, which enables the "Remove Help
menu from Start Menu" policy. This will remove the Help and Support
option from the Start Menu. Finally, you have another GPO linked to the
HR OU. This GPO disables the "Remove My Documents icon from Start
Menu" policy. This will force the My Documents menu option to show up
on the Start Menu. Figure 7 illustrates our GPOs and their settings.

Figure 7. When GPOs are at LSDOU locations, they append if there are no
conflicts.

We can probably all agree that this summary of GPO settings is easy.
However, this isn't as common as you might think. Most organizations
have GPO settings that do conflict with one another as each GPO is
applied. Granted, this isn't that common at the same level in the Active
Directory structure, but from level to level it is very common. Let's look at
an example to get a full understanding of how conflicts are handled
by the operating system.

Assume you have a user account located in the Benefits OU, which is a
child OU of the HR OU. The local GPO on the Windows XP Professional
computer is configured to disable the "Remove Run menu from Start
Menu" policy. This will leave the Run command on the Start Menu. Then,
you have another GPO linked to the domain, which enables the "Remove
Run menu from Start Menu" policy. This will remove the Run command
from the Start Menu. Then, you have a different GPO linked to the HR OU.
This GPO disables the "Remove Help menu from Start Menu" policy. This
will leave the Help and Support menu option on the Start Menu. Finally, you
have a GPO linked to the Benefits OU. This GPO enables the "Remove
Help menu from Start Menu" policy. This will remove the Help and
Support menu option from the Start Menu. Because the domain GPO applies
after the local GPO, the Run command ends up removed; because the Benefits
GPO applies after the HR GPO, Help and Support ends up removed as well.
Figure 8 illustrates our GPOs and their settings.

Figure 8. When GPOs conflict, the last GPO applied wins.

This only illustrates the conflicts that can arise from GPOs at different
levels. Conflicts can also arise from GPOs that are located at the same level,
such as the same OU. Good designs don't have these conflicts, and you
should take precautions not to force these types of issues.
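As an added worked example (not code from the original guide), the following Python script models the processing rules described in the last three sections: LSDOU order, bottom-to-top processing of the links listed on one container's Group Policy tab, and last-applied-wins conflict resolution. It goes one step beyond the figures by also modelling the Apply Group Policy (ACL) filtering that the summary at the end of this chapter relies on. The container names, GPO names, settings and groups are constructed to mirror Figures 6, 7 and 8; the functions are illustrative assumptions, not anything Windows itself exposes.

```python
"""Toy model of Group Policy precedence: LSDOU order, link order within a
container, last-writer-wins conflicts and Apply Group Policy filtering.
Added example; the data below is constructed, not taken from a real domain."""

from __future__ import annotations
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict                      # policy name -> configured value
    apply_to: frozenset | None = None   # groups holding Apply Group Policy; None = everyone


def application_order(chain):
    """chain: list of (container, [links as shown top-to-bottom on the Group
    Policy tab]) in LSDOU order: local, site, domain, parent OU ... child OU.
    The client walks each container's list from the bottom up, so the link at
    the top of a list is applied last and therefore has the highest priority."""
    order = []
    for container, links in chain:
        for gpo in reversed(links):
            order.append((container, gpo))
    return order


def resultant_settings(chain, groups=()):
    """Resultant set of policy for a principal that belongs to `groups`.
    Settings that never collide simply accumulate; when two GPOs configure the
    same setting, the GPO applied later overwrites the earlier value."""
    groups = frozenset(groups)
    rsop = {}
    for container, gpo in application_order(chain):
        if gpo.apply_to is not None and not (gpo.apply_to & groups):
            continue        # filtered out: no Apply Group Policy for this principal
        for policy, value in gpo.settings.items():
            rsop[policy] = (value, f"{gpo.name} ({container})")
    return rsop


RUN = "Remove Run menu from Start Menu"
HELP = "Remove Help menu from Start Menu"
DOCS = "Remove My Documents icon from Start Menu"
TIMEOUT = "Screen saver timeout (seconds)"

# Figure 7: no conflicts, so the three settings append.
FIGURE7 = [
    ("Local", [GPO("Local GPO", {RUN: "Enabled"})]),
    ("Domain", [GPO("Default Domain Policy", {HELP: "Enabled"})]),
    ("OU=HR", [GPO("HR_GPO", {DOCS: "Disabled"})]),
]

# Figure 8: the domain beats the local GPO on RUN, Benefits beats HR on HELP.
FIGURE8 = [
    ("Local", [GPO("Local GPO", {RUN: "Disabled"})]),
    ("Domain", [GPO("Default Domain Policy", {RUN: "Enabled"})]),
    ("OU=HR", [GPO("HR_GPO", {HELP: "Disabled"})]),
    ("OU=Benefits,OU=HR", [GPO("Benefits_GPO", {HELP: "Enabled"})]),
]

# Figure 6: two links on one OU, listed top to bottom as on the Group Policy tab.
FIGURE6 = [
    ("Local", []),
    ("OU=Sales", [GPO("Sales_Top", {TIMEOUT: "600"}),
                  GPO("Sales_Bottom", {TIMEOUT: "1800"})]),
]

# Summary rule 2: a GPO on Sales_staff filtered so only the Sales group applies it.
FILTERED = [
    ("OU=Sales_staff", [GPO("Sales_NoRun", {RUN: "Enabled"},
                            apply_to=frozenset({"Sales"}))]),
]

if __name__ == "__main__":
    for label, chain, groups in (("Figure 7", FIGURE7, ()),
                                 ("Figure 8", FIGURE8, ()),
                                 ("Figure 6", FIGURE6, ()),
                                 ("Joe (member of Sales)", FILTERED, ("Sales",)),
                                 ("Temp in Sales_staff", FILTERED, ("Temps",))):
        print(label)
        print("  applied in order:", [g.name for _, g in application_order(chain)])
        for policy, (value, source) in resultant_settings(chain, groups).items():
            print(f"  {policy}: {value}  <- {source}")
```

Running the script prints, for each scenario, the order in which the GPOs are applied and the setting that survives, with the GPO and container it came from; for Figure 8 that is "Enabled" for the Run setting from the Default Domain Policy and "Enabled" for the Help setting from Benefits_GPO, the same answer the figure gives.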


Resultant Set of Policies

Whether you noticed it or not, we have already touched on this topic
slightly. In the last section, when we were dealing with GPO application
and conflict resolution, the graphics hinted at the concept of Resultant Set
of Policies, or RSoP as it is commonly referred to. The RSoP is the final set of
policies that apply to either the user or computer account. In the days of
Windows 2000, this was a difficult thing to determine. As an administrator
you could use tools like gpresult or FAZAM to help compile what the
resulting policies were for a user or computer.

With the advent of Windows XP Professional and Windows Server
2003, the issues related to the RSoP aren't nearly as complex. To determine
the RSoP now, you have a myriad of tools to assist you. Here are some of
the tools that you have at your disposal to determine the RSoP for almost
any situation:

- RSoP snap-in, used with the Microsoft Management Console
- Help and Support Center
- Local Security Policy
- Group Policy Management Console

Figure 9 illustrates the Help and Support Center's RSoP function.

Figure 9. Many tools can help determine the Resultant Set of Policies, which is
essential for administrators to do what-if scenarios.

What exactly is the RSoP used for? If the GPOs aren't applying
correctly to either the user or computer account, RSoP provides a way to
determine what is applying to the different objects and from what location
in the Active Directory. With hundreds of GPOs in a large organization,
RSoP is about the only way to determine what is applying on the target
computer. The command-line gpresult.exe is still available on Windows XP
and Windows Server 2003; gpresult /v lists the GPOs that were applied, the
GPOs that were filtered out and why, and the security groups used for the
filtering, which makes it the quickest check when a setting is missing.


Note: I will cover RSoP and its related tools in depth in the third volume
of this series, Troubleshooting Group Policy Objects.

GPO Application

Once the GPO is configured and you have the correct GPO precedence in
place, it is time to have the GPO take effect. Even though we would
like to have this take effect immediately, that isn't the case. GPOs take some
time to get all the way to the target object, due to the technology that is
driving them. Before we start to dive into the different technologies that are
behind GPO application, let's take a quick trip back down memory lane
to the world of Windows NT System Policies.

GPOs vs. System Policy Application

In order to appreciate the improvements that GPOs provide, we need to
compare the GPO application process to the application of System Policies.
GPOs are much different from their predecessors, System Policies. A
System Policy was limited to applying to a user or computer only at a new
logon or restart, respectively. This was troubling and time-consuming. The
most annoying issue with System Policies was that there was almost no
way to force the user to log off or the computer to restart in order to get the
policies to take effect.

Even though there was only one way to get a System Policy to apply,
there are numerous methods to get GPOs to apply. The following is a list of
ways that a GPO can be applied to a target object.

Computer:

- Restart the computer.
- Wait for the automatic refresh of GPOs.
- Manually force GPO application.

User:

- Log off and then back on.
- Wait for the automatic refresh of GPOs.
- Manually force GPO application.

Of course, the GPOs must be on the correct domain controllers in order
for any of these methods to be valid. The idea is that the GPOs must
replicate from the domain controller where the change was made to all
other domain controllers in the domain. This will ensure that when the
computer or user account attempts to apply the GPO, the domain
controller has the latest and greatest GPO to apply. If the GPO has
replicated, then the GPO application should be successful. Keep in mind that
a GPO is stored in two places that replicate separately: the Group Policy
Container in Active Directory and the Group Policy Template in the SYSVOL
share, which is replicated by the File Replication Service (FRS). Until both
halves have reached the domain controller the client uses, the version
numbers of the two halves won't match and the client can read an older copy
of the settings.

More on Active Directory Replication

Active Directory replication has two different forms: intrasite and
intersite. Intrasite replication is when domain controllers replicate with
other domain controllers in the same site. Intersite replication is replication
between sites. Most large organizations have sites, so this is certainly something to
consider. For intrasite replication, a domain controller notifies its partners
of a change five minutes after it is made (the Windows 2000 default). This
gives a maximum convergence time of about 15 minutes to all domain controllers
in the same site. (Once the forest is at the Windows Server 2003 functional
level, the notification delay drops to 15 seconds, so intrasite convergence is
much faster.)

For replication between sites, intersite replication, the schedule is
much different. The default replication interval is every three hours!
This can be changed, and many times is changed. Sometimes the change is
to replicate less often, but usually it is set to replicate more often.

To calculate the maximum convergence time, you must consider the
time the process will take to replicate in the site where the GPO was
originally changed. Then, consider the time to replicate to the other site(s).
This might be tricky, depending on the site topology that you have
implemented. Sometimes sites are chained to one another, so you might
need to take three hours and multiply it by the number of hops between
sites. Finally, once the change is received in the destination site, there
must be another calculation to accommodate the time needed to replicate to
all domain controllers in the destination site.

All in all, this can total hours, maybe days. So, consideration of the site
convergence for GPOs is extremely important when testing, implementing
and troubleshooting GPOs.
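The calculation described above, carried out for a chain of sites, as an added example rather than anything from the original guide. The topology, site names and per-link intervals are constructed; the script assumes that the site links form a tree (one path between any two sites, which is how the KCC's intersite topology usually looks), that a change waits one full replication interval on every link it crosses, and the guide's own defaults of roughly 15 minutes to converge inside a site and 180 minutes per site link.

```python
"""Worst-case convergence time for a GPO change across a site topology.
Added example with constructed sites and intervals. Assumes the intersite
topology is a tree of site links (one path between any two sites), that each
link is crossed once per replication interval, and the guide's default
numbers: about 15 minutes to converge within a site, 180 minutes per link."""

from collections import deque

INTRASITE_MINUTES = 15      # Windows 2000 default: 5-minute notification, a few hops
DEFAULT_LINK_MINUTES = 180  # default site-link replication interval


def replication_path(site_links, source, destination):
    """Breadth-first search over site links; in a tree the path is unique."""
    neighbours = {}
    for link in site_links:
        a, b = tuple(link)
        neighbours.setdefault(a, []).append(b)
        neighbours.setdefault(b, []).append(a)
    parent = {source: None}
    queue = deque([source])
    while queue:
        site = queue.popleft()
        if site == destination:
            break
        for nxt in neighbours.get(site, []):
            if nxt not in parent:
                parent[nxt] = site
                queue.append(nxt)
    if destination not in parent:
        raise ValueError(f"no site-link path from {source} to {destination}")
    path, site = [], destination
    while site is not None:
        path.append(site)
        site = parent[site]
    return path[::-1]


def convergence_minutes(site_links, source, destination, intrasite=INTRASITE_MINUTES):
    """Worst case = converge in the source site + one full interval per link on
    the path + converge in the destination site. site_links maps
    frozenset({site_a, site_b}) -> replication interval in minutes."""
    path = replication_path(site_links, source, destination)
    if len(path) == 1:
        return intrasite, path          # same site: only intrasite convergence
    hops = sum(site_links[frozenset((a, b))] for a, b in zip(path, path[1:]))
    return intrasite + hops + intrasite, path


# Constructed topology: HQ <-> Regional <-> Branch, both links at the default interval.
TOPOLOGY = {
    frozenset({"HQ", "Regional"}): DEFAULT_LINK_MINUTES,
    frozenset({"Regional", "Branch"}): DEFAULT_LINK_MINUTES,
}

# Same topology after the Regional-Branch link is set to replicate every 15 minutes.
TUNED = {**TOPOLOGY, frozenset({"Regional", "Branch"}): 15}

if __name__ == "__main__":
    for name, links in (("default", TOPOLOGY), ("tuned", TUNED)):
        minutes, path = convergence_minutes(links, "HQ", "Branch")
        print(f"{name}: {' -> '.join(path)} worst case {minutes} min ({minutes / 60:.1f} h)")
```

With the defaults, a GPO edited on an HQ domain controller can take 390 minutes (6.5 hours) to reach every domain controller in Branch, which is the figure to keep in mind before concluding that a GPO "isn't working" at a remote office. Two caveats: the numbers are upper bounds, not expected values, and enabling change notification on a site link (the USE_NOTIFY bit of its options attribute) makes that link replicate on change rather than on the interval, which removes it from the calculation.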

GPO Application to Computer Accounts

As you investigate and learn how GPOs apply to target objects, make sure
you consider which object you're targeting. Here, we'll talk about how
GPOs apply to computer accounts, which is quite a bit different from user
accounts.

Before you consider how the GPO will apply to the target object, make
sure you look at the correct object type. When you focus on a computer
object, you'll know for sure when you configure the Computer
Configuration portion of the GPO, as shown in Figure 10.

Figure 10. GPOs that target computer accounts will have the Computer
Configuration portion configured.

After you configure the GPO, you have three options in order for the
GPO to apply to the object, as I mentioned earlier:

- Restart the computer.
- Wait for the automatic refresh of GPOs.
- Manually force GPO application.


Computer Account: Automatic Refresh

The default behavior for most organizations is to just let GPO application
take its normal course. Unlike Windows NT System Policies, GPOs will
automatically refresh on the target computer at an interval of 90 minutes.
This ensures that if any GPO change has occurred, it will show up on the
target computer without any requirement of a restart or command-line tool.

The refresh interval is every 90 minutes, but if all computers were
trying to refresh at the exact same time, it would cause too much network
traffic as well as punish the domain controller. Therefore, when the first
refresh is determined, there is a random offset of at most 30 minutes, to get the
computers staggered for their refresh schedule. The refresh will therefore
begin anywhere from 90 to 120 minutes after the previous one. Domain
controllers are the exception: they refresh computer policy every five minutes
by default. Both intervals can be changed with the Group Policy refresh interval
policies under Computer Configuration, Administrative Templates, System,
Group Policy.

Computer Account: Restarting the Computer

This is a foolproof method to get a GPO to apply. If you're ever stuck with
getting a GPO to apply, use this method. Of course, the reason you don't
want to use this method is that it takes a long time to restart the computer.
(We aren't talking about a logoff here; this is a complete restart of the
operating system.)

When the computer restarts, you can see when the new GPO settings
are applying in many cases, depending on what operating system you're
working with and what GPO setting is being applied. If you're applying a
lot of GPOs or a lot of GPO settings, the boot process might take a long
time.

For some GPOs, it might take two restarts to get the settings to show
up. This is due to how the GPOs work. For example, if you want to remove
the user name from the logon screen, this will take two restarts for it to
show up. The first restart configures the Registry, but the Registry isn't
changed early enough to show up when the logon screen appears. So,
after the second restart, the Registry setting is now correct, which will be
indicated on the logon screen by not showing the last logged-on user.

There are some settings that require this method of applying the
policies. You won't be able to auto-refresh or manually apply them; you
need to restart the computer for them to apply. These settings include:

- Software deployment.
- IPSec configurations.

Computer Account: Manual Method

Both the automatic refresh and restart methods aren't horrible; they are
just slow! If you want to see a faster application of the GPO settings, you
can run a manual command on the target computer to get the GPO to
apply immediately. The command differs between operating systems,
although the outcome is identical.

For Windows 2000 computers, you'll use the secedit.exe command.
This is a built-in command that can be run from the command line. The
syntax for applying a GPO to a computer account is as follows:

secedit /refreshpolicy machine_policy

You can also throw in the /enforce switch, to push down ALL GPO
settings, even those that are already applied to the computer.

If you're running Windows XP Professional or Windows Server 2003,
you have a much easier path. You can use the built-in tool gpupdate.exe.
This tool is easier because there are no switches needed; you just run the
following from the command line:

gpupdate

Like the secedit command, you can include the /force switch to push
down all GPO settings, even those that are already applied to the computer.
Without the switch, both tools reapply only the GPOs whose version number
has changed since the last refresh, which is why a setting that was altered
locally on the computer won't be restored by a plain refresh but will be by a
forced one.

The gpupdate command will update both the computer and user
portions of the GPO. So, if you want to target only the computer portion of
the GPO, you can add a switch. This is typically not done, since the
time to apply the computer and user settings isn't much longer than just
the computer, but the option is there nonetheless. If you want to target just
the computer configuration, you would run the following command:

gpupdate /target:computer

Another nice feature of the gpupdate command is that you can force
the computer to restart after the GPO is applied. This is required for a few
of the GPO settings that don't apply until the computer is restarted. If you want to
target only the computer object and have the computer restart
automatically, you would run the following command:

gpupdate /target:computer /boot

GPO Application to User Accounts

As I emphasized for the computer accounts, you need to make sure you're
looking at the correct object type for applying your GPO settings. When
you're focusing on a user object, you'll know for sure when you configure
the User Configuration portion of the GPO, as shown in Figure 11.

Figure 11. GPOs that target user accounts will have the User Configuration
portion configured.

After you configure the GPO, you have three options in order for the
GPO to apply to the object, as we introduced above:

- Log off, then log back on.
- Wait for the automatic refresh of GPOs.
- Manually force GPO application.


User Account: Automatic Refresh

Even for user accounts, the default behavior for most organizations is to
just let GPO application take its normal course. GPOs for user accounts act
the same as with computer accounts, in that they will automatically refresh
for the target user accounts at an interval of 90 minutes, ensuring that if any
GPO change has occurred, it will show up on the target computer without
any requirement of a restart or command-line tool.

The automatic refresh isn't split between the computer and user
portions of the GPO. The automatic refresh is for the GPOs as a whole. So,
when the 90-minute refresh interval hits, both the computer and user
portions will be applied.

User Account: Logging Off and Back On

If you want to ensure that all settings are going to apply regardless of the
application method, then this is the method for you! Logging off and back
on will ensure that the user portion of the GPO applies.

When the user logs back on, you can see when the new GPO settings
apply in many cases by the logon window. Like the computer options, if
you're applying a lot of GPOs or a lot of GPO settings, the logon process
might take a long time.

The user portion of the GPOs will also behave in such a way that it
takes two logoff/logon cycles to get the setting into the Registry and onto your
screen. On Windows XP this is a consequence of Fast Logon Optimization:
the user is logged on with cached credentials before the network is fully
available, so settings that can only be applied in the foreground are noticed
at that logon but not applied until the next one. Enabling the "Always wait
for the network at computer startup and logon" policy (Computer
Configuration, Administrative Templates, System, Logon) turns that
behavior off. Also, some settings just don't apply until the user logs off and
back on. These would include:

- Software deployment
- Folder redirection


User Account: Manual Method

The user account GPO methods of auto-refresh and logging off and on are
much slower than just using the manual command-line option. Like the
computer command line, the commands are different depending on the
operating system that you're targeting the GPO at.

For Windows 2000 computers, you'll use the secedit.exe command.
This is a built-in command that can be run from the command line. The
syntax for applying a GPO to a user account is as follows:

secedit /refreshpolicy user_policy

You can also throw in the /enforce switch, to push down all GPO
settings, even those that are already applied to the user.

If you're running Windows XP Professional or Windows Server 2003,
you have a much easier path. You can use the built-in tool gpupdate.exe.
This tool is easier because there are no switches needed; you just run the
following from the command line:

gpupdate

Like the secedit command, you can include the /force switch to push
down ALL GPO settings, even those that are already applied to the user.
If you want to target just the user configuration, you would run the
following command:

gpupdate /target:user

For software deployment and folder redirection, you'll need to log
off and back on. The gpupdate command can automatically do this for you
if you use the correct switch. If you want to target only the user object and
have the user automatically log off, you would run the following
command:

gpupdate /target:user /logoff

GPO Fundamentals Summary

As you can see, the fundamentals of GPOs aren't as bad as they seem. Yes,
GPOs can be complex, hard to configure, and difficult to troubleshoot; but
if you break down the concepts into small bites, it is easy to figure out.
With all of these fundamentals, there seem to be a couple of key concepts
that get lost in the translation from theory to implementation. To help you
keep track of these fundamentals, always remember the following
concepts:

1. GPOs inherit down through the Active Directory structure. This
means that any GPO that is linked high in the Active Directory
structure, such as the domain or a high-level OU, will affect
more objects than a GPO that is linked low in the Active
Directory structure, such as a low-level OU.

Example: If there is a computer account located in the Computers
container, it would receive the settings configured in a GPO linked to
the domain. (The Computers and Users containers are not OUs, so you
can't link a GPO to them; accounts left there receive only the site and
domain GPOs. On Windows Server 2003 the redircmp and redirusr
tools can redirect newly created accounts into an OU of your choice.)

2. GPOs only apply to user accounts and computer accounts. You
can't apply GPOs to groups!

Example: There is a group named Sales. Sales has two user accounts
as members, Joe and Sally. Joe's user account is located in the OU
named Sales_staff. Sally's user account is located in the Users
container. There is a GPO linked to Sales_staff, which removes the
Run command from the Start Menu. The GPO ACL is changed to
only allow the Sales group permission to apply the GPO. When the
GPO applies, it will only affect Joe, not Sally!

3. GPOs can only apply to an object if the object is located in the
path of the GPO. This means that computer or user objects must
be located in the OU where the GPO is linked. Couple this rule
with rule #1 and the computer or user account can also exist in a
child OU and receive the GPO settings through inheritance.

Example: There are two OUs named AP and AR. Betty works in AP
and has a user account in the AP OU. Tom works in AR and has a
user account in the AR OU. The AP OU has a GPO named
All_accountants linked to it. When the GPO applies, it will only affect
Betty!

4. GPOs can't apply to computer and user accounts through group
membership. Combining #2 and #3 from this list will get you to
this #4 tip, but many administrators still try to have GPOs apply
to accounts based on group membership only. (This does not
contradict the fact that you can filter on groups; this is stating
that you can't have ONLY the group in the OU and have the
members of the group receive the GPO settings.)

Example: See the example in #2.


GPO and Active Directory Design Considerations

Although this book isn't written to be a design aid, there is almost no way
to dodge the concepts of designing GPOs when you talk about the basics of
GPOs. With any good design discussion, we need to discuss all of the
considerations that need to go into the design and implementation.

To start, consider that most GPOs are linked to OUs. Yes, you can link
GPOs to the domain and sites, but the majority, 90 percent plus, will be
linked to OUs. So, we need to consider the design of the OUs when we
talk about the design of the GPOs. When considering the OU design, there
are two main issues to keep in mind. One is delegation of
administration. The other is GPO application. Many like to leave out
the concept of GPO design when considering the OUs, but it is mandatory
that you think about your GPOs during this time.

If you aren't familiar with delegation of administration, think of it like
this: it is the concept that you're going to give other administrators, junior-
level admins or help desk personnel a subset of privileges to the objects in
an OU. The most common delegated task is the Reset Password
permission. For example, assume you have an OU named HR that has all
of the user accounts for the HR employees located in it. You want July,
the HR Manager, to have the ability to reset passwords for all of the HR
employees. To make this work, you give July the Reset Password
permission for the HR OU. Since the permissions inherit down, it means
that July can reset passwords for all HR employees. However, since July
was only given privilege to the HR OU, she can't reset the password for
any other user in the domain.


Common OU Designs for GPOs

GPO design needs the consideration of who will get what
configuration. Remember, the "who" can be either a computer or a user
account. As you think about the OU design, consider some common
examples of how you might want to organize and name your OUs for
GPOs.

- Server role (IIS, Exchange, SQL, etc.). GPOs can easily configure
services, so you might have a special OU for each server type.
This will give you the opportunity to control which services are
running on the servers. It might be to ensure a service always
starts when the computer starts, or it might be that you want to
ensure that services don't start when the computer starts.

- Client computers. It is common to control many aspects of client
computers, from the screen saver, to the location of the My
Documents folder, to which applications are installed for each
type of user. Some companies organize client computers into a
single OU, where other companies might have a top-level
Client Computers OU and child OUs for each department in
the company. The computer accounts for each department will
be located according to their department, and GPOs will be
linked to the departmental OUs. There might also be a GPO
linked to the Client Computers OU, which carries the common
GPO settings that need to affect all computers in the company.

- IT staff client computers. I think it is fairly clear that the IT staff
needs different security and functionality on their computers.
For example, IT staff computers need to have the Run
command, where typical employee computers don't need that
function. Another example would be the configuration of
Internet Explorer. The IT staff typically is responsible for
downloading applications and testing tools. In this case, IE
would need to have download capabilities, where the typical
user might not have this capability.

- Developers. Many times developers need to have special
configurations on their computers, due to the applications they
develop. Also, many developers need to have unique access to
network resources, which might require special logon scripts to
give them access to hidden network shares. The developer
computer might give the developer's user account local
administrative privilege, which isn't common for most other
users in the company.

- Service accounts. Service accounts are user accounts in Active
Directory. These accounts should not be subject to certain
security or other restrictive GPO settings, due to their need to
have administrative access to the application they are
controlling or, in many cases, the server the application runs on.
(Note that the password and account lockout policy for domain
accounts comes only from the GPOs linked to the domain, so a
service-account OU can exempt these accounts from User
Configuration restrictions but not from the domain's password
policy.)

- Secured client computers. If your company has kiosks, shared
computers or computers that run applications that control
essential company data, you might want to create a special OU
for these computer accounts. This will allow you to control
them more securely than other computers. You might also want
to have these computers use different Software Update Services
(SUS) servers to download the majority of the security updates
from Microsoft.

- HR servers. This is just an example of a specialized type of
server that might need additional attention for security reasons.
With the advent of IP Security, you can lock down a computer
quite securely. However, you need to create special OUs for this,
since many networks can't have all computers using IP Security,
due to compatibility and network overhead reasons.

- Branch office. Depending on how your organization is
administered and controlled, you might have a special OU for
the branch office. This would include all client computers, user
accounts, and servers for that office. You can then create an OU
hierarchy to control how the GPOs are assigned, using some of
the other categories in this list. Many times the branch office
has more limitations for IE, desktop, and network resources,
because they are removed from the main office and the
administrators that live there.

These are just some examples of what your OUs might look like. As
you read over the examples, you can see that some of the OUs could also
be used for delegation of administration purposes. There is usually quite a
bit of overlap between delegation and GPO application, which provides for
a reduction in the complexity of the overall OU and Active Directory
design.

Where To Link the GPO

Even though GPOs are primarily linked to OUs, that does not rule out
linking them to sites and the domain. There are usually distinct reasons for
linking them or not linking them to these other objects. What follows are
some rule-of-thumb concepts for why you might link GPOs to other
objects in Active Directory.

GPOs Linked to Sites

It isn't common to link GPOs to sites. By far, it is the least used feature from
the LSDOU option list. However, there are some key benefits to linking
GPOs to sites. Before we cover those benefits, let's discuss the
disadvantages first.

A key disadvantage to using GPOs that are linked to sites is the fact
that most administration of security and control isn't done site by site. If
you think about what is involved in a site, you should envision client
computers, servers and domain controllers. If you were to link a GPO to a
site, all of these computers would be affected by the GPO linked to the
site. This, of course, can cause some catastrophic results. Keep in mind also
that sites are forest-wide objects: a site-linked GPO is stored in one domain,
but it applies to computers from every domain in the forest that sit in that
site, so those computers have to retrieve it across a domain boundary.

You could, however, use GPO filtering to help reduce the exposure to
the effects of the GPO, but there are other design options to eliminate this
need. I will talk about GPO filtering shortly, but it is important for me to
mention it here. In short, GPO filtering is controlling which objects will
receive the GPO settings.

On the benefit side, what good can come from linking a GPO to a site?
There are a couple of solutions that are fairly common. First, you can use
GPOs linked to sites to control your remote access clients. This is a good
idea, since most remote access solutions have a dedicated network of IP
addresses for the dial-up and VPN clients, and a site can be defined for
exactly that subnet. Here, you can lock down these clients with more robust
security settings. You can also direct them to a shorter list of network
shares, which will reduce your exposure from the outside networks.

The other use for GPOs at the site level is for directing client computers
to the local Software Update Services (SUS) server, or Windows Update
Services (WUS) server. (These are the same technology, but at the time of
this writing, Microsoft was just making the switch from SUS to WUS; the
product eventually shipped as Windows Server Update Services, WSUS.)

If you aren't familiar with WUS, it is the option to have a local
server function as the Windows Update service from Microsoft. The idea is
to have the local server deliver the updates, which are first approved by the
administrator. It isn't a good idea to have users attempting to download
and install updates from the Internet, due to compatibility and security
issues.

With the GPO linked to the site, you can control which WUS server the
client computers and servers use to receive their updates. This is ideal since
the updates can be large, and you want to direct the client computers and
servers to a local WUS server, not one that is located across the network or
WAN.

GPOs Linked to the Domain

The domain has a default GPO linked to it, but the GPO that is linked to
the domain does not configure much more than the Account Policies. The
reason for this is the same reason that it is so hard to link GPOs to sites. A
GPO linked to the domain will affect every computer or user account.
This isn't just a couple of computer and user accounts; by default this
would include every single account. From my experience, there are only a
few GPO settings that can survive at the domain level. Some of the settings
include:

- Screen saver.
- Screen saver password timeout.
- Internet Explorer settings.
- IP Security configurations.

Beyond this list, the settings need to differ for different computer types
and user types. Like the example with the site GPOs, there are too many
different types of objects to have such a wide-sweeping effect on the
objects.

One point about the Account Policies is worth stressing: the password,
account lockout and Kerberos policies for domain accounts are read only
from GPOs linked to the domain. Setting them in a GPO linked to an OU
changes the local account database of the computers in that OU, not the
domain accounts.

GPOs Linked to OUs

This is where Active Directory shines in regard to GPOs. When a GPO is
designed along with the OU design, the power of the GPO can be used to
the fullest extent. There is only one OU by default, and it has a default GPO
linked to it. The Domain Controllers OU has the Default Domain
Controllers Policy linked to it. This GPO primarily configures the User
Rights for the domain controllers, but you can see how important a GPO
linked to an OU can be.


Controlling GPO Inheritance

By default, GPOs inherit down through the Active Directory structure. Also
remember that the locations and application order that GPOs adhere to
play a key role in the inheritance and Resultant Set of Policies on the target
object. Experience shows that most companies take full advantage of the
built-in inheritance that GPOs exhibit. Most purists (like me) feel that 99
percent of all GPO application can be designed into the OU design.

The other one percent of the GPO design just won't fit into the Active
Directory design, due to a limitation of the delegation of administration
design considerations. When there is a conflict between delegation and GPO
application, the delegation will win most often. The reason for this is that
delegation can only be accomplished one way. GPOs can either use
inheritance, or you can break the inheritance and control which objects in
the path of the GPO will receive the settings.

Breaking the inheritance of GPOs is a rather hefty task. Not that the
breaking step is that tough, but if anything needs to be fixed due to an
incorrect setting, configuration or otherwise, it can take a long time to track
down where the inheritance starts and stops. For these reasons, it is
recommended that you do not use any inheritance-altering methods
unless there is an absolute need.

There are three common methods used to break the inheritance of
GPOs:

- Block Policy Inheritance
- No Override
- ACL filtering

Each setting has a slightly different approach and result, but all are
effective in changing the default GPO inheritance behavior.

Block Policy Inheritance

The first method we'll investigate is the option to block policy inheritance. This method does exactly what you would think it would, based on its name: It blocks all policy inheritance. The big question is, where does it block the policy inheritance?
Block policy inheritance is a setting that can be configured on an OU and at the domain level. The local computer can't block policy inheritance, since it is the first one to apply; there would be nothing to block. The site level would only be blocking the local GPO, if that were possible. However, it isn't possible for the site level to block policy inheritance.
If you're using the default GPO interfaces to administer GPOs, the setting to block policy inheritance is located on the Group Policy tab of the object properties of the domain or OU where the GPO is linked. You can see this in Figure 12, below.

Figure 12. Block Policy Inheritance can be configured at the OU and domain level only.
Think of block policy inheritance as a shield that blocks all GPOs that would otherwise flow into the domain or OU from above. For example, if there were an OU named Sales that had block policy inheritance configured, it would block the site GPOs and the domain GPOs (the local GPO is never blocked, because it is applied before any inheritance takes place). Then, the GPOs linked to the Sales OU would apply. These GPOs would then be the only ones to continue along the Active Directory structure, all the way down to where the objects reside.
In the graphical representation in Figure 13 you can see that there is a configuration on the West OU that is blocking the policy inheritance.

Figure 13. Block Policy Inheritance will block all other GPOs further up in the hierarchy.
We learned earlier that the default inheritance for this configuration would be:

Local GPO

Default Domain Policy

HR_GPO

West_GPO

The XPPro1 computer would receive the resultant set of policies that all of these GPOs develop. However, Figure 13 blocks the standard inheritance, which alters the normal flow and application of the GPOs. The new result would be the application of the following GPOs on XPPro1:

Local GPO

West_GPO

Notice that the Local GPO can't be blocked. Another point to notice is that the Default Domain Policy is being blocked, which is where the Account Policies are configured. This is an important factor, since most companies rely on the Account Policies at the domain level to control not only the domain user accounts, but also the local SAM accounts on all domain members.
If you're an administrator in control of the overall security and configuration of your enterprise, you might be concerned at this point. This example illustrates the power that a junior-level admin can have, if given power over the GPOs in any way. Imagine that you have delegated administrative privilege to a junior admin at the West OU level. With the right permissions (write access to the OU's gPOptions attribute, which is what the Block Policy Inheritance check box sets), the admin with delegated privilege could configure this inheritance block. You, as the enterprise administrator, would not be aware of the change until it was too late. The most likely way you would find out about the change is that a computer would be attacked, because the security configurations you had implemented at the domain or HR OU level would be blocked.

No Override
If you're a worried administrator, this section is for you. The block policy inheritance setting can cause problems for administrators higher in the Active Directory hierarchy, because the block policy inheritance setting does not show up anywhere in the interface except on the object (domain or OU) where it is configured.
I had a boss once who used to say, "If you have tried to fix it, but it is still broke, get a bigger hammer!" Although this way of thinking has caused me some grief over the years, the saying works here. If administrators lower in the Active Directory hierarchy are causing problems by configuring block policy inheritance, then you, as the higher-level administrator, can use the no override setting to fix the problem. Yes, no override is a bigger hammer than block policy inheritance, because it ignores any blocked configurations.
Figure 14 illustrates what a configuration of no override might look like graphically.

Figure 14. No Override can be applied at the site, domain or OU levels. No Override ignores block policy inheritance settings.
No override is a per-link setting on a GPO, which can be configured at any level in the Active Directory structure. However, no override can't be configured at the local GPO level. (The Group Policy Management Console labels the same setting "Enforced".) In our example in Figure 14, we can remember what the GPO settings were for XPPro1 when just the block policy inheritance setting was in place:
1. Local GPO
2. West_GPO
Now, with the no override setting configured on the HR_GPO link, the new set of policies that will affect XPPro1 is (a no override GPO is applied after all of the others, which is what lets it win conflicts):
1. Local GPO
2. West_GPO
3. HR_GPO
The no override setting on the HR_GPO has more effect than just forcing its way down the Active Directory hierarchy. When the setting is made on a GPO for no override, it also specifies that the settings in the GPO can't be changed by a different GPO that would normally have higher precedence. So, if the HR_GPO removes the Run command from the Start Menu and the West_GPO adds the Run command to the Start Menu, the no override setting on the HR_GPO will enforce the removal of the Run command from the Start Menu. This contradicts the standard GPO inheritance and precedence order, but it is necessary when junior administrators have free rein over GPOs and settings lower in the Active Directory structure.
To configure the no override setting for a GPO at a site, domain or OU level, you access the Group Policy tab on the site, domain or OU property sheet, select the GPO link and click the Options button, as shown in Figure 15, below.

Figure 15. No Override can be applied at the site, domain or OU levels. No Override ignores block policy inheritance settings.
Even though no override is a great feature, with plenty of power, it should be used sparingly. Instead of fearing that a junior administrator will cause problems, my suggestion is to just not give them the power to make these configurations to GPOs lower in the Active Directory structure. Like the block policy inheritance feature, the no override settings are difficult to track and see in the interface. Even though they control lower-level GPO settings, they only show up at the level at which they are configured.
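The block and no override rules described above can be written down as a small resolver, which makes the Figure 13 and Figure 14 outcomes easy to check before you touch a production OU. The following is an added example, not code from the book and not Microsoft's client-side processing engine: the GPO names are the book's, the settings hung on each GPO are assumed for illustration, and the ordering rule that a No Override link is applied after every other link (the highest-level enforced link last) is the standard behavior that lets the HR_GPO win the Run command conflict.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    """A GPO linked to a container. settings maps policy name -> configured value."""
    gpo: str
    no_override: bool = False           # "No Override" (labelled "Enforced" in GPMC)
    settings: dict = field(default_factory=dict)


@dataclass
class Container:
    """A site, domain or OU. Links are listed in the order they apply (last wins)."""
    name: str
    links: list
    block_inheritance: bool = False     # Block Policy Inheritance on this container


def resolve_order(local_gpo, path):
    """Return the GPOs that apply to an object, in the order they are applied.

    path is the chain of containers from the site down to the object's own OU.
    Rules modelled (illustrative model, not the Windows client-side engine):
      * the local GPO is always applied first and can never be blocked;
      * Block Policy Inheritance on a container discards every non-enforced link
        inherited from the containers above it;
      * No Override links ignore blocks and are applied after all other links,
        the one nearest the root last, so the highest-level enforced GPO wins.
    """
    inherited = []
    enforced = []
    for container in path:
        if container.block_inheritance:
            inherited = []                      # the shield: drop everything from above
        for link in container.links:
            (enforced if link.no_override else inherited).append(link)
    return [local_gpo] + inherited + list(reversed(enforced))


def effective_settings(order):
    """Resultant Set of Policy: a later GPO overrides an earlier one, setting by setting."""
    rsop = {}
    for link in order:
        rsop.update(link.settings)
    return rsop


# Constructed scenario for Figures 13 and 14: XPPro1 lives in Domain > OU=HR > OU=West,
# and the West OU has Block Policy Inheritance turned on by the delegated admin.
LOCAL = Link("Local GPO", settings={"ScreenSaverTimeout": 900})
DOMAIN = Container("Domain", [Link("Default Domain Policy",
                                   settings={"MinimumPasswordLength": 7})])
WEST = Container("OU=West", [Link("West_GPO", settings={"RemoveRun": False})],
                 block_inheritance=True)


def figure13():
    """HR_GPO without No Override: the block on West wins, and so does West_GPO."""
    hr = Container("OU=HR", [Link("HR_GPO", settings={"RemoveRun": True})])
    order = resolve_order(LOCAL, [DOMAIN, hr, WEST])
    return [link.gpo for link in order], effective_settings(order)


def figure14():
    """HR_GPO with No Override: it passes through the block and is applied last."""
    hr = Container("OU=HR", [Link("HR_GPO", no_override=True,
                                  settings={"RemoveRun": True})])
    order = resolve_order(LOCAL, [DOMAIN, hr, WEST])
    return [link.gpo for link in order], effective_settings(order)


if __name__ == "__main__":
    for label, scenario in (("Figure 13", figure13), ("Figure 14", figure14)):
        order, rsop = scenario()
        print(f"{label}: {' -> '.join(order)}  RSoP={rsop}")
```

Note what the Figure 14 result still lacks: the Default Domain Policy's MinimumPasswordLength never reaches XPPro1's local SAM, because only the HR_GPO link was enforced. If the domain-level security baseline must survive a junior admin's block, the domain link itself has to be set to No Override.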

GPO Permission Filtering

The concept of GPO filtering is simple. An object must have permission to apply the GPO. GPO permission filtering is done by altering the ACL on the GPO itself. Think of GPO filtering just like you do controlling access to a file.
If you want to access a file, you need permission to the file. For example, assume you want to be able to modify data contained in a file. If you only had Read permission, you could not actually change the data in the file. Instead, you would need to have both Read and Write permission. The same concept applies to GPOs. In order to have a GPO affect a user or computer account, the target object needs to have both Read and Apply Group Policy permission. By default, this is accomplished by having the Authenticated Users group on the ACL possess these permissions. Of course, all user and computer objects have membership in this group.
Keep in mind that the Authenticated Users group includes all user accounts and computer accounts. This would include all administrator user accounts too, even the built-in default Administrator account.
Every object in the path of the GPO will receive the settings in the GPO by default, due to the Authenticated Users group. Well, what if you want all but a few objects to receive the GPO settings? Of course, you could always move the account from the OU, but there might be four other GPOs at the OU that the account needs. This is where we use the concept of GPO filtering.
Since objects need both Read and Apply Group Policy in order to apply the GPO settings, all you need to do is take away one of these permissions for the object and it won't apply the GPO. Let's look at a quick example:
There are three user accounts in the HR OU: Joe, Betty and Sally. There is a GPO linked to the HR OU. The GPO configures the Start Menu to remove the Run command. However, you realize that Sally needs to have the Run command, and you need her in this OU for delegation of administration. So, you have a user account in the OU that should not have the ability to apply the GPO for the Run command.
To continue with our example, we need both Joe and Betty to get the GPO, but not Sally. So, we add Sally to the ACL and set Deny on Apply Group Policy for her user account. When the permissions are calculated for Sally, the Deny entry wins over the Allow she gets through Authenticated Users, so she won't get the permission to apply the GPO and she will end up keeping her Run command.
Note: I could also add Sally to a group and add the group to the ACL, configuring the group with Deny Apply Group Policy permission. A group is the better choice as soon as more than one account needs the exception.
There is great power in the use of Authenticated Users having both Read and Apply Group Policy permission. You need to use this power to your benefit. For example, if you want a GPO to apply to all users in an OU, except for a small group, it is best to leave the default Authenticated Users on the ACL. Then, just add the small group to the ACL, denying them Apply Group Policy. (Denying Read would also stop the GPO from applying, but then any administrator who happens to be a member of that group can no longer open the GPO to read or edit it; deny only the permission you need to deny.)
On the other hand, Authenticated Users is a broad stroke, which can cause some unpleasant behavior with the application of GPOs, if you aren't careful. Say, for example, you want only the IT group to apply a GPO. Leaving Authenticated Users on the ACL would deliver the settings to every computer and user account in the path of this GPO. Removing each user and computer account that could receive the GPO from the ACL one by one is impractical. Instead, it is best to remove the Authenticated Users group from the ACL, which will at first glance give no one access to the GPO. The final step for this method is to add only the IT group to the ACL of the GPO, granting it Read and Apply Group Policy. The final result is that all members of the IT group will receive the GPO, but no other user account will, even if it is located in the path of the GPO. This is because it lacks both required permissions to apply GPOs. (On Windows versions updated with MS16-072 or later, user settings are read in the computer's security context, so when you remove Authenticated Users you must also grant Domain Computers Read, or the user half of the GPO silently stops applying.)
GPO filtering is a complex and difficult aspect of GPOs. However, when used appropriately, it can be useful. When you do use GPO filtering, there are some minor points to keep in mind:

1. The ACL for a GPO is on the GPO itself, not the GPO link to the site, domain or OU. If a single GPO is linked to multiple objects in Active Directory, a change to the GPO ACL at one level will change the GPO ACL at all levels.
2. GPO filtering can be difficult to troubleshoot, since nothing at the site, domain or OU shows which accounts have been filtered out; the only place the permissions appear is on the GPO itself.
3. Designing your OUs for GPO application should be one of the key design criteria for all OUs. However, there might be a cause for GPO filtering. If you can design the OUs within the Active Directory design for application of GPOs, there will be no need for GPO filtering, which can be good! Use GPO filtering sparingly.
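The permission arithmetic behind the Sally and IT-group examples is easy to get wrong when Deny entries and group memberships pile up, so here is the same logic as a runnable model. This is an added example, not the book's code and not the Windows access-check itself: the default ACL is an approximation that carries only the two permissions that matter for filtering (Domain Admins, Enterprise Admins and SYSTEM also hold edit rights on a real GPO), the account and group names are the book's or invented, and the one rule it implements is the one the text states, both Read and Apply Group Policy must be allowed and neither denied.

```python
READ = "Read"
APPLY = "Apply Group Policy"

# Constructed approximation of a new GPO's default ACL (trustee, permission, type).
# Only Read and Apply Group Policy are modelled; edit rights are left out.
DEFAULT_ACL = [
    ("Authenticated Users", READ, "Allow"),
    ("Authenticated Users", APPLY, "Allow"),
    ("Domain Admins", READ, "Allow"),
    ("Enterprise Admins", READ, "Allow"),
    ("SYSTEM", READ, "Allow"),
]


def _resolve(acl, principal, groups):
    """Collect the Allow and Deny permissions that apply to a principal.

    Every user and computer account is implicitly a member of Authenticated
    Users, so that trustee always counts for the principal."""
    trustees = {principal, "Authenticated Users", *groups}
    allowed, denied = set(), set()
    for trustee, permission, kind in acl:
        if trustee in trustees:
            (allowed if kind == "Allow" else denied).add(permission)
    return allowed, denied


def can_read(acl, principal, groups=()):
    """Read is needed to open the GPO in the editor as well as to apply it."""
    allowed, denied = _resolve(acl, principal, groups)
    return READ in allowed and READ not in denied


def applies_to(acl, principal, groups=()):
    """A GPO applies only if both Read and Apply Group Policy are allowed and
    neither is denied; Deny entries win over Allow, as in any Windows ACL."""
    allowed, denied = _resolve(acl, principal, groups)
    needed = {READ, APPLY}
    return needed <= allowed and not (needed & denied)


def hr_run_command_example():
    """Joe and Betty get the GPO; Sally is carved out with Deny Apply Group Policy."""
    acl = DEFAULT_ACL + [("Sally", APPLY, "Deny")]
    return {user: applies_to(acl, user) for user in ("Joe", "Betty", "Sally")}


def it_only_example():
    """Remove Authenticated Users, then grant the IT group alone."""
    acl = [ace for ace in DEFAULT_ACL if ace[0] != "Authenticated Users"]
    acl += [("IT", READ, "Allow"), ("IT", APPLY, "Allow")]
    return {
        "it_member": applies_to(acl, "Alice", ("IT",)),
        "hr_user": applies_to(acl, "Joe", ("HR",)),
        # Domain Admins hold Read but not Apply Group Policy, so even an admin in
        # the path stops receiving the GPO once Authenticated Users is gone.
        "domain_admin": applies_to(acl, "Derek", ("Domain Admins",)),
    }


def deny_read_side_effect():
    """Denying Read instead of Apply also locks the group's admin members out of the GPO."""
    acl = DEFAULT_ACL + [("HR-Exceptions", READ, "Deny")]
    return {
        "sally_applies": applies_to(acl, "Sally", ("HR-Exceptions",)),
        "admin_can_read": can_read(acl, "Derek", ("Domain Admins", "HR-Exceptions")),
    }


if __name__ == "__main__":
    print(hr_run_command_example())
    print(it_only_example())
    print(deny_read_side_effect())
```

The it_only_example result is the one that surprises people: once Authenticated Users is removed, administrators sitting in the OU no longer get the GPO either, because their own groups only carry Read. Add the administrators' group to the IT-only ACL with Apply Group Policy if they are supposed to receive it.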

GPO WMI Filtering

A new GPO feature with Windows Server 2003 is the use of WMI filtering to target specific computers. The WMI filter is a query that is attached to a GPO. The query is evaluated on each computer when the GPO is processed; only the computers on which the query returns at least one object receive the GPO settings. Windows XP and Windows Server 2003 clients evaluate the filter. Windows 2000 clients ignore WMI filters entirely and apply the GPO as if no filter existed, so don't rely on a WMI filter to keep settings away from Windows 2000 computers.
Most queries use the root\CIMv2 namespace. The query language for WMI is similar to SQL, and is called WQL (WMI Query Language).
WMI is an acquired skill, but if you have been working with scripts or doing software development, WMI queries will come easily. However, if you need guidance or assistance, you can use the Scriptomatic tool! The tool is available from the TechNet Script Center and is called scriptomatic.hta. A tip in using the tool is to reference the Win32_OperatingSystem class, which contains most of the properties that you'll use to query computers.
Also, when you create your query, you'll use comparison operators in the WHERE clause, combined with the Boolean operators AND and OR when you have more than one condition. When you want to gather computers in a general form, you'll use the LIKE operator with the % wildcard. When you want to gather computers that meet an exact criterion, you'll use the = operator.
This example will walk you through how to create and tie a WMI filter to a GPO. In this WMI filter, we'll query only the Windows XP Professional computers. If the computer is running anything other than Windows XP Professional, it won't receive the GPO settings that are tied to the WMI filter.
We first need to establish where we want to have the WMI filter located. We are going to focus on the HR department computers. The HR department in our example has an OU directly under the domain, and it is named HR. There are both user and computer accounts directly under the HR OU. There is an existing GPO that is linked to the HR OU, which configures some of the new GPO settings that only target Windows XP Professional computers. This is why we want to create a WMI filter, to target the XP computers.
To create the WMI filter, we need to go to the GPO that is linked to the HR OU and access the properties of the GPO. Follow these steps to get to this point:
1. Right-click on the HR OU and select Properties from the menu.
2. Select the Group Policy tab on the HR Properties window.
3. Select the GPO from the list and select the Properties button.
4. Select the WMI Filter tab on the GPO's Properties window.
5. Select the "This filter" radio button and select the Browse/Manage button.
6. Select the Advanced button on the Manage WMI Filters window.
7. Select the New button.
8. Type in XPProOnly in the Name field.
9. Type in root\CIMv2; SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%" in the Queries text area. The % wildcards matter: Caption holds the full product name ("Microsoft Windows XP Professional"), so LIKE "Microsoft Windows XP" without wildcards would match nothing, and "%Windows XP%" on its own would also match Windows XP Home Edition.
10. Select the Save button.
11. Select the OK button.
12. Select the OK button on the GPO's Properties window.
13. Select the OK button on the HR Properties window.
The WMI filter is now in place and will only target Windows XP Professional computers.
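Before attaching a WMI filter it is worth proving that the WQL matches the captions you expect, because a filter that matches nothing fails silently: the GPO just never applies. The following is an added example, not part of the book and not a WMI client: it implements WQL's LIKE wildcard rules (%, _, [set], [^set]) in Python and runs the filter's WHERE clause against a constructed inventory of Win32_OperatingSystem.Caption values. The inventory and the single-clause query parser are assumptions for illustration (the captions themselves are the real product names); on a live machine you would run the same query against root\CIMv2 with wbemtest or a script.

```python
import re

# Constructed inventory: Win32_OperatingSystem.Caption as WMI reports it on each
# operating system this book covers (the captions are the real product names).
INVENTORY = {
    "XPPro1":  {"Caption": "Microsoft Windows XP Professional"},
    "XPHome1": {"Caption": "Microsoft Windows XP Home Edition"},
    "W2KPro1": {"Caption": "Microsoft Windows 2000 Professional"},
    "SRV1":    {"Caption": "Microsoft(R) Windows(R) Server 2003, Standard Edition"},
}

# Single-condition WHERE clause: <property> LIKE|= "<literal>" (assumed subset of WQL).
_WHERE = re.compile(r'\bWHERE\s+(\w+)\s*(LIKE|=)\s*"([^"]*)"', re.IGNORECASE)


def wql_like(pattern, value):
    """Evaluate a WQL LIKE pattern: % matches any run of characters, _ matches one
    character, [abc] or [a-f] a set and [^abc] a negated set. WMI compares
    strings without regard to case, so the match is case-insensitive."""
    regex = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            regex.append(".*")
        elif ch == "_":
            regex.append(".")
        elif ch == "[":
            end = pattern.index("]", i)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            body = re.escape(body[1:] if negate else body).replace("\\-", "-")
            regex.append("[" + ("^" if negate else "") + body + "]")
            i = end
        else:
            regex.append(re.escape(ch))
        i += 1
    return re.fullmatch("".join(regex), value, re.IGNORECASE) is not None


def filter_matches(query, inventory):
    """Return the computers on which the WMI filter query would return a row,
    i.e. the computers that would receive the GPO."""
    clause = _WHERE.search(query)
    if clause is None:
        return set(inventory)              # no WHERE clause: every computer matches
    prop, op, literal = clause.groups()
    hits = set()
    for computer, props in inventory.items():
        value = props[prop]
        matched = (wql_like(literal, value) if op.upper() == "LIKE"
                   else value.lower() == literal.lower())
        if matched:
            hits.add(computer)
    return hits


AS_PRINTED = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "Microsoft Windows XP"'
XP_PRO_ONLY = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%"'
ANY_XP = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP%"'
EXACT = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'

if __name__ == "__main__":
    for name, query in (("no wildcards", AS_PRINTED), ("XP Pro only", XP_PRO_ONLY),
                        ("any XP", ANY_XP), ("exact match", EXACT)):
        print(f"{name:13} -> {sorted(filter_matches(query, INVENTORY))}")
```

The first query, a LIKE with no wildcards, matches no computer at all, which is the failure mode to watch for: the GPO looks healthy in every console and simply never applies. The = form is the safer choice when you know the exact caption.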

Default GPOs and Their Shortcuts

Every Active Directory domain has two default GPOs. These GPOs establish the security for the user accounts and the domain controllers. Access to these GPOs can be a bit confusing, since there seem to be many ways to access them. In some cases, the links to the GPOs only give you a partial listing of what is included, instead of the full access and list of settings. In this section, I explain the default GPOs and the links that are available to access them.

Default GPOs
No matter how you get to Active Directory, you'll have two default GPOs. Both have their uses and are very much needed. It is my suggestion, as well as the suggestion of Microsoft, to not delete these default GPOs. (If one of them is ever damaged, Windows Server 2003's dcgpofix.exe recreates it in its original state, discarding every change made to it since the domain was built.)
One of the GPOs is linked to the domain level and the other is linked to the Domain Controllers OU. They're named according to what their scope is. The GPO linked to the domain is named Default Domain Policy, and the one linked to the Domain Controllers OU is named Default Domain Controllers Policy.
Each GPO has a distinct function, as well as default settings. Let's look at each GPO and its default settings.

Default Domain Policy

This GPO has a single primary function: to configure the Account Policies for all domain users. Remember, the Account Policies include: Password, Account Lockout and Kerberos. These are computer settings, and they configure the domain controllers to control all domain user accounts. Since the GPO is located at the domain level, it will also configure the local SAMs of all domain members, as long as a GPO at an OU does not conflict and change the settings.

Figure 16 shows the Default Domain Policy regarding the Account Policies.

Figure 16. Account Policies in the Default Domain Policy.

The Default Domain Policy does more than just specify the Account Policies. Table 1 shows a list of the default settings in the Default Domain Policy.

Table 1. Default Domain Policy default configurations and values.

Computer Configuration

Password Policy
  Enforce password history                                  24 passwords remembered
  Maximum password age                                      42 days
  Minimum password age                                      1 day
  Minimum password length                                   7 characters
  Password must meet complexity requirements                Enabled
  Store passwords using reversible encryption               Disabled

Account Lockout Policy
  Account lockout duration                                  Not Defined
  Account lockout threshold                                 0 invalid logon attempts
  Reset account lockout counter after                       Not Defined

Kerberos Policy
  Enforce user logon restrictions                           Enabled
  Maximum lifetime for service ticket                       600 minutes
  Maximum lifetime for user ticket                          10 hours
  Maximum lifetime for user ticket renewal                  7 days
  Maximum tolerance for computer clock synchronization      5 minutes

Local Policies\Security Options
  Network security: Force logoff when logon hours expire    Disabled

Public Key Policies
  Encrypting File System                                    Administrator is configured as a Data Recovery Agent

Note that the default lockout threshold of 0 invalid logon attempts means accounts never lock out; most written security policies require that value to be changed.
The User Configuration portion of the Default Domain Policy isn't configured for any setting.
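Table 1 doubles as a baseline you can check a domain against, since the Default Domain Policy is exactly the GPO a junior admin or a vendor install script is most likely to weaken. The following is an added example, not code from the book: it parses a policy exported in the secedit /export format (the same INF layout as GptTmpl.inf under SYSVOL), compares the Password and Kerberos values with the Table 1 defaults, and reports anything missing or weaker. The INF text is constructed, with deliberately weak values so that the checker has something to report; the key names are the ones secedit uses, and the "weaker than" rules for each key are my reading of the table.

```python
import configparser

# Constructed excerpt in the format secedit /export writes (the same format as
# GptTmpl.inf under SYSVOL). The values deliberately deviate from Table 1 so the
# checker has something to report. A real export is UTF-16 with a BOM, so read it
# with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 4
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Table 1 expressed as INF keys: (setting name, expected text, predicate that is
# True when the exported value is at least as strong as the default). A maximum
# age or lifetime of 0 or -1 means "never", which is weaker, hence the 0 < v tests.
BASELINE = {
    ("System Access", "PasswordHistorySize"):   ("Enforce password history", "24", lambda v: v >= 24),
    ("System Access", "MaximumPasswordAge"):    ("Maximum password age", "42 days", lambda v: 0 < v <= 42),
    ("System Access", "MinimumPasswordAge"):    ("Minimum password age", "1 day", lambda v: v >= 1),
    ("System Access", "MinimumPasswordLength"): ("Minimum password length", "7", lambda v: v >= 7),
    ("System Access", "PasswordComplexity"):    ("Password must meet complexity requirements", "Enabled", lambda v: v == 1),
    ("System Access", "ClearTextPassword"):     ("Store passwords using reversible encryption", "Disabled", lambda v: v == 0),
    ("Kerberos Policy", "MaxServiceAge"):       ("Maximum lifetime for service ticket", "600 minutes", lambda v: 0 < v <= 600),
    ("Kerberos Policy", "MaxTicketAge"):        ("Maximum lifetime for user ticket", "10 hours", lambda v: 0 < v <= 10),
    ("Kerberos Policy", "MaxRenewAge"):         ("Maximum lifetime for user ticket renewal", "7 days", lambda v: 0 < v <= 7),
    ("Kerberos Policy", "MaxClockSkew"):        ("Maximum tolerance for computer clock synchronization", "5 minutes", lambda v: 0 < v <= 5),
    ("Kerberos Policy", "TicketValidateClient"): ("Enforce user logon restrictions", "Enabled", lambda v: v == 1),
}


def parse_inf(text):
    """Parse the security template. INF keys are case-insensitive; interpolation
    is disabled because values may contain '%' and '$'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit(text):
    """Compare an exported policy against the Table 1 defaults.

    Returns one finding per setting that is missing or weaker than the default:
    (section, key, setting name, actual value, expected text)."""
    policy = parse_inf(text)
    findings = []
    for (section, key), (name, expected, is_ok) in BASELINE.items():
        raw = policy.get(section, key, fallback=None)
        if raw is None:
            findings.append((section, key, name, "not defined", expected))
            continue
        value = int(raw.strip().strip('"'))
        if not is_ok(value):
            findings.append((section, key, name, raw.strip(), expected))
    return findings


if __name__ == "__main__":
    for section, key, name, actual, expected in audit(SAMPLE_INF):
        print(f"[{section}] {key}: {name} is {actual}; Table 1 default is {expected}")
```

Run it against the Default Domain Policy's own GptTmpl.inf in SYSVOL, or against the output of secedit /export on a domain controller, and treat any finding on ClearTextPassword or PasswordComplexity as urgent: reversible encryption stores every password in a recoverable form for anyone who can read the directory.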

Default Domain Controllers Policy

The Default Domain Controllers Policy GPO is linked to the only default OU, which is the Domain Controllers OU. This GPO provides some essential security for the domain controllers, including security settings, User Rights, and Audit Policy. The primary focus is on the User Rights for the domain controllers, as shown in Figure 17, below.

Figure 17. User Rights Assignment in the Default Domain Controllers Policy.
The Default Domain Controllers Policy does more than just configure the User Rights for the domain controllers. Table 2 shows a list of the default settings in the Default Domain Controllers Policy.

Table 2. Default Domain Controllers Policy default configurations and values. Note: User Rights not filled in are either not defined or are defined but are left empty.

Computer Configuration

Audit Policy
  Audit account logon events                        Success
  Audit account management                          No auditing
  Audit directory service access                    No auditing
  Audit logon events                                Success
  Audit object access                               No auditing
  Audit policy change                               No auditing
  Audit privilege use                               No auditing
  Audit process tracking                            No auditing
  Audit system events                               No auditing

User Rights Assignment
  Access this computer from the network             Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Everyone, Pre-Windows 2000 Compatible Access
  Add workstations to the domain                    Authenticated Users
  Adjust memory quotas for a process                Administrators, LOCAL SERVICE, NETWORK SERVICE
  Allow log on locally                              Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
  Back up files and directories                     Administrators, Backup Operators, Server Operators
  Bypass traverse checking                          Pre-Windows 2000 Compatible Access, Authenticated Users, Administrators, Everyone
  Change the system time                            Administrators, Server Operators
  Create a pagefile                                 Administrators
  Debug programs                                    Administrators
  Deny access to this computer from the network     <domain>\Support_*
  Deny log on locally                               <domain>\Support_*
  Enable computer and user accounts to be trusted for delegation   Administrators
  Force shutdown from a remote system               Administrators, Server Operators
  Generate security audits                          LOCAL SERVICE, NETWORK SERVICE
  Increase scheduling priority                      Administrators
  Load and unload device drivers                    Administrators, Print Operators
  Log on as a batch job                             <domain>\IIS, <domain>\IUSR, <domain>\IWAM, <domain>\Support_*, LOCAL SERVICE, NETWORK SERVICE
  Log on as a service
  Manage auditing and security log                  Administrators
  Modify firmware environment variables             Administrators
  Profile system performance                        Administrators
  Remove computer from docking station              Administrators
  Replace a process level token                     <domain>\IWAM, LOCAL SERVICE, NETWORK SERVICE
  Restore files and directories                     Administrators, Backup Operators, Server Operators
  Shut down the system                              Administrators, Backup Operators, Print Operators, Server Operators
  Take ownership of files and other objects         Administrators

Local Policies\Security Options
  Domain controller: LDAP server signing requirements                           None
  Domain member: Digitally encrypt or sign secure channel data (always)         Enabled
  Microsoft network server: Digitally sign communications (always)              Enabled
  Microsoft network server: Digitally sign communications (if client agrees)    Enabled
  Network security: LAN Manager authentication level                            Send NTLM response only

Two of these defaults deserve a second look on any domain controller you audit: "Add workstations to the domain" lets every authenticated user join computers (up to the ten-machine quota), and "Debug programs" is the right that lets its holders read any process's memory, including LSASS.
The User Configuration portion of the Default Domain Controllers Policy isn't configured for any setting.

Account Policies Break the Rule

The account policy settings are unique within GPOs, in that the account policies break the default inheritance and precedence model I've been talking about in earlier chapters. I don't want you to think that all account policies break the standard rules; it is just one specific instance of the account policies.
The instance where this occurs is at the domain level, where the Default Domain Policy configures the account policies for all domain users. Remember that GPOs follow the LSDOU rule for all inheritance and policy application priority. Not so with regard to the account policy settings for domain controllers. Remember the following and you won't get confused again.
1. All domain user accounts' account policy settings are controlled by the account policy settings configured in the Default Domain Policy! (There can be other GPOs at the domain level that alter the settings in this GPO, but the thing they all have in common is a link to the domain level!)
2. Any GPO that is linked to the site or any OU can't configure the account policy settings for domain users! No exceptions. (The supported way to give different groups of domain users different password or lockout rules is the fine-grained password policy feature added in Windows Server 2008, not an OU-linked GPO.)
3. Any GPO that is linked to the site or any OU does configure the local SAM for the computers that are in the path of the GPO. The rules of LSDOU still apply to the computer's local SAM, with regard to the account policy settings. It is only the domain controllers that are exempt from this behavior. (An easy way to remember this is that DCs don't use a local SAM for domain accounts, so the site and OU GPOs wouldn't affect them in this manner anyway.)

Account Policies at the Domain Level
The account policies in the Default Domain Policy control the passwords for all domain user accounts. This is for the single domain only! This rule is 100 percent independent of the overall Active Directory structure or any trust model that is in place. If you have an empty root domain with a complex set of password restrictions configured in the account policy, it will only affect the user accounts in the empty root domain. The GPO settings, including the account policy settings, do not inherit down to other domains in any way.

Account Policies at the OU Level
Since the account policies are already configured at the domain level, there might not be any need to configure account policies at the OU level. In most cases, you should stay away from this altogether. The reason is that the account policies configured in the Default Domain Policy should meet or exceed the company's written policy for password requirements. If a GPO that is linked to an OU is configured to modify the account policies, it could break the company's written security policy if the settings aren't set more securely than the GPO at the domain.
On the other hand, there are cases where you would like to have some computers adhere to a more stringent account policy than the other computers on the network. This might apply to Web servers, human resources servers, or servers that run financial applications. Remember, we are only affecting the local SAM and the user accounts that reside in the local SAM.

GPO Shortcuts
On a standard installation of Active Directory, there are many ways to access the default GPOs. The problem with all of these options is that it seems like access to the different options displays different views of the same GPOs. However, when you receive different views of the same GPO, it can cause concern as to whether they are the same thing at all.
Let's investigate the different options and methods for accessing the default GPOs. This will also help you understand how to access the other GPOs that you create in Active Directory.

ADUC
First, you can access the GPOs from inside the Active Directory Users and Computers (ADUC) console. To view the default GPOs, you'll either right-click on the domain or right-click on the Domain Controllers OU. Regardless of which GPO you're looking for, select Properties from the right-click menu. Then, select the Group Policy tab from the Properties sheet. You will see the GPO that you're looking for on this tab, as shown in Figure 18.

Figure 18. You can gain access to the default GPOs from the domain and Domain Controllers OU Properties sheet.
By selecting the GPO and clicking the Edit button, you'll invoke the Group Policy Editor. This will show you the entire listing of the GPO.

Default <Domain/Domain Controller> Security Policy
Next, you can access the default GPOs from a shortcut on the Start Menu. (This must be from a domain controller.) Go to Start | All Programs | Administrative Tools. (Your path might vary, depending on operating system and Start Menu configuration.) From here, you can either select the Domain Security Policy or the Domain Controller Security Policy. When you select either one of these options, you'll open a window that looks like Figure 19, which shows the Domain Security Policy.

Figure 19. Default Domain Security Policy is a subset of the overall Default Domain Policy.
This won't show you the entire GPO; instead it only shows you the security policy settings. The security policy settings are a subset of the overall GPO. If you access the entire GPO (using the method described above), and expand the nodes under Computer Configuration | Windows Settings | Security Settings, you'll see there is a one-to-one relationship between this portion of the GPO and the Default <Domain/Domain Controller> Security Policy from the Start Menu.
Do keep in mind that these two views of the security settings are the same settings in the GPO. It is just a different presentation of the GPO.

Local Security Policy
The local security policy is an underused tool that is also little understood. What I'm referring to is the Local Security Policy item that is available under the Start | All Programs | Administrative Tools menu option.
If you're working on a Windows Server 2003 domain controller, you'll find that this menu option for the Local Security Policy is missing. I'm not sure why Microsoft removed it from the menu, but my guess is that it was too confusing and caused more problems than good. However, you'll still find the Local Security Policy on all Windows 2000 computers, Windows XP Professional computers, and Windows Server 2003 non-domain controllers.
When you open up the Local Security Policy on a Windows 2000 domain controller, you'll see a subset of a standard GPO, as shown in Figure 20.

Figure 20. Local Security Policy indicates what is actually configured on the computer.
The reason that this tool is so important for the default GPOs, as well as for any GPO application, is that it shows you the local GPO and the effective GPO settings on the computer. This can be confusing, so let me explain exactly what is occurring here. The Local Setting column indicates the settings that are located in the local GPO. These may or may not be the final settings on the computer. Of course, we know there can be GPOs at the site, domain and OU locations that override the local GPO settings. That is what the Effective Setting column is for. It indicates what the final settings are on the computer. This gives you a view into the settings on the computer when you open up the Local Security Policy window.
What the tool does not give you is an indication as to which GPO made the configuration and from which location (site, domain or OU). However, there are tools that can do this, for example, the RSoP snap-in for Windows XP and Windows Server 2003 (and the gpresult command-line tool), as well as the FullArmor tools. (You can download an evaluation of the Fazam tools from the FullArmor Web site at http://www2.fullarmor.com/solutions.)
Note: In my second volume in this series, Advanced Group Policy Objects, I will provide detailed information on RSoP, tools that can be used to report the RSoP and instructions for troubleshooting GPOs when the RSoP is malfunctioning.
It is clear that checking GPO application can be assisted with the use of the Local Security Policy. However, things changed radically after Windows 2000 with regard to the Local Security Policy. As I have already said before, a Windows Server 2003 domain controller no longer has the Local Security Policy as an option under the Administrative Tools.
Tip: To get the Local Security Policy on a Windows Server 2003 domain controller, you can follow the steps in the section below this one on using the Microsoft Management Console to view the default GPOs.
The other dramatic change with regard to the Local Security Policy is with a Windows Server 2003 server and a Windows XP Professional client computer. Both have the shortcut from Administrative Tools, but once you get into the interface, things have changed, as you can see in Figure 21.

Figure 21. The XP and Windows Server 2003 Local Security Policy has a different interface from the Windows 2000 Local Security Policy.

First, notice in Figure 21 that there are no longer two columns for the settings. There is only a single column, named Security Setting. This is really the same as the Effective Setting from Windows 2000. However, you can't determine what's a local setting or what's a setting that came from a GPO linked to a site, domain or OU. Or can you? If you look closely at the left side of the Policy column, you'll see an icon. There are two different icons that show up. One represents the Registry. This one is the torn sheet with blue binary digits on the icon. The other represents a GPO from Active Directory. This icon is a pair of computers, with a scroll in front of them. The scroll is the standard icon for a GPO. With this information, you can decipher whether the setting came from the local GPO or from a site, domain or OU. Those that are local have the Registry icon, and those that are from a site, domain or OU will have the Active Directory GPO icon. Tricky, but now that you know the secret, you can use the Local Security Policy again.

Microsoft Management Console
An almost foolproof method to view the default GPOs, or any GPO for that matter, is to use the Microsoft Management Console (MMC). The MMC allows you to open up any GPO, even the local GPO from the computer where you're running the tool. With this method, you can open any GPO, even those that aren't linked to a site, domain or OU.
To edit the Default Domain Policy using the MMC, follow these steps:
1. Click the Start button, then select Run.
2. Type MMC, then click the OK button.
3. Click File on the toolbar and select the Add/Remove Snap-in menu option.
4. Click the Add button.
5. Scroll down and click on the Group Policy Object Editor snap-in.
6. Click the Add button.
7. Click the Browse button on the Select Group Policy Object page.
8. Click the All tab.
9. Select the Default Domain Policy from the GPO list and then click the OK button.
10. Click the Finish button.
11. Click the Close button.
12. You should now see the Default Domain Policy in the Snap-ins list on the Add/Remove Snap-in page.
13. Click the OK button.
From here, you can see the entire Default Domain Policy GPO. This provides you a foolproof method to open any GPO, as long as you have the permission to edit GPOs.
As you open up the Default Domain Policy, you might notice that you can also open the Local GPO using this method too. For Windows Server 2003 domain controllers, this is a perfect way to access the local GPO, as well as see the Local Security Policy settings, which are a subset of the local GPO.

Tip: When you exit from the MMC window, it will prompt you as to whether or not you want to save the console. Nothing will be deleted from the GPO if you don't save it; saving only keeps the snap-in list for easy access. Most of my Windows Server 2003 domain controllers have a saved MMC for the local GPO, which I save to the Administrative Tools list.

Gpedit.msc
To directly access the local GPO, you can run the GPEDIT.MSC command from the Start | Run option or a command line. This provides the same result as using the MMC to open the local GPO for the computer where you run the command. You can only open the local GPO using this method though, which makes it rather limiting. The great thing about this option is that it is fast, much faster than attempting to open the MMC and add a snap-in.

76

2004101communicationsLLChttp://mcpmag.com

Group Policy User and Computer


Configurations
InthissectionIdiscussthetwomajorareasofaGPO.Wealreadyknow
thatGPOsapplytoeitheruseraccountsorcomputeraccounts.Here,well
breakdowneachofthesesectionsthatislocatedunderadefaultGPOso
youfullyunderstandwhateachsectioncandoforyou.Wewontbediving
intoeachindividualGPOsetting,sincethatisalreadydoneforyouatthe
followinglocations.

Windows2000ResourceKit;referencetheGP.CHMfile.

GroupPolicySettingsReferenceforWindowsServer2003
(policysettings.xls).

WindowsServer2003HelpandSupportCenter(searchon
GroupPolicy).

WithalmostathousandsettingsinaWindowsServer2003/XPGPO,
youcantexpecttomemorizethem.Rather,itismoreimportantto
understandthelogicalstructureandareasoftheGPO.Withthis
knowledge,youcanfindtheGPOthatyourelookingfor,oryoucansearch
thedocumentsprovidedtofindtheGPOsetting.

Computer Configuration
ThetophalfofeveryGPOisdedicatedtoconfiguringthecomputer
accounts.Asyoumayhavenoticedinmanyofthefiguresinthisbook,you
canseetheComputerConfigurationsectionoftheGPOduringediting.
TherearemanysectionsintheComputerConfigurationsectionofthe
GPO,eachhavingadistinctareaandfunction.Welllookateachsection,
discusshowtoconfiguredifficultsettings,coverthekeyconfigurationsfor

77

2004101communicationsLLChttp://mcpmag.com

areasthathavemanypolicies,andexplorewhattheareaisdesignedto
modifyforthecomputeraccounts.

Software Settings
This is designed to install software to the computer account. The reason that many administrators like to install to the computer account is that every user that logs on to the computer will have the software. Also, a benefit to installing to the computer is that the software is installed when the computer is restarting. Basically this provides for immediate access to the application when every user logs on.
Software for computer accounts can only be Assigned (we'll see that for user accounts it can be assigned or published). An assigned application will install the application and place a shortcut to the application on the Start Menu automatically. Software that is assigned uses Microsoft Installation Packages, or MSIs. Many applications now provide MSI versions for installation. Examples include: Administrative Tools, Microsoft Office and Service Packs.
To prepare a GPO to install software, follow these steps:
1. Expand the Software Settings node located under the Computer Configuration section of the GPO in the Group Policy Editor.
2. Right-click on the Software installation node and select New | Package.
3. Browse for and select the MSI package that you want to deploy.
4. Then select the Open button. Note: If you have used a local path, instead of a network path, to the MSI package, you'll receive the error message shown in Figure 22, below. This indicates that the software package will fail to apply to computer accounts, since the path to the MSI package isn't available to network computers.

Figure 22. You must use a network path, not a local path, when configuring the location of the MSI package in a GPO.

5. Click the Assigned radio button, then select OK.
6. The new software deployment package will show up in the list of software to be installed.
7. Close the GPO editor and the application is ready to be installed.
You could have selected Advanced (Advanced Published or Assigned for Windows 2000) during Step 5. If you had chosen this radio button, you would have been able to customize the deployment package. You could have controlled software upgrade scenarios, modifications to the MSI package and deployment control.

Windows Settings
Windows settings for computer accounts have three major subcategories. Two subcategories have extensive policies and categories to choose from. By far this is the most useful area in the GPO under the Computer Configuration section. Here you can configure almost any security setting related to the computer account. If you're missing a setting that isn't there by default, you can customize almost any setting using custom security templates.

Note: In the next report in this series, "Advanced Group Policy Objects," I'll offer detailed information on customizing security templates and ADM templates.

Scripts (Startup/Shutdown)
The first subcategory under the Windows Settings involves the scripts that can be targeted to computer accounts. This is a new feature for Active Directory that can be quite powerful. There are two different settings for computer-based scripts: startup and shutdown. Each is straightforward, yet provides flexibility and power.
Startup scripts can map drives, connect to printers, start services, stop services and much more. The great thing about startup scripts is that they will configure the computer before the user attempts to log on. You can use scripts that include the following file types: BAT, EXE, and VBS. This array of script types gives you the freedom to do almost anything that you want in the script.
Scripts run as the Local System. This gives them the full capabilities that are associated with being able to run as the Local System.
Shutdown scripts can clean up network connections, stop services, back up files and more. A shutdown script can speed up shutdown of a computer, since it will clean up services that can take a long time to time out during the shutdown process.
Adding a script is as simple as right-clicking on either Startup or Shutdown and selecting Properties from the menu. Then, just select the Add button to select a script that you want to use. Ideally, the scripts will all live under the NetLogon share, but you can browse for the script anywhere on the computer.
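Because these scripts run as Local System, whoever can modify the script file (or the folder it lives in) effectively runs code as the computer. The following check, added here as an example and not part of the original report, lists every identity holding a write-class right on a script path and flags any that are not on an administrator allow-list; the demo path and the NetLogon path are constructed placeholders.

```powershell
# Added example (not from the original report): find non-administrative
# identities that can alter a startup/shutdown script or its folder.
# Rights that let an identity change, replace or delete the script.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Identities allowed to write; wildcards are matched with -like so any
# domain's "Domain Admins" is accepted. CREATOR OWNER is deliberately absent:
# it hands full control to whoever creates a file in the folder.
$TrustedWriters = @(
  'NT AUTHORITY\SYSTEM',
  'BUILTIN\Administrators',
  'NT SERVICE\TrustedInstaller',
  '*\Domain Admins'
)

function Get-UntrustedWriters {
  param([string]$Path, [string[]]$Trusted = $TrustedWriters)
  $acl = Get-Acl -Path $Path
  foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Generic rights are stored as raw integers, so compare as int.
    if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
    $id = $ace.IdentityReference.Value
    $ok = $Trusted | Where-Object { $id -like $_ } | Select-Object -First 1
    if (-not $ok) {
      [pscustomobject]@{
        Path      = $Path
        Identity  = $id
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
      }
    }
  }
}

# Demo on a constructed script in the user's temp folder: the current user
# is reported, because anyone able to edit this file could run code as SYSTEM
# if it were ever referenced from a GPO. Both the file and its folder are checked.
$demo = Join-Path $env:TEMP 'startup-demo.bat'
Set-Content -Path $demo -Value 'net start Spooler'
$demo, (Split-Path -Path $demo -Parent) |
  ForEach-Object { Get-UntrustedWriters -Path $_ } |
  Format-Table -AutoSize

# For a deployed script point it at the real location, e.g. (placeholder):
#   Get-UntrustedWriters -Path '\\corp.example\NetLogon\startup.bat'
```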

80

2004101communicationsLLChttp://mcpmag.com

Security Settings
One of the most exciting areas in all of the GPO's categories is the Security Settings for the computer accounts. This is where many quality security settings are configured. Plan to spend a lot of time going over these settings, to ensure that you haven't missed any and to determine which ones should apply to each type of computer account in your organization.

Account Policies
One of the most important configurations in any GPO involves Account Policies. This configures the rules for passwords on the domain controllers, for domain user accounts, and for all members of the domain. The account policies are broken down into three different areas of configuration: Password, Account Lockout, and Kerberos. These configurations, along with their default settings, are described in the "Account Policies Break The Rule" section of this book.

Local Policies
"Local Policies" is an unfortunate name for this category of GPO settings. The reason it is unfortunate is that the word "Local" is hard to scope when you're working in a GPO. Here "Local" refers to the local computer that the GPO will affect. The settings on the local computer that this section affects include:

• Audit Policies. The audit policies control what will be audited and recorded in the security log of the Event Viewer. When these policies are configured, they will modify the settings on the target computer.
• User Rights Assignment. User rights are extremely important for security control. When these policies are configured, they modify the target computer, controlling who can do what on that computer. Examples of important user rights include: Log on locally; Access this computer from the network; and Back up and Restore folders and files.
• Security Options. Here is where much of your time will be spent configuring GPOs. The list of security options provides you with a fantastic set of options to control almost any aspect of security on the target computer. For a detailed explanation of what each GPO policy does, refer to the policysettings.xls link listed earlier on Microsoft's Web site. Also, the following list of policies should be researched and tested for your environment, since they provide excellent security for most companies:
  o Accounts: <All configurations under this category>.
  o Interactive logon: Do not display last user name.
  o Interactive logon: Do not require Ctrl+Alt+Delete.
  o Interactive logon: Message text for users attempting to log on.
  o Interactive logon: Message title for users attempting to log on.
  o Microsoft network client: <Digitally signed communication>.
  o Microsoft network server: <Digitally signed communication>.
  o Network access: <All configurations under this category>.
  o Network security: <All configurations under this category>.

Note: This isn't an exhaustive list of the policies under the Security Options section. The other policies are extremely important too, but this list includes the most common policies a company would want to implement. Be sure to research and test all policies to see if your environment will benefit from their configurations.
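One way to verify that the Security Options above actually landed on a computer is to export its effective security settings with the real command secedit /export /cfg <file>.inf and read the [Registry Values] section, where each line has the form MACHINE\<key>\<value>=<regtype>,<data>. The parser and checker below are an added example, not code from the report; the baseline values it expects were chosen for this example, and the INF content is a constructed sample so the script runs offline.

```powershell
# Added example (not from the original report): audit a secedit export
# against a few of the Security Options recommended in the text.
# The registry paths are the standard ones these options map to.
$Expected = @(
  @{ Name = 'Interactive logon: Do not display last user name'
     Path = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'
     Want = '1' }
  @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL (should be Disabled)'
     Path = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD'
     Want = '0' }
  @{ Name = 'Microsoft network client: Digitally sign communications (always)'
     Path = 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature'
     Want = '1' }
  @{ Name = 'Microsoft network server: Digitally sign communications (always)'
     Path = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature'
     Want = '1' }
  @{ Name = 'Network security: LAN Manager authentication level (example minimum)'
     Path = 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'
     Min  = 3 }
)

function Get-SeceditRegistryValues {
  # Parse only the [Registry Values] section of a secedit INF export.
  param([string[]]$IniLines)
  $values = @{}
  $inSection = $false
  foreach ($line in $IniLines) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
    if (-not $inSection -or $t -eq '' -or $t.StartsWith(';') -or $t -notmatch '=') { continue }
    $name, $rest = $t -split '=', 2          # value path = type,data
    $type, $data = $rest -split ',', 2       # data may itself contain commas
    $values[$name.Trim()] = @{ Type = [int]$type; Data = $data }
  }
  return $values
}

function Test-SecurityOptions {
  param([hashtable]$Values, [object[]]$Checks)
  foreach ($c in $Checks) {
    $actual = $Values[$c.Path]
    if ($null -eq $actual) { $state = 'NOT DEFINED' }
    elseif ($c.ContainsKey('Min')) { $state = if ([int]$actual.Data -ge $c.Min) { 'OK' } else { 'WEAK' } }
    else { $state = if ($actual.Data -eq $c.Want) { 'OK' } else { 'WEAK' } }
    [pscustomobject]@{
      Setting = $c.Name
      Actual  = $(if ($actual) { $actual.Data } else { '-' })
      Status  = $state
    }
  }
}

# Constructed sample in the shape of a secedit export (REG_DWORD is type 4).
$SampleInf = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-SecurityOptions -Values (Get-SeceditRegistryValues $SampleInf) -Checks $Expected |
  Format-Table -AutoSize
# Expected from the sample: one OK, three WEAK, and the server signing
# value NOT DEFINED (no GPO has set it at all).

# Live audit (run elevated):
#   secedit /export /cfg C:\audit\effective.inf
#   Test-SecurityOptions -Values (Get-SeceditRegistryValues (Get-Content C:\audit\effective.inf)) -Checks $Expected
```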

82

2004101communicationsLLChttp://mcpmag.com

Event Log
This set of policies allows you to control almost any aspect of the event logs that exist on the target computer. It is always suggested that you make your event logs large enough to track all events between backups of the archived logs. You can also control how the logs are cycled using these policies. The following is a list of the control aspects of the application, security and system logs:

• Log file size.
• Guest group access to the log file.
• Length of time to retain the log file.
• Retention method for the logs.

Restricted Groups
This is one of the most powerful yet confusing areas of the Computer Configuration policy options. The restricted groups allow you to control the membership of groups on the target computer. You can control which objects have membership in certain groups, as well as which groups the group is a member of, as shown in Figure 23, below.

Figure 23. Restricted Groups allow you to control the membership of the group, as well as which groups the group has membership in.

This policy can be useful for controlling both members of the domain, as well as groups in Active Directory. You should control the following groups in the local SAM of computers in the domain:

• Administrators (typically you want to ensure Domain Admins is a member).
• Power Users.
• Backup Operators.
• Remote Desktop Users.

For many of these groups, you'll need to type the group manually into the text box after you select the Add button. The reason for this is that the GPO editor takes the list of users and groups relative to the computer that you're administering the GPO from. If you're administering the GPO from a domain controller, you won't be able to access the list of groups from the local SAM on the target computer you want to control with the policy.
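A practical companion to a Restricted Groups policy is a check that reports where a computer's local groups have drifted from what the policy will enforce (the "Members of this group" list is authoritative, so anything not listed is removed at the next refresh). The script below is an added example, not from the report; it uses Get-LocalGroupMember, which ships with Windows 10 / Server 2016 and later rather than the systems the report covers, and the CORP domain and group names are constructed placeholders.

```powershell
# Added example (not from the original report): compare local SAM group
# membership with the desired membership a Restricted Groups policy would set.
# Names follow the DOMAIN\Name form that Get-LocalGroupMember returns.
$DesiredMembership = @{
  'Administrators'       = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')
  'Power Users'          = @()                       # nobody should be here
  'Backup Operators'     = @('CORP\Backup Service')
  'Remote Desktop Users' = @('CORP\Helpdesk')
}

function Compare-GroupMembership {
  # Pure comparison so it can be exercised with captured data.
  param([string]$Group, [string[]]$Desired, [string[]]$Actual)
  # -contains is case-insensitive, which matches how Windows compares names.
  $extra   = @($Actual  | Where-Object { $Desired -notcontains $_ })  # would be removed by the policy
  $missing = @($Desired | Where-Object { $Actual  -notcontains $_ })  # would be added by the policy
  [pscustomobject]@{
    Group     = $Group
    Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    Extra     = $extra -join '; '
    Missing   = $missing -join '; '
  }
}

function Test-RestrictedGroups {
  param([hashtable]$Desired)
  foreach ($group in $Desired.Keys) {
    try {
      $actual = @(Get-LocalGroupMember -Group $group -ErrorAction Stop | ForEach-Object Name)
    } catch {
      # e.g. Power Users does not exist on every edition: report it and move on.
      [pscustomobject]@{ Group = $group; Compliant = $false; Extra = ''; Missing = "<group not found: $_>" }
      continue
    }
    Compare-GroupMembership -Group $group -Desired $Desired[$group] -Actual $actual
  }
}

# Offline demonstration with a constructed capture: a local user was added to
# Administrators and Domain Admins was removed, the case the text is guarding against.
$captured = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\jsmith")
Compare-GroupMembership -Group 'Administrators' `
  -Desired $DesiredMembership['Administrators'] -Actual $captured | Format-List

# Live run on this computer (requires the LocalAccounts module, run elevated):
#   Test-RestrictedGroups -Desired $DesiredMembership | Format-Table -AutoSize
```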

System Services
If you haven't taken advantage of controlling services through GPOs yet, you'll want to check out this section of the policies. You're able to control any service running on any computer from these policies. You have the option to control how the service starts, as well as the ACL for the service, as shown in Figure 24, below.

Figure 24. GPOs can control system services at boot time, as well as the access to the service controls.

There are two key functions of the system services in a GPO. First, you can control how the service starts. You can disable the service, such that the service can't be started without first enabling the service. Automatic will start the service when the computer starts. Manual won't start the service, but allows for the service to be started by an administrator or an application that requires the service.
Second, the control of starting, stopping, pausing, etc. of services can also be controlled using GPOs. Services have an ACL, which is only accessible through scripting or the GPO. You can't see the ACL on the service from the Services module or the Computer Management console. The power and control over the services using this security is useful, to control who can control the services on the target computer.
The only essential configuration that can't be accomplished from the GPO is establishing the service account. This must be done at the service on the local computer.
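Since the service ACL is visible only through scripting or the GPO, it helps to know how to read it from the command line: sc.exe sdshow <service> prints the ACL as an SDDL string. The parser below is an added example (not from the report) that translates that string into who may start, stop or pause the service; the SDDL it runs on is a constructed sample in the shape of a default service ACL, with one deliberately weak entry.

```powershell
# Added example (not from the original report): decode a service SDDL string
# as printed by "sc.exe sdshow <service>" and list start/stop rights per principal.

# Service-specific access rights as abbreviated in SDDL for service objects.
$ServiceRights = @{
  CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumDependents'
  RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
  SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'; FA = 'FullAccess'
}
# Well-known SID abbreviations that commonly appear on service ACLs.
$KnownSids = @{
  SY = 'LocalSystem'; BA = 'BUILTIN\Administrators'; IU = 'Interactive users'
  SU = 'Service logon'; AU = 'Authenticated Users'; WD = 'Everyone'; BU = 'BUILTIN\Users'
}

function ConvertFrom-ServiceSddl {
  param([string]$Sddl)
  # Only the DACL (D:...) governs control; the SACL (S:...) is auditing.
  $m = [regex]::Match($Sddl, 'D:[A-Z]*(?<dacl>(\([^)]*\))+)')
  if (-not $m.Success) { throw "no DACL found in '$Sddl'" }
  [regex]::Matches($m.Groups['dacl'].Value, '\(([^)]*)\)') | ForEach-Object {
    # ACE fields: type;flags;rights;object_guid;inherit_guid;sid
    $f = $_.Groups[1].Value -split ';'
    $rightsText = $f[2]
    $names = if ($rightsText -match '^0x') { @($rightsText) } else {
      @([regex]::Matches($rightsText, '[A-Z]{2}') | ForEach-Object {
        $code = $_.Value
        if ($ServiceRights.ContainsKey($code)) { $ServiceRights[$code] } else { $code }
      })
    }
    $sid = $f[5]
    [pscustomobject]@{
      Type      = $(switch ($f[0]) { 'A' { 'Allow' } 'D' { 'Deny' } default { $f[0] } })
      Principal = $(if ($KnownSids.ContainsKey($sid)) { $KnownSids[$sid] } else { $sid })
      CanStart  = (($names -contains 'Start') -or ($names -contains 'FullAccess'))
      CanStop   = (($names -contains 'Stop')  -or ($names -contains 'FullAccess'))
      Rights    = ($names -join ',')
    }
  }
}

# Constructed sample: a typical default service DACL plus one extra ACE that
# lets Authenticated Users start and stop the service, the kind of grant a
# reviewer would want a GPO to remove.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)' +
              '(A;;CCLCSWLOCRRC;;;SU)' +
              '(A;;CCLCSWRPWPDTLOCRRC;;;AU)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

ConvertFrom-ServiceSddl -Sddl $SampleSddl |
  Format-Table Type, Principal, CanStart, CanStop -AutoSize

# Live check of one service on this computer (run elevated):
#   ConvertFrom-ServiceSddl -Sddl (((sc.exe sdshow Spooler) -join '').Trim())
```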

Registry
The ACLs for Registry keys can be controlled by this portion of the GPO. This can be limiting, since it is only the Registry key, but the main access to values and data in the Registry is controlled at the key level. After the ACL is configured for the key, the ACL inheritance can also be controlled, as shown in Figure 25, below.

Figure 25. The Registry key ACL inheritance can be controlled from the GPO.

These settings allow you to control how the ACLs on the objects below this key are controlled, as well as how the ACLs on this key are controlled. The top portion of Figure 25 relates to the subkeys and the bottom portion relates to the permissions on this key.

File System
The file system is similar to the Registry, in that you can control both the ACL and the inheritance of the ACLs on the folder as well as subfolders. You can control both files and subfolders using this GPO policy.
If the folder path or file doesn't exist on the computer where you're administering the GPO from, you can just manually type in the path for the folder or file. The path needs to be exact and it needs to exist. If the policy is incorrect or attempts to configure a nonexistent file/folder, the other policies will most likely fail because this policy failed.

Wireless Network (IEEE 802.11) Policies
This is new for Windows Server 2003 and Windows XP Professional GPOs. There are no wireless network policies configured by default, but the wizard will walk you through the creation of a new one. Once you have the new policy name established, you can configure the following key areas of a wireless connection:

• Networks to access. This controls which network the target computer will access. The list includes any available network access point, infrastructure networks only, or ad hoc networks.
• Preferred networks. This option in the policy allows you to configure one or more preferred networks. The SSID is required, as well as the configuration for the wireless network key (WEP). There is an entire tab related to the IEEE 802.1X authentication. This allows you to specify how credentials, such as smart cards or other certificates, are used for authentication.

Public Key Policies
This isn't a new section to the Windows Server 2003/XP GPO, but some of the settings are new. If you're using certificates for authentication, e-mail or any other secure communication, you'll want to take advantage of the new certificate control policies. The following is a list of the different areas under this policy:

• Encrypting File System. This policy controls which user accounts will function as a Data Recovery Agent (DRA) for when encrypted files need to be salvaged. It also allows a configuration that establishes that a DRA isn't needed to encrypt files.
• Automatic certificate request. This allows an administrator to control which types of certificates can be automatically requested by a computer.
• Trusted Root Certification Authorities. This allows an administrator to control the certificates, certificate trust list and certificate revocation list in the target computer's certificate store. This is useful if your organization has its own root CAs that aren't installed on servers. This policy allows you to distribute the root certificates.
• Enterprise Trust. This allows an administrator to control trust to external CAs.

Software Restriction Policies
These policies are new for Windows Server 2003 and Windows XP Professional. When you use software restriction policies, you can define a default security level of Unrestricted or Disallowed for a Group Policy Object (GPO) so that software is either allowed or not allowed to run by default. Exceptions can be created to this default security level for specific software. You can create the following types of rules:

• Hash rules
• Certificate rules
• Path rules
• Internet zone rules

The following tasks can be performed by using these policies:

• You can control which software can run on a computer.
• You can permit specific software to run on multiple user computers.
• You can control trusted publishers to your computer.
• You can prevent software from running on any computer that is in the domain.

The path rule is popular, since it can control an entire path on the target computer. A common path rule will be a combination of multiple rules. One rule will lock down the computer from running any applications. Then, additional specific paths will be established to just allow certain applications.
Here's a sample policy that uses the Path Rule method. This policy controls the WordPad program on the computer. It only allows Wordpad.exe to run on the computer, and nothing else.
1. The security level needs to be set to Disallowed and the default path rule that allows all applications to run is removed. This will remove the ability for all applications to run.
2. Then an individual rule needs to be created for Wordpad.exe.
3. Finally, the additional path rule that you have created needs to include the path for Wordpad.exe, which will exempt it from the removal of the default path rule.
The hash rule is also common. It is common because a sharp user will change the name of files to get around some policies. Not so with the hash rule. The hash rule uses the signature inside the application to lock down allowed or denied access to the application.
Here's a sample policy that uses the Hash Rule method. This policy disables Solitaire and won't let it run, even if the name of the original sol.exe is changed.
1. Create a new hash rule.
2. Then, the new hash rule needs to point to sol.exe.
3. Finally, you configure the hash rule to use the hash signature, instead of just the name.
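To make the path-rule and hash-rule behaviour above concrete, here is an added example (not from the report) that simulates both rule types against real files on disk, with the default level set to Disallowed as in the WordPad sample. Rule precedence follows the documented SRP order (hash rules beat path rules, which beat the default level); the real SRP engine hashed with MD5/SHA-1, so SHA-256 via Get-FileHash is used here as a stand-in, and the executables are constructed placeholder files.

```powershell
# Added example (not from the original report): a miniature SRP evaluator.
$Disallowed   = 'Disallowed'
$Unrestricted = 'Unrestricted'

function New-HashRule {
  # Hash rules identify a file by its content, so a renamed copy still matches.
  param([string]$Path, [string]$Level)
  [pscustomobject]@{ Kind = 'Hash'; Match = (Get-FileHash -Path $Path -Algorithm SHA256).Hash; Level = $Level }
}
function New-PathRule {
  # Path rules match a file or everything under a folder, regardless of content.
  param([string]$Path, [string]$Level)
  [pscustomobject]@{ Kind = 'Path'; Match = $Path.TrimEnd('\'); Level = $Level }
}

function Get-SrpDecision {
  param([string]$File, [object[]]$Rules, [string]$DefaultLevel = $Disallowed)
  $fileHash = (Get-FileHash -Path $File -Algorithm SHA256).Hash
  $hashHit = $Rules | Where-Object { $_.Kind -eq 'Hash' -and $_.Match -eq $fileHash } | Select-Object -First 1
  if ($hashHit) { return "$($hashHit.Level) (hash rule)" }
  # Among path rules the most specific (longest) matching path wins.
  $pathHit = $Rules |
    Where-Object { $_.Kind -eq 'Path' -and ($File -eq $_.Match -or $File.StartsWith($_.Match + '\', 'OrdinalIgnoreCase')) } |
    Sort-Object { $_.Match.Length } -Descending | Select-Object -First 1
  if ($pathHit) { return "$($pathHit.Level) (path rule $($pathHit.Match))" }
  return "$DefaultLevel (default level)"
}

# Constructed lab: an allowed folder holding a "good" app and a banned app,
# plus a renamed copy of the banned app placed in the allowed folder, and an
# unrelated download outside it.
$lab = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path "$lab\Apps", "$lab\Downloads" -Force | Out-Null
Set-Content -Path "$lab\Apps\wordpad.exe"    -Value 'pretend wordpad'
Set-Content -Path "$lab\Apps\sol.exe"        -Value 'pretend solitaire'
Copy-Item   -Path "$lab\Apps\sol.exe" -Destination "$lab\Apps\notes.exe"
Set-Content -Path "$lab\Downloads\setup.exe" -Value 'pretend download'

$rules = @(
  (New-PathRule -Path "$lab\Apps"         -Level $Unrestricted)   # allow the Apps folder
  (New-HashRule -Path "$lab\Apps\sol.exe" -Level $Disallowed)     # ban Solitaire by content
)

foreach ($f in "$lab\Apps\wordpad.exe", "$lab\Apps\sol.exe", "$lab\Apps\notes.exe", "$lab\Downloads\setup.exe") {
  '{0,-22} {1}' -f $f.Substring($lab.Length + 1), (Get-SrpDecision -File $f -Rules $rules)
}
# Apps\wordpad.exe     -> Unrestricted (path rule)
# Apps\sol.exe         -> Disallowed (hash rule)
# Apps\notes.exe       -> Disallowed (hash rule): renaming into the allowed folder did not help
# Downloads\setup.exe  -> Disallowed (default level)
```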

IP Security Policies on Active Directory
These policies are powerful, as well as complex. The IP Security policies can control how computers communicate with one another on the network. The main goal of IP Security is establishing how the computers will protect the data as it is sent from point to point. There are three default IP Security policies, each one having an established configuration for the encryption, authentication, and ports that can be used during communication. The three default policies include:

• Client (Respond only). When this policy is configured, it allows the computer to use the IP Security configurations contained within it when it is asked to use IP Security by the computer initiating the communication.
• Secure Server (Require Security). When this policy is configured, it forces the computer to use IP Security for all communications. If the computer that this computer initiates the communication with couldn't use IP Security, the connection would fail.
• Server (Request Security). When this policy is configured, it attempts to use IP Security with all communications to other computers. If the computer that this computer initiates the communication with couldn't use IP Security, it would just communicate without any encryption or secure communications.

All of these policies can be configured for both a client computer and a server computer. The phrasing of "Client" and "Server" in the policy only specifies which computer is performing the initial communication and which is receiving the initial communication.
For more information on IP Security, go to http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/ipsecure.mspx to read a Microsoft white paper.

Administrative Templates
The administrative templates are packed with excellent configurations for a wide variety of areas of the computer. All of the administrative templates configure a portion of the Registry. When configuring administrative templates, be sure to pay attention to the following concepts:

• Enabling a policy enforces the action that the policy specifies.
  Example: If the "Don't display welcome screen at logon" policy is enabled, the Welcome screen won't be displayed anymore.
• Disabling the policy will do the opposite of what the policy specifies.
  Example: If the "Don't display welcome screen at logon" policy is disabled, the Welcome screen will be displayed at logon.
• Setting a policy to "Not configured" will neutralize this GPO's ability to modify the Registry value. The only way that the Registry value will be altered is for a different GPO (local, or from SDOU) to configure this policy.
• Setting a policy from enabled to "Not configured" or disabled won't set the default value of the Registry back. The GPO or computer doesn't keep track of old values. For a policy that is either on or off, the behavior will function like a light switch. However, when there is a configuration involved, such as a DNS suffix, this value will be recorded in the Registry. When the policy is no longer affecting the computer, the value won't go back to an original state; it will just remove the policy settings from the existing GPO.
• Watch closely for double negatives in the policy wording. Sometimes enabling a policy will remove a setting or feature, where other times it will add a setting or feature.
  Example: The "Disable legacy run list" will need to be enabled for the run list to not be functional. If this were disabled, it would disable a Disable, which would effectively enable the setting.
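The three states above map directly onto the registry: an Administrative Template policy that is Enabled or Disabled writes a value under a Policies key, and "Not configured" is simply the absence of that value, which is why removing a setting from a GPO restores nothing. The script below is an added example (not from the report) that reads a policy's value and spells out the double negative for the legacy run list policy; the value names are the standard ones behind the policies named in the text (verify them against the ADM/ADMX file for your build), and the raw values in the offline walk-through are constructed.

```powershell
# Added example (not from the original report): report an Administrative
# Template policy as Enabled / Disabled / Not configured from its registry value.

function Resolve-PolicyState {
  # Pure logic: translate a raw registry value (or $null) into the editor's states.
  param($RawValue, [hashtable]$Effect)
  if ($null -eq $RawValue) {
    return 'Not configured: no GPO writes this value; whatever the registry holds now stays in effect'
  }
  if ([int]$RawValue -eq 1) { return "Enabled: $($Effect.Enabled)" }
  if ([int]$RawValue -eq 0) { return "Disabled: $($Effect.Disabled)" }
  return "Unexpected value $RawValue"
}

function Get-AdminTemplateState {
  param([hashtable]$Policy)
  # A missing key or value is not an error here: it is the "Not configured" state.
  $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue
  $raw = if ($null -eq $item) { $null } else { $item.($Policy.Name) }
  [pscustomobject]@{
    Policy = $Policy.Policy
    State  = Resolve-PolicyState -RawValue $raw -Effect $Policy.Effect
  }
}

$Policies = @(
  @{ Policy = "Don't display welcome screen at logon"
     Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     Name   = 'NoWelcomeScreen'
     Effect = @{ Enabled = 'welcome screen suppressed'; Disabled = 'welcome screen shown' } }
  @{ Policy = 'Disable legacy run list (Do not process the legacy run list)'
     Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     Name   = 'DisableLocalMachineRun'
     # The double negative spelled out: Disabled here means the run list IS processed.
     Effect = @{ Enabled = 'legacy Run list is NOT processed'; Disabled = 'legacy Run list IS processed (a disabled Disable)' } }
)

# Offline walk-through with constructed raw values for the run-list policy.
foreach ($raw in 1, 0, $null) {
  '{0,-7} {1}' -f $(if ($null -eq $raw) { 'absent' } else { $raw }),
                  (Resolve-PolicyState -RawValue $raw -Effect $Policies[1].Effect)
}

# Live state of both policies on this computer:
$Policies | ForEach-Object { Get-AdminTemplateState -Policy $_ } | Format-List
```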

Windows Components
The Windows components consist of specialized areas of the computer that can be controlled. The areas that can be controlled under this section include:

• NetMeeting
• Internet Explorer
• Application compatibility
• Internet Information Services
• Task Scheduler
• Terminal Services
• Windows Installer
• Windows Messenger
• Windows Media Digital Rights Management
• Windows Media Player
• Windows Update

Most of these categories are new for Windows Server 2003 and XP, mainly because of the influx of requests to get them in the interface. Since the request for these settings was so high, they are all popular. Many settings are basic in that they just disable the service completely. Other settings control finite aspects of the applications, such as the Internet Explorer and Terminal Services categories.

System
Another section that has blossomed from Windows 2000 to Windows Server 2003 and XP is the System section. Here you have a full array of policy categories and settings ranging from User Profiles down to Windows Time Service. Some of the other key categories under the System section include:

• User Profiles
• Logon
• Disk Quotas
• Group Policy
• Remote Assistance
• System Restore

One group of policies that needs mentioning here is under Group Policy. There are 10 policy settings that are essential for a secure GPO environment. These include:

• Registry policy processing
• Internet Explorer Maintenance policy processing
• Software Installation policy processing
• Folder Redirection policy processing
• Scripts policy processing
• Security policy processing
• IP Security policy processing
• Wireless policy processing
• EFS recovery policy processing
• Disk Quota policy processing

All of the policy settings have a key configuration associated with them. If you open up any of these policies, you'll see an interface that is similar to Figure 26.

Figure 26. An entire group of policies can apply policies to computers, even if the GPO hasn't changed, allowing for a more secure environment.

You will notice that there's a checkbox associated with "Process even if the Group Policy objects have not changed." This applies the GPO to the target computer even if there haven't been any alterations to the GPO. The reason this is such a great setting is that if the local administrator of the target computer changes a Registry value or other system parameter that was set by the GPO, at the next refresh it will be set back to what the GPO indicates.

Network
The Network section of the GPO allows the administrator to control key elements of the networking capabilities of the target computer. The three most common areas that are used under the Network section include:

• DNS Client. This controls the DNS configuration of the target computer. This isn't limited to the DNS suffixes, but also how the target computer updates DNS automatically.
• Offline Files. This policy controls almost every aspect of offline files on the target computer, from denying offline files to controlling the balloons that are used by offline files.
• Network Connections. Although the list of policies is short, the settings are common. This area allows you to control both Internet Connection Sharing and Internet Connection Firewall on the target computer.

Printers
The policies in this section control how printers are published to Active Directory, as well as how the client computers that are targeted by this GPO locate the printers in Active Directory. An important theme in these GPOs is the Printer Location capabilities in Active Directory. This allows a user to search more efficiently for the printers, not only within the directory, but physically in the building where the user is located.

User Configuration
Software Settings
This is designed to install software to user accounts. The reason that many administrators like to install to the user account is that the software will follow the user, if the user moves from computer to computer. For security and licensing reasons, even if a targeted user uses an application on a computer, that does not mean that a non-targeted user can use the application that is available on that computer.
For example, if Joe logs on to a computer named XP1, Joe will be able to use all software that is targeted to his user account. Assume that Joe has Microsoft Word assigned to his user account. When Joe logs on, he will have Word on the Start Menu. When Joe logs off of XP1, Word will still be installed. However, when Sally, who does not have the GPO applying to her account, logs on to XP1, she won't have access to Microsoft Word. This access even goes as far as the local Administrator. If the local Administrator logs on to XP1 and goes to the folder where winword.exe resides, the Administrator will even get an "access denied" for running the application.
Software for user accounts can be Assigned or Published.

• Assigned. This puts the application on the Start Menu, as if the application were installed. The application is installed when the user tries to open up the application or attempts to open a document that is associated with the application.
• Published. This puts the application in the Add or Remove Programs list. The user can either install the application from the Add or Remove Programs list, or he or she can simply attempt to open a document that only the application can open. In either case, the application will install on the computer that the user is using.

Both options provide access to the application on demand, either by accessing the application or a document that requires the application to be installed.

Windows Settings
Remote Installation Services
Remote Installation Services (RIS) allows an administrator to deploy the operating system from a boot-time environment. The user is able to select an image from a list of possible computer operating systems and configurations. These policies allow the administrator to control some of the extras that are associated with RIS. These extras include custom setup options, automatic restart options and an additional set of tools to be used with the installation.

Scripts (Logon/Logoff)
There are two settings for user-based scripts: logon and logoff. Logon scripts can map drives, connect to printers, start services, stop services and much more. You can use scripts that include the following file types: BAT, EXE and VBS. This array of script types gives you the freedom to do almost anything you want in the script. Logoff scripts can clean up network connections, stop services, back up files and the like.

Security Settings
The security settings for the user configuration aren't nearly as glamorous and robust as for the computer configuration. For user accounts, there are only two categories of configurations: Public Key Policies and Software Restriction Policies.

Public Key Policies
For the user accounts, it is only possible to control the Enterprise Trust, which mainly controls the trust to external CAs.

Software Restriction Policies
The software restriction policies for the user account are identical to those of a computer account, except that they will target only the one user that is logged on to a computer, not every user that logs on to the computer. This is advantageous if the restrictions for users vary between different types of users. This allows for multiple users to access the same computer, but have access to different applications.
For more details on the different rule options and capabilities of software restriction policies, see the section "Software Restriction Policies."

Folder Redirection
One of the most used policies in all of the policy options is the folder redirection policies. These policies allow administrators to control where user information is stored, for security, compatibility and consistency. There are four main areas that can have redirected folders, which include:

• Application Data. This folder is located in the user's profile. This is one of the key folders for the applications and their configurations for each user. Therefore, it's important to have this folder redirected to a network folder, so it can be secured and backed up regularly.
• Desktop. In order to provide a consistent look and feel for every user in the company or a subset of users in the company, you can have users access a centrally located folder that configures their desktop.
• My Documents. By default most applications store files on the local computer, under the My Documents folder. This is great for home users, but for companies it is a security and stability issue to allow users to store files locally. This will redirect the My Documents and My Pictures folders to a network drive for control and backup reasons.
• Start Menu. Like the Desktop, it is nice to deliver a consistent Start Menu to every user in an area. This provides for easier training, support and troubleshooting.

Each setting comes with some unique options for configuration. First, each folder has the ability to control all users or just a subset of users who have membership in a group. Then, you can control what privilege the user will have over the redirected folder. Finally, there are options to control how the data is moved back and forth between the local computer and the central shared drive, when the policy is implemented and removed, as shown in Figure 27, below.

Figure 27. Folder redirection allows control over the content when the policy is implemented and then removed.

Internet Explorer Maintenance
The user-targeted IE Maintenance is a little different than the computer-targeted IE policies. These policies address the individual choices that users make most often within IE. The categories that can be controlled using this policy section include:

• Browser User Interface. This set of policies can control the look and feel of the IE interface. Areas of control include the title, logos and toolbars.
• Connection. This set of policies controls how the IE browser gains access to the Internet. This could be via modem, LAN, etc. This set also configures the Proxy settings, similar to what the computer configuration provided. (Note: If there were a setting that both the user and computer configuration established, the computer configuration setting would take precedence.)
• URLs. This allows control over the favorite URLs and the important URLs.
• Security. This set of policies allows control over the security zones and content ratings, as well as over Authenticode settings.
• Programs. This allows control over the different IE-based applications and programs. This includes the HTML editor, e-mail, newsgroups, Internet calling, Calendar and contact list.

Administrative Templates
These templates provide the same characteristics as the computer-based template settings, except that these policies will modify the HKEY_CURRENT_USER Registry hive, where the computer settings modify the HKEY_LOCAL_MACHINE hive.

Windows Components
The Windows components consist of specialized areas of the computer that can be controlled. The areas that can be controlled under this section include:

• NetMeeting
• Internet Explorer
• Application compatibility
• Help and Support Center
• Windows Explorer
• Microsoft Management Console
• Task Scheduler
• Terminal Services
• Windows Installer
• Windows Messenger
• Windows Update
• Windows Media Player

Most of these categories are new for Windows Server 2003 and XP, and match the computer categories almost exactly. There are different settings when comparing the computer and user policies. Many of these settings are essential in a company domain, due to the security and excess functionality that these tools give the typical employee.

Start Menu and Taskbar
This set of policies controls almost every aspect of the Start Menu and Taskbar. There is almost nothing in these areas of the user environment that you can't control. If you aren't careful, you can remove almost every option from the user's Start Menu, allowing them only a few options for getting work done. Many companies have taken this approach, not allowing any extra applications on the computer to restrict the user's capability for browsing the Internet or wasting time with Spider Solitaire.

Desktop
This set of policies controls the Active Desktop environment as well as the desktop icons. The control goes from the icons, to the icon context menus, and the ability for a user to save settings upon exit related to their desktop. This set of policies also controls the user's Active Directory search options. This is a bit strange to tuck these settings here, but if you need to alter how the user searches Active Directory, you'll need to look here for those settings.

Control Panel
The Control Panel is full of applets that control important aspects of the computer. Many administrators use these policies to restrict the access to these areas, including:

• Add or Remove Programs. If the user can't add or remove programs, the computer will remain more secure and stable. This set of policies includes an option to completely remove the applet from the user's Control Panel.
• Display. It's easy for a user to incorrectly set a screen resolution or refresh rate that isn't compatible with his or her video adapter or screen. These options can be taken away with policies in this section.
• Printers. These policies control how users use and access printers on the network.
• Access to specific control panel applets. This policy allows you to specify which applets a user can access and which ones the user can't access.

Shared Folders
This is a small but important section for control and security. The two policies in this section control whether or not shares can be published to Active Directory and whether or not DFS (Distributed File System) roots can be published to Active Directory.

Network
Like the computer configuration, this section provides control over the network connections on the computer. This just controls whether or not the user can control the settings. There are two categories under the Network section: offline files and network connections. It's common to configure the network connections policies, to ensure that users can't redirect their network settings to locations that will allow them to access either private data, or data that they shouldn't be working on during business hours.

System
These policies allow control over many different areas of the user environment. Many are common to a corporate setting, to ensure that users are working in a secure and stable environment. Some of the key categories under the System section include:

• User Profiles. These policies allow the administrator to control the profile size, as well as what information is stored in the roaming profile.
• Ctrl+Alt+Del Options. These policies configure the options that are available to the user during the logon process, and when he or she selects a warm reboot during a session.
• Logon. An important set of policies, allowing the administrator to control the run-once list and the legacy run list for the user's environment.
• Group Policy. A variety of settings related to GPOs for the user. Key policies control slow link detection, the refresh interval for the user portion of the GPO and how the user interfaces with the administration of GPOs.

104

2004101communicationsLLChttp://mcpmag.com

The Final Word

Group Policy Objects have many caveats associated with them. There can be multiple GPOs, GPOs at the LSDOU, blocked GPOs, no override GPOs, filtered GPOs, WMI filters attached to the GPOs and others. However, if you can get by without most of these complex settings, GPOs can be implemented quickly and efficiently. A simple implementation of GPOs also provides for a more stable environment that's easier to troubleshoot. Regardless of where you head with your GPO design, make sure you consider the GPOs when you design your OUs. You will thank the time you invested reading this report in the end.
Be sure to watch for the next two reports in this GPO series, "Advanced GPOs" and "Troubleshooting GPOs," on MCPMag.com.