Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] (text version)


Roberta Bragg








Troubleshooting Group Policy Object Design


If network connectivity, DNS, Active Directory replication, and FRS are not the problem, then the problem must be in Group Policy design or implementation. This can mean that either a well thought-out and correct design was not implemented correctly, or the design was flawed to begin with. Finding the root cause can help prevent similar problems in the future. If the designer does not understand Group Policy, he will continue to present flawed designs that will not work even if they are implemented exactly as written. If the implementer makes a mistake and does not learn where the error is, then she will continue to repeat the error.

"Determining If the Policy Has Been Applied" examined reasons why a Group Policy implementation may mean that a GPO is not applied or, if it was applied, why specific security settings might not be applied. If these issues are not the problem, the only remaining possibility is that the correct setting for the desired result is not selected. This might be due to a misunderstanding about what specific settings do, or about the container to which the GPO containing them must be linked.

An example of the first problem might result from reading one of the many confusing setting statements and getting it wrong. For example, the Security Option "Domain member: Disable machine account password changes", if Enabled, will prevent computers from updating their machine account password. If the setting is Disabled, the account password will change periodically. It would be very easy to think that if you want to prevent machine passwords from changing, this setting should be Disabled, when what you want to do is to Enable it. In other words, the use of two negative words (Disable and Disabled) produces a positive: machine account passwords are changed. If the setting had read instead "Domain Member: Change machine passwords periodically", then making the right choice would be easier.

An example of the second problem results when an attempt is made to apply a different password policy for a user in a specific OU. Password policy can be set only in the Domain GPO. Password policy settings made in GPOs linked to specific OUs are disregarded when users log on using their domain account. (If they use a local machine account to log on to a specific machine, the password policy dictated by an OU-level GPO will be effective.)
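The two design mistakes described above can be checked mechanically. The following is an added example, not code from the book: it reviews a security template in the INF syntax used by GptTmpl.inf and reports, in plain language, what the machine account password setting does and which password policy entries are disregarded in an OU-linked GPO. It assumes the setting is stored as the Netlogon registry value DisablePasswordChange; the sample template and the `linked_to` labels are constructed for illustration.

```python
import configparser

# Constructed sample in security-template (GptTmpl.inf) syntax; not from the book.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Registry value behind "Domain member: Disable machine account password changes".
DISABLE_CHANGE = r"machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange"
PASSWORD_POLICY = {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                   "PasswordComplexity", "PasswordHistorySize"}

def review_template(inf_text, linked_to):
    """Return (code, message) findings; linked_to is 'domain' or 'ou' (hypothetical labels)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(inf_text)
    findings = []
    registry = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    for key, raw in registry.items():
        if key.lower() != DISABLE_CHANGE:
            continue
        data = raw.partition(",")[2].strip()  # "4,0" -> type 4 (REG_DWORD), data "0"
        if data == "1":
            findings.append(("MACHINE_PW_FROZEN",
                "Setting is Enabled: machine account passwords will NOT change."))
        else:
            findings.append(("MACHINE_PW_ROTATES",
                "Setting is Disabled: machine account passwords change periodically."))
    access = cp["System Access"] if cp.has_section("System Access") else {}
    ignored = sorted(k for k in access if k in PASSWORD_POLICY)
    if linked_to == "ou" and ignored:
        findings.append(("OU_PASSWORD_POLICY",
            "Ignored for domain account logons, applies only to local accounts: "
            + ", ".join(ignored)))
    return findings

if __name__ == "__main__":
    for code, message in review_template(SAMPLE_INF, "ou"):
        print(code, "-", message)
```
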

Determining where Group Policy settings are misinterpreted and thus misapplied can be an exhausting task. The problem can be alleviated by taking the time to understand what each setting means and where it can be effectively applied before attempting to use it. Far too often, administrators simply read the settings and guess at their meanings. A good source for learning the ins and outs of Group Policy settings is the white paper "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP" at http://www.microsoft.com/downloads/details.aspx?FamilyID=1b6acf93-147a-4481-9346-f93a4081eea8&DisplayLang=en. New settings introduced for Windows XP in SP2 are listed in the Excel file PolicySettings.xls available from http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en.

