Lesson 1: Group Policy Concepts
Before attempting to implement group policy you must be familiar with concepts that affect group policy operations. This lesson defines group policy, explains how group policy is administered, and provides an overview of the group policy settings. It also introduces you to how group policy affects startup and logon, how it is processed, and how security groups are used to filter group policy.
After this lesson, you will be able to
- Explain the purpose and function of group policy
- Explain how to delegate administrative control of group policy
- Identify group policy settings
- Explain how group policy affects startup and logon
- Describe how group policy is processed
- Explain how security groups can be used to filter group policy
Estimated lesson time: 35 minutes
What Is Group Policy?
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and organizational units (OUs) to specify the behavior of users' desktops. For example, using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.
Group Policy Objects
To create a specific desktop configuration for a particular group of users, you create group policy objects (GPOs). GPOs are collections of group policy settings. Each Windows 2000 computer has one local GPO, and may in addition be subject to any number of nonlocal (Active Directory-based) GPOs.
One local GPO is stored on each computer whether or not the computer is part of an Active Directory environment or a networked environment. However, because the local GPO settings can be overridden by nonlocal GPOs, the local GPO is the least influential if the computer is in an Active Directory environment. In a non-networked environment (or in a networked environment lacking a Windows 2000 domain controller), the local GPO's settings are more important because they are not overwritten by nonlocal GPOs.
Nonlocal GPOs are linked to Active Directory objects (sites, domains, or OUs) and can be applied to either users or computers. To use nonlocal GPOs, you must have a Windows 2000 domain controller installed. Following the properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.
This lesson discusses nonlocal GPOs unless otherwise specified.
Delegating Control of Group Policy
You can determine which administrative groups can administer (create, modify, delete) GPOs by defining access permissions for each GPO. By assigning Read and Write permissions on a GPO to an administrative group, you delegate control of that GPO to the group.
The Group Policy Snap-In
A Microsoft Management Console (MMC) snap-in is used to organize and manage the many group policy settings in each GPO. The snap-in for the Default Domain Controllers Policy GPO is shown in Figure 12.1.
Figure 12.1 Group Policy snap-in
Ways to Open the Group Policy Snap-In
You can open the Group Policy snap-in in several ways, as shown in Table 12.1, depending on what action you want to perform.
Table 12.1 Ways to Open the Group Policy Snap-In
To Apply Group Policy To | Do This |
---|---|
The local computer (local GPO) | Open the local GPO that is stored on the local computer, as described in "To open the local Group Policy snap-in," then set the group policy setting in the Group Policy snap-in. Local security settings only are available by selecting Local Security Policy from the Administrative Tools menu. |
Another computer (local GPO) | Open the local GPO that is stored on the Windows 2000 network computer, as described in "To open the local Group Policy snap-in," and then browse to the network computer. You must be an administrator of the network computer. |
A site | Open a GPO as described in "To open the Group Policy snap-in from Active Directory Sites and Services," and then link a GPO to the intended site. |
A domain | Open a GPO as described in "To open the Group Policy snap-in from Active Directory Users and Computers," and then link a GPO to the intended domain. |
An organizational unit | Open a GPO as described in "To open the Group Policy snap-in from Active Directory Users and Computers," and then link a GPO to the intended OU. You can also link a GPO to an OU higher in the Active Directory hierarchy, so that the OU can inherit group policy settings. |
Any existing GPO or set of GPOs | Create and save your own custom MMC console. |
To open the local Group Policy snap-in
1. Open Microsoft Management Console.
2. On the MMC console's menu bar, click Console, and then click Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, on the Standalone tab, click Add.
4. In the Add Standalone Snap-In dialog box, click Group Policy, and then click Add.
5. In the Select Group Policy Object dialog box, ensure that Local Computer appears in the Group Policy Object box. Click Finish, then click Close on the Add Standalone Snap-In dialog box.
6. In the Add/Remove Snap-In dialog box, click OK.
The Group Policy snap-in for the local computer is now available.
To open the Group Policy snap-in from Active Directory Sites and Services
1. Open Active Directory Sites and Services.
2. In the console tree, right-click the site you want to set group policy for, then click Properties.
3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an existing GPO, then click Edit. (Or, click New to create a new GPO, and then click Edit.)
The Group Policy snap-in for the site is now available.
To open the Group Policy snap-in from Active Directory Users and Computers
1. Open Active Directory Users and Computers.
2. In the console tree, right-click the domain or OU you want to set group policy for, then click Properties.
3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an existing GPO, then click Edit. (Or, click New to create a new GPO, and then click Edit.)
The Group Policy snap-in for the domain or OU is now available.
Group Policy Settings
Group policy settings are contained in a GPO and determine the user's desktop environment. There are two types of group policy settings: computer configuration settings and user configuration settings.
Computer and User Configuration Settings
Computer configuration settings are used to set group policies applied to computers, regardless of who logs on to them. Computer configuration settings are applied when the operating system initializes.
User configuration settings are used to set group policies applied to users, regardless of which computer the user logs on to. User configuration settings are applied when users log on to the computer.
NOTE
Although some settings are user interface settings—for example, the background bitmap or the ability to use the Run command on the Start menu—they can be applied to computers using computer configuration settings.
Both computer configuration settings and user configuration settings include Software Settings, Windows Settings, and Administrative Templates.
Software Settings
For both the computer configuration and user configuration, Software Settings (see Figure 12.2) contains only Software Installation settings by default. Software Installation settings help you specify how applications are installed and maintained within your organization. Software Installation settings also provide a place for independent software vendors to add settings.
You manage an application within a GPO that, in turn, is associated with a particular Active Directory container—a site, domain, or OU. Applications can be managed in one of two modes: assigned or published. You assign an application to a computer when you want computers or people managed by the GPO to have the application. You publish an application when you want the application to be available to people managed by the GPO, should a person want the application. You cannot publish an application to computers. More information on setting software installation using group policy is provided in Lesson 4.
Figure 12.2 Software settings
Windows Settings
For both the computer configuration and user configuration, Windows Settings (see Figure 12.3) holds Scripts and Security Settings.
Scripts allow you to specify two types of scripts: startup/shutdown and logon/logoff. Startup/shutdown scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off the computer. When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, Windows 2000 executes the scripts from top to bottom. You can determine the order of execution for multiple scripts in the Properties dialog box. When a computer is shut down, Windows 2000 first processes logoff scripts followed by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes to process, you must adjust the timeout value with a software policy.
Administrators can use any ActiveX scripting language they are comfortable with. Some possibilities include VBScript, JScript, Perl, and MS-DOS-style batch files (.bat and .cmd).
Security Settings allows a security administrator to manually configure security levels assigned to a local or nonlocal GPO. This can be done after, or instead of, using a security template to set system security. For details on system security, see Chapter 13, "Administering a Security Configuration."
For the user configuration only, Windows Settings holds additional group policy settings for Internet Explorer Maintenance, Remote Installation Services, and Folder Redirection. Internet Explorer Maintenance allows you to administer and customize Microsoft Internet Explorer on Windows 2000 computers. Remote Installation Services is used to control the behavior of remote operating system installation. Optionally, this can be used to provide customized packages for non-Windows 2000 clients of Active Directory. (Group policy requires a genuine Windows 2000 client, not merely a pre-Windows 2000 client of Active Directory, however.) Folder Redirection allows you to redirect Windows 2000 special folders (My Documents, Application Data, Desktop, and Start menu) from their default user profile location to an alternate location on the network, where they can be centrally managed. More information on redirecting special folders using group policy is provided in Lesson 5.
Figure 12.3 Windows settings
Administrative Templates
For both the computer and user configurations, Administrative Templates (see Figure 12.4) contains all registry-based group policy settings, including settings for Windows Components, System, and Network. Windows Components allows you to administer Windows 2000 components including NetMeeting, Internet Explorer, Windows Explorer, Microsoft Management Console, Task Scheduler, and Windows Installer. System is used to control logon and logoff functions and group policy itself. Network allows you to control settings for Offline Files and Network and Dial-Up Connections.
For the computer configuration only, Administrative Templates contains additional group policy settings for Printers. Additionally, the System node contains Disk Quotas, Domain Name System (DNS) Client, and Windows File Protection.
For the user configuration only, Administrative Templates contains additional registry-based group policy settings, including settings for Start Menu & Taskbar, Desktop, and Control Panel. Start Menu & Taskbar settings control a user's Start menu and taskbar, and Desktop settings control the appearance of a user's desktop. Control Panel settings determine the Control Panel options available to a user.
In Administrative Templates there are more than 450 of these settings available for configuring the user environment. In the registry, computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM) and user configurations are saved in HKEY_CURRENT_USER (HKCU).
Figure 12.4 Administrative templates
NOTE
You can display administrative template settings by clicking the Administrative Templates node, clicking View, then clicking Show Policies Only to show all settings, or Show Configured Policies Only to show only those settings that have been configured.
The MMC Snap-In Model
The nodes of the Group Policy snap-in are themselves MMC snap-in extensions. By default, all the available Group Policy snap-in extensions are loaded when you start the Group Policy snap-in. You can modify this default behavior by using the MMC method of creating custom consoles and by using policy settings to control the behavior of MMC itself. Use the Administrative Templates node to configure these policy settings.
Using this extension model, developers can create an MMC extension to the Group Policy snap-in to provide additional policies. These snap-in extensions may in turn be extended. An example of such a snap-in is the Security Settings snap-in, which itself includes several snap-in extensions.
Group Policy Snap-In Namespace
The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs, in the format shown in the following example:
Default Domain Controllers Policy [server1.microsoft.com] Policy
How Group Policy Affects Startup and Logon
The following sequence shows the order in which computer configuration and user configuration settings are applied when a computer starts and a user logs on:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started.
2. An ordered list of GPOs is obtained for the computer. The list contents may depend on these factors:
   - Whether the computer is part of a Windows 2000 domain, and is therefore subject to group policy through Active Directory.
   - The location of the computer in Active Directory.
   - If the list of GPOs has not changed, then no processing is done. You can use a group policy setting to change this behavior.
3. Computer configuration settings are processed. This occurs synchronously by default, and in the following order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on. No user interface is displayed while computer configuration settings are being processed. See the section "How Group Policy Is Processed" for details about GPO processing.
4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default timeout is 600 seconds (10 minutes). You can use several group policy settings to modify this behavior.
5. The user presses Ctrl+Alt+Delete to log on.
6. After the user is validated, the user profile is loaded, governed by the group policy settings in effect.
7. An ordered list of GPOs is obtained for the user. The list contents may depend on these factors:
   - Whether the user is part of a Windows 2000 domain, and is therefore subject to group policy through Active Directory.
   - Whether loopback is enabled, and the state (Merge or Replace) of the loopback policy setting. Refer to the section "How Group Policy Is Processed" for more information about loopback.
   - The location of the user in Active Directory.
   - If the list of GPOs to be applied has not changed, then no processing is done. You can use a policy setting to change this behavior.
8. User configuration settings are processed. This occurs synchronously by default, and in the following order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on. No user interface is displayed while user policies are being processed. See the section "How Group Policy Is Processed" for details about GPO processing.
9. Logon scripts run. Unlike Windows NT 4.0 scripts, group policy-based logon scripts are run hidden and asynchronously by default. The user object script runs last.
10. The operating system user interface prescribed by group policy appears.
How Group Policy Is Processed
Group policy settings are processed in the following order:
1. Local GPO. Each Windows 2000 computer has exactly one GPO stored locally.
2. Site GPOs. Any GPOs that have been linked to the site are processed next. Processing is synchronous; the administrator specifies the order of GPOs linked to a site.
3. Domain GPOs. Multiple domain-linked GPOs are processed synchronously; the administrator specifies the order of GPOs linked to a domain.
4. OU GPOs. GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and so on. Finally, the GPOs linked to the OU that contains the user or computer are processed. At the level of each OU in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several group policies are linked to an OU, then they are processed synchronously in an order specified by the administrator.
This order means that the local GPO is processed first, and GPOs linked to the OU of which the computer or user is a direct member are processed last, overwriting the earlier GPOs. For example, you set up a domain GPO to allow anyone to log on interactively. However, an OU GPO, set up for the domain controller, prevents everyone from logging on except for certain administrative groups. Figure 12.5 shows the relationship of group policy and Active Directory.
Figure 12.5 Group Policy and the Active Directory
Exceptions to the Processing Order
The default order of processing group policy settings is subject to the following exceptions:
- A computer that is a member of a workgroup processes only the local GPO.
- No Override. Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override with respect to that site, domain, or OU, so that none of its policy settings can be overridden. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy (or higher in the hierarchy specified by the administrator at each fixed level in Active Directory) takes precedence. No Override is applied to the GPO link.
- Block Policy Inheritance. At any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, GPO links set to No Override are always applied and cannot be blocked. Block Policy Inheritance is applied directly to the site, domain, or OU. It is not applied to GPOs, nor is it applied to GPO links. Thus, Block Policy Inheritance deflects all group policy settings that reach the site, domain, or OU from above (by way of linkage to parents in the Active Directory hierarchy) no matter what GPOs those settings originate from.
- Loopback setting. Loopback is an advanced group policy setting that is useful on computers in certain closely managed environments such as kiosks, laboratories, classrooms, and reception areas. Loopback provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user's settings come from a GPO list that depends on the user's location in Active Directory. The ordered list goes from site-linked to domain-linked to OU-linked GPOs, with inheritance determined by the location of the user in Active Directory and in an order specified by the administrator at each level. Loopback can be Not Configured, Enabled, or Disabled, as can any other group policy setting. In the Enabled state, loopback can be set to Merge or Replace mode.
  - Replace. In this case, the GPO list for the user is replaced in its entirety by the GPO list already obtained for the computer at computer startup (during Step 2 in "How Group Policy Affects Startup and Logon"). The computer's GPOs replace the user GPOs normally applied to the user.
  - Merge. In this case, the GPO list is concatenated. The GPO list obtained for the computer at computer startup (Step 2 in "How Group Policy Affects Startup and Logon") is appended to the GPO list obtained for the user at logon (Step 7). Because the GPO list obtained for the computer is applied later, it has precedence if it conflicts with settings in the user's list.
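As an added illustration (not code from the training kit or from Windows itself), the following Python model computes the ordered GPO list from the processing order and the exceptions above: No Override on a link, Block Policy Inheritance on a container, and loopback Merge or Replace, then resolves settings so that the GPO applied last wins. All container, GPO and setting names are constructed for the example.

```python
"""Constructed model of the Windows 2000 GPO processing order: local GPO, then
site-, domain- and OU-linked GPOs, with the No Override, Block Policy
Inheritance and loopback exceptions. Not Microsoft code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Link:
    gpo: str
    no_override: bool = False        # No Override is set on the link, not the GPO


@dataclass
class Container:                     # a site, domain, or OU
    name: str
    links: List[Link] = field(default_factory=list)   # administrator-specified order
    block_inheritance: bool = False  # Block Policy Inheritance is set on the container


LOCAL_GPO = "Local GPO"


def gpo_list(chain: List[Container]) -> List[str]:
    """chain runs from the site down to the OU holding the user or computer.
    Returns the processing order; a later GPO overwrites an earlier one."""
    normal: List[str] = []
    enforced: List[str] = []         # hierarchy order, highest container first
    for c in chain:
        if c.block_inheritance:      # deflect everything arriving from above ...
            normal = []              # ... except No Override links, which survive
        for link in c.links:
            (enforced if link.no_override else normal).append(link.gpo)
    # The local GPO is not linked to any parent container, so it is always first
    # (least influential). No Override GPOs go last so nothing overwrites them;
    # the one highest in the hierarchy is applied very last and takes precedence.
    return [LOCAL_GPO] + normal + list(reversed(enforced))


def user_gpo_list(user_chain: List[Container], computer_chain: List[Container],
                  loopback: Optional[str] = None) -> List[str]:
    """loopback: None (not configured/disabled), 'Replace' (computer list only)
    or 'Merge' (computer list appended, so it wins on conflict)."""
    if loopback == "Replace":
        return gpo_list(computer_chain)
    if loopback == "Merge":
        return gpo_list(user_chain) + gpo_list(computer_chain)
    return gpo_list(user_chain)


def resolve(order: List[str], settings: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply each GPO's configured settings in order. A Not Configured setting is
    simply absent, so it neither sets nor clears anything; Disabled is a value
    like any other and is inherited as Disabled."""
    effective: Dict[str, str] = {}
    for gpo in order:
        effective.update(settings.get(gpo, {}))
    return effective


# Constructed scenario from the lesson: the domain GPO lets anyone log on
# interactively, while the Domain Controllers OU GPO restricts it to admins.
SITE = Container("Default-First-Site")
DOMAIN = Container("example.local", [Link("Default Domain Policy")])
DC_OU = Container("Domain Controllers", [Link("Default Domain Controllers Policy")])
KIOSK_OU = Container("Kiosks", [Link("Kiosk Lockdown")], block_inheritance=True)
SETTINGS = {
    "Default Domain Policy": {"LogOnLocally": "Everyone"},
    "Default Domain Controllers Policy": {"LogOnLocally": "Administrators"},
    "Kiosk Lockdown": {"RunCommand": "Disabled"},
}


def dc_logon_right(no_override_on_domain: bool = False) -> str:
    domain = Container("example.local", [Link("Default Domain Policy", no_override_on_domain)])
    return resolve(gpo_list([SITE, domain, DC_OU]), SETTINGS)["LogOnLocally"]


if __name__ == "__main__":
    print(dc_logon_right())                      # OU GPO processed last: Administrators
    print(dc_logon_right(True))                  # No Override on the domain link: Everyone
    print(user_gpo_list([SITE, DOMAIN], [SITE, DOMAIN, KIOSK_OU], "Replace"))
```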
Group Policy Inheritance
In general, group policy is passed down from parent to child containers. If you have assigned a separate group policy to a parent container, that group policy applies to all containers beneath the parent container, including the user and computer objects in the container. However, if you specify a group policy setting for a child container, the child container's group policy setting overrides the setting inherited from the parent container.
If a parent OU has policy settings that are not configured, the child OU doesn't inherit them. Policy settings that are disabled are inherited as disabled. Also, if a policy is configured for a parent OU, and the same policy is not configured for a child OU, the child inherits the parent's policy setting.
If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied. Policies are inherited as long as they are compatible. For example, if the parent's policy causes a certain folder to be placed on the desktop and the child's setting calls for an additional folder, the user sees both folders.
If a policy configured for a parent OU is incompatible with the same policy configured for a child OU, the child does not inherit the policy setting from the parent. The setting in the child is applied.
Using Security Groups to Filter Group Policy
Because you can link more than one GPO to a site, domain, or OU, you may need to link GPOs associated with other directory objects. By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.
Lesson Summary
In this lesson you learned that group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to define settings of various components that make up the users' desktop environment. To create a specific desktop configuration for a particular group of users, you create GPOs, which are collections of group policy settings. You learned that you can determine which administrative groups can administer (create, modify, delete) GPOs by defining access permissions for each GPO.
You walked through the various group policy settings. There are two types of group policy settings: computer configuration settings and user configuration settings. Both computer configuration settings and user configuration settings include Software Settings, Windows Settings, and Administrative Templates.
You examined in detail how group policy affects startup and logon and how it is processed. Computer configuration settings are processed first, followed by user configuration settings. The settings are processed synchronously by default in the following order: local GPO, site GPOs, domain GPOs, and OU GPOs. Exceptions to this processing order include the No Override and Block Policy Inheritance options and the Loopback group policy setting.
Finally, you learned that by setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.