Using Group Policy

Centralized management of computer and user configuration settings within Windows Server 2003 is accomplished through Group Policy management, which was introduced in Windows Server 2000. Group Policy settings are configured within Group Policy Objects (GPOs), which can be linked to container locations throughout the Active Directory. The container objects will inherit the proper GPO settings based on object location within the site, domain, or OU to which the GPO has been linked. Group Policy settings are grouped into the following general categories:

  • Registry-Based Policy—These settings are used for Registry-based configurations such as the automatic removal of the Run option within the Start menu.

  • Security Settings—These settings include security settings for local, domain, and network connections as well as software restriction management based on access path.

  • Software Restrictions—These settings can be used to configure the accessibility of individual software packages throughout the directory, limiting the damage that virus programs or undesirable software can cause.

  • Software Distribution and Installation—These settings are used to manage the installation, update, and removal of approved software packages based on organizational factors and group membership.

  • Computer and User Scripts—Scripts can be written for automatic configuration of the local environment at computer startup and shutdown, or user logon and logoff.

  • Roaming User Profiles and Redirected Folders—These settings can be used to configure user environment storage locations, such as the location of the My Documents folder path, along with details for users with roaming profiles.

  • Offline Folders—These settings can be used to configure the synchronization options and details for offline file management.

  • Internet Explorer Maintenance—These settings can be used to configure user environment details when utilizing the Internet Explorer browser, such as security zones and privacy settings.

Configuration of individual settings is managed within the Group Policy Object Editor (see Figure 3.8), which is almost identical to its Windows Server 2000 equivalent. Windows Server 2003 has added more than 200 new settings that can be configured using this tool.

Figure 3.8 The Group Policy Object Editor showing current manipulation of the Maximum Password Age policy setting.

Using the Group Policy Management Console

One key technology introduced in Windows Server 2003 is the Group Policy Management Console (GPMC), which brings together many standard management functions for the manipulation of GPOs and their links into a single utility.

NOTE

The GPMC utility is not included in the Windows Server 2003 Administrative Tools package (Adminpak.msi), but is available as a free download (gpmc.msi) from Microsoft's download site: http://www.microsoft.com/downloads/details.aspx?FamilyID=f39e9d60-7e41-4947-82f5-3330f37adfeb&DisplayLang=en.

Using this utility, individual GPOs can be configured and linked, and each link's enforcement managed through a simple user interface, as shown in Figure 3.9.

Figure 3.9 The Group Policy Management Console showing a current manipulation of the enforcement status of the Default Domain Policy link to the mydomain.mycorp.com domain.

The current status of each GPO can be manipulated using the GPMC, as shown in Figure 3.10.

Figure 3.10 The Group Policy Management Console showing a current manipulation of the GPO status of the Default MyDomain Policy.

The GPMC also includes a well-developed reporting capability, which can be used to display the settings of an individual GPO, as shown in Figure 3.11.

Figure 3.11 The Group Policy Management Console showing a report of the current Default MyDomain Policy GPO settings.

Because accounts and groups inherit Group Policy settings based on their access privileges, the GPMC includes the capability to manipulate GPO delegation, as shown in Figure 3.12.

Figure 3.12 The Group Policy Management Console showing the current delegation settings for the groups and users with permissions to the Default MyDomain Policy.

By manipulating the privileges for each group or user, it's possible to further refine the application of Group Policy settings based on as complex a scheme of inheritance as is desirable. To block the application of a particular GPO's settings to a group or user, the rights to Read and Apply Group Policy can be denied, as shown in Figure 3.13.

Figure 3.13 Restricting the Read and Apply Group Policy rights of the Workgroup Leads group with regard to the Default MyDomain Policy.

The GPMC provides a convenient method for the review of all linked GPOs for a particular container, including the order in which the links will be evaluated, as shown in Figure 3.14.

Figure 3.14 The Group Policy Management Console showing all linked GPOs and their evaluation order for the mydomain.myserver.com domain.

Copying a GPO

The GPMC can be used to copy an existing GPO to any trusted domain in which the administrator using the GPMC utility has the right to create new GPOs. This can be accomplished by the following:

  1. After adding the source and target domains to the GPMC and ensuring that the necessary rights have been granted to the account performing the migration, expand the Group Policy Objects node of the source domain.

  2. Drag and drop the desired GPO from the source domain's Group Policy Objects container to the Group Policy Objects container in the target domain. Alternatively, right-click the source GPO, select Copy, then right-click the target domain's container and select Paste. Either action opens the Cross-Domain Copying Wizard. Click Next.

  3. Specify whether the copied GPO will use the default permissions for new GPOs or if the original GPO's permissions should be migrated and preserved.

  4. After the wizard has scanned the new GPO's settings, specify a migration map for any references to local security principals. Clicking Next lets you choose between the default migration mapping and item-by-item migration tables.

  5. After the selection of all migration mapping, you can review the pending migration and then click the Finish button to complete the copying process.

Backing Up and Restoring GPOs

In addition to the ability to copy GPOs between domains, the GPMC can also be used to back up existing GPOs so that they can be recovered later through a restore procedure. Backing up a GPO stores a copy of the GPO's settings to a selected file location, which can be used to store multiple versions of the same GPO, allowing for versioned recovery to prior GPO settings through a simple restoration of the earlier form. A GPO backup can be accomplished by performing the following steps:

  1. Within the GPMC, right-click the desired GPO and select the option to Back Up from the drop-down list provided.

  2. Provide a location in which to store the GPO backup and an optional unique description for the backup.

  3. Click the Backup button.

CAUTION

It's possible to back up all GPOs by right-clicking on the Group Policy Objects node and selecting Back Up All from the options provided.

Restoration of an existing backup can be accomplished by the following procedure:

  1. Within the GPMC, right-click the desired GPO and select the option to Restore from Backup from the drop-down list provided.

  2. Provide the backup location used previously to store the GPO backups.

  3. Select the desired backup file and choose to view the settings of the highlighted backup before restoration, if desired.

  4. Provide the details of the pending operation; click Finish to perform the restoration.

It's also possible to manage all existing backups by right-clicking on the Group Policy Objects node and selecting Manage Backups from the drop-down list of options. Within the Manage Backups dialog box, you can view a listing of existing backups that can be restored and deleted from this interface; you can also view the settings for each.

Importing GPO Settings

Previous GPO backups can also be used for migration of settings when interforest GPO copying is not convenient, such as between testing and production environments. The following procedure can be used to perform an importation of GPO settings from an available backup:

  1. Within the GPMC, create a new GPO, or choose an existing one, to serve as the target for the imported settings.

  2. Right-click on the target GPO and select Import Settings from the drop-down list of options provided to open the Import Settings Wizard.

  3. You'll be prompted with the option to back up the current settings of the existing GPO before performing the import operation.

  4. After selecting the backup source location and specific GPO backup, a scan will be performed. If any local security principals or UNC paths must be migrated, you'll be prompted to provide a migration mapping before the import procedure begins.

  5. Click the Finish button to allow the importation of previously backed up settings to the target GPO, overwriting its current settings.

Configuring the Resultant Set of Policy

The GPMC includes several features beyond the manipulation of individual GPO links, such as the ability to evaluate the overall Resultant Set of Policy (RSoP) with regard to a particular account or group, as shown in Figure 3.15.

This capability is invaluable for troubleshooting the resulting settings that are produced through the application of GPO links across many levels of container inheritance. Each resulting setting and the GPO link that is its source can be displayed, as shown in Figure 3.16.

In addition to static information such as GPO settings, the GPMC's reporting capability for modeling Resultant Set of Policy details can also be used to review policy-related events generated within the target system's event logs, as shown in Figure 3.17.

Figure 3.15 The Group Policy Management Console showing an evaluation of the RSoP for the Administrator account.

Figure 3.16 The Group Policy Management Console showing each setting and the Winning GPO that produces the configuration result.

Figure 3.17 The Group Policy Management Console showing policy-related events queried from the target server's event logs.

Performing Policy Simulation

The GPMC also includes the capability to perform an evaluative simulation of the effect of a particular GPO's application to the current GPO configuration through the use of the Group Policy Modeling subcomponent, which includes the ability to perform a simulated application of a GPO's settings based on a detailed query specification, as shown in Figure 3.18.

Figure 3.18 The Group Policy Management Console showing the query settings for an evaluation of GPO application.

Group Policy settings can be evaluated within this testing environment before the results are rolled out to the production environment. This feature, along with others present within the GPMC, makes it possible to perform complex troubleshooting and testing of planned changes to policy settings, facilitating centralized management over even very extensive and complex directory structures.
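The precedence rules that the GPMC screens above expose (link evaluation order, enforced links, blocked inheritance, GPO status, and denied Read/Apply rights) determine the Winning GPO reported for each setting in an RSoP report. The following model is an added example for this chapter, not code from the book or from Microsoft; the domain, OUs, GPO names, group names, and setting names are constructed sample data, and the Local GPO (applied before the site) is omitted.

```python
"""Model of how the GPMC decides the 'winning GPO' for each RSoP setting.
Added example, not Microsoft code; all containers, GPOs and values are
constructed, and the Local GPO is left out."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> configured value
    enabled: bool = True           # GPO status (Figure 3.10); a disabled GPO is skipped
    apply_denied: set = field(default_factory=set)  # groups denied Read/Apply (Figure 3.13)


@dataclass
class Link:
    gpo: GPO
    order: int                     # link order (Figure 3.14): 1 is applied last and wins
    enforced: bool = False         # enforcement status of the link (Figure 3.9)
    enabled: bool = True           # a disabled link is ignored entirely


@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False


def apply_sequence(chain, groups):
    """chain runs from the site (or domain) down to the OU holding the object.
    Returns the GPOs in application order; a later GPO overrides an earlier one."""
    def usable(link):
        return link.enabled and link.gpo.enabled and not (groups & link.gpo.apply_denied)

    def by_precedence(container):
        # higher link-order numbers are applied first so that link order 1 wins
        return sorted(container.links, key=lambda l: -l.order)

    # Block Inheritance drops the non-enforced links of every container above it
    start = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            start = i

    seq = []
    for container in chain[start:]:          # 1. non-enforced links, top-down
        seq += [l.gpo for l in by_precedence(container) if not l.enforced and usable(l)]
    for container in reversed(chain):        # 2. enforced links, bottom-up, so an
        seq += [l.gpo for l in by_precedence(container) if l.enforced and usable(l)]
    return seq                               #    enforced domain link beats everything below


def resultant_set(chain, groups):
    """Return {setting: (value, winning GPO)} for a principal in the given groups."""
    result = {}
    for gpo in apply_sequence(chain, groups):
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


# Constructed sample: the domain from the figures, two OUs and four GPOs.
DEFAULT_DOMAIN = GPO("Default Domain Policy",
                     {"MaximumPasswordAge": 42, "MinimumPasswordLength": 8})
MYDOMAIN = GPO("Default MyDomain Policy",
               {"RemoveRunFromStartMenu": True, "ScreenSaverTimeout": 600},
               apply_denied={"Workgroup Leads"})
STAFF_DESKTOP = GPO("Staff Desktop", {"ScreenSaverTimeout": 900})
LEADS_DESKTOP = GPO("Leads Desktop", {"MaximumPasswordAge": 90})

DOMAIN = Container("mydomain.mycorp.com",
                   [Link(DEFAULT_DOMAIN, 1, enforced=True), Link(MYDOMAIN, 2)])
STAFF_OU = Container("Staff", [Link(STAFF_DESKTOP, 1)])
LEADS_OU = Container("Leads", [Link(LEADS_DESKTOP, 1)], block_inheritance=True)


def staff_user():
    return resultant_set([DOMAIN, STAFF_OU], {"Domain Users"})


def lead_user():
    # Block Inheritance on the OU plus denied Apply on the MyDomain GPO: only the
    # enforced Default Domain Policy still reaches this user from the domain
    return resultant_set([DOMAIN, LEADS_OU], {"Domain Users", "Workgroup Leads"})


if __name__ == "__main__":
    for who, rsop in (("staff", staff_user()), ("lead", lead_user())):
        for setting, (value, winner) in sorted(rsop.items()):
            print(f"{who:5} {setting:24} = {value!s:5} (winning GPO: {winner})")
```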

Configuring Security Policy Management

Microsoft Windows Server 2003 provides many different means by which individual settings can be configured, including the Group Policy Management Console as well as the Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services MMC snap-ins. After the Group Policy Management Console has been installed, the Group Policy tab (displayed in the Properties pages of sites, domains, and OUs when the MMC is started in Author mode) displays an Open button that redirects GPO access attempts to the GPMC, making this utility a one-stop solution for all categories of GPO manipulation.

The Group Policy Object Editor accessible through the aforementioned MMC snap-ins (refer to Figure 3.8) provides the ability to manipulate all possible settings for a particular GPO. Additionally, Microsoft Windows Server 2003 also includes more focused utilities, such as the Local Security Policy, Domain Security Policy, and Domain Controllers Security Policy MMC snap-ins. These utilities allow the manipulation of security settings within the appropriate GPO, where templates can be used to apply standard configuration settings based on the intended role of the target system.

A number of preconfigured security templates are stored in %systemroot%\Security\Templates and include the following:

  • Compatws.inf—The compatibility template is used to relax security settings to allow users to make use of applications that do not conform to the requirements for the Windows Logo Program for Software.

  • DC Security.inf—The default security template for domain controllers.

  • Hisecdc.inf—The highly secure template for domain controllers.

  • Hisecws.inf—The highly secure template for workstations.

  • Rootsec.inf—The root directory permissions template.

  • Securedc.inf—The secure template for domain controllers.

  • Securews.inf—The secure template for workstations.

  • Setup security.inf—The default security settings for a system created during initial installation.

Using Security Policy MMC Snap-ins

Windows Server 2003 includes several MMC snap-ins that can be added to custom MMCs. Two in particular are useful in the manipulation of security template settings: the Security Configuration and Analysis MMC snap-in and the Security Templates MMC snap-in. The following steps can be used to create a custom MMC with these snap-ins configured:

  1. Select Start, Run, and then type MMC in the Open box. After clicking OK, a new blank MMC console opens.

  2. From the Console main menu, select File and then Add/Remove Snap-in from the list of options provided. Select the console to which the snap-ins will be added, then click the Add button to open the Add Standalone Snap-in dialog box.

  3. The list of options provided can be used to build a custom MMC containing many standard tasks. For the purposes of this example, highlight the Security Configuration and Analysis option and click Add, then highlight the Security Templates option and click Add again.

  4. Click the Close button and then the OK button to return to the custom console, as shown in Figure 3.19.

  5. Save this custom MMC for later reuse by selecting File, Save As. After selecting the container location and name for the new custom MMC, save the console with its current settings.

Figure 3.19 A custom MMC console with the Security Templates and the Security Configuration and Analysis MMC snap-ins added.

The Security Templates MMC snap-in can be used to create and modify templates, which can then be modeled and applied within the Security Configuration and Analysis MMC snap-in using the same techniques described within the Group Policy Editor MMC snap-in accessed through the GPMC.

When a target template is analyzed against current security settings, the Security Configuration and Analysis MMC snap-in produces a comparative analysis of each setting, as shown in Figure 3.19.
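The comparative analysis described above can be reproduced offline for review or change control: each entry of a template is checked against the machine's current settings and marked as matching, mismatching, or not configured. The following is an added example, not the book's or Microsoft's code; both template texts are constructed (real template files are UTF-16 and carry additional sections), and the "current" text stands in for an export of the live settings.

```python
"""Compare a security template (.inf) with current settings and flag each
entry the way the Security Configuration and Analysis snap-in does.
Added example, not Microsoft's code; both INF texts below are constructed."""

SECTIONS_ANALYZED = ("System Access", "Event Audit", "Registry Values", "Privilege Rights")

# Constructed template in the same layout as the files under Security\Templates
TEMPLATE_INF = r"""
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""

# Constructed stand-in for an export of the machine's current settings
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = 42
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
"""


def parse_inf(text):
    """Return {section: {key: raw value}}; ';' lines are comments, key case is kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # registry paths contain no '='
            sections[current][key.strip()] = value.strip()
    return sections


def load_inf(path):
    """Template files in the Security Templates folder are UTF-16 text."""
    with open(path, encoding="utf-16") as f:
        return parse_inf(f.read())


def normalize(section, value):
    value = value.strip().strip('"')
    if section == "Privilege Rights":       # account lists compare as sets; order is irrelevant
        return frozenset(v.strip() for v in value.split(",") if v.strip())
    return value


def analyze(template, current):
    """Return {(section, key): (status, template value, current value)}."""
    findings = {}
    for section in SECTIONS_ANALYZED:
        for key, want in template.get(section, {}).items():
            have = current.get(section, {}).get(key)
            if have is None:
                status = "NOT CONFIGURED"   # the system defines no value for this entry
            elif normalize(section, have) == normalize(section, want):
                status = "OK"
            else:
                status = "MISMATCH"
            findings[(section, key)] = (status, want, have)
    return findings


def mismatches(findings):
    return sorted(key for key, (status, _, _) in findings.items() if status == "MISMATCH")


if __name__ == "__main__":
    report = analyze(parse_inf(TEMPLATE_INF), parse_inf(CURRENT_INF))
    for (section, key), (status, want, have) in sorted(report.items()):
        print(f"{status:14} [{section}] {key}: template={want!r} current={have!r}")
```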

Managing Policies Through the Command Line

Microsoft Windows Server 2003 includes command-line utilities that mirror much of the same functionality present in the graphical user interface utilities previously discussed in this chapter, including

  • Secedit.exe—A utility used to analyze and configure security settings based on templates. It is a close command-line equivalent to the Security Configuration and Analysis MMC snap-in and was also present in Windows Server 2000. In the Windows Server 2003 version of the utility, the /refreshpolicy option is no longer present.

  • Gpupdate.exe—This utility is used to refresh Group Policy settings, replacing the /refreshpolicy option within the secedit utility. This utility can be used to force a logoff or reboot when the update is complete to ensure that new policy settings are applied immediately.

  • Gpresult.exe—A utility that can be used to display Group Policy settings and the RSoP of a target user or computer account. It is a close command-line equivalent to the reporting and analysis functions within the GPMC.

CAUTION

You should be able to use the gpupdate utility to refresh a GPO. The syntax of the gpupdate.exe utility is provided in the Microsoft help file:

gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]

To see a listing of all the parameters and their meanings, type the following at the command-line shell prompt:

gpupdate /?

The GPMC's Software Development Kit (SDK) includes a number of scripts that can be used to automate GPO troubleshooting, including the following:

  • ListAllGPOs.wsf—Used to list all GPOs within a domain

  • FindDisabledGPOs.wsf—Used to list any GPOs currently disabled

  • DumpGPOInfo.wsf—Used to display information about a particular GPO

  • QueryBackupLocation.wsf—Used to list all GPOs stored within the specified target backup location

  • FindUnlinkedGPOs.wsf—Used to list all unlinked GPOs within a domain
