Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
com
tm
Windows 2000
Group Policy
Darren Mar-Elia
Table of Contents
Chapter 1: Introducing Group Policy .............................................................................................. 1
Overview of Group Policy .............................................................................................................. 1
Processing GPOs ............................................................................................................................. 2
Server-Side Processing........................................................................................................ 2
Using LSDOU Ordering.......................................................................................... 3
Client-Side Processing ........................................................................................................ 5
Viewing and Editing GPOs ............................................................................................................. 6
Capabilities of GPOs..................................................................................................................... 12
Software Settings | Software Installation .......................................................................... 13
Assignment vs. Publishing .................................................................................... 14
Windows Settings | Security Settings................................................................................ 16
Account Policies................................................................................................................ 17
Local Policies .................................................................................................................... 18
Audit Policy........................................................................................................... 18
User Rights Assignment........................................................................................ 19
Security Options.................................................................................................... 20
Event Log .......................................................................................................................... 20
Restricted Groups.............................................................................................................. 21
System Services................................................................................................................. 22
Registry ............................................................................................................................. 23
File System........................................................................................................................ 24
Public Key Policies (Machine and User) .......................................................................... 25
Windows Settings | Scripts (Startup/Shutdown) ............................................................... 26
Windows Settings | Scripts (Logon/Logoff) ..................................................................... 26
Windows Settings | Internet Explorer Maintenance.......................................................... 27
Browser User Interface.......................................................................................... 27
Connection ............................................................................................................ 27
URLs ..................................................................................................................... 28
Security.................................................................................................................. 28
Programs................................................................................................................ 28
Windows Settings | Folder Redirection............................................................................. 29
Windows Settings | Remote Installation Services............................................................. 30
Administrative Templates ................................................................................................. 31
Table of Contents
Summary ....................................................................................................................................... 33
Chapter 2: Group Policy Structure and Processing....................................................................... 34
Structure of the GPO ..................................................................................................................... 34
The GPC............................................................................................................................ 35
Finding GPO Friendly Names from Their GUIDs................................................ 37
The GPT ............................................................................................................................ 39
Storing Group Policy Settings....................................................................................................... 41
Storing GPC Information .................................................................................................. 42
The Class Store Container..................................................................................... 43
Storing GPT Information .................................................................................................. 47
Applications Folder ............................................................................................... 48
Documents and Settings Folder............................................................................. 48
Microsoft Folder.................................................................................................... 49
Scripts Folder ........................................................................................................ 50
Registry.pol ........................................................................................................... 51
GPO Versioning ................................................................................................................ 51
Group Policy Processing ................................................................................................... 54
Bringing It All Together........................................................................................ 55
Summary ....................................................................................................................................... 55
Chapter 3: Creating Group Policies Step by Step ......................................................................... 56
Creating AD-Based GPOs............................................................................................................. 56
Editing GPOs................................................................................................................................. 58
Setting GPO Options......................................................................................................... 60
No Override........................................................................................................... 61
Disabled................................................................................................................. 62
Blocking Policy Inheritance .............................................................................................. 63
Setting GPO Properties ..................................................................................................... 65
General .................................................................................................................. 66
Links...................................................................................................................... 66
Security.................................................................................................................. 67
Controlling GPO Precedence ............................................................................................ 67
Adding New GPO Links ................................................................................................... 69
Deleting GPOs................................................................................................................... 70
ii
Table of Contents
Setting Domain Controller Options............................................................................................... 71
Using Security Groups to Filter the Processing of GPOs ............................................................. 72
Changing the Default Processing ...................................................................................... 73
Using the Deny ACE......................................................................................................... 74
Treading Carefully ............................................................................................................ 75
Using GPO Functionality .............................................................................................................. 76
Administrative Template Policy........................................................................................ 76
Software Installation ......................................................................................................... 82
Folder Redirection............................................................................................................. 88
Setting Up Advanced Folder Redirection ............................................................. 88
Security Settings................................................................................................................ 91
About Security Templates..................................................................................... 91
Creating Security Templates ................................................................................. 92
Importing Security Templates into a GPO............................................................ 93
Summary ....................................................................................................................................... 93
Chapter 4: Designing and Implementing Group Policy in the Enterprise..................................... 95
Integrating Group Policy Design in Your AD Infrastructure........................................................ 95
Managing the Complexity of GPOs .............................................................................................. 96
Designing the Implementation ...................................................................................................... 97
Scenario AOne AD Domain.......................................................................................... 98
Two Implementation Options.............................................................................. 101
Scenario BMultiple AD Domains ............................................................................... 103
Two Implementation Options.............................................................................. 105
Handling Delegation Requirements .................................................................... 108
Multi-domain Considerations.......................................................................................... 109
Site-Linked GPOs ........................................................................................................... 109
Adopting GPO Naming Conventions.............................................................................. 111
Maintaining Change Control........................................................................................... 113
Tying It All Together ...................................................................................................... 114
Considering Technical Issues...................................................................................................... 115
Asynchronous, Slow Network, and Periodic Background GPO Processing................... 115
Controlling Their Effects .................................................................................... 116
GPO Loopback Processing.............................................................................................. 119
iii
Table of Contents
Summary ..................................................................................................................................... 119
Chapter 5: Working around Group Policy Limitations............................................................... 120
Controlling GPO Delegation....................................................................................................... 120
Default Rights ................................................................................................................. 121
How GPO Delegation Works.......................................................................................... 123
Delegating Creation, Editing, and Deletion GPOs.............................................. 123
Linking GPOs...................................................................................................... 128
Putting GPO Delegation into Practice............................................................................. 133
Making Changes to the Policies Folder............................................................... 134
Modifying Permissions on Existing GPOs.......................................................... 138
Linking GPOs to a Site Object............................................................................ 138
Using Security-Group Filtering on GPOs ................................................................................... 139
Security-Group Filtering for Applications ...................................................................... 140
Using Loopback Processing ........................................................................................................ 144
Summary ..................................................................................................................................... 148
Chapter 6: Troubleshooting and Managing Group Policy .......................................................... 149
Examining Common GPO Problems .......................................................................................... 149
Using GPO Troubleshooting Tools............................................................................................. 155
Group Policy Result Tool (gpresult.exe)......................................................................... 155
Group Policy Object Verification Tool (gpotool.exe) .................................................... 157
Network Connectivity Tester (netdiag.exe) .................................................................... 159
Software Installation Diagnostics (addiag.exe)............................................................... 162
FAZAM 2000.................................................................................................................. 163
Enabling GPO Logging............................................................................................................... 164
The Application Event Log ............................................................................................. 165
Usermode Logs ............................................................................................................... 167
The userenv.log File............................................................................................ 168
Other Log Files.................................................................................................... 169
Windows Installer Logging............................................................................................. 170
Managing GPOs .......................................................................................................................... 171
RSoP................................................................................................................................ 172
Backing Up and Restoring GPOs.................................................................................... 173
The Role of the Local GPO............................................................................................. 174
iv
Table of Contents
Summary ..................................................................................................................................... 176
List of Acronyms and Abbreviations .......................................................................................... 177
Copyright Statement
2001 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have
been created, developed, or commissioned by, and published with the permission of,
Realtimepublishers.com, Inc. (the Materials) and this site and any such Materials are protected
by international copyright and trademark laws.
THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. The Materials are subject to change without notice and do not represent a
commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event
shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial
errors or omissions contained in the Materials, including without limitation, for any direct, indirect,
incidental, special, exemplary or consequential damages whatsoever resulting from the use of
any information contained in the Materials.
The Materials (including but not limited to the text, images, audio, and/or video) may not be
copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in
whole or in part, except that one copy may be downloaded for your personal, non-commercial use
on a single computer. In connection with such use, you may not modify or obscure any copyright
or other proprietary notice.
The Materials may contain trademarks, services marks and logos that are the property of third
parties. You are not permitted to use these trademarks, services marks or logos without prior
written consent of such third parties.
If you have any questions about these terms, or if you would like information about licensing
materials from Realtimepublishers.com, please contact us via e-mail at
info@realtimepublishers.com
vi
Chapter 1
Chapter 1
The local GPO is a stand-alone object in that you must manage it individually against each
Win2K device using the MMC Group Policy snap-in. Also, some of the capabilities that GPOs
provide in an ADbased domain environment arent available on local GPOs. (Examples are
software deployment and Folder Redirection, described later in this chapter in the Windows
Settings | Folder Redirection section.) For these and other reasons, GPOs only begin to fulfill
their full promise when youve deployed an AD infrastructure and have begun to migrate all
your workstations and servers to Win2K. Before talking about how GPOs leverage AD, and AD
domain controllers, its important to understand how GPOs are processed.
Processing GPOs
In NT 4.0, when a user logged on to an NT 4.0 domain from an NT 4.0 device, the Winlogon
process running on the workstation or server executed a System Policy file stored on the
authenticating NT 4.0 domain controller in the NETLOGON share (or elsewhere, as specified by
the administrator). NT 4.0 System Policy let administrators distribute changes to registry keys
per-user changes were stored in HKEY_CURRENT_USER keys, per-machine changes in
HKEY_LOCAL_MACHINE keys. These registry changes were executed according to the
instructions of the System Policy file when the user logged on. Both per-user and per-machine
changes happened at once.
Server-Side Processing
GPOs maintain a few similarities with System Policy processing. Only user objects and
computer objects in an AD domain can process GPOs. However, unlike NT 4.0 System Policy
where only one policy file could be processed by a user per domainmultiple GPOs can be
linked to AD container objects at various levels in the AD hierarchy, providing support for
processing many GPOs for a given user and computer.
In addition to storing links in AD, GPOs leverage file storage on AD domain controllers like NT
4.0 System Policy leveraged the NETLOGON share on NT 4.0 domain controllers. GPOs are
stored in the SYSVOL share on domain controllers in an AD domain.
GPOs are made up of the Group Policy Template (GPT) and the Group Policy Container (GPC).
The GPT stores the files that are stored by GPOs in SYSVOL. These files make up the guts of
the GPO. (A portion of the GPO is stored in AD.)
The GPC is created for each GPO you define. The GPC is a class of AD object that represents a
GPO in the AD and keeps some additional information related to the software deployment
features of GPOs.
Sites, domains, and organizational unites (OUs) link to GPOs using an AD attribute on these
container objects that refers to the linked GPO by its globally unique ID (GUID). More details of
what is actually stored in the GPT and GPC, as well as how they relate to GPO functionality, are
discussed in detail in Chapter 2 of this book.
Chapter 1
Container objects are AD objects that can contain other AD objects. For example, an AD domain is a
container object that can contain OUs, users, and so on. An OU is a container object that can contain
other OUs, users, groups, and so on. Finally, an AD site is a container object that can contain subnet
objects.
Unlike NT 4.0s System Policy, which was processed when the user logged on, GPO-based
policy directed at computers is processed by those computers that are members of an AD domain
when they first start up and establish communication with the domain controller. This computerspecific policy processing happens independently of any user-based policy processing. Then,
when a user defined in the AD logs on to an AD domain from a Win2K workstation (or server),
any user-specific GPO policy is processed at that time.
This split between computer and user processing implies that there are two parts to a GPO, and
that is indeed the case. As youll see further on in this chapter, GPOs are organized in the Group
Policy MMC snap-in into Computer Configuration and User Configuration sections. The section
to which a policy is defined determines whether the computer or the user will process it. (In other
words, computers process the Computer Configuration section, and users process the User
Configuration section.)
Using LSDOU Ordering
In addition to delineating computer and user policies in a GPO, users and computers process
GPOs using the following order of precedence:
1. Local GPO
2. AD site-based GPO(s)
3. AD domain-based GPO(s)
4. AD OU-based GPO(s)
You often see this order represented by the acronym LSDOU (Local, Site, Domain, OU). This
acronym means that computers and users process GPOs using LSDOU based on where those
user and computer objects reside in AD. LSDOU specifies an order of precedence in processing
GPOs: local GPOs are processed first, followed by site, domain, and OU-based GPOs. The
effective policy that a user or computer receives is often referred to as Resultant Set of Policy
(RSoP).
To further illustrate LSDOU, Figure 1.1 shows an example of an AD domain with several GPOs
defined.
Chapter 1
A lot of Figure 1.1 describes how GPOs are processed in an AD domain environment. First, note
that the name of this particular AD domain is mydomain.tld. This domain contains an OU called
Finance and a child OU of Finance called AcctsRecv. In AcctsRecv, there is a Win2K
workstation object and a user object. The workstation object is on a subnet defined in the New
York Site.
AD sites arent associated with a particular domain. Instead, they create logical boundaries of
physical Internet Protocol (IP) network subnets that can encompass devices from multiple domains.
Thus, a site-based GPO can be processed by users and computers in multiple AD domains.
When the workstation starts up or the user logs on to the domain, those six GPOs are processed
in the order shown in the text to the right of the drawing, reflecting the LSDOU ordering. There
are a few things to note about this figure. First, in the case of the GPOs linked to the Finance
OU, even though the workstation and user are defined in the AcctsRecv OU, they still process
the GPOs linked to the parent OUFinancethanks to AD inheritance.
Chapter 1
Also, two GPOs are defined at each of the OU and domain levels. As youll see in Chapter 4,
there is no problem linking multiple GPOs to a given container, but you must define an order of
precedence for processing so that one GPO processes before the other. In this figure, the second
GPO in the list is processed first, followed by the first one in the list for each container.
Finally, the names I chose for the GPOs are meant to help an administrator understand the
purpose of each GPO. Ill talk more about naming conventions for GPOs in Chapter 4, but when
you define your GPOs, its definitely a good idea to descriptively and consistently name them.
Client-Side Processing
In addition to knowing about the order of GPO processing, its important to understand the
mechanism on Win2K devices by which GPOs are processed. While in an AD infrastructure, the
guts of a GPO are stored in the GPT (in SYSVOL) and the GPC (in AD), its the client (the
Win2K server or workstation) that actually processes the GPO. The client uses a series of clientside extensions (CSEs)Windows dynamic-link libraries (DLLs)that are knowledgeable about
the stuff stored on the server side of the GPO (the GPT and GPC).
As in NT 4.0, Winlogon calls these CSEs to process machine- and user-specific GPO settings.
Each major default capability in the Win2K GPO has a corresponding CSE that ships with
Win2K. The extensible model that GPOs provide lets independent software vendors (ISVs) write
their own CSEs to support custom GPO capabilities. You can think of the CSE as providing the
real policy functionality in the GPO, while the GPT and GPC are the storage mechanism for
whatever data that policy functionality requires.
For the list of CSEs registered on a given Win2K device, check the registry key HKEYLOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Gpextensions. Figure 1.2 shows a typical CSE registration.
In Figure 1.2, the Folder Redirection capability is provided by a CSE DLL called fdeploy.dll.
5
Chapter 1
See Chapter 2 for more details about the role of CSEs in Group Policy processing.
to launch MMC with the Group Policy snap-in loaded and focused on the local GPO from where
its being run, as Figure 1.3 shows.
Figure 1.3: Viewing the Group Policy snap-in console tool gpedit.msc.
In this section, I discuss using MMC and MMC console tools to create custom GPO tools. If you need
a refresher on using MMC and creating MMC console tools, check out the MMC overview on
Microsofts MS Developers Network Web site at
http://www.microsoft.com/windows2000/techinfo/howitworks/management/mmcover.asp. In addition,
check Realtimepublishers Web site at http://www.realtimepublishers.com for other free online titles
that discuss using MMC.
In Figure 1.3, you can see two distinct sections to this local GPO. The Computer Configuration
section holds policy definitions for computer-specific settings. As I mentioned earlier in this
6
Chapter 1
chapter, computer-specific policy is processed by Win2K workstations and servers when they
start up.
While its true that most computer-specific policies only run when a workstation or server starts up,
some policy items, such as certain security settings, are processed periodically to ensure that the
policy is enforced without regard to a computer restarting.
The User Configuration section holds policy definitions for user-specific policies, and its
typically processed when the user logs on (or logs off, in the case of logoff script policy). In the
next section of this chapter, Capabilities of GPOs, Ill drill into these two sections to further
explore their policy capabilities.
Gpedit.msc is a pre-defined MMC console tool that lets you view and edit a local GPO. The
actual MMC snap-in file that provides GPO editing functionality is called gpedit.dll and is
located in %Systemroot%\System32. Gpedit.msc is locked down using MMC authoring features,
so it only provides scope over the local GPO.
A more likely scenario is that youll need to edit either GPOs defined on an AD domain or local
GPOs defined on a remote workstation or server. In this case, youll need to create your own
MMC console tool. Choose Start, Run, then type
mmc.exe
Once the blank MMC console appears, select Console, Add/Remove Snap-in, then click Add. A
list of available snap-ins will appear, as in Figure 1.4.
Scroll down to the Group Policy snap-in, select it, then click Add (or double-click Group Policy).
The dialog box shown in Figure 1.5 will appear and let you choose the particular GPO that you
want to manage (local or AD-based).
Chapter 1
Click Browse to choose a GPO located on a local computer; in an AD domain, site, or OU; or all
objects available in the current AD domain.
As you can see in Figure 1.5, the Group Policy snap-in provides a check box that allows you to
change the focus of the GPO tool from the command line. The reason is that if you check this box,
then save your MMC tool to an .msc file, you can change which GPO the tool focuses on when you
launch MMC from the command-line. (However, in my testing, this feature doesnt work at all
launching an MMC tool from the command-line and providing the name of a different GPO to focus on
is simply ignored.)
Once youve chosen a GPO to focus on and loaded the Group Policy snap-in, you can either stop
there or add GPO references to this MMC tool. In fact, you can create custom MMC tools to
meet a variety of GPO editing needs. For example, I like to create an MMC tool that has all of
the GPOs I typically need to view and edit in my infrastructure, loaded in a single console for
easy access. Figure 1.6 shows an example of such a tool.
Chapter 1
Figure 1.6: Viewing an MMC console tool that references multiple GPOs.
In this figure, Ive loaded into one console four GPOs (and four instances of the Group Policy
snap-in) that I frequently use, making it easy for me to get to them and edit them in one fell
swoop. Similarly, if you have GPOs linked to OUs that are administered by different
administrators in your enterprise, you can create MMC tools with just those GPO references
loaded, then distribute those console tools to your OU administrators.
These console tools provide you with some level of control over who is viewing and editing
GPOs in your AD infrastructure. Of course, you can still delegate AD access rights on a
particular GPO, and this allows you to control who can access and edit a GPO. But the MMC
console-tool approach is quick and easy.
Once youve loaded the references to the GPOs youre interested in managing, choose Console
from the MMC menu and Save (or Save As) to give a name to your .msc file. I like to name my
GPO console files descriptively to help distinguish their function (for example, Domain-Wide
GPOs or Finance OU GPOs).
The GPO snap-in organizes GPO capabilities into nodes. You can expand these nodes to drill
into each capability. For example, if I expand the Computer Configuration node of the local GPO
shown in Figure 1.3, I see a number of different categories of functionalitySoftware Settings,
Windows Settings, and Administrative Templates. The same is true under User Configuration. In
each of these categories are the nodes that describe the individual policy functionality provided
by this GPO. Ill talk more about this functionality in the next section, but lets drill into one in
particular to see how you can edit a GPO.
In Figure 1.7, Ive drilled into the Windows Settings, Security Settings node under Computer
Configuration in my local GPO.
Chapter 1
Figure 1.7: Viewing the expanded Security Settings node in a local GPO.
In this figure, you can see that the Security Settings node is where I can set a variety of security
policy in this local GPO. Indeed, on a local workstation or server that isnt part of an AD
domain, this node provides the equivalent functionality to NT 4.0s User Manager\Policy menu
items.
Within Security Settings, there are three subcategoriesAccount Policies, Local Policies, and
Public Key Policies. If you drill into each of these, you see additional capabilities. For example,
under Account Policies, you see the Password Policy, which lets you set restrictions such as
minimum password length and age. Figure 1.8 shows where Ive drilled into Password Policy to
expose the actual policy items available.
10
Chapter 1
Figure 1.8: Viewing the policy options under the Password Policy section of a local GPO.
This figure shows the actual policy items in the results pane in the MMC snap-in. If you doubleclick one of the items, such as Minimum Password Age, you can set the policy in this GPO.
When you set a policy item in a GPO, there is no concept of saving or undoing it. Once you
make a change, the change is committed unless you change it to another value. For example, if
you set Minimum Password Age to 10 days, then click OK, the policy is set. You dont need to
save the GPO (in fact, there is no place in the MMC snap-in to save it). Likewise, you cant
simply click an Undo button to back out of the change. You need to go back into the Minimum
Password Age dialog box and reset the value to 0.
This issue underscores an important point when youre editing GPOs: Make sure you document
the changes youre making. Unfortunately, there is no good automated way to manage GPO
changes in Win2K, but I suspect that third-party software companies will develop products that
solve this problem in the near future. In the meantime, one tip that you might find useful is to
disable the GPO before you edit it. This will prevent users who may be logging on or restarting
their computers from processing your GPO while youre in the middle of changing it.
In Chapter 3, I describe how you can disable a GPO before you edit it (or for other reasons).
In Figure 1,8, you see two columns in the results pane of the MMC console toolLocal Setting
and Effective Setting. This distinction is important to understand if youre working in an AD
environment with AD-based GPOs.
As I mentioned, every Win2K device comes with a local GPO, which is what Figure 1.8 is
focused on. The Local Setting column shows the policy that has been set for that item in the local
11
Chapter 1
GPO. The Effective Setting column shows what the current policy is actually set to. This may be
different than the Local Setting value in an AD environment because AD-based GPOs are
processed after the local GPO (remember LSDOU) and therefore can override settings made in a
local GPO. Of course, for Win2K devices that arent members of a domain, Local Setting and
Effective Setting values should be identical.
The distinction between Local Setting and Effective Setting is a function of the Security Settings node.
Other policy nodes in a GPO may or may not present this information.
Keep in mind that each GPO node has its own requirements for enabling or disabling policy. For
example, in the Security Settings section, you may be required to provide an absolute numeric
value like number of days between password changes. However, in other areas, it may be a
matter of simply enabling or disabling policy. Still other areas, such as logon scripts, may require
you to enter the path to a file or folder. The important thing to remember is that there is no one
standard way of manipulating GPOs.
Capabilities of GPOs
Now that Ive introduced the basic concepts of GPOs and how you can view and edit them, Ill
describe the policy capabilities that are available out-of-the-box for Win2K GPOs. The
capabilities of GPOs are formidable and complex. In this section (and this entire book), Ill
discuss all that GPOs are capable of and help you use them in your enterprise to your best
advantage. While the GPO infrastructure is extensible, allowing developers of third-party
applications to develop their own CSEs and policy features, this section describes what
Microsoft has developed in Win2Kand the major features of each policy area.
Chapter 3 discusses the hands-on use of each of these GPO capabilities.
Table 1.1 shows a brief overview of the default GPO capabilities available.
Computer Configuration (specific to computer objects)
Setting
Description
Windows Settings|
Scripts(Startup/Shutdown)
Administrative Templates
Description
Lets you manage Internet Explorer (IE) configurations for each user.
12
Chapter 1
Explorer Maintenance
Windows Settings|
Security Settings
Administrative Templates
Interestingly, not many capabilities of SMS 2.0 have been integrated into Software Installation.
Despite that fact, Software Installation provides a good software-distribution capability for
small- to medium-sized enterprises. It lets you assign applications on a per-computer basis and
assign and publish applications on a per-user basis. Ill describe assignment and publishing in a
moment. But first, I want to talk a little bit more about Software Installation and the Windows
Installer.
Software Installation leverages Microsofts Windows Installer, which ships with Win2K to
perform application installations. The Windows Installer is an application-packaging format,
installation engine, and set of APIs, and it provides a better application setup than earlier
technologies. Windows Installer packages have an .msi file extension. Applications such as
Microsoft Office 2000 are good examples of software that leverages the .msi package format.
One of the big advantages of the .msi format and the Windows Installer engine is the ability to
install applications using an elevated security context. This means that applications that normally
13
Chapter 1
require administrator access to install can be installed by regular users without an administrators
intervention and without the need to grant the users privileged access to their workstations.
When an application is deployed using Software Installation, its called a managed application,
and it can thus take advantage of the elevated security privileges in Windows Installer. Figure
1.9 shows an example of an application that has been deployed in Software Installation.
In this figure, Ive assigned the Win2K Support Tools application to be deployed in this GPO
called App Deployment Policy. This is a computer-specific deployment, so all computers subject
to this GPO will have the application installed.
Assignment vs. Publishing
Applications can be deployed using Software Installation to either computers or users. An
application deployed to a Win2K computer is installed the next time that computer is restarted.
Applications deployed to users can either be partially installed when the users log on
(assignment), or installed on demand by the users themselves (publishing).
Applications that are assigned to a user are advertised to that user the next time the user logs on.
Advertisement is a feature of Windows Installer packages (.msi files) that is tightly integrated
into the Windows Explorer shell. Advertisement puts an applications presence on the users
desktop. A presence may be a shortcut to an application placed on the users Start menu, a file
association to the application (for example, .doc files are associated with Microsoft Word), or
even a Component Object Model (COM) component registration that refers to the application.
14
Chapter 1
However, during advertisement, the application isnt really installed. Rather, these presences are
placed in the users environment. The first time a user activates one of these presences (for
example, clicks a shortcut or opens a file with an advertised association), the Windows Installer
engine starts up and installs the application from its setup package. This is known as Install on
Demand, and its a powerful feature of GPO-based Software Installation deployments. It means
that only those applications and application features that the user needs are installed when
theyre needed.
Publishing takes a different approach from assignment in GPO-based Software Installation.
Publishing an .msi-packaged application makes it available to the user in the Add/Remove
Programs applet in Control Panel that comes on every Win2K device. Figure 1.10 shows an
example of an application that has been published in a GPO.
Figure 1.10: Using Software Installation publishing to make applications available in the Add/Remove
Programs applet.
In this figure, you see that the Win2K Support Tools application has been published so that a
user can install it by clicking Add. In GPO-based software installation, you can also categorize
published applications to make it easier for your users to find and install them. Notice the
Category drop-down list in Figure 1.10. You can define categories in the GPO Software
Installation node to help delineate your applications in the Add/Remove Programs applet. For
example, in Figure 1.10, I created a category called Administrative Tools, in which Ive placed
this published application.
Another useful feature of Software Installation is managing the life cycle of applications.
Managing a life cycle is upgrading, patching, rolling back, and uninstalling applications
centrally, and whats more important, cleanly. Managing a life cycle in Software Installation
15
Chapter 1
depends on the Windows Installer technology to succeed. However, its an important feature that
more advanced products, such as SMS, dont do or do poorly.
In Software Installation, you can create update dependencies among applications. When a new or
patched release of an application comes out, all those users or computers that previously had the
application installed can be set to receive the new version. Additionally, if youre trying to retire
an application, you can deploy it using Software Installation in such a way that if the application
is no longer deployed using Group Policy, itll be uninstalled. These life cycle management
features are tremendously valuable for organizations that are deploying and uninstalling many
applications over time.
Windows Settings | Security Settings
The Security Settings feature in GPOs may be one of the most confusing for many
administrators. The ability to set many basic security policies in Win2K is now only done using
Group Policy (either local or AD-based GPOs). This differs dramatically from NT 4.0, where
features such as account and audit policy were set from the User Manager, and more advanced
security features like setting service and file system permissions could be managed using the
Security Control Manager (SCM).
Microsoft folded the capabilities of SCM into Group Policy. In fact, Security Settings policy in a
GPO can use the same security template files (file names usually ending in .inf) to set security
policy settings that SCM (both the NT 4.0 and Win2K versions) uses. At the same time,
Microsoft augmented the capabilities found in NT 4.0 SCM to provide a one-stop shop for
setting all security policy in Win2K. Indeed, you can think of the Security Settings featureboth
computer- and user-specificas being an excellent centralized tool for managing security across
all of your AD-based Win2K devices.
The confusing part about GPO-based Security Settings comes when you try to ensure that the
right security policy is applied to the right set of computers and users. For example, machinebased security policy defined in GPOs that are processed by domain controllers affects policy for
the entire domain. Whereas, security policy defined in GPOs that are processed by member
servers or workstations only affects the local Security Account Manager (SAM) and resources on
those local computers.
I mentioned earlier that machine-based policy is typically processed when a computer restarts
and user-based policy when a user logs on. However, the Security Settings policies are also
processed on a periodic basis (by default, every 90 minutes).
You can also manually force security policy to refresh by issuing the following command:
The Security Settings capability provides a number security policy features, discussed in the
following sections.
16
Chapter 1
Account Policies
Account Policies are machine-specific policies. Account Policy defined for an entire AD domain
can only be set in a domain-linked GPO. That is, if you have an AD domain controller that is
subject to a GPO linked to an OU, and that GPO contains Account Policy settings, theyll be
ignored in favor of the Account Policy defined in any domain-linked GPOs that are present.
Account Policy includes three sectionsPassword Policy, Account Lockout Policy, and
Kerberos Policy. Password Policy, as Figure 1.11 shows, is where you set policy such as
minimum password length, password age, and password complexity enforcement (rules that say
that a password must contain numbers and capital letters, for example).
Account Lockout Policy is where you set policy to determine whether and for how long a user
account is locked out after a number of incorrect password attempts. Kerberos Policy is new in
Win2K and supports the MIT Kerberos V implementation that Win2K uses as its default
authentication protocol. Figure 1.12 shows the options available in Kerberos Policy.
17
Chapter 1
As the figure shows, Kerberos Policy lets you set features of the Kerberos protocol such as ticket
lifetime and ticket renewal intervals.
Local Policies
Local Policies, as the name implies, lets you set security policy that is relevant to the local
computer. Local Policy defined in a domain-linked GPO affects all computers in that domain
(unless explicitly excluded), including domain controllers. Local Policy applied to a domain
controller becomes the local policy for that domain. Local Policy applied to workstations or
member servers is just specific to those devices. Local Policies includes three sectionsAudit
Policy, User Rights Assignment, and Security Options.
Audit Policy
Audit Policy is similar to the NT 4.0 User Managers Policy Audit menu item. Figure 1.13 shows
the options available in Win2K Audit Policy.
18
Chapter 1
Audit Policy allows you to enable auditing events for various kinds of system access. Audit
events are stored in the Security event log on the Win2K system where theyre generated. As
with Account Policy, Audit Policy defined in a GPO that is processed by a domain controller
will become the policy for that AD domain. Audit Policy defined on GPOs processed by
workstations or member servers affects only those devices. Auditing success indicates that you
want to raise an event log entry each time that particular type of event (for example, Audit
Account Management) succeeds. Similarly, auditing failure means that you want to raise an
event log entry when that type of event fails.
Auditing NT File System (NTFS) and registry access is a two-part process. First you must enable
the Audit Object Access event type. Then, in the file system or registry itself, you need to enable
auditing for a particular folder or key.
User Rights Assignment
User Rights Assignment is similar to NT 4.0 Users Managers Policy User Rights menu item.
Its where you define which users and groups have the right to perform certain kinds of
operations. Typical user rights include the ability to shut down a computer, log on to the local
console of the computer, and add computer accounts to a domain. Win2K adds quite a few rights
above and beyond what NT 4.0 provided, so its worth scanning through them to see if there are
any that offer some useful additional protection. Again, User Rights Assignment defined on a
GPO that is processed by domain controllers becomes the user rights policy for that domain.
19
Chapter 1
Security Options
Security Options lets you set what I call the miscellaneous security lockdowns. Many of the
security settings you see in this section previously required registry tweaks to set or werent
available at all. Figure 1.14 shows many of the policies in this section.
As you can see in this figure, features such as Message text for users attempting to log on was
typically something you had to set directly in the registry (or using System Policy). You can
think of the Security Options section as the dustbin of Win2K security policy. Everything that
was left over when Microsoft created the other security policy sections was placed in here!
However, it also contains some useful features, especially if youre deploying Internet-facing
Win2K systems, so its worth having a look.
Event Log
The Event Log policy section is another computer-specific security setting. This section lets you
centrally define, in a GPO, the event log settings you want to enforce across computers in your
domain (or locally on a computer, in the case of the local GPO). Figure 1.15 shows the options
available in this section.
20
Chapter 1
Figure 1.15: Viewing Event Log policy settings in GPO-based Security Settings.
To enforce some consistency of logging in NT 4.0, you had to set these options on every nondomain controller computer. Using Group Policy, you can control how big event log files can
grow and what to do with them when theyve reached their limit.
Most of the security policy Ive been discussing in this section lets you define a policy item with a
particular value or leave it as Not Defined. Note that Not Defined isnt the same as disabled. That is, a
particular security policy (such as Application Event Log Size) may come with a default value when
you install Win2K. Not defining in a GPO simply means that the default value remains, not that (as in
this example) application event logging has been disabled.
Restricted Groups
Restricted Groups is an interesting, if not complicated, security policy to implement in GPO.
Restricted Groups allows you to define particular user groups who can only have a specific set of
users as members. Similarly, you can define a Restricted Groups policy that says that a particular
user group must always be a member of another group or groups.
In the former situation, you can use the Restricted Groups feature to say that only Joe Admins
account and the local Administrator account can be members of the local Administrators group
on computers subject to the GPO policy. This means that if a user account called Bill Evil is able
to compromise a computer and add itself to the local Administrators group, the next time a GPO
containing Restricted Groups policy is processed by that computer, Bill Evils account is
automatically removed from the group.
Using the second part of the Restricted Groups feature, you can ensure that a particular user
group cannot be removed from other groups. For example, suppose you want to ensure that the
user group Desktop Administrators, defined on your AD domain, is always a member of the
21
Chapter 1
local Administrators group. If you define this policy in Restricted Groups, any computers that
process the GPO containing this policy will always enforce this restriction. If someone tries to
remove your Desktop Administrators group from the local Administrators group on a
workstation, the next time the GPO is applied, the policy will be enforced, and your group will
be added back in.
As you can probably see, Restricted Groups is a powerful feature. Misusing or misunderstanding
how and when it applies, especially when youre restricting group membership to a set of
particular users, can cause you to lock yourself out of a particular workstation, a server, or
potentially even an entire AD domain. Use Restricted Groups with caution, and remember that
when you set a Restricted Group policy in a GPO, any computer that processes that GPO will
enforce your policy.
System Services
In the System Services policy, you can define the default startup mode for a particular service.
Whats more important from a security perspective, you can define users and groups that have
the right to start, stop, pause, and change the configuration of a particular service. This is a
powerful feature when it comes time to delegate administration of Win2K resources on your
network. You can set a System Services policy, for example, that lets you grant your Help desk
user group the right to start and stop the printer Spooler service only on a designated set of
Win2K print servers that are subject to that GPO. Figure 1.16 shows an example of the dialog
boxes available in the System Services policy.
Figure 1.16: Setting the Windows service policy options under the System Services policy.
In this figure, Ive set the default startup mode of the Windows Time service to Automatic, and
Ive granted the Authenticated Users group the ability to start, stop, and pause the service (as
22
Chapter 1
well as read, write, and delete the services configuration information from the registry). When a
computer subject to this policy processes the GPO, these service settings will be enforced, and
only Authenticated Users will be able to manage this particular service.
Keep in mind that the list of system services that appears in this policy section is somewhat a
function of where youre running the MMC Group Policy snap-in. Ordinarily, the list of services
is built using what is currently installed on the computer where youre editing the GPO. This
may not be sufficient if you want to control services that only exist on certain types of Win2K
devices. For example, you may have a third-party backup application that runs as a service on
your servers, but not on the workstation where youre editing the GPO. In that case, you need to
either open the Group Policy snap-in on that server and create your service security settings or
manually edit the security template file that is being used by that GPO.
For more information about security templates, see Chapter 3.
Registry
The registry security policy section allows you to centrally enforce security permissions on
registry keys on computers that are subject to the policy. For example, for security reasons, you
may want to lock down a particular registry key that enables users to change some aspect of their
workstation configuration. You can use the registry security policy to enforce this lockdown.
You can also use registry security policy to enforce a particular access control list (ACL) on a
particular registry key. For example, you may want to maintain a particular ACL on a key no
matter who comes along with another GPO and tries to reset it. If you set this policy in a GPO
that is processed high in the LSDOU order of precedencefor example, at the domain levela
subsequent OU-based GPO that tries to change the permissions on that key will be ignored.
Figure 1.17 shows an example of the options available for propagating ACLs in the registry
policy.
Figure 1.17: Viewing the ACL propagation (or protection) options in the registry security policy.
23
Chapter 1
In this figure, if you selected Do not allow permissions on this key to be replaced, youd achieve
the effect I just describedprotecting the ACLs on this key. You can use registry security policy
to enforce registry key security on computers that process a given GPO. Because the registry is
unique on every Win2K device, this policy is enforced on every device that is subject to it,
including all domain controllers, member servers, and workstations.
File System
The File System security policy functions very much like the registry security policy except that
it applies to an NTFS volume rather than registry keys. File System security lets you centrally
manage NTFS permissions on servers and workstations. Keep in mind that this is different than
share permissions, which cant be managed using this policy.
File System policy is handy when you want to enforce security on files or folders across multiple
servers in your AD infrastructure. However, like registry security, it can be tricky to manage. For
one thing, File System policy requires that you set security restrictions using an absolute drive
letter (or environment variable that evaluates to a drive letter) and folder name. For example,
suppose you have a number of servers that have a file folder called \Apps, but on each server,
\Apps may be on the C drive or the D drive. File System policy requires that you specify an
absolute drive letter (see Figure 1.18).
Figure 1.18: Setting up File System security policy using an absolute drive letter.
This figure shows how Ive set up File System security policy on the E volume under the apps
folder. When computers process the GPO containing this policy, and if they have an E:\Apps
folder, the permission policy will be applied.
24
Chapter 1
Public Key Policies (Machine and User)
This policy lets you specify behavior related to both computer- and user-specific use of a PKI
implementation based on Microsofts Certificate Services. Let me just point out that many
enterprises may not be implementing a PKI solution that is integrated with their Win2K
infrastructure. If thats the case, this policy section wont have much value for you. However, for
those who are implementing PKI, and especially a Microsoft-based PKI solution, the Public Key
policies listed here support that implementation. Specifically, on a per-machine basis, the
following policies are supported:
Encrypted Data Recovery AgentsLets you specify users or groups who can decrypt
files that have been encrypted by users using Win2Ks Encrypting File System (EFS)
feature. Recovery Agents are used when the person who encrypted a file or files is unable
or unavailable to decrypt them.
Automatic Certificate Request SettingsLets you specify that machines that are subject
to this policy automatically receive prescribed public key certificates from AD.
Trusted Root Certification AuthoritiesLets you import lists of trusted public key
certificates, Certificate Authorities (CAs), or certificate revocation lists (CRLs), which
are then distributed to all machines that are subject to this policy.
Enterprise TrustThis feature lets you assign certificate trust lists (CTLs) to machines
that are subject to this policy. CTLs are lists of root CAs. If a computer has a list of valid
root CAs, it can accept certificates they certify without question.
On a per-user basis, there is a Public Key policy, similar to the Enterprise Trust machine policy,
that lets you assign a CTL to users who are subject to the GPO. The final machine-specific
Public Key policy is called IP Security Policies on Active Directory. Using this policy (shown in
Figure 1.19), you can enforce Internet Protocol Security Protocol (IPSec) usage on computers
that are subject to this GPO.
25
Chapter 1
For example, using this policy, you can specify that all IP traffic to and from servers that are
subject to this policy can request or require encrypted (IP SecurityIPSec) communications.
Windows Settings | Scripts (Startup/Shutdown)
NT 4.0 supported the notion of logon scripts that were defined on a per-user basis in User
Manager. Logon scripts could be batch files, executables, WSH scripts, or even Perl scripts. In
Win2K, the concept has been extended in Group Policy. (Per-user logon scripts are still
supported in AD users objects.)
GPOs support computer-specific startup and shutdown scripts. Startup and shutdown scripts
work just as the names imply. When a Win2K workstation or server subject to a GPO-based
startup script starts up, it processes the GPO and runs the startup script in the context of the
special LocalSystem user account. Similarly, when the workstation or server shuts down, any
shutdown scripts defined by the GPO are processed at that time.
Startup and shutdown scripts can help you perform administrative tasks that dont require user
intervention or report on the behavior of computers when they restart. For example, you can
write a shutdown script that sends an email to a particular mailbox whenever a server or group of
servers subject to a GPO shuts down. Because these scripts are based on a GPO, and because a
computer can be subject to multiple GPOs at various levels (site, domain, and OU), a computer
might process many shutdown and startup scripts. Depending on your perspective, this behavior
can be either a good or a bad thing.
Windows Settings | Scripts (Logon/Logoff)
Like shutdown and startup scripts in GPOs, logon and logoff scripts are per-user scripts that run
in a users security context whenever a user subject to a GPO that defines these scripts logs on to
or off of a Win2K device. Figure 1.20 shows how logon scripts are defined in a GPO.
26
Chapter 1
In addition to defining multiple scripts across GPOs, you can define multiple logon or logoff scripts in
a single GPO. As you can see, using this feature can quickly become overwhelming.
27
Chapter 1
Figure 1.21: Setting manual proxy settings using the Internet Explorer Maintenance Connection policy.
URLs
The URLs policy lets you define pre-set lists of favorites (bookmarks), important URLs such as
home page and search page buttons, and Active Desktop channels.
Security
This policy item lets you define and enforce the different IE security-zone settings (Intranet,
Internet, Trusted, and so on) as well as content-rating settings (which restrict content based on its
rating). You can also enforce Microsoft Authenticode support in this policy. Authenticode
guarantees that code that is downloaded by IE is safe to use, and it uses public key certificates to
certify the trustworthiness of the code. The Security policy section lets you defined trusted
authorities, whom you trust to allow your users to download code from within IE.
Programs
The Programs policy section lets you enforce the support programs that your IE users use within
the context of a Web browsers. For example, if a user clicks an email address on a Web site,
which email program is launched? Or if a user wants to edit an HTML file, which HTML editor
is launched? Figure 1.22 shows the settings that are available in the Programs section.
28
Chapter 1
Figure 1.22: Viewing the settings available in the Programs policy item.
Application Data
Desktop
Start menu
Each of these folders typically resides in the users profile (usually stored in
%Systemroot%\Documents and Settings\%Username%). When users are subject to a GPO-based
Folder Redirection policy, Folder Redirection provides a way to redirect these profile-based
folders to alternative locations. For example, you might choose to redirect the My Documents
folder for all of the users in a particular OU to a server-based home share that is backed up
frequently.
Whereas NT 4.0 redirected all users subject to a particular GPO, Folder Redirection allows you
to redirect users to different server-based folders based on their group membership. This is
known as advanced (as opposed to basic) redirection, and its illustrated in Figure 1.23.
29
Chapter 1
In this figure, for users processing this GPO who are members of the Finance Users group, Ive
defined an advanced Folder Redirection policy to redirect My Documents to the home share
folders \\Financeserver\Home\%Username% .
Folder Redirection is smart in other ways too. For example, you can define settings for a Folder
Redirection policy that instruct the GPO to move the contents of, for example, My Documents
from the users profile to the new, redirected location when the GPO is first applied. But if the
user is no longer subject to the policy, you can also tell Folder Redirection to either move the
contents back to the users profile or leave them where they are.
Folder Redirection can also grant exclusive security rights to a folder that has been redirected, as
you might want to do for personal documents typically found in My Documents. In this case,
Folder Redirection takes care of applying ACLs to the folder so that only the user who is being
redirected has access to that folder and its contents. Folder Redirection is also useful for
redirecting user folders to read-only server shares. This is especially appropriate for folders such
as Start menu or Application Data, whose contents you might want to be identical for all users.
Windows Settings | Remote Installation Services
The Remote Installation Services RIS policy is fairly simple. If youre using RIS to install
Win2K workstations, you know that one of the first steps is to log on to an AD domain. If you
log on using an AD user account that is subject to a GPO on which RIS policy is defined, that
policy may restrict what you can and cannot do in the RIS menus. Figure 1.24 shows the RIS
policy options that are available.
30
Chapter 1
In this figure, you can see that the policy provides the ability to control four aspects of a RIS
setupautomatic setup, custom setup, restart setup, and tools. Each section has three policy
settingsAllow, Dont Care, and Deny. If, for example, you define a Deny policy for custom
setup, users subject to this GPO cannot choose the manual setup option from the RIS installation
menus. In the normal course of your work with GPOs, Id be surprised if you find much use for
this policy. But its useful to know its available.
Administrative Templates
Administrative Templates are available in both the per-user and per-computer parts of a GPO.
Administrative Templates are NT 4.0 System Policyor more specifically, an enhanced version
of NT 4.0 System Policy. They let you enforce particular registry settings in either the
HKEY_CURRENT_USER (per-user) or HKEY_LOCAL_MACHINE (per-machine) hives.
Administrative Templates use an approach similar to System Policy to define which registry
keys and values can be set. Namely, Microsoft provides (and you can define) .adm files that use
a special macro language to define the keys and values that you want to control. When you set
Administrative Template policy, you choose from three states for a given policy item:
DisabledThe policy item is actively not enforced or not done. In other words, if a
registry value is set to 1, and 0 is its off state, disabling the policy will set the registry
value to 0. (This corresponds to an unchecked value in NT 4.0 System Policy.)
31
Chapter 1
Not ConfiguredThe value for this registry policy item is left alone. That is, if the value
in the registry is 1, a GPO with Not Configured defined for that value will have no
impact. (This corresponds to a grayed value in NT 4.0 System Policy.)
The .adm files that ship in Win2K are more numerous and provide more registry-based policy
settings than those provided in NT 4.0. This makes sense when you consider the number of
additional features in Win2K. Figure 1.25 shows an example of some of the Administrative
Template settings available in Win2K GPOs.
This figure happens to show some Administrative Template policies that you can set to control
the behavior of GPO processing itself on a given computer.
In NT 4.0 System Policy, if you set a registry value by policy and that policy file was removed or
no longer applied, the value would remain as the policy had specifiedit would remain
tattooed. However, in Win2Ks Administrative Templates, Microsoft now distinguishes
between registry settings that are policies and those that are preferences.
A policy is defined as any values that are modified under one of the following four registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
(per machine)
32
Chapter 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies (per
user)
The policies defined by these registry keys dont suffer the tattooing fate. If a GPO-based
Administrative Template policy is no longer active, the registry value is removed as if the policy
had never been there. Preferences, however, are Administrative Template-based policy that
makes changes to registry keys other than the four previously listed. If a GPO that sets a
preference is removed, the registry values set by that preference are left as is.
Finally, just as with NT 4.0 System Policy, you can customize existing or create new .adm
template files to add registry lockdown functionality to your GPOs. Youll find that the macrolanguage syntax in Win2K is quite similar to NT 4.0 .adm files, and indeed, NT 4.0 .adm files
typically work without change in Win2K.
One nice enhancement Microsoft made to Administrative Templates is support for a new .adm
tag called Explain. The Explain tag lets you add detailed textual explanations of what a particular
policy item is doingright in the Group Policy snap-in. Youll notice that Microsoft has done a
pretty good job of using this feature to document the .adm files that they provide. If you create
your own custom files, I encourage you to follow suit.
Summary
In this chapter, I reviewed the purpose of GPOs, how theyre processed, how to edit them, and
what features they provide. As you can begin to see, GPOs are a powerful and complex tool that
can either greatly enhance or greatly harm your Win2K infrastructure.
The rest of this book focuses on how to use GPOs to enhance your infrastructure and prevent
them from harming it. Chapter 2 discusses a GPO in detail and how it interacts with AD,
Chapters 3 and 4 drill into the features described in this chapter with an eye to helping you use
them in practice and design and deploy an effective GPO infrastructure, Chapter 5 talks about
some of the limitations youre likely to encounter as you use this technology, and Chapter 6
provides some tools and troubleshooting techniques for managing your GPOs when things go
awry.
33
Chapter 2
Figure 2.1: The Group Policy snap-in showing the GPO Default Domain Policy.
34
Chapter 2
The GPO really consists of two components. The first part is stored in AD as a container object.
This part of the GPO is referred to as the GPC. The GPC AD object is derived from a special AD
class called, as you would expect, groupPolicyContainer. The second part of the GPO is stored as
files in the file system in the shared SYSVOL folder on every domain controller. This second
part is called the GPT.
The exception to this model is the local GPO. As I mentioned in Chapter 1, the local GPO
resides on every Win2K device that you install. It doesnt have a GPC in AD or a GPT in
SYSVOL. Rather, it simply stores what would correspond to its GPT in the local file system of a
workstation or server. In this chapter, Im going to focus on AD-based GPOs rather than the
local variety, so thats all Ill say about local GPOs for now.
Given this reliance of GPOs on AD and a domain controller infrastructure, its easy to
understand why, as I explained in Chapter 1, you need to have an AD infrastructure in place to
take full advantage of GPO functionality. But this reliance implies something else as well
namely, that GPOs belong to a particular domain in which theyre created. That is, in a multidomain AD forest, each GPO you create must be stored in a single domain.
However, its also important to remember that while GPOs live in a single domain, they can be
linked to objects outside the domain. As you can imagine, this cross-domain linking can have
an impact on the performance of GPO processing. Ill discuss that topic later in the Group
Policy Processing section of this chapter. Next, lets dive into the details of the two parts of the
GPOthe GPC and GPT.
The GPC
The GPC is critical to ensuring that computers and users in AD environments correctly process
policies. To view the GPC, open the MMC Active Directory Users and Computers snap-in.
Make sure you have the advanced features view enabled. Select the system container, and
beneath that, the Policies container in the domain. There youll find all the policies defined in the
domain. Each GPO is represented as a container named with a 128-bit GUID (see Figure 2.2).
35
Chapter 2
Figure 2.2: GPCs exposed through the Active Directory Users and Computers tool.
By default, you cannot see the System\Policies container when you first start the Active Directory
Users and Computers tool. To see the container, choose View, Advanced Features (shown in Figure
2.3).
Now lets think about which GPC object in Figure 2.2 maps to a recognizable GPO, like the one
shown in Figure 2.1. Typically, we compare the GUID string in the Policies container with a
GUID string on the GPO, as seen in the MMC Group Policy tool. If you right-click the GPO
name in the Group Policy tool, then choose Properties from the context menu, you can view the
36
Chapter 2
properties of the GPO in the Properties dialog box. Youll see its GUID listed on the General tab
as Unique Name (see Figure 2.4).
Figure 2.4: Viewing the GUID of a GPO using the Group Policy tool.
Once you know the GUID of the GPO youre editing, its easy to find the corresponding GPC
object in the Policies container of the domain in which the policy is stored. In addition, if youre
reviewing a GPO and are unsure which domain is mastering it, just look at the value for Domain
on the General tab of the policys Properties dialog box. The domain shown there is the domain
in which the GPC, and thus the GPO, is stored.
Finding GPO Friendly Names from Their GUIDs
The need to derive a GPOs friendly name from its GUID (that is, to perform a reverse policy
name lookup) doesnt occur very often, but if you need to perform such an operation, you can
use a tool called ADSIEdit.
You can install ADSIEdit as a part of the Support Tools from the Win2K Professional, Server,
Advanced Server, or Datacenter CD-ROMs. Its also available in the Win2K resource kit.
37
Chapter 2
You may not have security clearance to install Support Tools on your servers. In this case, consider
registering the adsiedit.dll for one-time use. Simply find a copy of adsiedit.dll (on any system on which
youve installed the previous tool set). Copy the adsiedit.dll to your systems %systemroot%\system32
folder, and run the following code to register the dll:
Regsvr32 %systemroot%\system32\adsiedit.dll
Un-registering is as simple as executing the following command:
Regsvr32 /u %systemroot%\system32\adsiedit.dll
Once youve installed ADSIEdit, you can start it by choosing Start, Run, then typing
adsiedit.msc
in the dialog box or by loading the ADSIEdit snap-in into an MMC console. When you start the
tool, three folders are listedDomain NC, Configuration Container, and Schema. These are
ADs three naming contexts.
Naming contexts are partitions in AD. A full discussion of them is beyond the scope of this
book, but for our purposes, GPCs are always stored in the Domain NC folder. Expand this folder,
and youll see a structure very similar to that shown in the Active Directory Users and
Computers tool. If you select CN=System, then CN=Policies, youll see a list of folders, named
with their GUIDs. These are the GPCs that reside in the domain (see Figure 2.5).
38
Chapter 2
Once youve exposed the GPC objects using ADSIEdit, you can review the properties of each
GUID to find a GPO by its friendly name. Right-click a GUID and choose Properties from the
context menu. The Properties dialog box appears. For example, suppose youre looking for the
Default Domain Controller policy. In the Select a Property to View text box, choose the
displayName property from the drop-down list (see Figure 2.6). The Value(s) text box at the
bottom of the dialog box displays the friendly name for that GPO.
In this next section, Ill take a look at the GPOs template information, or what is commonly
referred to as the file-system part of a GPO.
The GPT
The GPT provides an additional level of storage as it pertains to the GPC. The GPT stores policy
settings that dont store well in AD. The GPT is a template or a suite of files stored on a Win2K
domain controller. A particular GPT is tied to its associated GPC through a special property on
the GPC object under the Policies container.
GPTs and GPCs have a one-to-one relationship. In other words, you generally cant (and shouldnt)
have a particular GPT referenced by more than GPC.
39
Chapter 2
To see the relationship between a GPT and a GPC, display the Properties dialog box for a GPC
in ADSIEdit. In the Select a Property to View text box, choose the gPCFileSysPath property
from the drop-down list. This property translates to the path to the GPT for this particular GPC.
(See Figure 2.7.)
As you look at the Value(s) text box in Figure 2.7, youll see a rather long entry. The following
is a typical example:
\\domain.tld\sysvol\domain.tld\Policies\{6AC1786C-016F-11D2-945F00C04fB984F9}
Note that the GUID in the entry above is the same as the title bar in Figure 2.7. This shows that
the GPC and the GPT share the use of the GUID to ensure consistency, regardless of the GPOs
friendly name.
The value of the GPT is that it gives software vendors (Microsoft included) who want to Group
Policyenable their applications the flexibility to provide policy-related configuration data (for
example, files and file folders) that isnt conducive to being stored in AD. This apparent
disconnection between the GPT and the GPC can cause many problems with GPO processing
that youll need to be aware of. (This is discussed in greater detail in Chapter 6.) Later in this
chapter, Ill discuss GPO versioning, which is the principal method by which Microsoft attempts
to ensure that for a particular GPO, the contents of both the GPC and the GPT are synchronized
before being processed by a user or computer. (See GPO Versioning.)
40
Chapter 2
Compare Figure 2.8 with Figure 2.7, and youll see that the title bars show the same GUID, but
the content in Figure 2.8 is a view of the file system on a Win2K domain controller. Specifically,
Figure 2.8 is the SYSVOL share point found on all domain controllers, and it shows the contents
of a GPT. As you can see, its composed of a number of files and folders, which Ill describe in a
later section. (See GPT Storage.)
Because a GPT is stored in SYSVOL, its replicated to all domain controllers in a particular
domain. When you create or edit a GPO, in effect, youre creating or editing a GPC on the
domain controller that youre currently focused on, and youre correspondingly creating or
editing a GPT on the same domain controller in SYSVOL. As the domain controller replicates
AD and SYSVOL, so is your GPO distributed throughout your AD infrastructure.
The NT File Replication Service (NTFRS) is responsible for replicating the SYSVOL structure among
domain controllers. However, AD is replicated using a different mechanism and can replicate on a
different schedule from NTFRS.
In the next section, Ill drill into GPC and GPT storage. Namely, Ill take a close look at the
contents and subcontainers of the GPC and the GPT.
41
Chapter 2
As I mentioned earlier and in Chapter 1, Group Policy allows software vendors to Group Policy
enable their applications. When making the decision to integrate with Group Policy, developers
must consider their storage options.
Group policy settings can be stored in three places; these are shown in Table 2.1.
Location
Content Should Be
Container
AD
Typically less than 100KB in size, binary, alphanumeric, and so on. Doesnt change very often.
GPC
SYSVOL\policies\<GUID>\<User
or Machine>\Registry.pol
GPT
SYSVOL\policies\<GUID>\<User
or Machine>\<vendor or custom
folder>\customFile
GPT
Ill start with a more detailed description of GPC storage, then move into whats stored on the
file system under the SYSVOL share point.
Storing GPC Information
A GPC object has two important subcontainers in AD. These two subcontainers (see Figure 2.9)
correspond to the AD objects we envision Group Policy managingnamely, people (users) and
machines (computers).
42
Chapter 2
As with the GPT, any software vendor has the ability to extend the user or machine
subcontainers to provide AD-based policy storage for their applications. Earlier in this chapter, I
discussed using ADSIEdit to view some of the properties on a GPC object. Table 2.2 provides a
description of some of the more interesting properties in a GPC.
Property
Description
displayName
The Group Policy friendly name shown in the MMC Group Policy
tool and on the Group Policy tab of Sites, Domains and OUs.
gPCFileSysPath
gPCFunctionalityVersion
Defines the version of the MMC Group Policy extension that created
this GPO.
GPCMachineExtensionNames
GPCUserExtensionNames
VersionNumber
Table 2.2: A list of some important properties on GPC objects in the Policies container.
43
Chapter 2
The Class Store provides a powerful tool for developers and administrators. Think of the Class
Store as an AD-based version of the Win2K registry. More specifically, its an AD version of
HKEY_CLASSES_ROOT, the registry subtree that holds useful configuration information about
file-extension associations and COM objects that are installed on a particular system.
As discussed in Chapter 1, when you assign an application to a user, the application registers up
to three advertisements on the users computer. These advertisements include file shortcuts, fileextension associations, and COM interfaces (if any). For this last form of advertisement, COM
class registration, the Class Store provides a central repository of registration that lets a computer
or user processing GPOs know what COM objects have been deployed.
In addition, when a user wants to use the Add/Remove Programs applet in the Control Panel to
review which GPO-published applications are available from the network, the Winlogon process
on the computer uses an application programming interface (API) called GetGPOList to query
the associated GPCs for GPOs that apply to them. Once the API has identified the applicable
GPCs, it queries the Class Store package container to determine which applications are available
to the user, and the Add/Remove Programs applet is populated with a list of available
applications. Likewise, when GPOs are processed when a computer starts up or a user logs on,
the GetGPOList API methods review all assigned applications .
GetGPOList is an API documented by Microsoft that allows the system to pass in user or computer
information and have returned a list of applicable GPOs. GetGPOList is discussed later in this chapter
in Group Policy Processing.
44
Chapter 2
As I mentioned in Chapter 1, Group Policy makes it possible to deploy applications that you
install using file-extension activation. Normally, when a user double-clicks a file with an
extension that hasnt been registered to an application with HKEY_CLASSES_ROOT, the
familiar Open With dialog box appears, prompting the user to choose an application to open the
file.
Group Policy uses a combination of the Class Store and a file called an application assignment
script (.aas file, stored in the GPT) to guarantee that file-extension associations are advertised
when an application has been assigned to a computer or user. When a computer or user accesses
a file using that extension, Win2K then automatically installs applications with registered fileextension associations as part of a GPO-deployed application.
For example, if you assign Microsoft Office using Group Policy, a number of file extensions are
associated with it in the GPC and GPT (for example, .doc, .xls, .ppt). The next time a user logs
on or a computer restarts, these file extensions are registered in the computers local registry. If a
user then clicks a file with a registered extensionfor example, a Word .doc filethe Office
package will be installed at that time.
There are several reasons why developers can take advantage of the Class Store too. Developers
can create applications installed using the Windows Installer engine and packaging format.
These application packages contain information about DLL files, or COM objects, that might be
needed by other applications. When an application is published or assigned in a GPO, references
to any COM objects that are exposed by that application are stored in the GPC in the
packageRegistration object for that application. These references are stored, using their
associated GUID, in the cOMClassID property on the object.
If an application running on the workstation makes a subsequent call to a COM object that has
been published or assigned, the API that calls the object queries the packageRegistration objects
in the GPC to determine whether the necessary COM object has been registered. If it has, the
application package that contains the COM object is installed automatically from the MSI
package defined in the GPO.
The Class Store provides a valuable way for developers to use AD to make their COM components
widely and automatically available to their users.
Table 2.3 lists some of the more interesting properties in the packageRegistration object.
Property
Description
canUpgradeScript
The script that would be called if the package had an upgrade associated with it.
(See Chapter 3 for a discussion of establishing upgrade relationships.) Its
typically in the form \\domain.tld\sysvol\policies\domain.tld\policies\GUID.
categories
cOMClassID
The GUID(s) associated with the COM object(s) that this package contains.
When an instance of an object is created, this property is queried by APIs to
determine if the application package contains the required object.
cOMInterfaceID
Defines COM interface IDs available from this package (similar to cOMClassID).
cOMProgID
Defines the COM ProgID contained in the package. (A ProgID is the userfriendly textual representation of a COM objects Class ID.) For example, you
45
Chapter 2
Property
Description
see ProgIDs used when a Visual Basic (or VBScript) application creates a new
object instance.
cOMTypelibld
displayName
Is the display name of the application as its written in the Windows Installer
package.
installUiLevel
localeID
machineArchitecture
Defines the type of system on which the package can be deployed. If the policy
were multi-platform, you could deploy packages to users on different systems.
msiFileList
Identifies the location on the network of the MSI package that installs this
application. If you changes the server where your applications were deployed
from, youd modify the 0:<File Location> value to reflect that change. Ironically,
once youve deployed the package, you cant change this value in the Group
Policy snap-in, so modifying this property is your only choice. (See the caution
below this table for information about making changes to the GPC using
ADSIEdit.) The format of this property is <n:file location>, where n can be 0
and <file location> is a valid network resource like a distributed file system (Dfs)
share point. Any value of 1 or higher identifies a Windows Installer transform file
that was identified on the Modifications tab when the application was deployed
in the GPO.
msiScriptPath
Identifies the application assignment script (.aas file) that should be called when
installing or removing an application. (This is discussed in more detail in the
next section, GPT Storage.)
packageFlags
packageName
packageType
productCode
setupCommand
url
versionNumberHi
Because version numbers use dotted decimal notation, this describes the whole
number, or the tens place. For example, in Version 2.0, 2 is the
versionNumberHI.
versionNumberLow
46
Chapter 2
Be careful about editing the properties of a GPC directly in ADSIEdit. As Ill explain later in this
chapter, GPO versioning is the mechanism by which Win2K computers validate whether the GPC and
GPT are in sync when processing a GPO. (See the section entitled GPO Versioning.) Versioning is
normally controlled using the MMC Group Policy snap-in. When you make a change to a GPO, the
GPC and GPT version information is incremented to reflect the change. When you make a change to
a GPO, it may require changes to both the GPT and the GPC or to one but not the other, but the
Group Policy tool will increment version information on both. If you make a change to a GPC using a
tool such as ADSIEdit, you may be circumventing GPO versioning, creating a situation where your
Win2K computers think your GPOs are in sync when in fact, theyre not.
Policy Name
{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04fB984F9}
Once you open a GUID folder using file explorer, whether its a default policy or one that youve
created, you start to see the guts of the GPT. If you refer back to Figure 2.8, youll see the default
top-level folders for a GPT. Table 2.5 describes the purpose of these folders.
Object
Purpose
Adm
All of the Administrative Templates (.adm files) for a policy. If you add an
administrative template (.adm) file to a policy its stored here and replicated
throughout the domain.
Machine
User
GPT.ini
Version information about the GPT. It allows extensions to gracefully fail if there is a
synchronization problem between the GPC and the GPT.
To expand on the information in Table 2.5, the Adm folder stores Administrative Templates
(.adm files) used by the Group Policy editor. The default files in the Adm folder are:
47
Chapter 2
inetres.admManages IE settings
The Machine and User folders are very similar in structure, so Ill discuss them in tandem. If you
look at the User folder in the GPT GUID, youll find something similar to Figure 2.11.
Ill now drill down into each folder in the User and Computer folders and describe its function.
Applications Folder
The Applications folder in Figure 2.11 stores files relating to applications being deployed using
the Software Installation feature in Group Policy. The files in this folder contain application
assignment scripts using the file-name format <GUID>.aas. The GUID refers to the
packageRegistration object in the Class Store of the GPC. The files can be viewed in Notepad,
but the .aas extension has no default association. As I mentioned above, the .aas script allows
advertisements to be registered for a particular application deployed using Group Policy.
Documents and Settings Folder
Figure 2.11 shows the Documents and Settings folder. This folder appears only when youve
configured the Folder Redirection feature in Group Policy. The Folder Redirection extension
code on the client reads this folder when the user logs on, and the extension determines the folder
redirection settings for the user.
The Documents and Settings folder contains a special text file named fdeploy.ini that contains
configuration-related information. An example of the file is shown in Listing 2.1.
48
Chapter 2
[FolderStatus]
Application Data=39
Desktop=39
My Documents=39
My Pictures=2
Start Menu=28
Programs=2
Startup=2
[Application Data]
s-1-5-21-970468228-843086746-623648099-1714=\\dks\corp\musers\%username%\appdata
[Desktop]
s-1-5-21-970468228-843086746-623648099-1714=\\dks\corp\musers\%username%\desktop
[My Documents]
s-1-5-21-970468228-843086746-623648099-1714=\\dks\corp\musers\%username%\docs-n-pics
[My Pictures]
[Start Menu]
s-1-5-21-970468228-843086746-623648099-1714=\\dks\corp\musers\%username%\startmenu
[Programs]
[Startup]
Listing 2.1: The fdeploy.ini file, which is located in a users Documents and Settings folder.
The FolderStatus section describes the options selected on the Settings tab of each redirected
folder. The sections beneath FolderStatus refer the workstation to the correct network or filesystem location for the redirected folder. In the example above, members of a user group
(represented by their security identifiers, or SIDs) are being redirected to various folders under a
Dfs share point (for example, \\dks\corp).
The SIDs that appear within the file (for example, s-1-5-21.and so on) refer to the SIDs of
users and groups and are used instead of friendly names because such names can change. Using
SIDs ensures that the user folders are always redirected regardless of the user or group names.
Microsoft Folder
The Microsoft folder is really just a vendors folder and is found under both the machine and
user sub-folders within a GPT. Any application vendor can, and by design should, create a folder
within the GPT for its applications that are Group Policyenabled. In Microsofts case, several
applications are Group Policyenabled and are stored in this foldernamely the Security
Configuration Editor, the IEAK and RIS settings.
The Security Configuration Editor settings are stored in the Machine sub-folder. The
Security Configuration Editor tool was first introduced in NT 4.0. In Win2K, we
commonly refer to it as Secedit. Its data is stored in a template file in
SYSVOL\domain\policies\<GPO GUID>\Machine\Microsoft\Windows
NT\Secedit\gtptmpl.inf.
49
Chapter 2
The Microsoft folder also stores settings used by the IEAK. Its data is found in a series of
folders under SYSVOL\domain\policies\<GPO GUID>\User\Microsoft\IEAK and
contains information that the IEAK would typically create and that an administrator
would deploy. Having these settings integrated into Group Policy is a convenient way of
enforcing IE configuration and branding settings across multiple machines
simultaneously.
Any vendor can create a companyName folder in the User or Machine folder to store file-based
configuration data for its applications.
Scripts Folder
The Scripts folder exists in both the User and Machine folders and provides a mechanism for
distributing logon, logoff, shutdown, and startup scripts to users and computers in your
environment. The Scripts folder in the User folder stores logoff scripts in the Logoff folder and
logon scripts in the Logon folder. In the Machine folder, the Scripts folder stores shutdown
scripts in the Shutdown folder and startup scripts in the Startup folder.
When youre adding a script to a GPO, if you select the script file from a local file system, such
as your administrative workstation, the Group Policy tool doesnt automatically copy the script
file to the appropriate Scripts folder in the GPT. Before you add a reference to the script file in
the Group Policy tool, you must copy the file manually to the appropriate folder in the GPT.
Once you create references to scripts in a GPO, they automatically appear in a scripts.ini file.
This file is created in the Scripts folder; it controls the processing order of the scripts and
references their locations in the file-system. Its important to note that just because a script exists
in the Logon or Logoff folder, it isnt necessarily processed. The scripts must be assigned in the
scripts.ini file, which is populated using the Group Policy snap-in UI. The following is an
example of a User scripts.ini file:
[Logon]
0CmdLine=\\DCServer\sysvol\domain.tld\Policies\{5DE00B1E-29184B82-8CEF-790296F4DFF8}\User\Scripts\Logon\startup.cmd
0Parameters=
[Logoff]
0CmdLine=\\DCServer\sysvol\domain.tld\Policies\{5DE00B1E-29184B82-8CEF-790296F4DFF8}\User\Scripts\Logoff\cleanup.cmd
0Parameters=
The file above can be interpreted slash for slash. In this example, the first of possibly many
logon scripts is referenced by a numeric prefix (that is, 0). The script that is executed is provided
by the 0CmdLine key. The 0Parameters key lists any optional command-prompt parameters
that you provide for starting the script.
50
Chapter 2
Registry.pol
The registry.pol file exists in both User and Machine folders. It stores all of the settings that have
been activated in the Administrative Templates section in a GPO. The Adm folder mentioned
earlier has an impact on this folder. When you open the Group Policy tool, it loads the
Administrative Templates (.adm files) stored in the Adm folder, and these files control the
settings that you see in the Administrative Templates section. When you expand on the
Administrative Templates folder in the Group Policy tool, the registry.pol file is loaded for the
appropriate node youre viewing (User or Machine).
The registry.pol file is also read by the client OS when a computer starts up and when a user logs
on. Its then reread periodically thereafter.
GPO Versioning
GPOs track version numbers each time you make a change to them. This version data is
referenced by the code that processes a GPO on the client machine. Namely, its used to
determine whether something in the GPO has changed from the last time it was processed and
whether the GPT and GPC are in sync (and can therefore be reliably processed). If the version
numbers of the GPT and GPC for a GPO arent the same, a Win2K system querying that GPO
will simply not attempt to process it. In this section, Im going to explain how GPOs track
version numbers.
In the GPT, the version number is kept in a file in SYSVOL\<domain>\policies\<GUID> called
gpt.ini. This is a simple text file like the example below, which shows that the version of the
GPT is 65:
[General]
Version=65
In the case of the GPC, version number information is stored as a property in AD called
versionNumber. As youd expect, you can view this property using the ADSIEdit tool described
earlier in the chapter. (See Finding GPO Friendly Names from Their GUIDs.)
For a GPO to be considered in sync, the version numbers of the GPC and GPT must be identical
on each domain controller in the domain. Replication problems in AD or SYSVOL can cause a
GPO to get out of sync on some domain controllers.
You can easily see which GPOs in a given domain are in sync on a domain controller by using
the Replication Monitor (Replmon.exe) tool that comes with the Win2K Support Tools. Rightclick a domain controller in Replmon and choose Show Group Policy Object Status from the
context menu. Youll see a listing of all the GPOs in your domain for that domain controller (see
Figure 2.12) as well as the current versions of the GPC (listed under Version) and GPT (listed
under SysVol Version). If the GPC and GPT versions of any GPO are out of sync, a check mark
will appear in the Sync column on the left of the table.
51
Chapter 2
Youd think that whenever you edited a GPO, the version numbers for the GPT and GPC would
be incremented by 1. However, thats not the case, and the actual versioning process isnt the
slightest bit intuitive. As you know, there are two sections in a GPOcomputer and user. Each
of these sections actually maintains its own version information. This is because when a Win2K
device is processing a GPO, it needs to know, for computer and user sections, whether there has
been a change from the last time the GPO was processed. If only one version number were kept
for both computer and user sections, there would be no way to know if a change was made to one
section but not the other.
Because a separate version number is kept for each section, only the section of the GPO that has
changed will be processed the next time the system reads the GPO. You can view version
information for each section in a GPO by opening the GPO in the Group Policy MMC snap-in,
selecting the GPO name, right-clicking, then selecting Properties from the context menu. On the
General tab, the Revisions property displays values for both Computer and User (see Figure
2.13).
52
Chapter 2
These revision numbers will often be different from the actual version numbers stored in the
GPC and GPT, and thats where GPO versioning starts to become counterintuitive. Version
numbers for each section of a GPO increment at different rates. Specifically, each change to the
computer section of a GPO increments the version number by 1. However, each change to the
user section of a GPO increments the version number by 65536! For example, if Ive made ten
changes to the user section of a GPO and none to the computer section, the Revisions property in
the General tab of the GPO will read:
0 (Computer), 10 (User)
The corresponding version numbers for the GPT (in GPT.ini) and GPC (in the versionNumber
property) will be 10 x 65536 or 655360. When I make the first edit to the computer section on
that GPO, the Revisions property will show:
1 (Computer), 10 (User)
However, the version number stored in gpt.ini and the versionNumber property in the GPT and
GPC, respectively, will show 655361 (655360+1). Each additional change I make to computer
section of that GPO will increase the version number by 1, and each additional user section
change increases it by 65536.
To reiterate, the revision numbers you see on the GPOs General properties tab is the number of
changes made to either the user or the computer section of the GPO since it was created. The
53
Chapter 2
version number of the GPO is a calculated value that is kept for both the GPC and GPT; it
determines whether each is in sync with the other.
Group Policy Processing
Group Policy processing flows as follows: identifying which policies are associated with a user
or computer, calling the appropriate CSE DLLs, reading the policy information from the GPT
and GPC, and updating the computer and user settings appropriately. Before we get into that,
lets first think about how the system determines which policies are associated with a user or
computer.
I discussed in Chapter 1 that Win2K Group Policy can be linked at three different levels: by site,
domain, and OU. Whenever you link a policy to a site, domain, or OU, the policys distinguished
name (DN) becomes an entry in a special property of the site, domain, or OU called gPLink (see
Figure 2.14).
For more information about gPLink, see Chapter 3.
Figure 2.14: Viewing the gPLink property with the DN of the GPC object. The first half of the DN is shown in
the Edit Attribute text box, while the second half is shown in the Value(s) text box.
Win2K uses the previously described GetGPOList API to identify which GPOs should be
processed on the client. While GetGPOList is being executed on a computer, the computer name
54
Chapter 2
and IP address are used to determine the correct site of the GPOs that may be associated with the
computer. Similarly, wherever the computer (or user) exists in the domain and in an OU,
GetGPOlist uses this info to determine whether any additional GPOs apply.
Next, once the list of applicable GPOs is discovered, version information and other GPO options
are examined to determine which of the required GPOs must actually be processed during the
current cycle. For example, GPOs that havent changed since the last time they were processed
wont be processed again unless the administrator has forced such an operation.
Finally, the required CSE DLLs will process policy for each applicable GPO. These DLLs are
installed by default on a Win2K system and registered in the registry under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
Of course, Group Policy is extensible by any software vendor, so the CSEs registered on a given
Win2K system may not be identical to a default Win2K installation. Its important to remember
that CSEs do the real work of enforcing GPO policy. They read the settings stored in the GPT
and GPC and use that data to apply policy for whichever feature theyre responsible for.
Bringing It All Together
As users start their computers and proceed to log on to a Win2K system, Group Policy
processing begins. As the system is starting, it obtains an IP address statically or from the
Dynamic Host Configuration Protocol (DHCP) server. This IP address allows the system to
communicate with a domain controller for authentication and secure channel connection to the
domain.
Once a secure channel is created, the client calls GetGPOList. The client identifies its site based
on its IP address and site information stored in AD. Having a computer account allows
GetGPOList to find the domain the account belongs in as well as the OU. Once the client has
obtained the list of GPOs, it prioritizes all of the GPOs, then queries gPCFileSysPath for each
GPO so that it can find the GPT.
Once the final computer-specific GPO is processed, the user is presented with the CTRL-ALTDEL dialog box. When the user types in a user name and password, a login is sent across the
secure channel the computer has with a domain controller. The domain controller replies to the
user with Kerberos tickets, and the policy processing for the user begins. Once all of the GPOs
are processed by the appropriate CSE DLLs, policy processing is complete.
Summary
In this chapter, I began by describing the architecture of Group Policy. The GPO is really
composed of a GPC, stored in AD, and a GPT, stored with the SYSVOL share on each domain
controller. Later in the chapter, I tied together the details of the GPC, GPT, and settings storage
in the form of policy processing.
55
Chapter 3
To begin, you need to ensure that youre logged in to your AD domain with a user ID that is
capable of creating GPOs. Ill talk more about GPO security later in this chapter (see Security
Settings) and in Chapter 5, but to create (and edit) a GPO in a default AD installation, you need
to be a member of one of the following groups:
When the Active Directory Users and Computers MMC tool loads, itll focus on the domain to
which the workstation or server from where youre running the tool belongs. So, if youre
running the tool from a workstation that is a member of the mycompany.com domain, the tool
will be focused on that domain when it starts. To create a GPO linked to a domain, right-click the
domain name listed at the top of the left-hand pane in the MMC tool. My example shows
mycompany.com. Choose Properties from the context menu, then in the Properties dialog box
click the Group Policy tab to see the Group Policy page, shown in Figure 3.1.
56
Chapter 3
Figure 3.1: Viewing the Group Policy page for the domain properties in the Active Directory Users and
Computers MMC snap-in.
The view you see in Figure 3.1 shows you the GPOs that are currently linked to the
mycompany.com domainin this case, its just the Default Domain Policy. The Default Domain
Policy is a special GPO in AD. This policy exists in all default AD installations and in fact cant
be deleted by normal means. If you attempt to delete this GPO using the Group Policy snap-in,
your request will appear to succeed, but the GPO wont actually be removed.
This is because this GPO serves a special functionnamely, guaranteeing that there is always a
way of defining domain security policy, irrespective of whether youre using GPOs for any other
purpose. Remember from Chapter 1 that one of the key features of the GPO is security
configuration management. And, in particular, domain account policy can only be defined in a
GPO linked at the domain level. The persistence of the Default Domain Policy guarantees that
there is always a way of defining account policy on a domain.
In my example, Im going to create a GPO, linked to the mycompany.com domain, called Test
GPO. To create a GPO, I simply click New on the Group Policy page. A GPO is created with the
temporary name New Group Policy Object. Now Im free to edit the name to something more
meaningful for my installation.
When I click New, two operations are happening behind the scenes. First, the physical GPO is
created in AD and the SYSVOL share, (For more information about the physical structure of
GPOs, see Chapter 2.) Then a link is created between the GPO and the domain. As you saw in
57
Chapter 3
Chapter 2, the link is really an AD attribute on the objectdomain, site, or OUthat youre
linking to. When these steps are complete, you have a fully functional GPO. And by fully
functional, I mean that from that moment forward, your GPO is live and can be processed by any
user or computer in the domain with permissions to do so.
Later in this chapter, Ill show you how you can create a GPO without actually linking it to an AD
object. This technique comes in handy if youre creating GPOs that you dont want users or
computers to process right away.
Of course, the important part, editing the GPO to set up your management functionality, is the
next step.
Editing GPOs
Once youve created the GPO, you can turn to the task of editing it. In the Properties dialog box
where you created the GPO, select your new GPO and click Edit. At that point, an instance of the
Group Policy MMC snap-in opens in a separate MMC console, focused on the new GPO. As you
can see, the familiar Group Policy editor interface, as described in Chapter 1, is presented here.
Remember that GPOs break configuration information into computer and user nodes. Under each
node is the functionality that is available.
To illustrate the editing process, Ill walk through setting up some security policy on my Test
GPO. Lets suppose that I want to set up auditing policy for all computers in the domain
mycompany.com. Because Test GPO is linked to the domain, all computers that are members of
the mycompany.com domain will process this GPO.
GPOs linked to a domain are processed by all computers and users in that domain. The exception to
this rule is that you can filter the processing of GPOs using AD security groups. Ill talk more about
security-group filtering later in this chapter (see Security Settings).
To set up auditing policy, I need to drill into the Computer Configuration section of the GPO
under Windows Settings, Security Settings, Local Policies. Figure 3.2 shows where Audit Policy
is located in a GPO.
58
Chapter 3
Figure 3.2: Viewing Audit Policy in the Computer Configuration section of a GPO.
As you can see in the right-hand pane in this figure, you can set a number of audit categories. For
example, setting Audit Account Logon Events to log success events tells any Win2K computer
subject to this GPO to create entries in the security event log any time a user successfully logs
onto that account. Domain controllers ignore local policy (for example, auditing policy) set at the
domain level in favor of local policy defined in the Default Domain Controllers Policy GPO.
However, you can set local policy in a domain-linked GPO for processing by workstations and
member servers in the domain. To set auditing policy, simply double-click the policy item of
interest in the right-hand pane of the Group Policy console. Youll be presented with the Security
Policy Setting dialog box, like that shown in Figure 3.3.
59
Chapter 3
As shown in Figure 3.3, you enable auditing policy by clicking the Define These Policy Settings
check box, then choosing to log success events and/or failure events. Specifying success events
indicates that you want to generate a security event log entry every time an operation of the
chosen type succeeds. For example, in Figure 3.3, Im enabling auditing of directory service
access. Whenever someone successfully accesses AD on a particular domain controller, a
success event is registered in the security event log. Likewise, if you specify failure events, when
someone attempts to access AD and is denied access for whatever reason, a failure event is
logged on that domain controller.
When you click OK in the Security Policy Setting dialog box, your change is immediately
committed to the GPO and is available for processing. This example explains editing just one
section of a GPO. Ill spend more time later in this chapter detailing how you can set policy on
some of the other GPO nodes of functionality.
Setting GPO Options
In addition to making basic edits to a GPO to set the policys functionality, you have a couple of
options that you can set on the GPO to further control its effect. On the Group Policy page of the
Properties dialog box shown in Figure 3.1, youll notice the Options button. Clicking Options
displays the Test GPO Options dialog box, shown in Figure 3.4.
60
Chapter 3
The two check boxes in this dialog box allow you to set the No Override and Disabled options on
a GPO.
No Override
When you click the No Override check box, an attribute is set on the container object in AD
where this GPO is linked. This attribute, introduced in Chapter 2, is called gPLink. For example,
if my Test GPO is linked at the domain level, gPLink is defined on the domain object called
mycompany.com in my AD. This object is viewable using the ADSI Edit tool introduced in
previous chapters. Setting the No Override option for a GPO linked to a container modifies the
gPLink attribute on that container.
Normally, the gPLink attribute on a container contains a bracket ([])delimited list of the GPOs
that are linked to it. The GPOs are referred to by their Lightweight Directory Access Protocol
(LDAP) DNsas described in Chapter 2. An example is shown here:
LDAP://CN={BB8724E4-8BD8-4C31-BA12EA7E69246D16},CN=Policies,CN=System,DC=mycompany,DC=com
The gPLink attribute contains a list of these LDAP distinguished names, with an option flag
tacked onto the end of each GPO referenced. If No Override is enabled, this option flag is set to
the value 2, as shown in Figure 3.5. (A normal GPO linked to a container without No Override
enabled will have a value of 0.)
Figure 3.5: Enabling No Override on the gPLink attribute for a linked GPO.
61
Chapter 3
The gPLink value for a GPO with No Override enabled looks like the following:
[LDAP://CN={BB8724E4-8BD8-4C31-BA12EA7E69246D16},CN=Policies,CN=System,DC=mycompany,DC=com;2]
Because No Override is set at the gPLink level, a GPO can be linked to, say, a domain, and be
set to No Override. However, the same GPO can also be linked to an OU in that domain without
No Override being set on that OU. The point here is that the No Override feature is set at the
container GPO link level rather than as an option in the GPO itself.
So now that we know what gets set in AD when No Override is enabled, what does this feature
actually do? No Override enforces a particular GPOs settings that could otherwise be nullified
by another GPO that is processed afterwards. For example, suppose Ive defined an
Administrative Template policy that has been linked at the domain level in my AD domain. This
policy performs a particular desktop lockdown that I want to enforce across all users in my
domain.
Now suppose an administrator who manages an OU in my domain creates a GPO that sets a
contradictory Administrative Template policy to mine and links that GPO to his OU. Normal
GPO processing precedence, if youll remember from Chapter 1, is: local, site-linked, domainlinked, and OU-linked. This means that the OU administrators OU-linked GPO will process last
and override my own domain-linked GPO. By setting No Override as an option on my domainlinked GPO, I prevent that from happeningthe OU-based GPO settings for Administrative
Template lockdown are simply ignored.
Its important to note that No Override is implemented at the CSE level. That is, if I set No
Override on a GPO linked to my domain, and only define Administrative Template settings in
that domain GPO, other settings defined by OU-linked GPOs, such as local security policy or
software installation settings, wont be overridden by my domain-linked policy. If, after I create
my domain-linked GPO, I decide to edit that GPO to add a software installation policy, the No
Override option will kick in and override any software installation policy defined on the OUlinked GPO.
Disabled
The other GPO option that you can set is called Disabled. This option is again specific to the
container to which the GPO is linked. And as with No Override, Disabled is implemented by
setting the value at the end of the LDAP distinguished name for a particular GPO contained in
the gPLink attribute. As I mentioned, No Override sets this value to 2. Clicking Disabled sets
this value to 1.
If you set both No Override and Disabled for a GPO link, the value placed in the gPLink attribute for
that GPO will be 3.
The Disabled option does just as its name implies: It disables the GPO linked to the particular
container (for example, site, domain, or OU). A disabled GPO link is no longer processed by
computers or users who are subject to it. In addition, if a GPO link is disabled, any settings that
had previously been enforced by that GPO are supposed to be undone during the next processing
cycle by the computers subjected to it.
62
Chapter 3
I say supposed to because Ive experienced situations where this was not the case. Specifically,
after I implemented the Folder Redirection feature in a GPO, disabling that GPO didnt undo
Folder Redirection. Ive reproduced this reliably and suggest that you test this in your own
environment before making assumptions about what the Disabled option can do for you.
You can also access the No Override and Disabled options by right-clicking the name of the GPO in
the GPO Properties dialog box on a given container. For example, on the Group Policy page (see
Figure 3.1), if I right-click Test GPO, I get a context menu with the No Override and Disabled options
at the top. Choosing one has the same effect as clicking the corresponding check box in the Test
GPO Options dialog box (see Figure 3.4).
63
Chapter 3
In this figure, a number of GPOs are defined at the domain, site, and OU levels. When we block
policy inheritance on the Accounting OU, not all upstream GPOs are processed by users and
computers defined in Accounting. Only the Accounting OU GPO is processed.
You block policy inheritance by setting an attribute on the container where you set this feature.
Using the ADSI Edit MMC snap-in, right-click the container object in the console, then choose
Properties from the context menu. In the Properties dialog box, click the Attributes tab. When
block policy inheritance is enabled, the gPOptions attribute is set to 1; when its not, its set to 0.
Figure 3.7 illustrates setting this value.
64
Chapter 3
Figure 3.7: Viewing the gPOptions attribute set on an AD container (domain or OU) object.
There is one exception to how the block policy inheritance feature is used. If an administrator for
a higher-level container (site, domain, or parent OU) specifies that a linked GPO supports the No
Override option (see No Override earlier in this chapter), that GPO cannot be blocked by a
downstream container. This allows an administrator at, for example, the domain level to make
sure that a particular policy is enforced regardless of what a downstream administrator may
attempt to do.
Preventing a downstream container from being blocked is useful for enforcing policy related to
security or desktop lockdown, and it may be corporate policy for all company computers. For
example, I use No Override in a GPO linked to my domain to enforce a particular set of event
log settings on all computers that are part of my domain. This guarantees that all computers have
event logs of sufficient size and rollover behavior to capture system, application, and security
events that Im interested in.
Setting GPO Properties
Another button on the Group Policy page of the Properties dialog box shown in Figure 3.1 is
Properties. Clicking Properties displays the Test GPO Properties dialog box, shown in Figure
3.8. This dialog box lets you set three types of propertiesgeneral, links, and security.
65
Chapter 3
General
The General page, shown in Figure 3.8, lets you view general information about a GPO and also
lets you disable either computer or user settings in the GPO. Chapter 2 describes most of the
information on this page, including the GUID for this GPO, its version number, and domain.
The two check boxes, which were also described briefly in Chapter 2, let you disable one or both
sides of GPO processing in this specific GPO. These settings are GPO-specific. This means that
if this GPO is linked to multiple sites, domains, or OUs, clicking one of these check boxes will
have an impact on them all. This feature lets you optimize the performance of GPO processing in
cases where a GPO may only be using part of its total policy functionality.
For example, if Ive defined a GPO that only processes user-based software installation policy, I
might want to click the Disable Computer Configuration Settings check box. This tells the CSE
on a Win2K device that is processing this GPO to simply ignore any computer-specific CSE
processing because none is set. (Even if theyre defined, they wont be processed.) This can have
the effect of speeding the processing of GPOs in cases where a user or computer must process
many GPOs on logon or startup. Ill talk more about designing a GPO implementation with an
eye towards performance in Chapter 4.
Links
The Links page is useful for locating other container objects that have linked to this GPO. For
example, as Figure 3.9 shows, I can select a domain in my AD forest to search, then click Find
Now.
66
Chapter 3
Figure 3.9: Searching for all links to the selected GPO using the Links page in the Test GPO Properties dialog
box.
As Figure 3.9 shows, this particular GPO, called Test GPO, was found linked at both the domain
level (in mycompany.com) and OU level (in the Finance OU). This search capability can also
locate links that cross domain boundaries because, as Chapter 2 pointed out, youre free to link to
GPOs that are stored across domains in a forest.
Security
The final page is Security. Clicking the Security tab displays the familiar Win2K ACL Editor
dialog box. Just as with other objects in AD, GPOs have security associated with them. Security
is in place for two reasons: to control who can edit or link to a particular GPO and to control
what computers and users can process a particular GPO.
Ill describe using security as a GPO processing filter in more detail later in this chapter. (I also
describe using GPO security to delegate administration of GPOs in Chapter 4.) For now, suffice
it to say that you can use security, in addition to the No Override and block policy inheritance
features described earlier in this chapter, to control at a fine level of granularity what computers
and users can process.
Controlling GPO Precedence
As youve probably guessed by now, the Group Policy page of the Properties dialog box, shown
in Figure 3.1, is the hub of activity for my discussions of the various capabilities of GPOs that
you can enable! This figure provides a container-view of GPOs. That is, for a given site,
domain, or OU, it shows all of the GPOs currently linked to the container.
Youll note that when multiple GPOs are listed, the Up and Down buttons become available.
These buttons let you control the ordering, or precedence, of GPO processing at any container
67
Chapter 3
level. This makes sense when you think about it. There has to be some predictable order in which
GPOs are processed not only across containers (for example, LSDOU) but also in a container.
This Up/Down capability is very similar to the Group Priority capability that was available in NT
4.0 system policy. In the case of system policy, when a user was a member of multiple policy
groups, user groups that were assigned to a particular policy were given an order of precedence
that controlled which group-specific policy was processed first.
The Up and Down buttons on a container control which GPO is processed first, second, third,
and so on. In the case of GPO processing, the higher a GPO is in the list, the later its processed,
and therefore, the more overriding its policy. For example, in Figure 3.10, three GPOs are linked
at the domain levelDefault Domain Policy, Test GPO, and Domain User Policy. The Default
Domain Policy has the highest priority because its at the head of the list and is processed last.
Behind the scenes, this precedence is controlled, again, using the gPLink attribute on the
container to which the GPOs are linked. Each GPO is referenced in this attribute by its GUID,
starting from the lowest GPO to the highest. The string in Listing 3.1 represents a dump of the
gPLink attribute for the container shown in Figure 3.10:
[LDAP://CN={BB8724E4-8BD8-4C31-BA12EA7E69246D16},CN=Policies,CN=System,DC=mycompany,DC=com;0][LDAP://CN={4
BF6C10B-9DDC-4E11-B702E58F8EC52534},CN=Policies,CN=System,DC=mycompany,DC=com;0][LDAP://CN={3
1B2F340-016D-11D2-945F00C04FB984F9},CN=Policies,CN=System,DC=mycompany,DC=com;0]
Listing 3.1: Example of the LDAP path contents of a containers gPLink attribute.
68
Chapter 3
Note that this listing shows the LDAP path to the three GPOs. In this case, the GUID that starts
with 31B2F is the Default Domain Policy, and the one that starts with BB872 is the Domain User
Policy.
In Listing 3.1, the ;0 after each LDAP path represents the value that holds the GPO options described
in Setting GPO Options earlier in this chapter. A 0 means that neither No Override nor Disabled is
configured for any of these three GPO links.
If I were to reorder the three GPOs listed in Figure 3.10, the precedence of the gPLink attribute
would change to reflect this.
Its important to keep this precedence in mind when youre designing your GPO implementation.
Its very possible that two GPOs linked in the same container could have policy settings that
contradict each other. In this case, the GPO with the higher precedence (higher in the list) would
win, resulting in potentially unwanted policy consequences.
Adding New GPO Links
Ive described almost all the buttons and check boxes shown on the Group Policy page of the
Properties dialog box, shown in Figure 3.1. One I have yet to mention is the Add button. How is
this button different from New? Well, New lets you create a brand new GPOwith its attendant
GPT and GPCand link it to the current container, all in one fell swoop. (For more information
about the GPC and GPT, see Chapter 2.) However, if you simply want to create a link from an
existing GPO that was defined elsewhere to this container, click Add. This displays the Add a
Group Policy Object Link dialog box, shown in Figure 3.11.
Figure 3.11: Viewing the Add a Group Policy Object Link dialog box from the GPO Properties dialog box.
This figure shows this dialog box for an OU called Test. Test is a child OU to another OU called
East, which is yet another child OU to an OU called Finance. This dialog box has three tabs
Domains/OUs, Sites, and All. The Domains/OUs tab displays any GPOs currently linked to the
container selected in the Look In text box. In this case, no GPOs are currently linked to the Test
OU.
69
Chapter 3
To see whether the GPO Im interested in linking to is present, I can select the parent OU from
the drop-down list. Or if the GPO Im interested in linking to is defined on a site, I can click the
Sites tab. Finally, to see all of the GPOs defined in this domain (or, using the drop-down list,
any domain in the forest), I can click the All tab. If I select a GPO to link to and click OK, the
GPO is added to the gPLinks attribute on the selected containerand any computers or users in
this container will process the GPO. Its that simple!
On the All page in the Add a Group Policy Object Link dialog box, you can also create a GPO without
performing the second step described abovethe linking process. That is, you can create a physical
GPO but not link it to any AD object. This can be useful if youre creating large numbers of GPOs in a
production domain but dont want them to be processed yet. To create an unlinked GPO, click the All
tab, then perform one of two actions. In any white space in the portion of the dialog box that lists the
GPO, right-click and choose New from the context menu. A GPO is created there, and you can give it
a name. Or click the icon in the upper right of the dialog box that looks like the Win2K user group
icon. In either case, you can create a GPO (with associated GPC and GPT) without linking it to a
container.
You can think of the Add function as providing the inverse of the functionality provided by the
Links page shown in Figure 3.9. The Links page lets you search the AD for all containers that
have linked to the selected GPO. The Add function lets you survey all available GPOs defined in
a forest, then choose one to link to the currently selected container.
Deleting GPOs
The final button on the Group policy page in the Properties dialog box shown in Figure 3.1 is
Delete. This button, as its name implies, lets you delete a GPO link from the selected container.
When you click Delete, there are actually two options available to you, shown in Figure 3.12.
Figure 3.12: Viewing the options for deleting a GPO or GPO link from an AD container.
As this figure shows, you can either remove the link associating this GPO to the container object,
or you can remove the link and delete the GPO itself (that is, its associated GPT and GPC). If
you choose the latter option, any other links to that GPO on other container objects will also be
removed. For example, if my Test GPO is linked to both the mycompany.com domain and the
Finance OU, deleting the link to mycompany.com and deleting the GPO itself also removes the
link to the Finance OU.
You can delete a link to a GPO without much consequence. But deleting the GPO itselfincluding its
attendant GPT and GPC piecesis an irreversible process. There is no Undo button. You can
restore a GPO from a backup of both AD and SYSVOL, but its very difficult, if not impossible, to
restore an individual GPO from such a backup without affecting all other GPOs in the domain.
70
Chapter 3
Figure 3.13: Viewing the Options for Domain Controller Selection dialog box from the Group Policy MMC
snap-in.
This dialog box controls which domain controller youre focused on (and connected to)
whenever you edit a GPO. Why is this important? As Chapter 2 presented, the physical GPO is
composed of two components: the GPC (stored in AD) and the GPT (stored in SYSVOL). Each
of these components replicates on a different schedule, and each is replicated to every domain
controller in a domain. If more than one person is editing a GPO, each can be doing so from
copies of the GPT/GPC stored on different domain controllers. This can obviously cause lots of
unexpected and undesirable results in that GPO as each domain controller replicates its changes
to the other.
To minimize this possibility, whenever an administrator starts up the Group Policy snap-in,
focused on a particular GPO, a connection is made to the PDC Operations Master role-holder in
that domain. Any changes the administrator makes to the GPO are made against the GPC/GPT
copy stored on the PDC role-holder. This minimizes the chance that two people, editing a GPO,
will make changes that will be out of sync with each other. However, you can override this
behavior using the Options for Domain Controller Selection dialog box shown above. Its the
default setting. The second optionThe One Used by the Active Directory Snap-Instells the
snap-in to use the domain controller that is currently focused on and connected to by any AD
snap-ins that are loaded.
For example, because you often launch the Active Directory Users and Computers MMC snap-in
before editing a GPO setting this option opens the Group Policy snap-in against the same domain
controller that is currently in focus for Active Directory Users and Computers. (You can see
which domain controller an AD snap-in is currently connected to by viewing the server name
shown in brackets next to the name of the snap-in in the left-hand pane of the MMC tool.)
The third optionUse Any Available Domain Controllertells the Group Policy snap-in to use
the first domain controller it can find. No particular GPO is preferred. This last option is
obviously the most risky, but its almost the most robust.
If the PDC role-holder was the preferred domain controller for GPO editing and that server was
down, the GP snap-in would fail to load. The Use Any Available Domain Controller option
71
Chapter 3
allows an administrator to always be able to connect to a domain controller and edit the GPO.
You can use this option safely if you have tight control over who is editing GPOs and when. If
one person always edits GPOs in your forest, this option may be acceptable.
Figure 3.14: Viewing the security on a GPO in the familiar ACL editor dialog box.
As you can see in this figure, the Authenticated Users group has two permissions on this Finance
Desktop Lockdown Policy: Read and Apply Group Policy. As it turns out, these are the same
two permissions that are required to process a GPO. Together, they grant the right to process a
72
Chapter 3
GPO. If you have one but not the other, GPO processing will fail, and the computer or user
trying to read the GPO will receive errors in the computers application event log, indicating
permission problems.
When you create a GPO, the Authenticated Users group is automatically granted these two
permissions on the new GPO. Authenticated Users applies to both computer and user accounts;
this means that by default, all computers and users who are subject to the GPO will process it. Of
the other access control entries (ACEs) listed in the dialog box in Figure 3.14, none of the others
have the Apply Group Policy permission. This means that only the Authenticated Users ACE
controls the processing of this GPO.
It also means that, by default, members of the various built-in administrative groups like Domain
Admins and Enterprise Admins dont process GPOs. This makes sense if you think about it
because many policies might have a tendency to hobble an administrators day-to-day work. Of
course, if an administrator is also part of the Authenticated Users group, he or she would still be
subject to the policy. You might also note that other permissions are listed in the ACL editor
dialog box, such as Full Control, Write, Create All Child Objects, and Delete All Child Objects.
These permissions have to do with delegating the editing of a GPO, and Ill discuss them in more
detail in Chapter 4.
Changing the Default Processing
Knowing this little bit of information, you can begin to see how you can use security groups to
filter the processing of a GPO. The first step to change the default processing of a GPO is to
remove the Authenticated Users ACE. You can do this in the ACL Editor dialog box shown in
Figure 3.14 by highlighting Authenticated Users and clicking Remove.
The next step is to add the user or computer group for which you want to allow policy
processing. For example, suppose this desktop lockdown policy only applies to a subset of users
in the Finance OU who are members of a group called Locked Down Finance Users. Click Add
in the ACL editor dialog box, then browse to the Finance OU where this group is defined. Select
the group and add it to your list of permitted groups. Youll see that it automatically receives the
Read permission on the GPO. You only need to add the Apply Group Policy permission to
complete the filtering of this GPO. Figure 3.15 shows what this will look like.
73
Chapter 3
Youll want to use user-based security groups to filter the processing of user-specific portions of
a GPO and computer-based security groups to filter the processing of computer-specific portions
of a GPO. For example, if you have a GPO that only sets computer-specific Administrative
Template policy, adding an ACE that filters the processing of that GPO based on membership in
a user group wont affect processing. This is because what youre really interested in is
controlling which computers process a GPO, not which users. The inverse is true as well, of
course. However, keep in mind that security-group filtering is an all-or-nothing approach for
controlling GPO processing. You cant filter out only certain nodes of functionality in a GPO.
(The exception to this is software installation security, which Ill discuss in Security Settings
later in this chapter.) If you remove the Apply Group Policy permission for a particular group,
the members of that group will no longer be able to process that GPO.
Using the Deny ACE
Another approach you can take is to grant the permission to process a GPO to a wide audience
like Authenticated Users, then add whats called a Deny ACE, which takes away that right from
a particular subset of users or computers. A Deny is a type of ACE that revokes a set of
permissions to an object. As you might expect, a Deny ACE overrules any normal Allow ACEs
that might be defined on an object. So for example, I might have a group in my Finance OU
called Open Users that I dont want to be subject to my desktop lockdown policy. I can add a
Deny ACE to the ACL on my GPO to exclude this group from the processing of the GPO. This
is shown in Figure 3.16.
74
Chapter 3
In this figure, youll see that Ive set the Read and Apply Group Policy permissions to Deny for
the Open Users group, while the Authenticated Users group still has those permissions set to
Allow. This means that all users except those who are members of the Open Users group will
process this GPO.
Treading Carefully
As you can imagine, using security-group filtering to affect GPO processing can get tricky and
complicated very quickly. This is especially true if you begin to use Deny ACEs to control
processing. I recommend not using Deny ACEs unless you really want to exclude a small subset
of users or computers from processing a GPOand only if that group isnt likely to grow. Deny
ACEs make troubleshooting GPO-processing problems very difficult because of the sheer
complexity of managing all the permutations. This is especially true if your users or computers
process many GPOs at logon or startup.
I also recommend going easy on security-group filtering of GPOs to begin with. Even that
approach can be fraught with peril: If youre managing a lot of GPOs, you may start to lose track
of what permissions youve granted to which GPOs.
If you plan to use security-group filtering on your GPOs to any large degree, I highly recommend that
you use a tool that supports RSoP calculations, such as FAZAM 2000 from FullArmor.
(http://www.fullarmor.com). Such tools make troubleshooting these kinds of scenarios simpler by
providing you with information about what the RSoP is for a particular user on a particular computer in
a particular OU.
75
Chapter 3
In this section, Im going to set some common desktop lockdown policies. To do this, I need to
drill down into Windows Components, Windows Explorer. The policies available under this
76
Chapter 3
node include restrictions such as Remove Map Network Drive, Disconnect Network Drive,
and Prevent Access to Drives from My Computer. To set a particular policy, I double-click that
policy item in the right-hand pane of the Group Policy snap-in. All Administrative Template
policy takes a form very similar to that shown in Figure 3.18.
This dialog box gives me three options for the policyNot Configured, Enabled, and Disabled.
As described in Chapter 1, these settings ignore, set, and de-select this policy item. This dialog
box also contains an Explain tab. This is a new feature in Win2K Administrative Templates, and
it provides a detailed explanation of what a policy setting does. The Explain text, as well as the
registry key and value behind the policy setting, are stored in the .adm file(s) that are part of this
GPOs GPT, as discussed in Chapter 2.
After youve set a number of policy items, theres no easy way to see where all policy has been
set in a GPO. To get around this, Microsoft provides the Show Configured Policies Only
command on the Group Policy snap-in View menu. Choosing this command displays only those
Administrative Template policies that have a value other than Not Configured. This is illustrated
in Figure 3.19, where only policy defined in the Windows Components, Windows Explorer
section has been set on this GPO.
77
Chapter 3
Figure 3.19: Viewing only Administrative Template policy that has been set.
If youve modified or defined your own custom .adm files, you must load them into the GPO
using the Group Policy snap-in tool. Specifically, if you right-click the word Administrative
Templates on either the User or the Computer configuration nodes, then choose Add/Remove
Templates from the context menu, youll be presented with the Add/Remove Templates dialog
box, shown in Figure 3.20.
Figure 3.20: Viewing the Add/Remove Templates dialog box in Administrative Templates policy.
From here, you can add your new or modified .adm file to the GPO. Because .adm files are
stored in individual GPOs, if you want the .adm file to be used across multiple GPOs, youll
need to repeat this loading operation on each GPO. (Or you can make the change on one GPO
that youve designated to hold your .adm changes, then link to it from multiple containers.)
78
Chapter 3
If you click Add in the Add/Remove Templates dialog box shown in Figure 3.20, the familiar
Open dialog box appears, focused on the %systemroot%\inf folder on the computer where the
GP snap-in tool is running. This folder typically contains the default .adm files shipped by
Microsoft in Win2K. (If your .adm file is stored in a different folder, you can, of course, point to
it.)When you select the appropriate .adm file and click Open, the file is automatically copied to
the ADM folder in the GPT defined for that GPO (as described in Chapter 2). The .adm file is
now part of the GPT, and the source file that you copied it from remains separate and
independent.
If you have to make a change to the original .adm file, you need to edit the copy that is now in
the GPT in the ADM folder. Or you must edit your local copy, remove the template file from the
GPO, then add it again using the new version.
While its impossible in the space of this book to define all of the policy items available in the
default .adm files shipped for use by Administrative Template policy, Table 3.1 attempts to
present the major categories of Administrative Template policy and their purposes. This table
includes both policies and preferences, as I defined them in Chapter 1.
Policy
Description
User Configuration|Windows
Components|Windows Explorer
Setting a number of Explorer UI locks on a peruser basis only. For example, included in this
policy section are lockdowns such as hiding
particular drives in My Computer and removing
the Map Network Drive and Disconnect Network
Drive options from Explorer.
User Configuration|Windows
79
Chapter 3
Policy
Description
Computer Configuration|System|Logon
User Configuration|System|Logon/Logoff
Per-machine policy that lets you specify a DNSsuffix search order on machines that are subject
to this GPO. A suffix search order is used if you
have DNS subdomains on your network that you
want to search when trying to resolve unqualified
host names.
80
Chapter 3
Policy
Description
Files
Computer Configuration|Printers
81
Chapter 3
Policy
Description
settings. You can also hide the tabs on the
Display applet (for example, Settings,
Background, and so on) to prevent users from
modifying those settings.
As you explore the various Administrative Template policies that ship out of the box, youll
notice that quite a few policies overlap each other. The way to work around this is to carefully
read the text on the Explain tab accompanying each policy item. In a lot of cases, the Explain
text will point out other similar policy and let you know which take priority.
Software Installation
The Software Installation feature in Group Policy is, as I mentioned in Chapter 1, a way of
distributing software by leveraging the Windows Installer engine that comes with Win2K. In this
section, Ill walk through the process for deploying an application using this feature.
To leverage Software Installation your applications need to be packaged using the Windows
Installer packaging format (that is, .msi files). The exception to this rule is that you can publish
applications for individual users to the Add/Remove Programs Control Panel applet using a setup
description file called a .zap file.
A .zap file is a text file that can be referenced by Software Installation to install an application
that doesnt use the .msi packaging format. However, applications published in this manner dont
accrue some of the benefits of .msi packaged applications. For example, you cant install .zap
files using the escalated privilege feature, and they dont provide the life-cycle management
features that the Windows Installer engine provides. Listing 3.2 shows an example of the format
of a .zap file.
[Application]
FriendlyName = ABC App 1.0
SetupCommand = p:\abc_app\setup.exe
DisplayVersion = 1.0
Publisher = ABC Software Inc.
URL=http://abcsoftware.com
[ext]
ABC=
Listing 3.2: Viewing the format of a ZAP file.
82
Chapter 3
In this listing, Ive simply created a text file that lets me call the old-style setup application called
setup.exe for an application called ABC App. In this file, the FriendlyName and SetupCommand
key-value pairs are required fields, but the others arent. The additional information will simply
appear in the application information field in the Add/Remove Programs Control Panel applet
when the application is published. The [ext] tag lets you associate a particular file extension with
this published application.
In this example, if the user double-clicked a file with an .abc extension and the ABC App was
not installed, itd be automatically faulted in and installed on the computer. The Software
Installation feature lets you gain some of the benefits of managed applications without having
to immediately repackage your application using the .msi format. Now that Ive introduced the
exception.zap filesIll talk about using .msi packaged applications to leverage the Software
Installation feature in Group Policy.
For more information about the Windows Installer technology, check out Chapter 3 of The Definitive
Guide to Windows 2000 Administration at http://www.realtimepublishers.com. The site also contains
links to other books that go into more detail about this technology.
Suppose I have a .msi package that I want to assign to users subject to a GPO that Ive defined.
My first step is to make that .msi package accessible to all users who might be installing it. In a
Win2K AD environment, you can accomplish this in a number of ways. For example, you can
put the package on a server share that is universally accessible to all of your users. This might be
a good approach in a small network, but it could become a performance issue if you have
hundreds of users installing the application across a worldwide network.
Alternatively, you can use Win2Ks fault-tolerant Dfs to create a replicated share point across
your AD infrastructure. In this case, the application setup package is placed under a fault-tolerant
Dfs root and replicated across servers on your network that house replicas of that root. This
approach is commonly used in conjunction with the Software Installation feature; the read-only
nature of application setup packages lend themselves well to using Dfs.
For more information about Dfs, read Chapter 5 of The Definitive Guide to Windows 2000
Administration by Sean Daily and Darren Mar-Elia (Realtimepublishers.com). Youll find a link to this
book at http://www.realtimepublishers.com.
Lets assume that Ive created my fault-tolerant Dfs root and have copied my .msi-based
application setup packages to a Dfs folder. Now Im going to walk through the process of
assigning that application to a set of users using GPO-based Software Installation.
The first step is to open the Group Policy MMC snap-in, focused on the GPO youre interested in
editing. Next, drill down into Computer Configuration, Software Settings, Software Installation.
Right-click the Software Installation node, then choose the option on the context menu for
creating a new package. The familiar Open dialog box appears and lets you locate your .msi
package.
Here its important to enter a relative path to your .msi package rather than an absolute one.
Thats because the user processing the GPO needs to be able to find the package anywhere on
your network. So dont use a drive letter designation (for example, d:\apps\mysetup.msi).
Instead, use a relative path, ideally pointing to your Dfs share (such as
\\mycompany.com\dfsroot\appsetups\outlook2000\setup.msi).Once you click Open, the Deploy
83
Chapter 3
Software dialog box opens, where you can choose Published, Assigned, or Advanced Published
or Assigned (see Figure 3.21).
Figure 3.21: Viewing the options available when deploying a new application in Software Installation.
Figure 3.22: Viewing the Advanced Published or Assigned options in Software Installation.
The functionality provided by the six pages in this dialog box is described in Table 3.2.
Page
Description
General
Provides basic overview information about the application name, version, and
publisher.
Deployment
Chapter 3
Page
Description
application, you can also choose to have it install itself based on any file
extensions that are associated with it. In addition, a check box indicates that if the
GPO no longer applies to the user, you need to uninstall the application.
You also have an option to prevent the application from appearing in the
Add/Remove Programs Control Panel applet. This might be useful if you only
want to assign the application using GPO, without giving the user the option to
install it manually. You can also specify that, when the setup runs, it should show
the user a basic or maximum UI. A basic UI shows minimal progress and
requires no user interaction. If the package is coded to support it, the maximum
UI presents the user with the full setup UI, including prompts that the user must
respond to.
Clicking Advanced on this tab displays the Advanced Deployment Options dialog
box, shown in Figure 3.23. In this page, you can indicate that you want to ignore
whatever language preferences may have been specified during setup. You can
also specify that any instances of this application that were not installed by GPO
should be removed. Note that this feature works only if the product code (shown
in the Advanced Diagnostic Information section) for both the GPO-deployed
application and the non-GPO-deployed application is identical. If it isnt, for
whatever reason, Software Installation will simply install the application on top of
existing installations.
This page also includes some advanced diagnostic information on the package
being deployed, including its product code (derived from the .msi package), a
deployment count (which in my experience doesnt work), and the path in the
GPT to the application assignment script (.aas file) that is generated when the
package is deployed.
Upgrades
This page lets you set up upgrade relationships between the application that
youre deploying and older versions of the application that were previously
deployed using this GPO. Note that when you set up an upgrade relationship
between, for example, ABC application v1.0 and ABC application v2.0, any users
(or computers) that installed v1.0 will automatically receive v2.0. An upgrade
package is different from a setup package in that it assumes that the 1.0 version
has already been installed. Generally speaking, upgrade packages only update
key files and registrations as needed. So if you set up an upgrade relationship
between two versions of an application, its important that the original version of
the application remain available for users who havent yet installed it. In that
case, v1.0 will be installed, then v2.0 will be installed on top of it.
If the new version of your software isnt a true upgrade to the previously
deployed version, the best approach may be to remove the previously installed
version (described below) and then republish or reassign the new version.
Categories
Categories let you define a way of grouping applications that appear in the
Add/Remove Programs Control Panel applet. (They were described in Chapters
1 and 2.) Categories must be defined ahead of time before they can be selected
from this page. To define categories, simply right-click the Software Installation
node in a GPO in your domain. Choose Properties from the context menu, and
youll see the Software Installation Properties dialog box, shown in Figure 3.24.
This dialog box presents some default options for Software Installation. If you
click the Categories tab, you can define new categories, which will then become
visible on the Categories page of your new package installation process.
Modifications
This tab lets you associate Windows Installer package transform files (.mst files)
with a given setup. Transform files are custom modifications that you can
perform on a default .msi setup package. Typical transform operations include
choosing particular features to install in an application, changing the default
installation folder for an application, or having an application install in Run from
85
Chapter 3
Page
Description
Network mode.
Security
Presents the familiar ACL editor interface. The Security tab gives you the ability
to assign permissions on individual applications in a GPO. I mentioned earlier in
this chapter that you can assign permissions on a whole GPO to filter the
processing of that GPO to a particular group of users or computers. Well, you
can actually filter the installation of particular applications by modifying the
permissions shown in this dialog box. For a user or computer to see an
application that has been deployed using GPO, that user or computer must be a
member of a group that has Read permission on the application. By default,
Authenticated Users has Read permission on any application that is deployed
using Software Installation. However, you can remove this ACE (just as we did
above in Using Security Groups to Filter the Processing of GPOs) and grant
Read permissions to subsets of user or machine groups. This gives you a very
fine-grained control over who receives which applications, even in a single GPO.
However, when it comes time to troubleshoot problems, this also increases the
complexity of the GPO by an order of magnitude.
Figure 3.23: Viewing the advanced options available on the Deployment page in Software Installation.
86
Chapter 3
Figure 3.24: Viewing the Categories page of the Software Installation Properties dialog box in which you can
create Software Installation categories.
Ive talked about how you can install a new application using Software Installation, but how
about if youre ready to retire an application? Well, its just as easy to remove a previously
installed application. In the GPO snap-in, right-click the application that you want to remove.
Choose All Tasks from the context menu, then choose Remove from the submenu. The Remove
Software dialog box will appear, shown in Figure 3.25.
Figure 3.25: Viewing the options for removing a previously deployed application.
This figure shows two options. Either you can remove the application and have it uninstalled
from all users and computers who received it, or you can simply leave it on the computers of
those users who previously installed it and prevent any future installs. In either case, the
application is no longer listed in the GPO and is no longer available for installation. There is also
a Re-deploy Application command on the All Tasks submenu. This command tells the GPO to
trigger a new installation on any computers or users who are subject to this GPO as though it
were the first time the application was being deployed.
87
Chapter 3
The Re-deploy Application option is useful if youve changed one or two files in an application
setup and dont want to have to repackage it or set up an upgrade relationship between the old
and the new versions. By re-deploying the application, the patched application is re-installed,
and your new files are distributed to all users of the application. This approach is different from
the one used by Windows Installer patch files, which are actually separate file packages with a
specific purpose and relationship to the original .msi file. Folder Redirection
The Folder Redirection feature in Group Policy is an enhanced version of what was available in
NT 4.0 system policy. Keep in mind that Folder Redirection is a user-specific policy onlyit has
no relevance for computers. Also, if the workstation processing a GPO detects a slow network
link, Folder Redirection it isnt processed. Folder Redirection lets you control the following userprofile-based folders:
Application Data
Desktop
Start menu
Folder Redirection supports two types of redirectionbasic and advanced. In basic redirection,
you specify a server share to which you want to redirect the selected user profile folder. Users
who process the GPO are then redirected to that single server share. This approach works best
when youre redirecting parts of the user profile, such as the Start Menu, to read only data that
you want all users to see.
Setting Up Advanced Folder Redirection
The advanced redirection option allows you to specify a different server share, one that is
conditional on the users group membership. Figure 3.26 shows an example of how you might
set up advanced folder redirection.
88
Chapter 3
As the figure shows, Ive redirected the My Documents folder to two different shares
\\servera\home\finance users\%username% and \\servera\home\accounting users\%username%
based on membership in the Finance Users and Accounting Users groups.
Folder Redirection in Win2K doesnt support using mapped drives or environment variables (other
than %username%) when you specify a path to a server share for redirection. Youll need to use
Uniform Naming Convention (UNC) paths or local drive letters instead. I suspect this issue will be
resolved in future releases of the product because it represents a step backwards in functionality from
NT 4.0 system policy and the Custom Shared Folders feature.
The options available on the Settings page are shown in Figure 3.27.
89
Chapter 3
The Settings page gives you the ability to grant exclusive rights to the folder that is being
redirected. This option is only relevant for My Documents, Application Data, and Desktop
redirection (not Start menu). However, if you use it, be cautious. Its really only meant for
folders that are user-specific. For example, if youre redirecting everyones Desktop folder to a
single server share, you wouldnt want to select this option. This would assign the server share
granting the first user who processed the redirection exclusive rights to the folder. This option
actually changes NTFS file system permissions to enforce the exclusion, so be careful!
The next option tells Folder Redirection that when redirecting a folder for the first time, it should
move any files and subfolders in that folder to the server share that has been specified. This is
generally desirable to do unless youre sure you dont want to bring old content along with your
users. However, if you dont select this option and your users have critical files stored in the user
profile version of their folders, they may not be able to easily retrieve them after redirection
occurs: The folder will be pointing at a server share. You can specify that a folder be left in the
new location or be redirected to the user profile location.. This is an important distinction.
Deleting the GPO or denying the user access to it isnt the same as removing the folder
redirection policy. To remove Folder Redirection, you actually have to undo folder redirection
policy on this GPO. The next time the user processes the GPO, itll behave as you specified.
Namely, itll either leave the folder where it was redirected (for example, a server share) or copy
the contents of the redirected folder back underneath the user profile folder where it belongs.
Take my word for itremoving folder redirection can be complicated. You need to thoroughly
test the process you want to use to undo folder redirection before implementing it, or the
consequences may be very undesirable.
90
Chapter 3
Security Settings
In this section, I want to make you comfortable with setting security policy in GPOs and
knowing what to expect when you do. To start with, as was indicated in Chapter 2, there is a
relationship between the security settings nodes in a GPO and the security templates on the one
hand and the Security Configuration and Analysis MMC snap-ins that come with Win2K on the
other. GPO security settings simply apply the security templates that you create using these other
tools to many computers at a time. GPOs provide the transport, if you will, for enforcing
organization-wide security policy. You can do it in real time by opening a GPO for editing and
setting the options in it manually. Or you can pre-create a security template that contains all the
settings you need, then import that template into a GPO. Its the latter process that I want to
describe here.
About Security Templates
To begin with, all Win2K devices come with a standard set of security templates, usually located
in %systemroot%\security\templates. Figure 3.28 shows an example of these template files.
Figure 3.28: Viewing the security templates that come with Win2K.
91
Chapter 3
These templates are simple text files that use a particular format for specifying each of the
security settings that you see supported in computer-based GPO security (for example, audit
policy, user rights, file system security, and so on). The Security Templates MMC snap-in that
comes with Win2K lets you edit one of these existing template files or create one. In either case,
if you know the syntax, you can edit these files using a tool like Notepad. However, using the
Security Templates MMC tool is easier and safer.
Lets suppose I want to create my own security template. It will set a number of audit policy
settings that I want to import into a GPO. To begin with, Ill load the Security Templates MMC
snap-in. When I open the tool and expand the top-level node, it automatically loads the templates
located on the computer where Im running the tool into the %systemroot%\security\templates
folder.
Creating Security Templates
To create a security template, I simply right click the path listed and select New Template. Im
prompted to supply a name for my template and some descriptive text. Ill call this template
Darrens Audit Policy. Once Ive created the template, if I expand the folders underneath it, I see
settings very similar to what is available in the computer-specific security settings in a GPO.
Figure 3.29 shows an example of this.
As you can see, Ive drilled down to the Local Policies, Audit Policy section of the template and
selected a number of audit policy settings. Once my changes are made, I save the changes to my
template file by right-clicking the template name and choosing Save from the context menu.
(Template files have a .inf extension.)
92
Chapter 3
Importing Security Templates into a GPO
Now all I need to do is import my new template into the GPO where I want to enforce my audit
settings. I open the Group Policy snap-in, focused on the GPO I want to edit, then drill down to
Computer Configuration, Windows Settings, Security Settings. I right-click the Security Settings
node, then choose to Import Policy from the context menu. In the Open dialog box, I select my
new template. Once it loads, if I drill down into the audit policy on that GPO, Ill see my changes
made exactly as specified in the original template file. Figure 3.30 reflects this.
Figure 3.30: Viewing a GPO after importing a security template into the security policy settings.
As soon as I import the new policy template file into the GPO, the security settings become
active, and the next computer to process the GPO will receive those new settings. In addition, if I
make changes to other GPO security settings not specified in the template file, then reload the
original template, the template file will overwrite any changes I made in the GPO itself.
However, using templates as the definitive source for all GPO security settings, you build in a bit
of change control that editing a GPO itself doesnt necessarily provide. You can think of security
templates as the .adm files of GPO security.
Summary
In this chapter, I discussed creating and editing GPOs. I started by talking about how GPOs are
linked to containers and discussed simple editing of policy. Then I moved into a detailed review
93
Chapter 3
of the options available to you when you edit a GPO. From there, I described topics such as
filtering GPO processing using security groups. I then discussed in detail how some of the more
popular features in Group PolicyAdministrative Template Policy, Software Installation, Folder
Redirection, and Security Policycan be used to create useful GPOs.
94
Chapter 4
Chapter 4
level, letting security-group filtering control where they apply, or to link more selectively at the
OU level for a given set of users and computers.
To complicate matters even more, GPOs are monolithic. That is, a particular GPO, by default,
can contain policy for everything from security to IE lockdown to Administrative Template
lockdown. You can work around this to some degree by not allowing certain GPO administrators
to load certain MMC snap-ins related to Group Policy. (See Scenario BMultiple AD
Domains later in this chapter.) But in the end, you may opt to create many GPOs, each of which
provides single (or few) policy functions as opposed to fewer GPOs that do everything. Lastly,
any GPO design needs to take GPO processing performance into consideration. A situation in
which a computer or user has to process tens or hundreds of GPOs that may be housed in more
than one domain might result in an unacceptable user experience.
By now, youre probably asking yourself why in the world anyone would deploy GPOs and how
anyone can reap the expected benefits from them in the face of this complexity. I know Ive
asked this question myself on several occasions! Let me assure you that you can design and
deploy a GPO implementation that maximizes the incredible control this feature provides while
minimizing the management complexity of the resulting infrastructure.
What Ive talked about so far in this chapter can be distilled into the following five questions,
which you need to consider as youre designing your GPO implementation:
1. Does your AD design take into consideration how youll use GPOs?
2. What GPO functionality do you want to use in your environment?
3. Will you create and manage AD objects (and thus GPOs) from a central group in your
organization, or will management be delegated across many business units? (Its possible
and perfectly reasonable that GPO delegation wont match your planned delegation of
AD objects.)
4. Will you create GPOs and link them right to the container where they apply (say, at an
OU)? Or will you link them at a higher level (such as at the domain level) and use
security-group filtering to control their effect?
5. How will you manage aspects of GPO administration such as change control, Resultant
Set of Policy (RSoP), and GPO processing performance, and will the GPO delegation
design youve created allow such management?
My goal for the rest of this chapter is to help you answer these questions and to discuss some of
the technical issues you might encounter as you design your own GPO deployment.
Chapter 4
GPOs fall squarely into this category. Use them incorrectly, and theyll cost you a lot more
money than they save. Use them well, and youre a hero, and you can truly claim that youre
taking full advantage of the infrastructure and saving your company money. Ive found that the
best way to take full advantage of any complex technology is to use that technology in baby
steps. Unless youre completely comfortable with all aspects of your Win2K infrastructure and
its management, theres no reason to deploy all of the features of GPOs all at once. Start small
and start simple!
Your initial GPO design should seek to do very little. As I pointed out in chapters 1 and 2, the
minimum youll need to do is use GPOs to set security policy on your domain. If youve been
using system policies in NT 4.0, you might decide to duplicate that desktop lockdown
functionality using Administrative Template policy within a GPO or two. If youre using the
IEAK to lock down your users IE configurations, you might add some IE Maintenance policies
to your GPO. As I said, the idea is to start with aspects of GPOs that youre familiar with.
When youre deciding where to link the GPOs, againstart simple by linking them to the
domain and having them apply to all users and computers. If you dont want a policy setting
applying to everyone in a particular domain, link it to an OU, but dont go overboard. Finally,
when you begin to deploy your GPO implementation, dont immediately delegate control of the
GPOs to every administrator on your network. Keep them centrally managed by a group of folks
who are familiar with the technology. This gives you time to refine your GPO change control,
management, and deployment processes before rolling out a larger deployment.
The following points summarize these keep-it-simple tips for your initial GPO deployment:
Start with features in GPOs that youre already familiar with from NT 4.0 (for example,
Administrative Templates and IE Maintenance).
Initially, link GPOs to a few containers (such as domain or OU) to get a feel for
managing and controlling them.
Only deploy a couple of GPOs to begin with. Dont go all out and deploy dozens of
GPOs at all levels of your AD infrastructure.
Maintain centralized control and management of GPOs during their initial deployment
phases until you understand GPO delegation and can put good change-control processes
in place.
Once youve mastered the complexity of GPOs, you can experiment with more complex
implementations or a larger number of GPOs. In the next section, Ill present some approaches to
GPO deployment that you can use in your own AD infrastructure.
97
Chapter 4
Scenario AOne AD Domain
In this scenario, Company A is deploying a single AD domain, migrating from its current NT 4.0
infrastructure, and wants to start using GPOs slowly. Table 4.1 shows how Company A answers
the five questions I presented earlier in this chapter (see Integrating the Design into Your AD
Infrastructure).
Question
Answer
Given the answers shown in Table 4.1, what is the best GPO design for Company A? Of course,
there are probably a couple of answers to this question, but lets start by looking at its AD
design. Figure 4.1 shows what Company As AD infrastructure will look like.
98
Chapter 4
As you can see in this figure, Company As AD domain is called companya.com. It contains
three top-level OUs: WesternRegion, CentralRegion, and EasternRegion, and within each of
these top-level OUs are two OUs called Sales and Finance. User and machine accounts reside in
each Sales and Finance OU under each region. Each regional OU structure is physically located
in a different part of the country, and thus each region is in a different AD site from the other.
Company A wants to take advantage of the Administrative Templates and Folder Redirection
features of GPOs. In fact, it relied heavily on system policy in its NT 4.0 environment to lock
down the desktops of its users based on their membership in a user group. Company A
differentiated desktop lockdown in system policy among the following six user groups:
WesternSales
WesternFinance
CentralSales
CentralFinance
EasternSales
EasternFinance
The ntconfig.pol file used in Company As NT 4.0 environment is shown in Figure 4.2 below.
99
Chapter 4
In NT 4.0 system policy, a single policy file could apply different desktop-lockdown settings to
different user groups. Unfortunately, in Win2K Group Policy, each GPO only holds a single set
of Administrative Template settings. Company A can filter the effects of a particular GPO to
only apply to a particular user group, but to gain the same lockdown functionality that its
ntconfig.pol file provided, the company may need to build a single GPO for each user group that
it wants to apply policy to. This means six GPOs in Win2K compared to one NT system policy
file in NT 4.0. This may sound less than ideal, but there are steps the company can take to
mitigate the disadvantages of this approach, and Ill present them shortly.
Now lets look at what Company A needs to implement Folder Redirection. Remember that there
are two types of Folder Redirection in Group Policybasic and advanced. In basic redirection,
all users who are subject to the GPO containing the policy have the prescribed folder redirected
to a single destination (for example, \\server\share\%usename%). In advanced redirection, you
can redirect the folder to different destinations (such as different servers or shares) based on
group membership.
Company A would like to redirect the My Documents folder to servers local to each user group.
Given that requirement, it can actually choose one of three GPO designs. It can create:
A single GPO, linked to the company.com domain, that uses advanced redirection based
on user groups defined in each OU where users are to be redirected (for example,
WesternRegion\Sales, EasternRegion\Finance, and so on).
Three GPOs linked to each regional OU (Western, Central, and Eastern), then use basic
redirection to redirect users within each regional OU structure.
Six GPOs, each of which is linked to each of the regional Sales and Finance OUsagain
using basic redirection. This design gives administrators the ability to redirect each OU to
a different location without using advanced redirection.
100
Chapter 4
In the new AD structure, instead of having user groups to differentiate users, Company A can
segregate its users into the various OUs. This is a very common trade-off as youre designing
and deploying both AD and GPOs. It also brings up a key pointnamely, groups and OUs
perform complementary and overlapping functions. You can segregate users (and computers) by
placing them in OUs or by placing them in groups (in which case they may span multiple OUs).
OUs are a more logical place to segregate resources because they dont require explicit
maintenance. That is, when you create a new user in an OU, all of the GPOs linked to that OU
(and inherited by the OU) are automatically applied. However, if you use security groups to
segregate users or computers and filter the effects of GPOs, your administrators need to
remember, each time a new user is added, to place the user in the correct groups. In either case,
this trade-off will affect how complex your GPO design needs to be and how complex your AD
delegation model is.
There is an inherent trade-off in AD between using OUs to segregate users and computers and using
security groups. In some cases, one or the other may better meet your needs, but for the sake of
simplicity, always organize users and computers in OUs rather than security groups.
101
Chapter 4
Figure 4.3 shows a total of seven GPOs (shown in dark blue) defined in Company As AD
domain. The first GPO, called Domain Folder Redirection GPO, is linked to the domain level
and uses advanced redirection based on user groups defined in each of the regional Sales and
Finance OUs below it. Of course, I could have linked this GPO lower in the AD hierarchyat
the OU level, for example. To do that, however, Id have needed three GPOs (one each for the
Western, Central, and Eastern regional OUs) to accomplish the same task as one, and Id still
have needed to use advanced redirection to redirect each Sales and Finance OU to a different
location.
Now lets look at the six other GPOs in Figure 4.3. Because my requirements were to emulate
the desktop-lockdown functionality in Company As NT 4.0 environment, I had no choice but to
create a separate GPO for each OU where the user accounts reside. If Id placed three GPOs at
the regional OU levels, I wouldnt have been able to differentiate Administrative Template
policy for the two OUs (Sales and Finance) in this regional OU. Thus, Im forced to create six
nearly identical GPOs and link them to each OU where I want to set Administrative Template
policy. Fortunately, each user or computer in the Sales and Finance OUs only has to process, at
most, two GPOsthe domain-linked Folder Redirection GPO and the OU-linked Administrative
Template GPOs.
As with many things, there is no one correct answer. Figure 4.4 shows another option that will
meet Company As needs.
102
Chapter 4
Lets suppose that Company As administrators looked at the GPO design in Figure 4.3 and
thought that there were too many GPOs to administer. In that figure, each GPO only did one
thingeither Folder Redirection or Administrative Template lockdown. With only a slight
change in requirements, Figure 4.4 reduces the number of GPOs required and presents a more
reasonable management picture. What has changed?
In Figure 4.4, the Domain Folder Redirection GPO gained some functionalitynamely,
Administrative Template lockdown. On taking a closer look at the lockdown that Company A
required, I saw that 90 percent of the policies were identical among all of the OUs subject to that
policy. So I applied that 90 percent to the domain-linked GPOthus applying that lockdown to
all users. For those users and computers that required a slightly different lockdown, I created the
requisite GPOs and linked them to the OUs in question. Only Western Sales, Central Finance,
and Eastern Sales required a different lockdown from the domain-based policy.
Of course, if each OU really requires some differentiated lockdown, Figure 4.3 is probably my
better option. The point in Figure 4.4 is that by making some compromises and combining
multiple functionality in a single GPO, I was able to reduce the number of GPOs that I needed to
manage by three.
Both of the solutions that Ive presented for Company A are possible because its centrally
managed and has total control over creating and managing its GPOs. Life gets more complicated
in Scenario B below, as I present a company with more complexity and a more distributed
administrative environment.
Scenario BMultiple AD Domains
In this scenario, Ive created a large multinational corporation called ABC Corp., which wants to
implement a multi-domain AD forest. Table 4.2 shows the responses for this scenario to the five
questions listed in Integrating the Design into Your AD Infrastructure earlier in this chapter.
Question
Answer
Chapter 4
Question
Answer
Table 4.2: ABC Corp.s answers to the five GPO design questions.
Table 4.2 gives us a lot to talk about. Lets start by looking at the AD namespace for ABC Corp.,
as shown in Figure 4.5.
As you can see, theres a lot going on in ABC Corp.s AD infrastructure. First, the forest
contains three domainsabccorp.com is the forest root domain, and us.abccorp.com and
europe.abccorp.com are children of the root domain. In the forest root domain, one OU is
defined, called ITAdmins, where the forest administrators user accounts are stored. Each of the
two child domains contains a number of OUs of differing structure. In the US child domain,
there are three top-level OUs called Mfg, Sales&Mktg, and HQ. Under Sales&Mktg are two
OUs called Western and Eastern because the Sales and Marketing division is divided into two
regions. Under the HQ OU are two sub-OUs called IT and Finance. They hold users and
computers in the IT and Finance departments at ABC Corp.
104
Chapter 4
Now, if we shift over to the Europe domain, we see a different OU organization. The three toplevel OUs are organized by countryFrance, UK, and Italy. Under each of these top-level OUs
are two OUsSales&Mktg and Engineering. As you can see, this AD forest appears to have no
consistent approach to how OUs are built and organized. In the US domain, top-level OUs are a
combination of department and location, whereas in Europe, the three top-level domains define
countries, and departments are housed in the sub-OUs under each country.
This seeming mix of organization has a rationale. The OUs are organized according to the
various IT support organizations in the company. For example, in the US domain, the
Sales&Mktg OU is administered by a separate group of administrators from the one that
administers the HQ OU. By organizing OUs according to their administrative authority, its
easier to delegate administration of AD (and GPO) management cleanly along OU lines. In
Europe, one support organization is responsible for each of the top-level OU hierarchies. As
youll see later in this section, this lends the GPO design a degree of simplicity thats required
for these users and computers.
Now youre probably thinking, I thought this was a chapter on GPO design, not AD design.
My goal in describing this AD design in detail was to show that the AD and GPO designs are
linked and one cannot be discussed without the other. Now Ill discuss GPOs for ABC Corp.
As Table 4.2 pointed out, ABC Corp. wants to use several features of GPOs. It also wants GPOs
to be created centrally but wants to be able to delegate the linking of some GPOs to OU
administrators. Given the complexity of its AD namespace, this company wants to minimize the
use of security filtering of GPOs by linking them close to the users and computers that theyre
intended for.
By close, I mean that if the company creates a GPO to lock down the desktop of the
HQ\Finance users in the US domain, it wants to link that GPO to the Finance OU under HQ.
Otherwise, if the company links the GPO higher in the AD treeperhaps at the domain levelit
has to use security groups to ensure that the lockdown policy defined in that GPO is only
processed by an HQ\Finance user group. This is another example of the trade-off between using
OUs or using security groups to segregate usersin this case, for the purpose of filtering Group
Policy.
Two Implementation Options
Figures 4.6a and 4.6b show two GPO design options for ABC Corp.
105
Chapter 4
Figure 4.6a: In the first design option, the US subdomain is part of the GPO design.
106
Chapter 4
Figure 4.6b: In the second design option, the Europe subdomain is part of the GPO design.
There is a lot going on in the figures above, so lets walk through them. The colors of each set of
GPOs represent the administrative group that is responsible for managing them. All GPOs were
initially created by the forest administrators (represented by dark blue). These forest
administrators also manage the domain security policy linked on each domain in the forest. Each
domain has its own security policy. I could have easily created a single security GPO in the
forest root domain (abccorp.com) and linked to it from each of the two child domains, but
because abccorp.com has different security requirements from the US and Europe, I would have
had to create three GPOs.
In the US domain (Figure 4.6a), three GPOs (light blue, green, and dark red) are linked to each
of the three top-level domains. This indicates that a different IT administrative group maintains
each GPO. However, the same set of GPO functionality is defined in each GPOnamely, Folder
Redirection, Administrative Template policy, Software Installation, and IE Maintenance. There
may be subtle differences among the GPOs, but the important thing to remember is that a
different group manages each one.
Of course, the approach Ive shown in Figure 4.6a assumes that each sub-OU under the top-level
OUs needs the same policy settings as its neighbor. This may not be the case, and if so, the
administrators of this domain may need to create additional GPOs, linked to either the top-level
OUs (with security-group filtering to control who gets what policy) or the lower-level OUs
(where the users and computers physically reside).
107
Chapter 4
In the Europe domain (Figure 4.6b), the GPOs are red and have the same name. Theyre the
same color because only one IT group administers this domain. In addition, because the GPO
needs of each top-level OU and its subordinate sub-OUs are identical, only one GPO is actually
defined (hence the same name for each), and it has then been linked to by each of the three toplevel OUs. Of course, this is generally the exception rather than the rule. Its very likely that the
needs of any country will differ at least slightly from those of the other two. However, the
concept of linking to a single GPO from multiple OUs is a common one, and I wanted to
represent it here.
Handling Delegation Requirements
As was the case with Company A, there are probably a few variations to Figures 4.6a and 4.6b
that would meet the needs of ABC Corp. But from a GPO delegation perspective, ABC Corp.
has different requirements than Company A. As I mentioned in Table 4.2 above, the forest
administrators wanted to be able to create all of the GPOs in the forest but leave the task of
linking and managing OU-based GPOs to regional or departmental administrators. (Remember
from Chapter 3 that you can create a GPO without linking it to a container.)
Its important to know how your AD design will lend itself to these delegation requirements. (Ill
discuss the challenges of GPO delegation in greater detail in Chapter 5.) In the meantime, keep
in mind that the ability to link and un-link a GPO from an OU or domain (or site) is granted by a
right on the particular container (either site, OU, or domain), while the ability to edit that GPO is
granted by modifying permissions on the GPO (actually, on the Group Policy Container, or
GPC) itself using the Security page of that GPO (see Figure 4.7).
Figure 4.7: The security properties that control delegation of administration on a GPO.
108
Chapter 4
To see the Security page, right click the GPO name in the Group Policy MMC snap-in, then
choose Properties from the context menu. In the Properties dialog box, click the Security tab. (I
described this dialog box in Using Security Groups to Filter the Processing of GPOs in
Chapter 3.) To control who processes a policy, you simply need to grant the Read and Apply
Group Policy rights to that user, machine, or group. To control who can edit a policy, you need
to grant other rights to that policy (such as Read, Write, Create All Child Objects, and Delete All
Child Objects). In the case of ABC Corp., if Im interested in granting editing rights to the HQ
GPO for HQ administrators, Id modify the security permissions on that GPO to grant a group
that includes the HQ admins the rights to modify that GPO. Ill talk more about GPO delegation
later in this chapter (see Managing Change Control).
Multi-domain Considerations
Scenario B is different from Scenario A in one important wayit includes multiple AD
domains. From a GPO perspective, multiple domains are important because they give
administrators the opportunity to link to a GPO that is stored in a domain other than their own.
This is, of course, perfectly legitimate. As I mentioned above, ABC Corp. could have created a
single GPO in the forest root domain to set security policy, then linked each of the two child
domains to that GPO.
However, there are a couple of reasons why you should seek to minimize the amount of crossdomain linking of GPOs that you use.
Whenever a user or computer must traverse domain boundaries to resolve the GPC and
GPT of a remote GPO, a certain amount of extra overhead occurs as that user or
computer traverses the associated trust relationships, passing its credentials from one
domain to the next. This slows down the processing of a GPO that is remotely linked.
Linking across domain boundaries introduces complexity into your GPO design and
makes it harder to troubleshoot problems should they arise. Because the domain is
remote, the administrator linking to the GPO may not know anything about its
managementfor example, whether its currently functional, in the process of being
changed, and so on.
Site-Linked GPOs
I havent spent any time yet discussing linking GPOs to AD sites. As you know, sites are AD
objects that help control directory replication among domain controllers. You, as the
administrator, define AD sites and the IP subnets that belong to each site. Then you define site
links to connect sites together to form an AD replication topology. You can link GPOs to sites
just as you link them to domains or OUs. When a GPO is linked to a site, all users and computers
that reside in that site are subject to that GPO. You link GPOs to sites using the AD Sites and
Services MMC snap-in (see Figure 4.8).
109
Chapter 4
Figure 4.8:Using the AD Sites and Services MMC snap-in to link GPOs to sites.
In this figure, the SanFrancisco site contains the subnet object 192.168.1.0. If you right-click this
site object, then choose Properties from the context menu, the Properties dialog box appears.
When you click the Group Policy tab, you can create a new GPO that is linked to this site or add
a link to an existing GPO defined elsewhere.
The important question for this chapter is: Why would anyone use site-linked GPOs? Indeed,
Ive found very few circumstances where GPOs linked to a site are actually valuable. Remember
that sites can span multiple AD domains, so you can have devices from multiple domains in a
particular site. However, GPOs themselves are stored in a single domain. This means that if you
define a site-based GPO that is stored in abccorp.com, for example, it can be processed by a
computer or user residing in a different domain in the same site. As I discussed in Multi-domain
Considerations above, whenever GPO processing has to cross domain boundaries, youre likely
to get some degradation of performance.
Aside from that, however, you may find it difficult, as I have, to justify why a GPO would need
to be linked to a site as opposed to a domain or OU. Because sites are really just collections of
subnets, you can think of site-linked GPOs as a way of providing Group Policy based on where
on your network a particular machine resides. One valuable use of such policy might be the
machine-specific IPSec policy I described in Chapter 1. You might want to set policy to specify
that any machine that is on your corporate network, on a particular set of IP subnets, must use
IPSec to communicate with other computers. Similarly, you might have a number of mobile
users who always dial into your network on a well-known IP subnet, and you might want to
provide them with some specific mobile policy that applies only to them when theyre dialing in.
Unfortunately, there are a couple of challenges to site-linked GPOs. First, because in the Site,
Domain, Organizational Unit (SDOU) order of precedence, site-linked GPOs are processed first,
they can be easily overwritten by GPOs linked to domains or OUs, which are processed later.
110
Chapter 4
This means that for any policy you set in a site-linked GPO to stand, it needs to be unique (that
is, only defined there) for all machines and users processing it.
Second, because its more likely that machines will change their IP subnet (for example, when
they move or are mobile), you need to ensure that as machines move from site to site, the GPOs
that are applied to them provide a consistent and expected experience. For example, in certain
sites, a GPO linked there might lock down aspects of your users desktops that theyre not used
to. You almost need to think in advance about how a machine or user will be affected as it moves
around before you can define effective site-linked policy.
Given these caveats, however, site-linked policy can be a powerful tool in situations where
proximity on your corporate network is a significant enough factor to determine which policy
applies.
Adopting GPO Naming Conventions
Another aspect to consider as youre designing your GPO implementation is the naming
convention for your GPOs. As you saw in Chapter 2, GPOs are uniquely identified in AD by
their GUID. However, every GPO has a display name, or friendly name, that you see when
youre opening one for viewing or editing with a tool like the Active Directory Users and
Computers MMC snap-in. Its this name that were interested in when we talk about GPO
naming.
Just as with other objects in your AD infrastructure, its important to come up with a good,
standardized naming convention for GPO display names. The trick is that the convention must
take into consideration that, while the display name is stored with the GPO itself, GPOs can be
linked to any number of containers in your AD. For example, if you name your GPOs using a
convention that includes the name of the container to which theyre originally linked (such as
Finance OU Lockdown Policy), then link that GPO to other containers, your convention may fall
apart.
For that reason, I recommend coming up with a container-neutral naming convention. This
means that in Scenario B above, for example, instead of naming my GPOs after the containers
they were linked to, I should have given them names that are less container-specific. For
example, instead of having an HQ GPO, a better name would be something like FR,SI,AT,IE #1
GPO. This code, if you will, simply lists the functions in the GPO that Im using (FR=Folder
Redirection, SI=Software Installation, AT=Administrative Templates, and so on). The #1
indicates that there may be more of this kind of GPO, such as #2, #3, and so on.
The key here is to keep the names as generic, but as descriptive, as possible. Of course, if you
dont plan to link GPOs from all over your AD infrastructure, its perfectly reasonable to give a
GPO a location-specific name (such as Europe Lockdown GPO). Remember that the display
name for a GPO can be changed to your hearts content because its the GPOs GUID that really
matters to AD.
Another tip you might want to consider is including some kind of version information in a
GPOs name. As you know from Chapter 2, GPCs and GPTs keep their own version-control
information to ensure that theyre synchronized across your AD infrastructure. To maintain
change control over GPOs, you can include version numbers in your naming convention to
ensure that administrators who are linking to a particular policy know that theyre linking to the
correct version. Figure 4.9 shows GPOs that use version numbers in their names.
111
Chapter 4
As you can see in this figure, the names of the three GPOs contain version information, which
tells administrators what theyre dealing with. Each time a GPO is edited, the person who makes
the change needs to change the GPOs display name to increment its version number. In
addition, the names of the GPOs themselves describe the functions that they perform (for
example, Admin Template, Software Installation, and Audit policy). Of course, you can always
use the revision information displayed on the General page on the GPO (see Figure 4.10) to keep
version-control information.
112
Chapter 4
The bottom line is that you need to devise a naming convention that you apply consistently to all
GPOs and maintain as they change.
Maintaining Change Control
And speaking of changechange control is another issue that youll have to face in a GPO
implementation, especially in large AD infrastructures. Unlike normal software-release or
configuration-management processes, there are no built-in mechanisms for decent change control
of GPOs. You need a way of knowing who did what to which GPO and when they did it.
You can use AD and file-system auditing on SYSVOL to determine at least part of this
information, but this entails wading through security logs on potentially multiple domain
controllers to figure out what happened. Also, as I mentioned earlier in this book, the GPO
editing tools dont provide any staging of GPO changes; you can only test your changes in a nonproduction AD infrastructure. Once you click Apply or OK to a change, its committed and starts
to replicate to all domain controllers.
In Chapter 3, I talked about a technique for creating GPOs without linking them to a container.
You can use this no-link approach to phase new GPOs into production. This is a good approach
for ensuring a phased implementation of new GPOs, but it isnt useful for existing GPOs. When
you have to change an existing GPO, you have few choices to ensure that it doesnt adversely
affect your production users.
The first and most obvious step to take is to have a test AD forest available in your environment.
This test forest would mimic some or all of your production forest and would provide you with
113
Chapter 4
an environment for trying out the effects of new GPO changes. Once a GPO change is validated
in the test forest, you can apply it to your production environment with relative safety.
Another technique you can use when making multiple changes to GPOs in a large AD
infrastructure is to first disable a GPO that you plan to change. Remember that in Chapter 3, I
described how you can disable a GPO to prevent it from being processed. Figure 4.11 shows the
dialog box under GPO Options where you can disable a GPO.
If youre making multiple changes to a GPO, you dont want users to be processing itand
getting unexpected results. Disabling the GPO before editing ensures that no user is processing it
while youre making changes.
Disabling a GPO doesnt remove the policy that was previously applied to it. It simply tells the
computer or user subject to it that its not available during the current processing cycle. Once you
complete your changes, enable the GPO using the dialog box in Figure 4.11, and during the next
processing cycle, your users and computers will receive the updated policy.
technology.
114
Chapter 4
2. When you need to manage one policy separately from the others, consider creating
example, if you need to set security policies for all machines in a domain, link the GPO at
the domain level. But if youre setting security policy on a set of machines that resides in
a single OU, link at that OU only. (The alternative to this approach is to link higher in the
AD hierarchy, then use security groups to filter the effect of a GPO. However, this is less
desirable because it makes troubleshooting effective policy more challenging and less
obvious.) Finally, when you need to enforce network-specific policy such as IPSec, link
GPOs to sites.
6. Delegate administration of GPOs only to the extent that is needed to support your
business goals. In general, its a good idea to keep as many of your GPOs centrally
managed as possible to ensure good change control and consistency of use. And because
GPOs (that is, their component GPCs and GPTs) are replicated to all domain controllers
in a domain, its important that forest-wide administrators know whats being done to
their infrastructure.
7. Develop a good and consistent process for naming and changing GPOs, then ensure that
Effect
Asynchronous GPO
processing
115
Chapter 4
Slow-network detection
processing
Periodic background
processing
Table 4.3: GPO processing that can affect your GPO design.
As you plan your GPO rollout, its important for you to recognize the effects of these three types
of processing. For example, if many of your users access your AD infrastructure over slow
linksby default, less than 500 kilobits per second (Kbps)some policies, like Software
Installation and Folder Redirection, wont be applied. Using these policies may therefore not be
effective in your environment. Or if youre worried about the processing performance of GPOs
in your environment, you can enable asynchronous GPO processing for the machine or user (or
both), thus reducing the wait time the machine incurs processing GPOs.
Finally, its important to know that background processing occurs for certain policy, such as
security and Administrative Templates. This means that even if your users attempt to foil a
particular policy on their local machines, their futzing will be undone later when policy is reapplied.
Controlling Their Effects
You can control the effects of these three types of processing using Administrative Template
policy in a GPO. These GPO processing policies are found in the Computer and User sections of
Administrative Templates, under Administrative Templates, System, Group Policy. Figure 4.12
shows an example of the machine-specific GPO processing policies available.
116
Chapter 4
Figure 4.12: The machine-specific GPO processing policies available in Administrative Templates.
If you view each of the policy items available in this policy section, you can change the default
behavior for a number of GPO processing options. For example, if you dont want Folder
Redirection to be disabled when a slow network link is detected, select Folder Redirection Policy
Processing. In the Properties dialog box, click Enabled, then click Allow Processing across a
Slow Network Connection (see Figure 4.13).
117
Chapter 4
If you want to change what Win2K considers to be a slow network connection for machines
subject to this policy, you can modify Group Policy Slow Link Detection to specify a link speed
greater or less than the default 500Kbps. Choosing a larger numbersuch as 700Kbpstells the
machines to consider any link slower than 700Kbps to be a slow link. When the machines detect
a link slower than 700Kbps, they wont process any policies that are set not to process.
Specifying a lower numbersay, 60Kbpstells the machines that, unless their detected link
speed is below 60Kbps, they should consider the link a fast link and process all GPOs normally.
For more information about slow-link detection in Win2K, check out the following Microsoft Support
article http://support.microsoft.com/support/kb/articles/Q227/2/60.ASP.
The Apply Group Policy for Computers Asynchronously during Startup and Apply Group Policy
for Users Asynchronously during Logon policy items control whether asynchronous policy
processing happens.
If you decide to modify the default behavior of each of these processing options, make sure that
the GPO that controls the behavior is one that is centrally managed. This GPO might be a good
candidate for control by your forest-wide administrators. You might also decide that you only
want to link this GPO to selected OUs or, more appropriately for a policy like slow-link
detection, to particular AD sites.
In addition, keep in mind that processing options like slow-link detection are put in place for a
reason. If you have a Software Installation policy that delivers Microsoft Office to a set of users
and you override the slow-link behavior for Software Installation, users dialing in to your
118
Chapter 4
corporate network on 56-Kbps modems may suffer an interminable wait as many megabytes
worth of Office try to install.
GPO Loopback Processing
Finally, I want to say a word about a feature called GPO loopback processing. Ill discuss this
feature in greater detail in Chapter 5, but for now, I want to introduce the concept. Consider the
problem where you have a special kind of workstation in your AD infrastructure. It may be a
kiosk or other single-function device that is meant to run one application and one application
alone. If a user defined in your AD environment walks up to that workstation, he or she will
receive any machine-specific GPOs defined for that device as well as any user-specific GPOs
defined for his or her user account. However, an administrator may not want the user to receive
the normal user-specific GPOs on this particular device.
To handle this situation, Microsoft has developed loopback processing. (See the User Group
Policy Loopback Processing Mode policy item in Figure 4.12 above.) As I said, Ill go into more
detail about this in Chapter 5, so suffice it to say that loopback processing lets you disable a
users normal policy processing in favor of any defined on the GPO(s) that apply to the device he
or shes logging on to. Its a special kind of user-policy override meant especially for machines
with unique application requirements.
Summary
In this chapter, I discussed the challenges and decision points for designing and deploying GPOs
in the enterprise. The key themes here are to start slow and keep it simpleusing the features
youre familiar with, such as Administrative Templatesbefore going full bore into the complex
stuff. That said, youll still want to ensure that part of your GPO rollout plan includes good
version and change control, just as you would with any other infrastructure or application.
Unfortunately, with no tools built in to Win2K to perform these tasks, youll have to go it alone
until third parties catch up and provide this functionality.
Finally, youll need to consider the inherent special behavior that GPOs provide, like
background, asynchronous, and slow-link detection processing. You can modify this behavior if
necessary, but youll need to balance that against good user experience and good GPO
processing performance.
119
Chapter 5
EditingOnce youve created and linked a GPO, you need to edit it.
In Chapter 3, I described how you can create a GPO without actually linking it to a container. See the
tip in the section Adding New GP Links.
As you know, AD delegation is all about granting security rights to AD objects to permit certain
users access to specific objects and their properties. You carry out GPO delegation using the
same techniqueby granting rights to certain AD objects related to GPOs (such as the GPC).
The principal tool for controlling GPO delegation is your old friend, the ACL editor.
As I mentioned in Chapter 4, to display the ACL editor, right-click the GPO display name in a
Group Policy MMC snap-in, then choose Properties from the shortcut menu. In the Properties
dialog box, click the Security tab. Figure 5.1 shows the ACL editor, focused on a GPO.
120
Chapter 5
The ACL editor for GPOs has a dual function. You use it to filter security groups and thereby
control which users and computers process a particular GPO. However, for the purposes of this
discussion, you use it to control who can create, edit, and link to a particular GPO. When you
delegate creating and editing of GPOs, you set security on the GPO itself (as in Figure 5.1).
When you delegate linking GPOs to container objects like sites, domains, and OUs, you grant
rights on the container object itself, as you might expect.
Default Rights
When you install Win2K and AD out of the box, a certain set of default rights is granted on AD.
As they affect the three roles I discussed above, these default rights are shown in Table 5.1.
Group
Rights
121
Chapter 5
Group
Rights
As you can see from Table 5.1, the default GPO delegation configuration in AD is less than
straightforward. No one group with the exception of the forest-wide and all-powerful Enterprise
Admins group can create, delete, edit, link, or un-link GPOs universally in a forest. However, if
youre trying to design a GPO delegation model that grants limited capabilities to your
administrators, youre not going to want to make these administrators members of the Enterprise
Admins group (or even Domain Admins or local Administrators) because these groups confer
other, power capabilities as well. This leaves you using the Group Policy Creator Owners group
(for brevity, Ill call this the GPCO group from now on) as a way of delegating GPO creation,
then coming up with other solutions to take care of the other roles. As you can see, if you want to
build a decent GPO delegation model, you have to modify AD security.
There are several approaches that you can take to solve the GPO delegation problem. The first is
to modify the rights of one of the existing groups above. But because all but the GPCO group
confer many other rights to their members, its probably best to start from scratch and create a
new group. Before I describe such an approach, I want to talk about the problems associated with
using the GPCO group to delegate GPO management.
As I mentioned, the GPCO group only grants a member the ability to create GPOs in a domain; it
doesnt allow the member to link these GPOs to any container. If user Joe Admin is a member of
the GPCO group and he creates a GPO, he alone can edit this GPO by default. The reason is that
when the Group Policy MMC snap-in creates the GPO in the domain, it doesnt assign the
GPCO group as having the rights to the GPO. Rather, GPCO is a special kind of group that is
just a placeholder for the actual user who is a member of the group and performing the operation.
When rights are assigned based on an operation performed by a member of the GPCO group, the
ACE is actually assigned to the users account rather than to the group. As an example, lets
suppose you have a user id in your AD domain called admDarren. The administrator for your
domain has placed this user account in the GPCO group. You want to create a GPO, so you
display the Group Policy MMC snap-in, and using the method described in Chapter 3, you create
a GPO without linking it to a container (because members of the GPCO group cannot, by default,
link GPOs to any container). Figure 5.2 shows what the ACE looks like on the newly created
GPO when you view the security properties on the GPO.
122
Chapter 5
Figure 5.2: The security properties on a GPO created by a member of the GPCO group.
As you can see in Figure 5.2, none of the ACEs list the GPCO group. This is because the user
idadmDarrenreplaced the GPCO group in the ACE when you created the GPO. Why is this
a problem? Well, once you create a GPO, you may want others to be able to edit it. Sounds
reasonable, doesnt it? One would think that if a member of the GPCO group creates the GPO,
another member of the group can edit it. Unfortunately, its not as simple as that. The group only
acts as a placeholder for the real user who is doing the creating. As you can see from the ACL in
Figure 5.2, this account (in addition to the other groups), not the GPCO group, can modify the
GPO.
So how do you get around this? To provide an answer, I need to explain where and how GPO
delegation occurs in AD, and to do that, you need to recall concepts from Chapter 2 on the
structure of GPOs.
How GPO Delegation Works
As Ive mentioned previously, two sets of tasks can be delegated as part of GPO management.
The first set of tasks is creating, editing, and deleting a GPO in the domain. The second is linking
the GPO to a site, domain, or OU.
Delegating Creation, Editing, and Deletion GPOs
Remember from Chapter 2 that GPOs belong to a particular domain and are broken into two
physical piecesthe GPC and the GPT. The GPC is the part of a GPO that resides in AD. GPC
objects can be found in the Active Directory Users and Computers MMC snap-in (in Advanced
View mode) under the System\Policies folder (see Figure 5.3).
123
Chapter 5
Figure 5.3: The GPC portion of a GPO, displayed in the Active Directory Users and Computers MMC snap-in.
Figure 5.3 shows a number of GUID-named folders under the System\Policies folder that
correspond to GPOs created in this domain. Just as with other objects in AD, these folders have
security rights associated with them. These rights control who can do what to a particular GPO.
Figure 5.4 shows the ACL editor for one of these folders.
124
Chapter 5
Figure 5.4: The security properties of a GPC in the Active Directory Users and Computers MMC snap-in.
Youll notice that the permissions shown in Figure 5.4 are identical to those listed in Figure 5.2.
In fact, theyre for the same GPOadmDarrens GPO. Figure 5.2 showed the security settings
on the GPO using the Properties command on the shortcut menu in the Group Policy MMC snapin, whereas Figure 5.4 shows the security settings on the GUID-named GPC folder
corresponding to that GPO.
As you can see, Figure 5.2 shows a sanitized version of the rights assigned to the GPC.
Furthermore, if you were to look at the file permissions on the GPT for this GPO in the
SYSVOL share in this domain, youd see file security like the AD security shown above. Figure
5.5 shows the ACL editor focused on the GPT for this GPO.
125
Chapter 5
Of course, because NTFS rights are a bit different from AD rights, figures 5.4 and 5.5 dont list
identical ACEs, but the same users and groups are listed in the ACL, and the control theyre
granted over the GPT is similar to the control granted in the GPC.
It isnt mere coincidence that the GPC and GPT have nearly the same rights assigned to them for
a particular GPO. When you create a GPO using the Group Policy MMC snap-in, several things
go on behind the scenes to ensure that the GPO has the correct security assigned to it. The
security rights granted to a new GPO are controlled based on simple inheritance. In the case of
the GPC, when a new GPO is created, a new GUID-named folder is created, like those shown in
Figure 5.3. This folder inherits the permissions granted to its parent folder, System\Policies.
The rights granted at the folder level control who in a domain can create, edit, and delete a GPO.
Similarly, on the GPT side, the same users or groups who have rights to create, edit, and delete
GPC objects are granted such rights over the GPTs parent folder. Because the GPT resides in
the SYSVOL share on domain controllers in a domain, this parent folder is found on the path
\\<domain>\SYSVOL\<domain>\policies.
When you view the security properties on a GPO from a Group Policy MMC snap-in (as shown
in Figure 5.2), youre viewing the security as its assigned on the GPC folder for that GPO. But
to be able to create, delete, or edit the GPO, you also need to have the corresponding rights in the
GPT folder for the GPO. In a default AD installation, if you keep the default groups that have
permissions to manage GPOs, you dont ever need to be concerned about the security
permissions applied to either the GPC or the GPT Policies folder. However, if you want to do
any customization to GPO delegation, you need to modify these default permissions on the GPC
or GPT.
126
Chapter 5
You may be inclined to ask why the Delegation of Control wizard provided with the Active Directory
Users and Computers and AD Sites and Services snap-ins doesnt allow you to customize the
delegation of GPO creating, deleting, and editing. Its a good question, and one with no easy answer.
The Delegation of Control wizard is essentially a shortcut to the ACL editor, so its a simple and rather
stupid tool. If you run the Delegation of Control wizard against a container such as a site, domain, or
OU, there appears to be a way to delegate creating GPC objects. However, this is in fact not what
occurs.
Because GPC objects are created under the special System\Policies folder in an AD domain, you
actually need to run the Delegation of Control wizard on that folder rather than on a particular site,
domain, or OU. Makes sense, right? However, simply running the Delegation of Control wizard
against the System\Policies container doesnt grant the rights needed to delegate creating GPOs.
This is because the Delegation of Control wizard does nothing to handle creating permissions in the
GPT in SYSVOL. As a result, if you use the Delegation of Control wizard to delegate the creating of
GPOs to a new group, then as a member of that group, try to create a GPO in the domain, youll get
an Access Denied message. Later in this section, Ill describe the methods you can use to
successfully delegate creating, deleting, and editing of GPOs.
The first step to correctly delegate GPO administration is knowing which rights confer which
capabilities. Lets look at exactly what rights you need on the GPC and GPT to be able to view,
edit, create, and delete GPOs. Table 5.2 below shows the rights that must be granted on the
System\Policies folder or a GPC to confer a particular GPO management capability. (These
rights correspond to the ACL editor view shown in figures 5.2 and 5.4.) The Apply Group Policy
permission isnt listed because it doesnt affect delegation of GPOs.
Right
Full Control
Read
View the GPO and its properties in the Group Policy MMC snap-in
but not open the GPO for editing.
Write
View and edit the GPO. (Write doesnt confer the ability to read a
GPO as well; that permission must be explicitly granted.)
Delete GPOs.
Table 5.2: The rights used on GPC objects to delegate GPO management.
Table 5.3 below lists the corresponding NTFS rights that must be set on the GPT folders to grant
capabilities like those listed in Table 5.2 above.
Right
Full Control
Modify
View the GPO. When you select the Read & Execute right, the List
Folder Contents and Read rights are granted automatically.
Write
Table 5.3: The rights used on GPT objects to delegate GPO management.
127
Chapter 5
Its possible to confer one set of rights on the GPC portion of a GPO and another set on the GPT
portion. The results, as you can imagine, arent good. For example, you can grant Write access to a
GPO in the GPC. This theoretically lets you edit the GPO, and indeed, you can open and edit the
GPO just fine in the Group Policy MMC snap-in. However, if you dont have the corresponding Write
permission on the GPT portion of the GPO, any changes you make to the GPO are lost without any
kind of warning or message about a lack of access. It seems that the Group Policy MMC snap-in only
checks to ensure that you have the correct permissions on the GPC before allowing you to edit that
GPO.
Of course, creating and editing GPOs is only one side of the delegation equation. The other side
is linking and un-linking GPOs from a site, domain, or OU.
Linking GPOs
Once you understand the delegation process for creating, deleting, and editing GPOs in your AD
domains, the next step is to decide who can link these GPOs to sites, domains, and OUs. As I
mentioned above, while delegating control of tasks such as creating GPOs requires setting
security rights on the GPC and GPT, delegating the linking and un-linking of GPOs is done at
the container level.
For example, if you want a group of administrators in the Finance OU to be able to link GPOs to
its own OU, you need to set security rights on the OU rather than on the GPC or GPT for the
GPOs. Fortunately, unlike delegating the creating of GPOs, where you have to worry about
security on both AD and SYSVOL, delegating GPO linking only involves setting AD security on
the container objects in question.
There are actually two rights that you can grant to a user or group at the container level.
Remember from Chapter 3 the discussion of the gPLink and gPOptions attributes that are present
on container objects. The gPLink attribute contains the GUIDs of all GPOs linked to the selected
container. Figure 5.6 shows the contents of the gPLink attribute on the HQ OU in a test domain
using the ADSI Edit tool.
128
Chapter 5
The Value(s) text box shows a string containing the LDAP DN of a GPO in the domain. The
ability to write to the gPLink attribute on a given site, domain, or OU container object is what
gives a user or group the ability to link and un-link GPOs to that container.
In addition to being able to manipulate the gPLink attribute, you can delegate the ability for a
user or group to use the Block Policy Inheritance feature, described in Chapter 3. The gPOptions
attribute on a container object controls whether this feature can be used. If the user or group can
write to this attribute, they can enable or disable this feature. If they cannot write to this attribute,
they cannot change it. Thus, even if you allow someone to link a GPO to their OU, for example,
you can prevent him or her from disabling upstream GPOs by not granting sufficient
permissions on the gPOptions attribute.
There are two ways to delegate security rights (and thus be able to link and un-link GPOs) for the
gPLink and gPOptions attributes. You can use:
The Delegation of Control wizard to grant rights to users and groups in your domain
Ill explain how to delegate security rights using the ACL editor. The Delegation of Control
wizard is only good for one-time ACL changes, and eventually, youll have to use the ACL
editor anyway.
First start the Active Directory Users and Computers MMC snap-in. (If youre granting rights to
users or groups on site objects, start the AD Sites and Services snap-in.) Lets suppose you have
an OU called HQ, and you want to grant linking and un-linking rights to an administrative group
in this OU called HQ Group Policy Admins. The first thing you need to do is get to the ACL
129
Chapter 5
editor for the HQ OU. Right-click the HQ OU, then choose Properties from the shortcut menu. In
the Properties dialog box, click the Security tab. Figure 5.7 shows the ACL editor for this OU.
To grant (or revoke) rights for the gPLink and gPOptions attributes on this OU, click Advanced
to see additional permissions. Figure 5.8 shows the advanced ACL editor view.
130
Chapter 5
To delegate the linking and disable inheritance rights on this OU, click Add, then add the HQ
Group Policy Admins group to the ACL. Select the group, and the Permission Entry dialog box
appears, where you can assign the actual rights to the gPLink and gPOptions attributes. This
dialog box has two tabsObject and Properties. Object is selected by default and shows the
permissions available on the OU object itself. However, youre interested in the Properties tab.
Click this tab, then set permissions on the individual properties on this OU. Figure 5.9 shows the
Properties tab as well as the permissions for gPLink and gPOptions.
131
Chapter 5
Figure 5.9: The permissions on properties (attributes) that you can assign on an OU.
As you can see in Figure 5.9, both gPLink and gPOptions have Read and Write permissions
associated with them. Read permissions are required for a user or computer processing GPOs
because it needs to be able to read the gPLink attribute to see which GPOs are linked to the site,
domain, or OU in question. However, the Write permission is of more interest here. By selecting
the Write gPLink permission, you grant the HQ Group Policy Admins group the ability to link
GPOs to the HQ OU. And by selecting the Write gPOptions permission, you grant this group the
ability to enable or disable inheritance on this OU.
How will you know if youve successfully granted or revoked from an administrator the ability
to link or un-link GPOs to or from a container object? When the administrator hasnt been
granted the Write gPLink permission, then attempts to create a GPO or add a link to an existing
GPO from a container object, that option will be grayed out.
You can see this, for example, in the Active Directory Users and Computers snap-in. If you
right-click HQ OU, choose Properties from the shortcut menu, then click the Group Policy tab in
the Properties dialog box, youll see the familiar Group Policy dialog box (shown in Figure
5.10), where the New, Add, Options, and Delete buttons are all grayed out. Removing the Write
permission on gPLink effectively prevents this user from adding any new GPOs or linking
existing ones to this OU. And because the user cant change the gPLink attribute, he or she also
cant delete a GPO or its link from this dialog box.
132
Chapter 5
Figure 5.10: The Group Policy dialog box after the gPLink Write permission has been revoked.
Interestingly enough, the Block Policy Inheritance check box is also grayed out, even though this
user still has Read and Write permissions for the gPOptions attribute. Now, I personally think
that users should still be able to block policy inheritance in this situation, but apparently the
person at Microsoft who coded this UI didnt think so! Another seemingly odd thing is that if a
user has Write permission on gPLink, but not on gPOptions, he or she can select the Block
Policy Inheritance check box, but then receives an error, indicating that the change cant be
made. Youd think that the better way to handle this would be to gray out the check box, as
shown in Figure 5.10 above.
Now that Ive discussed how you can delegate GPO creating, editing, deleting, and linking, its
time to pull it all together and go through a real scenario where you delegate OU administration
in your AD domain.
Putting GPO Delegation into Practice
Lets suppose that youve installed your AD domain, and now you want to use your newfound
knowledge about GPO delegation to delegate the management of GPOs in your domain. The first
thing youll do is delegate the ability to create, edit, and delete GPOs. Remember from the
discussions so far that these are domain-wide rights. That is, a GPO exists in a domain in a single
placein the GPC (and GPT). So when you delegate administration of GPO creation, deletion,
and editing, you do so across the domain. If you grant users the ability to create GPOs in a
domain, they can create as many as they want until you stop them. On the other hand, if you
grant users the ability to link a GPO to the Finance OU, theyre fairly limited to how much
damage they can do.
133
Chapter 5
The point is that delegating GPO creation and deletion is pretty much an all-or-nothing task, one
that should be done with prudence. Because each new GPO creates its corresponding GPC and
GPT, which starts out at just under 1 megabyte (MB) in size, a user who creates thousands of
GPOs just for the fun of it can seriously affect seemingly unrelated things, such as AD and
NTFRS replication traffic on your network. So consider GPO creation (and deletion) a rare right
that shouldnt be abused!
That said, you do have some ability, once a GPO has been created, to go back and remove
permissions to prevent a user from deleting it or even editing it. Ill talk in this section about how
to delegate the creation process from scratch as well as how to change existing permissions on a
GPO to prevent further changes.
Making Changes to the Policies Folder
As I mentioned in the previous section, delegating the creation of GPOs is controlled using the
permissions contained in the GPC System\Policies folder in an AD domain and the NTFS file
permissions on the SYSVOL-based Policies folder on your domain controllers. Therefore, if you
want to grant new rights to create GPOs, you need to make changes to these folders.
To reiterate, you only have to manually modify GPC and GPT permissions when youre delegating
the creation of GPOs to a new user group. To grant users the ability to modify or delete a GPO, you
can use the ACL editor.
Lets suppose youve created a special domain-wide global group called GPO Admins. You want
to be able to give this group the ability to create, delete, and edit GPOs in your domain. Youll
then delegate editing and linking rights on an as-needed basis to those groups that require them.
Ill walk through this entire scenario now to describe the challenges and complexities of
implementing a truly flexible GPO delegation.
Depending on the size of your environment, you may make some groups responsible for creating,
editing, and deleting GPOs and delegate to others the ability to link GPOs. This is important to keep
in mind as you plan your GPO implementation because the various groups dealing with GPOs must
be in sync at all times.
Open the Active Directory Users and Computers MMC snap-in, focused on your domain
specifically, the domain controller in your domain that is currently the primary domain controller
(PDC) operations master)and drill down to the System\Policies folder.
To focus on a particular domain controller in the Active Directory Users and Computers snap-in, rightclick the domain name at the top of the left-hand (scope) pane, then choose Connect to Domain
Controller. In the Change To dialog box, type the name of the domain controller that has the PDC
operations master role for your domain. The reason I suggest the PDC operations master to focus on
for your GPC changes is that its the domain controller that the Group Policy snap-in focuses on by
default whenever you edit the GPO. Focusing on the same domain controller each time you make
changes to a GPO (whether using the MMC snap-in or directly on the GPC or GPT) ensures that two
people dont edit the same GPO on two different domain controllers and potentially overwrite each
others changes.
Right-click this folder and choose Properties from the shortcut menu. Then in the Properties
dialog box, click the Security tab. When you open the ACL editor on this folder, you see the
134
Chapter 5
default GPO permissions that are listed in Table 5.1 earlier in this chapter. At this point, youre
ready to grant create, edit, and delete permissions to the GPO Admins group.
Click Add, then select the GPO Admins from the list. Now that youve added an ACE for the
group, you need to modify the permissions youre granting to it. How do you know which
permissions to grant to a group to convey sufficient results? Well, from Table 5.2 earlier in this
chapter, you know that you need to grant at least the Create All Child Objects and Delete All
Child Objects permissions to give the group the ability to create and delete GPOs.
If you dont grant the Delete All Child Objects permission, the group members can create but not
delete GPOs in the domain.
You can also grant Read permission, but you dont need to, because the Authenticated Users
group, of which all users defined in the domain are members, already has Read access to the
System\Policies folder by default. Figure 5.11 shows the necessary permissions to grant the GPO
Admins group the ability to create, edit, and delete GPOs in your domain.
Figure 5.11: The permissions on the GPC-based System\Policies folder required to delegate creating,
deleting, and editing of GPOs.
At this point, youre only half done. To really allow the GPO Admins group to be able to create,
delete, and edit GPOs, you also have to grant the equivalent rights in the GPT. The easiest way
to do this is to log on to a domain controller in your AD domain and change the NTFS
permissions on the folder.
135
Chapter 5
Be careful which domain controller youre focused on when you make the change. Just as with the
System\Policies folder discussed above, its a good idea to change GPT permissions on the PDC
operations master for your domain because this is the server, by default, that the Group Policy MMC
snap-in focuses on when creating, editing, and deleting GPOs.
Log on to the PDC operations master, navigate to the volume where youve defined SYSVOL on
that server, then drill down to the Policies folder under the SYSVOL share. The path will look
something like this:
%systemroot%\sysvol\sysvol\<domain>
where <domain> is the name of your domain. In the domain folder, there should be at least two
foldersPolicies and Scripts. If you right-click Policies, then choose Properties from the
shortcut menu, you can set security on the GPT. In the Properties dialog box, click the Security
tab, then add the GPO Admins group and grant it the appropriate rights to create, edit, and delete
GPOs. In this case, the Modify permission will accomplish your goal, so grant GPO Admins the
Modify permission on the Policies folder (see Figure 5.12).
Figure 5.12: The permissions on the GPT-based Policies folder required to delegate creating, deleting, and
editing GPOs.
Youve now completely delegated creating, deleting, and editing GPOs to the GPO Admins
group. The next step is to delegate linking to other user groups. Then Ill show you how to
modify existing GPO permissions to change access to a GPO.
Lets say you have an OU called Finance that wants to be able to link to some GPOs in your
domain. In the Finance OU is a group called Finance GPO Admins, to whom youll delegate the
ability to link and un-link GPOs. As I mentioned earlier in this chapter (see Linking GPOs),
136
Chapter 5
you need to grant linking permissions on the container (for example, site, domain, or OU) where
the linking is to occur. So as an administrator, youll grant linking permissions to the Finance
GPO Admins group on the Finance OU.
The person who is changing security on the OU must have the rights to do this. In many cases, OU
administrators themselves may be able to grant this permission. On the other hand, you may want a
higher-level administrator to do this; you may not want to delegate the ability to change permissions
on an OU to the administrator of the OU!
To delegate the linking permission, start in the Active Directory Users and Computers snap-in
and right-click the Finance OU. Choose Properties from the shortcut menu, then in the Properties
dialog box, click the Security tab. In the familiar ACL editor, click Advanced. In the advanced
ACL editor view, click Add to add the Finance GPO Admins group as the target group for the
new ACE. The Permission Entry dialog box will appear. Click the Properties tab to set
permissions on the OUs properties (attributes), then select the Read gPLink and Write gPLink
permissions.
You can also grant the Finance GPO Admins group the ability to block policy inheritance on the
OU by granting the Read gPOptions and Write gPOptions permissions. Figure 5.13 shows what
the resulting ACE looks like after youve granted linking permissions on the Finance OU.
Figure 5.13: The permissions required to delegate linking and un-linking of GPOs.
Once youve granted these permissions, the Finance GPO Admins group will be able to link any
GPOs that it has Read permissions on to the Finance OU. This is an important point. If there are
GPOs in your AD forest that you dont want to allow certain administrators to link to, you need
137
Chapter 5
to set permissions on those GPOs to prevent them from even being read. Remember that, by
default, all GPOs are created with an ACE that allows the built-in Authenticated Users group
Read and Apply Group Policy permissions. If there are particular GPOs that administrators
shouldnt link to, you need to remove the ACE and replace it with a similar one that grants
access only to the intended target group.
Remember, too, that once you remove this ACE, no users or computers will be able to read or
process the GPO, so make sure that you replace it with one that grants the access you really need.
An administrator needs at least the Read permission to be able to link to the GPO. As I
mentioned in Chapter 3, the Apply Group Policy permission controls which users and computers
actually process the policy, and an administrator doesnt have to be able to link to that GPO.
Modifying Permissions on Existing GPOs
As I alluded to above, you may need to modify the permissions on existing GPOs rather than
modify permissions directly on the System\Policies and SYSVOL folders to delegate new GPO
creation. If this is the case, I suggest using the Group Policy snap-in ACL editor instead of
modifying permissions on each GPOs GPC and GPT folders. This minimizes mistakes and
ensures that the permissions that you intended are indeed applied. I can think of a couple of
examples where you might want to go back and modify existing GPO permissions.
In one situation, lets suppose youve decided to use the GPCO group to delegate creating and
deleting GPOs. As I mentioned earlier in this chapter (see Default Rights), when you use this
group, the ACE that is written to the newly created GPO is created for the user account that
created the policy rather than the GPCO group. This means that, in the future, only that user can
modify or delete the GPO. This may not be a desirable scenario, so it might be worthwhile to
modify permissions on that GPO to give additional users or groups the Write or Modify
permission. You can do this in the Group Policy MMC snap-in by focusing on that GPO and
changing its security properties. (I discussed how to do this in How GPO Delegation Works
earlier in this chapter.)
In another case, you might want to delegate administration of the two built-in GPOsDefault
Domain Policy and Default Domain Controllers Policy. By viewing the properties of these two
GPOs from MMC, you can determine their GUIDs, and you can modify the System\Policies and
SYSVOL Policies folders to allow users other than Domain Admins, local Administrators, and
Enterprise Admins to edit them.
Linking GPOs to a Site Object
Now I want to say a word about site-linked GPOs. Everything Ive discussed in this chapter so
far applies to creating and linking site GPOs, but you need to be aware of a few minor
differences. The first and most obvious one is that to link GPOs to a site, you use the AD Sites
and Services MMC snap-in. You simply right-click a site object in the snap-in, choose Properties
from the shortcut menu. This is shown in Figure 5.14. Then in the Properties dialog box, click
the Group Policy tab as you would in the Active Directory Users and Computers tool.
138
Chapter 5
Figure 5.14: Linking GPOs to a site object in the AD Sites and Services snap-in.
The principal difference between site-based GPOs and domain- or OU-based GPOs is where
theyre created by default. If youre using the MMC snap-in to create and link a GPO to a site in
one step, the GPO is automatically created in the forest root domain. If you have a multi-domain
AD forest, you need to have GPO creation permissions on the GPC and GPT in the forest root
domain to create and link site-based GPOs in one step. Otherwise, you can create a GPO, then
link it in any domain in your forest to a site object.
Chapter 5
Users security group has Read and Apply Group Policy permissions on that GPO, no one else
who links to the GPO may be able to process it unless they too modify the permissions. This is
another good argument for having a centralized group control GPO creation and maintenance
and allowing your OU administrators to simply link and un-link GPOs.
Second, remember that you have to first remove the Authenticated Users ACE from the default
GPO permissions before you can effectively use security groups to filter the GPOs effects. This
is because Authenticated Users includes every user and computer in your AD forest. You wont
have any luck filtering a GPO if that ACE is still in place. Remember, however, that when you
remove that ACE and add a new security group, only those users and computers that are part of
the new group will be able to view and process the GPO.
Finally, be aware that security-group filtering applies to the whole GPO. For example, it might
be nice if you could filter Folder Redirection for one set of users and Administrative Templates
for another set of computers in a single GPO. No can do! However, you do have some
granularity of control in the Software Installation feature in GPOs, and Ill talk about that next.
Security-Group Filtering for Applications
When I first encountered GPOs, I thought itd be really nice to have more granular control of
security-group filtering. That would allow me, in a single GPO, to control which users and
computers processed which features. Unfortunately, for the most part, security-group filtering of
a GPO is an all-or-nothing affair.
The good news is that Microsoft does provide more fine-grained control when youre using the
Software Installation feature in a GPO to publish or assign applications to your users. If you
publish or assign several applications in a single GPO, you can control which user or computer
groups will see them. If they cant see them, the applications wont get installed. Software
Installation is a kind of down-market version of the Microsoft SMS user and computer group
based Software Advertisement feature.
For an explanation of publishing and assignment, see Chapters 1 and 3.
For example, suppose you have a domain-linked Software Installation GPO and you want to use
it to deploy all of your applications using the Software Installation feature in Group Policy.
However, you want to be able to control who receives certain applications in the GPO. You can
do this by modifying permissions on the individual applications that youve published or
assigned. Figure 5.15 shows a GPO with two applications deployedMicrosoft Office 2000 and
Win2K Administration Tools.
140
Chapter 5
Lets say you want to give everyone access to Office 2000, but you want only certain members
of an administrator group to have access to Win2K Admin Tools. Perhaps youve removed the
Authenticated Users ACEwhich grants all users and computers Read and Apply Group Policy
permissions on a GPOand replaced it with a security group that is targeted to specific users or
computers. Now you want to set permissions on Win2K Admin Tools so that only members of a
particular administrative group receive it.
Before the group members can read the permissions you assign to Win2K Admin Tools, they
must have permission to process the GPO as a whole. Thus, before you use security-group
filtering on an application, the GPO has to be visible and available for processing by all users (or
computers).
That said, Ill show you how to set permissions on the two applications shown in Figure 5.15 to
meet these requirements. The first thing you need to do is edit the GPO, so start the Group Policy
MMC snap-in, focused on Domain Software Installation Policy. Next, drill down to the User
Configuration, Software Settings, Software Installation node, where your two applications have
been deployed. Then right-click Office 2000 and choose Properties from the shortcut menu. In
the Properties dialog box, click the Security tab to show the permissions on the application (see
Figure 5.16).
141
Chapter 5
The only permission that a user or computer needs to receive the deployed application from the
GPO is the Read permission. As you can see in Figure 5.16 above, the Authenticated Users
group, by default, has Read permission on all deployed applications. This means that all users
who process this GPO will receive these applications. Office 2000 is fine the way it is, but you
need to modify the permissions on Win2K Admin Tools to only allow selected administrative
groups to receive it.
You edit that applications security permissions just like any other ACL editor operation. In this
case, however, first remove the Authenticated Users ACE that grants all users access to this
application by clicking Remove in the ACL editor. A message appears, as shown in Figure 5.17.
Figure 5.17: The warning message that appears when you try to remove an inherited ACE.
You cant delete the Authenticated Users ACE because its been inherited from a parent
container, so you need to break inheritance between this application and its parent. On the
Security page of the Properties dialog box, clear Allow Inheritable Permissions from Parent to
Propagate to This Object, then click OK. Another dialog box appears, asking whether you want
to copy all inherited ACEs to this object and break inheritance, remove all inherited ACEs from
142
Chapter 5
this object, or cancel the operation altogether. Because you dont want to remove all inherited
ACEs (just Authenticated Users), click Copy, then Apply.
This breaks the security that the application inherits from its parent container object. However, it
may not be apparent what the parent container for an application is. To find out, we have to go
back to Chapter 2. In fact, the parent container for an application is a folder in the GPC called
Packages. The Packages folder is contained in the Class Store in the GPC (see Figure 5.18).
Figure 5.18: The Packages folder in the GPC, from which deployed applications inherit permissions.
As you can see in Figure 5.18, the right-hand (results) pane shows the two applications that are
deployed in the GPO, represented as packageRegistration objects in the GPC.
Getting back to our example, once youve broken inheritance between the application and the
Packages container, you can remove the Authenticated Users ACE and add your new group
permissions. Figure 5.19 shows the resulting ACL for Win2K Admin Tools.
143
Chapter 5
This figure shows three user groups addedHQ Group Policy Admins, Server Admins, and the
built-in Server Operatorsand granted each Read permissions to this application. Thus, the next
time a member of one of these groups logs on to the domain, Win2K Admin Tools will be
advertised to his or her desktop, ready for installation. No other users will receive the
applicationas youd expect!
The example above describes the two applications as per-user deployments. Thus, any securitygroup filtering you do on these applications needs to be based on user groups, rather than computer
groups, because the applications are processed by users, not computers. If one or both of these
applications is deployed per computer (assigned), youll need to use computer groups to filter which
computers receive which applications.
144
Chapter 5
include kiosk-type computers, or single-function computers, which present users with a different
desktop than they see at their own workstations.
This need also applies to an environment using Windows Terminal Server (WTS) environment.
Users log on to Windows terminals using the same credentials they normally use on their own
computers, but while theyre logged on, you may not want their home GPOs to process.
In these cases, Microsoft has provided an interesting workarounda feature known as loopback
processing. Loopback processing is enabled on individual computers using a GPO-based
Administrative Template policy. When a user logs on to a computer that is using loopback
processing, the computer overrides the user accounts own home GPOs and temporarily
applies any GPOs that it processes instead.
To enable loopback processing, you need to open a Group Policy snap-in focused on a GPO and
drill into Computer Configuration, Administrative Templates, System, Group Policy. Figure 5.20
shows where the loopback policy setting is located in a GPO.
Loopback can work in two modesMerge and Replace. Each mode determines how userspecific policy is merged into a users existing user-specific GPO-based settings. In Merge
mode, when a user logs on to a computer that has loopback processing enabled, any user-specific
GPO policy that the computer is processing will be merged with any policy that the user brings
from GPOs that he or she normally processes. Figure 5.21 attempts to illustrate how this works.
145
Chapter 5
In the figure above, Joe User has an account in the Finance OU, and he normally logs on to a
computer in that OU as well. A Finance GPO provides Joes computer- and user-specific policy.
User-specific policy may include Folder Redirection, Administrative Template lockdown, IE
Maintenance policy, and so on. When Joe User logs on to the computer labeled Kiosk in the
Kiosks OU, the user-specific policy that he typically receives in his own OU can be overridden
using loopback processing.
If you use loopback processing in Merge mode, any user-specific policy settings that have been
defined on the Loopback GPO will be merged with Joes home policy settingsthose that
were applied from the Finance GPO. For example, perhaps Joe normally receives a Folder
Redirection policy from the Finance GPO that redirects his My Documents folder to a server
share but leaves other folders (like Start Menu, Desktop, and so on) where they are by default.
Now lets say that in the Loopback GPO, you create a Folder Redirection policy that redirects all
users Desktop folders to a server share. Using Merge mode, the result is that Joes My
Documents and Desktop folders are redirected to server shares. If any of these user policy
146
Chapter 5
settings conflict during the merge process, the policy defined on the Loopback GPO will
override what was defined on the Finance GPO.
If you use loopback processing in Replace mode, any user policy that Joe User receives from the
Finance GPO will be completely replaced by what is defined on the Loopback GPO (see Figure
5.21). Joes My Documents folder will no longer be redirected to the server share; his Desktop
folder will be redirected instead.
To enable loopback processing, make sure youre in the Group Policy snap-in as shown in Figure
5.20, then open User Group Policy Loopback Processing Mode. In the Properties dialog box,
click Enabled, then specify a mode (see Figure 5.22).
You can see how loopback processing can be ideal in a Windows terminal environment. You can
lock down certain aspects of a users desktop when he or she logs on to a terminal but let the user
roam free when he or she is sitting at their own computer. To use this approach, simply enable
loopback processing using one of the two modes I described above on a GPO that is processed
by your terminal server(s). Then, either on that same GPO or on different ones, define a set of
user-specific policy settings that will take effect when any user logs on to a terminal.
I recommend that you start using loopback processing in Replace mode rather than Merge mode.
As you can imagine, calculating the RSoP for a user who is receiving the results of multiple
merged GPO settings can be a nightmare unless you have a really good lock on what policies
youve set in your environment. Using Replace mode, you always know that the only policies a
user is getting are the ones defined on the GPOs that are processed by the computer with
loopback processing enabled.
147
Chapter 5
Summary
In this chapter, I described ways to work around some challenging issues in your GPO
infrastructure. Delegation, security-group filtering, and loopback processing are all tools that,
once you master them, can make using GPOs more worthwhile. When you use delegation, the
key is to understand the differences among delegating creation, editing, and deletion of GPOs,
and linking and un-linking them, and what permissions enable each.
I also discussed the GPCO security group and some important differences between the
Delegation of Control wizard and setting ACLs directly. With respect to security-group filtering
of GPO processing, the key is to keep it simple and balance security-group filtering with proper
GPO linking. Finally, loopback processing gives you a way of overriding users native user
policy settings when they log on to specialized computers in your AD infrastructure. In the next
and final chapter, Ill look at tools and techniques for managing and troubleshooting your GPO
infrastructure.
148
Chapter 6
Probable Cause
Potential Solutions
One or more
GPOs hang
when a user
logs on or a
149
Chapter 6
Problem
Probable Cause
Potential Solutions
computer starts
up.
A single GPO
isnt processed
at all, or only
parts of it are
processed.
150
Chapter 6
Problem
Probable Cause
Potential Solutions
regardless of whether its changed since the
last time. Of course, this increases the time it
takes to process policies when a computer
starts up or a user logs on, but it can ensure
that a policy is always enforced.
A single GPO
isnt processed
at all, or only
parts of it are
processed.
A single GPO
isnt processed
at all, or only
parts of it are
processed.
The wrong
GPOs are
being
processed.
The wrong
GPOs are
being
processed
The wrong
GPOs are
being
processed
151
Chapter 6
Problem
Probable Cause
Potential Solutions
can use the Group Policy MMC snap-ins Link
Search feature to find all of the links to a
particular GPO: In the Active Directory Users
and Computers MMC snap-in, select a
container object such as a domain or OU,
right-click it, then choose Properties from the
shortcut menu. Click the Group Policy tab and
highlight the GPO that you want to search for
links to. Click Properties, then the Links tab.
Select the domain in which you want to
search for links, then click Find Now. All links
to the GPO are displayed (see Figure 6.4).
No GPO
processing is
occurring
152
Chapter 6
Figure 6.1: Enabling the Administrative Template policy to limit the amount of time that GPO-based scripts
(logon, startup, and shutdown) will run.
Figure 6.2:Using the History key in the registry to verify what version of the GPO ran most recently.
153
Chapter 6
Figure 6.3: Using policy to ensure that a CSE always processes a GPO, regardless of whether its changed
since the last processing cycle.
Figure 6.4: Using the Group Policy MMC snap-ins Link Search feature to find all of the links to a GPO.
154
Chapter 6
As you can see, gpresult.exe supports four options: Verbose mode (/V), Super Verbose mode
(/S), Computer Settings Only (/C), and User Settings Only (/U). There are a few differences
between Verbose mode and Super Verbose mode.
The main difference is that in Super Verbose mode, registry values that are set by
Administrative Template policy, and use the REG_BINARY data type, are fully
displayed; in Verbose mode, the contents of binary registry values arent displayed
In Super Verbose mode, any applications made available using Software Installation
policy are listed, whereas in Verbose mode, theyre not
In Verbose mode, each GPO version is listed as a single value. However, in Super
Verbose mode, the version information is broken down by GPT and GPC so that you can
see whether any synchronization problems exist between them.
155
Chapter 6
One noticeable piece of information that gpresult.exe doesnt provide is information about any
security settings that have been delivered using GPO. This is an unfortunate limitation that
makes the tool less valuable. The tool will show that you received security policy from one or
more GPOs, but it instructs you to use the security configuration and analysis MMC snap-in to
view actual security policy. Unfortunately, the security configuration and analysis snap-in
doesnt tell you which GPOs are delivering which security policy; it only tells you what effective
policy is currently running on the computer. For this more detailed RSoP functionality, you have
to turn to a tool like FAZAM 2000 from Full Armor or wait until Microsoft delivers it in the next
version of Windows.
The last two modes in gpresult.exe are Computer Settings Only and User Settings Only. They let
you display GPO policy per user or per computer, so that you can exclude one or the other from
a report. (The default is to present both). This helps minimize the amount of data the tool returns.
You can also use the /c or /u option with the /v or /s option to select the verbosity level.
In general, gpresult.exe is a good tool for giving you an overall sense of which GPOs are being
processed by the current user and computer. You cant run the tool remotely against a different
computer/user combination, but you can get some useful information out of it when you run it
locally. Figure 6.6 shows some sample gpresult.exe output. As you can see, the first part of the
report shows a lot of useful information about the computer and user running the report,
including the site the computer is in (SanFrancisco), the users distinguished name in AD
(CN=Administrator,CN=Users,DC=mar-elia,DC=com), the groups they belong to, and the
security rights they have on the domain.
Figure 6.6: Using gpresult.exe to display details of the computer and user running a report.
156
Chapter 6
The second part of the report (not shown here) lists the GPOs processed by the user and
computer, and its organized by CSE (for example, Administrative Template, Software
Installation, Folder Redirection, and so on).
The gpresult.exe tool is quite useful for identifying when a particular Administrative Template
policy is being applied because it lists individual registry entries set by a given GPO. It also
provides some summary information about each GPO, and this can be handy when youre
troubleshooting problems. This information includes things like the GPOs friendly name, its
GUID, version information, and what its linked to. This information is shown in Listing 6.1.
The user received Application Management settings from these GPOs:
Domain Software Installation Policy (v1.0)
Revision Number:13 (Active Directory) 13 (Sysvol)
Unique Name:{7D48C869-4882-40D7-A2A7-97193664F282}
Domain Name:mar-elia.com
Linked to:Domain (DC=mar-elia,DC=com)
While gpresult.exe isnt a full-featured RSoP tool, itll do in a pinchsuch as when you need to
find out whats happening on a workstation or server right now.
Group Policy Object Verification Tool (gpotool.exe)
The Group Policy Object Verification tool (gpotool.exe) in the Win2K resource kit, is valuable
for ensuring that your GPO infrastructure is functioning properly. Rather than focusing on the
effects of GPOs on a single workstation or user, as gpresult.exe does, gpotool.exe surveys all
GPOs in a given domain and ascertains their health. It does this by querying each domain
controller in a domain and verifying whether the GPT and GPC are in sync (that is, of the same
version). If not, it reports errors.
gpotool.exe also provides a bit more control over the scope of the search using a number of
command-line options. These are shown in Figure 6.7 and listed below.
Chapter 6
/domain:nameSearches in a domain other than the one in which its runningthat is,
you can perform cross-domain consistency checks on GPOs.
/checkaclIs supposed to validate whether the permissions on the GPT for a given GPO
are consistent with those on the GPC. However, in tests that I ran using this option, after
changing permissions on a GPT for a GPO, gpotool.exe registered no problems
whatsoever. So my guess is that this feature wasnt quite implemented!
/verboseInstead of merely reporting back that GPOs are OK, lists version and other
information on all GPOs that you report on. Listing 6.2 shows an example of the verbose
output on a GPO reported by gpotool.exe.
Policy {BB5758D9-30FF-4BC5-A262-482321D9F928}
Policy OK
Details:
DC: yquem.mar-elia.com
Friendly name: HQ Lockdown Policy
Created: 3/11/2001 2:52:04 AM
Changed: 5/1/2001 3:39:56 AM
DS version:
3(user) 4(machine)
Sysvol version: 3(user) 4(machine)
Flags: 0
User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-702011D2-842D
00C04FA372D4}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-0
0A0C90347FF}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D509E-11D1-A
7CC-0000F87571E3}]
Functionality version: 2
Listing 6.2: Finding information about a GPO using the verbose option in gpotool.exe.
In this listing, gpotool.exe reports the following on the HQ Lockdown Policy GPO:
The details of the domain controller on which the policy was found
The friendly name for the policy, when it was created and last changed, and its current
GPC (DS) and GPT (Sysvol) versions
The Flags field shows whether user or computer policy settings have been disabled on the
GPO. In the previous listing, a value of 0 indicates that both computer and user settings
are enabled on this GPO.
The User and Machine extensions fields show the GUIDs of the CSEs used in this GPO
(or example, the GUID {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} corresponds
to the IE Maintenance CSE, which has been set in this GPO)
158
Chapter 6
The functionality version corresponds to the version of the Group Policy snap-in tool that
was used to create this GPO.
Lets look at an example of how gpotool.exe finds problems in an environment. Lets say you
suspect that there is a problem with the HQ Lockdown Policy GPO on one of your domain
controllers. Using the tool with the following syntax, you can zero in on the problem:
gpotool /gpo:HQ Lock /dc:yquem
You use the /gpo option to search for this GPO. You dont need to enter the entire GPO friendly
name; you can enter just the first few characters. (You cant enter another part of the name, such
as Lockdown.) You also use the /dc option to specify a domain controller by the name of Yquem,
which is where you want to focus your reporting. Figure 6.8 shows the output of this command.
This figure shows that there is a problem on this GPO because the version on the GPT (196613)
is different than the version on the GPC (196612). In this case, because the version on the GPT is
greater, you might infer that AD replication problems on this domain controller are preventing
the latest GPO changes from replicating to the GPC. A quick look in the AD event log on this
server should confirm such a problem.
Network Connectivity Tester (netdiag.exe)
Another useful Win2K resource kit utility is Network Connectivity Tester (netdiag.exe). This tool
has many capabilities, but its basically designed to validate that all network-related aspects of
your Win2K device are functioning correctly. Netdiag.exe can do everything from checking the
status of your network cards to verifying that all of the correct DNS entries are registered for a
given domain controller. If youre having a problem like that described in Table 6.1, where none
of the GPOs for a given computer or user in your domain are being processed, this is the tool to
use.
159
Chapter 6
Netdiag.exe detects problems with modems, network interface cards (NICs), infrared portsyou
name it, this tool finds it. It even has a facility to fix certain basic problems (for example, DNS
registrations that are missing). In Debug mode, the tool lists an amazing array of data, including
routing information on each NIC installed, current Transmission Control Protocol (TCP) ports
connected or listening on, detailed AD configuration information, and so on. Its range is really
quite extensive. Listing 6.3 shows all of the tests that netdiag.exe can perform.
Ndis - Netcard queries Test
IpConfig - IP config Test
Member - Domain membership Test
NetBTTransports - NetBT transports Test
Autonet - Autonet address Test
IpLoopBk - IP loopback ping Test
DefGw - Default gateway Test
NbtNm - NetBT name Test
WINS - WINS service Test
Winsock - Winsock Test
DNS - DNS Test
Browser - Redir and Browser Test
DsGetDc - DC discovery Test
DcList - DC list Test
Trust - Trust relationship Test
Kerberos - Kerberos Test
Ldap - LDAP Test
Route - Routing table Test
Netstat - Netstat information Test
Bindings - Bindings Test
WAN - WAN configuration Test
Modem - Modem diagnostics Test
Netware - Netware Test
IPX - IPX Test
IPSec - IP Security Test
Listing 6.3: A list of tests available in netdiag.exe.
For the purposes of troubleshooting GPOs, the tests of interest are the DNS test and domain
membership test. The DNS test verifies that a server, workstation, or domain controller is
correctly registered with its DNS servers, while the domain membership test ensures that the
membership between the device where the utility is being run and the domain is valid.
The syntax for performing just the DNS test is as follows:
netdiag /test:DNS
160
Chapter 6
I ran this utility from a domain controller in my domain. Note that netdiag.exe runs a number of
tests by default without explicitly specifying them (for example, the domain membership and
NetBT transports test). As you can see at the end of the output, the DNS test failed with errors
indicating missing entries on the DNS server that Im pointing at. At this time, I can wait to see
if the missing entries replicate from another DNS server, or I can use netdiag.exes /fix option to
try and fix the problem.
The /fix option compares the records registered by the domain controller in DNS with the ones
that should be registered; theyre well known for a given domain controller in a domain. If it
finds one or more records missing, it registers them for the server. The syntax for this command
is:
netdiag /fix
Listing 6.4 shows the results reported by netdiag.exe after I ran this command on my domain
controller with the DNS problem.
DNS test . . . . . . . . . . . . . : Failed
[FIX] re-register DC DNS entry _ldap._tcp.SanFrancisco._sites.marelia.com.
on DNS server 192.168.1.151 succeed.
FIX PASS - netdiag re-registered missing DNS entries for this DC
successful
y on DNS server 192.168.1.151.
[FATAL] No DNS servers have the DNS records for this DC registered.
Listing 6.4: The output of the netdiag.exe /fix option.
161
Chapter 6
This listing shows that netdiag.exe was able to fix the missing DNS entry, which was in the
_tcp.SanFrancisco._sites.mar-elia.com zone.
Software Installation Diagnostics (addiag.exe)
Software Installation Diagnostics (addiag.exe) is another Win2K resource kit utility that
provides a wide range of troubleshooting functionality related to GPOs and, more specifically, to
Software Installation in GPOs. This utility is a veritable treasure trove of functionality. It
provides not only detailed information on applications that have been installed using GPO-based
Software Installation but also general GPO information, such as GPO history (GPO version
numbers registered during the last policy-processing cycle).
This tool also lets you enable some Software Installationrelated logging using command-line
options. Normally, you must enable this logging using Administrative Template policy or
registry hacks on a given computer. Lets take a look at how you can use addiag.exe to
troubleshoot GPO-based Software Installation issues. Lets suppose you want to find out what
applications have been installed using Software Installation on a particular workstation. The
following syntax will provide the answers youre looking for:
addiag /test:ServerApps
This form of the command will dump a list of applications installed for both the computer and
the user using GPO-based Software Installation. Figure 6.10 shows an example of the output for
this command.
162
Chapter 6
Figure 6.10 shows the following information:
The GPOs GUID, friendly name, which is Domain Software Installation Policy (v1.0),
and the applications it deploysMicrosoft Office 2000 SR-1 Premium and the Win2K
Administration Tools.
Each installed application, along with its object GUID, its unique product code, and the
options, or package flags, which the administrator chose when the application was
deployed. For example, in the previous figure the Win2K Administration Tools
application was assigned on a per-user basis. In addition, I enabled the option to have the
application installed by a file-extension association (OnDemandInstall in the figure) was
also checked.
The OrphanOnPolicyRemoval flag means that the administrator chose not to have the
application uninstalled when the GPO carrying that application no longer applies to this
user.
Another feature of addiag.exe that I mentioned earlier is its ability to enable various logging
features related to Software Installation on a Win2K device. Using the /trace option, addiag.exe
lets you enable four types of logging. Table 6.2 lists these options and describes what they do.
Ill discuss logging further in Enabling GPO Logging later in this chapter.
Trace Option
Description
AppmgmtOn
CstoreOn
MSIOn
UserEnvOn
Table 6.2: The trace logging options that are available in addiag.exe.
Addiag.exe is a useful tool for providing information on your GPO-based software installations.
But sometimes you just need to know what policies are being applied to a particular computer or
user. This is where a tool like FAZAM 2000 comes in handy.
FAZAM 2000
FAZAM 2000 from FullArmor Corporation (http://www.fullarmor.com/) performs several GPOrelated functions, including letting you calculate RSoP and manage all of your domain GPOs
from a single interface. Ill talk more about these features in Managing GPOs later in this
chapter. In this section, Ill focus on this tools troubleshooting capabilities.
Two main features provide diagnostics. The first is a simple function in the Auditing and
Diagnostics module called Client Side Auditing. This tool, shown in Figure 6.11, provides a
163
Chapter 6
filtered view of the application event log, showing only events related to GPO processing. This
makes it easier to scan the event log for interesting events.
Figure 6.11: Using the Client Side Auditing feature in FAZAM 2000 to show events related to GPO processing.
The other feature in FAZAM 2000 is its ability to perform remote diagnostics. Its like a
graphical version of gpresult.exe, but it can also provide information on remote computers and
users. Specifically, you connect to a computer of interest using the remote diagnostics feature,
then FAZAM 2000 displays all of the GPOs and their current policy settings for the currently
logged-on user and selected computer. This feature is handy for pointing out when you might
have conflicting policy settings among several GPOs being applied to a given user or computer.
164
Chapter 6
Windows Installer log filesFor Software Installation specifically, log applicationinstallation details for applications deployed using Group Policy.
Once you create the Diagnostics key under CurrentVersion, you need to add values particular to
the type of logging you want to carry out. Table 6.3 describes the required values and what kinds
of logging they perform.
Registry Value (Name, Type, Value)
Logging Capability
RunDiagnosticLoggingGlobal
REG_DWORD = 0x1
RunDiagnosticLoggingGroupPolicy
REG_DWORD= 0x1
RunDiagnosticLoggingIntellimirror
REG_DWORD=0x1
RunDiagnosticLoggingAppDeploy
REG_DWORD= 0x1
Table 6.3: The registry values required to enable event-log auditing of GPOs.
Once youve enabled event logging, the application event log generates a new log entry for each
step that a computer and user go through as they process their applicable GPOs.
You can create a custom .adm template file to enable GPO application event logging on all
computers in your Win2K infrastructure. The following .adm template snippet will add the
RunDiagnosticLoggingGlobal flag to computers that process the GPO that contains it:
CLASS MACHINE
CATEGORY !!Custom
POLICY !!GPOLogging
KEYNAME Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
EXPLAIN !!GPOLogging_Help
VALUENAME RunDiagnosticLoggingGlobal
165
Chapter 6
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY ; Custom
[strings]
GPOLogging=Enable Verbose GPO Logging
GPOLogging_Help=By enabling this policy, you are turning on verbose logging of all GPO events in
the application event log
Custom=Custom Preference
You can actually scroll through each event log to follow which GPOs are processed and whether
any high-level errors are generated during a particular step. Figure 6.12 shows an example of one
such event-log entry after enabling verbose global logging.
GPO-related events typically appear in the application event log from one of three sources. Each
source represents a different set of policy processing.
UserenvThe event source responsible for enumerating the applicable GPOs and
figuring out which ones apply or dont, as shown in Figure 6.12
166
Chapter 6
In some cases, a log event might return some fairly obscure error messages, which you may find
no help at all. Listing 6.5 shows the text returned by one such event.
The Group Policy client-side extension Security was passed flags (17)
and returned a failure status code of (5).
Listing 6.5: An error message returned by the application event log during GPO processing.
How do you know what these flags and status codes mean? The flags refer to error messages that
are part of the Win2K DLL responsible for handling much of the processing of GPOs and user
profiles, userenv.dll. The actual error codes can be found in the header file for this DLL
userenv.h in the Microsoft Platform Software Developer Kit (SDK).
Table 6.4 shows the values and a description of the flags related to GPO. These flags are given in
hexadecimal (hex) values, but the event log shows decimal values, so you need to convert them.
Flag Value in Hexadecimal
(and Decimal)
Description
0x00000001 (1)
0x00000010 (16)
0x00000020 (32)
0x00000040 (64)
The policy is set to output status in verbose mode to the event log.
0x00000080 (128)
No changes were detected for this GPO from the last processing
cycle.
0x00000100 (256)
The network-link speed has changed between the last time the policy
was processed and the current processing cycle.
Table 6.4: The flags that are shown in GPO-specific event-log entries.
The values shown in the event log, like the ones in Listing 6.5, are displayed in decimal notation
and are calculated using a bitwise operation on the relevant flags shown in Table 6.4. For
example, Listing 6.5 shows a flag value of 17. You do a bitwise OR operation on the 0x1 and
0x10 flags shown in the table to obtain the hex value, which is 11. Thus, the flag value of 17
indicates that the policy being reported on is a computer policy and that its a background refresh
event, as opposed to a policy that is processed when a user logs on or a computer starts up.
The failure status codes shown in Listing 6.5 are simply Win32 error codes. You can figure out
what those errors are by looking in the winerr.h header file in the platform SDK or simply typing
the following at a command prompt:
Net helpmsg <#>
where <#> is the decimal error code. In Listing 6.5, Win32 error code 5 is Access Denied.
Usermode Logs
Usermode logs are a set of log files that you can activate in the %systemroot%\debug\usermode
folder on a Win2K system. Depending on what youve activated, this folder contains several log
files of interest. These logs provide very detailed logging of what is actually happening during
167
Chapter 6
GPO processing. If you dont obtain the information that you need from the application event
log, these usermode logs are your next point of investigation.
The userenv.log File
The main log file that contains detailed trace information on GPO and user-profile processing is
userenv.log. This file is created by default when you install Win2K, but to enable verbose
logging of policies and profiles, you need to set the following registry value:
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userenvdebuglevel= REG_DWORD 0x10002
Scanning through the userenv.log file to troubleshoot GPO problems can be a tedious process.
This log file is very low-level, so to find what youre looking for, you need to exercise patience.
Figure 6.13 shows an example of the output from this log, with verbose logging enabled.
Figure 6.13: The output of the userenv.log file with verbose logging enabled.
Youll immediately notice a couple of things about the userenv.log file. First, no event dates are
shown, only times. This means that you have to guess that the most recent events occurred on the
current day. Next, the log file is filled, as youd expect, from top to bottom, so newer events are
at the end, not the beginning, of the file.
The figure shows some useful information. First, you see that GPO processing starts at
23:03:19:260. At 23:03:19:280, you see an operation called PingComputer. This is where the
workstation processing the GPO tests its network connection to the domain controller that is
providing that GPO. If the workstation detects a fast link, as is shown here, normal policy
processing occurs. If it detects a slow link, this is where you can discover it, and then see which
CSEs are being skipped as a result.
168
Chapter 6
Figure 6.14 shows the output a little further on in this log. It shows how each GPO is evaluated
to determine whether anything has changed since the last processing and, if something has
changed, which CSE has to process which GPO.
Figure 6.14: The userenv.log file also shows how GPOs are processed.
At the top of the figure, you see that a GPO has been found, that the computer processing it has
access to it, and that its friendly name (display name) is Default Domain Controllers Policy.
After all GPOs are found that are applicable to this computer and user, each CSE then figures out
which GPOs it needs to process and does so in turn. You see this towards the bottom of the
figure, where the following are processed sequentially: the registry extension (that is,
Administrative Templates), Folder Redirection, disk quota, then scripts.
Other Log Files
You can enable other logs in the usermode folder to provide additional troubleshooting. These
additional logs, and the registry values required to enable them, are shown in Table 6.5 below.
Log Function
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPEditDebugLevel = REG_DWORD
0x10002
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPTextDebugLevel =
REG_DWORD 0x10002
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Diagnostics\FdeployDebugLevel=
REG_DWORD 0x0f
HKLM\Software\Microsoft\Windows
169
Chapter 6
Installation processingproduces
appmgmt.log
NT\CurrentVersion\Diagnostics\AppmgmtDebugLevel=
REG_DWORD 0x9b
Figure 6.15: Enabling verbose Software Installation logging using Administrative Template policy.
Depending on how much verbosity you need, you can choose a number of different levels of
logging. After enabling logging on a Win2K system, application-installation logs are stored in
one of two places:
170
Chapter 6
In Software Installation Diagnostics (addiag.exe) earlier in this chapter, I mentioned that you
can also enable Software Installation logging using addiag.exe. It does the same thing as
Administrative Template policy, shown in Figure 6.15. However, addiag.exe doesnt give you a
choice of the logging level; it enables all logging. Each application installation generates its own
unique log file, which has a name using the form msi*.log, where * is some unique set of
hexadecimal characters.
As Figure 6.16 shows, the contents of a Software Installation log file are fairly esoteric. Unless
you have some in-depth knowledge of how the Windows Installer technology works, your best
bet is to log only errors. That will give you a better chance of discovering problems without
having to wade through a lot of unrelated messages.
Managing GPOs
Now that Ive discussed all the ways that you can instrument your GPO infrastructure to
discover and troubleshoot problems, lets look at some of the more day-to-day management
challenges that youre likely to face and ways to handle them.
Managing your GPO infrastructure involves a number of key tasks, which fall outside the scope
of basic troubleshooting, including:
Planning for new GPOs and seeing their potential effect on users and computers in a
forest
171
Chapter 6
Some of these capabilities are available out-of-the-box, but most of them either dont exist yet or
are available with third-party tools. In this section, Ill talk about each of these capabilities and
how you can achieve them using available techniques and tools.
RSoP
Ive referred to the idea of RSoP several times in this book. RSoP is the ability to view and plan
for the effects of GPOs on a particular user-and-computer combination. You need to perform
real-time analysis of the effects of multiple GPOs on a given user or computer in a given OU or
domain. You also need to be able to perform what-if scenarios before you move a user or
computer to a new OU or change its group membership. Its these two requirements that really
encompass RSoP.
In Group Policy Result Tool (gpresult.exe) earlier in this chapter, I described how the
gpresult.exe utility, to a small degree, lets you view the current effective policy on a given user
and computer. However, you cant run this tool against remote computers easily, and it cant
help you if you want to perform what-if scenarios on future changes.
This is where RSoP tools like FAZAM 2000 come in. FAZAM 2000 has a planning and analysis
module that lets you create what-if scenarios and experiment with the effects of moving a user or
computer into new OUs or new groups (or removing them from groups). Figure 6.17 shows an
example of the kinds of scenarios you can create with FAZAM.
Figure 6.17: Creating a scenario using the what-if planning feature in FAZAM 2000.
In this figure, Im asking the tool to tell me what my effective policy will be if the user account
for user Darren Mar-Elia, logged on to the computer called Yquem, is added to the HQ Users
group. Im also telling the tool to include in the calculation site-based policy for the San
172
Chapter 6
Francisco site and the local GPO. Once I complete the scenario, FAZAM calculates my new
effective policy settings and reports three things.
User hierarchyWhich GPOs apply to the chosen user from which containers
Computer hierarchyWhich GPOs apply to the chosen computer from which containers
Resultant policyWhat the effective policy settings are at the computer and for the user.
As you can see in this figure, Darren Mar-Elia at Yquem is the scenario I established, and the
resulting user and computer policy hierarchies are shown in the scope pane on the left. The
results pane on the right shows a portion of the individual policy settings that the user and
computer in my scenario will receive. From this information, I can determine what effect adding
my user account to the HQ Users group will have.
You can see that if you have a large GPO infrastructure and are making frequent changes to both
GPOs and users or computers, this kind of functionality can be very useful. Microsoft has plans
to provide some RSoP tools in the next version of Win2K, but for now, youll need to rely on
tools like FAZAM 2000 to provide this valuable capability.
Backing Up and Restoring GPOs
Another function missing from the Win2K product line is the ability to easily back up and restore
individual GPOs. You can, of course, use backup utilities to back up the System State on a given
173
Chapter 6
domain controller, including AD and SYSVOL. Unfortunately, the restore process isnt granular
and doesnt allow you to restore selective parts of these elements.
Remember that a GPO consists of two partsthe GPC and the GPT. This means that a backup
utility needs to back up both AD and SYSVOL components for a particular GPO, then restore
them, while maintaining any unique elements of that GPO. In addition, because container objects
like sites, domains, and OUs link to a GPO by its GUID, you need to ensure that when the
backup utility restores a GPO, it re-creates its original GUID in AD. Otherwise, you have to relink container objects to the new GPO.
Fortunately, FAZAM 2000 (and the reduced functionality version, called FAZAM 2000 RFV,
that comes in the Win2K resource kit) provides a backup and restore capability that lets you back
up individual GPOs to a file system, then restore them to the original domain or, what is more
interesting, to other domains and even other forests. Figure 6.19 shows FAZAM 2000s backup
capability.
174
Chapter 6
doesnt support a few of the policy functions that are present in AD-based GPOsfor example,
Software Installation or Folder Redirection policy.
Despite these limitations, local GPOs do provide some interesting capabilities. First, if you dont
have an AD infrastructure supporting your Win2K devices, you can of course use local GPOs to
manage policy. The challenge here is to manually edit each local GPO on each workstation or
server in your enterprise to set local policy. Well, thats not exactly the case.
Because local GPOs are stored in the local Win2K file system, and not spread across AD and
SYSVOL, you can simply copy the contents of the %systemroot%\system32\GroupPolicy folder
from one computer to the next, and the policy settings that you set on the source are used by the
destination. This makes it easy to set local GPO policy the way you want on one computer, then
clone it to all of the other Win2K devices without using special tools.
Another neat thing about local GPOs is that you can use them to view the effective security
policy on a given computer. For whatever reason, Microsoft decided to provide this view of
effective policy in the Security Settings node in the Group Policy MMC snap-in but not in any
other nodes. The local GPO shows a view of the local security setting compared to the effective
settingsthose that are being enforced by AD-based GPOs. You can see this in Figure 6.20
below.
Figure 6.20: Viewing the effective security policy compared to local security policy in a local GPO.
In this figure, the Local Setting column shows what audit policy has been set in the local GPO
in this case, none. However, based on information received from AD-based GPOs that this
computer has processed, the Effective Setting column says what the current audit policy really is
for this computer. This can come in handy when youre trying to troubleshoot security-related
problems in your AD infrastructure. Unfortunately, however, there is no way to know which
175
Chapter 6
AD-based GPO delivered these auditing settings to the computer. This is where a more fullfeatured RSoP tool comes in handy.
Summary
In this chapter, I started by discussing some of the most common problems youre likely to
encounter in your GPO infrastructure. Then I moved on to describe useful tools for
troubleshooting GPOs. From there, I examined the multitudinous logging options available to
you to keep track of what your GPOs are really up to. Finally, I discussed some of the
management issues with AD and local GPOs and the tools that you can use to address them.
Id like to thank you all for reading and supporting this book, and I hope its been as useful for
you to read as it was fun for me to write!
176
Appendix A
Meaning
ACE
ACL
AD
Active Directory
API
CA
Certificate Authority
COM
CRL
CSE
client-side extension
CTL
Dfs
DHCP
DLL
dynamic-link library
DN
distinguished name
DNS
EFS
GPC
GPO
GPT
GUID
globally unique ID
ICS
IE
Internet Explorer
IEAK
IP
Internet Protocol
IPSec
IP Security
ISV
LDAP
LSDOU
MMC
NIC
NTFRS
NTFS
NT File System
OS
operating system
OU
organizational unit
PDC
PKI
RAS
177
Appendix A
RIS
RSoP
SAM
SCM
SDK
SMS
TCO
TCP
UI
user interface
UNC
WFP
Win2K
Windows 2000
WSH
WTS
178