
MCTS Guide to Configuring

Microsoft Windows Server 2008


Active Directory

Chapter 7: Configuring Group Policy


Objectives
Describe the architecture and processing of GPOs
Configure group policy settings
Work with security templates
Manage and monitor group policies
Configure group policy preferences

MCTS Windows Server 2008 Active Directory 2 2


Group Policy Architecture
Group policy architecture and function involve the
following components:
GPOs
Objects containing policy settings that shape the operating environment and security of users and computers. A GPO is either local (stored on one computer) or a domain GPO (an Active Directory object).
Replication
Ensures that all domain controllers have a current copy of each
GPO
Scope and inheritance
The scope of a group policy defines which users and computers
are affected by its settings
Creating and linking
GPOs are created in the Group Policy management console and
can be linked to one or more AD containers
Group Policy Objects (GPOs)
A GPO contains policy settings for managing many
features of domain controllers, member servers,
member computers, and users
Two main types of GPOs:
Local GPOs
Domain GPOs



Local GPOs
Local GPOs are stored on the local computer (under %SystemRoot%\System32\GroupPolicy) and are edited with the Group Policy Object Editor snap-in (gpedit.msc).
Local GPOs are processed before domain GPOs, so any setting that a domain GPO also configures is overridden by the domain value; changing it locally has no effect while the computer is a domain member.
Only settings that domain GPOs leave Not Configured take effect when they are set locally.



New Local GPOs in Windows Vista, Windows 7 and Server 2008
Multiple Local Group Policy objects allow different policies depending on who logs on to the computer:
Local Computer GPO (the original local GPO; computer settings plus user settings for everyone)
Local Administrators GPO (user settings for members of the local Administrators group)
Local Non-Administrators GPO (user settings for everyone else; a user gets either this or the Administrators GPO, never both)
User-specific GPO (user settings for one local user account)
They are processed in that order, and when two of them conflict the setting processed last takes precedence: a user-specific setting overrides the Administrators or Non-Administrators setting, which overrides the Local Computer setting. Domain GPOs are processed after all local GPOs and override all of them.

Activity 7-1: Working with Vista Local GPOs, Pg. 256-257 (in step 16, advuser1 is to be changed).
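The layered local GPOs above are stored as separate folders, and the processing order is easiest to see by listing them. The script below is an added example, not from the textbook; it lists the local GPO layers present on the computer it runs on, in processing order, and resolves the well-known SIDs that name the Administrators and Non-Administrators layers. The folder locations and the S-1-5-32-544 / S-1-5-32-545 mapping are the ones Windows uses; run it in an elevated PowerShell session on Vista, Windows 7, Server 2008 or later.

```powershell
# Added example; not from the textbook. Lists the local GPO layers present on this
# computer in the order they are processed (a later layer wins a conflict), resolving
# the well-known SIDs that name the Administrators and Non-Administrators layers.

function Get-LocalGpoLayers {
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $layers = @()

    # Layer 1: the classic Local Computer GPO (Machine\ and User\ under GroupPolicy)
    $computerGpo = Join-Path $sys32 'GroupPolicy'
    $layers += [pscustomobject]@{
        Order = 1; Layer = 'Local Computer'; Path = $computerGpo
        HasSettings = (Test-Path (Join-Path $computerGpo 'Machine\registry.pol')) -or
                      (Test-Path (Join-Path $computerGpo 'User\registry.pol'))
    }

    # Layers 2 and 3 live under GroupPolicyUsers\<SID>. The two well-known group SIDs are
    # Administrators (S-1-5-32-544) and Users (S-1-5-32-545, the "Non-Administrators" GPO);
    # any other SID folder is a user-specific GPO.
    $usersRoot = Join-Path $sys32 'GroupPolicyUsers'
    if (Test-Path $usersRoot) {
        foreach ($dir in (Get-ChildItem $usersRoot | Where-Object { $_.PSIsContainer })) {
            switch ($dir.Name) {
                'S-1-5-32-544' { $order = 2; $name = 'Administrators' }
                'S-1-5-32-545' { $order = 2; $name = 'Non-Administrators' }
                default {
                    $order = 3
                    try {
                        $acct = (New-Object System.Security.Principal.SecurityIdentifier $dir.Name).Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    } catch { $acct = $dir.Name }          # deleted account: the SID no longer resolves
                    $name = "User-specific ($acct)"
                }
            }
            $layers += [pscustomobject]@{
                Order = $order; Layer = $name; Path = $dir.FullName
                HasSettings = Test-Path (Join-Path $dir.FullName 'User\registry.pol')
            }
        }
    }
    $layers | Sort-Object Order, Layer
}

Get-LocalGpoLayers | Format-Table -AutoSize
```

Because a local layer only loses to domain GPOs for the settings the domain actually configures, a Non-Administrators or user-specific layer that nobody remembers creating is worth inspecting: its registry.pol is still applied to the accounts it names on a domain-joined machine.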

Domain GPOs
Domain GPOs are stored in Active Directory on domain controllers and consist of two separate parts: a group policy template (GPT) in the SYSVOL share and a group policy container (GPC) in the directory.
The GPT folder and the GPC object share the same name, the GPO's GUID written as 32 hexadecimal digits in braces, which is how the two halves are matched; the GPT folder holds two subfolders, Machine and User.
Knowing this structure is important for resolving issues, for example a GPO that edits cleanly in the console but never reaches clients because one half has not replicated.



Group Policy Templates
A Group Policy Template contains all the policy settings that make up a GPO as well as related files, such as scripts, and is saved on each domain controller in the SYSVOL share under \\<domain>\SYSVOL\<domain>\Policies\{GUID}.
Upon creation of a GPO, several files and
subfolders are created (exact number may vary)
but each GPT folder will contain at least three
items:
GPT.ini
Machine
User

Activity 7-2: Browsing GPTs, Pg. 259


Group Policy Containers
Is an AD object (class groupPolicyContainer) stored in the CN=Policies,CN=System container of the domain partition.
Contains GPO properties and status information but no actual policy settings.
Information contained in a GPC:
Name of the GPO (displayName)
File path to the GPT folder (gPCFileSysPath)
Version number (versionNumber, which packs the computer and user versions into one 32-bit value)
Status (flags: enabled, or user or computer settings disabled)

Activity 7-3: Viewing the Properties of a GPC, Pg. 260-261, Steps 1-7 only

Group Policy Replication
GPCs are AD objects, so they are replicated with normal Active Directory replication.
GPTs live in SYSVOL, which is replicated by one of two services:
File Replication Service (FRS):
Used when the domain still contains Windows 2000 or Windows Server 2003 domain controllers, and also in a pure Windows Server 2008 domain until SYSVOL replication has been migrated.
Distributed File System Replication (DFSR), which is more reliable and efficient than FRS:
Used when the domain functional level is Windows Server 2008 and SYSVOL replication has been migrated from FRS with the Dfsrmig.exe tool.
Because the two halves of a GPO travel by different mechanisms, a domain controller can temporarily hold a GPC that is newer than its GPT, or the reverse. Gpotool.exe, which can be downloaded from the Microsoft Download Center Web site, compares GPC and GPT versions across domain controllers to diagnose such replication problems.
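The GPC/GPT split and the two replication paths above are what the version check in Gpotool relies on. The script below is an added example, not from the textbook and not Gpotool itself; it reads every GPC in CN=Policies,CN=System, reads the matching GPT.ini from SYSVOL, and reports GPOs whose two halves disagree. It assumes a domain-joined host with read access to the directory and to SYSVOL and needs no GroupPolicy PowerShell module (which only shipped with Server 2008 R2); the optional -Server parameter is this script's own, used to point both lookups at one domain controller.

```powershell
# Added example; not from the textbook. Lists every domain GPO and compares the
# version stored in its GPC (Active Directory) with the version in its GPT.ini
# (SYSVOL). The two halves replicate by different mechanisms, so a mismatch means
# one has arrived on the queried DC and the other has not.

function Split-GpoVersion {
    param([uint32]$Version)
    # versionNumber (GPC) and Version= (GPT.ini) pack two 16-bit counters:
    # low word = Computer settings version, high word = User settings version.
    [pscustomobject]@{
        Computer = [int]($Version -band 0xFFFF)
        User     = [int](($Version -shr 16) -band 0xFFFF)
    }
}

function Get-GptIniVersion {
    param([string]$GptFolder)
    $ini = Join-Path $GptFolder 'GPT.ini'
    if (-not (Test-Path $ini)) { return $null }        # GPT folder absent on this DC
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [uint32]$Matches[1] }
    }
    return $null
}

function Get-GpoVersionStatus {
    param([string]$Server = '')   # optional DC to query; default = the DC this host is using
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse  = [ADSI]"${prefix}RootDSE"
    $policies = "CN=Policies,CN=System,$($rootDse.defaultNamingContext)"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"$prefix$policies"
    $searcher.Filter     = '(objectClass=groupPolicyContainer)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('displayName', 'cn', 'gPCFileSysPath', 'versionNumber', 'flags'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                               # keys come back lower-cased
        # cast through int64 so a versionNumber with the high bit set does not throw
        $adRaw = [uint32]([int64]$p['versionnumber'][0] -band 0xFFFFFFFF)
        $adVer = Split-GpoVersion $adRaw

        $gptPath = [string]$p['gpcfilesyspath'][0]       # \\domain\sysvol\domain\Policies\{GUID}
        if ($Server) { $gptPath = $gptPath -replace '^\\\\[^\\]+', "\\$Server" }  # read that DC's own SYSVOL
        $gptRaw = Get-GptIniVersion $gptPath
        $svComputer = 'missing'; $svUser = 'missing'
        if ($null -ne $gptRaw) {
            $gptVer = Split-GpoVersion $gptRaw
            $svComputer = $gptVer.Computer; $svUser = $gptVer.User
        }

        # flags: 0 = enabled, 1 = user settings disabled, 2 = computer settings disabled, 3 = all disabled
        $flags = 0
        if ($p['flags'].Count -gt 0) { $flags = [int]$p['flags'][0] }

        [pscustomobject]@{
            Name            = [string]$p['displayname'][0]
            Guid            = [string]$p['cn'][0]
            AD_Computer     = $adVer.Computer
            AD_User         = $adVer.User
            Sysvol_Computer = $svComputer
            Sysvol_User     = $svUser
            InSync          = ($null -ne $gptRaw) -and ($gptRaw -eq $adRaw)
            Status          = @('Enabled', 'UserDisabled', 'ComputerDisabled', 'AllDisabled')[$flags]
        }
    }
}

# Show only the GPOs whose two halves disagree on the DC being queried.
Get-GpoVersionStatus | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

Run it once per domain controller (Get-GpoVersionStatus -Server dc1, -Server dc2, and so on); a GPO that is in sync on the DC where it was edited but out of sync elsewhere points at FRS or DFSR, while one that is out of sync everywhere points at a GPT that was edited or restored outside the console.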



Creating and Linking GPOs
Primary tools for managing, creating, and editing GPOs are the Group Policy Management Console (GPMC) and the Group Policy Management Editor (GPME).
If you edit a GPO that is already linked to a container, the changed settings take effect as soon as clients retrieve them; there is no separate publish step.
Computer settings are retrieved at startup and user settings at the next logon; both are also refreshed in the background at regular intervals, so a change reaches running systems without a restart (gpupdate forces an immediate refresh).
When you are changing several policy settings at once, test them individually so that an unexpected result can be traced to one setting.
Editing an Existing GPO
To edit, right-click the GPO in GPMC and click Edit, which opens the GPO in GPME.
It is possible to make changes to the Default Domain Policy, but it is not advisable.
The recommended method for making changes to domain policies is to create a new GPO, put the changes in it, and link it to the domain; the Default Domain Policy then remains a known baseline that can be restored with Dcgpofix.exe if it is ever damaged.



Creating a New GPO
Two ways to create a new GPO with the GPMC:
Right click the container youre linking the GPO to and select
Create a GPO in this domain, and Link it here
Right click the Group Policy Objects folder and click New
Best practice is to create GPOs that focus on a
category of settings, then name the GPO
accordingly.
For example if you need to configure policy settings
related to Network node under Computer
Configuration, create a GPO named
CompNetwork.

Activity 7-4: Creating, Linking, and Unlinking GPOs, Pg. 265-266.
Using Starter GPOs
A Starter GPO is a template for creating GPOs
(Not a GPT)
New GPO wizard includes option to use a Starter
GPO
Stored in the Starter GPOs folder in GPMC
To use a Starter GPO, select one in the Source
Starter GPO list box in the New GPO Wizard, or
right click a starter GPO in the starter GPOs folder
and click New GPO from Starter GPO
To create a Starter GPO, right click the Starter
GPOs folder and click New.

Activity 7-6: Creating and Using Starter GPOs, Pg. 268-269

Group Policy Scope and Inheritance
The scope of a group policy defines which objects (users or computers) in AD are affected by the settings configured in the policy.
If two GPOs apply to an object and a setting is configured in one GPO but not the other, the configured setting is applied.
If both configure the same setting, the GPO processed last wins. Policies are applied in this order (often abbreviated LSDOU):
Local policies
Site-linked GPOs
Domain-linked GPOs
OU-linked GPOs (parent OU first, then each child OU)
Two controls alter this: Block Inheritance on a domain or OU discards GPOs linked above it, and Enforced on a link makes that GPO win over lower links and pass through blocked inheritance.



Understanding Site-Linked GPOs
GPOs linked to a site object affect every computer whose IP address falls in a subnet associated with that site, and the users who log on to those computers; site membership is decided by address, not by physical location.
In a single-site, single-domain environment it is better to use domain GPOs.
Site GPOs can be confusing for mobile users, who receive different policies as they move between offices, so use them with caution and only when there is a valid reason for different sites to have different policies.



Understanding Domain-Linked GPOs
GPOs at the domain level should contain settings that apply to all objects in the domain.
Account policies for domain accounts are taken only from GPOs linked to the domain; the same settings in an OU-linked GPO affect only the local accounts on the computers in that OU. (Windows Server 2008 adds fine-grained password policies, Password Settings Objects, that can override the domain policy for specific users and groups.)
Best practice is to always set account policies and a few critical security policies at the domain level.



Understanding OU-Linked GPOs
Fine-tuning of group policies should be done at the OU level.
Users and computers with similar policy requirements should be placed in the same OU.
Because OUs can be nested, GPOs linked to a parent OU are inherited by its child OUs.
Because OU-linked policies are applied last, they take priority over site and domain policies.
GPOs linked to nested OUs should be used for exceptions to policies set at the higher-level OU. For example, all full-time employees in the Engineering Department need complete access to Control Panel, but part-time employees should be restricted from using it. Configure a policy allowing Control Panel access in a GPO linked to the Engineering OU, then create an OU under the Engineering OU that contains the part-time employee accounts and link a GPO to it that restricts use of Control Panel; the child OU's GPO is processed last and wins.
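The processing order that makes the part-time OU's GPO win is recorded in two attributes on each container: gPLink (the linked GPOs, their link order, and the disabled/enforced bits) and gPOptions (Block Inheritance). The script below is an added example, not from the textbook; it walks from an OU up to the domain head and returns the linked GPOs in the order a client processes them, honouring link order, Enforced and Block Inheritance, so the last row wins a conflict. Site-linked GPOs are left out because they depend on the computer's IP subnet rather than its OU. It assumes a domain-joined host with read access to AD; the OU path in the usage line is hypothetical and mirrors the Engineering / part-time scenario above.

```powershell
# Added example; not from the textbook. Computes the domain and OU portion of the
# LSDOU processing order for one OU from gPLink / gPOptions.

function Get-GpLinks {
    param([string]$ContainerDn)
    $obj = [ADSI]"LDAP://$ContainerDn"
    # gPLink looks like [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][...;2]
    $gpLink = [string]$obj.gPLink
    $gpOptions = 0
    if ("$($obj.gPOptions)" -ne '') { $gpOptions = [int]"$($obj.gPOptions)" }

    $links = @()
    foreach ($m in [regex]::Matches($gpLink, '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')) {
        $opt = [int]$m.Groups['opt'].Value
        $links += [pscustomobject]@{
            GpoDn    = $m.Groups['dn'].Value
            Disabled = ($opt -band 1) -eq 1     # link disabled
            Enforced = ($opt -band 2) -eq 2     # link enforced
        }
    }
    # Link order 1 is listed first and has the highest precedence, so the client
    # applies a container's links in reverse of the listed order.
    [array]::Reverse($links)
    [pscustomobject]@{
        Dn               = $ContainerDn
        BlockInheritance = ($gpOptions -band 1) -eq 1   # gPOptions bit 0
        Links            = $links
    }
}

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory = $true)][string]$OuDn)

    # Collect the chain OU -> parent OU -> ... -> domain, then flip it to top-down.
    # (RDNs containing escaped commas are not handled by this simple split.)
    $chain = @()
    $dn = $OuDn
    while ($true) {
        $chain += Get-GpLinks $dn
        if ($dn -match '^DC=') { break }          # domain head reached
        $dn = $dn -replace '^[^,]+,', ''          # drop the leftmost RDN
    }
    [array]::Reverse($chain)

    $normal = @()
    $enforcedByLevel = @()
    for ($i = 0; $i -lt $chain.Count; $i++) {
        $level = $chain[$i]
        # Block Inheritance on any container below this one discards its non-enforced links.
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $chain.Count; $j++) {
            if ($chain[$j].BlockInheritance) { $blockedBelow = $true }
        }
        $levelEnforced = @()
        foreach ($l in $level.Links) {
            if ($l.Disabled) { continue }
            $entry = [pscustomobject]@{ Container = $level.Dn; GpoDn = $l.GpoDn; Enforced = $l.Enforced }
            if ($l.Enforced) { $levelEnforced += $entry }
            elseif (-not $blockedBelow) { $normal += $entry }
        }
        $enforcedByLevel += , $levelEnforced
    }
    # Enforced links are processed after all others, and an enforced link higher in the
    # tree beats one lower down, so add them bottom-up (OU first, domain last).
    $enforced = @()
    for ($i = $chain.Count - 1; $i -ge 0; $i--) { $enforced += $enforcedByLevel[$i] }

    $order = 0
    foreach ($e in @($normal + $enforced)) {
        $order++
        $gpo = [ADSI]"LDAP://$($e.GpoDn)"
        [pscustomobject]@{
            Order    = $order
            GPO      = [string]$gpo.displayName
            LinkedAt = $e.Container
            Enforced = $e.Enforced
        }
    }
}

# Hypothetical OU path from the slide's scenario: the part-time OU's own GPO comes last.
Get-GpoProcessingOrder -OuDn 'OU=Part-Time,OU=Engineering,DC=contoso,DC=com' | Format-Table -AutoSize
```

For the slide's scenario the output ends with the Engineering GPO followed by the part-time OU's GPO, which is why the restriction wins; if someone later sets the Engineering link to Enforced, the order flips and the part-time restriction silently stops applying, which is the kind of change this walk makes visible before users notice.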
Group Policy Settings
Settings in Computer configuration take priority
over settings in User Configuration, should there be
a conflict.
Three folders under the Policies folder:
Software Settings
Windows Settings
Administrative Templates



Policies in the Computer Configuration Node
Applies to computers regardless of who logs on to the computer.
Contains most of the security-related settings, including Account Policies and User Rights Assignment.
Computer Configuration policies are applied when the OS starts and refreshed in the background every 90 minutes thereafter, with a random offset of up to 30 minutes so that clients do not all contact the domain controllers at once (domain controllers refresh every 5 minutes).
Some policy changes, such as software installation, take effect only after a restart.



Computer Configuration: Software Settings
Contains the Software Installation extension, which can be configured to install software packages remotely.
Applications are deployed with the Windows Installer service, which uses MSI files.
Software packages are assigned to target computers, making installation mandatory the next time the computer starts.



Computer Configuration: Windows Settings
The Windows Settings folder contains four subnodes:
Scripts (Startup/Shutdown)
Allows the creation of scripts to be run during startup or shutdown
Deployed Printers
Can deploy printers to computer by specifying the UNC path to a
shared printer
Security Settings
Contains nodes for setting security policies, such as those related
to accounts
Policy-based QoS
Enables administrators to manage the use of network bandwidth



Security Settings Subnode: Account Policies
Account policies affect domain accounts only when the GPO is linked to the domain.
Account Policies contains three subnodes: Password Policy, Account Lockout Policy, and Kerberos Policy.
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Account Lockout Policy
Account lockout duration: 0 to 99,999 minutes, after which a locked account is unlocked automatically; 0 means the account stays locked until an administrator unlocks it.
Account lockout threshold: 0 to 999 failed logon attempts before the account is locked; 0 (the default) means accounts are never locked out.
Reset account lockout counter after: 1 to 99,999 minutes that must pass after a failed logon attempt before the failed-attempt counter is reset to 0; it must be less than or equal to the lockout duration.
A lockout threshold slows online password guessing, but it also lets anyone who knows account names lock those users out on purpose, so pair a modest threshold with a short automatic unlock rather than a permanent lock.
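The settings in this slide end up as attributes on the domain object itself (minPwdLength, pwdHistoryLength, maxPwdAge, lockoutThreshold, lockoutDuration, lockOutObservationWindow, pwdProperties), which is why they only take effect from a domain-linked GPO. The script below is an added example, not from the textbook; it reads the effective domain account policy straight from those attributes and checks it against a baseline. It assumes a domain-joined host; the thresholds in Test-DomainAccountPolicy are illustrative values chosen for this example, not a Microsoft recommendation.

```powershell
# Added example; not from the textbook. Reads the effective domain account policy
# from the domain head object and flags settings that fall below a sample baseline.

function ConvertFrom-AdDuration {
    param([long]$Value)
    # AD stores durations as negative 100-nanosecond intervals. Int64.MinValue means
    # "never" (maxPwdAge) or "until an administrator unlocks" (lockoutDuration).
    if ($Value -eq [long]::MinValue) { return $null }
    return [TimeSpan]::FromTicks(-$Value)
}

function Get-DomainAccountPolicy {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    $p = $searcher.FindOne().Properties   # LargeInteger attributes arrive as Int64; keys are lower-cased

    $maxAge  = ConvertFrom-AdDuration ([long]$p['maxpwdage'][0])
    $minAge  = ConvertFrom-AdDuration ([long]$p['minpwdage'][0])
    $lockDur = ConvertFrom-AdDuration ([long]$p['lockoutduration'][0])
    $window  = ConvertFrom-AdDuration ([long]$p['lockoutobservationwindow'][0])

    $maxAgeDays = 'never';              if ($null -ne $maxAge)  { $maxAgeDays = $maxAge.TotalDays }
    $lockMin    = 'until admin unlocks'; if ($null -ne $lockDur) { $lockMin = $lockDur.TotalMinutes }

    [pscustomobject]@{
        MinPasswordLength    = [int]$p['minpwdlength'][0]
        PasswordHistory      = [int]$p['pwdhistorylength'][0]
        MinPasswordAgeDays   = $minAge.TotalDays
        MaxPasswordAgeDays   = $maxAgeDays
        ComplexityRequired   = ([int]$p['pwdproperties'][0] -band 1) -eq 1   # DOMAIN_PASSWORD_COMPLEX
        LockoutThreshold     = [int]$p['lockoutthreshold'][0]                 # 0 = never lock out
        LockoutDurationMin   = $lockMin
        ObservationWindowMin = $window.TotalMinutes
    }
}

function Test-DomainAccountPolicy {
    param($Policy = (Get-DomainAccountPolicy))
    # Sample baseline for this example; tune the numbers to your own standard.
    $findings = @()
    if ($Policy.MinPasswordLength -lt 12) { $findings += "Minimum password length is $($Policy.MinPasswordLength); baseline expects 12 or more" }
    if (-not $Policy.ComplexityRequired)  { $findings += 'Password complexity is not required' }
    if ($Policy.PasswordHistory -lt 24)   { $findings += "Password history is $($Policy.PasswordHistory); baseline expects 24" }
    if ($Policy.LockoutThreshold -eq 0)   { $findings += 'Lockout threshold is 0: online password guessing is never throttled' }
    elseif ($Policy.LockoutThreshold -lt 5) { $findings += "Lockout threshold $($Policy.LockoutThreshold) is low enough for a mistyped password to lock users out" }
    if ($Policy.LockoutDurationMin -eq 'until admin unlocks') { $findings += 'Lockout duration is 0: anyone who knows account names can lock users out until an administrator intervenes' }
    return $findings    # an empty array means the policy meets the baseline
}

$policy = Get-DomainAccountPolicy
$policy
Test-DomainAccountPolicy $policy
```

The built-in net accounts /domain command shows the same values in a less structured form and is a quick way to confirm the output. Note that on Windows Server 2008 a user or group covered by a Password Settings Object (fine-grained password policy) gets the PSO's values instead of these domain-wide ones, so a clean result here does not prove every account is covered.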
Security Settings Subnode: Local Policies
Applies to what users can and cannot do on the local computer they log on to.
Usually defined in GPOs linked to OUs containing computer accounts.
Three subnodes of Local Policies:
Audit Policy: audits events occurring on a computer, including logon and logoff and file and folder access.
User Rights Assignment: defines the actions a user can take on a computer, such as shutting down the system, logging on locally, and changing the system time.
Security Options: almost 80 settings, such as those for Network Access and User Account Control.
Auditing Object Access
Auditing involves considerable overhead. A single object access, such as opening a file, can create several log entries.
Windows Server 2008 logs successful logon events and certain other events by default, because the default audit policy enables success auditing for a few categories even though object access auditing is not enabled. Auditing file or folder access requires both the Audit object access policy and a system access control list (SACL) on the object; without the SACL, nothing is logged.

Activity 7-12: Working with Password Policies, Pg. 285-286
Activity 7-13: Working with Account Lockout Policy, Pg. 286-287

Additional Security Settings Subnodes
13 more subnodes under Security Settings:
Event Log
Restricted Groups
System Services
Registry
File System
Wired Network (IEEE 802.3) Policies
Windows Firewall with Advanced Security
Network List Manager Policies
Wireless Network (IEEE 802.11) Policies
Public Key Policies
Software Restriction Policies
Network Access Protection
IP Security Policies on Active Directory



Computer Configuration: Administrative Templates
Administrative Templates folder has the following subnodes:
Control Panel
Network
Printers
System
Windows Components



Policies in the User Configuration Node
Policies set under the User Configuration node follow a user wherever he or she logs on.
Policies under the User Configuration node are more focused on the user's environment, such as which Windows features can and cannot be accessed.



User Configuration: Software Settings
Performs the same function as in Computer Configuration, but with important differences in options and execution.
Under Computer Configuration a package can only be assigned; under User Configuration there are two options:
Published
Isn't installed automatically; the application appears as a link in Programs and Features (Add/Remove Programs) for the user to install on demand.
Assigned
The application is advertised as a link on the Start menu and installed the first time the user starts it.



User Configuration: Windows Settings
Windows Settings contains seven subnodes:
Remote Installation Services
Scripts (Logon/Logoff)
Security Settings
Folder Redirection
Policy-based QoS
Deployed Printers
Internet Explorer Maintenance



Chapter Summary
Group policy architecture and function involves these
components: GPOs, replication, scope and inheritance,
and creating and linking GPOs. Domain GPOs consist of a
GPT stored in the Sysvol share and a GPC stored in Active
Directory
You use the GPMC to create, link, and manage GPOs and
the GPME to edit GPOs.
Starter GPOs are like template files
GPOs can be linked to sites, domains, and OUs. Policies are applied in this order, and the last policy setting applied takes precedence when conflicts exist.
Computer Configuration and User Configuration nodes
contain three subnodes: Software Settings, Windows
Settings, and Administrative Templates

Chapter Summary (cont.)
The Security Settings node in Computer
Configuration contains the Account Policies sub-
node with settings that affect all domain users.
Administrative Templates can control hundreds
of settings on computers and for users.
Security templates are used to transfer security
settings easily from one GPO or computer to
another and can be used to analyze a
computers current settings against a security
database created from one or more security
templates.

