Improve and reimagine your organization's security stance, desktop standards, and server administration with centralized management via Group Policy.
This book begins with a discussion of the core material any administrator needs to know in order to start working with Group Policy. Moving on, we will also walk through the process of building a lab environment to start testing Group Policy today. Next, we will explore the Group Policy Management Console (GPMC) and start using the powerful features available to us within that interface. Once you are well versed in using GPMC, you will learn to perform and manage the traditional core tasks inside Group Policy. Included in the book are many examples and walk-throughs of the different filtering options available for the application of Group Policy settings, as this is the real power that Group Policy holds within your network. You will also learn how you can use Group Policy to secure your Active Directory environment, and understand how Group Policy preferences differ from policies, with the help of real-world examples. Finally, we will spend some time on maintenance and troubleshooting common Group Policy-related issues so that you, as a directory administrator, will understand the diagnosing process for policy settings.
By the end of the book, you will be able to jump right in and use Group Policy to its full potential.
If you are an IT professional who works with Windows Servers or are interested in an Active Directory environment, then this book is for you. General knowledge of Microsoft Windows, how Windows Server fits into an enterprise's infrastructure, and some existing knowledge of an Active Directory domain environment is expected.
Jordan Krause is a six-time Microsoft MVP, currently awarded in the Cloud and Datacenter Management category. He has the unique opportunity to work daily with Microsoft networking and remote access technologies as a senior engineer at IVO Networks. Jordan specializes in Microsoft DirectAccess and Always On VPN. Committed to continuous learning, Jordan holds Microsoft certifications as an MCP, MCTS, MCSA, and MCITP Enterprise Administrator, and regularly writes articles reflecting his experiences with these technologies. Jordan lives in beautiful west Michigan (USA), but works daily with companies around the world.
Page count: 446
Publication year: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Pavan Ramchandani
Acquisition Editor: Meeta Rajani
Content Development Editor: Arjun Joshi
Technical Editor: Sayali Thanekar
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Mariammal Chettiyar
Graphics: Jisha Chirayil
Production Coordinator: Arvindkumar Gupta
First published: November 2018
Production reference: 1291118
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78934-739-5
www.packtpub.com
Neville Sanford is a Sr System Administrator for a national construction law firm. He has over 20 years' experience of working with Microsoft products. From NT 4 to the latest tech, he has worked on many projects over the years. Neville has worked with Microsoft Group Policy for many years, first implementing it in 2005. Neville is married and has 2 children. In his spare time he and his family run a mobile laser tag company.
Anderson Patricio is a Canadian Microsoft MVP and an IT consultant based in Toronto. His areas of expertise are Microsoft Exchange, Skype for Business, Azure, System Center, and Active Directory. Anderson is an active member of the Exchange community and contributes in forums, blogs, articles, and videos. His Portuguese-language website contains thousands of Microsoft tutorials to help the local community, in addition to his speaking engagements at TechED in South America and MVA Academy training courses.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Title Page
Copyright and Credits
Mastering Windows Group Policy
Contributors
About the author
About the reviewers
Packt is searching for authors like you
About Packt
Why subscribe?
Packt.com
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Group Policy - The Basics
Terminology
What is Group Policy?
Active Directory Group Policy versus Local Group Policy
Local Group Policy
Active Directory Group Policy
What does Group Policy look like?
Requirements for Group Policy
Who can use Group Policy?
Hierarchy of Group Policy processing
Levels of GPO processing
Local Policy
Site-level policies
Domain-level policies
OU-level policies
GPO workflow
Building a lab to test Group Policy today
Domain Controller
Windows 10 Client
Configuring the Windows Server 2016 Domain Controller
Configuring the Windows 10 client
Summary
Group Policy Management Console (GPMC)
Technical requirements
Launching the console locally
Server Manager – the most common way
Microsoft Management Console (MMC) snap-in
Start menu
GPMC.MSC
Accessing Group Policy remotely
Installing the GPMC on another server
RSAT on Windows 10
Exploring the GPMC
Summary
Daily Tasks in Group Policy
Default policies and permissions
Default Domain Policy
Authenticated users
Default Domain Controllers Policy
Permissions
Modifying an existing GPO
Using the newest GPMC
Editing settings inside a GPO
Quickly finding your settings
An annoying Internet Explorer popup
Updating the default password policy
Not configured versus enabled versus disabled
Example – configuring Teredo
Creating a new GPO
Naming your GPOs
Creating the GPO
Configuring the policy to apply a desktop wallpaper
More on GPO links
The difference between GPOs and GPO links
The GPO link warning message
Linking our new GPO
Creating and linking new GPOs at the same time
Linking at the site level
Deleting a GPO link versus deleting a GPO
Deleting a GPO link
Deleting a GPO
Disabling GPO links
Everyday command-line tools
GPUpdate
Background refresh
Foreground refresh
GPUpdate.exe switches
GPResult
Sending the output to a file
Checking GPResult data from a remote machine
Resultant Set of Policy
Summary
Advanced Filtering of Group Policy Objects
Link order precedence
OUs trump domains
Multiple GPOs linked at the same level
Changing the order of link precedence
Seeing the big picture
Blocking GPO inheritance
Enforcing GPOs
Will enforcing GPOs affect GPO precedence?
User settings versus computer settings
Disabling half of a GPO
Exercises with OUs and links
Creating or deleting OUs
OUs inside ADUC
OUs inside GPMC
Default containers that are not OUs
Moving machines from one OU to another
OUs protected from accidental deletion
A warning on cross-domain policy linking
Filtering GPOs with security filters
How to filter a GPO to a particular Active Directory group
Filtering to specific users or computers
Security filtering – permission changes
How to block a GPO from a particular Active Directory group
Filtering GPOs with WMI filters
WMI filters could cause a performance hit
Applying a WMI filter to our GPO
Summary
Deploying Policy Settings
Managed versus unmanaged policies
Administrative Templates
ADMX/ADML files
Self-regulating policies
Special registry keys
Sticky preferences
Unmanaged Policies versus Group Policy Preferences
Preferences can usually be overwritten by a user
Preferences stick around after the GPO is removed
Creating or importing new templates
How can you tell the difference?
Computer configuration policies
Idle-time lockout policy
What about Windows 7?
Launching an application upon login
Configuring certificate auto-enrollment
Startup and shutdown scripts – running scripts at the computer level
Disabling Local Group Policy processing
User configuration policies
Remove the shutdown button
Locking down display settings
Prohibiting access to the Control Panel and Settings
Logon and logoff scripts – running scripts at the user level
Group Policy loopback processing
What's really happening?
Merge mode
Replace mode
How to do it?
Summary
Group Policy Preferences
How is a preference different from a policy setting?
Create, Replace, Update, or Delete
Green and red marks
Green and red lines
How to change them
Green and red circles
Internet Explorer tabs
The Common tab
Stop processing items in this extension if an error occurs
Run in logged-on user's security context
Remove this item when it is no longer applied
Apply once and do not reapply
Item-level targeting
Implementing Preferences
Modifying the power options
Environment variables
Registry keys
Drive mappings
Creating a printer connection
Forcing an Internet Explorer proxy server
Summary
Group Policy as a Security Mechanism
Password rules and regulations
A plethora of security settings
Windows Firewall with Advanced Security
Location of WFAS policy settings
General settings
Inbound Rules
Outbound Rules
Connection Security Rules
Forcing Windows Firewall to always be enabled
An aside about WFAS Profiles
Disabling Windows Firewall by policy
Creating a rule to allow inbound traffic
Creating a rule to block outbound traffic
What about conflicting rules?
Configuring GPO to clear local WFAS rules
Manipulating Local Users and Groups
Denying access to Command Prompt
Prohibiting user software-installation
Disabling IPv6 via Group Policy
User Account Control
Configuring UAC via GPO
User Account Control – Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
User Account Control – Behavior of the Elevation Prompt for Standard Users
User Account Control – Detecting Application Installations and Prompting for Elevation
User Account Control – Running All Administrators in Admin Approval Mode
Blocking USB Drives
Summary
Group Policy Maintenance
Documenting Group Policy
Commenting inside GPOs
Generating a GPO report
Searching Group Policy
Searching for GPOs
Filtering settings
Filtering by keywords
Filtering by your own comments
Filtering by settings that have been modified
Clearing the filter
Starter GPOs
Creating a Starter GPO
Editing a Starter GPO
Using a Starter GPO to build finalized GPOs
Backing up and restoring GPOs
Backing up GPOs
Permissions needed to back up a GPO
Backing up a single GPO
Backing up all GPOs at once
Restoring GPOs
Permissions needed to restore an existing GPO
Permissions needed to restore a deleted GPO
Two ways to restore a GPO
Managing backups
Relinking restored GPOs
Exporting and Importing WMI Filters
Implementing ADMX/ADML files
Importing a new ADMX file
The location for placing ADMX files
The location for placing ADML files
The Central Store
Creating the Central Store
Verifying Central Store is working
Importing new ADMX/ADML files into the Central Store
Delegating permissions to manage Group Policy
Delegation to edit GPOs
Delegation to link GPOs
Delegation to create new GPOs
Additional delegation capabilities
Summary
Group Policy Troubleshooting
Troubleshooting tools and procedures
GPUpdate
GPResult and RSOP
RSOP
GPResult
User or computer results – not usually both
GPO permissions
Map out policy settings
Is the GPO disabled?
Watching for inheritance blocking
Looking out for Enforced GPOs
Conflicting settings
Is your operating system supported?
Windows Event Logs
GPO version numbers
Checking Domain Controller synchronization
Version numbers triggering the client
Checking the replication status via GPMC
Detecting slow links
Changing slow-link detection behavior
The trouble with FRS
What's wrong with FRS?
Which one am I running?
Group Policy results wizard
Running the report
Group Policy Modeling
Summary
PowerShell for Group Policy Administration
Importing PowerShell Group Policy modules
PowerShell for GPOs and Links
Creating new GPOs
Deleting GPOs
Linking a GPO
Disabling a GPO Link
Deleting a GPO Link
Creating a new Starter GPO
Enforcing a GPO
Disabling GPO enforcement
Setting inheritance blocking on an OU
Configuring security filtering on a GPO
GPO information and reporting
Viewing information about a GPO
GPO Reports
RSOP data via PowerShell
GPO permissions via PowerShell
Viewing current GPO permissions
Setting GPO permissions
Removing GPO permissions
Using PowerShell to back up and restore GPOs
Backing up a single GPO
Backing up all of the GPOs
Restoring a GPO
Remotely running GPUpdate
Using PowerShell Help
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Technology is ever-changing. New pieces of technology arrive on our doorsteps almost daily, often replacing old or outdated items. The race is always on for the fastest processors, the highest pixel counts, the safest cars, and smartphones with screens as big as my head. You get the idea. This is as true in the Microsoft-driven data center as it is in consumer electronics. With every new version of the Windows operating system, both client and server, we see parts and pieces come and go. Out with the old, in with the new, as they say. To give you some examples, it wasn't very many years ago that we were talking about things such as IPv6, Network Access Protection (NAP), and Windows Vista as the latest and greatest things since sliced bread. As technology progresses, so does our mentality about what is important. IPv6 is still a thing, obviously, but it's no longer the topic that everyone is telling doom and gloom stories about. Almost nobody uses it inside their networks, because it's simply not as critically important as everyone thought, and IPv4 networks are still working just fine (before you get huffy with me, remember that I said inside the network). NAP was a terrific idea, I still think so, but nobody took the time to learn and implement it, and so it is officially dead. And Windows Vista? I don't feel like I need to throw many words around here. Suffice to say that my Vista installer disk is safely tucked away, right next to my installation disc for Windows ME.
Turning things around, what are the topics we drool over today? It seems like marketing teams are still drawn to any and every way to use the word "cloud". In addition to that, we are starting to add some terminology such as software-defined networking and hyperconverged infrastructure. We don't even bother with giving new versions of Windows cool names anymore. Starting with Windows 7, operating system names got ultra boring. Now we're not even progressing beyond Windows 10, but just tagging numbers on the end, like 1709, 1803, and 1809.
Am I ever going to get round to actually making a point? It's possible. My entire thought process here is simply that Microsoft technologies come, and Microsoft technologies go. However, and this is a big however, there are some bits of the Windows Server operating system that have become so commonplace, so essential to the way that we do IT business, that when we think about them, we can't fathom that they would ever disappear or be replaced. These are often referred to as the "core infrastructure" pieces inside a Microsoft-driven data center. You can probably name these as well as I can, and maybe even add a few more. The things I'm talking about here are things like Active Directory Domain Services (ADDS), Domain Name System (DNS), and, you guessed it, Group Policy.
This book is all about Group Policy. This means that naturally, this book is also all about Active Directory and the core infrastructure services, because Group Policy is so ingrained in Active Directory that you cannot have one without the other. Group Policy is a management technology that has been around and built into our Windows Servers for a very, very long time. Being one of the core infrastructure technologies and so tightly integrated with AD, I expect that Group Policy is one of those few items in the Server operating system that will outlive our IT careers. I fully expect to see Group Policy continue to be utilized in Microsoft environments 10 or even 20 years down the road.
Group Policy is one of the most important and, at the same time, one of the most under-utilized pieces of Microsoft technology that has ever existed. Perhaps this is not the case for your company, but I have a fairly unique day job that allows me to interact with new IT departments on a daily basis, and I often get a glimpse into how much (or how little) said company is using Group Policy in order to manage their users and devices. The sad truth is that many are hardly scratching the surface of what this technology can do for them, and these folks spend unnecessary time, money, and effort trying to accomplish tasks in a less efficient manner.
If you are an IT professional working with Windows Servers in an Active Directory domain environment, then this book is for you. Desktop administrators will also benefit from a knowledge of Group Policy, allowing you to centrally manage every aspect of your organization's workstations. A basic knowledge of Microsoft Windows, how Windows Server fits into an enterprise's infrastructure, and some knowledge of an Active Directory domain environment, will aid you in understanding the concepts covered in the book.
Chapter 1, Group Policy - The Basics, gets us comfortable with the different types of Group Policy and creates an understanding as to how it works. We will also use this time to build a test lab that will be used throughout the book.
Chapter 2, Group Policy Management Console (GPMC), explores the primary interface for interacting with Group Policy and all of its associated settings.
Chapter 3, Daily Tasks in Group Policy, tackles many of the commonplace items that you, as a Group Policy administrator, would need to accomplish on a daily basis.
Chapter 4, Advanced Filtering of Group Policy Objects, dives deeper into GPMC to explain the different ways that Group Policy settings can be filtered so that they only apply to users, workstations, or servers of your choosing.
Chapter 5, Deploying Policy Settings, takes us into the Group Policy Editor, where we begin crafting GPOs into usable objects inside our domain. Here, we learn how to start making real changes to our workstations by deploying policy packages to them.
Chapter 6, Group Policy Preferences, showcases the differences between policies and preferences, and spends time working with the settings available on the preferences side of the house.
Chapter 7, Group Policy as a Security Mechanism, portrays numerous ways that Group Policy can be used to enhance your overall security strategy. Security is possibly the greatest benefit of all the services offered by Group Policy.
Chapter 8, Group Policy Maintenance, gets into the less exciting, but need-to-know tasks associated with maintaining your Group Policy environment and ensuring that it runs well for years to come.
Chapter 9, Group Policy Troubleshooting, helps guide the troubleshooting process whenever diagnosing an issue inside Group Policy. Most troubleshooting involves hunting down improper links or filters, but there is also potential for some under-the-hood issues.
Chapter 10, PowerShell for Group Policy Administration, takes what we know about Group Policy and shows us how to accomplish it via PowerShell. This helps to automate tasks, and allows interaction with Group Policy strictly from a command-line interface.
Being familiar with the Microsoft Windows operating systems will put you a step ahead when reading this book. We will be interacting with Windows Server 2016 and Windows 10, but Group Policy has been included with the Windows Server operating system for many years. You do not have to be running the latest and greatest operating systems in order to follow along with this book, though you will learn why it is always best to be using the newest versions of Windows when interacting with the Group Policy management tools.
If you have access to a Windows Server 2008 or newer system, you should be able to easily follow along with everything that we are doing in this book. If you've never seen Windows Server before, it is available as a trial download from Microsoft's website. You'll need a place to install this operating system though, which means you will need either a piece of hardware capable of running Windows Server, or access to a virtualized infrastructure, such as Hyper-V or VMware, in order to spin up a new virtual server.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781789347395_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Or you can also type MMC from a command prompt or PowerShell prompt and open it that way as well."
Any command-line input or output is written as follows:
Invoke-GPUpdate -Computer LAPTOP2
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Probably the easiest and quickest way to open a PowerShell window is to right-click on the Start button, which invokes the quick admin menu."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
I mentioned in the preface to this book that Group Policy is often underutilized in our corporate environments, and I genuinely believe that to be true. It's not a centralized management technology for our servers and workstations—no, it is the centralized management technology for our servers and workstations. Group Policy is built right in; there are no extra parts to install or configure, and there are no extra costs or add-ons that are required. When you build an Active Directory domain, you automatically build everything that is needed to start using Group Policy to push configuration and security settings to all of the users and devices attached to that domain.
If your day job requires you to touch Domain Controller servers, you should have a working knowledge of Group Policy to do your job well. Even if you work in IT desktop support and never interact with the Windows Server operating system, you can still help your company to build more manageable, more secure computers for your workforce by understanding what is possible with the Group Policy engine. Wouldn't it be great to be able to make intelligent suggestions to the Active Directory team about settings or policies that might be pushed out to those desktop computers that are under your jurisdiction?
Let's back the train up a little. Some of you know all of this, and may in fact know everything that we discuss in this first chapter. But some will not, and we need to cover our bases. We have already thrown around some terms that are uber important to know and understand as we progress, and there will be more, so let's take a minute to spell out some of the things we are going to be referencing throughout this book:
Active Directory Domain Services (ADDS): More commonly referred to as simply AD, this is a directory or a listing of all the users and computers that are part of your organization. It's sort of like a really important Rolodex.
Domain Controller (DC): A server that is running the ADDS role, and therefore stores the information about your organization's directory, is known as a Domain Controller. Most environments have multiple DCs, each of which stores a copy of the directory data, because this Active Directory data is so important that you definitely don't want to lose it!
Active Directory Users and Computers: One of the tools (probably the most common one) that is used to interact with the data that is stored inside AD. Active Directory Users and Computers is a great place to stop for information about, surprise surprise, any user or computer that is joined to your domain.
Active Directory Sites and Services: Businesses like to grow and make money, and often this means that a company will eventually span multiple geographic locations and network subnets. AD Sites and Services is a tool that helps to organize your physical sites as they pertain to the information stored inside Active Directory.
Group Policy: Gives centralized management capabilities of both user and computer settings for the machines and user accounts that are part of your Active Directory domain environment.
Group Policy Object (GPO): These are objects created and stored inside Active Directory that contain the settings that you are applying to users and computers.
Group Policy Management Console (GPMC): The primary interface that administrators use to interact with Group Policy settings.
Group Policy Management Editor (GPME): The interface opened when editing a Group Policy Object. GPME is what you use to place settings into GPOs.
Organizational Unit (OU): Inside Active Directory, you organize your domain hierarchy by placing device and user objects inside containers known as OUs. Each domain object can only be a member of one OU at any given time. This will be important to remember later.
Group Policy is a toolset inside the Microsoft Windows Server operating systems that enables IT administrators to centrally manage many aspects of both their domain user accounts, as well as domain-joined computer accounts. In fact, it can even be used without a domain in the mix, but we'll talk more about that in a few minutes.
Most of the time, Group Policy is used when you need to publish or issue settings to a wide (or narrow) base of users or client desktop computers within a corporate environment. Group Policy is incredibly useful for these kinds of tasks, and can save IT departments countless man-hours as opposed to putting these same settings into place on all of their computers in a manual fashion. While Group Policy provides desktop administrators with a ton of flexibility and extra free time, it can become even more powerful when you realize that computer accounts inside Active Directory include desktop/laptop computers as well as servers. Most companies have separated roles for Desktop Administrators and Server Administrators, but both can benefit greatly from the powers that are stored inside Group Policy. In today's information-security-focused mindset, where are we most often putting that focus? Certainly, we are somewhat putting that focus on the users and their devices, making sure that those computers aren't influenced in a negative way by outside forces, but I would say that the majority of our network-security provisioning is placed on the server infrastructure side. The servers in your network are the devices that are providing services and storing your data. Keeping that data safe is a big, big deal. Securing your servers is essential in today's world, and there are many ways that Group Policy can be used to enforce that security.
All of this sounds good on paper, but that doesn't mean anything unless you know how to set up, configure, and really use Group Policy. That is the entire purpose of this book. We will be hands-on, as much as possible, as we discuss Group Policy, its management consoles, and the ways that you can use it right now in your network. There will be many step-by-step examples of establishing and distributing common settings that companies are using to secure their environments. We will also cover examples of settings that are not so commonly used, but probably should be. There are many ways to spend money on third-party solutions to have management capabilities of your company devices, but for anyone who really takes some time to dig into Group Policy, I think you will be surprised at how many of those capabilities already exist and are just waiting to be tapped into.
So far, I have mentioned Active Directory about a million times, so based on this section heading, you are probably assuming that we are discussing Active Directory Group Policy. That is correct, but it is also important to note and understand that the AD perspective is not the only way to think about Group Policy settings.
Every Microsoft Windows operating system (starting with Windows XP) has a grouping of configuration settings that is accessed and structured in a similar way. These configuration settings can be used and tweaked to manage and manipulate the workstation or server to your heart's content. This locally-stored conglomeration of settings that exists individually on each machine is known as Local Group Policy, or sometimes simply Local Policy. These local settings could certainly be used on a machine-by-machine basis to administer your entire workforce, but there is nothing centralized about it. You would be talking about massive man-hours to accomplish all of these changes.
If you're sitting in front of a Windows computer right now, Local Group Policy can be accessed by clicking Start | Run, typing GPEDIT.MSC, and pressing Enter:
Throughout this book, we will spend much more time in an interface quite like this one so as to explain the text and settings shown here—but for the purposes of explaining Local Group Policy, this Local Group Policy Editor console is the place where you could make administrative changes to the workstation. The changes you make here take effect immediately, so don't poke around too much, or at least read the descriptions of the settings carefully before changing them!
Local Group Policy is great and is a wonderful way to test new settings and to poke around and find out what kind of restrictions you can put into place on your workstations, but running the Local Group Policy Editor on every workstation in your environment and configuring all of the same settings sounds like an administrative nightmare. How do we overcome the centralized administration challenge? This is where we up-shift and start talking about Active Directory Group Policy.
Active Directory Group Policy takes all of these local policy settings and makes them available anywhere inside your domain. The interface for editing policies and settings is almost exactly the same as the local policy editor, but an additional layer of technology is introduced by being integrated with Active Directory. Inside AD-based Group Policy, you have the ability to create a policy (or hundreds of different policies) and quite easily choose which users and/or computers those policies apply to. In an organization that is making good use of Group Policy, it is very normal to see dozens of different Group Policy Objects (GPOs) that are being assigned to all sorts of different users, computers, or groups of users or computers. AD Group Policy stores its information on your Domain Controller servers, which is an incredibly nice aspect from an IT perspective because it means you don't need additional servers or infrastructure to utilize Group Policy.
For the rest of this book, we will be focusing on using Group Policy within an Active Directory domain environment.
The bulk of interaction between an administrator and Group Policy will be via a Microsoft Management Console (MMC) called the Group Policy Management Console (GPMC). Chapter 2, Group Policy Management Console (GPMC), is all about this console so we won't discuss it too much here, but the primary things to remember are that the GPMC is the place you will visit to both configure settings and filter where you want them to apply, and that you will be able to launch and tap into this console from many different places within your environment.
Here is a quick screenshot of the GPMC for your viewing pleasure:
Another piece of the Group Policy puzzle that is important to understand is the placement and storage of its data. As mentioned, for the remainder of this book, we will be focusing on Active Directory Group Policy. In this setting, the data for Group Policy settings is stored on your Domain Controller server or servers. Small environments may only have one DC, but any SMB or larger will have multiple servers that are hosting this same role. In some cases, an organization may have hundreds of DCs. When multiple DCs are present, the Group Policy settings and data are replicated among all of them, so the failure of one node does not result in the loss of this data. We will dig deeper into the details on what information is stored, and where, in Chapter 8, Group Policy Maintenance.
Any IT administrator who is working within a Microsoft domain environment, or anyone who is building a network from the ground up, can use Group Policy. It benefits everyone involved—the IT administrator as well as the end users. AD and domain administrators will interact with the Group Policy Management Console on a regular basis to establish settings and design the rollout process for those settings to get to their respective users and computers. End users benefit from Group Policy by having preconfigured workstations that they know to be company-appropriate and, most importantly, secure. In fact, in my eyes, the ability to place security settings and requirements on to users and computers is the single biggest reason that every company should be utilizing Group Policy. We will, of course, spend some time securing your devices within this book.
To make use of Group Policy, you don't really have to understand how it works under the hood. You configure GPOs, which contain settings, and then you instruct Active Directory on who or what those GPOs need to apply to. Then, when those computers and users are connected to the corporate network, and therefore connected to Active Directory, they will automatically receive those GPO settings and put them into place on the computers. In other words, Group Policy processes those settings automatically.
What is very important to understand about Group Policy processing is the hierarchy that it follows. As with most Microsoft technologies, Group Policy processing follows a tree scheme, where the application of settings flows down the branches of a tree. There are four levels—also known as tiers or branches—at which Group Policy processing happens.
The four unique levels of hierarchy for Group Policy processing are called Local, Site, Domain, and OU. Let's spend a few minutes going through each one so that you can understand how they are different, and also how they fit together.
We already discussed Local Group Policy and using gpedit.msc to reference these settings. This is the Local Policy of a computer, and any settings that are plugged into Local Policy will process first when Windows starts. These settings affect the entire computer—it doesn't matter which users are logged in. It is very rare that companies would make use of Local Policy to push any settings, because it means that you would be manually touching each workstation to put these settings into place. That's not very time-friendly. What is most important to understand about Local Policy is that your settings that are plugged in at the local policy level may not always be in effect. Since Local Policy is first to apply, it means that any levels of the Active Directory Group Policy that we are about to cover in a minute will take priority over Local Policy. In other words, your computer might put your Local Policy settings into place, but milliseconds later during the boot process, those settings could be overwritten by AD policy settings.
Something that is sort of outside the scope of this book, but is relevant here, is Active Directory Sites and Services. Inside any Active Directory environment, your DCs will automatically have this tool installed, called AD Sites and Services. Its purpose is to define the physical locations of your network: sites, if you will. Many small businesses have only a single site, and often they never have to even open this tool. That makes sense, as everything is always connected to the same site. However, as soon as you grow your business and expand to a second location, the network typically gets much more complex, and you now have IP subnets that are different between the two sites. Active Directory Sites are defined by the IP address space, or subnet, in which a computer is currently residing. When your computer checks in with AD, the site you are part of is automatically determined from the IP address of your computer.
Here is a quick picture of Active Directory Sites and Services, so you can see the layout and also see that the different sites are defined by which IP addressing spaces they contain:
Once your environment is large enough and you have defined your Sites inside this tool, you have now enabled Group Policy to be able to issue settings to computers (and users) based on the site that they reside in. Users follow the computers in this scenario. If a computer account is logging in and Group Policy recognizes it to be in the GrandRapids site, it will apply all GPO settings that are flagged for GrandRapids. The same is true of any users that log into that computer; since the computer is currently sitting in GrandRapids, any user-based policies that are filtered for GrandRapids will also apply.
Some policies and settings are going to be things that you want to apply to all of the machines or users in the entire domain, and the appropriate place for those settings is a domain-level GPO. It's important to point out that the GPOs themselves are not different as we talk about all of these different policy levels—a GPO is a GPO. The level at which the GPO is linked is what we are talking about when we discuss these hierarchical levels. So far, we haven't discussed GPO links, and that is because we will spend a lot of time discussing links and linking when we start to cover the bases on filtering these GPO settings, in upcoming chapters. For now, we simply need to understand that some GPOs will contain settings that need to apply to everything in the domain, and these GPOs will be linked at the domain level.
In the following screenshot, the Default Domain Policy has been linked at the top level, or root, of the domain:
When you link a policy at the top of the domain, that GPO will filter down to each user account and device account that is present inside the domain where it is linked, theoretically applying to all workstations, servers, and users. I say theoretically because there are a couple of reasons why a domain-level GPO might not actually apply to everything inside the domain. One of those reasons would be that the GPO was filtered to only apply to certain machines or groups (we will discuss this much more in Chapter 4, Advanced Filtering of Group Policy Objects). Another reason is that some locations inside Active Directory may have inheritance blocking enabled, which would stop GPOs from applying to any objects contained inside those locations. These locations that I am talking about are called OUs, and they are our next level of GPO processing.
OUs are container folders for the computer and user accounts that are joined to your domain. OUs themselves are managed and manipulated by using the Active Directory Users and Computers tool, and this is the way domain administrators commonly keep all of their objects organized. In a simple environment, you may have an OU for Users and another OU for Computers. Getting a little more advanced may bring you separate OUs for Accounting, Finance, Human Resources, and so on. Taking full advantage of OUs will result in multiple OUs contained within larger-scope OUs. For example, you may have an OU for Accounting user accounts, and a separate OU for Accounting computer accounts. Or you could even create separate OUs for desktop computers versus laptop computers. Maybe one for tablets, one (or many) for your servers... the list goes on and on. If you wanted to get really crazy, you could create a different OU for every single one of your computers! (Please don't do this, as the admin who takes your job after you retire will loathe you because of it.)
Nesting OUs is a very common practice as well. Just like creating folders inside of other folders by using File Explorer, you can use AD Users and Computers to create OUs inside other OUs. This is important for making a clean structure to contain all of your domain objects, but it is also important to the Group Policy processing... er... process.
When you ask any administrator who has worked with Group Policy before, "Where does that GPO apply?" they will almost certainly start thinking in terms of "What OUs does this GPO apply to?" Applying Group Policy at the OU level is our default mentality when working with GPOs, because it is by far the most common tier to which settings are applied. Linking GPOs to particular OUs gives us extreme flexibility in handing different settings to different groups of people or machines. In contrast to the domain-level GPO shown earlier, here is a screenshot of a GPO that is being linked to only one OU (Human Resources). Even though many other OUs exist and contain objects, the settings inside the Firewall Settings GPO will only be applied to those machines that are sitting inside the Human Resources OU:
Now that you know the four tiers of Group Policy processing, let's bring it back to the reason why this is even important. Certainly, you could start creating GPOs and handing out settings willy-nilly without knowing any of this, right? Yes, and you might get away with it for a long time as well, but eventually you'll have to troubleshoot a GPO or figure out where a particular setting is coming from, or perhaps why a setting is not showing up or not working. That is when this information comes into play.
It's also super helpful to know all of this when taking a new job at a new organization where you were not the original creator of the Group Policy infrastructure.
The four types of policy processing are listed in a particular order for a reason. This is the order that the workflow follows when Group Policy does its thing. When a computer boots, it processes the Group Policy settings in this order:
Local Policy
Site-level policies
Domain-level policies
OU-level policies
The machine flows through these policies from top to bottom, which is a good way to think about it, because when you are looking inside GPMC, keeping a top-to-bottom mindset will also help you understand which policies are getting applied first. The settings contained within these policies are applied cumulatively, so they absolutely do have the capability to step on one another's toes. If you have conflicting policy settings between two tiers of GPOs, one of them is going to win and one is going to lose. Looking at this list will help you to determine which settings will exist at the end of a GPO processing cycle.
Looking at the processing order list brings to mind a few examples that may be helpful to round out your understanding on this topic:
Since Local Policy goes first, anything inside any Active Directory Policy has the potential to nullify or change that local policy setting.
Site-level policies received by a computer will change based on what physical location they are plugged into, so it is important to keep in mind that these settings can be fluid.
If there is a domain-level policy setting that contradicts a site-level policy setting, the domain-level policy applies last, and therefore wins the day. That setting will be the one that ends up on the client workstation.
If an OU-level policy applies that conflicts with a site-level or domain-level policy, the OU-linked policy will win every single time.
OUs have even more to consider, because you could easily have multiple GPOs linked to the same OU that could conflict with each other. In this case, one of them is going to win, and in my experience it isn't always the same GPO. This can be a little confusing for sure, so it is critical that you plan the filtering of your GPOs appropriately when creating them.
The capability to have OUs nested inside other OUs also brings some complication to this scenario. Remember the general rule is that Group Policy processes from the top down, so GPOs that are linked to a nested OU will most likely outweigh GPOs that are linked at a higher-level OU.
When a machine receives a GPO setting from a tier that is above the OU where it is sitting, it is known as inheriting that GPO. The term inheriting will be important when we later discuss inheritance blocking and the reasons why you may want to do that. Here is an example based on previous screenshots. Computers inside the Human Resources OU will be receiving the settings from inside the Firewall Settings GPO, because it is linked directly to that OU. Computers inside the Human Resources OU may also be receiving settings from the Default Domain Policy, which is being applied at the domain level, and in this case those computers would be "inheriting" those settings from the Default Domain Policy.
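To make the site lookup by subnet, the Local, Site, Domain, OU processing order, and inheritance concrete, here is an added Python model that is not code from the book: it resolves which settings a computer ends up with and which GPO each one came from. The site subnets, OU paths and GPO settings are constructed sample data; within one OU, GPMC link order is modelled as the tie-breaker (link order 1 is applied last and wins), and Enforced links, which the book has not yet covered, are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data. Site, OU and GPO names echo the book's examples
# (GrandRapids, Human Resources, Default Domain Policy, Firewall Settings);
# the subnets and the settings inside each GPO are hypothetical.
SITE_SUBNETS = {"GrandRapids": ["10.10.0.0/16"], "Chicago": ["10.20.0.0/16"]}


@dataclass
class GPO:
    name: str
    settings: dict


# GPOs per scope, listed in GPMC link order (link order 1 first). Scopes are
# "Local", "Site:<name>", "Domain", or "OU:<path from the domain root>".
LINKS = {
    "Local": [GPO("Local Policy", {"ScreenSaverTimeout": 900, "FirewallEnabled": False})],
    "Site:GrandRapids": [GPO("GR Proxy", {"ProxyServer": "proxy-gr.example.local"})],
    "Site:Chicago": [GPO("CHI Proxy", {"ProxyServer": "proxy-chi.example.local"})],
    "Domain": [GPO("Default Domain Policy", {"ScreenSaverTimeout": 600, "MinPasswordLength": 8})],
    "OU:Corp": [GPO("Corp Baseline", {"ScreenSaverTimeout": 300, "FirewallEnabled": True})],
    "OU:Corp/Human Resources": [
        GPO("Firewall Settings", {"FirewallEnabled": True, "BlockInbound": True}),  # link order 1
        GPO("HR Screensaver", {"ScreenSaverTimeout": 120}),                        # link order 2
    ],
}


def site_for(ip: str):
    """AD Sites and Services style lookup: the site whose subnet contains the IP, else None."""
    addr = ipaddress.ip_address(ip)
    for site, subnets in SITE_SUBNETS.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return site
    return None


def processing_order(ip: str, ou_path: str, blocked=frozenset()) -> list:
    """Return GPOs in the order the client applies them: Local, Site, Domain, then
    each OU from the domain root down to the computer's own OU (LSDOU).
    Within one scope, link order 1 is applied last, so it wins ties.
    Block Inheritance on an OU drops everything linked above that OU; Local
    Policy is not a link, so it is still processed first."""
    scopes = ["Local"]
    site = site_for(ip)
    if site:
        scopes.append(f"Site:{site}")
    scopes.append("Domain")
    parts = ou_path.split("/")
    for depth in range(1, len(parts) + 1):
        scopes.append("OU:" + "/".join(parts[:depth]))
    blocked_idx = [i for i, s in enumerate(scopes) if s.startswith("OU:") and s[3:] in blocked]
    if blocked_idx:  # keep Local plus the deepest blocked OU and everything below it
        scopes = ["Local"] + scopes[max(blocked_idx):]
    order = []
    for scope in scopes:
        order.extend(reversed(LINKS.get(scope, [])))
    return order


def resultant_settings(ip: str, ou_path: str, blocked=frozenset()) -> dict:
    """Cumulative merge in which the last GPO to touch a setting wins (an RSoP-style view)."""
    result = {}
    for gpo in processing_order(ip, ou_path, blocked):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


if __name__ == "__main__":
    for key, (value, source) in resultant_settings("10.10.5.20", "Corp/Human Resources").items():
        print(f"{key:20} = {value!s:25} (from {source})")
```

Run it with a second OU path or with `blocked={"Corp/Human Resources"}` to see site and domain settings disappear while the OU's own links and Local Policy remain.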
Words are great, but getting your hands dirty and jumping into something is the best way to learn. If you don't have an Active Directory environment available to you right now, and if you have never configured a DC before, there is only one place to start—the beginning. Let's walk through a quick and simple lab build-out that will give you everything you need to start testing and working with Group Policy. We will utilize this lab environment throughout the book to showcase the features and settings that we are going to discuss.
For this exercise, we will be building two systems, and I will preface this with the expectation that you have either two pieces of hardware, or a virtualized environment of some sort upon which you will build these two systems. The virtualized environment could be a Windows Server running Hyper-V or VMware, or it could even be a Windows 10 Professional or Enterprise laptop. These specific versions of the operating systems include the ability to add the Hyper-V role to Windows 10, which will give you a fully-capable hypervisor platform that runs right on your laptop, with the ability to spin up two virtual machines that we can use for our lab, as long as your laptop has enough CPU and memory resources to run two VMs at a time.
