Group Policy
Administrative Templates
GPO administrative templates are, in most cases, a
set of text or Extensible Markup Language (XML)–based files that include
clearly defined settings that can be set to a number of different
values.
Administrative
templates are provided to give administrators easy access to many
configurable settings commonly used to manage server and workstation
computers and end users.
When a new GPO is created, a
base set of administrative templates are imported or referenced within
that policy. Additional administrative templates can be imported to a
particular policy to add functionality as required.
Windows 7 and Windows
Server 2008 R2 Central Store
Each GPO in the Active Directory forest will have a
corresponding folder stored in the sysvol folder on each domain
controller in the domain in which the GPO is created. If the domain
controllers in the particular domain are running Windows Server 2003,
each of these GPO folders would contain a copy of each of the
administrative templates loaded in that particular GPO. This created
many duplicated administrative template files and required additional
storage space and increased replication traffic.
Starting with the new
Group Policy infrastructure included with Windows Vista and Windows
Server 2008 and continuing with Windows 7 and Windows Server 2008 R2,
newly created GPOs only store the files and folders required to store
the configured settings, scripts, registry.pol, and other GPO-related
files. When the GPO is opened for editing or processed by a Windows
Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2
computer, the local copy of the administrative templates is referenced
but not copied to the new GPO folder in sysvol. Instead, the
administrative templates are referenced from files stored on the local
workstations or the domain central store.
The GPO central store is a file
repository that houses each of the next generation administrative
templates. The central store would contain all of the new ADMX and ADML
administrative templates and each workstation would reference the files
on the domain controller they are using to process group policies. With a
central store created, when a GPO is opened or processed, the system
first checks for the existence of the central store and then only uses
the templates stored in the central store.
The GPO central store
can be created within Active Directory infrastructures running any
version of Windows Server 2003, Windows Server 2008, or Windows Server
2008 R2 domain controllers.
Starter GPOs
Windows Server 2008
and Windows Server 2008 R2 Group Policy Management Console provide a new
feature of GPO management called starter GPOs. Starter GPOs are similar
to regular GPOs, but they only contain settings available from
administrative templates. Just as security templates can be used to
import and export the configured settings within the security section of
a policy, starter GPOs can be used to prepopulate configured settings
in the Administrative
Templates sections of the Computer Configuration and User Configuration
nodes within a GPO. After the release of Windows Server 2008 and
included in Windows Server 2008 R2, Microsoft released a set of
predefined starter GPOs for Windows Vista and Windows XP. The predefined
settings in these starter GPOs are based on information that can be
found in the Windows XP and Windows client security guide published by
Microsoft. These particular starter GPOs are read-only policies, but
administrators can create their own starter GPOs as needed by the
organization.
Policy Settings
Policy settings are
simply the configurable options made available within a particular GPO.
These settings are provided from the base administrative templates,
security settings, scripts, policy-based QOS, and, in some cases,
software deployment packages. Many policy settings correspond one to one
with a particular Registry key and value. Depending on the particular
settings, different values, including free-form text, might be
acceptable as a legitimate value.
GPO policy settings are
usually configurable to one of three values: not configured, enabled, or
disabled. It is very important for administrators to understand not
only the difference among these three values, but to also understand
what the particular policy setting controls. For example, a policy
setting that disables access to Control Panel will block access to
Control Panel when enabled but will allow access when disabled.
GPO policy settings apply to
either a computer or a user object. Within a particular GPO, an
administrator might find the same policy setting within both the
Computer Configuration and User Configuration nodes. In cases like this,
if the policy setting is configured for both objects, the computer
setting will override the user setting if the policy is linked to the
user object and the workstation to which the user is logged on.
Preference Settings
Group Policies have two main
setting nodes, including the Computer and User Configuration nodes. Each
of these contains two main nodes as well, the Policies and Preferences
setting nodes. The group policy extensions presented in the Preferences
node provide administrators with the ability to configure many default
or initial configuration and environmental settings for users and
computers. One really great feature of GPO Preferences is Item-Level
Targeting, which only applies a certain preference, such as setting the
Start menu on Windows 7 workstations to configure the power button to
perform a logoff instead of a computer shutdown, to only defined users
or groups within the Item-Level Target definition of that GPO. When a
user logs on to a workstation and has that preference applied, this will
be the initial setting, but users would be able to change that setting
if they desire. One important distinction that all GPO administrators
must make is that policies set and enforce settings, whereas preferences
configure initial settings but do not block the settings from changes.
Group Policy Object
Links
GPO links are the key to deploying GPOs to a
predetermined set of Active Directory computers and/or users. GPO links
define where the particular policy or policies will be applied in terms
of the Active Directory domain and site hierarchy design.
GPOs can be linked to Active
Directory sites, domains, and organizational units (OUs). Also, a single
GPO can be linked to multiple sites, domains, and OUs in a single
forest. This gives administrators the flexibility to create a single
policy and apply it to several different sets of computers and users
within an Active Directory forest.
The design of the Active
Directory infrastructure, including site design, domain and tree design,
and OU hierarchy, is critical to streamlining targeted GPO application.
Careful planning and consideration should be taken into account during
the Active Directory design phase with regard to how GPOs will be used
and how user, group, and computer objects will be organized.
GPO links can also be
disabled as required, to assist with troubleshooting GPO application or
processing.
Group Policy Link
Enforcement
Microsoft provides
administrators with many ways to manage their infrastructure, including
forcing configurations down from the top. GPO link “enforcement,”
historically known as “No Override,” is an option of a GPO link that can
be set to ensure that the settings in a particular policy will be
applied and maintained even if another GPO has the same setting
configured with a different value. GPO link enforcement is shown in Figure 2.
This function should be
used with caution because it might result in undesired functionality or a
different level of security than what is required to run a particular
service or application or manage a system. Before enabling GPO
enforcement on any policy, carefully research and test to ensure that
this will not break any functionality or violate an organization’s IT or
regulatory policy.
