Windows Server 2008 R2 : Group Policy Management for Network Clients - Group Policy Feature Set

The policy settings available within a particular policy or all policies can be extended by importing additional administrative templates. This can be accomplished by simply adding the correct ADMX and ADML files to the PolicyDefinitions folder on the local system or in the central store or by importing a legacy administrative template file with the ADM extension into a particular policy.

By default, the Windows Server 2008 R2 group policies administrative templates contain approximately 1,650 settings in the Computer Configuration node and another 1,450 in the User Configuration node. There are many more settings in the Windows Settings nodes and the Preferences node that extend this number dramatically. This, of course, makes detailing each of the settings a very inconvenient and lengthy process.

Many of the policy settings contained in both the Computer and User Configuration policy nodes apply only to specific Windows Server 2008 R2 role services such as the Encrypting File System, Remote Desktop Services, Network Access Protection, or the Distributed File System role services. For these particular services, as with any Group Policy settings, it is very important that the administrator understands the potential impact of configuring these settings. Before any production group policies are created, modified, or linked, the policy should be tested in an isolated environment and a rollback plan should be created and also tested.

Computer Configuration Policy Node

The Computer Configuration node of a group policy contains settings that are designed to configure and manage a Windows system. Many of the settings found in this node also exist in the User Configuration node, and when both settings are configured, different outcomes will result. In some cases, computer policy settings will always be used even if the user configuration policy setting is configured as well. In other cases, the last policy setting applied will be used. For example, in a local group policy, within each node under Administrative Templates\System\Scripts, there is a setting named Run Logon Scripts Synchronously and if this setting is configured in the Computer Configuration section, it will be enforced regardless of how the setting is configured in the User Configuration policy node.

At the root of the Computer Configuration node, there are three policy nodes named the Software Settings node, the Windows Settings node, and the Administrative Templates node. In domain group policies, these three nodes are located beneath the Computer Configuration\Policies node.

Computer Configuration Software Settings Node

The Software Settings node is used to add software application packages to the computers that process the particular policy. Prepackaged or custom Windows Installer MSI software packages can be added to this Software Settings node and used to automatically install software on the computer during the next reboot cycle. This is known as an assigned software package.

Computer Configuration Windows Settings Node

The Windows Settings node provides administrators with the ability to manage the overall security and configuration of the Windows system. The settings contained beneath the Windows Settings node can be used to define how local and domain users can interact with and manage the system and how the system will communicate across the network. The five nodes contained within the Windows Settings node are as follows:

• Name Resolution Policy— This node allows Group Policy administrators to create rules to build the content of the Name Resolution Policy Table to support DNSSEC implementations and to configure Windows Server 2008 R2 DirectAccess DNS settings centrally.

• Scripts (Startup/Shutdown)— The Scripts node allows administrators to add startup or shutdown scripts to computer objects.

• Deployed Printers— This node allows administrators to automatically install and remove printers on the Windows systems. Using the Group Policy Object Editor on Windows Server 2008 or Windows Server 2008 R2 systems, this node might not appear unless the Print Management console is also installed.

• Security Settings— This node is a replica of the local security policy, although it does not sync or pull information from the local security policy. The settings in this node can be used to define password policies, audit policies, software restrictions, Services configuration, Registry and file permissions, and much more.

• Policy-base QoS— The Policy-base QoS node can be configured to manage, restrict, and prioritize outbound network traffic between a source Windows system and a destination host based on an application, source, or destination IP address and/or source and destination protocols and ports.

Security Settings

The Security Settings node allows a security administrator to configure security levels assigned to a domain or Local Group Policy Object. This can be performed manually or by importing an existing security template.

The Security Settings node of the Group Policy Object can be used to configure several security-related settings, including file system NTFS permissions and many more settings contained in the nodes beneath Security Settings as follows:

• Account Policies— These computer security settings control password policy, lockout policy, and Kerberos policy in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server domains and local systems.

• Local Policies— These security settings control audit policy, user rights assignment, and security options, including setting the default User Account Control settings for systems the policy applies to.

• Event Log— This setting controls security settings and the size of the event logs for the application, security, and system event logs.

• Restricted Groups— These settings allow the administrator to manage local or domain group membership from within this policy node. Restricted group settings can be used to add members to an existing group without removing any existing members or it can enforce and overwrite membership based on the policy configuration.

• System Services— These settings can be used to control the startup mode of a service and to define the permissions to manage the service configuration or state. Configuring these settings does not start or stop any services.

• Registry— This setting is used to configure the security permissions of defined Registry keys and, if desired, all subkeys and values. This setting is useful in supporting legacy applications that require specific Registry key access that is not normally allowed for standard user accounts.

• File System— This setting is used to configure NTFS permissions on specified folders on NTFS formatted drives. Also, enabling auditing and configuring folder ownership and propagating these settings to subfolders and files is an option.

• Wired Network (IEEE 802.3) Policies— This policy node can be used to configure additional security on wired network adapters to allow for or require smart card or computer-based certificate authentication and encryption.

• Windows Firewall with Advanced Security— This policy node allows administrators to configure the Windows Firewall on Windows client and Windows server systems. The configured settings can configure specific inbound or outbound rules and can define how the firewall is configured based on the firewall profile or network the system is connected to. The configuration can overwrite the local firewall rules or the group policy and local rules can be merged.

• Network List Manager Policies— Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 uses firewall profiles based on the network. This setting node can be used to define the permissions end users have regarding the identification and classification of a new network as public or private to allow for the proper firewall profile to be applied.

• Wireless Network (IEEE 802.11) Policies— These policies help in the configuration settings for a wide range of devices that access the network over wireless technologies, including predefining the preferred wireless network, including the service set identifier (SSID) and the security type for the network. This node includes Windows Vista and later releases and Windows XP compatible policies.

• Public Key Policies— These settings are used to specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate. Public Key Policies are also created and are used in the distribution of the certificate trust list. Public Key Policies can establish common trusted root certification authorities. Encrypting File System settings use this policy node as well.

• Software Restriction Policies— These policies enable an administrator to control the applications that are allowed to run on the Windows system based on the file properties, including the filename. Additionally, software restrictions can be created based on certificates or the particular network zone from which the application is being accessed or executed. For example, a rule can be created to block application installations from the Internet zone as defined by Microsoft Internet Explorer.

• Network Access Protection— This setting can be used to deploy the configuration of the Network Access Protection client. These policy settings allow an administrator to require a client health check before granting access to the network.

• Application control policies— This node enables Group Policy administrators to create rules that define which security groups or specific users can run executables, scripts, or Windows Installer files and can also be used to granularly define which file paths, filenames, and digitally signed publishers of files will be allowed or denied on the computers these policy settings apply to.

• IP Security Policies on Active Directory— IP Security (IPSec) policies can be applied to the GPO of an Active Directory object to define when and where IPSec communication is allowed or required.

• Advanced Audit Policy Configuration— This node can be used to define more detailed and granular audit settings for use on Windows Server 2008 R2 and Windows 7 systems.

Computer Configuration Administrative Templates Node

The Computer Configuration Administrative Templates node contains all of the Registry-based policy settings that apply to the Windows system. These settings are primarily used to control, configure, and secure how the Windows system is set up and how it can be used. This is not the same as the security settings configuration where specific users or groups are granted rights because the configuration settings available within the administrative templates apply to the system and all users who access the system. Many settings, however, are not applied to users who are members of the local administrators group of a system.

User Configuration Policy Node

The User Configuration node contains settings used to configure and manage the user desktop environment on a Windows system. Unlike the computer configuration settings that define system settings and restrict what users can do on a particular system, the user configuration settings can customize the desktop experience for a user, including setting Start menu options, hiding or disabling Control Panel applets, redirecting folders to network shares, restricting write access to removable media, and much more. At the root of the User Configuration node are three policy nodes named the Software Settings node, the Windows Settings node, and the Administrative Templates node, but the settings contained within these nodes are different from the settings included in the Computer Configuration node, and in a domain group policy, these nodes are located beneath the User Configuration\Policies\ node.

User Configuration Software Settings Node

The Software Settings node in the User Configuration section of a policy allows administrators to publish or assign software applications to individual users to which the policy applies. When a packaged software application is assigned to a user, it can be configured to be installed automatically at user logon or it can just be available in the Control Panel Programs applet for installation by the user the same as when it is published. When a packaged application is published to a user, it can be installed by that user by accessing the application in the following section of Control Panel:

• Windows Server 2008 and Windows Server 2008 R2— Control Panel, Get Programs

• Windows Vista— Control Panel, Programs, Get Programs and Features

• Windows 7— Control Panel, Programs, Get Programs

• Windows XP— Control Panel, Add or Remove Programs, Add New Programs

User Configuration Windows Settings Node

The Windows Settings node in the User Configuration section of a policy allows administrators to configure logon scripts for users, configure folder redirection of user profile folders, define software restriction policies, automatically install and, if necessary, remove printers, and configure many Internet Explorer settings and defaults.

User Configuration Administrative Templates Node

User Configuration Administrative Templates are the most commonly configured policy settings in domain group policy deployments. Settings contained within the User Configuration Administrative Templates node can be used to assist administrators with the automated configuration of a user’s desktop environment. Of course now with domain group policy preferences, many of these newly available settings will also be highly used once Group Policy administrators begin to explore and find the best ways to use preference settings.