Group Policy and the GPMC (part 3) - Advanced Group Policy Settings

6/7/2011 5:54:00 PM

6. Advanced Group Policy Settings

Occasionally, you may need to modify the default Group Policy behavior as applied to users and computers within the domain. When necessary, you can use the following four settings for some special circumstances.

  • Block Inheritance

  • Enforced

  • Loopback Processing

  • Filtering

Use of these settings should be the exception, and their use should be kept to a minimum. Group Policy is complex on its own; once you start modifying the default behavior with these exceptions, the environment becomes even more complex and harder to maintain.

6.1. Block Inheritance

It's possible to block the inheritance of all GPOs for an OU. For example, you could create an OU for testing purposes and decide that you don't want to allow GPOs from the domain or parent OUs to apply. You can enable the Block Inheritance setting on the OU, as shown in Figure 12. In the figure, block inheritance has been enabled on the Testing OU.

Figure 12. Blocking inheritance of GPOs

You can enable block inheritance by right-clicking the OU and selecting Block Inheritance. Once this is set, there will be an icon of an exclamation point in a blue circle to indicate block inheritance is enabled.

When using block inheritance, there are two important points to remember:

  • You can block inheritance only at an OU. You can't block inheritance of a GPO.

  • All GPOs are blocked. You can't pick and choose which GPO to block.

6.2. Enforced

Very often you'll want to configure settings and ensure that they are not overwritten or blocked. Normally, the last GPO applied wins, but you can use the Enforced setting to override this default behavior. In other words, if the enforced GPO is the first one applied and other GPOs have conflicting settings, the GPO with the Enforced setting will always win. In addition, if any OUs have the Block Inheritance setting enabled, the GPO configured with the Enforced setting will not be blocked.

As an example, you may have configured different security settings in the Default Domain Policy that you want to ensure are applied to all users and computers in the domain. You don't want the settings overwritten by conflicting GPOs or by the Block Inheritance setting on an OU.

Figure 13 shows the Default Domain Policy GPO set to Enforced. This setting is enabled by right-clicking the GPO and selecting Enforced. A GPO that has the Enforced setting will have an icon of a lock to indicate that Enforced is enabled.

Figure 13. Configuring Enforced on a GPO
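Because both Block Inheritance and Enforced should be rare, an inventory of where they are in use is worth keeping. The following is an added example, not code from the book; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT or a domain controller) and an account that can read the domain's OUs and GPOs.

```powershell
# Added example: inventory every OU with Block Inheritance set and every GPO link
# marked Enforced, including enforced links that still reach a blocked OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoExceptionReport {
    # Scopes of management to inspect: the domain root plus every OU in it
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) +
                @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn

        if ($som.GpoInheritanceBlocked) {
            # Block Inheritance stops every inherited GPO at this OU...
            [pscustomobject]@{ Exception = 'Block Inheritance'; Target = $dn; Gpo = '(all inherited GPOs)' }
            # ...except links marked Enforced higher up, which still apply here
            foreach ($link in $som.InheritedGpoLinks | Where-Object { $_.Enforced -and $_.Target -ne $dn }) {
                [pscustomobject]@{ Exception = 'Enforced despite block'; Target = $dn; Gpo = $link.DisplayName }
            }
        }

        # Links created directly on this OU or domain with the Enforced setting
        foreach ($link in $som.GpoLinks | Where-Object { $_.Enforced }) {
            [pscustomobject]@{ Exception = 'Enforced link'; Target = $dn; Gpo = $link.DisplayName }
        }
    }
}

Get-GpoExceptionReport | Sort-Object Exception, Target | Format-Table -AutoSize
```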


6.3. Loopback Processing

Loopback Processing is a Group Policy setting that will cause the computer Group Policy settings to take precedence over the user settings. Normally, the order in which GPOs are applied is as follows:

  1. Computer turns on and computer GPOs are applied.

  2. User logs on and user GPOs are applied.

Because the user logs on after the computer starts, the user settings are applied last and the user settings take precedence. However, loopback processing allows this behavior to be reversed. In other words, you can use the Loopback Processing setting to have the computer settings take precedence over the user settings.

Figure 14 shows the User Group Policy Loopback Processing Mode setting. The Loopback Processing setting is in the Computer Configuration => Policies => Administrative Templates => System => Group Policy node.

When configuring loopback processing, you have the choice of using Replace or Merge.

Replace

The computer settings defined in the computer's GPOs completely replace the settings that would normally apply to the user.

Merge

The computer settings defined in the computer's GPOs are combined with the user settings that apply to the user. If there are any conflicts, the computer settings in the computer's GPOs take precedence.

Figure 14. Configuring loopback processing

Exercise 4 demonstrates the default behavior of Group Policy and then shows how this can be reversed with loopback processing. In this exercise, you'll perform the following big-picture steps.

  • Create two test OUs named TestComputer and TestUser.

  • Place a computer in the TestComputer OU and a user in the TestUser OU.

  • Create a GPO to remove the Games link and link it to the TestComputer OU using the settings in the Computer Configuration node.

  • Log on to the computer, and verify that the Games link is still there.

  • Move the user account to the TestComputer OU, and verify that the GPO removes the Games link.

  • Move the user account back to the TestUser OU, and verify that the Games link returned.

  • Enable loopback processing on the GPO applied to the TestComputer OU. Verify that the Games link is removed.

Note that this exercise uses only one simple setting—Remove Games Link From Start Menu. However, by moving the accounts so that they move in or out of the scope of the GPO, you can see how the GPO applies. In addition, this shows the subtlety of how the User Configuration and Computer Configuration settings apply to users or computers in the scope of the GPO, as discussed earlier. Last, it shows how loopback processing can modify the default behavior.

Exercise: Using Loopback Processing

  1. Log on to the domain controller, and launch Active Directory Users and Computers via the Administrative Tools menu. Create two OUs with the following steps:

    1. Right-click the domain and click New => OU. Name the OU TestComputer.

    2. Right-click the domain and click New => OU. Name the OU TestUser.

    3. Locate the Windows 7 computer account of the computer you'll use. The computer account will be in the Computers container unless it has been moved. Drag and drop it into the TestComputer OU.

    4. Locate a Windows 7 user account you'll use to log on to the computer. You can use the Administrator account for the domain if you're using a virtual environment. Drag and drop it into the TestUser OU.

    5. Keep Active Directory Users and Computers open.

  2. Launch the Group Policy Management console via the Administrative Tools menu. Create a GPO named TestRemoveGames linked to the TestComputer OU with the following steps:

    1. Browse to the TestComputer OU. Right-click the TestComputer OU, and select Create A GPO In This Domain And Link It Here. Name the GPO TestRemoveGames.

    2. Expand TestComputer. Right-click the TestRemoveGames GPO and select Edit.

    3. Browse to the User Configuration => Policies => Administrative Templates => Start Menu And Taskbar node.

    4. Double-click Remove Games Link From Start Menu. Select Enabled and click OK.

    5. Leave the GPO open to modify later in this exercise.

  3. Log on to the Windows 7 computer using the test account. Click Start, and you'll see that the Games link still appears.

    The GPO applied to the computer in the TestComputer OU doesn't affect the user because the user account isn't in the scope of the GPO.

  4. Return to the domain controller. Drag and drop the user account from the TestUser OU to the TestComputer OU.

  5. Return to the Windows 7 system and launch a command prompt. Enter GPUpdate /Force to force Group Policy to be updated now (instead of waiting for the 90–120 minute refresh cycle). When it completes, click Start.

    You'll see that the Games link has disappeared. Because the user account is now in the scope of the GPO, the user settings from the GPO apply.

  6. Return to the domain controller. Drag and drop the user account from the TestComputer OU back into the TestUser OU.

  7. Return to the Windows 7 system and access the command line. Enter GPUpdate /Force again to update Group Policy. When it completes, click Start and verify that the Games link has returned.

  8. Modify the TestRemoveGames GPO to use loopback processing with the following steps:

    1. Return to the domain controller, and access the Group Policy Management Editor with the TestRemoveGames GPO open.

    2. Browse to the Computer Configuration => Policies => Administrative Templates => System => Group Policy node. Double-click the User Group Policy Loopback Processing Mode setting. Select Enabled and select Merge. Click OK.

  9. Return to the Windows 7 system and access the command line. Enter GPUpdate /Force again to force a Group Policy update. When it completes, click Start and verify that the Games link is no longer there.

  10. Access Active Directory Users and Computers on the domain controller, and return the user and computer accounts to their original locations. If you're using the virtual environment, the Administrator account should be returned to the Users container, and the Windows 7 account should be returned to the Computers container.
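To see the exercise's results in the registry rather than only in the Start menu, the following added example (not from the book) can be run on the Windows 7 client as the test user after each GPUpdate /Force. It assumes the documented registry landing points for the two settings involved: Remove Games Link From Start Menu writes Explorer\NoStartMenuMyGames, and User Group Policy Loopback Processing Mode writes System\UserPolicyMode (1 = Merge, 2 = Replace).

```powershell
# Added example: report the loopback mode in effect and whether the user-side
# setting from the computer-linked TestRemoveGames GPO actually reached this user.

function Get-LoopbackMode {
    # Computer-side policy: set by the TestRemoveGames GPO only after step 8
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

function Test-GamesLinkRemoved {
    # User-side policy: present only when the user is in the GPO's scope,
    # either directly (user in TestComputer OU) or via loopback processing
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -Name NoStartMenuMyGames -ErrorAction SilentlyContinue).NoStartMenuMyGames
    return ($value -eq 1)
}

function Show-ExerciseState {
    param([Parameter(Mandatory)][string]$Step)
    # Refresh policy first, exactly as the exercise does from the command prompt
    gpupdate.exe /force | Out-Null
    [pscustomobject]@{
        Step             = $Step
        User             = "$env:USERDOMAIN\$env:USERNAME"
        Computer         = $env:COMPUTERNAME
        LoopbackMode     = Get-LoopbackMode
        GamesLinkRemoved = Test-GamesLinkRemoved
    }
}

# Expected progression through the exercise:
#   step 3: Not configured / False   (user outside the GPO's scope)
#   step 5: Not configured / True    (user moved into TestComputer OU)
#   step 7: Not configured / False   (user moved back to TestUser OU)
#   step 9: Merge / True             (loopback makes the computer's user settings apply)
Show-ExerciseState -Step 'After step 9 (loopback processing enabled)'
```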


6.4. Filtering

GPOs normally apply to all users in the Authenticated Users group within the scope of the GPO. When users log on to a domain and are authenticated, they automatically become members of the Authenticated Users group, so the settings from the Default Domain Policy apply to all users.

GPO filtering allows you to change the default behavior so that the GPO applies only to a specific group of users. Figure 15 shows the permissions for a Group Policy. The two most important permissions to understand are Read and Apply Group Policy, and you can see that these permissions apply to the Authenticated Users group.

Figure 15. Group Policy permissions

You can access the Security page with the following steps.

  1. Select the GPO in Group Policy Management.

  2. Select the Delegation tab.

  3. Click Advanced.

  4. Select Authenticated Users.

Read

This permission allows the settings in the GPO to be read. If only Read permission is applied, the GPO can be read but it won't be applied.

Apply Group Policy

This permission allows the settings in the GPO to be applied as long as the Read permission is also applied. If this setting is set to Deny for a group, the GPO will not apply to the group.

Other groups, such as Domain Admins and Enterprise Admins, are granted other permissions that allow members to manage the GPO. These groups aren't assigned Apply Group Policy directly. However, because members of these groups become members of the Authenticated Users group when they log on, GPOs will also apply to users in these groups.

What if you don't want a GPO to apply to a specific group, such as members of the Domain Admins group? You can then assign Deny Apply Group Policy to this group. Just as Deny takes precedence in NTFS, Deny takes precedence with GPO permissions.

On the other hand, you may want the GPO to apply only to a specific group. You can remove the Authenticated Users group, add another group, and assign the Read and Apply Group Policy permissions for the target group.

For example, if you want a GPO to apply only to a G_ITAdmins group that you've created, you would remove the Authenticated Users group and add the G_ITAdmins group.

Instead of adding groups from the permissions screen, you can also add groups from the Delegation tab. When adding groups to this tab, you're prompted to assign one of three permissions:

Read

Only Read permission is assigned. Apply Group Policy is not assigned.

Edit Settings

Read, Create All Child Objects, Delete All Child Objects, and some special permissions are assigned.

Edit Settings, Delete, Modify Security

Read, Create All Child Objects, Delete All Child Objects, and some special permissions that allow users to modify permissions are assigned.

It's important to note that none of the selections from the Delegation tab will automatically assign both Read and Apply Group Policy. If you use this tab, you'll also need to modify the permissions from the Security page shown earlier in Figure 15.

You can also use the Scope tab of a Group Policy to modify the security filtering. Figure 16 shows the Scope tab selected for a GPO. Notice in the Security Filtering section that the Authenticated Users group is shown.

Figure 16. Group Policy Management Scope tab used for filtering a GPO

To filter a GPO using Security Filtering, you would remove the Authenticated Users group by selecting it and clicking Remove and add another group by clicking Add. The Read and Apply Group Policy permissions will be applied to any group you add here.
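The same filtering can be set and audited with the GroupPolicy PowerShell module. The following is an added example, not code from the book. It scopes a GPO to the G_ITAdmins group from the text, and it lists every GPO whose filtering no longer matches the Authenticated Users default or that carries a Deny Apply Group Policy entry. One deliberate difference from the steps above: rather than removing Authenticated Users outright, it lowers that group to Read, because since the June 2016 Group Policy security update (MS16-072) the computer account must still be able to read user-side GPOs for them to process.

```powershell
# Added example: security filtering of GPOs with Get-GPPermission / Set-GPPermission.
Import-Module GroupPolicy

# Every trustee holding Apply Group Policy on a GPO, with Allow/Deny shown
function Get-GpoApplyFilter {
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Gpo';         e = { $GpoName } },
                      @{ n = 'Trustee';     e = { $_.Trustee.Name } },
                      @{ n = 'TrusteeType'; e = { $_.TrusteeType } },
                      Denied
}

# Audit: GPOs filtered away from the Authenticated Users default, or with a Deny entry
function Get-FilteredGpos {
    foreach ($gpo in Get-GPO -All) {
        $apply   = @(Get-GpoApplyFilter -GpoName $gpo.DisplayName)
        $default = $apply | Where-Object { $_.Trustee -eq 'Authenticated Users' -and -not $_.Denied }
        $denies  = @($apply | Where-Object { $_.Denied })
        if (-not $default -or $denies.Count -gt 0) {
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                AppliesTo = ($apply | Where-Object { -not $_.Denied } | ForEach-Object Trustee) -join ', '
                DeniedTo  = ($denies | ForEach-Object Trustee) -join ', '
            }
        }
    }
}

# Scope a GPO to a single group: Authenticated Users keeps Read only (see lead-in),
# the target group receives Read and Apply Group Policy together.
function Set-GpoApplyToGroup {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$GroupName)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
    Get-GpoApplyFilter -GpoName $GpoName
}

Set-GpoApplyToGroup -GpoName 'TestRemoveGames' -GroupName 'G_ITAdmins'
Get-FilteredGpos | Format-Table -AutoSize
```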

7. WMI Filtering

Any GPO can have a single Windows Management Instrumentation (WMI) filter applied to it. The WMI filter inspects the system for a condition before the GPO is processed, and the GPO is applied only if the condition is met.

As an example, you may want to deploy a GPO only to Windows XP computers but not to Windows 7 computers. A WMI filter could be created and linked to the GPO. Before the settings are applied, the WMI filter determines whether the system is running Windows XP and applies the GPO settings for only the XP computers.

WMI filters use WMI Query Language (WQL), which is beyond the scope of this book. However, you can usually find a sample WQL query to include in a WMI filter if needed. The most important thing to remember is that the scope of the GPO can be modified by linking the WMI filter to the GPO.

Here are some examples of what a WMI filter can be used to check:

  • The version of the operating system

  • How much space is available on a disk drive

  • Specific services running on a system

  • The time zone of a system

  • The existence of a specific hot fix

  • The existence of specific software

  • The make or model of the computer
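A WMI filter is one or more WQL queries run in the root\CIMv2 namespace; the GPO applies only if every query returns at least one instance. The following added example (not from the book) tests candidate queries for the checks listed above locally before the filter is linked to a GPO. The Spooler service, the Eastern time zone caption, KBnnnnnnn and ExampleVendor are placeholders to replace with your own values.

```powershell
# Added example: evaluate WQL queries the way a GPO WMI filter would.
function Test-WmiFilter {
    param([Parameter(Mandatory)][string[]]$Queries, [string]$ComputerName = $env:COMPUTERNAME)
    $allMatched = $true
    foreach ($q in $Queries) {
        $hits    = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $q -ComputerName $ComputerName -ErrorAction SilentlyContinue)
        $matched = $hits.Count -gt 0          # a query "passes" when it returns any instance
        if (-not $matched) { $allMatched = $false }
        [pscustomobject]@{ Query = $q; Matched = $matched }
    }
    # A filter with several queries passes only if all of them returned rows
    [pscustomobject]@{ Query = '(filter result: GPO would apply)'; Matched = $allMatched }
}

$filters = [ordered]@{
    # OS version: 5.1 = Windows XP; 6.1 with ProductType 1 = Windows 7 workstation
    # (Version alone is not enough: 6.1 servers are Windows Server 2008 R2)
    'Windows XP only'       = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"'
    'Windows 7 only'        = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
    # At least 10 GB free on the system drive (FreeSpace is reported in bytes)
    'Free disk space'       = 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 10737418240'
    'Print Spooler running' = 'SELECT * FROM Win32_Service WHERE Name = "Spooler" AND State = "Running"'
    'Eastern time zone'     = 'SELECT * FROM Win32_TimeZone WHERE Caption LIKE "%Eastern%"'
    'Hotfix installed'      = 'SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = "KBnnnnnnn"'
    # Hardware make; for installed software prefer a file or service check over
    # Win32_Product, which is slow and triggers MSI consistency checks
    'Hardware make'         = 'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%ExampleVendor%"'
}

foreach ($name in $filters.Keys) {
    Write-Host "== $name =="
    Test-WmiFilter -Queries $filters[$name] | Format-Table -AutoSize
}

# Combined filter: Windows 7 workstations that also have enough free disk space
Test-WmiFilter -Queries $filters['Windows 7 only'], $filters['Free disk space'] | Format-Table -AutoSize
```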

8. Using Group Policy Results

Group Policy Results is a valuable tool for troubleshooting Group Policy. It lets you easily determine which policies are applied to a specific user when logged on to a specific computer. In addition, when there are conflicting settings, it helps you determine the winning GPO and the setting that was applied.

Figure 17 shows a partial Group Policy Results report. It was run for a user named Sally on a computer named Win7 and is named Sally on WIN7. The report is formatted as a dynamic HTML page, allowing you to expand or hide elements of the report.

The report includes three tabs:

Summary

This page has sections for Computer Configuration and User Configuration. It identifies all of the GPOs that were applied and also lists any GPOs that may have been denied. A GPO could be denied because of Block Inheritance.

Settings

This tab lists all of the settings that are being applied. Details include the policy setting and the winning GPO that is applying the setting.

Policy Events

Group Policy–related events are listed here. These are the same events that can be viewed using Event Viewer but are filtered to show only Group Policy–related events.

Figure 17. Group Policy Results report

You should be aware of a few restrictions when running Group Policy Results:

  • The computer must be a member of the domain and currently reachable on the network. WMI is used to query the computer, and if it is down or unreachable, you can't create a report.

  • Only users who have logged on to the computer and have profiles on the computer can be included. WMI is used to identify who these users are, and you can select one of the users from a list.


9. Using Group Policy Modeling

Group Policy Modeling can be used when designing Group Policy. It helps domain administrators determine what the effect might be if a specific user logs on to a specific computer in different situations.

For example, you may be considering moving users or computers to different OUs. You could use the Group Policy Modeling tool to run a report to determine what the effective GPOs and GPO settings will be if this change is made.

You can also simulate the effect of the following situations:

  • Loopback processing is enabled.

  • Users or computers are in different security groups.

  • A WMI filter is applied.

  • A user logs on with a slow network connection.
