Chapter 8 Group Policy Architecture
Computer Configuration Windows Settings Security Settings Registry
Sets permissions, auditing, and inheritance on registry keys on target computers. Registry keys carry their own security descriptors (ACLs), not NTFS permissions, although the editing dialog looks the same as the file system one.
Computer Configuration Windows Settings Security Settings File System
Sets NTFS permissions and controls auditing and inheritance on files and folders on target computers
Accounts: Limit local account use of blank passwords to console logon only
Enabled by default. Local accounts with a blank password can log on only at the console; network logons (file shares, Remote Desktop, RPC) with a blank password are refused.
Microsoft network server: Disconnect clients when logon hours expire
Enabled by default. If a user account has restricted logon hours, the user's SMB sessions to file shares on this server are forcibly disconnected when those hours expire. If it is disabled, users who are already connected can keep working after their logon hours expire.
There are two ways to create a GPO
1. Right-click the container you want to link it to (the domain or an OU) and select "Create a GPO in this domain, and Link it here". 2. Right-click the Group Policy Objects folder and click New, then link the GPO to a container after you have configured it. Method 2 is preferable: a GPO created with method 1 is linked, and therefore applied to the container, before it has been configured.
Group policy architecture and functioning involve GPOs
A GPO is an object containing policy settings that affect user and computer operating environments and security. GPOs can be local (stored on the user's computer) or Active Directory objects linked to sites, domains, and OUs.
Group Policy Objects
A GPO is the main component of Group Policy. It contains policy settings for managing aspects of domain controllers, member servers, member computers, and users.
MSI File
A collection of files packaged into a single file with an .msi extension; it contains the instructions Windows Installer needs to install the application correctly.
Group Policy Replication
The GPC, an AD object, is replicated during normal AD replication. The GPT, located in the SYSVOL share, is replicated by the File Replication Service (FRS) or Distributed File System Replication (DFSR).
Computer Configuration Windows Settings Name Resolution Policy
Added in Windows Server 2008 R2; used to deploy DNS Security Extensions (DNSSEC) settings, as the Name Resolution Policy Table, to clients.
Local Policies Audit Policy
Administrators can audit events occurring on computers, including logon and logoff, file and folder access, Active Directory access, and system and process events. Auditing can be for successful events, failed events, or both. By default no audit policies are defined in this node in either default GPO. On Windows Server 2008 and later (including 2012/R2), certain events such as logons and directory service access are audited by default through audit subcategories; those subcategory settings are viewed and changed with the command-line tool auditpol.exe (or centrally with Advanced Audit Policy Configuration in a GPO). Events created by auditing are written to the Security log and can be viewed with Event Viewer.
Interactive Logon:Message text for users attempting logon
Allows the administrator to define a message that users see on the logon screen; the companion setting "Message title for users attempting to log on" sets its title bar.
Restricted groups page 365
Allows the administrator to control the membership of both domain groups and local groups on member computers. By default this node is empty; you configure it by adding the groups whose membership you want to restrict. It is typically used for groups that require high security, such as the local Administrators group. You can control a group's Members and Member Of properties. With Members, current members of the target group that aren't on the list are removed (the built-in Administrator account is never removed from Administrators) and those on the list that aren't already members are added. The list is reapplied at every policy refresh, so manual changes made on the computer do not survive.
Computer Configuration Node
Applies policies to computers regardless of who logs on. Most importantly, this node contains most of the security-related settings, in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes. Computer Configuration policies are downloaded to a computer when the OS starts and are refreshed every 90 minutes thereafter, plus a random offset of up to 30 minutes (every 5 minutes on domain controllers); gpupdate /force triggers a refresh on demand.
Domain GPO's
Are stored in Active Directory on domain controllers. They can be linked to a site, domain, or OU and affect users and computers whose accounts are stored in those containers. A domain GPO is represented by an AD object, but it is composed of two parts: the Group Policy Container (GPC) and the Group Policy Template (GPT).
Elevation
Being prompted for consent or credentials before an action that requires administrative rights is allowed to proceed.
If you edit a GPO that's linked to an AD container 343
There is no Save command: changes are written to the GPO as you make them and take effect as soon as clients download them. By default client computers download computer policies at restart and user policies at the next logon, and both are refreshed periodically thereafter. This is another reason to configure a GPO before linking it.
Blocking GPO Inheritance Page 350
Blocks GPOs linked to parent objects from affecting child containers. You can block inheritance on a domain or an OU (not on a site).
Default GPO Inheritance Behavior
By default, GPO inheritance is enabled, and settings in GPOs linked to a parent object are applied to all child objects. Settings in a GPO linked to the domain object are inherited by all OUs and their child objects in the domain. Settings in a GPO linked to a site are inherited by all objects in that site.
Replication Problems GPOTOOL.EXE 341
Can be diagnosed with GPOTOOL.EXE (a Resource Kit tool), which verifies the version number and status of GPOs on all DCs and reports any discrepancies. On current versions the Status tab of a GPO in the GPMC performs the same check.
Turn off local group policy object processing
Causes member computers to ignore local GPOs. Enabling it is a good idea to ensure that all policies are controlled from the domain and that a local administrator can't add local policy on top of them.
The two main types of GPO's
Local and Domain
Local Security Policy
Enables you to edit policies in just the Security Settings node of the local GPO. You open this MMC console from Administrative Tools in Control Panel or by entering secpol.msc at the command line.
Domain Policy Naming Structure GPT & GPC have this in common
Each GPO is assigned a globally unique identifier (GUID), a 128-bit value represented by 32 hexadecimal digits that Windows uses to ensure unique object IDs. The GPT folder in SYSVOL and the GPC object in AD are both named with the GPO's GUID (in braces), not with its display name.
Domain Policy Folder Structure GPT & GPC have this in common
Each GPT has two subfolders, and each GPC two child containers, named Machine and User. Machine stores information related to the GPO's Computer Configuration node; User stores information about the User Configuration node.
Computer Configuration Windows Settings Page 357
Contains four subnodes: Name Resolution Policy, Scripts (Startup/Shutdown), Security Settings, and Policy-based QoS.
Computer Configuration Windows Settings Security Settings Application Control Policies
Contains the subnode AppLocker, which extends the function of Software Restriction Policies. It can be used only on computers running Windows 7 / Windows Server 2008 R2 and later (on client editions, only Enterprise and Ultimate enforce AppLocker rules).
Computer Configuration Node Software Settings
Contains the Software Installation extension, which can be configured to install software packages remotely on computers regardless of who logs on. Applications are deployed with the Windows Installer service, which uses installation packages called MSI files.
Computer Configuration Windows Settings Security Settings IP Security Policies on Active Directory
Controls IPsec policies on target computers. IPsec is a suite of network-layer protocols that authenticates and optionally encrypts IP traffic between computers.
Computer Configuration Windows Settings Security Settings Wired Network IEEE 802.3
Controls IEEE 802.1X authentication parameters on computers with wired connections to the network.
Computer Configuration Windows Settings Security Settings Network List manager policies
Controls aspects of the networks identified by Windows, such as location type (domain, private, or public) and network name, and whether users can change them.
Computer Configuration Windows Settings Security Settings Windows Firewall with advanced Security
Controls firewall settings (profiles, inbound and outbound rules, and connection security rules) on Windows Vista, Windows Server 2008, and later computers.
Computer Configuration Windows Settings Security Settings Wireless Network Policies IEEE 802.11
Controls how wireless clients can connect to wireless networks, including network type (ad hoc or infrastructure), service set identifier (SSID), authentication, and encryption protocols.
Computer Configuration Windows Settings Security Settings Public Key Policies
Controls parameters associated with the public key infrastructure, including EFS recovery agents, certificate auto-enrollment, and trusted root certificates.
Computer Configuration Windows Settings Security Settings Event Log
Controls parameters of the main logs in Event Viewer on target computers. Policies include maximum log file sizes and retention behavior (for example, whether the Security log overwrites old events or stops logging when full).
Computer Configuration Windows Settings Security Settings Network Access Protection
Controls the NAP environment for target computers, including enforcement clients, user interface settings, and the servers used for health registration certificates. (NAP was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016.)
Computer Configuration Windows Settings Security Settings Software Restriction Policies
Controls which software can run on a computer, using rules based on path, file hash, certificate, or Internet zone.
Creating and Linking GPO's Page 341
Creating new GPOs and linking them to containers is preferable to editing the existing default GPOs.
When a GPO is created
A folder named with the GPO's GUID is created under the Policies folder in SYSVOL. The files and subfolders beneath it vary with which settings are configured, but every GPO root folder has three items: GPT.ini, Machine, and User.
GPC & GPT Sync
GPCs replicate when Active Directory replication occurs; between DCs in the same site that is typically within about 15 seconds of a change, but it can take much longer between DCs in different sites. DFSR replicates the SYSVOL share (and therefore the GPT) almost immediately after a change is made within a site. Because the two parts can arrive at a DC at different times, a client (Windows XP and later) checks the version number of both components before applying the GPO's settings.
Group policy architecture and functioning involve Creating and Linking-
GPOs are created in the Group Policy Management Console and can then be linked to one or more Active Directory containers. Multiple GPOs can be linked to the same container.
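The "create it in the Group Policy Objects folder, configure it, then link it" method described above, scripted with the GroupPolicy PowerShell module (installed with GPMC/RSAT). This is an added example, not code from the textbook; the OU distinguished name, the GPO name and the banner text are hypothetical.

```powershell
# Added example (not from the textbook): create a GPO the second way (unlinked), configure it,
# and only then link it, so a half-configured policy is never applied.
Import-Module GroupPolicy
$ou = 'OU=Workstations,DC=corp,DC=example,DC=com'   # hypothetical OU

# 1. Create the GPO unlinked. Nothing applies yet, even though Authenticated Users already
#    has Read + Apply Group Policy on it (the default filtering for a new GPO).
$gpo = New-GPO -Name 'Workstation Logon Banner' -Comment 'Logon banner for workstations'

# 2. Configure it while it is unlinked. Set-GPRegistryValue writes registry-based policy
#    (registry.pol in the GPT), so these values show under Extra Registry Settings in GPME
#    rather than under Security Options; the client writes the same registry values either way.
$sys = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Guid $gpo.Id -Key $sys -ValueName 'LegalNoticeCaption' -Type String `
    -Value 'Authorized use only' | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $sys -ValueName 'LegalNoticeText' -Type String `
    -Value 'This system is monitored. Disconnect now if you are not authorized.' | Out-Null

# 3. Link it to the OU, enabled, at link order 1 (highest precedence among links on that OU).
New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes -Enforced No -Order 1 | Out-Null

# 4. Confirm that the GPC (AD object) and GPT (SYSVOL folder) pair exists and agrees on versions.
$g   = Get-GPO -Guid $gpo.Id
$gpt = "\\$($g.DomainName)\SYSVOL\$($g.DomainName)\Policies\{$($g.Id)}"
[pscustomobject]@{
    Name            = $g.DisplayName
    GpcPath         = $g.Path                       # CN={GUID},CN=Policies,CN=System,...
    GptPath         = $gpt
    GptExists       = Test-Path $gpt
    ComputerVersion = "$($g.Computer.DSVersion) (AD) / $($g.Computer.SysvolVersion) (SYSVOL)"
    UserVersion     = "$($g.User.DSVersion) (AD) / $($g.User.SysvolVersion) (SYSVOL)"
    Status          = $g.GpoStatus
}
```

Run it from a management workstation or DC as a user with rights to create GPOs and link them to the OU. The final object shows both halves of the GPO: the AD path of the GPC and the SYSVOL path of the GPT, with the DS and SYSVOL version numbers that clients compare before applying the policy.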
Site Linked GPO's PG 349
GPOs linked to a site object affect all users and computers physically located at the site. Because sites are defined by IP subnets, GPO processing determines where a user is logging on from, and from which computer, based on that computer's IP address. So users who log on from different sites may have different policies applied depending on where they log on.
Domain Linked GPO's Page 349
GPOs linked at the domain level should contain settings that you want to apply to all objects in the domain. The Default Domain Policy is created and linked to the domain object by default and mostly defines account policies. Account policies that affect domain logons can be defined only at the domain level.
Main tools for editing, creating and managing GPO's 341
Group Policy Management Console (GPMC, the Group Policy Management MMC snap-in) and Group Policy Management Editor (GPME). They are used to make changes to the security and working environment of users and computers.
Policies folder page 357
Has three folders: Software Settings, Windows Settings, and Administrative Templates. Software Settings and Windows Settings contain extensions.
WMI Filtering Windows Management Instrumentation page 355
Windows Management Instrumentation is a Windows technology for gathering management information about computers, such as the hardware platform, OS version, available disk space, and so on. WMI filtering uses WQL queries to select a group of computers based on certain attributes and then applies or doesn't apply a GPO based on whether the query returns a result on the client.
Group Policy containers
Is an AD object stored in the System\Policies container; it can be viewed in Active Directory Users and Computers with the Advanced Features option enabled.
Unmanaged Policy Setting
Is persistent, meaning it remains in effect even after the user or computer falls out of the GPO's scope, until it is changed by another policy or manually (the setting is said to "tattoo" the registry). The policies supplied with Windows in Administrative Templates are managed; custom policy templates you add can define unmanaged settings.
Local Computer Policy Object
Is processed first for all users and is the only local GPO that affects the Computer Configuration node. The Local Administrators or Local Non-Administrators GPO is processed next, if configured, and the user-specific GPO is processed last, if configured. Conflicting settings are resolved in the same order; in other words, the last policy setting applied takes precedence.
Computer Configuration Windows Settings Security Settings Local Policies
Is so named because all settings in its subnodes pertain to security options applied to computers and to what users can and can't do on the local computers they log on to. Because these policies affect computers, they are defined in GPOs linked to OUs containing computer accounts. There are three subnodes: Audit Policy, User Rights Assignment, and Security Options.
File Replication Service (FRS)
Is used for SYSVOL if you have DCs in your domain running versions of Windows Server earlier than Windows Server 2008. FRS is not as efficient or reliable as DFSR.
Distributed File System Replication (DFSR)
Is used for SYSVOL when all DCs are running Windows Server 2008 or later and the domain functional level is Windows Server 2008 or higher (domains upgraded from earlier versions must be migrated from FRS with dfsrmig.exe). DFSR is more efficient and reliable than FRS because it uses remote differential compression (RDC), because of improvements in handling unexpected service shutdowns that could corrupt data, and because it uses a multimaster replication scheme.
Group Policy Templates
Isn't stored in AD; it's in a folder in the SYSVOL share on each domain controller. It contains all the policy settings that make up a GPO as well as related files, such as scripts. Every GPO has a GPT associated with it. The local path to the GPT folders on a domain controller is %SystemRoot%\SYSVOL\sysvol\<domain>\Policies, where %SystemRoot% represents the drive letter and folder where the Windows OS is stored (usually C:\Windows) and <domain> is the domain's DNS name.
Policies are applied in this order page 348
Local policies, site-linked GPOs, domain-linked GPOs, OU-linked GPOs (LSDOU). Policies defined in GPOs in AD take precedence over all local policies. When conflicting settings exist, the GPO applied last wins, so OU-linked GPOs have the strongest precedence.
GPT Folders
Look random, but two folders have the same name on every domain controller in every domain. The folder starting with 6AC1 ({6AC1786C-016F-11D2-945F-00C04fB984F9}) is the GPT for the Default Domain Controllers Policy. The folder starting with 31B2 ({31B2F340-016D-11D2-945F-00C04FB984F9}) is the GPT for the Default Domain Policy.
Additional Local GPO's Local Administrators GPO
Members of the local Administrators group are affected by settings in this GPO. The default membership of that group includes the local Administrator account and, when the computer is a domain member, the Domain Admins global group.
OU Linked GPO's Page 349
Most fine-tuning of group policies, particularly user policies, should be done at the OU level. Because OU-linked policies are applied last, they take precedence over site and domain policies (with the exception of account policies, which can be applied only at the domain level).
info the GPC provides
Name of GPO, File path to GPT, Version, and Status
Computer Configuration Windows Settings Policy based QOS
New in Windows Server 2008; enables administrators to manage network bandwidth use per computer and to prioritize network packets (DSCP marking and throttling) based on the type of data the packet carries.
Remote Differential Compression
Only the data blocks that have changed are transferred across the network.
Accounts: rename guest account
Similar to Accounts: Rename administrator account, but for the built-in Guest account.
Starter GPO page 346
Starter GPOs are GPO templates. An administrator creates a starter GPO to be used as a baseline for new GPOs. Starter GPOs are stored in the Starter GPOs folder in the GPMC. They don't contain all the nodes of a regular GPO: only the Administrative Templates folder under both the Computer Configuration and User Configuration nodes is included, so security settings such as account policies can't be part of a starter GPO.
GPC
Stores GPO properties and status information but no actual policy settings. Like the GPT folder, the GPC's common name is the GPO's GUID. The GPC is the Active Directory object that links the GPO to AD, and it is what AD replication carries to all DCs.
GPC File Path to GPT
The gPCFileSysPath attribute specifies the universal naming convention (UNC) path to the related GPT folder.
GPC Version
The versionNumber attribute should have the same value as the Version entry in the GPT.ini file in the GPT folder. The low 16 bits hold the Computer Configuration version and the high 16 bits the User Configuration version, so a value of 65539 means user version 1 and computer version 3.
GPC Name of GPO
The displayName attribute tells you the name of the GPO the GPC is associated with.
GPC Status
The flags attribute contains a value that indicates the GPO's status: 0 means the GPO is enabled, 1 means the User Configuration settings are disabled, 2 means the Computer Configuration settings are disabled, and 3 means all settings are disabled.
Local GPO's Policy settings
The policy settings on a domain member computer can be affected by domain GPOs linked to the site, domain, or OU in Active Directory. Settings in local GPOs that are overridden by domain GPOs can't be changed on the local computer; only settings that are undefined or not configured by domain GPOs can be edited locally.
Group policy architecture and functioning involve Scope and Inheritance
The scope of a group policy defines which users and computers are affected by its settings. The scope can be a single computer (in the case of a local GPO) or an OU, a domain, or a site. Like permissions, policy settings applied to users and computers are inherited from parent containers, and as with permission inheritance, an administrator can override the default inheritance behavior.
Auditing Object Access page 359
There are two steps: 1. Enable the Audit object access policy for success, failure, or both. 2. Enable auditing on the target objects for success, failure, or both. After object access auditing is enabled in Group Policy, you must enable auditing on each target object, such as a file or folder; you do this by editing the object's system access control list (SACL) on the Auditing tab of the Advanced Security Settings dialog box. By default, when you audit a folder, the auditing extends to its subfolders and files. Neither step alone produces any events.
GPO Filtering Page 354
There are two types; Security Filtering and Windows management instrumentation (WMI) Filtering.
Computer Configuration Windows Settings Security Settings page 358
There are hundreds; the most important are under Account Policies and Local Policies because they contain the baseline security options for your computers.
GptTmpl.inf
This file, located at Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf inside the GPT, contains the settings configured in the Security Settings node under Computer Configuration (account policies, audit policy, user rights, security options, restricted groups, and so on).
GPO root folder GPT.ini
This file contains the version number used to determine when a GPO has been modified. Every time the GPO changes, the version number is incremented. Whenever a GPO is replicated, the DCs use this number to determine whether their local copy is up to date, and clients use it to decide whether the GPO has changed since the last refresh.
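The version check that GPOTOOL.EXE performs, done by hand against the GPC attributes and GPT.ini described above. This is an added example, not code from the textbook: for every GPO it reads the GPC from each domain controller (so lagging AD replication shows up as differing versionNumber values between DCs) and the GPT.ini from that DC's own SYSVOL (so lagging SYSVOL replication shows up as a GPC/GPT mismatch on one DC). Domain and DC names are discovered from AD; nothing is hard-coded.

```powershell
# Added example (not from the textbook): GPC/GPT consistency across all DCs.
# Requires the ActiveDirectory module (RSAT) and read access to each DC's SYSVOL share.
Import-Module ActiveDirectory

$flagNames = @{ 0 = 'Enabled'; 1 = 'User settings disabled'; 2 = 'Computer settings disabled'; 3 = 'All settings disabled' }

function Split-GpoVersion([int]$Version) {
    # versionNumber packs two counters: low 16 bits = Computer Configuration, high 16 bits = User Configuration
    [pscustomobject]@{ Computer = $Version -band 0xFFFF; User = ($Version -shr 16) -band 0xFFFF }
}

function Get-GptIniVersion([string]$GptPath) {
    $ini = Join-Path $GptPath 'GPT.ini'
    if (-not (Test-Path $ini)) { return $null }          # GPT not (yet) replicated to this DC
    foreach ($line in Get-Content $ini) {
        if ($line -match '^Version=(\d+)\s*$') { return [int]$Matches[1] }
    }
    $null
}

function Get-GpoReplicationStatus {
    $domain     = Get-ADDomain
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $dcs        = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        $gpcs = Get-ADObject -Server $dc -SearchBase $policiesDn `
                    -Filter 'objectClass -eq "groupPolicyContainer"' `
                    -Properties displayName, gPCFileSysPath, versionNumber, flags
        foreach ($gpc in $gpcs) {
            # gPCFileSysPath is the domain-wide DFS path (\\domain\SysVol\...); redirect it to this DC's copy
            $dcPath        = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$dc"
            $adVersion     = [int]$gpc.versionNumber
            $sysvolVersion = Get-GptIniVersion $dcPath
            $split         = Split-GpoVersion $adVersion
            [pscustomobject]@{
                DC            = $dc
                GPO           = $gpc.displayName
                Guid          = $gpc.Name
                ADVersion     = $adVersion
                SysvolVersion = $sysvolVersion
                ComputerVer   = $split.Computer
                UserVer       = $split.User
                Status        = $flagNames[[int]$gpc.flags]
                InSync        = ($sysvolVersion -eq $adVersion)
            }
        }
    }
}

$status = Get-GpoReplicationStatus

# 1. GPC and GPT disagree on the same DC: SYSVOL (FRS/DFSR) replication is lagging or broken there.
$status | Where-Object { -not $_.InSync } | Format-Table DC, GPO, ADVersion, SysvolVersion -AutoSize

# 2. The same GPO has different versionNumber values on different DCs: AD replication is lagging.
$status | Group-Object Guid |
    Where-Object { @($_.Group.ADVersion | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Format-Table DC, GPO, ADVersion -AutoSize }
```

Get-GPO (for example `Get-GPO -All -Server <dc>`) exposes the same comparison for a single DC as Computer.DSVersion/SysvolVersion and User.DSVersion/SysvolVersion; the script above is useful when you need to see which DC is behind. A mismatch that persists beyond a replication cycle is the condition under which clients refuse to apply the GPO.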
GPO root folder User
This folder contains subfolders that store policy settings related to the User Configuration node.
GPO root folder Machine
This folder contains subfolders that store policy settings related to the Computer Configuration node.
Local Policies Security Options
This subnode includes almost 100 settings; the available policies are organized into 15 categories. You should review and configure the User Account Control policies right away.
Changing Default Auditing
To clear all audit subcategories so that auditing is controlled only by Group Policy, type auditpol /clear at an elevated command prompt. This command stops all auditing on the computer where you run it unless auditing is enabled in the local policy or in a GPO in the computer's scope. auditpol /get /category:* shows the settings currently in effect.
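The two-step object-access audit described under "Auditing Object Access", followed by a read of the events it produces, driven from an elevated PowerShell prompt on the target computer with auditpol. This is an added example, not code from the textbook; C:\Finance is a hypothetical folder, and the "File System" subcategory is the auditpol equivalent of the Audit object access policy.

```powershell
# Added example (not from the textbook): object-access auditing end to end on one computer.
# Run elevated: Get-Acl -Audit / Set-Acl need SeSecurityPrivilege, and auditpol needs admin rights.
$target = 'C:\Finance'   # hypothetical folder
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }

# Step 1: turn the audit policy on. Subcategory settings override the legacy nine categories unless
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings" is disabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"            # show the effective setting

# Step 2: add an entry to the folder's SACL (the Auditing tab of Advanced Security Settings).
# ContainerInherit + ObjectInherit reproduces the default "extends to subfolders and files".
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Generate an audited access (creating a file is WriteData on the directory), then read back
# event 4663, "An attempt was made to access an object", from the Security log.
Set-Content -Path (Join-Path $target 'q1.txt') -Value 'constructed test data'

function Get-ObjectAccessEvents([string]$PathPrefix, [int]$Minutes = 5) {
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull named fields from the event XML instead of relying on Properties[] positions
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$PathPrefix*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask
                Process = $data.ProcessName
            }
        }
    }
}

Get-ObjectAccessEvents -PathPrefix $target | Format-Table -AutoSize
```

If the last command prints nothing, one of the two steps is missing: check `auditpol /get /subcategory:"File System"` for step 1 and the Auditing tab of the folder for step 2. In a domain, step 1 is normally delivered by a GPO (Audit Policy, or Advanced Audit Policy Configuration for the subcategory) rather than typed on each computer, and step 2 can be delivered centrally from the File System node described below.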
Local Policies User Rights Assignment
User rights define the actions users can take on a computer, such as changing the system time, shutting down the system, or logging on locally. More than 40 user rights policies can be assigned, and for each policy you can add users or groups. The Default Domain Controllers Policy specifies User Rights Assignment policies that define the default actions users can take on DCs.
Enforcing GPO Inheritance Page 350
When a GPO link is enforced, its settings are applied to all child objects, even if a GPO with conflicting settings is linked to a container at a deeper level. The enforced GPO has the strongest precedence of all GPOs in its scope. If multiple GPOs are enforced, the one linked highest in the AD hierarchy has the strongest precedence. GPO enforcement overrides GPO inheritance blocking.
Nested Ou's
When OUs are nested, the GPO linked to the most deeply nested OU takes precedence over all other (non-enforced) GPOs.
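Blocking inheritance on an OU, enforcing a domain-linked GPO so that it still reaches that OU, and reading back the precedence order that results, as described in the three entries above. This is an added example, not code from the textbook; the OU name and the GPO name "Domain Security Baseline" are hypothetical, and the GroupPolicy and ActiveDirectory modules come with GPMC/RSAT.

```powershell
# Added example (not from the textbook): block inheritance, enforce a parent link, inspect the result.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ou       = "OU=Workstations,$domainDn"               # hypothetical OU

# Block inheritance at the OU: site- and domain-linked GPOs no longer reach it ...
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null
# ... except enforced links, which override blocking, so enforce the baseline at the domain.
Set-GPLink -Name 'Domain Security Baseline' -Target $domainDn -Enforced Yes | Out-Null

function Get-EffectiveGpoOrder([string]$Container) {
    $inh = Get-GPInheritance -Target $Container
    # InheritedGpoLinks lists every link that applies to the container (its own links plus those
    # inherited from parents) in precedence order, highest first. Enforced parent links sit at
    # the top because they beat anything linked deeper; non-enforced parent links are absent
    # here because inheritance is blocked.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedTo   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

"Inheritance blocked on ${ou}: $((Get-GPInheritance -Target $ou).GpoInheritanceBlocked)"
Get-EffectiveGpoOrder $ou | Format-Table -AutoSize

# On a computer in the OU, confirm the same order from the client's point of view:
#   gpupdate /target:computer /force
#   gpresult /r /scope:computer        (see "Applied Group Policy Objects")
```

Use enforcement sparingly: once several GPOs are enforced at different levels, the highest-linked one wins every conflict, which is the reverse of the normal LSDOU order and surprises administrators of the child OUs.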
GPEDIT.MSC
When you run gpedit.msc you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes. The policies defined in this GPO, when configured on non-domain-member computers, apply by default to all users who log on to the computer.
Computer Configuration Windows Settings Scripts (startup/shutdown)
You can create scripts in a variety of scripting languages, including VBScript, JScript, batch files, and (from Windows Server 2008 R2) PowerShell. Startup scripts run when the computer starts, and shutdown scripts run before the computer shuts down; both run under the Local System account, so anything they execute runs with full system privileges. Scripts must be placed in the Scripts folder under the GPO's GPT folder in the SYSVOL share.
Additional Local GPO's User Specific GPO
A user-specific GPO can be created for each account (except Guest) in the local Security Accounts Manager (SAM) database.
To access additional GPO's
Add the Group Policy Object Editor snap-in to an MMC. Instead of accepting the default Local Computer Policy, click Browse to open the dialog box, click the Users tab, and select one of the GPOs. Local GPOs are intended to be configured on non-domain computers, because domain GPOs take precedence over local GPOs and administration is centralized by using domain GPOs.
Member Of property
Adds the target group to the groups on the list that it isn't already a member of, but it doesn't remove the target group from its existing memberships.
In The GPMC
All GPOs are stored in the Group Policy Objects folder; GPOs linked to an AD container are displayed as shortcut objects in the container to which they are linked.
Additional Local GPO's Local Non-Administrators GPO
All users who log on to the computer and aren't members of the local Administrators group are affected by settings in this GPO, including domain users when the computer is a domain member.
Additional Local GPO's
Allow different policy settings based on who logs on to the computer. They aren't configured by default, so they have no effect on users until they are configured. They have only a User Configuration node, so their policies are limited to user-related settings.
Account: rename administrator account
Allows you to rename the built-in Administrator account. If set in a domain-based GPO, the Administrator account on all member computers affected by the GPO is renamed. The account's SID (which always ends in -500) is unchanged, so this hides the account from casual guessing but does not protect it from tools that enumerate by SID.
Group policy
Allows administrators to manage most aspects of computer and user environments centrally through Active Directory.
Interactive logon: Number of previous logons to cache
Allows the computer to cache domain logon information locally so that users can log on if no domain controller is available. By default 10 logons are cached; if set to 0, a DC must be available for a domain user to log on to the computer. Cached credential verifiers can be extracted from the registry by a local administrator, so keep the count low on computers that don't need it.
AD folders Computers and Users Page 349
Are not OUs and can't have GPOs linked to them. Only domain-linked and site-linked GPOs affect objects in these folders.
Local GPO's
Are stored on local computers and can be edited with the Group Policy Object Editor snap-in. To use it, add the snap-in to a custom MMC, or enter gpedit.msc at the command line to open an already configured MMC called Local Group Policy Editor.
Computer Configuration Windows Settings Security Settings Account Policies
Contain settings that affect user authentication and logon (password, account lockout, and Kerberos policies). A GPO with settings configured in Account Policies must be linked to the domain for those policies to have any effect on domain logons. If a GPO linked to an OU has Account Policies settings configured, they affect only the local SAM accounts on the computers within the GPO's scope. The Default Domain Policy is configured with the default account policy settings, and many administrators keep all account policies in this GPO.
Computer Configuration Windows Settings Security Settings Restricted Groups
Controls group membership for both domain groups and local SAM groups. After the policy is applied, existing members of the target group are removed and replaced with the membership specified in the policy's Members list (the Member Of list only adds memberships, as described under Member Of property).
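The difference between the Members and Member Of properties, as they are stored in the [Group Membership] section of the GPT's GptTmpl.inf and as they act on a computer's groups. This is an added example, not code from the textbook: it parses a constructed GptTmpl.inf fragment and simulates the resulting memberships on a constructed workstation, so it runs anywhere without touching real groups. The CORP\... group names are hypothetical; S-1-5-32-544 and S-1-5-32-555 are the well-known SIDs of BUILTIN\Administrators and BUILTIN\Remote Desktop Users.

```powershell
# Added example (not from the textbook): Restricted Groups semantics, Members (replace) vs Memberof (add).
# The .inf text and the current memberships below are constructed test data.
$gptTmpl = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\Domain Admins,CORP\Workstation Admins
CORP\Helpdesk__Memberof = *S-1-5-32-555
'@

# Current membership on a hypothetical workstation, keyed by group (SID with leading * or DOMAIN\name)
$current = @{
    '*S-1-5-32-544' = [System.Collections.Generic.List[string]]@('Administrator', 'CORP\Domain Admins', 'CORP\OldLocalAdmin')
    '*S-1-5-32-555' = [System.Collections.Generic.List[string]]@('CORP\Remote Users')
}

function ConvertFrom-GroupMembership([string]$Inf) {
    # Returns @{ group = @{ Members = [string[]]; Memberof = [string[]] } } for the [Group Membership] section
    $entries = @{}
    $inSection = $false
    foreach ($line in $Inf -split "`r?`n") {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -notmatch '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }
        $group, $kind, $list = $Matches[1], $Matches[2], $Matches[3]
        if (-not $entries.ContainsKey($group)) { $entries[$group] = @{} }
        $entries[$group][$kind] = @($list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $entries
}

function Invoke-RestrictedGroupsSimulation($Policy, $Membership) {
    foreach ($group in $Policy.Keys) {
        $p = $Policy[$group]
        if ($p.ContainsKey('Members')) {
            # Members is authoritative: the target group ends up with exactly this list,
            # so CORP\OldLocalAdmin is removed. The built-in Administrator account is never
            # removed from BUILTIN\Administrators. An EMPTY Members list empties the group.
            $keep = @($p['Members'])
            if ($group -eq '*S-1-5-32-544' -and $Membership[$group] -contains 'Administrator') { $keep += 'Administrator' }
            $Membership[$group] = [System.Collections.Generic.List[string]]$keep
        }
        if ($p.ContainsKey('Memberof')) {
            # Memberof is additive: the group is added to each listed group; nothing is removed
            # from those groups and the group keeps its other memberships.
            foreach ($parent in $p['Memberof']) {
                if (-not $Membership.ContainsKey($parent)) { $Membership[$parent] = [System.Collections.Generic.List[string]]@() }
                if ($Membership[$parent] -notcontains $group) { $Membership[$parent].Add($group) }
            }
        }
    }
    $Membership
}

$policy = ConvertFrom-GroupMembership $gptTmpl
$result = Invoke-RestrictedGroupsSimulation $policy $current
foreach ($g in ($result.Keys | Sort-Object)) { '{0}: {1}' -f $g, ($result[$g] -join ', ') }
```

Two things worth noticing in the output: the Helpdesk entry has only a Memberof line, so Helpdesk's own membership is left alone while Helpdesk gains Remote Desktop Users on every computer in scope; and the Administrators entry has a Members line, so anyone added to the local Administrators group by hand is removed again at the next refresh. A group added to Restricted Groups with an empty Members list is a common mistake that empties the group.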
User Account Control Policies page 363
Determine what happens on a computer when a user attempts an action that requires elevation. When User Account Control is enabled, users with administrative credentials run with regular user privileges (a filtered token) until they elevate. When an action requires admin rights, members of the Administrators group are prompted for consent (or for credentials, depending on the policy), and standard users are prompted for an administrator's credentials. By default the built-in Administrator account runs without elevation prompts because Admin Approval Mode is turned off for it.
Accounts: Guest account status
Disabled by default, but you can enable it with this setting.
Accounts: Administrator account status
Enables or disables the local Administrator account. In client OSs the built-in Administrator account is disabled by default.
Interactive logon: Do not require CTRL+ALT+DEL
If this is enabled, users don't have to press CTRL+ALT+DEL to log on to the local computer. The secure attention sequence is what guarantees that the logon screen is Windows's own and not a program imitating it to capture passwords, so leave this setting disabled.
Managed Policy Setting
Is applied to a user or computer while the object is in the scope of the GPO containing the setting. When the object is no longer in the GPO's scope, or the policy is set to Not Configured, the setting on the user or computer reverts to its original state.
Computer Configuration Windows Settings Security Settings System Services
Manages the startup mode (Automatic, Manual, Disabled) and the security descriptor of services on target computers.
Interactive LOgon: Do not display last user name
Prevents the logon screen from showing the user name of the last user who logged on. Disabled by default.
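A check of the registry values behind the Security Options discussed in these entries, read from the computer after policy has applied, so you can see what a GPO actually wrote rather than what GPMC shows. This is an added example, not code from the textbook. The registry paths and value names are the ones Windows uses for these policies; the Expected column is this example's hardening choice, not a default mandated by the textbook.

```powershell
# Added example (not from the textbook): read the registry values that Security Options write
# and flag weak ones. Run on the target computer after "gpupdate /force".
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$checks = @(
    @{ Policy = 'Accounts: Limit local account use of blank passwords to console logon only'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'
       Test = { param($v) $v -eq 1 }; Want = '1 (enabled)' }
    @{ Policy = 'Microsoft network server: Disconnect clients when logon hours expire'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'EnableForcedLogoff'
       Test = { param($v) $v -eq 1 }; Want = '1 (enabled)' }
    @{ Policy = 'Interactive logon: Do not display last user name'
       Path = $system; Name = 'DontDisplayLastUserName'
       Test = { param($v) $v -eq 1 }; Want = '1 (enabled)' }
    @{ Policy = 'Interactive logon: Do not require CTRL+ALT+DEL'
       Path = $system; Name = 'DisableCAD'
       Test = { param($v) $v -eq 0 }; Want = '0 (disabled; CTRL+ALT+DEL required)' }
    @{ Policy = 'Interactive logon: Message text for users attempting to log on'
       Path = $system; Name = 'LegalNoticeText'
       Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) }; Want = 'non-empty banner' }
    @{ Policy = 'Interactive logon: Number of previous logons to cache'
       Path = $winlogon; Name = 'CachedLogonsCount'                      # stored as REG_SZ
       Test = { param($v) [int]$v -le 4 }; Want = '4 or fewer (default 10)' }
    @{ Policy = 'User Account Control: Run all administrators in Admin Approval Mode'
       Path = $system; Name = 'EnableLUA'
       Test = { param($v) $v -eq 1 }; Want = '1 (enabled)' }
    @{ Policy = 'User Account Control: Admin Approval Mode for the Built-in Administrator account'
       Path = $system; Name = 'FilterAdministratorToken'
       Test = { param($v) $v -eq 1 }; Want = '1 (enabled; default 0)' }
)

function Test-SecurityOptions {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        # A missing value means "not configured"; it is reported for review rather than assumed safe
        $ok    = if ($null -eq $value) { $false } else { [bool](& $c.Test $value) }
        [pscustomobject]@{
            Policy    = $c.Policy
            Current   = if ($null -eq $value) { '(not configured)' } else { $value }
            Expected  = $c.Want
            Compliant = $ok
        }
    }
}

Test-SecurityOptions | Format-Table -AutoSize -Wrap
```

Because these are registry-backed settings, the same script also tells you whether a GPO is actually reaching the computer: a value that is still "(not configured)" after gpupdate means the GPO's scope, filtering, or replication is the problem, not the setting.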
Group policy architecture and functioning involve Replication -
Replication of Active Directory-based GPOs ensures that all domain controllers have a current copy of each GPO. Changes to GPOs can be made on any DC (the GPMC uses the PDC emulator by default) and are replicated to all other DCs.
A GPC is composed of
Several attributes, which you can view on the Attribute Editor tab of its Properties dialog box in Active Directory Users and Computers (with Advanced Features enabled).
File System page 366
The File System node enables an administrator to configure permissions and auditing on files and folders on any computer that falls within the scope of the GPO in which the policy is configured. As with Restricted Groups, there are no File System policies defined by default, so you must add a folder or file and then configure the settings as you would configure permissions and auditing on any file or folder.
Group Policy Scope Page 348
The scope of a group policy defines which objects in AD are affected by the settings in the policy.
Security Filtering page 354
Uses permissions to restrict which security principals a GPO applies to. Like any object in AD, a GPO has a discretionary access control list (DACL) in which security principals are granted permissions on the GPO. User and computer accounts must have both the Read and the Apply Group Policy permissions for a GPO to apply to them. By default the Authenticated Users special identity is granted these permissions on every GPO; Authenticated Users includes both logged-on users and computers. To filter, grant Read and Apply Group Policy to a narrower group and remove Apply Group Policy (but not Read) from Authenticated Users.
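Both filtering types from the entries above, done with the GroupPolicy module: security filtering by adjusting the GPO's DACL, and a WMI filter's WQL query tried locally before the filter is created in GPMC. This is an added example, not code from the textbook; "Workstation Baseline" and the Baseline-Targets group are hypothetical.

```powershell
# Added example (not from the textbook): security filtering and a WMI filter query.
Import-Module GroupPolicy
$gpoName = 'Workstation Baseline'   # hypothetical GPO

# Security filtering: the target group gets Read + Apply Group Policy (GpoApply implies Read).
# Authenticated Users keeps Read but loses Apply: -Replace swaps its level instead of adding to it.
# Do NOT set Authenticated Users to None. Since MS16-072 (KB3163622, June 2016) user policy is
# retrieved in the computer's security context, so every computer must be able to read every GPO
# that targets its users; otherwise those GPOs are silently skipped.
Set-GPPermission -Name $gpoName -TargetName 'Baseline-Targets' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

function Get-GpoFiltering([string]$Name) {
    # Summarize the GPO's DACL as GPMC's Delegation tab shows it
    Get-GPPermission -Name $Name -All | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            Permission = $_.Permission      # GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, ...
            Inherited  = $_.Inherited
        }
    }
}
Get-GpoFiltering $gpoName | Format-Table -AutoSize

# WMI filtering: GPMC runs a WQL query in root\CIMv2 on the client; a non-empty result means
# "apply". Win32_OperatingSystem.ProductType is 1 = workstation, 2 = domain controller,
# 3 = member server; Version LIKE "10.%" restricts to Windows 10 / Server 2016 and later.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1" AND Version LIKE "10.%"'

function Test-WmiFilter([string]$Query) {
    [bool](Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction SilentlyContinue)
}
"Filter query matches this computer: $(Test-WmiFilter $wql)"
# The GroupPolicy module has no cmdlet for creating WMI filters: once the query returns what you
# expect, create it under WMI Filters in GPMC and select it on the GPO's Scope tab.
```

Security filtering answers "who is allowed to apply this GPO"; the WMI filter answers "does this computer currently look like the kind of machine the GPO is for". Both are evaluated on every refresh, so a computer that changes roles or is moved out of the group drops the (managed) settings at its next refresh.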