1.2.8 Group Policy Facts
GPOs are applied in the following order:
1. The Local Group Policy on the computer
2. GPOs linked to the domain that contains the user or computer object
3. GPOs linked to the organizational unit(s) that contain(s) the object (from the highest-level OU to the lowest-level OU)
Policy
A policy is a set of configuration settings applied to users or computers. Group policies allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time. Collections of policy settings are stored in a Group Policy object (GPO). The GPO includes registry settings, scripts, templates, and software-specific configuration values.
Administrative Templates
Administrative templates are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as:
• Use of Windows features such as BitLocker, Offline Files and Parental Controls
• Customization of the Start menu, taskbar or desktop environment
• Control of notifications
• Restriction of access to Control Panel features
• Configuration of Internet Explorer features and options
Computer Configuration
Computer policies (also called machine policies) are enforced for the entire computer and are applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer. Computer policies include:
• Software that should be installed on a specific computer
• Scripts that should run at startup or shutdown
• Password restrictions that must be met for all user accounts
• Network communication security settings
• Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree)
Computer policies are initially applied as the computer boots, and are enforced before any user logs on.
Local Policies/User Rights Assignment
Computer policies include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform these actions. Examples of user rights include:
• Access this computer from the network (the ability to access resources on the computer through a network connection)
• Load and unload device drivers
• Allow log on locally (the ability to log on to the computer console)
• Allow log on through Terminal Services (the ability to log on using a Remote Desktop connection)
• Back up files and directories (does not include restoring files and directories)
• Shut down the system
• Remove a computer from a docking station
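The user rights listed above are stored under well-known privilege names (for example, "Allow log on locally" is SeInteractiveLogonRight). The script below is an added example, not part of the original notes: it exports the local security policy with the built-in secedit tool, parses the [Privilege Rights] section of the resulting .inf file, and lists which accounts currently hold each of the rights named above, resolving SIDs to account names. It must be run from an elevated PowerShell prompt; the file path and the friendly-name table are the example's own choices.

```powershell
# Added example (not from the original page): report who holds the user rights
# discussed above on the local computer. secedit /export is a built-in tool;
# it writes an INI-style .inf file whose [Privilege Rights] section lists
# each privilege followed by the SIDs (prefixed with '*') or names that hold it.
# Run from an elevated prompt.

$cfgPath = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical temp file name
secedit /export /cfg $cfgPath /areas USER_RIGHTS | Out-Null

# Real Windows privilege constants mapped to the names shown in Local Security Policy.
$rightNames = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
    SeBackupPrivilege             = 'Back up files and directories'
    SeShutdownPrivilege           = 'Shut down the system'
    SeUndockPrivilege             = 'Remove a computer from a docking station'
}

function ConvertTo-AccountName {
    param([string] $Token)
    $sidString = $Token.TrimStart('*')                 # secedit prefixes SIDs with '*'
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Token                                          # plain name or unresolvable SID: return as-is
    }
}

# Walk the exported file and emit one object per right of interest.
$inPrivilegeSection = $false
foreach ($line in Get-Content $cfgPath) {
    if ($line -match '^\[(.+)\]$') {
        $inPrivilegeSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inPrivilegeSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    if (-not $rightNames.ContainsKey($right)) { continue }
    $holders = $Matches[2] -split ',' |
        Where-Object { $_.Trim() } |
        ForEach-Object { ConvertTo-AccountName $_.Trim() }
    [pscustomobject]@{
        Right   = $rightNames[$right]
        Holders = ($holders -join '; ')
    }
}

Remove-Item $cfgPath -ErrorAction SilentlyContinue
```

A right that does not appear in the output is held by nobody on that computer. Reviewing this list periodically (in particular "Allow log on through Terminal Services", "Load and unload device drivers" and "Back up files and directories") is a quick way to confirm that a GPO's user-rights assignment actually reached the machine.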
Local Policies/Security Options
Security options allow you to apply or disable rights for all users the Group Policy applies to. Examples of Security Options policies include:
• Computer shutdown when Security event log reaches capacity
• Unsigned driver installation
• Ctrl+Alt+Del required for log on
Account Policies
Use Account Policies to control the following:
• Password settings
• Account lockout settings
• Kerberos settings
Account policies are in effect only when configured in a GPO linked to a domain.
File System
Use File System policies to set file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.
Software Restriction Policies
Use software restriction policies to define the software permitted to run on any computer in the domain. These policies can be applied to specific users or all users. You can use software restrictions to:
• Identify allowed or blocked software
• Allow users to run only the files you specify on multi-user computers
• Determine who can add trusted publishers
• Apply restrictions to specific users or all users
User Configuration
User policies are enforced for specific users. User policy settings include:
• Software that should be installed for a specific user
• Scripts that should run at logon or logoff
• Internet Explorer user settings (such as favorites and security settings)
• Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree)
User policies are initially applied as the user logs on, and often customize Windows based on user preferences.
Registry
You can use registry policies to:
• Configure specific registry keys and values
• Specify if a user can view and/or change a registry value, view sub-keys, or modify key permissions
Keep in mind the following about GPOs:
• GPOs can be linked to Active Directory domains, organizational units (OUs), and containers.
• A GPO applied to an OU affects the objects in the OU and its sub-OUs.
• A GPO applied to a domain affects all objects in all OUs in the domain.
• A local GPO is stored on the local machine. Computers that are not part of a domain use the Local Group Policy settings to control security settings and other restrictions of the computer.
Individual settings within all GPOs are combined to form the effective group policy setting as follows:
• If a setting is defined in one GPO and undefined in another, the defined setting will be enforced (regardless of the position of the GPO in the application order).
• If a setting is configured in two GPOs, the setting in the last applied GPO will be used.
NOTE: The Local Group Policy is applied only when there are no GPOs linked to a domain or GPOs linked to an OU applied. GPOs linked to an OU override GPOs linked to a domain when both are applied.
A specific setting in a GPO can be:
• Undefined, meaning that the GPO has no value for that setting and does not change the current setting.
• Defined, meaning that the GPO identifies a value to enforce.
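The application order at the top of these notes and the defined/undefined rules above together determine the effective value of every setting. The following is an added example, not part of the original notes: a small PowerShell model that takes GPOs in application order (Local, Domain, then OUs from highest to lowest) and resolves the effective value per setting, recording which GPO supplied it. The GPO names and setting names are constructed for the example; $null stands for an undefined setting.

```powershell
# Added example (not from the original page): model how the effective value of
# each setting is resolved. $AppliedGpos is in application order. An undefined
# setting ($null) never touches the current value; a defined setting in a later
# GPO replaces whatever an earlier GPO set ("last applied wins").

function Resolve-EffectivePolicy {
    param(
        # Ordered list of GPOs, each a hashtable with Name and Settings
        [Parameter(Mandatory)] [object[]] $AppliedGpos
    )
    $effective = @{}   # setting name -> effective value
    $source    = @{}   # setting name -> GPO that supplied the value

    foreach ($gpo in $AppliedGpos) {
        foreach ($setting in $gpo.Settings.Keys) {
            $value = $gpo.Settings[$setting]
            if ($null -eq $value) { continue }    # Undefined: leave the current value alone
            $effective[$setting] = $value         # Defined: this (later) GPO wins
            $source[$setting]    = $gpo.Name
        }
    }

    foreach ($setting in ($effective.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting = $setting
            Value   = $effective[$setting]
            SetBy   = $source[$setting]
        }
    }
}

# Constructed sample GPOs in application order (hypothetical names and settings).
$appliedGpos = @(
    @{ Name = 'Local Group Policy'
       Settings = @{ RequireCtrlAltDel = $true;  ScreenSaverTimeoutSeconds = 1800;  AllowRemovableStorageWrite = $null } }
    @{ Name = 'Default Domain Policy'
       Settings = @{ RequireCtrlAltDel = $null;  ScreenSaverTimeoutSeconds = 900;   AllowRemovableStorageWrite = $false } }
    @{ Name = 'Corp OU Policy'
       Settings = @{ RequireCtrlAltDel = $null;  ScreenSaverTimeoutSeconds = $null; AllowRemovableStorageWrite = $true } }
    @{ Name = 'Workstations OU Policy'
       Settings = @{ RequireCtrlAltDel = $false; ScreenSaverTimeoutSeconds = $null; AllowRemovableStorageWrite = $null } }
)

Resolve-EffectivePolicy -AppliedGpos $appliedGpos | Format-Table -AutoSize
```

In the sample, the domain GPO's screen saver timeout survives because every later GPO leaves it undefined, while the two settings the OU GPOs do define override the domain and local values. On a real domain member the same ordered list can be obtained with Get-GPInheritance (its InheritedGpoLinks are returned in precedence order) from the GroupPolicy module, and the actual resultant set of policy is shown by gpresult /r or Get-GPResultantSetOfPolicy.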
Local Policies/Audit Policy
• Use Audit Policy settings to configure auditing for events such as log on, account management, or privilege use.
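A practitioner usually wants to confirm that the auditing configured through Group Policy is actually in effect on a given computer. The script below is an added example, not part of the original notes: it queries the local audit configuration with the built-in auditpol tool (CSV output via /r) and flags the logon, account-management and privilege-use subcategories that are set to "No Auditing". The list of subcategories to check is the example's own choice; note that when the advanced (per-subcategory) audit settings are configured, they take precedence over the legacy Audit Policy categories. Run from an elevated prompt.

```powershell
# Added example (not from the original page): report audit subcategories that
# are not generating events. auditpol.exe is built into Windows; /r emits CSV
# with the columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting and Exclusion Setting. Run from an elevated prompt.

$auditRows = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |      # drop any blank lines before the header
    ConvertFrom-Csv

# Subcategories that cover the event types named in the notes (logon,
# account management, privilege use) plus two that detect tampering with auditing itself.
$wanted = @(
    'Logon', 'Logoff', 'Account Lockout',
    'User Account Management', 'Security Group Management',
    'Sensitive Privilege Use', 'Audit Policy Change', 'Process Creation'
)

function Get-AuditGaps {
    param([object[]] $Rows, [string[]] $Subcategories)
    $Rows |
        Where-Object { $Subcategories -contains $_.Subcategory } |
        Sort-Object Subcategory |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
                Audited     = ($_.'Inclusion Setting' -ne 'No Auditing')
            }
        }
}

$report = Get-AuditGaps -Rows $auditRows -Subcategories $wanted
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Audited }
if ($missing) {
    Write-Warning ("Not audited: " + (($missing.Subcategory) -join ', '))
}
```

Subcategories that are listed in $wanted but absent from the report are not present on that Windows version; anything reported with Audited = False will produce no Security log events for that activity, which is the first thing to rule out when a GPO-based audit setting appears not to be working.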