
Group Policy FAQ

By on Wednesday, November 28, 2007 4:32 PM

Some frequently asked questions about Group Policy.

1. What is Group Policy?

Group Policy is an important and powerful feature included with Windows 2000 Active Directory. If you are familiar with System Policies in Windows NT you know that they had limitations: settings applied in the registry were sometimes difficult to reverse (commonly known as tattooing the registry), and it was nearly impossible to limit the scope of System Policies so that they did not apply to the entire domain (including Administrators and Servers).

Group Policy has very few of the limitations that System Policy had. Functionality has been provided for registry-based policy settings, security settings, software installation, scripts (computer start-up and shutdown, user logon and logoff), folder redirection, Software Distribution and can be extended to include more. Group Policy includes hundreds of settings that can be defined centrally by an administrator.

Group Policy is now much more scalable, using a variety of methods to control which Group Policies are applied and which objects they are applied to; this is commonly known as Scope of Management (SOM). Group Policy Objects can be linked (applied) to groups of users or computers based on the organisation structure; all members of an OU, for example, would have the same GPO(s) applied. Group Policy Objects can also be applied based on the computer's network location, for example to all computers in the same AD Site (a group of IP subnets), or at the Domain level.

As well as applying Group Policies at the Domain, AD Site and OU level, each Group Policy Object has an ACL, so you can Apply or Deny a Group Policy Object based on a user's or computer's group membership. This is known as Group Filtering.

In addition to Group Filtering, Microsoft introduced WMI filters in Windows 2003/Windows XP (see the question on WMI Filters below for more detail). WMI was made an integral part of the Windows 2000 (and then XP/2003) operating system and provides access to nearly every hardware and software object in the computing environment, such as free disk space, total physical memory, network card configuration, hardware chassis type etc. Using a WMI Filter an administrator can ensure that only computers matching specific criteria (for example "All computers running Windows XP") will have a GPO applied.

As you can see, Group Policy is a very powerful and scalable tool that can be used to help manage your client, user and server environments from a central location.

 
2. What tools can I use to manage Group Policy?


With the original release of Windows 2000 Active Directory, Microsoft provided us with the Group Policy Editor and ADUC. This did not fulfil the requirements, especially in medium to large enterprise environments, where GPOs soon became too difficult to manage using the provided tools.

So Microsoft (and other third parties) produced tools to help manage GPO. Some of the better known tools include:

 

3. What should I consider when deploying Group Policy?

This will vary depending on your delegation and organisation requirements; however, some common pointers are:

  • Use the Default Domain Policy solely for Domain Account Policy settings. Remember that all settings in this policy are applied to all Users and Computers in the domain, so you should limit the number of settings made in this GPO
  • Use OUs to group computer objects that will share the same configuration, an example would be to separate Clients from Servers
  • Use OUs to group user objects that will share the same configuration, an example would be to separate Admins from Standard Users
  • Make sure you allow for exceptions to the standard configurations you are applying
  • Think about how you will implement group based filtering to further define the scope of a GPO
  • Think about how you will implement WMI based filtering to further define the scope
  • Take care in your design to reduce or eliminate altogether the use of ‘No Override’ and ‘Block Inheritance’
  • Define a standard and descriptive Naming Convention for your GPOs

The following white paper will assist you further in planning your deployment:

http://www.microsoft.com/downloads/details.aspx?familyid=3ada804c-ba20-479d-9014-8f29427f3d96&displaylang=en


4. How can I configure Group Policy Refresh? 

Group Policy Objects apply at computer start-up and user logon (known as foreground refresh). In addition, the Group Policy Client-Side Extensions (CSEs) also apply in the background at default intervals, so in most cases there is no need to wait for a reboot or user logoff to apply new settings.

Group Policy Refresh is configurable using the Group Policy Management Console/Group Policy Editor. The Group Policy settings are stored in Computer Configuration/Administrative Templates/System/Group Policy. You can adjust the interval in which clients apply GPO and what is applied during the refresh.

The Group Policy refresh interval is fully configurable for Computers and Domain Controllers; the default is 90 minutes for Computers and 5 minutes for Domain Controllers.

  • To adjust this setting on computers (anything other than Domain Controllers) open the GPMC and edit the Group Policy Object that will be applied to all client objects. Open the path mentioned above and change the Group Policy refresh interval for computers.
  • To adjust this setting on Domain Controllers open the GPMC and edit the Default Domain Controllers Policy (this is a standard GPO). Open the path mentioned above and change the Group Policy refresh interval for Domain Controllers.


Before reducing this refresh interval you should take into consideration the overhead it will have on the network and other infrastructure. For example, reducing the refresh interval to every few minutes will have an impact on your infrastructure, as the client has to contact a domain controller each time a Group Policy refresh is triggered. So far we have found no reason to alter the default settings.

You can also turn off background processing altogether using the 'Turn off background refresh of Group Policy' setting. This could be helpful in situations where enforcing settings in the background may interrupt or affect a running application; in this case you might only want to enforce policy settings when the computer restarts and the user logs on.

 
5. What settings are not updated during a Background Group Policy Refresh?

Most Group Policy extensions are processed during a background refresh, however two are not:

  • Folder Redirection
  • Software Installation Policies


Both of these extensions are only processed during computer start-up and user logon, as applying these policies during a user's logon session may produce undesired results. For example, should a Software Installation Policy apply whilst a user is logged on, it is possible that the user could be using an application that this policy will try to upgrade or uninstall. This is not great for the user should their application stop working while they're still using it!

Some additional information on configuring Folder Redirection processing on Windows XP can be found on this page.

 
6. How can I enforce a GPO setting each time background refresh is made?


It may be necessary for a policy setting to be applied even when the Group Policy Objects have not changed. By default, the client-side extensions will only process Group Policy when an object or setting on the domain's System Volume (SYSVOL share) has changed (there is an exception to this rule for Security Policies, explained in 'How frequently are Security Policies applied?' below).

For example, if you were to create a GPO, apply it to all user accounts in your organisation and configure the Internet Explorer default home page, the setting would be made in each user's browser. However, without any special configuration in the GPO, the user can simply change the home page to something else and the setting will not be reversed by the GPO until the object is next changed or updated by the Group Policy administrator. In this situation it would be much better to reapply the setting from the GPO at each background refresh or logon to reverse the user's change.

When you use Group Policy to specify central settings you want to ensure that they are set on the client without the user being able to change them. To do this you must configure the specific Group Policy client-side extension to 'Process even if the Group Policy Object has not changed'.

Open Computer Configuration/Administrative Templates/System/Group Policy and select the client extension you wish to change. In the case of the above example we would select ‘Internet Explorer Maintenance policy processing’ and select the ‘Process even if the Group Policy Object has not changed’ checkbox.


 
7. How frequently are Security Policies applied?

As we have seen, Group Policy updates are dynamic and occur at specific intervals in the background. If there have been no changes to Group Policy, the client computer still refreshes the security policy settings at regular intervals for the Group Policy object (GPO).

If no changes are discovered, GPOs are not processed, but the security policies are. For security policies, there is a registry value that sets a maximum limit of how long a client can function without reapplying non-changed GPOs. By default, this setting is every 16 hours plus the randomized offset of up to 30 minutes. Even when GPOs that contain security policy settings do not change, the policy is reapplied every 16 hours.

Although we have never seen a reason to change this interval, the following article describes how to configure this.

http://support.microsoft.com/?kbid=277543

 
8. Are there any guidelines for applying Security Policy through GPO?


Yes, Microsoft has kindly provided us with the Windows 2003 Security Guide. This is very helpful for planning your security implementation and even provides some pre-configured security templates you can directly load into your Group Policy Object.

Please see the following link for more information:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/win2003/w2003hg/sgch00.asp

To import one of these templates into a GPO, right-click the GPO in the GPMC and select 'Edit', open Computer Configuration/Windows Settings and right-click Security Settings. Select 'Import Policy' and browse to the downloaded '.inf' template. (The templates are text files, so they can be viewed using any text editor.)


9. Where can I find the GUIDs and DLL names for each GP Client-Site Extension (CSE)?

It is often helpful to know the GUIDs of each GP CSE, especially when troubleshooting a GPO problem.

To locate the GUID for each Group Policy extension look under:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Some of the main ones are:

  • Application Management {C6DC5466-785A-11D2-84D0-00C04FB169F7}
  • Folder Redirection {25537BA6-77A8-11D2-9B6C-0000F8080861}
  • IP Security {E437BC1C-AA7D-11D2-A382-00C04F991E27}
  • Scripts {42B5FAAE-6536-11D2-AE5A-0000F87571E3}
  • Security {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

The following link explains the process of identifying Group Policy Client-Side Extensions:

http://support.microsoft.com/kb/216357
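As an added example (PowerShell written for this page, not code from the original FAQ), the following lists the CSEs registered under that key, with their GUID, display name and DLL, together with two per-extension values that relate to questions 6 and 7: NoGPOListChanges, which is 1 when the extension is skipped if no GPO has changed (the 'Process even if the Group Policy Object has not changed' setting turns that off), and MaxNoGPOListChangesInterval, which the Security extension uses as its forced reapply interval in minutes (960, i.e. 16 hours, by default). The function names are my own; the key and value names are Windows' own.

```powershell
# Added example (not from the original FAQ): enumerate the Group Policy
# client-side extensions registered on this computer. Each subkey under
# GPExtensions is the CSE GUID; its default value is the display name and
# DllName is the DLL that implements it. Run in an elevated prompt to be safe.
$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GPClientSideExtension {
    Get-ChildItem -Path $gpExtKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Guid                        = $_.PSChildName
            Name                        = $props.'(default)'
            DllName                     = $props.DllName
            # 1 = skip this CSE when no GPO in the list changed; 0 or absent = always process
            NoGPOListChanges            = $props.NoGPOListChanges
            # Security CSE only: minutes before unchanged security policy is reapplied (960 = 16 h)
            MaxNoGPOListChangesInterval = $props.MaxNoGPOListChangesInterval
        }
    } | Select-Object Guid, Name, DllName, NoGPOListChanges, MaxNoGPOListChangesInterval
}

# Extensions that are reapplied at every refresh even if nothing changed.
function Get-AlwaysProcessedCSE {
    Get-GPClientSideExtension | Where-Object { -not $_.NoGPOListChanges }
}

Get-GPClientSideExtension | Sort-Object Name | Format-Table -AutoSize
Get-AlwaysProcessedCSE | Select-Object Name, Guid
```

When troubleshooting, the GUID column is what you match against Userenv.log or the event log entries, and the DllName column tells you which binary to check if a CSE is reported as failing to load.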

 

10. How can I set Group Policy Verbose logging?


In order to troubleshoot Group Policy more effectively you can enable verbose logging.

Enable Logging to Userenv.log:

Registry Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: UserenvDebugLevel = REG_DWORD 0x10002

A full log of GPO activities will then be written to %systemroot%\Debug\UserMode\Userenv.log


Set this key to start verbose logging to the Application Event Log:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

Set: RunDiagnosticLoggingGroupPolicy = REG_DWORD 1

A more comprehensive log of Group Policy activity will then be written to the Application Event Log.

More help can be found on GPO troubleshooting on the following link:

http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp
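The two registry changes above, as an added PowerShell example (written for this page, not part of the original FAQ). The Diagnostics key frequently does not exist yet and has to be created first, and both values must be REG_DWORD, so the script sets the type explicitly; the function names are my own, the paths and value names are those given above. The Userenv.log file applies to Windows 2000/XP/2003, which is what the FAQ covers.

```powershell
# Added example (not from the original FAQ): switch verbose Group Policy
# logging on and off, and report the current state. Needs an elevated prompt.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$diagKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'

function Enable-GPVerboseLogging {
    # 0x10002 = log to file (0x10000) + verbose (0x2), written to Userenv.log
    Set-ItemProperty -Path $winlogonKey -Name UserenvDebugLevel -Value 0x10002 -Type DWord
    # The Diagnostics key is usually absent on a fresh system; create it before writing the value
    if (-not (Test-Path -Path $diagKey)) { New-Item -Path $diagKey | Out-Null }
    Set-ItemProperty -Path $diagKey -Name RunDiagnosticLoggingGroupPolicy -Value 1 -Type DWord
}

function Disable-GPVerboseLogging {
    # Removing the values returns both logs to their default behaviour
    Remove-ItemProperty -Path $winlogonKey -Name UserenvDebugLevel -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $diagKey -Name RunDiagnosticLoggingGroupPolicy -ErrorAction SilentlyContinue
}

function Get-GPVerboseLoggingState {
    $level = (Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue).UserenvDebugLevel
    $diag  = (Get-ItemProperty -Path $diagKey -ErrorAction SilentlyContinue).RunDiagnosticLoggingGroupPolicy
    New-Object PSObject -Property @{
        UserenvDebugLevel               = if ($level -ne $null) { '0x{0:X}' -f $level } else { '(not set)' }
        RunDiagnosticLoggingGroupPolicy = if ($diag -ne $null) { $diag } else { '(not set)' }
        LogFile                         = Join-Path -Path $env:SystemRoot -ChildPath 'Debug\UserMode\Userenv.log'
    }
}

Enable-GPVerboseLogging
Get-GPVerboseLoggingState | Format-List
```

Turn the logging off again once the problem is found; Userenv.log grows quickly with verbose output and is not trimmed automatically.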


11. How do I use WMI Filters to control the scope of Group Policy, and what are they?

New to Windows 2003 and Windows XP, you can use WMI filters to control the application of GPOs. Each GPO can be linked to one WMI filter, however, the same WMI filter can be linked to multiple GPOs. Before you can link a WMI filter to a GPO, you must create the filter. The WMI filter is evaluated on the destination computer (running either Windows XP or Windows Server 2003) during processing of Group Policy. The GPO will only apply if the WMI filter evaluates to TRUE. On Windows 2000–based computers, the WMI filter is ignored and the GPO is always applied.

In this example, an administrator wants to deploy an enterprise monitoring policy, but wants to target only Windows XP Professional–based computers. The administrator can create a WMI filter such as the following:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

Most WMI filters use the Root\CimV2 namespace, and this option is populated by default in the GPMC user interface.

Because WMI filters are ignored on Windows 2000-based computers, a filtered GPO will always be applied on them. However, you can work around this by using two GPOs and giving the one with Windows 2000 settings higher precedence (using link order). Then use a WMI filter for that Windows 2000 GPO, and only apply it if the operating system is Windows 2000, not Windows XP Professional. The Windows 2000-based computer will receive the Windows 2000 GPO and will override the settings in the Windows XP Professional GPO. The Windows XP Professional client will receive all the settings in the Windows XP Professional GPO.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dmebb_gpu_yxso.asp
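Because a filter is evaluated on the destination computer and the GPO only applies when the query returns something, the quickest way to check a filter before linking it is to run the same WQL locally. The following PowerShell is an added example written for this page (not code from the FAQ): the XP query is the FAQ's own, the other queries are constructed examples that go a little beyond the text (a version-based filter for Windows 2000 and a free-disk-space filter, one of the WMI properties question 1 mentions), and the function name is mine.

```powershell
# Added example (not from the original FAQ): evaluate WMI filter queries on
# the local computer. A filter is TRUE only when the query returns at least
# one instance; an empty result means the GPO would be skipped here.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # the namespace the GPMC fills in by default
    )
    $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

# Show the exact Caption this computer reports: an '=' comparison must match it
# character for character, including any leading or trailing blank.
$os = Get-WmiObject -Class Win32_OperatingSystem
"Caption on this computer: '$($os.Caption)', Version $($os.Version)"

# Constructed example filters; only the first is from the FAQ itself.
$filters = @(
    @{ Name  = 'XP Professional, exact caption (FAQ example)'
       Query = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"' },
    @{ Name  = 'XP Professional, tolerant of stray blanks'
       Query = 'Select * from Win32_OperatingSystem where Caption like "%Windows XP Professional%"' },
    @{ Name  = 'Windows 2000 (kernel version 5.0.x)'
       Query = 'Select * from Win32_OperatingSystem where Version like "5.0%"' },
    @{ Name  = 'At least 1 GB free on C:'
       Query = 'Select * from Win32_LogicalDisk where DeviceID = "C:" and FreeSpace > 1073741824' }
)

foreach ($f in $filters) {
    $applies = Test-WmiFilterQuery -Query $f.Query
    '{0,-45} -> {1}' -f $f.Name, $(if ($applies) { 'TRUE (GPO would apply)' } else { 'FALSE (GPO skipped)' })
}
```

Prefer a Version or `like` comparison over an exact Caption match when you can: the Caption string varies between editions and service levels, and a filter that silently evaluates to FALSE leaves the GPO unapplied with no error on the client.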

 
13. Can I use Group Policy to control System Services? 

A really nice new feature of Group Policy is the ability to apply Security settings to individual services running on groups of computers in your organisation.

The ability to delegate control (stop, start, pause etc) of a single service was always quite high in demand from Administrators, now this is possible through Group Policy. This feature is not available directly through the OS or the Computer Local Group Policy.

http://support.microsoft.com/?kbid=256345

 

14. How can I delegate Group Policy Tasks?


You can delegate Group Policy tasks to users who are not members of the Domain Admins or Group Policy Creator Owners groups. There are two different roles you can delegate: the permission to create and edit GPOs, and the permission to link Group Policy Objects. These can be completely separate roles if required.

Here are two of the easiest methods:

To delegate GPO creation/ownership to a user or group:

  • Open the GPMC and select 'Group Policy Objects' in the tree view. In the right-hand pane you should see two tabs, Contents and Delegation. Select 'Delegation' and add the user or group you want to delegate to.

To delegate the permission to link GPOs to an OU:

  • Open the GPMC and select the OU in which you would like to assign the delegation. In the right-hand pane you should see three tabs; select the 'Delegation' tab and add the user or group you want to delegate to.

The same two delegations can be scripted with the sample scripts that ship with the GPMC:

  • SetGPOCreationPermissions.wsf
  • SetSOMPermissions.wsf

 
15. How can I create custom template (ADM) files to extend Group Policy?

If you are familiar with System Policy from the NT4 world, you could create your own policy templates using any text editor. The same applies to Group Policy. The ADM files are editable in Notepad, and the easiest way to start is usually to copy the format directly from an existing Microsoft ADM file. The standard Administrative Templates can be found in the %systemroot%\INF directory; system.adm contains the main settings for Group Policy Administrative Templates.

The following white paper describes how to create additional templates and discusses the considerations you should make during this:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/regappgp.asp

To include your own custom templates in a Group Policy Object, open the GPMC, right-click the name of the GPO you want to edit and select Edit from the menu. Open either the User or Computer Configuration tree, right-click Administrative Templates, select Add/Remove Templates and browse to the new templates you want to add.

The following article also covers adding custom Templates to Group Policy:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307732

A great site for custom ADM files:

http://thethin.net/tsdownload.cfm#policies

 
16. Can I use Group Policy to configure MS Office 2000/2003?


This is possible by using the custom template (adm) files provided with the Office Resource Kits. You can download the Office 2000 or Office 2003 resource kits from Microsoft's website (http://www.microsoft.com/office/ork/2003/default.htm).

Once installed on your workstation, browse to the %SYSTEMROOT%\INF folder, where you will find some new ADM files; these are listed in the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307732

(Note: in Office 2003 the template file names end in "11" rather than "10"; for example, when you install the Office 2003 Resource Kit the Access template file will be named Access11 and not Access10 as in the Office 2000 Resource Kit.)

To include these templates in a Group Policy Object, open the GPMC, right-click the name of the GPO you want to edit and select Edit from the menu. Open either the User or Computer Configuration tree, right-click Administrative Templates, select Add/Remove Templates and browse to the new templates you want to add.

 
17. I added a custom template in the Group Policy Editor but not all the policy settings appear in the Administrative Templates tree, how can I view these?

Registry based Group Policy is separated into two separate categories, ‘Policy’ and ‘Preference’.

The ‘Policy’ settings are those defined under nominated Group Policy registry keys for the user or computer. The key locations are:

Computer policy:

HKLM\Software\Policies (preferred)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies


User policy:

HKCU\Software\Policies (preferred)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

The above registry keys have special permissions applied to them that prevent a standard user from changing these settings directly through the registry editor.

‘Preference’ settings are any policy settings that are not contained under these registry keys. These settings are considered preference as the user can potentially change them.

By default in the GPMC and the Group Policy Editor you cannot view these settings. You must make the following change in the Group Policy Editor:

  • Open the GPO you wish to edit (in GPMC right-click the GPO and select Edit)
  • Open the Computer (or User, depending on your GPO) Configuration tree
  • Highlight Administrative Templates
  • Right-click Administrative Templates
  • Select View
  • Select 'Filtering'
  • Deselect the option 'Show only policy settings that can be fully managed'


There are some other helpful features in the View/Filtering menu you might want to try out, such as showing only those policy settings that are configured.

 
18. How can I give non-GPO Admins a view of the settings in my Group Policy Objects?


The Group Policy Management Console will permit users who do not have full edit rights on a Group Policy Object to view the information in HTML format. As with most features in the GPMC, this is also scriptable so you could run a script to generate the reports and publish them on your Intranet.

The script GetReportsForAllGPOs.wsf can be found in PROGRAM FILES\GPMC\SCRIPTS after you have installed the GPMC on your workstation.

 
19. How can I view the contents of my Group Policy Object in the SYSVOL share?

You must get the GUID of the GPO from the Group Policy container (information contained in the directory service) and then match this to the Group Policy template (information contained in the SYSVOL on a domain controller).

To do this, open the GPMC and select the GPO you would like to work with. In the right-hand pane select the ‘Details’ tab. Make a note of the Unique ID, this is the GUID of the GPO.


In Explorer, navigate to the SYSVOL share. As this is a DFS root you can access it through \\mydomain.com\sysvol and you will be connected to the nearest domain controller.


Open the sub-directory \\mydomain.com\sysvol\mydomain.com\Policies and open the directory with the same name as the GPO's GUID.

Now you can view the contents of the directory structure.

There is also a very helpful tool called GPOTool.exe which ships with the Windows 2000 Resource Kit, this tool can verify the consistency of Group Policy in your domain(s) to ensure replication is working correctly.
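The GUID-to-folder matching described above can be done in one lookup, because each GPO's Group Policy container (under CN=Policies,CN=System in the domain partition) carries a gPCFileSysPath attribute holding the SYSVOL path of its Group Policy template. The following PowerShell is an added example written for this page, not code from the FAQ or the GPMC: it uses plain ADSI so it needs no GPMC scripts or extra modules, and must run on a domain-joined computer. The function name is mine; the attribute names are Active Directory's own, and the Default Domain Policy is used as test input because every domain has one.

```powershell
# Added example (not from the original FAQ): resolve a GPO display name to its
# GUID and its SYSVOL folder by searching the Group Policy containers in AD.
function Get-GPOSysvolPath {
    param([Parameter(Mandatory = $true)][string]$DisplayName)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
    # Escape the LDAP filter metacharacters (RFC 4515) so a name containing ( ) * \ cannot alter the query.
    $escaped = $DisplayName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter      = "(&(objectClass=groupPolicyContainer)(displayName=$escaped))"
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'displayName', 'gPCFileSysPath', 'versionNumber'))

    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DisplayName = [string]$r.Properties['displayname'][0]
            # cn of the container is the GUID shown as 'Unique ID' on the GPMC Details tab
            Guid        = [string]$r.Properties['cn'][0]
            # full path of the Group Policy template folder in SYSVOL
            SysvolPath  = [string]$r.Properties['gpcfilesyspath'][0]
            # AD-side version number; compare with GPT.INI in SysvolPath when chasing replication problems
            Version     = [int]$r.Properties['versionnumber'][0]
        }
    }
}

# The Default Domain Policy exists in every domain (well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}).
$gpo = Get-GPOSysvolPath -DisplayName 'Default Domain Policy'
$gpo | Format-List
Get-ChildItem -Path $gpo.SysvolPath -Recurse | Select-Object FullName
```

If the search returns an object but the SysvolPath folder is missing or its GPT.INI version differs from the AD Version, you are looking at exactly the container/template inconsistency that GPOTool.exe reports.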

 
20. Where can I find a list of all Group Policy Configuration Settings?


MS provide a spreadsheet with the default settings, if you add any custom ADM files to your GPOs then you will need to document these settings yourself or reference the application’s documentation.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7821c32f-da15-438d-8e48-45915cd2bc14

 
 
21. Is it possible to automate common Group Policy tasks?

Yes. Most functions of the Group Policy Management Console are scriptable. When you install the GPMC you get an excellent set of example scripts (in both VBScript and JScript) which in most cases can be used straight out of the box, with little or no modification.

We also created a wrapper .NET class that can be used in ASP.NET applications. Now, of course, you can use PowerShell; www.gpoguy.com provides some cmdlets.


22. Can I control Local Group Memberships using Group Policy?


A new feature in Group Policy is the control of local group memberships on workstations or servers. This feature can be useful but is often found a little restrictive, because the groups/users you set as members of the local group will be the only members; all other groups or users will be removed. You can configure Restricted Groups in the Group Policy Editor under Computer Configuration/Windows Settings/Security Settings/Restricted Groups.


This is great in highly standardised, highly secure environments but for the most part you may just want to add a group to the local group and leave the existing membership as is. This can be done using a start-up script.

The example below is a batch file you can use to update the local Administrators group:

--------------

@echo off
rem Adds the domain group alongside the existing local Administrators members; replace domain\group_name with your group.
net localgroup Administrators /add "domain\group_name"

--------------


Save the file as a .bat file and configure the script to run as a computer start-up script from the GPO being applied to all Computers in your organisation by adding the script in Computer Configuration/Windows Settings/Scripts.

This script will now run at computer start-up and update the local administrators group.

 
23. I am trying to apply Security Zone settings to my Client through GPO, but the changes are not being applied?

The following MS article explains how to resolve this problem:

http://support.microsoft.com/default.aspx?scid=kb;en-us;311511

 

24. Why does Folder Redirection not apply to my Windows XP clients at first logon?


One of the main considerations when working with Folder Redirection is that the setting only applies when Group Policy is applied synchronously. Background Group Policy refresh (every 90 minutes by default) is also considered asynchronous processing, which is why Folder Redirection never applies until the user logs off and on again.

XP clients have a mode called 'Fast Logon Optimization'. When this is set, XP does not wait for a network connection before starting Windows; it loads the desktop using cached credentials and then, when the network becomes available, GPOs are applied in the normal order. This is treated as asynchronous GPO processing, so Folder Redirection will not apply!

The XP system then sets a flag recording that the GPO was applied but Folder Redirection was not because it was processed asynchronously, so at the next user logon the flag forces the GPO to apply Folder Redirection. So for the setting to apply when XP is in Fast Logon mode it takes two reboots (or two logoffs).

'Fast Logon Optimization' can be switched off so the behaviour returns to that of a Windows 2000 client; the policy setting for this is:

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer  

 
25. I get a "[strings] section is too long..." error when editing a GPO. 

The following article explains the problem and provides a download to fix it:

http://support.microsoft.com/default.aspx?kbid=842933

 
26. My SysVol is filling up with ADM files! How can I go about fixing this?


SysVol can certainly increase in size depending on the number of GPOs you have in your domain. Without GPOs it is possible your SysVol could be quite small, maybe only holding a few KB of login scripts.

This can be problematic if, for example, you have >100 MB of ADM files in your SysVol and a DC at a remote location dies a death. Upon rebuilding the DC you have to replicate this information across a slow WAN link.

It doesn't have to be this way! By following the guide described within the link below you no longer have to store your ADM files in SysVol, provided you always administer GPOs from a single location (the location where you keep your most current ADM files).

http://support.microsoft.com/?id=816662#XSLTH4236121121120121120120

  
27. Is there a good mailing list (like ActiveDir.org) dedicated to Group Policy discussion?

Darren Mar-Elia runs an excellent discussion list at http://www.gpoguy.com/lists.htm
 


Copyright 2009 ActiveDir.org