Group Policy

From Wikipedia, the free encyclopedia

Group Policy is a feature of Microsoft Windows NT family of operating systems that provides centralized management and configuration of computers and remote users in an Active Directory environment. It is part of Microsoft's IntelliMirror technologies which aim to reduce the overall cost of supporting users of Windows. These technologies relate to management of disconnected machines or roaming users and include Roaming user profiles, Folder redirection and Offline Files.

Although Group Policy is usually used in enterprise environments, its usage is also common in schools, businesses, and other small organizations to restrict certain actions that may pose potential security risks: for instance, blocking the Windows Task Manager, restricting access to certain folders, disabling downloaded executable files and so on.

Contents 1 Overview 2 The three phases of using Group Policy 2.1 Creating and editing GPOs 2.2 Targeting GPOs 2.3 GPO application 3 Local group policy 4 Security 5 See also 6 External links

[edit] Overview

Group Policy can control a target object's registry, NTFS security, audit and security policy, software installation, logon/logoff scripts, folder redirection, and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs). A GPO is internally referenced by a Globally Unique Identifier (GUID). Each one may be linked to multiple websites, domains or organizational units. This allows for multiple machines or users to be updated via a change to a single GPO in turn reducing the administrative burden and costs associated with managing these resources.

Group Policies use Administrative Templates (ADM/ADMX) files to describe where registry-based policy settings are stored in the registry. Administrative Templates essentially describe the user interface that administrators see in the Group Policy Object Editor snap-in. On a single workstation, administrative templates are stored in the %WinDir%\Inf folder, while on a domain controller, they are stored for each domain GPO in a single folder called the Group Policy Template (GPT) in the Sysvol folder. ADMX is the new XML-based file format introduced in Windows Vista which contain configuration settings for individual GPOs.

User and computer objects may only exist once in the Active Directory but often fall into the scope of several GPOs. The user or computer object applies each applicable GPO. Conflicts between GPOs are resolved at a per attribute level.

Group Policies are analyzed and applied at startup for computers and during logon for users. The client machine refreshes most of the Group Policy settings periodically, the period ranging from 60-120 minutes and controlled by a configurable parameter of the Group Policy settings.

Group Policy is supported on Windows 2000, Windows XP Professional, Windows Vista, Windows Server 2003 and Windows Server 2008. Windows XP Media Center Edition and Windows XP Professional computers not joined to a domain can also use the Group Policy Object Editor to change the group policy for the individual computer. This local group policy however is much more limited than GPOs for Active Directory.

In June 2006 Centrify Corporation announced Group Policy support for Mac OS X using their DirectControl software.

[edit] The three phases of using Group Policy

Group Policy can be considered in three distinct phases - GPO creation, targeting of the GPO and application of the GPO.

[edit] Creating and editing GPOs

GPOs are created and edited through two tools - the Group Policy Object Editor (Gpedit.msc) and the freely downloadable Group Policy Management Console (GPMC). GPEdit is used to create and edit single Group Policy Objects one at a time. Prior to GPMC, administrators wanting to document or inventory previously deployed GPOs would have to use Active Directory Users and Computers (ADUC) to interrogate each organizational unit individually, a very time-consuming and error-prone task. The GPMC simplified GPO management by providing tools to manage large numbers of group policies collectively. GPMC provides a number of features including GPO settings summarization, a simplified security pane for group filtering, GPO backup/restoration/cloning and more within a GUI that mimics ADUC. Editing a GPO from within GPMC still launches GPEdit. The friendly name of a GPO can also be determined from its GUID by using GPOTool.exe. This tool outputs all GPO GUIDs and their corresponding friendly name.

[edit] Targeting GPOs

After a GPO has been created it can be linked to an Active Directory site, domain or OU (Organizational Unit). It is most common for GPOs to be linked to Organizational Units.

[edit] GPO application

The Group Policy client operates on a "pull" model - every so often (a randomized delay of between 60 and 120 minutes, although this offset is configurable via Group Policy) it will collect the list of GPOs appropriate to the machine and logged on user (if any). The Group Policy client will then apply those GPOs which will thereafter affect the behavior of policy-enabled operating system components and applications.

[edit] Local group policy

Local group policy (LGP) is a more basic version of the group policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure the group policy for a single local computer, but unlike Active Directory group policy, can not make policies for individual users or groups. It also has many fewer options overall than Active Directory group policy. The specific-user limitation can be overcome by using the Registry Editor to make changes under the HKCU or HKU keys. LGP simply makes registry changes under the HKLM key, thus affecting all users; the same changes can be made under HKCU or HKU to only affect certain users. Microsoft has more information on using the Registry Editor to configure group policy available on TechNet. [1]. LGP can be used on a computer on a domain, and can it be used on Windows XP Home Edition.

Windows Vista supports Multiple Local Group Policy Objects which allows setting local group policy for individual users.

[edit] Security

A problem with the per-user policies is that they're only enforced voluntarily by the targeted applications. A malevolent user can interfere with the application so that it cannot successfully read its Group Policy settings (thus enforcing potentially lower security defaults) or even return arbitrary values. The user can also create a copy of the application at a writable location, and modify it such that it ignores the settings. One should rather see it that the Group Policy helps the user provide some safe defaults to help him enforce security for himself.

[edit] See also

• Group Policy improvements in Windows Vista
• Administrative Templates

[edit] External links

• Microsoft Group Policy page
• The Group Policy Management Console (GPMC)
• Step-by-Step Guide to Managing Multiple Local Group Policy Objects
• Group Policy Settings (in Excel format) and registry key equivalents, from Microsoft

v • d • e Microsoft Windows components Core Aero · ClearType · Desktop Window Manager · DirectX · Explorer · Taskbar · Start menu · Shell (namespace · Special Folders · File associations) · Search (Saved search · iFilters) · Graphics Device Interface · WIM · Next Generation TCP/IP stack (Server Message Block) · .NET Framework · Audio · Printing (XML Paper Specification) · Active Scripting (WSH · VBScript · JScript) · COM (OLE · OLE Automation · DCOM · ActiveX · ActiveX Document · Structured storage · Transaction Server) · Previous Versions · WDDM · UAA · Win32 console Management tools Backup and Restore Center · command.com · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Event Viewer · Management Console · Netsh · Problem Reports and Solutions · Sysprep · System Configuration · Task Manager · System File Checker · System Restore · Windows Installer · Windows PowerShell · Windows Update · WinSAT · Windows Easy Transfer Applications Calculator · Calendar · Character Map · Contacts · DVD Maker · Fax and Scan · Internet Explorer · Journal · Mail · Magnifier · Media Center · Meeting Space · Mobile Device Center · Mobility Center · Movie Maker · Narrator · Notepad · Paint · Photo Gallery · Private Character Editor · Remote Assistance · Sidebar · Snipping Tool · Sound Recorder · Windows Media Player (11) · Windows Speech Recognition · WordPad Games Chess Titans · FreeCell · Hearts · Hold 'Em · InkBall · Mahjong Titans · Minesweeper · Purble Place · Solitaire · Spider Solitaire Kernel Ntoskrnl.exe · hal.dll · System Idle Process · Svchost.exe · Registry · Windows service · Service Control Manager · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection Services Autorun · BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Windows Error Reporting · Multimedia Class Scheduler · CLFS File systems NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · FAT32·FAT16·FAT12 · exFAT · CDFS · UDF · DFS · IFS Server Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows SharePoint Services · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Network Access Protection · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · Windows System Resource Manager · Hyper-V Architecture NT series architecture · Object Manager · Startup process (Vista) · I/O request packets · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows Resource Protection · LSASS · CSRSS · SMSS Security UAC · BitLocker · Defender · DEP · Protected Media Path · Mandatory Integrity Control · UIPI · Windows Firewall · Security Center Compatibility Unix subsystem (Interix) · Virtual DOS Machine · Windows on Windows · WOW64