Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
policy restricted an administrator from performing a specific function, the policy would
need to be changed and reapplied before the administrator could perform the function.
Starting with Windows Vista and Windows Server 2008 including continued support in
Windows 7 and Windows Server 2008 R2, additional user-only policies can be created to
provide override settings to either further restrict or reduce security to allow the particular
user to perform their tasks. As an example, if the local computer policy setting was
enabled to remove the Display applet from Control Panel, no users would be able to
access and modify the display settings of the system. If an Administrators local group
policy was created, this same setting could be set to disabled and any users who are
members of the local Administrators group would then have access to the Display Control
Panel settings.
1026
CHAPTER 27
Group Policy Management for Network Clients
For local administrators, the Administrators local group policy can be configured as stated
previously. Additionally, separate local user policies can be created for the Non-
Administrators users. If the system has local user accounts, specific local user policies can
be created for each user. This allows for very granular assignment of rights and functionality
for systems that use local accounts but require specific configurations and security
settings on a per-user basis.
By default, users logging on to Windows Server 2008, Windows Server 2008 R2, Windows
Vista, or Windows 7 will apply the local computer policy, followed by either the
Administrators or Non-Administrators policy and any local user-specific policy. An
example of how to use multiple policies can be a local computer policy that denies all
users from writing to removable storage and the Administrators local user policy that
allows read and write access to removable storage. Because the Administrators local user
policy is applied after the local computer policy, only administrators will be able to write
to removable storage media.
Domain Group Policies
Domain group policies are very similar to local group policies, but many additional
settings are included and these policies are managed and applied within an Active
Directory environment. For clarification, documentation might refer to local policies as
Local Group Policy Objects and group policies as domain-based policies. For the remainder
of this chapter, they will be referred to as local policies and domain policies.
Local policies are very close to domain policies, but there are several key differences.
Domain policies are managed using the Group Policy Management Editor, which allows
administrators to view all available settings or to filter out only configured settings when
managing a policy. Also, domain policies can be used to install software applications for
computers and users. Many settings that only apply to a domain environment are still
available in a local policy but when configured will not function if the computer is not a
member of an Active Directory domain. One of the biggest differences between domain
and local group policies is the separation of settings into the Policies and Preferences
nodes, which is detailed later in this chapter in the “Policies and Preferences” section.
Security Configuration Wizard
Windows Server 2008 R2 contains a tool called the Security Configuration Wizard
(SCW). The SCW contains different templates that can be applied to systems that meet
specific criteria.
For example, on a system running only the Windows Server 2008 R2 File Services role,
when examined and secured by the SCW, a File Server role template will be applied that
will configure the firewall, disable unnecessary services, and tune the system to provide
access to the necessary functions of the File Services role but not much else. The SCW
should be used only when properly tested because the security changes can impact
functionality if incorrect settings are applied to a system. Also, it is highly recommended to
configure the server so it is 100% ready for production and then run the Security Configuration
Wizard to perform the final lockdown. Alternatively, the SCW can be used to create the
necessary security template, which can then be exported and later imported into a domain
policy and applied to the necessary servers that match the appropriate configuration.
Additional information on how to use the Security Configuration Wizard is detailed in
Chapter 13, “Server-Level Security.”
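The "create the template, then apply it through a domain policy" workflow described above, driven from PowerShell with the scwcmd tool that ships with the SCW. This is an added example, not code from the book; the policy file path, test server name, GPO name and OU are assumed placeholders.

```powershell
# Added example (not from the book): export an SCW policy to a domain GPO with scwcmd.
# Path, server, GPO and OU names below are assumed placeholders.
$PolicyFile = 'C:\SCW\FileServers.xml'                      # saved by the wizard beforehand
$GpoName    = 'SCW - File Servers'
$TargetOu   = 'OU=File Servers,OU=Servers,DC=example,DC=com'

# 1. Read-only check: report how a representative test server deviates from the policy
#    before anything is changed on it.
scwcmd analyze "/p:$PolicyFile" /m:TESTFS01 '/o:C:\SCW\Results'

# 2. Convert the SCW policy into a domain GPO (created unlinked) instead of running the
#    wizard on every server individually.
scwcmd transform "/p:$PolicyFile" "/g:$GpoName"

# 3. Once the GPO has been tested in isolation, link it only to the OU that holds servers
#    matching the template's role configuration.
Import-Module GroupPolicy
New-GPLink -Name $GpoName -Target $TargetOu
```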
Policy Processing Overview
When a Windows system contains multiple local policies or is a member of an Active
Directory domain, more than one policy will be processed when the computer boots or
when a user logs on. Each policy that applies to the particular computer or user is
processed sequentially and it is important to understand the policy processing order. In
cases where multiple policies have the same settings configured, but with different values,
the resulting setting value will match the last policy processed.
Policy Processing for Computers
Policy settings are applied to computers during computer startup, shutdown, and background
refresh intervals. Policy processing for computer objects is performed in the
following order:
1. Local computer policy
2. Domain policies linked to the Active Directory site
3. Domain policies linked to the Active Directory domain
4. Domain policies linked to the organizational unit hierarchy in which the computer
account is located
Policy Processing for Users
Policy settings are applied to users during user logon, logoff, and background refresh intervals.
Policy processing for domain and local users is performed in the following order:
1. Local computer policy
2. Local Non-Administrators policy or local Administrators policy if these policies exist
3. Local user-specific policy; only applies if the user is a local user account and a policy
exists for the user
4. Domain policies linked to the Active Directory site
5. Domain policies linked to the Active Directory domain
6. Domain policies linked to the organizational unit hierarchy in which the user
account is located
Group Policy Order of Processing
When multiple policies are linked to a single Active Directory site, domain, or organizational
unit, each policy will be applied sequentially. The order of policy application or
processing is based on the policy link order. The policy link with the number 1 associated
to the policy name is the last policy applied at the container and, therefore, takes precedence
for policy link order of processing; see Chapter 19.
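A PowerShell model of the processing order from the three sections above (local, site, domain, OU hierarchy, with link order 1 applied last) and of the "last policy processed wins" rule, added here as an example and not code from the book. Container, GPO and setting names are constructed; enforced links and Block Inheritance are not modeled.

```powershell
# Added example (not from the book): model policy processing order and resolve conflicting
# values "last writer wins". Names are constructed; the container/link shape mirrors what
# Get-GPInheritance reports for a real site, domain or OU.
function Get-GpoProcessingOrder {
    param([array]$Containers)  # local, site, domain, then OUs from the top of the tree down
    foreach ($c in $Containers) {
        # Within one container, link order 1 is applied LAST, so process in descending order.
        $c.Links | Where-Object { $_.Enabled } |
            Sort-Object { $_.Order } -Descending | ForEach-Object { $_.Name }
    }
}

function Resolve-PolicySetting {
    param([string[]]$OrderedGpos, [hashtable]$GpoSettings, [string]$Setting)
    $winner = $null
    foreach ($gpo in $OrderedGpos) {
        if ($GpoSettings[$gpo].ContainsKey($Setting)) {
            # A later policy that configures the same setting overwrites the earlier value.
            $winner = New-Object PSObject -Property @{ Gpo = $gpo; Value = $GpoSettings[$gpo][$Setting] }
        }
    }
    $winner
}

# Constructed sample: a computer whose account sits in OU=File beneath OU=Servers.
$containers = @(
    @{ Name = 'Local';   Links = @(@{ Name = 'Local Computer Policy'; Order = 1; Enabled = $true }) }
    @{ Name = 'Site';    Links = @(@{ Name = 'Site-HQ'; Order = 1; Enabled = $true }) }
    @{ Name = 'Domain';  Links = @(@{ Name = 'Default Domain Policy'; Order = 1; Enabled = $true }) }
    @{ Name = 'Servers'; Links = @(@{ Name = 'Servers-Baseline'; Order = 1; Enabled = $true },
                                   @{ Name = 'Servers-Firewall'; Order = 2; Enabled = $true }) }
    @{ Name = 'File';    Links = @(@{ Name = 'File-Servers'; Order = 1; Enabled = $true }) }
)
$settings = @{
    'Local Computer Policy' = @{ 'RemovableStorage:DenyWrite' = 'Enabled' }
    'Site-HQ'               = @{}
    'Default Domain Policy' = @{ 'MinimumPasswordLength' = 8 }
    'Servers-Baseline'      = @{ 'RemovableStorage:DenyWrite' = 'Enabled'; 'AuditLogon' = 'Success' }
    'Servers-Firewall'      = @{ 'Firewall:DomainProfile' = 'On' }
    'File-Servers'          = @{ 'RemovableStorage:DenyWrite' = 'Disabled' }
}
$order = Get-GpoProcessingOrder -Containers $containers
$order -join ' -> '   # Servers-Firewall (link 2) is processed before Servers-Baseline (link 1)
# The OU that holds the object is processed last, so File-Servers supplies the final value.
Resolve-PolicySetting -OrderedGpos $order -GpoSettings $settings -Setting 'RemovableStorage:DenyWrite'
```

On a real machine, gpresult /r lists the policies that were actually applied in this order, which is the check to run when a setting does not take the value expected.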
Loopback Processing
When a user is processing domain policies, the policies that apply to that user are based
on the location of the user object in the Active Directory hierarchy. The same goes for
domain policy application for computers. There are situations, however, when administrators
or organizations want to ensure that all users get the same policy when logging on to
a particular computer or server. For example, on a computer that is used for training or on
a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop
environment must be the same for each user, this can be controlled by enabling loopback
processing in Replace mode on a policy that is applied to the computer objects. To explain
a bit further, if a domain policy has the loopback settings enabled and set to Replace
mode, any settings defined within that policy in the User Configuration node are applied
to all users who log on to the computer this particular policy is applied to. When loopback
processing is enabled and configured in Merge mode on a policy applied to a
computer object and a user logs on, all of the user policies are applied and then all of the
user settings within the policy applied to the computer object are also applied to the user.
This ensures that in either Replace or Merge mode, loopback processing applies the
settings contained in the computer-linked policies last.
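The Replace and Merge behaviour described above, shown as an added PowerShell example (not code from the book) that lists which policies' User Configuration is applied under each mode, reads the mode a machine is currently under, and writes the mode into a domain GPO. GPO names are constructed; the registry value UserPolicyMode is the one the loopback administrative template setting writes, and the GroupPolicy module is assumed for the last function.

```powershell
# Added example (not from the book): how loopback changes the list of policies whose
# User Configuration is applied at logon. GPO names are constructed; UserPolicyMode is the
# registry value behind the "user Group Policy loopback processing mode" template setting.
function Get-LoopbackUserPolicyOrder {
    param(
        [string[]]$UserScopeGpos,      # policies that apply to the user object, normal order
        [string[]]$ComputerScopeGpos,  # policies that apply to the computer object, normal order
        [ValidateSet('None','Merge','Replace')][string]$Mode
    )
    switch ($Mode) {
        'None'    { $UserScopeGpos }
        # Merge: the user's own policies first, then the User Configuration of the
        # computer-linked policies, so the computer-linked values are applied last and win.
        'Merge'   { $UserScopeGpos + $ComputerScopeGpos }
        # Replace: the user's own policies are skipped entirely.
        'Replace' { $ComputerScopeGpos }
    }
}

function Get-LoopbackMode {
    # Reports the mode this machine is currently under: 1 = Merge, 2 = Replace, absent = off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($v -eq 1) { 'Merge' } elseif ($v -eq 2) { 'Replace' } else { 'None' }
}

function Set-LoopbackModeInGpo {
    # Writes the same value into a domain GPO's Computer Configuration (GroupPolicy module).
    param([string]$GpoName, [ValidateSet('Merge','Replace')][string]$Mode)
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
        -ValueName UserPolicyMode -Type DWord -Value $value
}

# Constructed sample: a trainer logs on to a classroom PC that has a lockdown policy linked.
$userGpos     = 'Default Domain Policy', 'Staff-Desktop', 'Trainers-Extras'
$computerGpos = 'Default Domain Policy', 'Classroom-Lockdown'
foreach ($m in 'None', 'Merge', 'Replace') {
    '{0,-7}: {1}' -f $m, ((Get-LoopbackUserPolicyOrder $userGpos $computerGpos $m) -join ' -> ')
}
# On the host itself, Get-LoopbackMode shows the configured mode and "gpresult /r" lists the
# policies that were actually applied to the logged-on user.
```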
Group Policy Feature Set
The Group Policy Feature set is the collection of all the available settings within a group
policy. The available policy settings are created from the basic policy template, which
includes the general hierarchy, the local security policy, and the default administrative
templates stored in the local file system. The administrative templates that present their
settings within a policy are referenced from the files stored in the c:\windows\policydefinitions
folder or in the Active Directory domain central store.
The policy settings available within a particular policy or all policies can be extended by
importing additional administrative templates. This can be accomplished by simply
adding the correct ADMX and ADML files to the PolicyDefinitions folder on the local
system or in the central store or by importing a legacy administrative template file with
the ADM extension into a particular policy. For more information on the central store and
how to import ADM files to existing policies, refer to Chapter 19.
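Because the editor reads templates from the central store exclusively once one exists, an ADMX that was only dropped into the local PolicyDefinitions folder silently adds nothing to domain policies. The following added PowerShell example (not code from the book) compares the two locations; it assumes the standard paths named above, a domain-joined session where USERDNSDOMAIN is set, and uses size and timestamp as a cheap drift check rather than a hash.

```powershell
# Added example (not from the book): compare the local PolicyDefinitions folder with the
# domain central store. Assumes the standard paths and a domain-joined session
# (USERDNSDOMAIN set); size/timestamp comparison is a cheap drift check, not a hash.
function Compare-AdmxStores {
    param(
        [string]$LocalPath   = (Join-Path $env:windir 'PolicyDefinitions'),
        [string]$CentralPath = ('\\{0}\SYSVOL\{0}\Policies\PolicyDefinitions' -f $env:USERDNSDOMAIN)
    )
    if (-not (Test-Path $CentralPath)) {
        # No central store: the editor reads the local folder, so there is nothing to compare.
        Write-Warning "No central store at $CentralPath; the editor uses $LocalPath"
        return
    }
    $local   = @{}; Get-ChildItem $LocalPath   -Filter *.admx | ForEach-Object { $local[$_.Name]   = $_ }
    $central = @{}; Get-ChildItem $CentralPath -Filter *.admx | ForEach-Object { $central[$_.Name] = $_ }
    foreach ($name in (@($local.Keys) + @($central.Keys) | Sort-Object -Unique)) {
        $l = $local[$name]; $c = $central[$name]
        # LocalOnly matters most: with a central store present, that template is never read.
        if (-not $c)     { $state = 'LocalOnly' }
        elseif (-not $l) { $state = 'CentralOnly' }
        elseif ($l.Length -ne $c.Length -or $l.LastWriteTimeUtc -ne $c.LastWriteTimeUtc) { $state = 'Differs' }
        else             { $state = 'Same' }
        New-Object PSObject -Property @{ Admx = $name; State = $state }
    }
}

# Show only the templates that need attention.
Compare-AdmxStores | Where-Object { $_.State -ne 'Same' } | Sort-Object State, Admx | Format-Table -AutoSize
```

The matching ADML language files under each store's language subfolder (for example en-US) need the same check, since an ADMX without its ADML fails to load in the editor.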
By default, the Windows Server 2008 R2 group policies administrative templates contain
approximately 1,650 settings in the Computer Configuration node and another 1,450 in
the User Configuration node. There are many more settings in the Windows Settings
nodes and the Preferences node that extend this number dramatically. This, of course,
makes detailing each of the settings a very inconvenient and lengthy process. Instead of
covering every setting, this section and many of the following sections in this chapter
highlight the types of settings available that might be the most common and useful
settings for managing Windows environments.
Many of the policy settings contained in both the Computer and User Configuration
policy nodes apply only to specific Windows Server 2008 R2 role services such as the
Encrypting File System, Remote Desktop Services, Network Access Protection, or the
Distributed File System role services. For these particular services, as with any Group
Policy settings, it is very important that the administrator understands the potential
impact of configuring these settings. Before any production group policies are created,
modified, or linked, the policy should be tested in an isolated environment and a rollback
plan should be created and also tested. For more information on how to plan for Group
Policy deployment, see Chapter 19.
Computer Configuration Policy Node
The Computer Configuration node of a group policy contains settings that are designed to
configure and manage a Windows system. Many of the settings found in this node also
exist in the User Configuration node, and when both settings are configured, different
outcomes will result. In some cases, computer policy settings will always be used even if
the user configuration policy setting is configured as well. In other cases, the last policy
setting applied will be used. For example, in a local group policy, within each node under
Administrative Templates\System\Scripts, there is a setting named Run Logon Scripts
Synchronously and if this setting is configured in the Computer Configuration section, it
will be enforced regardless of how the setting is configured in the User Configuration
policy node.
At the root of the Computer Configuration node, there are three policy nodes named the
Software Settings node, the Windows Settings node, and the Administrative Templates
node. In domain group policies, these three nodes are located beneath the Computer
Configuration\Policies node.
Computer Configuration Software Settings Node
The Software Settings node is used to add software application packages to the computers
that process the particular policy. Prepackaged or custom Windows Installer MSI software
packages can be added to this Software Settings node and used to automatically install
software on the computer during the next reboot cycle. This is known as an assigned software
package. More information regarding deploying software using Group Policy is
detailed later in this chapter in the “Deploying Software Packages Using Domain Group
Policy Objects” section.
Computer Configuration Windows Settings Node
The Windows Settings node provides administrators with the ability to manage the overall
security and configuration of the Windows system. The settings contained beneath the
Windows Settings node can be used to define how local and domain users can interact
with and manage the system and how the system will communicate across the network.
The five nodes contained within the Windows Settings node are as follows:
Name Resolution Policy—This node allows Group Policy administrators to create
rules to build the content of the Name Resolution Policy Table to support DNSSEC
implementations and to configure Windows Server 2008 R2 DirectAccess DNS