
Domain Group Policies

Domain group policies are very similar to local group policies, but many additional settings are included and these policies are managed and applied within an Active Directory environment. For clarification, documentation might refer to local policies as Local Group Policy Objects and group policies as domain-based policies. For the remainder of this tutorial, they will be referred to as local policies and domain policies.

Local policies are very close to domain policies, but there are several key differences. Domain policies are managed using the Group Policy Management Editor, which allows administrators to view all available settings or to filter out only configured settings when managing a policy. Also, domain policies can be used to install software applications for computers and users. Many settings that only apply to a domain environment are still available in a local policy but when configured will not function if the computer is not a member of an Active Directory domain. One of the biggest differences between domain and local group policies is the separation of settings into the Policies and Preferences nodes, which is detailed later in this tutorial in the "Policies and Preferences" section.

Security Configuration Wizard

Windows Server 2008 R2 contains a tool called the Security Configuration Wizard (SCW). The SCW examines the roles and features installed on a server and, from its knowledge base of role definitions, builds a security policy (saved as an XML file) that can be applied to systems that meet the same criteria.

For example, on a system running only the Windows Server 2008 R2 File Services role, the SCW detects that role and generates a policy that configures the Windows Firewall, disables services the role does not need, and tunes the system to provide the functions of the File Services role but not much else. The SCW should be used only after proper testing, because the security changes can break functionality if incorrect settings are applied to a system. It is also highly recommended to configure the server 100% ready for production and then run the Security Configuration Wizard to perform the final lockdown, so that every service and port the server actually needs is present when the wizard examines it. Alternatively, the policy the SCW produces can be transformed into a domain policy and linked to the organizational unit containing the servers that match the same configuration, rather than configuring each server individually.
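The SCW workflow described above can also be driven from the command line with scwcmd.exe, which ships with Windows Server 2008 R2. The following is an added example and not part of the original tutorial; the policy file path, target server name and GPO name are assumed placeholders, and the policy file is assumed to have been saved earlier by the SCW GUI (scw.exe).

```powershell
# Added example (not from the original tutorial): scripting the SCW workflow
# with scwcmd.exe on Windows Server 2008 R2. Run from an elevated prompt on a
# machine with SCW installed. All three values below are placeholders.
$policy  = 'C:\Policies\FileServer-2008R2.xml'   # assumed: policy saved by scw.exe
$target  = 'FS01'                                # assumed: fully built, production-ready file server
$gpoName = 'SCW - File Server Lockdown'          # assumed: display name of the GPO to create

# 1. Compare the live server against the policy before enforcing anything.
#    An XML result file per machine is written to the directory given by /o.
scwcmd analyze "/m:$target" "/p:$policy" /o:C:\Policies\Analysis

# 2. Apply the policy to that one server (firewall rules, service startup
#    modes, audit and registry settings defined in the policy).
scwcmd configure "/m:$target" "/p:$policy"

# 3. If functionality breaks, undo the most recent SCW-applied configuration
#    on that server. Rollback covers only changes made by SCW/scwcmd itself.
# scwcmd rollback "/m:$target"

# 4. Alternatively, convert the policy into a domain GPO. The GPO is created
#    unlinked; link it in GPMC to the OU that holds servers with this role.
scwcmd transform "/p:$policy" "/g:$gpoName"
```

Step 1 is the part most often skipped: the analysis report shows which services and firewall rules the policy would change, so a mismatch between the policy and a server that has since gained a feature is caught before step 2 takes it out of production.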

Policy Processing Overview

When a Windows system contains multiple local policies or is a member of an Active Directory domain, more than one policy will be processed when the computer boots or when a user logs on. Each policy that applies to the particular computer or user is processed sequentially and it is important to understand the policy processing order. In cases where multiple policies have the same settings configured, but with different values, the resulting setting value will match the last policy processed.

Policy Processing for Computers

Policy settings are applied to computers during computer startup, shutdown, and background refresh intervals. Policy processing for computer objects is performed in the following order:

  1. Local computer policy
  2. Domain policies linked to the Active Directory site
  3. Domain policies linked to the Active Directory domain
  4. Domain policies linked to the organizational unit hierarchy in which the computer account is located

Policy Processing for Users

Policy settings are applied to users during user logon, logoff, and background refresh intervals. Policy processing for domain and local users is performed in the following order:

  1. Local computer policy
  2. Local Non-Administrators policy or local Administrators policy if these policies exist
  3. Local user-specific policy; only applies if the user is a local user account and a policy exists for the user
  4. Domain policies linked to the Active Directory site
  5. Domain policies linked to the Active Directory domain
  6. Domain policies linked to the organizational unit hierarchy in which the user account is located

Group Policy Order of Processing

When multiple policies are linked to a single Active Directory site, domain, or organizational unit, each policy is applied sequentially, in the order determined by the policy link order. The policy with link order number 1 is the last policy applied at that container and therefore has the highest precedence: where two policies linked to the same container configure the same setting, the one with the lower link order number wins.
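The processing order laid out in the computer and user lists above, combined with the link order rule just described, can be enumerated for a given OU with the GroupPolicy RSAT module available on Windows 7 and Windows Server 2008 R2. The following is an added example and not part of the original tutorial; the OU distinguished name is an assumed placeholder. Get-GPInheritance reports domain and OU links only, so site-linked policies (processed before the domain) must be checked in GPMC, and local policies always come before everything listed here.

```powershell
# Added example (not from the original tutorial): list the domain policies a
# computer or user located in a given OU will process, in processing order.
# Requires the GroupPolicy module (RSAT). The OU below is a placeholder.
Import-Module GroupPolicy

function Get-ContainerChain {
    param([string]$DistinguishedName)
    # Walk from the object's OU up to the domain and return the chain with the
    # domain first, then each OU from the top of the tree down to the target.
    # Assumes OU names that contain no escaped commas.
    $chain = @()
    $dn = $DistinguishedName
    while ($dn -match '^OU=') {
        $chain = ,$dn + $chain                  # prepend: parents before children
        $dn = $dn -replace '^OU=[^,]+,', ''     # strip the leftmost OU component
    }
    ,$dn + $chain                               # $dn is now the domain DN
}

function Get-GpoProcessingOrder {
    param([string]$DistinguishedName)
    # GPMC shows link order 1 at the top of each container (highest precedence);
    # that link is processed LAST, so links are sorted descending by Order.
    # Enforced links and Block Inheritance can change the real outcome; the
    # Enforced column is shown so such links are visible, but not re-ordered.
    $step = 1
    foreach ($container in Get-ContainerChain $DistinguishedName) {
        $links = (Get-GPInheritance -Target $container).GpoLinks |
                 Where-Object { $_.Enabled } |
                 Sort-Object Order -Descending
        foreach ($link in $links) {
            [pscustomobject]@{
                Step      = $step++
                Container = $container
                LinkOrder = $link.Order
                Gpo       = $link.DisplayName
                Enforced  = $link.Enforced
            }
        }
    }
}

# Assumed OU. The last row is the policy whose settings win on conflict.
Get-GpoProcessingOrder 'OU=FileServers,OU=Servers,DC=companyabc,DC=com' |
    Format-Table -AutoSize

# Confirm on the target itself what actually applied (elevated prompt):
#   gpresult /scope computer /r
#   Get-GPResultantSetOfPolicy -ReportType Html -Path C:\rsop.html
```

The predicted order is only as good as the inputs: security filtering, WMI filters, Enforced links and Block Inheritance are not modelled here, which is why the last two commented lines, run on the machine in question, remain the authoritative check.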

Loopback Processing

When a user processes domain policies, the policies that apply are determined by the location of the user object in the Active Directory hierarchy; the same is true for computers and the location of the computer object. There are situations, however, in which administrators want every user to receive the same policy when logging on to a particular computer or server. For example, on a computer used for training or on a Remote Desktop Session Host, also known as a Terminal Server, the user desktop environment must be the same for each user. This is controlled by enabling loopback processing on a policy applied to the computer objects.

In Replace mode, the settings in the User Configuration node of the policies that apply to the computer are applied to every user who logs on to that computer, in place of the user policies that would normally apply based on the location of the user object.

In Merge mode, the user's own policies are applied first, and then the User Configuration settings from the policies applied to the computer object are applied on top. In either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last, so those settings take precedence wherever the same setting is configured in both.
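The loopback setting itself is a registry-based computer policy, which makes it easy to set on a GPO and to verify on the target computer. The following is an added example and not part of the original tutorial; the GPO name is an assumed placeholder. It assumes the setting "User Group Policy loopback processing mode" (Computer Configuration, Policies, Administrative Templates, System, Group Policy) is stored under HKLM\Software\Policies\Microsoft\Windows\System as the DWORD UserPolicyMode, where 1 means Merge and 2 means Replace.

```powershell
# Added example (not from the original tutorial): enable loopback processing
# on a computer-linked GPO and verify the resulting mode on a target machine.
# Requires the GroupPolicy module (RSAT). The GPO name is a placeholder.
Import-Module GroupPolicy

# Key as written into the GPO, and the same key as seen on the local machine.
$GpoKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LocalKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Set-LoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge','Replace')][string]$Mode
    )
    # 1 = Merge (user's own policies first, then the computer GPOs' user
    #     settings on top); 2 = Replace (only the computer GPOs' user settings).
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    # The GPO must be linked to the OU containing the computer objects (for
    # example the RD Session Hosts); its User Configuration node then holds
    # the settings every user logging on there will receive.
    Set-GPRegistryValue -Name $GpoName -Key $GpoKey `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
}

function Get-LoopbackMode {
    # Run on the target computer after 'gpupdate /force' to see what applied.
    $v = (Get-ItemProperty -Path $LocalKey -Name UserPolicyMode `
              -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Disabled' }   # value absent or 0: loopback not in effect
    }
}

# Assumed GPO linked to the OU holding training-room or RD Session Host computers.
Set-LoopbackMode -GpoName 'Training Room Desktop' -Mode Replace
Get-LoopbackMode
```

A common mistake is to put the loopback setting in a GPO linked to the users' OU; it has to reach the computer object, and the user settings that end up applied are those of every GPO in the computer's scope, not just the one carrying the loopback switch. Running gpresult /scope user /r on the session host after logon shows which GPOs actually supplied the user settings.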
