Group Policy Feature Set
The Group Policy Feature set is the collection of all the available settings within a group policy. The available policy settings are created from the basic policy template, which includes the general hierarchy, the local security policy, and the default administrative templates stored in the local file system. The administrative templates that present their settings within a policy are referenced from the files stored in the c:\windows\policydefinitions folder or in the Active Directory domain central store.
The policy settings available within a particular policy or all policies can be extended by importing additional administrative templates. This can be accomplished by simply adding the correct ADMX and ADML files to the PolicyDefinitions folder on the local system or in the central store or by importing a legacy administrative template file with the ADM extension into a particular policy. For more information on the central store and how to import ADM files to existing policies.
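As an added example (not code from the tutorial), the following PowerShell script copies a local PolicyDefinitions folder into the domain central store and then checks that every ADMX file has a matching ADML for the chosen display language, which is the usual cause of template errors in the Group Policy editor. It assumes a domain-joined administrative workstation whose account can write to SYSVOL, takes the domain name from the environment, and assumes en-US as the language.

```powershell
# Added example: build the Group Policy central store and verify ADMX/ADML pairing.
# Assumptions: domain-joined admin workstation, write access to SYSVOL, en-US language,
# PowerShell 3.0 or later (for the -notin operator).
param(
    [string]$Domain   = $env:USERDNSDOMAIN,   # e.g. corp.example.com (assumed placeholder)
    [string]$Language = 'en-US'
)

$LocalStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# 1. Create the central store if it does not exist. Once present, domain GPMC
#    sessions read templates from here instead of each administrator's local folder.
if (-not (Test-Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
}

# 2. Copy the ADMX files and the language subfolder holding the ADML files.
#    -Force overwrites older copies, so run this from the system that holds the
#    newest templates (normally the most recent OS or RSAT release).
Copy-Item -Path (Join-Path $LocalStore '*.admx') -Destination $CentralStore -Force
$LangSrc = Join-Path $LocalStore $Language
$LangDst = Join-Path $CentralStore $Language
if (-not (Test-Path $LangDst)) {
    New-Item -ItemType Directory -Path $LangDst | Out-Null
}
Copy-Item -Path (Join-Path $LangSrc '*.adml') -Destination $LangDst -Force

# 3. Consistency check: an ADMX without its ADML produces a template error when the
#    policy is opened; an ADML without an ADMX is usually a stale leftover.
$admx = Get-ChildItem $CentralStore -Filter '*.admx' | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem $LangDst      -Filter '*.adml' | ForEach-Object { $_.BaseName }

$missingAdml = @($admx | Where-Object { $_ -notin $adml })
$orphanAdml  = @($adml | Where-Object { $_ -notin $admx })

"Central store: $CentralStore"
"ADMX files: $($admx.Count)   ADML files ($Language): $($adml.Count)"
if ($missingAdml.Count -gt 0) {
    "ADMX without a $Language ADML:`n  " + ($missingAdml -join "`n  ")
}
if ($orphanAdml.Count -gt 0) {
    "ADML without an ADMX (stale?):`n  " + ($orphanAdml -join "`n  ")
}
```

Run the check again after adding any third-party ADMX/ADML pair to confirm both halves landed in the store before editing policies that depend on them.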
By default, the Windows Server 2008 R2 group policies administrative templates contain approximately 1,650 settings in the Computer Configuration node and another 1,450 in the User Configuration node. There are many more settings in the Windows Settings nodes and the Preferences node that extend this number dramatically. This, of course, makes detailing each of the settings a very inconvenient and lengthy process. Instead of covering every setting, this section and many of the following sections in this tutorial highlight the types of settings available that might be the most common and useful settings for managing Windows environments.
Many of the policy settings contained in both the Computer and User Configuration policy nodes apply only to specific Windows Server 2008 R2 role services such as the Encrypting File System, Remote Desktop Services, Network Access Protection, or the Distributed File System role services. For these particular services, as with any Group Policy settings, it is very important that the administrator understands the potential impact of configuring these settings. Before any production group policies are created, modified, or linked, the policy should be tested in an isolated environment and a rollback plan should be created and also tested. For more information on how to plan for Group Policy deployment.
Computer Configuration Policy Node
The Computer Configuration node of a group policy contains settings that are designed to configure and manage a Windows system. Many of the settings found in this node also exist in the User Configuration node, and when both settings are configured, different outcomes will result. In some cases, computer policy settings will always be used even if the user configuration policy setting is configured as well. In other cases, the last policy setting applied will be used. For example, in a local group policy, within each node under Administrative Templates\System\Scripts, there is a setting named Run Logon Scripts Synchronously, and if this setting is configured in the Computer Configuration section, it will be enforced regardless of how the setting is configured in the User Configuration policy node.
At the root of the Computer Configuration node, there are three policy nodes named the Software Settings node, the Windows Settings node, and the Administrative Templates node. In domain group policies, these three nodes are located beneath the Computer Configuration\Policies node.
Computer Configuration Software Settings Node
The Software Settings node is used to add software application packages to the computers that process the particular policy. Prepackaged or custom Windows Installer MSI software packages can be added to this Software Settings node and used to automatically install software on the computer during the next reboot cycle. This is known as an assigned software package. More information regarding deploying software using Group Policy is detailed later in this tutorial in the "Deploying Software Packages Using Domain Group Policy Objects" section.
Computer Configuration Windows Settings Node
The Windows Settings node provides administrators with the ability to manage the overall security and configuration of the Windows system. The settings contained beneath the Windows Settings node can be used to define how local and domain users can interact with and manage the system and how the system will communicate across the network. The five nodes contained within the Windows Settings node are as follows:
- Name Resolution Policy: This node allows Group Policy administrators to create rules to build the content of the Name Resolution Policy Table to support DNSSEC implementations and to configure Windows Server 2008 R2 DirectAccess DNS settings centrally.
- Scripts (Startup/Shutdown): The Scripts node allows administrators to add startup or shutdown scripts to computer objects.
- Deployed Printers: This node allows administrators to automatically install and remove printers on the Windows systems. Using the Group Policy Object Editor on Windows Server 2008 or Windows Server 2008 R2 systems, this node might not appear unless the Print Management console is also installed.
- Security Settings: This node is a replica of the local security policy, although it does not sync or pull information from the local security policy. The settings in this node can be used to define password policies, audit policies, software restrictions, Services configuration, Registry and file permissions, and much more.
- Policy-based QoS: The Policy-based QoS node can be configured to manage, restrict, and prioritize outbound network traffic between a source Windows system and a destination host based on an application, a source or destination IP address, and/or source and destination protocols and ports.
Security Settings
The Security Settings node allows a security administrator to configure security levels assigned to a domain or Local Group Policy Object. This can be performed manually or by importing an existing security template.
The Security Settings node of the Group Policy Object can be used to configure several security-related settings, including file system NTFS permissions and many more settings contained in the nodes beneath Security Settings as follows:
- Account Policies: These computer security settings control password policy, lockout policy, and Kerberos policy in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server domains and local systems.
- Local Policies: These security settings control audit policy, user rights assignment, and security options, including setting the default User Account Control settings for systems the policy applies to.
- Event Log: This setting controls security settings and the size of the event logs for the application, security, and system event logs.
- Restricted Groups: These settings allow the administrator to manage local or domain group membership from within this policy node. Restricted group settings can be used to add members to an existing group without removing any existing members or it can enforce and overwrite membership based on the policy configuration.
- System Services: These settings can be used to control the startup mode of a service and to define the permissions to manage the service configuration or state. Configuring these settings does not start or stop any services.
- Registry: This setting is used to configure the security permissions of defined Registry keys and, if desired, all subkeys and values. This setting is useful in supporting legacy applications that require specific Registry key access that is not normally allowed for standard user accounts.
- File System: This setting is used to configure NTFS permissions on specified folders on NTFS formatted drives. Also, enabling auditing and configuring folder ownership and propagating these settings to subfolders and files is an option.
- Wired Network (IEEE 802.3) Policies: This policy node can be used to configure additional security on wired network adapters to allow for or require smart card or computer-based certificate authentication and encryption.
- Windows Firewall with Advanced Security: This policy node allows administrators to configure the Windows Firewall on Windows client and Windows server systems. The configured settings can configure specific inbound or outbound rules and can define how the firewall is configured based on the firewall profile or network the system is connected to. The configuration can overwrite the local firewall rules or the group policy and local rules can be merged.
- Network List Manager Policies: Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 uses firewall profiles based on the network. This setting node can be used to define the permissions end users have regarding the identification and classification of a new network as public or private to allow for the proper firewall profile to be applied.
- Wireless Network (IEEE 802.11) Policies: These policies configure settings for the wide range of devices that access the network over wireless technologies, including predefining the preferred wireless network, its service set identifier (SSID), and the security type for the network. This node includes policies for Windows Vista and later releases as well as Windows XP compatible policies.
- Public Key Policies: These settings are used to specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate. Public Key Policies are also used to distribute the certificate trust list and can establish common trusted root certification authorities. Encrypting File System settings use this policy node as well.
- Software Restriction Policies: These policies enable an administrator to control the applications that are allowed to run on the Windows system based on the file properties, including the filename. Additionally, software restrictions can be created based on certificates or the particular network zone from which the application is being accessed or executed. For example, a rule can be created to block application installations from the Internet zone as defined by Microsoft Internet Explorer.
- Network Access Protection: This setting can be used to deploy the configuration of the Network Access Protection client. These policy settings allow an administrator to require a client health check before granting access to the network.
- Application Control Policies: This node enables Group Policy administrators to create rules that define which security groups or specific users can run executables, scripts, or Windows Installer files, and it can also be used to granularly define which file paths, filenames, and digitally signed publishers of files will be allowed or denied on the computers these policy settings apply to.
- IP Security Policies on Active Directory: IP Security (IPSec) policies can be applied to the GPO of an Active Directory object to define when and where IPSec communication is allowed or required.
- Advanced Audit Policy Configuration: This node can be used to define more detailed and granular audit settings for use on Windows Server 2008 R2 and Windows 7 systems.
Computer Configuration Administrative Templates Node
The Computer Configuration Administrative Templates node contains all of the Registry-based policy settings that apply to the Windows system. These settings are primarily used to control, configure, and secure how the Windows system is set up and how it can be used. This is not the same as the security settings configuration, where specific users or groups are granted rights, because the configuration settings available within the administrative templates apply to the system and all users who access the system. Many settings, however, are not applied to users who are members of the local administrators group of a system.