Group Policy Objects (GPOs) are a hugely powerful tool for deploying settings and configurations in an Active Directory environment. Their power is often not fully understood, which leads to GPOs being misused or over-complicated when deployed. To avoid these pitfalls, anyone who wants to use GPOs needs to know how they are processed and what their limitations are.
This article will detail some of the basics about how Group Policy works, as well as provide some pointers on what considerations might need to be taken into account before deploying them in your network environment.
What is GPO?
Group Policy Objects are a core part of Windows administration. A GPO lets you control workstations and servers centrally by applying settings to the users and computers in an Active Directory domain.
A GPO has two halves: Computer Configuration, applied to computer accounts, and User Configuration, applied to user accounts. Each half contains Policies (Software Settings, Windows Settings and Administrative Templates) and Preferences. Administrative Templates are the registry-based policy settings defined by ADMX/ADML files; they are one part of each half, not the source of every setting.
Administrative Templates hold settings such as Windows Update behaviour and most Windows component and application options. Other commonly used settings live elsewhere in the same GPO: Security Options, 802.1X wired and wireless network policies, and file system permissions are under Windows Settings > Security Settings, and network drive mappings are a Group Policy Preference.
How does GPO work?
A GPO is a collection of settings applied to the users and computers in the containers (sites, domains and organizational units) it is linked to. Each policy setting is Not Configured, Enabled or Disabled. Enabled means the setting is enforced on the targets in scope.
Disabled does not mean "leave it alone": it writes the setting's disabled value and overrides whatever value was there, so it is an active choice, not the same as Not Configured. GPOs are processed in the order Local, Site, Domain, OU (LSDOU), with nested OUs processed from parent to child. The policy processed last wins: if two GPOs set the same setting to conflicting values, the one linked closest to the user or computer (a child OU) overrides the one linked higher up (domain or site), unless the higher link is marked Enforced.
The result is cumulative: settings that do not conflict are all applied, and for a conflicting setting the lower-level link's value replaces the higher one. For example, if a domain-linked GPO enables automatic Windows Update and an OU-linked GPO for a group of servers disables it, the servers in that OU will not receive automatic updates. One important exception: the password policy for domain accounts (minimum length, complexity, history) is read only from GPOs linked at the domain level; a password policy in an OU-linked GPO affects only the local accounts of the computers in that OU, so "setting it to 16 characters in the OU" does not change the domain password policy.
However, Not Configured is not a third value to override with. Changing a previously Enabled setting back to Not Configured only stops the GPO from managing it. Administrative Template settings stored under the policy registry keys are removed at the next refresh, but settings that write outside those keys, and many Preferences, "tattoo" the machine and keep their last value. Folder Redirection is a common case: whether a redirected folder moves back to the local profile when the policy no longer applies depends on the policy removal option chosen in the redirection setting itself, not on Not Configured alone.
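The processing order described above, as an added example that is not code from the original article: the script below computes the order in which the GPOs linked along an object's container chain are applied, using the LSDOU rule together with Enforced links, Block Inheritance and disabled links. The container data is constructed sample data, and the function name, the sample GUIDs other than the well-known Default Domain Policy GUID, and the interpretation of gPLink/gPOptions flags noted in the header comment are assumptions to verify against your own domain (in a live domain the same two attributes come from Get-ADObject -Properties gPLink,gPOptions).

```powershell
# Added example, not from the original article: compute the order in which the GPOs
# linked along an object's container chain are processed, applying the LSDOU rule
# (Local, Site, Domain, OU), Enforced links, Block Inheritance and disabled links.
# The container data below is constructed sample data; in a live domain you would read
# the same two attributes with Get-ADObject -Properties gPLink,gPOptions.
#
# Assumptions made here (verify against your own domain):
#  - gPOptions = 1 on a container means Block Inheritance.
#  - Each link in gPLink carries flags: 1 = link disabled, 2 = link enforced.
#  - Links inside one gPLink string are in ascending precedence, i.e. the last entry is
#    GPMC link order 1 and is processed last within that container.

$SampleContainers = @{
    'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example' = @{
        gPLink    = '[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=corp,DC=example;0]'
        gPOptions = 0 }
    'DC=corp,DC=example' = @{
        # Default Domain Policy (normal link) plus an enforced domain-wide baseline.
        gPLink    = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=example;0]' +
                    '[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=corp,DC=example;2]'
        gPOptions = 0 }
    'OU=Workstations,DC=corp,DC=example' = @{
        # One normal link and one disabled link; Block Inheritance is set on this OU.
        gPLink    = '[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=corp,DC=example;0]' +
                    '[LDAP://cn={44444444-4444-4444-4444-444444444444},cn=policies,cn=system,DC=corp,DC=example;1]'
        gPOptions = 1 }
    'OU=Finance,OU=Workstations,DC=corp,DC=example' = @{
        gPLink    = '[LDAP://cn={55555555-5555-5555-5555-555555555555},cn=policies,cn=system,DC=corp,DC=example;0]'
        gPOptions = 0 }
}

function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$SiteDN,
        [Parameter(Mandatory)][hashtable]$Containers
    )
    # 1. Build the container chain in LSDOU order: Site, Domain, then OUs from the top down.
    #    Split the DN on commas that are not escaped with a backslash.
    $rdns   = $ObjectDN -split '(?<!\\),'
    $domain = ($rdns | Where-Object { $_ -like 'DC=*' }) -join ','
    $ous    = @()
    for ($i = 1; $i -lt $rdns.Count; $i++) {            # skip the leaf RDN (the object itself)
        if ($rdns[$i] -like 'OU=*') { $ous += ($rdns[$i..($rdns.Count - 1)] -join ',') }
    }
    [array]::Reverse($ous)                                # top-level OU first, the object's own OU last
    $chain = @($SiteDN, $domain) + $ous

    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]
    foreach ($dn in $chain) {
        $c = $Containers[$dn]
        if (-not $c) { continue }
        # 2. Block Inheritance on this container discards every non-enforced link collected
        #    from the containers above it; enforced links survive.
        if (($c.gPOptions -band 1) -eq 1) { $normal.Clear() }
        # 3. Parse the links in string order (see the assumption above on precedence).
        foreach ($m in [regex]::Matches($c.gPLink, '\[LDAP://cn=(\{[^}]+\})[^;]*;(\d+)\]', 'IgnoreCase')) {
            $flags = [int]$m.Groups[2].Value
            if ($flags -band 1) { continue }              # link disabled: never processed
            $link = [pscustomobject]@{ Guid = $m.Groups[1].Value; LinkedAt = $dn; Enforced = [bool]($flags -band 2) }
            if ($link.Enforced) { $enforced.Add($link) } else { $normal.Add($link) }
        }
    }
    # 4. Enforced links are processed after all others, and among them the link highest in
    #    the hierarchy is processed last (so it wins), which reverses their LSDOU order.
    $enforced.Reverse()
    $local = [pscustomobject]@{ Guid = 'Local GPO'; LinkedAt = '(local machine)'; Enforced = $false }
    $order = @($local) + $normal.ToArray() + $enforced.ToArray()
    $n = 0
    foreach ($o in $order) {
        $n++
        [pscustomobject]@{ Order = $n; Guid = $o.Guid; LinkedAt = $o.LinkedAt; Enforced = $o.Enforced }
    }
}

# Usage: resolve the processing order for a constructed computer in the Finance OU.
Get-GpoProcessingOrder -ObjectDN 'CN=FIN-PC01,OU=Finance,OU=Workstations,DC=corp,DC=example' `
                       -SiteDN 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example' `
                       -Containers $SampleContainers | Format-Table -AutoSize
```

With the sample data, the site link and the Default Domain Policy are dropped by Block Inheritance on the Workstations OU, the disabled Workstations link is skipped, the Finance OU link is processed after the Workstations link, and the enforced domain baseline is processed last and therefore wins every conflict. The function deliberately covers only what the two attributes express; security filtering, WMI filters and a GPO whose user or computer half is disabled also change what finally applies and are what gpresult /r or Get-GPResultantSetOfPolicy report on a real machine.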
What is the Best Practice?
The best practice for GPOs is to be conservative. Keep the Default Domain Policy and Default Domain Controllers Policy for the account and security settings they were built for, and put everything else in small, purpose-named GPOs linked to the OUs that actually need them rather than at the domain root. Use Enforced and Block Inheritance sparingly, because every exception makes the effective policy harder to reason about and to troubleshoot. Remember that policy is reapplied at each refresh: a user with local administrator rights can change a managed setting on the machine, but the GPO value comes back at the next refresh, so the real risk from local administrators is tampering with the machine outside of what policy manages. That is one more reason to keep local administrator rights rare.
Why Is GPO Important?
It’s very simple: GPOs determine what settings are created and enforced on the computers and users in a domain. Removing unnecessary local administrator rights (for example with Restricted Groups under Security Settings) or restricting what users can reach and run are straightforward ways to harden a fleet of machines. The same lever works in reverse: whoever can edit a GPO, or link one to a container, effectively controls every computer and user in its scope.
A GPO belongs to one domain: its settings are stored partly in Active Directory and partly in the SYSVOL share of that domain’s domain controllers, and it is normally linked to sites, the domain, or OUs of that domain. A GPO from another domain in the same forest can also be linked, but this slows processing and is discouraged. Across a forest trust, a user’s own domain policy is applied on a computer in the other forest only when the computer has the "Allow cross-forest user policy and roaming user profiles" policy enabled.
How To Read The Group Policy Management Editor
Settings inside a GPO are edited in the Group Policy Management Editor, which is opened from the Group Policy Management Console (GPMC); the console is where GPOs are created, linked, filtered and backed up. The editor shows two nodes: Computer Configuration (which affects computers) and User Configuration (which affects users).
Computer Configuration
Computer Configuration holds settings that apply to the computer account at startup and at every refresh, regardless of who logs on. Under it you find Software Settings, Windows Settings (scripts and Security Settings, including Account Policies, Local Policies, Restricted Groups and the File System node), Administrative Templates, and Preferences. User Configuration contains the same top-level nodes with the user-side settings.
User Configuration
User Configuration holds settings that apply to the user account at logon, such as restricting Internet access or locking down what a user can do on a shared PC. Computer settings are applied at startup and user settings at logon, so the two sets rarely conflict; where the same Administrative Template setting exists in both, the Computer Configuration value takes precedence. Loopback processing ("Configure user Group Policy loopback processing mode" under Computer Configuration > Administrative Templates > System > Group Policy) is the exception: it applies the user settings of the computer’s GPOs to whoever logs on, which is how kiosk and terminal server lockdowns are usually built.
Keys to Defending Your Group Policy
There are a few keys to defending your group policies on your computer systems:
Group Policy delegation: Active Directory permissions decide who can create GPOs (members of Group Policy Creator Owners), who can edit a given GPO, and who can link GPOs to a site, domain or OU (write access to the gPLink and gPOptions attributes on that container). Anyone with edit rights on a GPO, or link rights on a container, controls every user and computer in its scope, so keep these rights with a small, highly trusted group and review them regularly.
Number of Group Policies: the more GPOs that apply to a system or user, the higher the risk that something goes wrong. If each department creates its own GPO, conflicting settings and slow startup and logon follow, and the cost of managing and troubleshooting them rises.
Versioning: every GPO carries a version number, stored both in Active Directory and in gpt.ini in SYSVOL, that is incremented on each edit. Clients use it to decide whether policy has changed, and a mismatch between the two copies points to a replication problem. There is no built-in change history, so test changes by linking a GPO to a test OU or by security-filtering it to a pilot group first; Advanced Group Policy Management (AGPM) adds check-in/check-out, version history and rollback on top of GPMC.
Auditing: always keep track of changes made to GPOs. Enable auditing of directory service changes and of the SYSVOL policy folders so that edits are logged together with the account that made them, and take regular GPO backups (from GPMC or with Backup-GPO), because without a backup there is nothing to revert to when a change goes wrong, whether maliciously or through human error.
Refresh interval: this controls when Group Policy is reapplied on computers and users. By default clients refresh every 90 minutes with a random offset of up to 30 minutes, domain controllers every 5 minutes, and computer policy is also processed at startup and user policy at logon; gpupdate /force triggers a refresh on demand. A shorter interval means a mistaken or malicious change reaches every machine faster, so pair any change to it with the auditing above.
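The delegation and auditing points above, as an added example that is not code from the original article: the script below reports GPOs whose edit rights go beyond an allow-list of trusted principals, reports containers where other principals can write gPLink or gPOptions (and so link or unlink GPOs), and takes a GPO backup that can later be restored. It requires the RSAT GroupPolicy and ActiveDirectory modules in a domain-joined session; the allow-list, the backup path and the two function names are assumptions to adjust for your environment.

```powershell
# Added example, not from the original article: find Group Policy delegation that goes
# beyond an allow-list, and take a restorable backup. Requires the RSAT GroupPolicy and
# ActiveDirectory modules and a domain-joined session with read access to AD.
Import-Module GroupPolicy, ActiveDirectory

# Principals expected to control Group Policy (assumption: adjust for your environment).
$AllowedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

# Permission levels that grant control over a GPO's contents or its security descriptor.
# GpoCustom means the ACL no longer matches a standard level and deserves a manual look.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-UnexpectedGpoEditors {
    param([Parameter(Mandatory)]$Gpo, [string[]]$Allowed = $AllowedEditors)
    Get-GPPermission -Guid $Gpo.Id -All |
        Where-Object { "$($_.Permission)" -in $EditLevels -and $_.Trustee.Name -notin $Allowed } |
        ForEach-Object {
            [pscustomobject]@{ Gpo = $Gpo.DisplayName; Trustee = $_.Trustee.Name; Permission = "$($_.Permission)" }
        }
}

# Resolve the schemaIDGUIDs of gPLink and gPOptions from the schema instead of hardcoding
# them; these are the attribute GUIDs that appear in object-specific ACEs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$LinkAttrGuids = foreach ($attr in 'gPLink', 'gPOptions') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    [guid]::new($obj.schemaIDGUID)
}

function Get-UnexpectedLinkWriters {
    param([Parameter(Mandatory)][string]$ContainerDN, [string[]]$Allowed = $AllowedEditors)
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $writeProp = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        # Either WriteProperty scoped to gPLink/gPOptions, or a blanket right (GenericAll,
        # GenericWrite, or WriteProperty on all attributes, i.e. an empty ObjectType GUID).
        $specific = $writeProp -and ($ace.ObjectType -in $LinkAttrGuids)
        $blanket  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                    $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite) -or
                    ($writeProp -and $ace.ObjectType -eq [guid]::Empty)
        if (-not ($specific -or $blanket)) { continue }
        $name = $ace.IdentityReference.Value -replace '^[^\\]+\\', ''   # strip the DOMAIN\ prefix
        if ($name -in $Allowed) { continue }
        [pscustomobject]@{
            Container = $ContainerDN
            Trustee   = $ace.IdentityReference.Value
            Rights    = "$rights"
            Inherited = $ace.IsInherited
        }
    }
}

# Run the checks over every GPO, every OU and the domain root, then print one report.
$report = @()
$report += Get-GPO -All | ForEach-Object { Get-UnexpectedGpoEditors -Gpo $_ }
$report += Get-ADOrganizationalUnit -Filter * | ForEach-Object { Get-UnexpectedLinkWriters -ContainerDN $_.DistinguishedName }
$report += Get-UnexpectedLinkWriters -ContainerDN (Get-ADDomain).DistinguishedName
$report | Format-Table -AutoSize

# Take a dated backup of every GPO so that a bad change can be rolled back with Restore-GPO.
$backupPath = 'C:\GPO-Backups'   # assumption: any path writable by the account running this
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Backup-GPO -All -Path $backupPath -Comment ("Baseline " + (Get-Date -Format s)) | Out-Null
```

Any row in the report is a principal who can change what every user or computer in that scope receives, which is why the allow-list is deliberately short. Inherited ACEs show up too, since a delegation granted high in the tree reaches every OU beneath it; the Inherited column tells you where to go to fix it. Run the backup before and after any planned change so the two can be compared and the earlier one restored if needed.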
It’s easy to see how GPOs can be confusing, but it doesn’t have to be that way. With these keys in mind, you’ll never feel lost or alone again when managing your Group Policy Objects (GPOs). The more time and energy invested into understanding them now will pay off later for both productivity purposes as well as security reasons.