Windows Server 2008 R2 Unleashed (121 page)

an ADM subfolder to store all the legacy administrative template files referenced and

imported into the GPO.

registry.pol Files

ptg

Within a particular group policy, the settings are segmented into several sections. Many

settings with the GPO configure keys and values within the Registry. The configuration

status and value of these settings are stored within the registry.pol files in either the User

or Machine subfolders. The registry.pol file contains only the configured settings within

the GPO to improve processing.

gpt.ini File

When a GPO is created, a folder for the GPO is created within the connected domain

controller’s sysvol folder. At the root of that GPO folder is a file named gpt.ini. This file

contains the revision number of the GPO. The revision number is used when a GPO is

processed by a computer or user object. When a GPO is first processed, the revision

number is stored on the system and when subsequent GPO processing occurs, the refer-

ence number in the gpt.ini file is compared with the stored value on the local system

cache. If the number has not changed, certain portions of the GPO are not processed.

19

There are, however, certain portions of a GPO that are always processed, like scripts.

Each time a GPO is changed, the reference or revision number is increased, and even

though the gpt.ini file contains a single number, it actually represents a separate revision

number for the computer and user section of the GPO.

The default configuration of not processing certain GPO sections if the revision number

has not changed can be overridden. In some cases, even though the GPO has not

changed, the intended settings could have been changed by the user or a program and

sometimes forcing the entire GPO to always be processed is required.

This configuration setting is available in both the Computer Configuration and User

Configuration nodes of the GPO and is discussed later in Chapter 27.

594

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

Group Policy Administrative Templates

GPO administrative templates are, in most cases, a set of text or Extensible Markup

Language (XML)–based files that include clearly defined settings that can be set to a

number of different values.

Administrative templates are provided to give administrators easy access to many config-

urable settings commonly used to manage server and workstation computers and end users.

When a new GPO is created, a base set of administrative templates are imported or refer-

enced within that policy. Additional administrative templates can be imported to a partic-

ular policy to add functionality as required.

Windows 7 and Windows Server 2008 R2 Central Store

As stated earlier in this chapter, each GPO in the Active Directory forest will have a corre-

sponding folder stored in the sysvol folder on each domain controller in the domain in

which the GPO is created. If the domain controllers in the particular domain are running

Windows Server 2003, each of these GPO folders would contain a copy of each of the

administrative templates loaded in that particular GPO. This created many duplicated

administrative template files and required additional storage space and increased replica-

tion traffic.

ptg

Starting with the new Group Policy infrastructure included with Windows Vista and

Windows Server 2008 and continuing with Windows 7 and Windows Server 2008 R2,

newly created GPOs only store the files and folders required to store the configured

settings, scripts, registry.pol, and other GPO-related files. When the GPO is opened for

editing or processed by a Windows Vista, Windows 7, Windows Server 2008, or Windows

Server 2008 R2 computer, the local copy of the administrative templates is referenced but

not copied to the new GPO folder in sysvol. Instead, the administrative templates are

referenced from files stored on the local workstations or the domain central store.

The GPO central store is a file repository that houses each of the next generation adminis-

trative templates. The central store would contain all of the new ADMX and ADML

administrative templates and each workstation would reference the files on the domain

controller they are using to process group policies. With a central store created, when a

GPO is opened or processed, the system first checks for the existence of the central store

and then only uses the templates stored in the central store.

The GPO central store can be created within Active Directory infrastructures running any

version of Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2

domain controllers.

Starter GPOs

Windows Server 2008 and Windows Server 2008 R2 Group Policy Management Console

provide a new feature of GPO management called starter GPOs. Starter GPOs are similar to

regular GPOs, but they only contain settings available from administrative templates. Just

as security templates can be used to import and export the configured settings within the

security section of a policy, starter GPOs can be used to prepopulate configured settings in

Elements of Group Policy

595

the Administrative Templates sections of the Computer Configuration and User

Configuration nodes within a GPO. After the release of Windows Server 2008 and

included in Windows Server 2008 R2, Microsoft released a set of predefined starter GPOs

for Windows Vista and Windows XP. The predefined settings in these starter GPOs are

based on information that can be found in the Windows XP and Windows client security

guide published by Microsoft. These particular starter GPOs are read-only policies, but

administrators can create their own starter GPOs as needed by the organization.

How to enable starter GPO functionality and how to create and manage starter GPOs are

covered later in this chapter in the section, “Creating and Utilizing Starter GPOs.”

Policy Settings

Policy settings are simply the configurable options made available within a particular

GPO. These settings are provided from the base administrative templates, security settings,

scripts, policy-based QOS, and, in some cases, software deployment packages. Many policy

settings correspond one to one with a particular Registry key and value. Depending on the

particular settings, different values, including free-form text, might be acceptable as a

legitimate value.

GPO policy settings are usually configurable to one of three values: not configured,

ptg

enabled, or disabled. It is very important for administrators to understand not only the

difference among these three values, but to also understand what the particular policy

setting controls. For example, a policy setting that disables access to Control Panel will

block access to Control Panel when enabled but will allow access when disabled.

GPO policy settings apply to either a computer or a user object. Within a particular GPO,

an administrator might find the same policy setting within both the Computer

Configuration and User Configuration nodes. In cases like this, if the policy setting is

configured for both objects, the computer setting will override the user setting if the

policy is linked to the user object and the workstation to which the user is logged on.

Preference Settings

Group Policies have two main setting nodes, including the Computer and User

Configuration nodes. Each of these contains two main nodes as well, the Policies and

19

Preferences setting nodes. The group policy extensions presented in the Preferences node

provide administrators with the ability to configure many default or initial configuration

and environmental settings for users and computers. One really great feature of GPO

Preferences is Item-Level Targeting, which only applies a certain preference, such as setting

the Start menu on Windows 7 workstations to configure the power button to perform a

logoff instead of a computer shutdown, to only defined users or groups within the Item-

Level Target definition of that GPO. When a user logs on to a workstation and has that

preference applied, this will be the initial setting, but users would be able to change that

setting if they desire. One important distinction that all GPO administrators must make is

that policies set and enforce settings, whereas preferences configure initial settings but do

not block the settings from changes. More information on GPO preferences is detailed in

Chapter 27.

596

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

Group Policy Object Links

GPO links are the key to deploying GPOs to a predetermined set of Active Directory

computers and/or users. GPO links define where the particular policy or policies will be

applied in terms of the Active Directory domain and site hierarchy design.

GPOs can be linked to Active Directory sites, domains, and organizational units (OUs).

Also, a single GPO can be linked to multiple sites, domains, and OUs in a single forest.

This gives administrators the flexibility to create a single policy and apply it to several

different sets of computers and users within an Active Directory forest.

The design of the Active Directory infrastructure, including site design, domain and tree

design, and OU hierarchy, is critical to streamlining targeted GPO application. Careful

planning and consideration should be taken into account during the Active Directory

design phase with regard to how GPOs will be used and how user, group, and computer

objects will be organized.

GPO links can also be disabled as required, to assist with troubleshooting GPO application

or processing.

Group Policy Link Enforcement

Microsoft provides administrators with many ways to manage their infrastructure, includ-

ptg

ing forcing configurations down from the top. GPO link “enforcement,” historically known

as “No Override,” is an option of a GPO link that can be set to ensure that the settings in a

particular policy will be applied and maintained even if another GPO has the same setting

configured with a different value. GPO link enforcement is shown in Figure 19.5.

FIGURE 19.5

Enforcing a group policy.

Elements of Group Policy

597

This function should be used with caution because it might result in undesired functional-

ity or a different level of security than what is required to run a particular service or appli-

cation or manage a system. Before enabling GPO enforcement on any policy, carefully

research and test to ensure that this will not break any functionality or violate an organi-

zation’s IT or regulatory policy.

Group Policy Inheritance

GPOs can be linked at the site, domain, and multiple OU levels. When an Active

Directory infrastructure contains GPOs linked at the domain level, as an example, every

container and OU beneath the domain root container inherits any linked policies. As a

default example, the “Domain Controllers” OU inherits the default domain policy from

the domain.

GPO inheritance allows administrators to set a common base policy across an Active

Directory infrastructure while allowing other administrators to apply more granular poli-

cies at a lower level that apply to subsets of users or computers. As an example of this, a

GPO can be created and linked at the domain level that restricts all users from running