Understanding Group Policy
The change-control tool on Windows Server 2003 is the Group Policy Object Editor (GPOE or just GPE). Shown in Figure 14-2, this application is an MMC snap-in from which policy can be applied to the security principals — computers, users, and groups — of a Windows 2000 and Windows Server 2003 network.
[Screenshot: the Group Policy Object Editor window for a GPO named "Login Scripts". The left pane shows the tree Computer Configuration (Software Settings; Windows Settings; Administrative Templates, expanded to Windows Components: NetMeeting, Internet Explorer, Application Compatibility, Task Scheduler, Terminal Services, Windows Installer, Windows Messenger, Windows Update; System; Network; Printers) and User Configuration (Software Settings; Windows Settings). The right pane lists Internet Explorer settings with their State, all "Not configured": Security Zones: Use only machine settings; Security Zones: Do not allow users to change policies; Security Zones: Do not allow users to add/delete sites; Make proxy settings per-machine (rather than per-user); Disable Automatic Install of Internet Explorer components; Disable Periodic Check for Internet Explorer software updates; Disable software update shell notifications on program launch; Disable showing the splash screen. Extended and Standard view tabs appear at the bottom.]
Figure 14-2: The Group Policy Object Editor snap-in
Group Policy, which gets its name from the idea of grouping policy, can be applied to items such as security management and hardware configuration.
Group Policy is applied by creating an object that contains the properties that extend control of the computer and the user's access to network and machine resources. This object is known as the Group Policy Object, or GPO. The policy is created from various templates stored on the workstation or server.
If an object is a member of a container that is associated (linked) to the GPO, that object falls under the influence of that GPO. If a container is linked to multiple GPOs, the effects of all GPOs on the linked container are merged, as illustrated in Figure 14-3.
Figure 14-3: Multiple Group Policy Object policies merge to affect the container.
Note: Sophisticated object-oriented engineering is at work in the GPO application process. The Group Policy architecture is complex, spans hundreds of pages, and is beyond the scope of this book. It is, however, well worth studying if you are an engineer at heart, because such advanced knowledge can only make you a better server or network administrator. You can find the GPO architecture papers among the white papers on the Microsoft Web site.
Group Policy is not applied directly to an individual security principal (although you can attain such granular control by creating specific OUs). Instead, it is applied to collections of security principals. Security principals gather under one roof on a Windows Server 2003 network in three places: the site, the domain, and the organizational unit. Because GP applies to all three types of containers, you can refer to this as a GP hierarchy.
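The linking and merging just described (a container at site, domain, or OU level, each possibly linked to several GPOs, with the effects merged on the container) can be made visible from the administrator's side. The following PowerShell is an added example, not code from the book. It uses the GroupPolicy and ActiveDirectory module cmdlets, which ship with Windows Server 2008 R2 and later and with RSAT, not with Windows Server 2003 itself (there, gpresult /v is the tool for the applied-policy view). It goes one step beyond the text by showing the order in which the levels are merged: domain policy is processed before OU policy, and within one container the link with order 1 is processed last and therefore wins. The function name Get-GpoApplyOrder, the computer name WS01, and the user CORP\jdoe are placeholders.

```powershell
# Added example; not code from the book. Assumes the GroupPolicy and ActiveDirectory
# PowerShell modules (Windows Server 2008 R2 or later, or RSAT) and an account that can
# read Group Policy. Get-GPInheritance reports domain and OU links only, so site-level
# links are not walked here.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    $domainDn = (Get-ADDomain).DistinguishedName

    # Build the chain of containers from the domain root down to the computer's own OU:
    # strip the leading CN=<computer> RDN, then peel off one RDN per loop iteration.
    # (Simplification: RDN values containing an escaped comma are not handled.)
    $chain = @()
    $dn = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
    while ($dn -ne $domainDn -and $dn -like "*$domainDn") {
        $chain += $dn
        $dn = $dn -replace '^(OU|CN)=[^,]+,', ''
    }
    [array]::Reverse($chain)             # top-level OU first, innermost OU last
    $levels = @($domainDn) + $chain      # domain policy is merged before OU policy

    $applied = 0
    foreach ($target in $levels) {
        $inh = Get-GPInheritance -Target $target
        if ($inh.GpoInheritanceBlocked) {
            Write-Warning "Inheritance is blocked at $target; only Enforced links from above still apply."
        }
        # Within one container, link order 1 has the highest precedence, which means it is
        # applied last. Sorting descending therefore yields the client's apply sequence.
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            $applied++
            [pscustomobject]@{
                ApplySeq  = $applied
                Container = $inh.Name
                Type      = $inh.ContainerType
                Gpo       = $link.DisplayName
                LinkOrder = $link.Order
                Enabled   = $link.Enabled
                Enforced  = $link.Enforced
            }
        }
    }
}

# Usage: list the merge order for one workstation (placeholder name WS01), then produce
# the authoritative merged result (RSoP) for that computer and a placeholder user.
Get-GpoApplyOrder -ComputerName 'WS01' | Format-Table -AutoSize
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'CORP\jdoe' -ReportType Html -Path "$env:TEMP\rsop-WS01.html"
```

The first command shows which GPO is in a position to override which; the RSoP report is the actual merged result the client computed, and is the place to look when a setting on a machine does not match what the link list suggests (for example because of a blocked or enforced link).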
Group Policy is vast and extremely powerful. It takes some getting used to and you need to spend a lot of time trying different things. In large companies, the role of managing GP should be assigned to individuals, possibly members of the change-management board. Managing GP can easily become a full-time occupation for an administrator. GP becomes your main technology with which to manage change, user configuration and desktop settings, workstation lockdown security, software installation, and so on.
GPOs have more than 100 security-related settings and more than 700 registry-based settings, and the GP technology can also be extended or enhanced with certain APIs and custom templates. Specifically, GP technology provides you with the following functionality:
♦ The GPO is configured and stored in Active Directory. GP can also be defined at the local level — that is, at the workstation. Standalone computers are secured or locked down with local policy, and we provide more information about that in the section "How Group Policy Works," later in this chapter. GP, however, depends on Active Directory.
♦ You apply GPOs to users and computers in AD containers (sites, domains, and OUs).
♦ The GPO is secure. You can lock down a GPO just as you can any other object in the operating system.
♦ The GPO can be filtered or controlled by membership in security groups. This, in fact, speeds up application of policy for the membership of the security group.
♦ The GPO is where the concentration of security power is located on Windows networks.
♦ The GPO is used to maintain Microsoft Internet Explorer.
♦ The GPO is used to apply logon, logoff, and startup scripts.
♦ The GPO is used to maintain software, restrict software, and enable software installation.
♦ The GPO is used to redirect folders (such as My Documents).
♦ The GPO does not expose the user profile to tampering if policy is changed, as was the case with Windows NT 4.0.
♦ GP settings on the computer are not permanent. Unlike older technologies for management or locking down workstations, the registry is not permanently tattooed. The settings and configuration can be lifted at any time and easily changed.
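The list above states that a GPO can be filtered by security-group membership. What that filtering looks like in practice is the set of principals holding the Apply permission on each GPO. The following PowerShell is an added example, not code from the book, and assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT; Windows Server 2003 itself has no such module) plus read access to every GPO. The function name Get-GpoSecurityFiltering is a placeholder.

```powershell
# Added example; not code from the book. Assumes the GroupPolicy PowerShell module
# (Windows Server 2008 R2 or later, or RSAT) and read access to every GPO. For each GPO,
# lists the trustees that hold the Apply permission, which is the security-group
# filtering described in the text.
Import-Module GroupPolicy

function Get-GpoSecurityFiltering {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
        $names = @($apply | ForEach-Object { $_.Trustee.Name })

        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Status    = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
            AppliesTo = $names -join ', '
            # A new GPO applies to Authenticated Users by default. Once that entry is
            # removed and a specific group is granted Apply, the GPO is filtered and
            # is processed only for members of that group.
            Filtered  = -not [bool]($names | Where-Object { $_ -like '*Authenticated Users' })
            # A GPO that no principal can apply is linked but never takes effect.
            NoApplier = ($names.Count -eq 0)
        }
    }
}

# Usage: review filtering across the domain, then pick out the GPOs that have been
# narrowed to specific groups or that nobody can apply.
Get-GpoSecurityFiltering | Sort-Object Gpo | Format-Table -AutoSize
Get-GpoSecurityFiltering | Where-Object { $_.Filtered -or $_.NoApplier } | Format-Table -AutoSize
```

The second command is the useful check: a GPO that appears filtered but applies to no one is usually the result of removing Authenticated Users without granting Apply to the intended group, and it silently does nothing until that is corrected.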