Group policies provide configuration management for groups of users and computers. This configuration is created by specifying settings for registry-based policies, security, software installation, scripts, folder redirection, Remote installation services and Internet Explorer. A set of settings is stored in a Group Policy Object (GPO) that can be associated with containers in Active Directory. (Sites, domains or OU's)
Group policies are set in the Computer configuration for system-related items
and in the User configuration for settings that are user related.
Computer configuration items are applied when the computer starts, user
configuration when the user logs on.
There are the following types of group policies:
- Application deployment. The application assignment policies install or upgrade applications for a user or provide a user with a connection to an application. The application publication policies publish applications via the Active Directory so a user can install them via Add/Remove Programs. Application deployment is customized in the Software Settings folder of Computer Configuration and User Configuration to assign and publish software to users and computers.
- Folder redirection. With this policy files can be placed in special folders like Desktop or My Documents. Folder redirection is found in the Windows Settings folder of the User Configuration. It can be used to redirect special folders from the user's profile to another directory (e.g. My Documents, Application Data, Desktop and Start Menu).
- Scripts. This policy activates scripts at specific times. Script settings are customized in the Windows Settings folder of Computer Configuration or User Configuration to start scripts at startup or shutdown, or at logon or logoff. The scripts can be in Visual Basic, JavaScript, PERL and MS-DOS.
- Security settings. These settings can be used to increase the security of the systems. Security settings are set in the Windows Settings folder of Computer Configuration and User Configuration.
- Remote installation services. This part of group policy is used to control the behavior of Remote Installation Services. It is part of the Windows Settings folder of the User Configuration.
- Internet Explorer maintenance. You can use this part to customize Internet Explorer, in the Windows Settings folder of the User Configuration. It is possible to import settings from *.ins or *.cab files.
- Administrative settings. The Administrative Settings section contains all policy settings for the registry. .adm files are Unicode files that define which registry options can be changed by the group policies. Windows 2000 uses the system.adm (operating system), inetres.adm (Internet Explorer) and conf.adm (NetMeeting) files. Other .adm files are winnt.adm for Windows NT 4.0, common.adm for Windows NT 4.0, Windows 98 and Windows 95, and windows.adm for Windows 98 and Windows 95. .adm files are stored in \winnt\inf. Other policies can be added by importing a .adm file into the administrative template. 'True' policies are stored under \Software\Policies of HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. This area is secured (only administrators can make changes) and is cleaned when a group policy is refreshed.
Group policy configurations are stored within group policy objects (GPO's). A GPO stores its information in a group policy container (GPC) and a group policy template (GPT).
GPC's are stored in the Active Directory and contain small amounts of information that change infrequently, like the version number and whether a policy is enabled or disabled.
GPT's store data that is larger and may change frequently, in the \sysvol\policies folder of a domain. The GPT stores template-based policies, security settings, script files and information about the applications available for software installation.
Group policy template (GPT) information:
- GPT's are stored in Sysvol on domain controllers.
- A GPT stores all information for software policies, scripts, folder redirection, application deployment and security settings.
- The folder name under ..\sysvol\domain\policies is the GUID of the GPO. The default domain policy starts with {31B2F340...}, the default domain controller policy with {6AC1786C...}.
- The root folder of a GPT contains a gpt.ini file that includes the version number and a setting to see if the policy is enabled or not.
- Within the root folder of a GPT the following folders can appear:
  - \Adm. The .adm files associated with this specific GPT; they contain the registry settings that can be modified (system.adm, conf.adm and inetres.adm).
  - \User. A registry.pol file with registry settings to apply to users.
  - \User\Applications. The .aas advertisement files used by Windows Installer.
  - \User\Doc. & Set. Any file to deploy to the user's desktop.
  - \User\Scripts. Directories for logon and logoff scripts.
  - \Machine. A registry.pol file with registry settings to apply to computers.
  - \Machine\Applications. The .aas advertisement files used by Windows Installer.
  - \Machine\Doc. & Set. Any file to deploy to all users who log on to the computer.
  - \Machine\Microsoft\WindowsNT\SecEdit. The GptTmpl.inf Security Editor file.
  - \Machine\Scripts. Scripts to run at startup and shutdown.
Local group policies are stored in the \winnt\system32\GroupPolicy directory.
To make GPO's available, GPC's are replicated via Active Directory replication and GPT's via the File Replication Service (FRS). GPO's are stored at domain level and have a unique identifier (GUID). Only GPO's that are fully synchronized can be applied.
Before you can create GPO's you need read and write permissions to the Sysvol
folder on the domain controller and modify permissions on the Active Directory
container for which the policies should apply.
You can create local policies by using the Local security policy snap-in (gpedit.msc).
If you want to set policies for a specific site or domain, load the group policy
console in the Management console and specify the site or domain to which the
policy should apply. You can also create a new policy.
You can directly access the account policies via Administrative Tools - Domain Security Policy or Local Security Policy.
After a group policy is created, it can be linked to a site, domain or OU. To link a policy to a site, use the Active Directory Sites and Services snap-in. To link a policy to a domain or OU, use the Active Directory Users and Computers snap-in. Right-click the site, domain or OU and select Properties, then select the Group Policy tab.
At the Group Policy tab you can do the following tasks:
- New. Create a new policy for the site, domain or OU.
- Remove. Remove a group policy. You can either remove only the link of this policy to the site, domain or OU, or delete the whole group policy from the servers.
- Edit. Change the selected policy.
- Options. Set the no override option of a policy and disable or enable the group policy.
- Properties. On the General tab you can see the creation date, modification date, revisions, domain name and the unique name of the policy. You can also disable the computer or user configuration for this policy to improve performance. The Links tab gives you the ability to find out where the group policy is used. On the Security tab you can change the permissions on the group policy.
- Up/Down. Change the order in which the group policies are applied.
- Block policy inheritance. Set if group policies from a higher-level site, domain or OU should be blocked. (Policies with the no override option cannot be blocked.)
By default changes to group policies are always made on the PDC emulator. This prevents administrators from making conflicting changes to the same policy on different domain controllers. This setting can be changed in the MMC via View - DC Options. You can choose to use the PDC emulator (default), the domain controller used by the Active Directory snap-in, or any available domain controller.
By default policies are cumulative and applied in the following order:
Local group policies - Site policies - Domain policies (only the domain the user or computer is a member of, not the parent domains) - OU policies (all OU's; the OU containing the user or computer is applied last).
This means that an OU setting overwrites a site or domain setting. If the user is in a sub-OU, the policies of the parent OU are applied first. If a computer policy and a user policy conflict, the computer policy is applied.
There are two ways to overrule the order in which policies are applied:
- No override. Child containers cannot overwrite a setting that is made in a higher GPO. This setting is set on a per-GPO basis. This option cannot be set for local group policies. If multiple policies at different levels (site, domain, OU) use the no override option, the policy on the highest level will be active.
- Block inheritance. A child container can use this option to block policies inherited from parent containers. If the no override option is set on the parent container, that setting wins. This option cannot be set for local group policies.
Policies do inherit from a domain through OU's but do not apply to child domains.
Policies in a GPO only apply to users who have read access and have the
option Apply group policy set. By default this is the case for all authenticated
users.
Enterprise administrators, domain administrators and the local system do have
full control rights on group policies without the Apply group policy entry. This
means that these groups will not get the policies by default. Administrators who
are part of the Authenticated users will receive group policies.
If you want to set a group policy for a group of users, remove the Authenticated
users group and add the group that needs the policy. Give this group read
permissions and the Apply group policy right.
If you want to deny a group policy for a group of users, deny them the read
permissions and the Apply group policy right on the group policy.
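Here is an added example (not from the original page) that puts the application order, the no override and block inheritance options, and the read / Apply group policy filtering described above into a small Python simulator. The GPO names, settings, groups and ACL entries are all constructed, and the GPO ACL is modelled as simple allow/deny entries per right rather than real Windows ACEs.

```python
"""Constructed simulator of Windows 2000 group policy precedence:
security filtering (Read + Apply Group Policy, Deny wins), then the
Local - Site - Domain - OU order, then No Override / Block Inheritance."""

from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False
    acl: list = field(default_factory=list)   # (trustee, right, allowed?) entries


@dataclass
class Container:
    level: str                     # "Local", "Site", "Domain" or "OU"
    name: str
    gpos: list                     # link order: first entry has the highest priority
    block_inheritance: bool = False   # ignored for "Local", which cannot block


def passes_filter(gpo, groups):
    """A principal gets the GPO only if one of its groups is allowed both
    Read and Apply Group Policy; a Deny on either right wins over an Allow."""
    rights = {}
    for trustee, right, allowed in gpo.acl:
        if trustee in groups and (rights.get(right) is None or not allowed):
            rights[right] = allowed
    return rights.get(READ) is True and rights.get(APPLY) is True


def resultant_settings(chain, groups):
    """chain: containers in application order (Local, Site, Domain, parent OU,
    ..., child OU).  Returns {setting: (value, name of the winning GPO)}."""
    result = {}
    enforced = {}        # settings owned by a No Override GPO at a higher level
    for container in chain:
        if container.block_inheritance and container.level != "Local":
            result = dict(enforced)        # drop everything inherited except No Override
        # Lowest-priority link first, so the highest-priority link is written last.
        for gpo in reversed(container.gpos):
            if not passes_filter(gpo, groups):
                continue
            for setting, value in gpo.settings.items():
                if setting not in enforced:
                    result[setting] = (value, gpo.name)
        # No Override at this level: the highest level that already enforced a
        # setting keeps it (setdefault), otherwise this level takes it over.
        for gpo in container.gpos:
            if gpo.no_override and container.level != "Local" and passes_filter(gpo, groups):
                for setting, value in gpo.settings.items():
                    enforced.setdefault(setting, (value, gpo.name))
                    result[setting] = enforced[setting]
    return result


def demo():
    """Constructed scenario: returns the resultant set for two principals."""
    auth = [("Authenticated Users", READ, True), ("Authenticated Users", APPLY, True)]
    chain = [
        Container("Local", "workstation",
                  [GPO("Local", {"wallpaper": "local", "screensaver": "local"}, acl=auth)]),
        Container("Site", "HQ", [GPO("Site-Std", {"wallpaper": "site"}, acl=auth)]),
        Container("Domain", "corp",
                  [GPO("Domain-Sec", {"screensaver": "domain", "min_pw_len": 8},
                       no_override=True, acl=auth)]),
        Container("OU", "Sales",
                  [GPO("Sales-Desktop", {"wallpaper": "sales", "screensaver": "sales"},
                       acl=auth + [("Managers", APPLY, False)])],   # managers are denied Apply
                  block_inheritance=True),
    ]
    return {
        "standard_user": resultant_settings(chain, {"Authenticated Users"}),
        "manager": resultant_settings(chain, {"Authenticated Users", "Managers"}),
    }


if __name__ == "__main__":
    for who, settings in demo().items():
        print(who, settings)
```

For a user who is only in Authenticated Users, the Sales OU policy overrides the site wallpaper, while the domain screensaver setting survives the block because of no override. Adding the Managers group, which is denied Apply group policy on the Sales GPO, filters that GPO out entirely; since the inherited wallpaper setting was blocked, that user ends up with no wallpaper setting at all.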
On the clients the policies are applied by the following DLL's:
- userenv.dll. Registry settings
- dskquota.dll. Disk quota
- fdeploy.dll. Folder redirection
- gptext.dll. Scripts
- gptext.dll. IP security
- appmgmts.dll. Software installation
- scecli.dll. Security and EFS
- scecli.dll. EFS recovery
- iedkcs32.dll. Internet Explorer maintenance
For each of these items you can set if you want to deploy the policies via a
slow network connection, if it should not be applied during a background
refresh and if it should be applied on a refresh when there were no changes.
For the registry and the security settings the option to disable deployment of
the policies via a slow connection is not available. Folder redirection and
software installation can never be refreshed in the background.
Local group policies are applied to every user with read access on the \winnt\system32\GroupPolicy directory. If you do not want to apply a policy for a group of users, deny them read access to this directory.
You can use the Delegation of Control wizard to delegate the permission to change group policies for a site, domain or OU. Start the wizard, add the user(s) or group(s) and select Manage group policy links. This allows the user(s) or group(s) to add or remove policies for a site, domain or OU. They cannot change the permissions on the linked group policies.
If you want a non-administrator to have the ability to create GPO's, the user must be added to the Group Policy Creator Owners group. Members of this group can create new GPO's and modify the ones they created. Also give the user or group the right to change the group policies for an OU, or create a customized MMC, because otherwise the user or group is still not able to create a policy.
Within Windows 2000 group policy related registry keys are stored in \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. Policies stored in these areas are called 'true policies'. The benefit of true policies is that the registry area in which they are stored is secured (only administrators have access) and that the registry trees are cleared before a new policy is written.
Policy settings in the registry outside this area are called 'preferences'. By default these preferences are not displayed in the MMC, but this can be changed by de-activating 'Show policies only' in the View menu. (This option can be unavailable due to group policy settings.)
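As an added illustration (not from the original page), the following Python code writes and reads back a registry.pol file in the PReg format that Group Policy uses under the \User and \Machine folders of a GPT, and flags which entries are true policies according to the two registry paths above. The key and value names are constructed samples, not real policy names.

```python
"""Build and parse a registry.pol (PReg version 1) file and tell true
policies from preferences by their registry path.  The record layout is
[key;value;type;size;data] with the brackets and semicolons stored as
UTF-16LE characters, key/value as NUL-terminated UTF-16LE strings and
type/size as little-endian DWORDs."""

import struct

REG_SZ, REG_DWORD = 1, 4
PREG_HEADER = b"PReg" + struct.pack("<I", 1)           # signature + version 1
LB, SEP, RB = (c.encode("utf-16-le") for c in "[;]")   # record delimiters

TRUE_POLICY_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

# Constructed sample entries; these keys and value names are made up.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\Desktop", "Wallpaper", REG_SZ, "\\\\server\\share\\corp.bmp"),
    ("Software\\Policies\\Example\\Desktop", "LockTimeout", REG_DWORD, 600),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Example", "NoRun", REG_DWORD, 1),
    ("Software\\Example\\Settings", "Theme", REG_SZ, "blue"),      # a preference, not a policy
]


def _u16z(text):
    """NUL-terminated UTF-16LE string, as the format stores names and REG_SZ data."""
    return (text + "\0").encode("utf-16-le")


def build_registry_pol(entries):
    """entries: (key, value_name, reg_type, data); data is str for REG_SZ, int for REG_DWORD."""
    out = bytearray(PREG_HEADER)
    for key, name, rtype, data in entries:
        if rtype == REG_SZ:
            payload = _u16z(data)
        elif rtype == REG_DWORD:
            payload = struct.pack("<I", data)
        else:
            raise ValueError("unsupported registry type %r" % rtype)
        out += LB + _u16z(key) + SEP + _u16z(name) + SEP
        out += struct.pack("<I", rtype) + SEP + struct.pack("<I", len(payload)) + SEP
        out += payload + RB
    return bytes(out)


def _expect(buf, pos, token):
    """Check that token sits at pos and return the position after it."""
    if buf[pos:pos + len(token)] != token:
        raise ValueError("malformed registry.pol at offset %d" % pos)
    return pos + len(token)


def _read_u16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, position after the NUL)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_registry_pol(buf):
    """Return the list of (key, value_name, reg_type, data) records in the file."""
    pos = _expect(buf, 0, PREG_HEADER)
    records = []
    while pos < len(buf):
        pos = _expect(buf, pos, LB)
        key, pos = _read_u16z(buf, pos)
        pos = _expect(buf, pos, SEP)
        name, pos = _read_u16z(buf, pos)
        pos = _expect(buf, pos, SEP)
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        payload = bytes(buf[pos:pos + size])
        pos = _expect(buf, pos + size, RB)
        if rtype == REG_DWORD:
            data = struct.unpack("<I", payload)[0]
        elif rtype == REG_SZ:
            data = payload.decode("utf-16-le").rstrip("\0")
        else:
            data = payload                      # leave other types as raw bytes
        records.append((key, name, rtype, data))
    return records


def is_true_policy(key):
    """True policies live in the administrator-only areas that are cleared on refresh."""
    return key.lower().startswith(TRUE_POLICY_ROOTS)


def roundtrip(entries=SAMPLE_ENTRIES):
    return parse_registry_pol(build_registry_pol(entries))


def classify(entries=SAMPLE_ENTRIES):
    """{key\\value: True if it is a true policy, False if it is a preference}."""
    return {"%s\\%s" % (key, name): is_true_policy(key) for key, name, _, _ in entries}


if __name__ == "__main__":
    for path, policy in classify(roundtrip()).items():
        print("policy    " if policy else "preference", path)
```

The same parser can be pointed at a real \Machine\registry.pol or \User\registry.pol taken from Sysvol to list what a GPO actually writes; anything it reports as a preference will not be cleaned up when the policy is refreshed, which is the practical difference the paragraph above describes.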
Group policies are split in Computer Configuration and User configuration. An overview of the various options can be found in the gp.chm file of the resource kit.
The computer configuration can be used to lock down clients. It is applied to every computer for which the policy is set, regardless of the user who logs on. The settings are applied when the computer starts up. By default computer configuration policies are applied synchronously, which means that the policies have been applied before the logon screen appears. The time-out value for the deployment of the policies is 60 minutes, but if a policy runs into an error, the deployment continues in asynchronous mode.
The computer configuration container contains the following sub-containers :
No entries available.
Set a script to run at startup or shutdown.
Set security settings for :
Account policies
Set password policies for :
- history (default 0 password remembered)
- min. password age (default 0 days)
- max. password age (default 42 days)
- min. password length (default 0 characters)
- complexity requirements (default disabled)
- store password using reversible encryption (default disabled)
Set account lockout policies for :
- Account locked duration (default not defined)
- Account locked threshold (default 0 logon attempts)
- Reset locked after... (default not defined)
Local policies
Set audit policies for :
- Audit account logon events
- Audit account management
- Audit directory services access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit Process tracking
- Audit system events
By default all audit settings are turned off. The settings can be changed to Success and/or Failure auditing.
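An added example (not part of the original page): the password, lockout and audit settings above end up in the GptTmpl.inf Security Editor template (named GptTmpl.ini earlier on this page) in the SecEdit folder of the GPT, and the GPO version lives in gpt.ini. The Python below reads constructed samples of both, reports which settings still sit at the defaults listed above, summarizes the audit policy, and splits the gpt.ini version into its computer and user halves (an assumption not stated on the page: the low 16 bits hold the computer version and the high 16 bits the user version). The section and key names are the ones secedit uses in its templates.

```python
"""Check a GptTmpl.inf security template against the Windows 2000 defaults
listed above and decode the gpt.ini version.  Both inputs are constructed
samples; real GptTmpl.inf files are UTF-16 text with the same layout."""

import configparser
import io

SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 0
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Same template with two settings raised above the defaults (constructed).
HARDENED_GPTTMPL = (SAMPLE_GPTTMPL
                    .replace("MinimumPasswordLength = 0", "MinimumPasswordLength = 8")
                    .replace("PasswordComplexity = 0", "PasswordComplexity = 1"))

# Constructed gpt.ini: 196611 == 0x00030003, i.e. user version 3, computer version 3.
SAMPLE_GPT_INI = """\
[General]
Version=196611
"""

# Windows 2000 defaults as listed on this page (0 = disabled / not defined).
DEFAULTS = {
    "PasswordHistorySize": 0,      # history: 0 passwords remembered
    "MinimumPasswordAge": 0,       # min. password age: 0 days
    "MaximumPasswordAge": 42,      # max. password age: 42 days
    "MinimumPasswordLength": 0,    # min. password length: 0 characters
    "PasswordComplexity": 0,       # complexity requirements: disabled
    "ClearTextPassword": 0,        # reversible encryption: disabled
    "LockoutBadCount": 0,          # lockout threshold: 0 logon attempts
}
AUDIT_KEYS = ("AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
              "AuditLogonEvents", "AuditObjectAccess", "AuditPolicyChange",
              "AuditPrivilegeUse", "AuditProcessTracking", "AuditSystemEvents")
AUDIT_NAMES = {0: "no auditing", 1: "success", 2: "failure", 3: "success and failure"}


def load_template(text):
    """Parse INF-style text; option names keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def settings_at_default(text):
    """{setting: value} for every System Access setting still at its default
    (a missing key counts as 'not defined', i.e. the default)."""
    cp = load_template(text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    return {key: default for key, default in DEFAULTS.items()
            if int(access.get(key, default)) == default}


def audit_summary(text):
    """{audit category: description}; categories absent from the template are 'not defined'."""
    cp = load_template(text)
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    return {k: AUDIT_NAMES.get(int(audit[k]), "unknown") if k in audit else "not defined"
            for k in AUDIT_KEYS}


def gpt_versions(text):
    """Split the gpt.ini Version into (computer version, user version)."""
    version = int(load_template(text)["General"]["Version"])
    return version & 0xFFFF, version >> 16


if __name__ == "__main__":
    print("still at default:", sorted(settings_at_default(SAMPLE_GPTTMPL)))
    print("hardened, still at default:", sorted(settings_at_default(HARDENED_GPTTMPL)))
    print("audit:", audit_summary(SAMPLE_GPTTMPL))
    print("computer/user version:", gpt_versions(SAMPLE_GPT_INI))
```

Run against the GptTmpl.inf of a GPO from Sysvol, this gives a quick picture of which account policy settings an administrator never changed away from the values the page lists as defaults, and which audit categories are still off.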
Set user rights assignments for things like:
- Access computer from the network. (def. everyone)
- Act as part of operating system. (def. not defined)
- Add workstations to domain. (def. not defined)
- Backup files and directories. (def. backup operators and administrators)
- Bypass traverse checking. (def. everyone)
- Change the system time (def. power users and admin.)
- Create a pagefile. (def. admin only)
- Create a token object. (def. not defined)
- Create permanent shared objects. (def. not defined)
- Debug programs. (def. admin only)
- Deny access to this computer from the network.(def. not defined)
- Deny log on as a batch job. (def. not defined)
- Deny log on as a service. (def. not defined)
- Enable computer and user accounts to be trusted for delegation. (def. not defined)
- Force shutdown from a remote system. (def. admin only)
- Generate security audits. (def. not defined)
- Increase quotas. (def. admin only)
- Increase scheduling priority. (def. admin only)
- Load and unload device drivers. (def. admin only)
- Lock pages in memory. (def. not defined)
- Log on as a batch job. (def. admin and IIS accounts)
- Log on as a service. (def. not defined)
- Log on locally. (def. everyone)
- Manage auditing and security log. (def. admin only)
- Modify firmware environment variables. (def. admin only)
- Profile single process. (def. admin and power users)
- Profile system performance. (def. admin only)
- Remove computer from docking station (def. users, power users and administrators)
- Replace a process level token. (def. not defined)
- Shut down the system (def. users)
- Synchronize directory service data. (def. not defined)
- Take ownership of files or other objects (def. admin only)
Set security options for: (to be added later...)
Public key policies
Set policies for Encrypted Data Recovery Agents, Automatic Certificate Request Settings, Trusted Root Certification Authorities and Enterprise Trust
IP Security policies
Set the IP security policies in these containers.
Logon
Set logon policies for scripts (synchronously or not, visible) and roaming profile settings. By default the settings are not configured.
Disk Quotas
Set policies for disk quotas. (enable quotas, enforce limit, default limit, etc.). By default the settings are not configured.
DNS client
Set the primary DNS suffix. (By default not configured)
Group policy
Set various policies for the group policy (e.g refresh intervals, slow link detection, which policies to process) By default the settings are not configured.
Windows File Protection
Set policies for Windows File Protection: enable it, hide the progress window, limit the size of the cache directory and set the location of the directory. By default the settings are not configured.
Offline files
Set various policies for offline files. By default the settings are not enabled.
Network and dial-up connections
Set if it is allowed to configure connection sharing. By default this setting is not configured.
Set various policies about printers. E.g. publishing, browsing pruning, etc. By default the policies are not configured.
The user configuration settings are used to customize (lock down) the user's environment. The settings are activated when the user logs on. They cover e.g. desktop appearance, application settings, logon and logoff scripts, and assigned and published applications. By default user configuration policies are applied synchronously, which means that the policies have been applied before the shell appears. The time-out value for the deployment of the policies is 60 minutes, but if a policy runs into an error, the deployment continues in asynchronous mode.
Nothing to configure
Internet explorer maintenance
Customize internet explorer via policies.
Scripts
Set a logon and logoff script.
Security settings
Nothing to configure.
Windows components
Set policies for Netmeeting, Internet explorer, MMC, Task scheduler and Windows installer. By default the policies are not configured.
Start menu and taskbar
Set policies for the start menu and task bar. By default the policies are not configured.
Desktop
Set policies for the desktop, e.g. icons, Active Desktop and Active Directory policies. By default the policies are not configured.
Control panel
Set policies for the Add/Remove-, display-, printers- and regional options applet. By default the policies are not configured.
Network
Set policies for offline files and network and dial up connections. By default the policies are not configured.
System
Set policies for logon and logoff and group policies. By default the policies are not configured.
With the Security Configuration Editor security settings can be applied for computers:
- Account policies. Password, lockout and Kerberos policies for the domain.
- Local policies. Used for auditing, user rights assignments and security options.
- Event log. Settings for the event logs.
- Restricted groups. To configure groups that are security sensitive, like administrators.
- System services. To configure security and startup for services.
- Registry. Used to configure security on registry keys.
- File system. Used to configure security on the file system.
- Public key policies. Configure EFS recovery agents, trusted CA's, domain roots, etc.
- IP security policies. Configure IP security.
Policies are refreshed in the background but only when a change is detected.
When refreshing policies, the Software Installation and Folder Redirection
settings are not refreshed to prevent problems.
By default a refresh is done every 90 minutes with a randomized offset of up to 30 minutes (on domain controllers every 5 minutes). You can manually enforce a policy refresh with the commands:
secedit /refreshpolicy MACHINE_POLICY [/enforce]
secedit /refreshpolicy USER_POLICY [/enforce]
The /enforce option will enforce the Security and EFS settings to be refreshed even if there were no changes.
The secedit program cannot be used for policy refresh in .NET Server; gpupdate.exe provides this functionality there.
Windows 95/98/ME/NT 4.0 clients do not use Windows 2000 group policies. Use the System Policy Editor (poledit.exe) to create an ntconfig.pol file for NT 4.0 clients. For Windows 95/98 clients you can use poledit.exe on the local computer to create config.pol files. These .pol files should be placed in the Sysvol folder on the domain controllers (netlogon share).
Keep in mind that when a Windows 2000 client is validated by a NT 4.0 domain controller, system policies are applied. If the same client connects to a Windows 2000 domain controller, group policies are applied.
The resource-kit utility gpolmig.exe can be used to import NT 4.0 system policies into a Windows 2000 group policy. You can also use the Windows 2000 version of the system policy editor (poledit.exe) to transfer system policies (.adm-files) into Windows 2000 group policies.
You can use this tool to configure the security settings of a machine. It should be loaded as a snap-in in the MMC. After this is done, take the following steps:
- Open a database in which you can store the results of the security analysis (*.sdb file).
- Import the security template you want to use. You can choose one of the following templates:
- After the import, you can Analyze the computer or Configure the computer with the imported template.
- If you analyze, a log file is created and the policies on the computer can be compared with the ones in the imported template.
You can change templates by modifying the templates in the \winnt\security\templates folder. By default the templates are used to set the following items:
- Account policies
- Local policies
- Event log policies
- File system
- Registry
- Restricted groups
- System services
This resource kit tool can be used to view which policies were applied on a computer. The tool can be downloaded from Microsoft.
This tool can be used to monitor the health of GPO's on the servers, to see the resultant set of policies and to back up and restore policies. It can be downloaded from Microsoft.
This resource kit tool can be used to migrate Windows NT 4.0 system policies to Windows 2000 group policies.
This resource kit tool can be used to monitor the health of group policies on domain controllers. It can be downloaded from Microsoft.
To enable the logging of group policy deployment, add the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtension\{827...}\ExtensionDebugLevel (DWORD) and set it to 2. This turns on logging to the file \winnt\security\logs\winlogon.log. After this use secedit /refreshpolicy to re-apply the policies. (Q245422)
- A group policy modeling tool, fazam2000 (Windows 2000 Magazine, March 2001)
Last update : 7 March 2003