Group Policy is a set of rules (settings) according to which the working environment of computers and users in a Windows network is configured. Group policies are created in an Active Directory domain and replicated within that domain. A Group Policy Object (GPO) consists of two physically separate components: a Group Policy Container (GPC), stored in Active Directory, and a Group Policy Template (GPT), stored in the SYSVOL share of the domain controllers. Together these two components hold all the environment settings that make up the GPO. Thoughtful linking of GPOs to Active Directory containers makes it possible to build an efficient and easily managed Windows working environment. Policies are applied top-down through the Active Directory hierarchy.
Creating group policies
By default, two GPOs are created in an Active Directory domain: the Default Domain Policy and the Default Domain Controllers Policy. The first is linked to the domain, the second to the Domain Controllers organizational unit, which contains the domain controllers. To create your own GPO you must hold the necessary permissions; by default the Enterprise Admins, Domain Admins and Group Policy Creator Owners groups have the right to create new GPOs.
Group Policy Application
When working with group policies, keep in mind that:
- GPOs are linked to containers (sites, domains and organizational units), not to leaf objects such as individual users or computers;
- one container can be linked to several GPOs;
- GPOs linked to the same container are applied in their link order: the GPO at the bottom of the list is applied first and the one at the top last, so the top entry wins on conflict;
- a GPO has two components: Computer Configuration settings and User Configuration settings;
- processing of either component can be disabled;
- inheritance of GPOs from parent containers can be blocked;
- a GPO link can be forced (No Override) so that it can be neither blocked nor overridden further down;
- application of a GPO can be filtered with its ACL.
Conflict resolution of two policies
Imagine that a certain setting (for example, the logon banner, the message shown when a user logs on) is defined both in policy P3 and in policy P1, and that the two values differ. Which value will the setting have after both policies are applied? In this situation the setting takes the value from the GPO that is linked closest to the object, that is, lowest in the hierarchy. Since P1 is linked closer to the object than P3, the logon banner takes the value from P1.
Policy Inheritance
Now imagine that P3 defines the logon banner and P1 does not. If both policies apply to the object, the setting takes the value from P3. The same holds for a container to which no policy is linked at all, say the SA container: its logon banner still receives the value from P3, because SA inherits both P3 and P1 in full from its parent containers.
Applying multiple policies to a single container
Imagine that policies P4 and P5, which set a wide range of parameters, are linked to the Acct container. In the Computer Configuration of P4, the global Accounting group is granted the Log on locally user right on every computer in Acct and all of its subcontainers; the Computer Configuration of P5 defines the same user right without including the Accounting group. In the list of policies on the Group Policy tab of the Acct container's properties window, P5 appears at the very top of the list, above P4. The policies in this list are applied from the bottom up: the policy at the bottom is applied first, the one at the top last. For Acct, therefore, P4 is applied first and P5 afterwards, and the Log on locally setting ends up with the value from P5. Consequently, members of the global Accounting group will not be able to log on locally to the computers in Acct and its subcontainers. To change the processing order, use the Up and Down buttons in the lower right corner of the Group Policy tab.
Windows 2000 lets you disable certain sections of a GPO. If only part of a policy is applied to a container, user logon time decreases: the fewer GPO settings need to be applied to an object, the faster the policy is processed. Disabling sections is configured separately for each GPO. To do this, follow these steps:
- Open the Active Directory Users and Computers snap-in, right-click the container of interest, open its properties window and go to the Group Policy tab.
- Select the GPO that you intend to modify.
- Click the Properties button.
- Here you can disable application of the Computer Configuration or the User Configuration part of the policy to the container.
- After you specify which section of the GPO to disable, a message appears stating that the settings changed by this policy will be restored to their original state. For example, if you disable the User Configuration section, the configuration of all users to whom the policy applied returns to the state it was in before the policy was applied. Windows NT 4.0 System Policy, by contrast, did not clean up after itself: even after a policy was withdrawn, the registry values it had written stayed in place (so-called tattooing).
Disabling a policy section is a property of the GPO itself and therefore takes effect for every container to which the GPO is linked.
Blocking Policy Inheritance
Windows 2000 lets you block inheritance of policies from parent containers. For example, if only the policies linked at the IT level should act on the IT container and all its subcontainers, select the Block Policy Inheritance check box on the Group Policy tab of the IT container's properties. Policies P1 and P3, linked above IT, will then no longer apply to the IT Workstations and IT Servers containers. Blocking cannot be limited to a single policy: once inheritance blocking is enabled on a container, every policy linked at higher levels of the Active Directory hierarchy ceases to apply to that container and all its subcontainers, unless the link carries No Override.

No Override, by contrast, is set on an individual GPO link rather than on a container. If the No Override check box is selected for a GPO link, the settings of that policy always win in a conflict, regardless of the level of the hierarchy at which the receiving containers lie. For example, if you open the properties window of the shinyapple.msft domain and select No Override for policy P1, objects further down the Active Directory hierarchy will always be configured with the values from P1, and P1 is given preference in any conflict. A typical case for this feature is enforcing security settings. A policy with No Override is applied even to containers on which inheritance blocking is enabled, because No Override takes precedence over Block Policy Inheritance. (In later versions of Windows the same option is called Enforced.)
Filtering Policies
Filtering policies by security group membership is another way to alter the normal order in which policies are applied to Active Directory objects. Filtering is done with access control lists (ACLs): every GPO carries an ACL, and the security system evaluates it regardless of which container the GPO is linked to. A policy is applied to an object only if that object holds both the Read and the Apply Group Policy permissions on the GPO. A user or computer (directly or through its groups) that lacks Apply Group Policy does not receive the policy.
Debugging the processing of policies and profiles
To log the order in which policies and profiles are applied, use Registry Editor to add a REG_DWORD value named UserEnvDebugLevel with the data 0x10002 under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, then restart the computer. The log of policy and profile processing is written to %SystemRoot%\Debug\UserMode\Userenv.log.

Besides the GPOs stored in Active Directory, every Windows 2000 system also has a local policy, which defines the settings of that workstation. Policies are applied in a fixed order: first the local policy, then site policies, then domain policies, and finally the policies of the organizational units, from the top-level OU down to the OU that contains the object. This order is often abbreviated L, S, D, OU. If the local policy conflicts with a site, domain or OU policy it always loses; in other words, local policy has the lowest priority.

All settings, except logon/logoff and startup/shutdown scripts and software installation (whether assigned or published), are refreshed every 90 minutes with a random offset of up to 30 minutes. The refresh is started by the client-side Group Policy engine, which records when the client last refreshed. At the start of a refresh the version numbers of the GPOs in the domain are compared with the versions recorded locally; if a version differs, that policy is reapplied in full, otherwise nothing is done. Policies applied to domain controllers are refreshed every five minutes.
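The precedence rules described in the sections above (link order within a container, L, S, D, OU processing, Block Policy Inheritance, No Override and security filtering by the Apply Group Policy permission) can be modelled in a few dozen lines. The following is an added example, not code from the original article or from Windows itself; Windows computes the resultant set of policy in its client-side engine, this is only a model of the rules. The containers, GPO names and settings (shinyapple.msft, P1, P3, P4, P5, Acct, SA, IT, IT Workstations) are constructed to mirror the article's scenarios; a sixth GPO, P6, is invented here to show security filtering.

```python
"""Model of Windows 2000 Group Policy precedence (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict                  # parameter -> value defined by this GPO
    apply_to: Optional[set] = None  # groups holding Read + Apply Group Policy;
                                    # None models the default (Authenticated Users)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False       # "No Override" (later called Enforced) on this link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # as shown on the Group Policy tab: top first
    block_inheritance: bool = False            # "Block Policy Inheritance" on this container
    parent: Optional["Container"] = None


def resultant_policy(target, groups, local_policy=None):
    """Return (settings, applied_gpo_names) for a principal that belongs to
    `groups` and lives in `target`.  `applied_gpo_names` lists GPOs in the
    order they were applied, so the last one that defines a setting wins."""
    chain, node = [], target
    while node is not None:          # domain -> ... -> target, root first
        chain.insert(0, node)
        node = node.parent

    # Block Policy Inheritance on a container discards every link *above* it
    # that does not carry No Override; the deepest blocking container decides.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance),
                        default=-1)

    def passes_filter(link):
        return link.gpo.apply_to is None or bool(link.gpo.apply_to & groups)

    ordered = []                                  # lowest priority first
    for level, container in enumerate(chain):     # S, D, OU: deeper levels win
        for link in reversed(container.links):    # bottom of the list applied first
            if (not link.no_override and level >= blocked_above
                    and passes_filter(link)):
                ordered.append(link.gpo)
    for container in reversed(chain):             # No Override links applied last;
        for link in reversed(container.links):    # a parent's No Override beats a child's
            if link.no_override and passes_filter(link):
                ordered.append(link.gpo)

    settings = dict(local_policy or {})           # L: local policy has lowest priority
    for gpo in ordered:
        settings.update(gpo.settings)
    return settings, [g.name for g in ordered]


# Constructed sample data mirroring the article's scenarios.
P1 = GPO("P1", {"logon_banner": "P1 banner"})
P3 = GPO("P3", {"logon_banner": "P3 banner", "min_password_length": 8})
P4 = GPO("P4", {"log_on_locally": ["Administrators", "Accounting"]})
P5 = GPO("P5", {"log_on_locally": ["Administrators"]})
P6 = GPO("P6", {"screensaver_timeout": 600}, apply_to={"Accounting"})  # invented
LOCAL_POLICY = {"logon_banner": "Local banner", "audit_logon_events": True}


def build(p3_no_override=False):
    """Build the hierarchy; P3 at the domain optionally carries No Override."""
    domain = Container("shinyapple.msft", links=[Link(P3, p3_no_override)])
    sa = Container("SA", parent=domain)                       # inherits everything
    acct = Container("Acct", links=[Link(P5), Link(P4), Link(P1), Link(P6)],
                     parent=domain)                           # P5 is top of the list
    it = Container("IT", block_inheritance=True, parent=domain)
    it_ws = Container("IT Workstations", parent=it)
    return {c.name: c for c in (domain, sa, acct, it, it_ws)}


if __name__ == "__main__":
    tree = build()
    for name, groups in (("SA", set()), ("Acct", {"Accounting"}),
                         ("IT Workstations", set())):
        result, order = resultant_policy(tree[name], groups, LOCAL_POLICY)
        print(f"{name}: applied {order} -> {result}")
    result, order = resultant_policy(build(True)["IT Workstations"], set(), LOCAL_POLICY)
    print(f"IT Workstations with P3 No Override: applied {order} -> {result}")
```

For Acct the model applies P3, P6, P1, P4, P5 in that order, so the logon banner comes from P1 (closest link), Log on locally comes from P5 (top of the list) and the Accounting group is left out exactly as the article describes, while P6 reaches only members of Accounting. IT Workstations receives nothing but the local policy until P3 is marked No Override, at which point P3 passes through the block.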
Clients who can use Group Policy
During a transition to Windows 2000, computers running earlier versions of Windows will most likely remain on the network. To manage such a network effectively, it is important to know which computers Group Policy reaches. The operating systems and their support for Group Policy are listed below.
- Windows 2000 Server and Windows Server 2003. Such computers can be ordinary members of an Active Directory domain or domain controllers; Group Policy applies fully to both.
- Windows 2000 Professional and Windows XP Professional. Group Policy applies fully to these client computers.
- Windows NT 4.0 Workstation and Server. Only NT 4.0-style system policies can be applied to these computers. They are created with the System Policy Editor (poledit.exe), which builds an ntconfig.pol file from .adm templates. Windows NT 4.0 does not support Active Directory and has no local policy objects, so Group Policy does not apply to it.
- Windows 95 and Windows 98. These systems have their own System Policy Editor; the resulting .pol file (config.pol) must be copied to the NETLOGON share, which on Windows 2000 domain controllers lives inside SYSVOL. The System Policy Editors shipped with Windows 2000 and Windows NT are not compatible with Windows 98 and Windows 95. Windows 2000 Group Policy does not apply to these computers.
- Windows NT 3.51, Windows 3.1 and DOS. Group Policy does not apply.
Logon scripts
Windows NT allows a logon script to be assigned to each user: a script containing commands that are executed when the user logs on. Logon scripts are typically used to initialize the user's working environment. In addition to logon scripts, Windows 2000 also supports logoff scripts, and for each computer you can assign startup and shutdown scripts. Windows Scripting Host (WSH) runs scripts written in languages such as VBScript or JScript, which can drive the operating system through COM automation objects. The following covers some features of using scripts in Windows 2000.
Scripts defined on the user object
Such scripts work exactly as they did in Windows NT 4.0 and exist mainly for compatibility with earlier versions of Windows. Windows 2000 and Windows NT 4.0 clients look for them in the NETLOGON share of the logon server; if the script is not found there, %SystemRoot%\system32\Repl\Import\Scripts (the NT 4.0 script location) is searched. On Windows 2000 the NETLOGON share is located inside SYSVOL (sysvol\domain.name\scripts) and is replicated automatically by FRS; replication of the NT 4.0 scripts directory must be configured manually.
Group Policy scripts
These scripts are assigned through GPOs linked to OU containers (or to domains and sites): to give a user a logon or logoff script, place the user object in an OU to which a GPO defining that script is linked. This method is more flexible. When migrating a network to Windows 2000, a few other script-related points deserve attention. Many networks also contain computers running earlier versions of Windows, so it is recommended to upgrade the server hosting the NETLOGON share last, because the Windows 2000 replication service (FRS) is not compatible with the NT 4.0 Directory Replicator service. While upgrading, make sure that all clients can reach the NETLOGON share and their logon scripts regardless of the operating system they run. Bear in mind also the security context in which scripts run: in Windows NT, logon scripts run in the user's security context, and in Windows 2000 this is only partly true. User scripts (logon and logoff) still run in the user's security context, whereas computer scripts (startup and shutdown) run as LocalSystem.
Delegation of rights to administer group policies
Management of GPOs can be delegated to other responsible parties. Delegation is done through ACLs: the ACL of a GPO grants the permission to modify that GPO, and the ACL of a container grants the right to link GPOs to it. This makes it possible to prevent the creation of unauthorized GPOs. For example, creating and modifying GPOs can be entrusted to the domain administrators, while linking them is left to the administrators of individual OUs. An OU administrator can select the most suitable GPO and link it to any OU under their control, but cannot change the contents of that GPO or create a new one.
Managing User Documents and Client-Side Caching
Group Policy can redirect certain user folders so that accessing them actually accesses a network share or a particular place in the local file system. The folders that can be redirected in this way are:
- Application Data
- Desktop
- My Documents
- My Pictures
- Start Menu
Folder redirection is part of IntelliMirror technology, whose purpose is to give users access to their working files and configuration data regardless of which workstation they use; as a side effect it also preserves user files and settings if a workstation fails. Redirection is configured in a GPO under User Configuration, Windows Settings, Folder Redirection, which lists the folders above. To redirect one of them to a new location, right-click its name and choose Properties.
On the Target tab you can choose one of three options for redirecting a user folder.
- No administrative policy specified: the folder is not redirected by this GPO.
- Basic: redirects the folder to a new location for every user regardless of group membership. The location must be given as a UNC path and may use variables such as %username%, so the folder of each user can go to a different directory, but all of these directories lie under the same network share.
- Advanced: different folder locations for different security groups. Each group gets its own UNC path, and the corresponding folders may be located on different servers.
Links
- Group Policy section on Microsoft TechNet
- Group Policy Management Console (GPMC), a free tool from Microsoft for managing Group Policy