What Is Group Policy

Administrators of large Windows installations don't configure each workstation and server in the enterprise individually. Rather, they use a mechanism known as group policy to specify security policy and other settings that should be used throughout the domain. As a designer or developer you should know at least a little bit about this mechanism, because it's often used to lock down security throughout an enterprise. It's also used to distribute software applications and patches.

You can do some exploring of group policy even if you're at home working on a Windows XP box and not a member of a domain. From an administrative command prompt, just run gpedit.msc to look at a few of the settings on your computer that can be affected by group policy. First of all, note that at the very highest level group policy is split into two categories: Computer Configuration and User Configuration. Each time a computer in a domain boots up, it downloads the Computer Configuration section of any group policies in Active Directory that pertain to that computer. Similarly, each time a user logs in to a machine interactively, an automatic download of the User Configuration section of any pertinent group policy occurs. In a domain environment, security settings on your workstation may change when you boot up or log in because a domain administrator made changes in policy somewhere upstream.

If you drill down in both the Computer and User Configurations, into Windows Settings, and then into Security Settings, you'll see that the vast majority of security policy is controlled in the Computer Configuration section (see Figure 74.1). Here's where privileges are granted, auditing is enabled, and IPSEC is configured, for example. If you look at a group policy object in a domain setting, you'll see even more security settings. For example, you can specify ACLs on files, directories, registry keys, and even services.

Figure 74.1 Exploring group policy

If you have administrative access to a domain, you can see where group policy is configured. Just run the Active Directory Users and Computers console and drill down into a domain. The most common place where group policy is used is on individual domains. If you right-click a domain and ask for its properties, then click the Group Policy tab, you'll see a list of links to group policy objects in Active Directory that apply to that domain. By default there's only one, the Default Domain Policy, and for a lot of systems that one policy will suffice, but often more than one policy applies to any given user or machine. Suffice it to say that in most nontrivial Windows deployments, security settings are usually synchronized throughout a domain using group policy.

Figure 74.2 Adding a new group policy object

I've added a new group policy object in Figure 74.2. What's interesting about these policies is that they look really complex to begin with, but they don't say anything at all until you drill into them and start setting policy. For example, note how in Figure 74.2, in the section of my policy that deals with privileges, none of the privileges are defined except for the SeBackupPrivilege, which I said should be granted to a domain group called ACME\Backup. By leaving those other settings as Not Defined, I'm indicating that my policy will have no effect at all on those settings. If no group policy in Active Directory defines a particular setting, the local administrator is free to choose the value of that setting herself. After rebooting a computer in the domain, I took a snapshot of what its local security policy looked like (Figure 74.3). It's a little subtle, but note how the icon for SeBackupPrivilege is different in the local policy. This is telling you that it's been set by group policy and can no longer be configured locally. In fact, if you double-click the privilege in the local security policy, you'll see that you're prevented from changing it.[1]

Figure 74.3 Local security policy after a group policy download

There are a number of places that group policy can come from. My demonstration was of a group policy object attached to a domain, but technically these objects can also be associated with an organizational unit (OU) or a site in Active Directory. The policies higher in the tree generally take precedence over those lower in the tree, but there are switches that you can throw (such as No Override or Block Policy Inheritance) that help manage conflicts. You can read more about these details in the Windows 2000 Server Resource Kit.[2]

Most security settings in group policy are specified in the Computer Configuration section, which is applied each time the computer boots. But what if you want to get these computer settings refreshed without having to reboot your machine? There are a couple of ways this can happen. The first is to force a manual refresh by running gpupdate from a command line (if you're on a Windows 2000 box, the command is a bit different but achieves the same thing: secedit /refreshpolicy machine_policy). The second way is to force a periodic refresh of policy, which you can specify by drilling down into the Computer Configuration of a group policy object. Drill into Administrative Templates/System/Group Policy. Here you'll find settings that control auto-refresh. Oh, and if you happen to force an update of policy while you're looking at, say, the local security policy editor, the GUI won't immediately refresh and show the new policy in force. To force the GUI to display the new settings, right-click on the Security Settings node and choose Reload.
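The refresh-and-verify procedure above, and the earlier check of whether SeBackupPrivilege was supplied by group policy, can be scripted. The following is an added example, not code from the original article: it forces a Computer Configuration refresh with gpupdate, exports the effective local security database with secedit, reads the [Privilege Rights] section to see who currently holds a given privilege, and then lists the GPOs that were applied so you can tell whether that value came from the domain or was set locally. It assumes an elevated PowerShell prompt on Windows Vista or later (gpresult /r does not exist on XP; use gpresult /v there); the INF path and the default privilege name are choices made for the example.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Assumes Windows Vista or later for "gpresult /r"; on XP use "gpresult /v".
param(
    # Privilege to inspect; SeBackupPrivilege is the one the article grants to ACME\Backup.
    [string]$Privilege = 'SeBackupPrivilege'
)

# 1. Pull down the Computer Configuration side of policy without rebooting.
#    (On Windows 2000 the equivalent is: secedit /refreshpolicy machine_policy)
gpupdate /target:computer /force | Out-Null

# 2. Export the effective local security database to an INF file. Settings that a
#    domain GPO defined show up here with the domain-supplied values; settings the
#    GPO left as Not Defined keep whatever the local administrator chose.
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # example path, any writable location works
secedit /export /cfg $inf | Out-Null

# 3. Parse the [Privilege Rights] section. Lines look like:
#    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$inSection  = $false
$assignment = $null
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inSection -and $line -match "^$Privilege\s*=\s*(.*)$") {
        $assignment = $Matches[1]
        break
    }
}

if ($null -eq $assignment) {
    Write-Output "$Privilege : not assigned to anyone on this machine"
} else {
    # Each entry is a SID prefixed with '*'; translate it to DOMAIN\Name where possible.
    $names = foreach ($entry in ($assignment -split ',')) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # leave unresolvable SIDs (for example a deleted group) as-is
        }
    }
    Write-Output "$Privilege : $($names -join ', ')"
}

# 4. List the GPOs that supplied Computer Configuration settings, so the value above
#    can be traced to a domain, OU or site policy rather than to a local change.
gpresult /r /scope:computer
```

If the privilege shows up assigned to the expected domain group and the GPO appears in the gpresult list, the download worked; if the GUI you have open still shows the old value, that is the refresh problem described above, and reloading the Security Settings node fixes the display.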


[1] The GUI prevents you from changing it, but an administrator of a machine owns that machine and can ultimately change these settings locally. One way would be programmatically. Just keep in mind that if you want these domain-wide settings and restrictions to have any teeth, you'd better not allow individual users to administer their own machines in the domain!

[2] This is part of the MSDN Library (you do subscribe, don't you?). The section on group policy is in the Distributed Systems Guide, in a part called Desktop Configuration Management.

source: pluralsight