Group Policy Management Overview


We use Group Policy to tweak the default settings on Microsoft servers and PCs. You edit the policies using the Group Policy Editor console (gpedit.msc), but to manage the policies you use the Group Policy Management Console (gpmc.msc). The more policies you create, the more confusing managing them can become, and with each new version of Microsoft software (Office included) new Group Policy templates are added. This article is to give you an insight into exactly what the Group Policy Management Console (GPMC) is about and how everything links together.

It’s always best to edit policies from the latest OS. This is one of the reasons to always have a VM somewhere with the latest OS purely for Group Policy. Alternatively, if you are already using the latest OS, you can install the GPMC from the Remote Server Administration Tools (RSAT) and edit the policies from there. If you don’t, it’s not a big issue, but some policies won’t be available. All of the templates can be stored in a central location in Active Directory (the "central store") so they can be accessed by all domain machines. There is some debate whether it is best to have the policies held locally rather than in the central store, but I think it works well. By default this is \\DCName\sysvol\domain.name\Policies\PolicyDefinitions. If you ever download a new template you will need to put it in there. For more details on activating the central store see the following Microsoft Support article.

Inheritance & Precedence

Group Policy Objects (GPOs) are created in the Group Policy Objects folder in GPMC. Policies are then linked to Active Directory Organizational Units (OUs). You can link as many policies as you like to an OU, and you can also link the same policy to as many OUs as you like. You can also block inheritance by right-clicking an OU and selecting Block Inheritance. The precedence of any GPOs, i.e. which GPO wins out of any competing policies, can be changed in the Linked Group Policy Objects tab of an OU. Normally the policy linked closest to the object (the deepest link) wins.

All of these different options can make it quite difficult to see what policies are applying to a user/computer/both but there are various tools to help with this. The simplest way is to click an OU in the GPMC and then select the Inheritance tab (see picture below). This will tell you what policies are applied to the objects in that OU.

You can also link a policy to an OU but disable the link until it is needed. This results in the icon being greyed out under the OU (see Verbose Logon in the picture below for an example).

[Screenshot] Group Policy Inheritance for the "Laptops" OU

Of course a user object is normally in a different OU to a computer object, so to see the policies that will apply to a particular user when they use a particular PC you need to use the Group Policy Results wizard. This is started by right-clicking the Group Policy Results folder, at the bottom of the GPMC tree, and selecting Group Policy Results Wizard. The process is fairly straightforward and I don’t think it needs describing here.

GPO Status

[Screenshot] GPO Status in the GPMC

Group Policy Objects potentially have 4 modes:

  1. Enabled (Default)
  2. Computer configuration settings disabled
  3. User configuration settings disabled
  4. All settings disabled

This setting is changed on the GPO via the Details tab in GPMC (see picture). The reason for changing the status is to speed up processing time. For example, our “All client computers” GPO is linked only to the “_Devices” OU, so it is pointless having the user configuration enabled. Even if user settings are specified in the policy, they will be completely ignored if the user configuration side of the GPO is disabled.

The 4th setting, All settings disabled, means the policy settings won’t apply to any OU no matter where it is linked. This is useful if you seem to have a problem with a policy. Instead of disabling all of the links, or deleting it completely, you can just disable it while you tweak the settings.
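As an added example (not code from the original post), the following PowerShell uses the GroupPolicy RSAT module to print the same precedence list that the Inheritance tab shows for an OU, flag links that are parked or switched off, and disable the user half of a device-only GPO as described above. The OU path and GPO name are assumed.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy RSAT module
# and an OU/GPO named as below (hypothetical names).
Import-Module GroupPolicy

$ouDn = "OU=Laptops,OU=_Devices,DC=example,DC=local"   # assumed OU

$inh = Get-GPInheritance -Target $ouDn
if ($inh.GpoInheritanceBlocked) {
    Write-Host "Inheritance is BLOCKED on $($inh.ContainerName); only Enforced links from above still apply."
}

# InheritedGpoLinks is the list GPMC's Inheritance tab shows:
# precedence 1 wins when two GPOs set the same value.
$rows = foreach ($link in $inh.InheritedGpoLinks) {
    $gpo = Get-GPO -Guid $link.GpoId
    [pscustomobject]@{
        Precedence  = $link.Order
        GPO         = $link.DisplayName
        LinkedAt    = $link.Target
        LinkEnabled = $link.Enabled    # greyed-out icon in GPMC when $false
        Enforced    = $link.Enforced
        GpoStatus   = $gpo.GpoStatus   # AllSettingsEnabled / UserSettingsDisabled / ...
    }
}
$rows | Format-Table -AutoSize

# Linked but contributing nothing: either a deliberate park (like the
# "Verbose Logon" link) or a change somebody forgot to revert.
$rows | Where-Object { -not $_.LinkEnabled -or $_.GpoStatus -eq 'AllSettingsDisabled' } |
    ForEach-Object { Write-Warning "$($_.GPO) is linked at $($_.LinkedAt) but has no effect" }

# The "All client computers" GPO is linked only to _Devices, so its user
# half is dead weight; setting GpoStatus writes the change straight back.
$devGpo = Get-GPO -Name "All client computers"
$devGpo.GpoStatus = 'UserSettingsDisabled'
```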

Security Filtering

Security Filtering lets you control which groups, users or computers in AD get a GPO applied. It is managed in GPMC when you select a GPO. On the Scope tab there is a Security Filtering pane where you can apply the filters. This works in a similar fashion to assigning NTFS file permissions. Just click “Add…” then choose the group you would like it to apply to. By default, all policies are applied to the Authenticated Users group (i.e. everyone authenticated by the domain). You will need to remove this group for the filters to work.

For example, we have a policy called WSUS – VPN Users. This policy makes sure that people who work primarily from home (e.g. SteveB & MaryJ) don’t try to download updates from WSUS but instead connect directly to Windows Update. So, I created a VPN Users group in Active Directory and added SteveB & MaryJ’s user accounts as well as their laptop accounts. I then added this group to the Security Filtering section in GPMC on the relevant policy. So now, this policy will only apply to SteveB & MaryJ when they log on to those specific laptops. If we get another user who wants to use a laptop primarily outside the LAN we can simply add them to the VPN Users security group in AD.
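The same filtering done from PowerShell, as an added example that is not part of the original post. It assumes the GPO and group names above. One caveat worth building in: since MS16-072 (June 2016) the computer account reads the GPO to process user settings, so Authenticated Users should keep Read rather than be removed outright; the script swaps their Apply right for Read.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy RSAT module
# and the GPO/group names used in the post.
Import-Module GroupPolicy

$gpoName = "WSUS - VPN Users"
$group   = "VPN Users"

# Give the group the Apply right; this is what the Security Filtering pane lists.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users must lose Apply or the filter does nothing. Do not strip
# them entirely: after MS16-072 the computer account needs Read on the GPO to
# fetch user settings, so -Replace downgrades Apply to Read instead.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Audit the result: who can apply, who can only read, and any explicit denies.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```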

WMI Filters

Group Policy settings can also be filtered to apply according to certain criteria, e.g. users in an AD security group, laptops, operating system and even something as specific as computers with more than 2 GB of RAM. We don’t use this much; in fact we only use it to stop the printer policy applying to servers. I have set up several other WMI filters that may come in handy in the future, as you can see in the GPMC tree. They are basically just queries that run on the clients before policies get applied. For example, to discover whether a client is a Windows Server 2008 machine I could create this filter:

select * from Win32_OperatingSystem WHERE Version LIKE "6.0%" AND (ProductType = "2" OR ProductType = "3")

Once a filter is created you apply it to the policy. Just select the policy in GPMC and use the WMI Filtering dropdown box to apply the filter. This means it will run on every OU the policy is linked to. Only one WMI filter can be applied per policy.

You shouldn’t really need to touch these at all but if you need help finding the correct query then Google is your friend!
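Before putting a query into a WMI filter it is worth evaluating it on a test machine the way the client will. The script below is an added example, not from the original post: it runs the post's Server 2008 query plus assumed variants for the other criteria mentioned above (servers in general, laptops, more than 2 GB RAM) and reports whether a GPO carrying each filter would apply to this machine.

```powershell
# Added example, not from the original post. Only the first query is the post's;
# the others are assumed illustrations of the criteria the text mentions.
$filters = [ordered]@{
    'Win2008 server (post)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND (ProductType = "2" OR ProductType = "3")'
    'Any server (assumed)'  = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> "1"'   # 1 = workstation, 2 = DC, 3 = server
    'Laptop (assumed)'      = 'SELECT * FROM Win32_Battery'                                    # heuristic: a battery is present
    '>2GB RAM (assumed)'    = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 2147483648'
}

foreach ($name in $filters.Keys) {
    $wql = $filters[$name]
    try {
        # A WMI filter passes when the query returns at least one instance.
        $hit = @(Get-CimInstance -Query $wql -ErrorAction Stop).Count -gt 0
    } catch {
        # A query that errors does not match, so the GPO is silently skipped:
        # a typo in a filter looks exactly like "policy not applying".
        $hit = $false
        Write-Warning "${name}: query failed ($($_.Exception.Message))"
    }
    '{0,-24} {1}' -f $name, $(if ($hit) { 'MATCH    -> GPO would apply' } else { 'no match -> GPO skipped' })
}
```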

Troubleshooting

If you are at a user’s computer you can use the Event Viewer to discover any issues to do with Group Policy. You can also use the command line tool GPResult.exe. At a command prompt type gpresult /r to get a quick list of the policies that have been applied or denied. To see the actual settings that are meant to be getting applied, type gpresult /V /H "C:\temp\GPReport.html". This will create a settings report similar to what is seen in GPMC, but showing exactly which settings win on this machine.

Occasionally, new policies might not apply straight away (they should get refreshed every ~90 minutes), especially if the user is on a VPN. To force any policy changes immediately you can type gpupdate /force at a command prompt. This usually requires the user to then log off and on again, or maybe reboot the computer (if it’s related to computer settings).

If a computer seems to be taking a long time to log on, you can enable the “Verbose Logon” policy. This will make the “logging on…” window on the end user's computer display extra information, e.g. which policy is currently being applied. This itself increases logon time slightly, which is why it’s disabled when not needed.
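The applied/denied list that gpresult /r prints comes from the same RSoP data the Group Policy Results wizard uses, but the XML form also records why a GPO was filtered out. As an added example (not from the original post), this script pulls the XML for the current user and computer with the GroupPolicy module and prints each GPO with the reason it was denied, then lists recent errors and warnings from the Group Policy operational log mentioned above.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy RSAT module;
# without -User/-Computer the cmdlet reports on the current user and this machine.
Import-Module GroupPolicy

$xmlPath = Join-Path $env:TEMP 'GPReport.xml'
Get-GPResultantSetOfPolicy -ReportType Xml -Path $xmlPath | Out-Null

[xml]$rsop = Get-Content -Path $xmlPath
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

foreach ($scope in 'ComputerResults', 'UserResults') {
    "== $scope =="
    foreach ($gpo in $rsop.SelectNodes("//r:$scope/r:GPO", $ns)) {
        # Each flag maps to one of the "Denied" reasons GPMC shows in its report.
        if     ($gpo.AccessDenied  -eq 'true')  { $why = 'denied by security filtering' }
        elseif ($gpo.FilterAllowed -eq 'false') { $why = 'WMI filter returned false' }
        elseif ($gpo.Enabled       -eq 'false') { $why = 'link or GPO disabled' }
        elseif ($gpo.IsValid       -eq 'false') { $why = 'GPO unreadable or missing in SYSVOL' }
        elseif (-not $gpo.ExtensionName)        { $why = 'empty for this side' }
        else                                    { $why = 'applied' }
        '{0,-40} {1}' -f $gpo.Name, $why
    }
}

# The Event Viewer view from the post, filtered to errors and warnings only.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 1, 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```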

More Info

If there is any thing more advanced you’d like me to detail here give me a shout in the comments!

2 thoughts on “Group Policy Management Overview”

  1. Hi, I’m facing a problem when ignoring GPO policies only for certain groups. The approach that I had taken looks like it is not working. Do you know how to ignore certain groups from a policy being applied?

    1. You can use security filtering to say what group you want the policy to apply to. Ignoring a group is a bit more difficult. IIRC you can go to the policy’s advanced security page, add the group and select Deny permissions.
