Designing
a Group Policy infrastructure requires a detailed understanding of the
available configuration settings available in Group Policy Objects.
Active Directory Design and Group Policy
A key to determining
how to best design the Group Policy infrastructure is to first
understand how the Active Directory infrastructure is configured. The
site, domain, and OU design of an Active Directory infrastructure
usually follows a few key elements, including physical office locations,
network connectivity, and delegation of administration, including
branch office management, separation of Active Directory management
tasks, desktop and server administration, and, of course, security and
reliability.
Site Group Policy Links
Group policies can be linked
to Active Directory site objects. There is no default site policy
created when Active Directory is first deployed. In the past, common
uses of site-linked group policies included settings related to
networking and security configurations. Some considerations for
determining whether a GPO should be linked at a site should include the
following:
Every object in a
site, determined by the associated site subnet, will process the
policy, regardless of the domain the user or computer account is located
in. Is this the desired configuration?
Does the site contain a domain controller in the domain in which the group policy is created?
Do
any of the associated site subnets include networks across slow links
or virtual private networks? If so, changing the default values or
disabling slow link detection on the site policy might be required for
proper processing.
Is
there a particular security requirement for the site that required a
higher level of enforced security or a required configuration or
application?
Before a GPO can be linked to
a site, the site will need to be added into the GPMC. To add an Active
Directory site to the GPMC and add a GPO link, perform the following
steps:
1. | Log on to a designated Windows Server 2008 R2 administrative server.
|
2. | Open the Group Policy Management Console.
|
3. | Right-click the Sites container and select Show Sites.
|
4. | In
the Show Sites window, click the Select All button or check the box
next to the site you want to add to the GPMC. Click OK to add the
site(s) to the console.
|
5. | In the tree pane, expand the Sites container, and right-click the desired site.
|
6. | Select the Link an Existing GPO option.
|
7. | In the Select GPO window, select the source domain from which you want to link the GPO.
|
8. | In the Group Policy Objects section of the window, select the desired GPO or GPOs, and then click OK to create the link.
|
9. | If necessary, configure the link settings for each new site link and then close the GPMC.
|
Domain GPO Links
When Active Directory is
deployed, two preconfigured, default group policies are created. One is
linked to the domain named the Default Domain Policy and the other is
linked to the Domain Controllers OU named the Default Domain Controllers
Policy.
The Default Domain Policy
contains the default security settings for the entire domain, including
account policies. As a best practice, use this policy only for managing
the default account policies for the entire domain. Any additional GPO
settings that an organization would desire to apply to all users and/or
computers, including domain controllers, member servers, and client
workstations, should be added to new Group Policy Objects and linked at
the domain level. The number of policies linked at the domain level
should be kept to a minimum to ensure quality Group Policy processing
performance for the organization.
Organizational Unit Links
Linking GPOs to
organizational units is the most common use of GPO links. OU GPO links
provide the most targeted GPO application and granular administrative
control of the OU GPO–related tasks as well as the configuration and
management of the objects contained in the OU. The only way to get more
granular on an OU GPO link is to apply a security filter or a WMI filter
on that particular GPO, but that would affect each GPO link related to
that particular policy.
Separation of GPO Functions
Determining which features
and settings of a GPO will be utilized is one consideration; another is
determining how to deploy those settings. There is one major
consideration with GPO management that should be considered: Should a
single GPO be created to contain all the necessary settings, or should
separate GPOs be created for a particular set of features or functions?
As a best practice,
separating GPO functions across multiple GPOs provides more flexibility
but also adds time to GPO processing and increases the amount of GPO
administration that needs to be performed. Separating GPOs for specific
functions provides additional troubleshooting options and greater
flexibility for how GPOs can be linked and filtered. As an example of
how to separate GPO functions, the following list of GPOs can be applied
to a Branch Office OU that contains user objects, group objects, and
computer objects:
Branch Office Help Desk GPO— This GPO would configure settings to allow help desk administrators to manually run Windows Update, access all Control Panel applets,
and run all software with unrestricted access. This would be the last
GPO applied and would override any conflicting settings. This GPO status
would be set to Computer Configuration Settings Disabled and the
security filtering would be configured to use a security group called
Branch Office Help Desk, which would include the help desk support
staff.
Branch Office Server GPO—
This GPO can contain the default security settings and software
packages specific for branch office servers. Also this policy would
configure specific audit settings, account management settings, and user
rights assignments for servers. The GPO status would be configured for
User Configuration Settings Disabled and would have a WMI filter linked
that includes computers with an operating system name that includes the
word server.
Branch Office User GPO—
This GPO can contain the default security and configuration settings to
configure the end-user desktop environment, including managing
Microsoft Internet Explorer settings, redirecting folders to the branch
office DFSR shares, enabling offline files, mapping network drives,
installing network printers, and configuring settings to hide or
restrict access to specific Control Panel applets. The GPO status of
this GPO would be configured to Computer Configuration Settings
Disabled.
Branch Office Workstation GPO—
This GPO can contain the default security settings used to manage the
services, install corporate software packages and VPN clients, configure
workstation security, and enable remote access. This GPO would be
filtered using a WMI filter that includes only computer objects whose
operating system name value contained Windows 7. The GPO status would be
set to User Configuration Settings Disabled. This GPO would be applied
first to the workstations after local and inherited GPOs.
Separation of GPO by Targeted Operating System
With each release of a
Microsoft client or server operating system, Microsoft provides new
Group Policy settings and functionality. The release of Windows 7 and
Windows Server 2008 R2 is no different as there are several new Group
Policy settings that will not apply to any other operating systems.
These include both policy and preference settings to manage. Some of the
preferences include managing power settings on Windows Vista and newer
operating systems as well as adding scheduled tasks and immediately
scheduled tasks that will run at the next Group Policy refresh cycle.
When operating
system–specific Group Policy settings will be used, a best practice is
to filter out all other operating systems the GPO applies to. The best
way to do this is with the use of a WMI filter for computers. Security
filtering can also be used but if a security group is used, a computer
will only pick up group changes during startup, so getting application
of a new policy adopted is less successful. A WMI filter will be
processed by all Windows
XP, Windows Vista, Windows 7, Windows Server 2003, or Windows Server
2008 systems.