Creating and Utilizing Starter GPOs
The Windows 7 and Windows Server 2008 R2 GPMC includes a feature named starter GPOs. Starter GPOs are base templates that carry preconfigured administrative template settings and values, and they are used to prepopulate new GPOs. If any starter GPOs exist, an administrator creating a new GPO from a Windows 7 or Windows Server 2008 R2 GPMC console has the option of selecting one of them so that the newly created GPO starts out with the template's setting values rather than with every setting undefined. Once the starter GPO functionality is enabled, Group Policy administrators can also create new starter GPOs customized for their organization's needs.
Starter GPOs can be viewed within the GPMC and edited using the Group Policy Starter GPO Editor, but the files themselves are stored in the SYSVOL folder of the domain controllers. As an example, starter GPOs for the companyabc.com domain would be located in the \\companyabc.com\SYSVOL\companyabc.com\StarterGPOs folder. Because every GPO built from a starter GPO inherits its settings, write access to that folder should be restricted as tightly as for the rest of SYSVOL. Microsoft provides some starter GPOs that are installed automatically when starter GPO functionality is enabled. These currently include templates for the two environments described in the Windows client security guides: the Enterprise Client (EC) environment scenario and the Specialized Security Limited Functionality (SSLF) client environment scenario.
The Enterprise Client (EC) environment, as described in the Windows client security guide, is an Active Directory domain infrastructure running Windows Server 2003 and Windows Server 2008 servers with Windows Vista and Windows XP client workstations, where functionality is considered as important as security. The preconfigured settings in the EC starter GPOs are designed to enable the functionality businesses need while still providing centrally managed user and computer configuration, security management, and audit settings.
The Specialized Security Limited Functionality (SSLF) environment, as described in the Windows client security guide, provides security configurations and guidelines for environments in which the need for higher security outweighs a smooth user experience and ease of management. As an example, the Windows Vista SSLF Computer starter GPO defines the deny logon through Terminal Services setting, whereas the Windows Vista EC Computer starter GPO leaves the Terminal Services logon setting undefined. When the setting is left undefined, the local default applies, which allows Administrators and members of the Remote Desktop Users group to connect using Remote Desktop Connection or Terminal Services clients. The difference matters because a setting that is defined in a starter GPO is defined in every GPO created from it.
Caution
Any Group Policy
administrator must take the highest precautions to ensure that no group
policies deployed on a network are released without thorough testing in
an isolated lab environment. This is especially true when considering
deploying policies built on the EC or SSLF starter GPO policies.
The starter GPOs included with the Windows Server 2008 R2 GPMC include the following policies:
For more information about the EC and SSLF starter GPOs, refer to the Windows client security guides online.
Enabling Starter GPOs
Before starter GPOs can
be put to use, the functionality must first be enabled in the domain.
Enabling this function is about as simple as pushing a button. To enable
the starter GPO feature, perform the following steps:
1. Log on to a designated Windows 7 or Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. In the right pane, click the Create Starter GPOs Folder button.
Once the task is
completed, the eight out-of-the-box starter GPOs will be available for
review in the GPMC. Also, the Group Policy administrator can now create
new starter GPOs from scratch and can also create new GPOs by using
starter GPOs as templates.
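The following PowerShell is an added example, not part of the original text, that verifies the outcome of the steps above from the command line: it checks that the StarterGPOs folder exists in SYSVOL and enumerates the starter GPOs the domain now exposes. It assumes the GroupPolicy module (present on Windows Server 2008 R2, or on Windows 7 with RSAT), the companyabc.com example domain used on this page, and that each starter GPO is stored in a GUID-named subfolder of StarterGPOs.

```powershell
# Added example: confirm starter GPO functionality is enabled and list what exists.
# Assumes the GroupPolicy module and the companyabc.com example domain.
Import-Module GroupPolicy

$domain      = 'companyabc.com'
$starterPath = "\\$domain\SYSVOL\$domain\StarterGPOs"

# The Create Starter GPOs Folder button in the GPMC creates this SYSVOL folder;
# if it is missing, the feature has not been enabled in this domain yet.
if (-not (Test-Path -Path $starterPath)) {
    Write-Warning "No StarterGPOs folder at $starterPath; enable the feature in the GPMC first."
    return
}

# Enumerate every starter GPO, built-in and custom. @() keeps .Count valid
# when only one object is returned (PowerShell 2.0 behaviour).
$starters = @(Get-GPStarterGPO -All)

"{0} starter GPO(s) found in {1}:" -f $starters.Count, $domain
$starters | Sort-Object DisplayName | Format-Table DisplayName, Id, Description -AutoSize

# Cross-check the GPMC view against SYSVOL. The GUID-named subfolder layout is
# an assumption of this example; adjust if your domain stores them differently.
foreach ($s in $starters) {
    $folder = Join-Path -Path $starterPath -ChildPath ("{{{0}}}" -f $s.Id)
    if (-not (Test-Path -Path $folder)) {
        Write-Warning ("Starter GPO '{0}' has no backing folder at {1}" -f $s.DisplayName, $folder)
    }
}
```

After the folder has been created as described above, the listing should show the eight built-in EC and SSLF starter GPOs; a warning from the final loop means the GPMC knows about a starter GPO whose files are not on the SYSVOL replica you are reading, which is worth checking before building production GPOs from it.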
Note
The starter GPOs included
with Windows 7 and Windows Server 2008 R2 are read-only and cannot be
edited directly. Copies of the built-in starter GPOs can be edited.
Creating a Starter GPO
Starter GPOs can be created or added to a domain in a few ways. A starter GPO can be created from scratch using a blank template, it can be created by restoring from a starter GPO backup folder, or it can be imported from a provided starter GPO cabinet file. Before the release of the Windows 7 and Windows Server 2008 R2 Group Policy Management tools, the Microsoft EC and SSLF starter GPO policies were provided as separate downloads, packaged as cabinet backup files. If an organization is still managing Group Policy with an earlier GPMC release, importing these cabinet files is the only way to obtain these starter GPO policies. To create a starter GPO from a backup, refer to the "Backing Up and Restoring Starter GPOs" section. To create a new starter GPO, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Verify that the starter GPO functionality is enabled by viewing the right pane.
5. Right-click the Starter GPOs container in the tree pane, and select New.
6. In the New Starter GPO dialog box, type in a name for the new starter GPO, and enter a comment to describe what will be included in this starter GPO and when and where it should be applied as a template.
7. Click OK to create the new starter GPO.
8. To configure settings in the new starter GPO, right-click the GPO and select Edit to open the GPO in the Group Policy Starter GPO Editor.
9. When the GPO is configured as desired, close the Group Policy Starter GPO Editor.
10. In the GPMC, right-click the newly configured starter GPO, and select Backup to back up this individual starter GPO.
11. Specify a destination folder to back up the GPO, enter a description for this backup, and click Back Up to back up the starter GPO.
12. When the backup completes, review the backup results and click OK to close the window.
13. Close the GPMC tool.
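The procedure above is a GPMC walkthrough. As an added example that is not part of the original text, the PowerShell below performs the scriptable parts of it: it creates the starter GPO with a descriptive comment, creates a real GPO prepopulated from that starter GPO, exports the resulting settings to an HTML report for the lab review the Caution calls for, and links the GPO to a test OU with the link disabled so nothing applies until a reviewer enables it. The starter GPO name, GPO name, OU path and report directory are assumptions for the companyabc.com example domain; the GroupPolicy module of Windows Server 2008 R2 (or Windows 7 with RSAT) is required.

```powershell
# Added example: create a starter GPO, then a production GPO templated from it,
# and stage that GPO for review rather than applying it directly.
# All names and paths below are assumptions for the companyabc.com example domain.
Import-Module GroupPolicy

$starterName = 'CompanyABC Workstation Baseline'
$gpoName     = 'Workstations - Security Baseline'
$labOu       = 'OU=Lab Workstations,DC=companyabc,DC=com'   # assumed test OU
$reportDir   = 'C:\GPOReview'

# Steps 5-7: create the starter GPO (idempotent: reuse it if it already exists).
# Its administrative template settings are then edited in the Starter GPO Editor.
try {
    $starter = Get-GPStarterGPO -Name $starterName -ErrorAction Stop
} catch {
    $starter = New-GPStarterGPO -Name $starterName `
        -Comment 'Administrative template baseline for company workstations. Use only as the template for workstation OU GPOs.'
}

# Create a real GPO whose settings are prepopulated from the starter GPO.
# New-GPO creates the object only; it does not link it anywhere.
$gpo = New-GPO -Name $gpoName -StarterGpoName $starterName `
    -Comment ("Created from starter GPO '{0}' on {1}" -f $starterName, (Get-Date -Format s))

# Export the effective settings so they can be reviewed in the lab before use.
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$reportFile = Join-Path -Path $reportDir -ChildPath (($gpoName -replace '[^\w\- ]', '_') + '.html')
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportFile

# Link to the lab OU with the link disabled; a reviewer enables it after sign-off.
New-GPLink -Guid $gpo.Id -Target $labOu -LinkEnabled No | Out-Null

"Starter GPO : {0} ({1})" -f $starter.DisplayName, $starter.Id
"New GPO     : {0} ({1})" -f $gpo.DisplayName, $gpo.Id
"Review report: {0}" -f $reportFile
"Link to {0} created but disabled." -f $labOu
```

Steps 10 through 12 are deliberately not reproduced here: the GroupPolicy module's Backup-GPO and Restore-GPO cmdlets operate on ordinary GPOs, and backing up a starter GPO itself is done from the GPMC as described above.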
Creating Starter GPOs from Cabinet Files
To create a new starter GPO from a cabinet file (*.cab), perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Verify that the starter GPO functionality is enabled by viewing the right pane.
5. In the right pane, near the bottom, click the Load Cabinet button.
6. In the Load Starter GPO dialog box, click the Browse for CAB button to specify the folder location of the starter GPO cabinet file.
7. Locate the cab file, select it, and click Open to return to the Load Starter GPO dialog box.
8. Back in the Load Starter GPO dialog box, the dialog box displays the version information of the cab file in comparison with any existing starter GPOs. The comment is also displayed, and the administrator can view the settings. Click OK to load or import the cab file into the domain starter GPO repository.
9. If an existing starter GPO has the same name, it will be overwritten, and a confirmation dialog box requires the administrator to click OK to accept this change. Check the version and comment in the previous step before accepting, because the overwrite replaces the existing starter GPO's settings.
10. Once the cab file is imported, close the GPMC.