The Group Policy Feature set is the collection of all
the available settings within a group policy. The available policy
settings are created from the basic policy template, which includes the
general hierarchy, the local security policy, and the default
administrative templates stored in the local file system. The
administrative templates that present their settings within a policy are
referenced from the files stored in the c:\windows\policydefinitions
folder or in the Active Directory domain central store.
The policy settings
available within a particular policy or all policies can be extended by
importing additional administrative templates. This can be accomplished
by simply adding the correct ADMX and ADML files to the
PolicyDefinitions folder on the local system or in the central store or
by importing a legacy administrative template file with the ADM
extension into a particular policy.
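The central store is populated by copying ADMX files and their language-specific ADML files into SYSVOL. The following PowerShell is an added example (not from the book) that previews or performs that copy and refuses to publish when an ADMX file has no matching ADML; the domain name, the `en-US` language folder and the `-Commit` switch are assumptions of the example.

```powershell
# Added example (not from the book): publish local ADMX/ADML templates to the SYSVOL
# central store and verify that every ADMX file has its language-specific ADML file.
function Test-AdmxAdmlPairs {
    param([string]$Path, [string]$Language = 'en-US')   # assumption: en-US is the language folder
    $admlDir = Join-Path $Path $Language
    foreach ($admx in Get-ChildItem -Path $Path -Filter *.admx) {
        $adml = Join-Path $admlDir ($admx.BaseName + '.adml')
        if (-not (Test-Path $adml)) {
            # Each ADMX needs the ADML that carries its display strings, or the editor cannot load it
            New-Object PSObject -Property @{ Admx = $admx.Name; MissingAdml = $adml }
        }
    }
}

function Sync-PolicyCentralStore {
    param(
        [string]$Domain   = $env:USERDNSDOMAIN,   # assumption: the current user's domain
        [string]$Language = 'en-US',
        [switch]$Commit                           # assumption: preview only unless -Commit is given
    )
    $source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
    $central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $missing = @(Test-AdmxAdmlPairs -Path $source -Language $Language)
    if ($missing.Count -gt 0) {
        $missing | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Refusing to publish: $($missing.Count) ADMX file(s) have no $Language ADML."
    }
    if (-not $Commit) { return "Preview: would copy $source to $central" }
    if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }
    Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
    $langDst = Join-Path $central $Language
    if (-not (Test-Path $langDst)) { New-Item -ItemType Directory -Path $langDst | Out-Null }
    Copy-Item -Path (Join-Path (Join-Path $source $Language) '*.adml') -Destination $langDst -Force
    # Re-check the store itself; anything listed here will show as missing in the editor
    Test-AdmxAdmlPairs -Path $central -Language $Language
}

Sync-PolicyCentralStore            # preview
# Sync-PolicyCentralStore -Commit  # perform the copy
```

Once the central store exists, the Group Policy editor reads templates from it instead of the local PolicyDefinitions folder, so a template that is missing from the store no longer appears in the editor.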
By default, the Windows Server
2008 R2 group policy administrative templates contain approximately
1,650 settings in the Computer Configuration node and another 1,450 in
the User Configuration node. There are many more settings in the Windows
Settings nodes and the Preferences node that extend this number
dramatically. This, of course, makes detailing each of the settings a
very inconvenient and lengthy process.
Many of the policy
settings contained in both the Computer and User Configuration policy
nodes apply only to specific Windows Server 2008 R2 role services such
as the Encrypting File System, Remote Desktop Services, Network Access
Protection, or the Distributed File System role services. For these
particular services, as with any Group Policy
settings, it is very important that the administrator understands the
potential impact of configuring these settings. Before any production
group policies are created, modified, or linked, the policy should be
tested in an isolated environment and a rollback plan should be created
and also tested.
Computer Configuration Policy Node
The Computer
Configuration node of a group policy contains settings that are designed
to configure and manage a Windows system. Many of the settings found in
this node also exist in the User Configuration node, and when both
settings are configured, different outcomes will result. In some cases,
computer policy settings will always be used even if the user
configuration policy setting is configured as well. In other cases, the
last policy setting applied will be used. For example, in a local group
policy, within each node under Administrative Templates\System\Scripts,
there is a setting named Run Logon Scripts Synchronously and if this
setting is configured in the Computer Configuration section, it will be
enforced regardless of how the setting is configured in the User
Configuration policy node.
At the root of the
Computer Configuration node, there are three policy nodes named the
Software Settings node, the Windows Settings node, and the
Administrative Templates node. In domain group policies, these three
nodes are located beneath the Computer Configuration\Policies node.
Computer Configuration Software Settings Node
The Software Settings node is
used to add software application packages to the computers that process
the particular policy. Prepackaged or custom Windows Installer MSI
software packages can be added to this Software Settings node and used
to automatically install software on the computer during the next reboot
cycle. This is known as an assigned software package.
Computer Configuration Windows Settings Node
The Windows
Settings node provides administrators with the ability to manage the
overall security and configuration of the Windows system. The settings
contained beneath the Windows Settings node can be used to define how
local and domain users can interact with and manage the system and how
the system will communicate across the network. The five nodes contained
within the Windows Settings node are as follows:
Name Resolution Policy—
This node allows Group Policy administrators to create rules to build
the content of the Name Resolution Policy Table to support DNSSEC
implementations and to configure Windows Server 2008 R2 DirectAccess DNS
settings centrally.
Scripts (Startup/Shutdown)— The Scripts node allows administrators to add startup or shutdown scripts to computer objects.
Deployed Printers—
This node allows administrators to automatically install and remove
printers on the Windows systems. Using the Group Policy Object Editor on
Windows Server 2008 or Windows Server 2008 R2 systems, this node might
not appear unless the Print Management console is also installed.
Security Settings—
This node is a replica of the local security policy, although it does
not sync or pull information from the local security policy. The
settings in this node can be used to define password policies, audit
policies, software restrictions, Services configuration, Registry and
file permissions, and much more.
Policy-based QoS—
The Policy-based QoS node can be configured to manage, restrict, and
prioritize outbound network traffic between a source Windows system and a
destination host based on an application, source, or destination IP
address and/or source and destination protocols and ports.
Security Settings
The Security Settings node
allows a security administrator to configure security levels assigned
to a domain or Local Group Policy Object. This can be performed manually
or by importing an existing security template.
The Security Settings node
of the Group Policy Object can be used to configure several
security-related settings, including file system NTFS permissions and
many more settings contained in the nodes beneath Security Settings as
follows:
Account Policies—
These computer security settings control password policy, lockout
policy, and Kerberos policy in Windows Server 2008 R2, Windows Server
2008, Windows Server 2003, and Windows 2000 Server domains and local
systems.
Local Policies—
These security settings control audit policy, user rights assignment,
and security options, including setting the default User Account Control
settings for systems the policy applies to.
Event Log— These settings control the security and the maximum size of the application, security, and system event logs.
Restricted Groups—
These settings allow the administrator to manage local or domain group
membership from within this policy node. Restricted group settings can
be used to add members to an existing group without removing any
existing members or it can enforce and overwrite membership based on the
policy configuration.
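A practical companion to the enforce-and-overwrite mode is a drift check that compares a group's live membership with the list the policy is expected to enforce. The following PowerShell is an added example (not from the book); the expected member list is constructed, and the ADSI WinNT provider is used so that it also runs on Windows Server 2008 R2.

```powershell
# Added example (not from the book): report accounts that a Restricted Groups policy in
# "Members of this group" mode would add to or remove from a local group.
function Get-LocalGroupMembership {
    param([string]$GroupName = 'Administrators', [string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; normalise it to DOMAIN\Name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RestrictedGroup {
    param(
        [string]$GroupName = 'Administrators',
        [string[]]$Expected     # the "Members of this group" list configured in the policy
    )
    $actual = @(Get-LocalGroupMembership -GroupName $GroupName)
    # Compare-Object is case-insensitive for strings, which matches Windows account names
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $actual
    foreach ($d in $diff) {
        $status = if ($d.SideIndicator -eq '=>') { 'Unexpected (policy would remove)' }
                  else { 'Missing (policy would add)' }
        New-Object PSObject -Property @{ Group = $GroupName; Account = $d.InputObject; Status = $status }
    }
}

# Constructed expected list; CONTOSO is a placeholder domain name
Compare-RestrictedGroup -GroupName 'Administrators' `
    -Expected @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins') | Format-Table -AutoSize
```

An empty result means the live membership already matches what the policy enforces; in the other mode ("This group is a member of") only the missing entries would be acted on, and nothing is removed.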
System Services—
These settings can be used to control the startup mode of a service and
to define the permissions to manage the service configuration or state.
Configuring these settings does not start or stop any services.
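Because the policy only sets the startup mode, a service it disables keeps running until the next restart. The following PowerShell is an added example (not from the book) that reads the [Service General Setting] section of a security template in secedit .inf format and compares it with the live service table; the template fragment is constructed, not exported from a real system.

```powershell
# Added example (not from the book): compare service startup settings from a security
# template with the live service table, surfacing "Disabled by policy but still running".
$startModes = @{ '2' = 'Auto'; '3' = 'Manual'; '4' = 'Disabled' }   # .inf start values

function Get-TemplateServiceSettings {
    param([string[]]$TemplateLines)
    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Service General Setting'); continue }
        # Lines have the form: ServiceName,StartValue,"SDDL security descriptor"
        if (-not $inSection -or $line -notmatch '^\s*([^,]+),([234]),') { continue }
        New-Object PSObject -Property @{ Name = $matches[1]; PolicyStartMode = $startModes[$matches[2]] }
    }
}

function Compare-ServicePolicy {
    param([string[]]$TemplateLines)
    $live = @{}
    foreach ($s in Get-WmiObject Win32_Service) { $live[$s.Name] = $s }
    foreach ($p in Get-TemplateServiceSettings -TemplateLines $TemplateLines) {
        $svc = $live[$p.Name]
        if ($svc -eq $null) { continue }   # service not installed on this system
        $finding = if ($svc.StartMode -ne $p.PolicyStartMode) { 'Start mode differs from policy' }
                   elseif ($p.PolicyStartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
                       'Disabled by policy but still running' }
                   else { 'OK' }
        New-Object PSObject -Property @{ Service = $p.Name; Policy = $p.PolicyStartMode
                                         Actual = $svc.StartMode; State = $svc.State; Finding = $finding }
    }
}

# Constructed template fragment (secedit .inf format); 4 = Disabled, 2 = Automatic
$sample = @'
[Service General Setting]
Spooler,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
RemoteRegistry,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
W32Time,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
'@
Compare-ServicePolicy -TemplateLines ($sample -split "`r?`n") | Format-Table -AutoSize
```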
Registry—
This setting is used to configure the security permissions of defined
Registry keys and, if desired, all subkeys and values. This setting is
useful in supporting legacy applications that require specific Registry
key access that is not normally allowed for standard user accounts.
File System—
This setting is used to configure NTFS permissions on specified folders
on NTFS formatted drives. Also, enabling auditing and configuring
folder ownership and propagating these settings to subfolders and files
is an option.
Wired Network (IEEE 802.3) Policies—
This policy node can be used to configure additional security on wired
network adapters to allow for or require smart card or computer-based
certificate authentication and encryption.
Windows Firewall with Advanced Security—
This policy node allows administrators to configure the Windows
Firewall on Windows client and Windows server systems. The configured
settings can define specific inbound or outbound rules and how the
firewall behaves for each firewall profile, that is, for the type of network
the system is connected to. The policy can overwrite the local
firewall rules, or the group policy and local rules can be merged.
Network List Manager Policies—
Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and
Windows Server 2008 R2 uses firewall profiles based on the network. This
setting node can be used to define the permissions end users have
regarding the identification and classification of a new network as
public or private to allow for the proper firewall profile to be
applied.
Wireless Network (IEEE 802.11) Policies—
These policies configure settings for a wide range of
devices that access the network over wireless technologies, including
predefining the preferred wireless network, its service set
identifier (SSID), and the security type for the network. This node
includes policies for Windows Vista and later releases and for Windows XP.
Public Key Policies—
These settings are used to specify that computers automatically submit a
certificate request to an enterprise certification authority and
install the issued certificate. Public Key Policies are also used to
distribute the certificate trust list and can establish common trusted
root certification authorities.
Encrypting File System settings use this policy node as well.
Software Restriction Policies—
These policies enable an administrator to control the applications that
are allowed to run on the Windows system based on the file properties,
including the filename. Additionally, software restrictions can be
created based on certificates or the particular network zone from which
the application is being accessed or executed. For example, a rule can
be created to block application installations from the Internet zone as
defined by Microsoft Internet Explorer.
Network Access Protection—
This setting can be used to deploy the configuration of the Network
Access Protection client. These policy settings allow an administrator
to require a client health check before granting access to the network.
Application Control Policies— This
node enables Group Policy administrators to create rules that define
which security groups or specific users can run executables, scripts, or
Windows Installer files and can also be used to granularly define which
file paths, filenames, and digitally signed publishers of files will be
allowed or denied on the computers these policy settings apply to.
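Before an application control policy is linked, its effect can be checked against the files on a representative system, and after it is deployed the AppLocker event log shows what it would have blocked or did block. The following PowerShell is an added example (not from the book) using the AppLocker module that ships with Windows 7 and Windows Server 2008 R2; the scanned directory, the evaluated user and the look-back window are assumptions of the example.

```powershell
# Added example (not from the book): test the effective AppLocker policy against files on
# disk for a given user, and list the policy's audit/enforcement events from the event log.
Import-Module AppLocker

function Get-AppLockerDenials {
    param(
        [string]$Directory = 'C:\Program Files',   # assumption: folder whose files are evaluated
        [string]$User      = 'Everyone'            # assumption: group or user the rules are evaluated for
    )
    $policy = Get-AppLockerPolicy -Effective   # merged local + domain policy on this system
    # Collect path, hash and publisher information for executables, scripts and MSI files,
    # then keep only files the policy would deny, either by an explicit rule or by default
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe, Script, WindowsInstaller |
        Test-AppLockerPolicy -PolicyObject $policy -User $User -Filter Denied, DeniedByDefault |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerBlockEvents {
    param([int]$Hours = 24)   # assumption: look-back window
    # Event 8003 = would have been blocked (audit-only), 8004 = blocked (enforce)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, UserId, Message
}

Get-AppLockerDenials | Format-Table -AutoSize
Get-AppLockerBlockEvents | Format-Table -AutoSize -Wrap
```

Running the policy in audit-only mode first and reviewing the 8003 events is the usual way to find rules that are too strict before switching to enforcement.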
IP Security Policies on Active Directory—
IP Security (IPSec) policies can be applied to the GPO of an Active
Directory object to define when and where IPSec communication is allowed
or required.
Advanced Audit Policy Configuration—
This node can be used to define more detailed and granular audit
settings for use on Windows Server 2008 R2 and Windows 7 systems.
Computer Configuration Administrative Templates Node
The Computer
Configuration Administrative Templates node contains all of the
Registry-based policy settings that apply to the Windows system. These
settings are primarily used to control, configure, and secure how the
Windows system is set up and how it can be used. This is not the same as
the security settings configuration where specific users or groups are
granted rights because the configuration settings available within the
administrative templates apply to the system and all users who access
the system. Many settings, however, are not applied to users who are
members of the local administrators group of a system.
User Configuration Policy Node
The User
Configuration node contains settings used to configure and manage the
user desktop environment on a Windows system. Unlike the computer
configuration settings that define system settings and restrict what
users can do on a particular system, the user configuration settings can
customize the desktop experience for a user, including setting Start
menu options, hiding or disabling Control Panel applets, redirecting
folders to network shares, restricting write access to removable media,
and much more. At the root of the User Configuration node are three
policy nodes named the Software Settings node, the Windows Settings
node, and the Administrative Templates node, but the settings contained
within these nodes are different from the settings included in the
Computer Configuration node, and in a domain group policy, these nodes
are located beneath the User Configuration\Policies\ node.
User Configuration Software Settings Node
The Software
Settings node in the User Configuration section of a policy allows
administrators to publish or assign software applications to individual
users to which the policy applies. When a packaged software application
is assigned to a user, it can be configured to be installed
automatically at user logon or it can just be available in the Control
Panel Programs applet for installation by the user the same as when it
is published. When a packaged
application is published to a user, it can be installed by that user by
accessing the application in the following section of Control Panel:
Windows Server 2008 and Windows Server 2008 R2— Control Panel, Get Programs
Windows Vista— Control Panel, Programs, Get Programs and Features
Windows 7— Control Panel, Programs, Get Programs
Windows XP— Control Panel, Add or Remove Programs, Add New Programs
User Configuration Windows Settings Node
The Windows Settings node in the
User Configuration section of a policy allows administrators to
configure logon scripts for users, configure folder redirection of user
profile folders, define software restriction policies, automatically
install and, if necessary, remove printers, and configure many Internet
Explorer settings and defaults.
User Configuration Administrative Templates Node
User Configuration
Administrative Templates are the most commonly configured policy
settings in domain group policy deployments. Settings contained within
the User Configuration Administrative Templates node can be used to
assist administrators with the automated configuration of a user’s
desktop environment. Now that domain group policy preferences are available,
many of those settings will also be used heavily once
Group Policy administrators explore and find the best ways to
apply preference settings.