The Need for Group Policies
Many businesses today
are challenged and short-staffed when it comes to managing and properly
configuring their information technology (IT) systems. For IT staff,
managing the infrastructure involves standardizing and configuring
application and security settings, keeping network resources readily
available, and having the ability to effectively support end users.
Providing a reliable computer and network infrastructure is also a key
task for these administrators and part of that requirement includes
deploying reliable servers and end-user workstations.
Providing reliable
servers and workstations often includes tuning the system settings,
installing the latest security updates and bug fixes, and managing the
end-user desktop. For small environments, performing these tasks
manually can be effective and the right approach, but, in most cases,
this can result in inconsistent configurations and an inefficient use of
the technical staff member’s time.
Using group policies to
control the configuration of computer and user settings and centrally
managing these settings can help stabilize the overall computer network
and greatly reduce the total number of hours required to manage the
infrastructure. For example, if a network printer is replaced, the new
printer can be deployed using Group Policy; the next time a user logs
on, the printer can be automatically installed and the original can be
automatically removed. Without Group Policy, each user desktop would
need a visit to manually install and replace the printers.
Only 10 years ago, the bulk
of computer and user configuration and management tasks were performed
on a per-user and per-computer basis. Organizations that required higher
efficiency had to hire specialized staff to develop and support
standard desktop building and cloning procedures and had to create their
own applications and scripts to perform many of the management
functions that are now included with Windows Server 2008 R2 and Windows 7
group policies. With more specialized technical staff members, the
ratio of technical staff to end users commonly ranged from 5 to 8
technical resources for every 200 employees. Even at this ratio,
however, when corporate-wide changes were necessary, outside consultants
and contractors were commonly brought on board to provide expertise and
extra manpower to develop custom applications or processes and to
implement the necessary changes.
In many of today’s
organizations, with the advancements in systems and end-user management,
it is not uncommon to find organizations now able to support an average
of 100 to 250 users with 1 to 2 technical resources. This is only
possible when desktop and end-user management policy and procedural
standards are developed and group policies are leveraged to support
these standards.
Windows Group Policies
Windows Server 2008 R2 and Windows 7 provide several different types of
policies that can be used to manage computer systems and user accounts.
Depending on the security groups a user account is a member of, and
whether or not the computer system is a member of an Active Directory
domain or a Windows workgroup, the number of policy settings applicable
will vary.
Local Computer Policy
Every Windows system will
contain a default local computer policy. The local computer policy is a
Local Group Policy Object (LGPO). The local computer policy contains
separate Computer and User Configuration nodes. The local computer
policy, as its name states, only applies configured settings to the
individual local computer system and the users who log on. The local
computer policy on a new system is blank, except for the default
settings defined within the Computer Configuration\Windows
Settings\Security Settings policy node. The Security Settings policy
node is also the local security policy.
Local Security Policy
The local security policy of a
system contains the only configured policy settings on newly deployed
Windows systems. Settings such as user rights assignments, password
policies, Windows Firewall with advanced security settings, and system
security settings are managed and configurable within the local security
policy. Furthermore, the local security policy can be exported from one
system as a single text file and imported to other systems to simplify
security configuration in workgroup environments and to customize
security for new system deployments.
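The export described above is the INF-style text file written by secedit (`secedit /export /cfg <file>`). As an added example, not code from the book, the following Python script parses such an export and compares its [System Access] values against a baseline, so an administrator can spot a system whose local security policy has drifted, or a newly deployed system that still has the blank defaults, before the file is re-imported elsewhere. The sample export and the baseline values are constructed for the example.

```python
"""Audit an exported local security policy against a baseline.

Added example, not code from the book. Reads the INF-style text that
`secedit /export /cfg <file>` writes and compares the [System Access]
values against a baseline. The sample export and baseline are constructed.
"""
import configparser
import sys

# Constructed sample of a secedit export from a newly deployed system.
# The real file on disk is UTF-16 text; open it with encoding="utf-16".
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed baseline: setting -> (comparison, required value).
BASELINE = {
    "MinimumPasswordLength": (">=", 12),
    "PasswordComplexity": ("==", 1),
    "PasswordHistorySize": (">=", 24),
    "LockoutBadCount": ("between", (1, 10)),    # 0 means accounts never lock out
    "MaximumPasswordAge": ("between", (1, 90)),  # 0 means passwords never expire
}


def parse_secedit_export(text):
    """Parse secedit's INF output into {section: {setting: raw string}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def meets(rule, value):
    """Evaluate one baseline rule against an integer setting value."""
    op, want = rule
    if op == ">=":
        return value >= want
    if op == "==":
        return value == want
    if op == "between":
        return want[0] <= value <= want[1]
    raise ValueError(f"unknown comparison {op!r}")


def audit(text, baseline=BASELINE):
    """Return {setting: (current value or None, passed)} for each baseline entry."""
    system_access = parse_secedit_export(text).get("System Access", {})
    report = {}
    for setting, rule in baseline.items():
        raw = system_access.get(setting)
        if raw is None:                     # not present in the export at all
            report[setting] = (None, False)
            continue
        value = int(raw.strip().strip('"'))
        report[setting] = (value, meets(rule, value))
    return report


def failing(text, baseline=BASELINE):
    """Names of the baseline settings the export does not satisfy."""
    return [s for s, (_, ok) in audit(text, baseline).items() if not ok]


def holders_of_right(text, right):
    """SIDs granted a user right in [Privilege Rights], e.g. who may log on via RDP."""
    raw = parse_secedit_export(text).get("Privilege Rights", {}).get(right, "")
    return [sid.strip().lstrip("*") for sid in raw.split(",") if sid.strip()]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            export = fh.read()
    else:
        export = SAMPLE_EXPORT
    for setting, (value, ok) in audit(export).items():
        print(f"{'PASS' if ok else 'FAIL'} {setting} = {value}")
    print("Remote Desktop logon right:",
          holders_of_right(export, "SeRemoteInteractiveLogonRight"))
```

Run it against a real export with `python audit_secpol.py secpol.inf`; with no argument it audits the constructed sample, on which every password and lockout setting except MaximumPasswordAge fails the baseline.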
Local Administrators and Non-Administrators User Policies
Windows Server 2008 R2
and Windows 7 support multiple local group policies for user accounts.
If any settings are configured in the User Configuration node of the
local computer policy, the settings are applied to all users who log on
to the system, including the local Administrators group. In previous
versions of Windows, if the local computer policy restricted an
administrator from performing a specific function, the policy would need
to be changed and reapplied before the administrator could perform the
function. Starting with Windows Vista and Windows Server 2008, and
continuing in Windows 7 and Windows Server 2008 R2, additional user-only
policies can be created to override the local computer policy, either
further restricting or relaxing security so that a particular user can
perform their tasks. As an example, if the local computer policy setting
was enabled to remove the Display applet from Control Panel, no users
would be able to access and modify the display settings of the system.
If an Administrators local group policy was created, this same setting
could be set to disabled and any users who are members of the local
Administrators group would then have access to the Display Control Panel
settings.
For local administrators, the Administrators local group policy can be
configured as stated previously. Additionally, separate local user
policies can be created for the Non-Administrators users. If the system
has local user accounts, specific local user policies can be created for
each user. This allows for very granular assignment of rights and
functionality for systems that use local accounts but require specific
configurations and security settings on a per-user basis.
By default, users logging on to
Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
will apply the local computer policy, followed by either the
Administrators or Non-Administrators policy and any local user-specific
policy. One example of using multiple policies is a local computer
policy that denies all users write access to removable storage, combined
with an Administrators local user policy that allows read and write
access to removable storage. Because the Administrators local user
policy is applied after the local computer policy, only administrators
will be able to write to removable storage media.
Domain Group Policies
Domain group policies are very
similar to local group policies, but many additional settings are
included and these policies are managed and applied within an Active
Directory environment. For clarification, documentation might refer to
local policies as Local Group Policy Objects and group policies as
domain-based policies.
Local policies are very
close to domain policies, but there are several key differences. Domain
policies are managed using the Group Policy Management Editor, which
allows administrators to view all available settings or to filter out
only configured settings when managing a policy. Also, domain policies
can be used to install software applications for computers and users.
Many settings that only apply to a domain environment are still
available in a local policy but when configured will not function if the
computer is not a member of an Active Directory domain.
Security Configuration Wizard
Windows Server 2008 R2
contains a tool called the Security Configuration Wizard (SCW). The SCW
contains different templates that can be applied to systems that meet
specific criteria.
For example, on a system
running only the Windows Server 2008 R2 File Services role, when
examined and secured by the SCW, a File Server role template will be
applied that will configure the firewall, disable unnecessary services,
and tune the system to provide access to the necessary functions of the
File Services role but not much else. The SCW should be used only after
proper testing, because the security changes can impact functionality if
incorrect settings are applied to a system. It is also highly
recommended to configure the server completely for production first and
then run the Security Configuration Wizard to perform the final lockdown.
Alternatively, the SCW can be used to create the necessary
security template, which can then be exported and later imported into a
domain policy and applied to the necessary servers that match the
appropriate configuration.
Policy Processing Overview
When a Windows system
contains multiple local policies or is a member of an Active Directory
domain, more than one policy will be processed when the computer boots
or when a user logs on. Each policy that applies to the particular
computer or user is processed sequentially and it is important to
understand the policy processing order. In cases where multiple policies
have the same settings configured, but with different values, the
resulting setting value will match the last policy processed.
Policy Processing for Computers
Policy settings are applied to computers during computer startup,
shutdown, and background refresh intervals. Policy processing for
computer objects is performed in the following order:
1. Domain policies linked to the Active Directory site
2. Domain policies linked to the Active Directory domain
3. Domain policies linked to the organizational unit hierarchy in which the computer account is located
Policy Processing for Users
Policy settings are applied to users during user logon, logoff, and
background refresh intervals. Policy processing for domain and local
users is performed in the following order:
1. Local Non-Administrators policy or local Administrators policy, if these policies exist
2. Local user-specific policy; only applies if the user is a local user account and a policy exists for the user
3. Domain policies linked to the Active Directory site
4. Domain policies linked to the Active Directory domain
5. Domain policies linked to the organizational unit hierarchy in which the user account is located
Group Policy Order of Processing
When multiple policies are linked to a single Active Directory site,
domain, or organizational unit, each policy is applied sequentially in
the order given by the policy link order. The policy with link order
number 1 is the last policy applied at that container and therefore
takes precedence over the other policies linked there.
Loopback Processing
When a user processes domain policies, the policies that apply to that
user are determined by the location of the user object in the Active
Directory hierarchy; the same is true of domain policy application for
computers. There are situations, however, when administrators or
organizations want to ensure that all users get the same policy when
logging on to a particular computer or server, for example on a
computer that is used for training or on a Remote Desktop Session Host
(also known as a Terminal Server), where the user desktop environment
must be the same for each user. This can be controlled by enabling
loopback processing in Replace mode on a policy that is applied to the
computer objects. To explain a bit further, if a domain policy has
loopback enabled and set to Replace mode, any settings defined within
the User Configuration node of that policy are applied to all users who
log on to the computers this particular policy is applied to. When
loopback processing is enabled in Merge mode on a policy applied to a
computer object and a user logs on, all of the user's own policies are
applied first, and then all of the user settings within the policy
applied to the computer object are applied as well. In either Replace
or Merge mode, then, loopback processing applies the settings contained
in the computer-linked policies last.
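The processing rules spread across the sections above (local policies applied before domain policies, site then domain then OU hierarchy, link order 1 applied last within a container, the last policy processed winning a conflict, and loopback Replace versus Merge) are easier to reason about when they are written down as code. The following Python model is an added example, not code from the book or from Windows; it treats each GPO as a pair of setting dictionaries, resolves a chain by last-writer-wins, and records which GPO supplied each winning value. Loopback is modelled as a Computer Configuration setting resolved like any other, and, once enabled, the User Configuration nodes of every GPO in the computer's chain are applied in the computer's order (assumed here; it goes slightly beyond the single-policy wording in the text). The GPO names, containers, and settings are constructed.

```python
"""Model of Group Policy processing order. Added example, not from the book.

Rules modelled from the text: local policy first, then site, domain and the
OU hierarchy; within one container the GPO with link order 1 is applied last
and wins; when two policies set the same value the last one processed wins;
loopback Replace/Merge applies computer-scope User Configuration last.
"""
from dataclasses import dataclass, field

# Loopback is itself a Computer Configuration setting, so its mode is decided
# by the same last-writer-wins rule as every other computer setting.
LOOPBACK = "UserGroupPolicyLoopbackMode"


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration node
    user: dict = field(default_factory=dict)      # User Configuration node


def container_order(links):
    """GPOs linked to one site/domain/OU in processing order.

    links maps link order number -> GPO. Higher numbers are processed first;
    link order 1 is processed last and therefore takes precedence."""
    return [links[n] for n in sorted(links, reverse=True)]


def domain_chain(site, domain, ou_path):
    """Site, then domain, then the OU hierarchy from the top down to the
    account's own OU (parent before child, assumed here, so the closest OU wins)."""
    chain = container_order(site) + container_order(domain)
    for ou in ou_path:
        chain += container_order(ou)
    return chain


def apply(chain, node):
    """Process GPOs sequentially. Returns setting -> (value, winning GPO name)."""
    result = {}
    for gpo in chain:
        for setting, value in getattr(gpo, node).items():
            result[setting] = (value, gpo.name)  # a later policy overrides an earlier one
    return result


def computer_chain(local_policy, site, domain, computer_ou_path):
    """Local computer policy, then the domain chain for the computer account."""
    return [local_policy] + domain_chain(site, domain, computer_ou_path)


def resolve_user(local_policies, site, domain, user_ou_path, comp_chain):
    """local_policies: local computer policy, then Administrators or
    Non-Administrators policy, then user-specific policy (omit absent ones).
    comp_chain: the chain already processed for the computer being logged on to."""
    mode = apply(comp_chain, "computer").get(LOOPBACK, (None, None))[0]
    user_chain = list(local_policies) + domain_chain(site, domain, user_ou_path)
    if mode == "Replace":
        chain = comp_chain                  # only computer-scope User Configuration
    elif mode == "Merge":
        chain = user_chain + comp_chain     # user's own GPOs, then computer-scope last
    else:
        chain = user_chain
    return apply(chain, "user")


# ---- constructed scenario (names and settings are illustrative) ------------
LOCAL = GPO("Local Computer Policy", computer={"RemovableStorage.Write": "Deny"},
            user={"ControlPanel.Display": "Hidden"})
LOCAL_ADMINS = GPO("Local Administrators Policy", user={"ControlPanel.Display": "Visible"})
SITE = {1: GPO("Site Firewall", computer={"Firewall": "On"})}
DOMAIN = {2: GPO("Domain Baseline", computer={"MinPasswordLength": 12},
                 user={"Wallpaper": "corp.jpg"}),
          1: GPO("Domain Override", computer={"MinPasswordLength": 14})}
RDSH_OU_PATH = [{1: GPO("Servers OU", computer={"Firewall": "Off"})},
                {1: GPO("RDSH OU", computer={LOOPBACK: "Replace"},
                        user={"Wallpaper": "kiosk.jpg", "ControlPanel.Display": "Hidden"})}]
TRAINING_OU_PATH = [{1: GPO("Training OU", computer={LOOPBACK: "Merge"},
                            user={"Wallpaper": "training.jpg"})}]
WORKSTATION_OU_PATH = [{1: GPO("Workstations OU", computer={"Firewall": "On"})}]
USER_OU_PATH = [{1: GPO("Staff OU", user={"Wallpaper": "staff.jpg", "StartMenu": "Custom"})}]


def computer_settings(ou_path):
    """Resultant Computer Configuration for a computer in the given OU path."""
    return apply(computer_chain(LOCAL, SITE, DOMAIN, ou_path), "computer")


def user_settings(ou_path, local_policies=(LOCAL,)):
    """Resultant User Configuration for the Staff OU user on that computer."""
    comp = computer_chain(LOCAL, SITE, DOMAIN, ou_path)
    return resolve_user(local_policies, SITE, DOMAIN, USER_OU_PATH, comp)


if __name__ == "__main__":
    for label, settings in [("RDSH computer", computer_settings(RDSH_OU_PATH)),
                            ("user on workstation", user_settings(WORKSTATION_OU_PATH)),
                            ("admin on workstation", user_settings(WORKSTATION_OU_PATH, (LOCAL, LOCAL_ADMINS))),
                            ("user on RDSH (Replace)", user_settings(RDSH_OU_PATH)),
                            ("user on training PC (Merge)", user_settings(TRAINING_OU_PATH))]:
        print(label)
        for setting, (value, winner) in settings.items():
            print(f"  {setting} = {value!r}  (from {winner})")
```

Reading the output side by side shows each rule from the text: MinPasswordLength comes from the link-order-1 "Domain Override" rather than the link-order-2 "Domain Baseline"; the administrator gets the Display applet back because the Administrators local policy runs after the local computer policy; on the Replace-mode RDSH the user's own Staff OU settings never appear; in Merge mode they do, but the training wallpaper still wins because the computer-linked policy is applied last.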