1. Active Directory Design and Group Policy
A key to determining how to best design the
Group Policy infrastructure is to first understand how the Active
Directory infrastructure is configured. The site, domain, and OU design
of an Active Directory infrastructure usually follows a few key
elements, including physical office locations, network connectivity,
and delegation of administration, including branch office management,
separation of Active Directory management tasks, desktop and server
administration, and, of course, security and reliability.
Site Group Policy Links
Group policies can be linked to Active
Directory site objects. There is no default site policy created when
Active Directory is first deployed. Common uses of site-linked group
policies include settings related to networking, including wireless
networking profiles, security configurations, and possibly site printer
deployments. Considerations for determining whether a GPO should be
linked at a site should include the following:
• Every object in a site, determined by
the associated site subnet, will process the policy, regardless of the
domain the user or computer account is located in. Is this the desired
configuration?
• Does the site contain a domain controller in the domain in which the group policy is created?
• Do any of the associated site subnets
include networks across slow links or VPNs? If so, changing the default
values or disabling slow link detection on the site policy might be
required for proper processing.
• Is there a particular security
requirement for the site that required a higher level of enforced
security or a required configuration or application?
Before a GPO can be linked to a site, the
site must be added into the GPMC. To add an Active Directory site to
the GPMC and add a GPO link, follow these steps:
1. Log on to a designated Windows Server 2012 administrative server.
2. Open the Group Policy Management Console.
3. Right-click the Sites container and select Show Sites.
4. In the Show Sites
window, click the Select All button or check the box next to the site
you want to add to the GPMC. Click OK to add the sites to the console.
5. In the tree pane, expand the Sites container, and right-click the desired site.
6. Select the Link an Existing GPO option.
7. In the Select GPO window, select the source domain from which you want to link the GPO.
8. In the Group Policy Objects section of the window, select the desired GPO or GPOs, and then click OK to create the link.
9. If necessary, configure the link settings for each new site link, and then close the GPMC.
Domain GPO Links
When Active Directory is deployed, two
preconfigured default group policies are created. One is linked to the
domain named the Default Domain Policy, and the other is linked to the
Domain Controllers OU named the Default Domain Controllers Policy.
The Default Domain Policy contains the
default security settings for the entire domain, including account and
password policies. As a best practice, use this policy only for
managing the default account policies for the entire domain. Any
additional GPO settings that an organization would desire to apply to
all users/computers, including domain controllers, member servers, and
client workstations, should be added to new GPOs and linked at the
domain level. The number of policies linked at the domain level should
be kept to a minimum to ensure quality Group Policy processing
performance for the organization. Changes to the default domain
controller policy will be applied to all domain controllers and should
also be made with caution, or implemented with different GPOs linked at
the domain controller organizational unit.
Organizational Unit Links
Linking GPOs to organizational units is the
most common use of GPO links. OU GPO links provide the most targeted
GPO application and granular administrative control of the OU
GPO-related tasks as well as the configuration and management of the
objects contained in the OU. The only way to get more granular on an OU
GPO link is to apply a security filter or a WMI filter on that
particular GPO, but that would affect each GPO link related to that
particular policy. One thing to keep in mind is that with the new GPMC
functionality, administrators can force an update on computers stored
within an OU, and although that doesn’t necessarily impact GPO link or
placement, it does add some consideration to OU design.
2. Separation of GPO Functions
Determining which features and settings of a
GPO will be utilized is one consideration; another is determining how
to deploy those settings. There is one major consideration with GPO
management that should be considered: Should a single GPO be created to
contain all the necessary settings, or should separate GPOs be created
for a particular set of features or functions?
As a best practice, separating GPO functions
across multiple GPOs provides more flexibility, but that also adds time
to GPO processing and increases the amount of GPO administration that
needs to be performed. Separating GPOs for specific functions provides
additional troubleshooting options and greater flexibility for how GPOs
can be linked and filtered. As an example of how to separate GPO
functions, the following list of GPOs can be applied to a Branch Office
OU that contains user objects, group objects, and computer objects:
• Branch Office Help Desk GPO—This
GPO would configure settings to allow help desk administrators to
manually run Windows Update, access all Control Panel applets, and run
all software with unrestricted access. This would be the last GPO
applied and would override any conflicting settings. This GPO status
would be set to Computer Configuration Settings Disabled and the
security filtering would be configured to use a security group called
Branch Office Help Desk, which would include the help desk support
staff.
• Branch Office Server GPO—This
GPO can contain the default security settings and soft-ware packages
specific for branch office servers. Also this policy would configure
specific audit settings, account management settings, and user rights
assignments for servers. The GPO status would be configured for User
Configuration Settings Disabled and would have a WMI filter linked that
includes computers with an OS name that includes the word server.
• Branch Office User GPO—This
GPO can contain the default security and configuration settings to
configure the end-user desktop environment, including managing
Microsoft Internet Explorer settings, redirecting folders to the branch
office DFSR shares, enabling offline files, mapping network drives,
installing network printers, and configuring settings to hide or
restrict access to specific Control Panel applets. The GPO status of
this GPO would be configured to Computer Configuration Settings
Disabled.
• Branch Office Workstation GPO—This
GPO can contain the default security settings used to manage the
services, install corporate software packages and VPN clients,
configure workstation security, and enable remote access. This GPO
would be filtered using a WMI filter that includes only computer
objects whose OS name value contained Windows 8. The GPO status would
be set to User Configuration Settings Disabled. This GPO would be
applied first to the workstations after local and inherited GPOs.
3. Separation of GPO by Targeting Operating System
With each release of a Microsoft client or
server OS, Microsoft provides new Group Policy settings and
functionality. The release of Windows 8 and Windows Server 2012 is no
different; only a few new Group Policy settings will not apply to any
other OSs, but most are still compatible Windows 7. These include both
policy and preference settings to manage. Some of the preferences
include managing power settings on Windows Vista and newer OSs as well
as adding scheduled tasks and immediately scheduled tasks that will run
at the next Group Policy refresh cycle.
When OS-specific Group Policy
settings will be used, a best practice is to filter out all other OSs
the GPO applies to. The best way to do this is with the use of a WMI
filter for computers. Security filtering can also be used, but if a
security group is used, a computer will only pick up group membership
changes during startup, so getting application of a new policy adopted
is less successful. A WMI filter will be processed by all Windows XP, Windows Server 2003, and later OSs.
