The Best Damn Windows Server 2003 Book Period- P62 pptx

10 218 0

Đang tải... (xem toàn văn)

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 10
Dung lượng 527,76 KB

Nội dung

Implementing Group Policy

Now that you know how to evaluate the effects of group policy on the directory, it is time to start creating policy objects and applying policy to the environment. In this section, you will learn about the different places where you can create GPOs, and the tools to modify and manage them.

The Group Policy Object Editor MMC

The Group Policy Object Editor is a snap-in for the MMC. Because group policy can be applied at several locations, opening the Group Policy Object Editor can differ depending on where you want to apply group policy. From within an MMC, you can select the Group Policy Object Editor snap-in from the Add/Remove Snap-in window. When selecting the Group Policy Object Editor from the list of stand-alone snap-ins, the Group Policy Wizard will open, allowing you to select the scope of the group policy to work with. Clicking the Browse button in this wizard will open the Browse for a Group Policy Object window, shown in Figure 17.10. The first three tabs in the window allow you to search for GPOs of a specific type: Domain/OU, Site, and Computer. The fourth tab, selected in Figure 17.10, displays a list of all policy objects in the domain, regardless of location. Local computer policy objects will not show in this listing, because they are stored on the computer, not in the domain.

To edit one of the existing GPOs stored in Active Directory, select the GPO from one of the tabs and click OK. This will take you back to the Group Policy Wizard. When you click Finish in the wizard, the Group Policy Object Editor will open in the MMC, and you can begin editing the GPO.

Creating, Configuring, and Managing GPOs

Loading the Group Policy Object Editor snap-in in an MMC will allow you to edit existing policies in the network.
Figure 17.10 Viewing all Group Policy Objects in the Domain
Chapter 17 • Working with Group Policy in an Active Directory Environment

When the domain is first created, there are three default policies created:
■ Default Site Policy
■ Default Domain Policy
■ Default Domain Controllers Policy

You will probably want to create new policies and associate them with specific areas of the directory.

Creating and Configuring GPOs

There are two ways to create new GPOs in the directory. You already know how to load the Group Policy Object Editor snap-in into the MMC, so let's look at how to create a new GPO from the Group Policy Wizard. In Figure 17.10, you saw the Browse for a Group Policy Object window that opens when you click the Browse button in the Group Policy Wizard. Next to the Look in drop-down menu, you will find the Create New Group Policy Object button. When you click this button, a new GPO will be created in the scope you have selected in the Look in menu. Creating the GPO in this scope will automatically link the object to the container that was selected in the scope.

Another way to open the GPO Editor and create a new GPO is from within the Active Directory Sites and Services or Active Directory Users and Groups tools. Right-click the object in the container list where you want the GPO to be created, and select Properties. Then, select the Group Policy tab in the Properties window to see what policies are already linked to the container or to create a new object for the container. Figure 17.11 shows the Group Policy tab for the IT Management container. In this example, there is only one object tied to this container. To create and edit a new GPO, click the New button, give the policy a name, and then click Edit to open the Group Policy Object Editor for the new GPO.
Figure 17.11 Viewing the Group Policy Objects for a Container

Naming GPOs

All GPOs created in the directory should have unique names. Even though each GPO is associated with a specific container and could have the same name as another object in the tree, there will be much less confusion when troubleshooting if each GPO name is unique. GPO names can contain letters, numbers, and special characters, but the name cannot be longer than 255 characters. Any GPO name longer than 255 characters will be automatically truncated to the 255-character maximum. There are no other specific rules as to how to name each GPO. In the same way that you should name each object in the directory to match its function or purpose, you can consider the same approach when naming GPOs. If you have a set of policies that will impact a single container in the directory, such as an OU, you could include the name of the OU in the name of the GPO. If the policies contained in a GPO are going to be linked to a number of containers in the directory, you could name the GPO after the function its policies are designed to perform.

Managing GPOs

From the Group Policy tab of the container Properties window, you can perform a number of functions on the GPOs associated with the container. We have already covered creating and editing a new GPO from the interface. Now let's take a look at some of the other ways you can manage the GPOs from this interface. Figure 17.12 shows the Group Policy tab of the root of the domain of My Corp. There are three GPOs stored within this container in Active Directory: Default Domain Policy, Folder Redirection Policy, and Manager Tools Policy.
Based on the information displayed in the figure, the Default Domain Policy and the Folder Redirection Policy objects will be processed by objects logging on within this domain. The Manager Tools Policy will not be processed with the other two GPOs at this level because it has been disabled at this level, as indicated by the check mark under the Disabled column next to the policy object. We can also see that none of the GPOs have been marked as No Override.

Figure 17.12 Managing the Group Policies for the Root Domain

The No Override and Disabled settings can be set in two places. Clicking the Options button will open an Options window for the selected GPO. The Options window allows you to set the No Override and Disabled settings for the object. In addition, you can set both options by right-clicking the GPO in the list and selecting either the No Override or Disabled entries in the pop-up menu.

Clicking the Properties button in this interface will bring up the Properties window for the object. Within the GPO properties, you can modify a number of settings that will control who accesses the policy and how it is applied. These properties are covered in detail in the next section.

You can also click the Delete button to remove a policy from this container. When clicking Delete, you will be asked if you want to remove the link to the GPO from the container or if you want to permanently remove the GPO from the directory altogether. If the policy is linked to multiple containers and you only want to remove the link from the current container, select the Remove the link from the list option button. Otherwise, click the Remove the link and delete the Group Policy Object permanently button to completely eliminate the GPO from the directory.
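The naming rules and the Disabled / No Override link state described above can be audited from a script rather than read off the Group Policy tab one container at a time. This is an added example, not the book's own procedure: it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT and later; Windows Server 2003 has no equivalent module), and the domain distinguished name is a placeholder.

```powershell
# Added example, not from the book. Assumes the GroupPolicy module (Server 2008 R2 / RSAT
# or later); the distinguished name used at the bottom is a placeholder.
Import-Module GroupPolicy

function Test-GpoNaming {
    # Flags the two naming problems the chapter warns about: display names that are not
    # unique (confusing when troubleshooting) and names that sit at the 255-character
    # limit, which means the name was silently truncated when the GPO was created.
    $all = Get-GPO -All
    $all | Group-Object -Property DisplayName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Problem = 'DuplicateName'; Name = $_.Name; Detail = "$($_.Count) GPOs share this name" }
    }
    $all | Where-Object { $_.DisplayName.Length -ge 255 } | ForEach-Object {
        [pscustomobject]@{ Problem = 'NameAtLimit'; Name = $_.DisplayName; Detail = 'length is 255, probably truncated' }
    }
}

function Get-GpoLinkReport {
    # Reproduces the Group Policy tab of one container as objects: list position (the Up/Down
    # buttons; 1 = top of the list, highest precedence), the Disabled column, the No Override
    # column (newer tools call it Enforced), and the container's own Block Policy inheritance flag.
    param([Parameter(Mandatory)][string]$TargetDN)   # e.g. 'DC=mycorp,DC=local' (placeholder)
    $inh = Get-GPInheritance -Target $TargetDN
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Order            = $link.Order
            GPO              = $link.DisplayName
            Disabled         = -not $link.Enabled      # linked here but skipped at this level
            NoOverride       = $link.Enforced
            BlockInheritance = $inh.GpoInheritanceBlocked
        }
    }
}

# Placeholder usage: the root of the domain, as in Figure 17.12
Test-GpoNaming | Format-Table -AutoSize
Get-GpoLinkReport -TargetDN 'DC=mycorp,DC=local' | Sort-Object Order | Format-Table -AutoSize
```

A link reported as Disabled here is the state the text describes for the Manager Tools Policy: present in the container, but not processed from it.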
If there are multiple GPOs linked to a container, as there are in Figure 17.12, you can specify the order in which the GPOs are processed within the container. When multiple GPOs are present in the list, use the Up and Down buttons to arrange the order of the GPOs in the list.

Finally, you can block policy inheritance for the container by enabling the Block Policy inheritance check box. If the container is a child object in the directory, turning on this option will prevent the container from inheriting any policy settings from parent containers. The only time that the Block Policy inheritance setting can't prevent settings from inheriting is if a parent container has a policy with the No Override option set. It should also be noted that the Block Policy inheritance setting applies only to the container and not the specific GPOs associated with the container.

Configuring Application of Group Policy

Placing a GPO in a container enables the policy settings within the object on all objects that log on as part of that particular container. There are times when you will not want all objects associated with a container to have the policy settings applied, either for security or performance reasons. This section deals with ways of governing access to the settings within a GPO from within the GPO properties interface.

General

Figure 17.13 shows the General tab of the GPO Properties window. This is the view that is opened by default when the Properties window is opened. This view provides system information about the GPO and allows you to exclude certain portions of the policy from application. If the policy object only contains user configuration policies, you can check the Disable Computer Configuration settings check box, and the Computer Configuration settings will be ignored when the object is processed. This will help to cut down on processing time at bootup if there are no policies specifically set in the object for computer settings.
Alternately, you can check the Disable User Configuration settings check box to prevent the user configuration settings in the GPO from processing at logon.

Links

In the Links tab of the GPO Properties window, you can search for all the places where the specific GPO has been linked. By default, this window is empty when first opened. Select the appropriate domain from the drop-down list and click Find Now to search for all the containers where the GPO is linked. While you cannot change any of the settings for the GPO in this view, you can find all the places where the GPO is enabled when troubleshooting policy problems.

Security

Figure 17.14 shows the Security tab of the GPO Properties window. In this view, you can set all the security permissions necessary to govern how the policy will be applied and managed. In this example, the Authenticated Users group is not listed. When a new GPO is created, the Authenticated Users group is given Read and Apply Group Policy permissions on the GPO. Those two permissions are the minimum needed to be able to have policy settings applied to a group.

Figure 17.13 Viewing the General Properties of a GPO
Figure 17.14 Viewing the Security Settings on a GPO

In this case, the IT Management security group has been given the Read and Apply Group Policy permissions to the object, so members of the IT Management security group can see and process the policy settings contained within this object. However, these permissions alone do not allow members of this security group to process the policy object. Members of this group have to log on within the context of a container that was linked to this GPO.
Only members of the IT Managers security group who are located in the IT Managers container process the GPO, because in Figure 17.12, we saw that the Manager Tools Policy object was disabled in the root container of the domain.

WMI Filter

Figure 17.15 shows the WMI Filters tab of the GPO Properties window. In this view, you can set WMI filters to further restrict who does and does not have access to the GPO for processing. You can use WMI queries to further filter application of a GPO beyond what you can achieve with security settings. WMI filters are written in the WMI Query Language (WQL) and are generally used for exception processing.

Delegating Administrative Control

You might be in an Active Directory environment where one group or organization only controls a small portion of the directory. Because Active Directory allows you to delegate control of parts of the directory tree, you might find yourself needing to delegate control over Group Policy as well. By default, only the following are allowed to create and manage GPOs in the directory:
■ Domain administrators
■ Enterprise administrators
■ Members of the Group Policy Creator Owners group

Figure 17.15 Viewing the WMI Filter Settings on a GPO

Granting the ability to create and manage GPOs to a non-administrator user takes two steps:
1. The user must become a member of the Group Policy Creator Owners group. Membership in this group will allow users to create GPOs in the area of the directory where they have access. When a member of this group creates a new policy object, he or she will become the owner of the object and will have full control over the object through the Group Policy Creator Owners permissions.
2. The user must be given permissions to a container in the directory where he or she will be managing group policy. This is done through delegation of control.
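The three scoping controls just described (Read + Apply Group Policy on the Security tab, a WQL filter on the WMI Filter tab, and the two delegation steps) can be applied and checked from a script. This is an added example, not the book's own procedure: it assumes the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 / RSAT and later, not available on Windows Server 2003), and every GPO, group, container and user name in it is a placeholder.

```powershell
# Added example, not from the book. Assumes the GroupPolicy and ActiveDirectory modules
# (Server 2008 R2 / RSAT or later); all names used at the bottom are placeholders.
Import-Module GroupPolicy, ActiveDirectory

function Set-GpoSecurityFiltering {
    # Security tab: give a group Read + Apply Group Policy and take Apply away from
    # Authenticated Users, so only members of that group process the GPO. As the text
    # says, they still have to log on in a container where the GPO is linked and not disabled.
    param(
        [Parameter(Mandatory)][string]$GpoName,    # e.g. 'Manager Tools Policy'
        [Parameter(Mandatory)][string]$GroupName   # e.g. 'IT Management'
    )
    # GpoApply includes Read.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Lower Authenticated Users to Read only (-Replace drops the default Apply right). Keep
    # Read: on domains patched with MS16-072 the computer account must be able to read the
    # GPO, otherwise its user settings are not applied to anyone.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

function Test-WmiFilterQuery {
    # WMI Filter tab: the client evaluates the WQL query and applies the GPO only if it
    # returns at least one instance. Run the same query locally before attaching it.
    param([Parameter(Mandatory)][string]$Query)
    $rows = @(Get-CimInstance -Query $Query -ErrorAction Stop)   # root\cimv2, WQL
    [pscustomobject]@{ Query = $Query; Instances = $rows.Count; WouldApply = ($rows.Count -gt 0) }
}

function Grant-GpoLinkManagement {
    # Delegation steps 1 and 2: add the user to Group Policy Creator Owners, then grant
    # Read/Write on the container's gPLink and gPOptions attributes, which is what the
    # wizard's "Manage Group Policy links" task grants (applied to this object only here).
    param(
        [Parameter(Mandatory)][string]$ContainerDN,     # e.g. 'OU=Marketing,DC=example,DC=test'
        [Parameter(Mandatory)][string]$SamAccountName   # the delegate's logon name
    )
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $SamAccountName
    $sid    = (Get-ADUser -Identity $SamAccountName).SID
    $schema = (Get-ADRootDSE).schemaNamingContext
    $acl    = Get-Acl -Path "AD:\$ContainerDN"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($attr in 'gPLink', 'gPOptions') {
        # Look the attribute's schemaIDGUID up in the schema instead of hard-coding it.
        $guid = [guid](Get-ADObject -SearchBase $schema -Filter "lDAPDisplayName -eq '$attr'" `
                    -Properties schemaIDGUID).schemaIDGUID
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                    $sid, $rights, $allow, $guid
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl
}

# Placeholder usage
Set-GpoSecurityFiltering -GpoName 'Manager Tools Policy' -GroupName 'IT Management'
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'   # DCs only
Grant-GpoLinkManagement -ContainerDN 'OU=Marketing,DC=example,DC=test' -SamAccountName 'mkt.manager'
```

The delegate ends up able to create GPOs and link them in that one container, but not to edit GPOs owned by others, which matches the scope the text describes for the two-step approach.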
When in Active Directory Users and Computers, right-click the designated container from the console list and select the Delegate Control item. Work your way through the Delegate Control Wizard to select the users who should be given control in the container. Add the Manage Group Policy Links item from the Permissions list, and then finish the wizard.

After these two steps have been performed, the user will be able to create new GPOs in the container where control was given. If you want the user to be able to edit the policies in other objects, you can give the user explicit permissions on the GPO in the directory. The user will only be able to create GPO links in containers where he or she has been granted that permission.

Verifying Group Policy

After you have created and linked GPOs in the directory, you should verify the correct operation of the policy settings before allowing the policy to be processed by users. To do this, you can use the Resultant Set of Policy tool in logging mode instead of planning mode. Access the RSoP tool just as you did for planning mode, but in the first page of the wizard, select the Logging mode option button instead of the Planning mode button. The settings for generating an RSoP report in logging mode are different from those in planning mode. The next few paragraphs detail the wizard pages and the settings needed to generate the report.

The first data page of the wizard allows you to select which computer to generate the report for. Your options are the current computer or another computer on the network. You can also select not to include computer configuration settings in the report.

The next page allows you to select the user for which the report will be run. You can select the current user or identify a different user from the directory. If you do not want to include user configuration data in the report, you can select the option to only include computer configuration information.
After completing the wizard, you can browse through the policy settings that will be in effect for the user once he or she logs on. There are fewer options needed for the logging mode of RSoP because the tool is not generating any "what if" information in the report. Instead, this report looks at the existing user and designated computer and reviews the policy settings that will be in effect for the user when he or she logs on.

Delegate Control for Group Policy to a Non-Administrator

In the following procedure, we walk through the process of setting up a non-administrator user to create and manage group policy in a specific container. For this example, one of the managers in the Marketing department will be given permissions to create GPOs in the Marketing container of the directory. After we have her permissions configured, we will log on as the user and create a simple GPO for the container.
1. Open Active Directory Users and Computers.
2. Find the user object in the tree, and open the Properties for the user.
3. Click the Member of tab, and click Add.
4. Enter group policy in the object name field, and click Check Names.
5. The Group Policy Creator Owner group will be recognized. Click OK.
6. The group should now be listed in the groups list.
7. Click Apply, and then click OK to close the user Properties window.
8. Right-click the appropriate container in the console tree (in this case, the Marketing container) and select Delegate Control from the menu.
9. In the Delegation of Control Wizard, click Next.
10. In the Users or Groups window, click Add.
11. Select the username from the directory and click OK. Repeat the process to add more users if necessary.
12. When the user list is complete, click Next.
13. In the Tasks to Delegate page, click on the Manage Group Policy links check box as shown in Figure 17.16.
If you would like the user to be able to work with RSoP, enable the Generate Resultant Set of Policy (Planning) and Generate Resultant Set of Policy (Logging) items as well. Click Next.
14. Click Finish to close the wizard.

Figure 17.16 Enabling the Group Policy Settings

15. Log on as the user and run Active Directory Users and Computers, or use Run As to run the tool as the user.
16. Active Directory Users and Computers should open to the container to which the user was just added.
17. Right-click the container and select Properties.
18. Click the Group Policy tab.
19. Click New.
20. Type in the name of the policy object.
21. Click Edit. Now you can go through and set the appropriate policy items as needed.

Performing Group Policy Administrative Tasks

A number of tasks can be performed with group policy settings. This section of the chapter covers some of the more typical administrative tasks that you might perform in setting up group policy for your organization.

Automatically Enrolling User and Computer Certificates

If your organization is using Certificate Services to manage user and computer certificates, you might want to enable autoenrollment of the certificates. Your certification authorities (CAs) need to be configured to support autoenrollment, but without enabling this setting in policy, users have to go through a manual process to enroll.

You will set the autoenrollment policy in both the user configuration and the computer configuration of the GPO. Since you will probably want the settings to apply to all systems in the organization, enable the settings in the Default Domain Policy object at the root of each domain in the organization. Follow these steps to enable this security setting:
1. Open Active Directory Users and Computers.
2. Right-click the domain container in the console tree and select Properties.
3. Click the Group Policy tab and select the Default Domain Policy.
4. Click Edit to open the Group Policy Object Editor.
5. Expand the Computer Configuration object, and then the Windows Settings object.
6. Expand the Security Settings object, and then select the Public Key Policies object.
7. Double-click the Autoenrollment Settings object in the right-hand pane.
8. Click the Enroll certificates automatically option button.
9. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
10. Enable the Update certificates that use certificate templates check box. Your settings should now appear as shown in Figure 17.17.
11. Click Apply, and then click OK.
12. Expand the User Configuration object in the console tree, and then the Windows Settings object.
13. Expand the Security Settings object, and then select the Public Key Policies object.
14. Double-click the Autoenrollment Settings object in the right-hand pane.
15. Click the Enroll certificates automatically option button.
16. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
17. Enable the Update certificates that use certificate templates check box.
18. Click Apply, and then click OK.

If your organization has multiple domains, repeat this process for each domain in the environment. Remember that only systems running Windows 2000 or later will be able to participate in autoenrollment of certificates.
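Once the 18 steps above have been applied and a client has refreshed policy (gpupdate /force), the result can be verified on the client itself. This is an added example, not the book's own procedure: Group Policy delivers the Autoenrollment Settings as the AEPolicy value under the AutoEnrollment policy key (HKLM for Computer Configuration, HKCU for User Configuration); the per-bit decoding below follows Microsoft's documented AEPolicy flags and should be treated as an assumption to confirm against the reference for your build.

```powershell
# Added example, not from the book. Reads the AEPolicy value that the Autoenrollment
# Settings policy writes on a domain member. Bit meanings are Microsoft's documented
# AEPolicy flags (assumption to confirm for your build); the GUI with the option button
# and both check boxes enabled writes 7, and 0x8000 means "do not enroll automatically".
function Get-AutoenrollmentPolicy {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae   = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $ae) {
        # No policy value at all: the GPO did not reach this scope (not linked, link disabled,
        # filtered out by security or WMI, or that configuration half disabled on the General tab).
        return [pscustomobject]@{ Scope = $Scope; Configured = $false; Enabled = $false; RawValue = $null }
    }
    $v = [int]$ae.AEPolicy
    [pscustomobject]@{
        Scope                    = $Scope
        Configured               = $true
        Enabled                  = (($v -band 0x8000) -eq 0)   # "Enroll certificates automatically"
        UpdateTemplateCerts      = [bool]($v -band 0x1)        # "Update certificates that use certificate templates"
        RenewUpdatePendingRemove = [bool]($v -band 0x2)        # "Renew expired, update pending, remove revoked"
        RawValue                 = $v
    }
}

function Test-AutoenrollmentFullyEnabled {
    # True only when both halves of the policy arrived with all three settings on,
    # i.e. the state the procedure above leaves the Default Domain Policy in.
    $results = @('Computer', 'User' | ForEach-Object { Get-AutoenrollmentPolicy -Scope $_ })
    $good = @($results | Where-Object {
        $_.Configured -and $_.Enabled -and $_.UpdateTemplateCerts -and $_.RenewUpdatePendingRemove
    })
    [pscustomobject]@{ FullyEnabled = ($good.Count -eq 2); Details = $results }
}

Test-AutoenrollmentFullyEnabled | Format-List
```

A Computer scope that is configured while the User scope is not usually means the user half was skipped (Disable User Configuration settings on the General tab, or a user that logged on outside the linked container), which is exactly what RSoP in logging mode will confirm.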
Redirecting Folders

Another feature that is becoming increasingly popular is folder redirection, especially since group policy makes this an easy task to perform. Through group policy, you can specify folder redirection for the following four system folders on the user system:
■ Application Data
■ Desktop
■ My Documents
■ Start Menu

Figure 17.17 Configuring Autoenrollment Settings

Posted: 04/07/2014, 23:21
