
Group Policies and Access Control

TOPIC 5: GROUP POLICIES AND ACCESS CONTROL
ITP4112 Network and Virtualized Systems Administration Project

VTC 2012
LESSON INTENDED LEARNING OUTCOMES
On completion of the lesson, students are expected to:
Understand the group policy infrastructure of Windows Server 2008.
Know how to deploy group policies for central management of user and computer objects in an AD DS.

OVERVIEW
Group Policy is a mechanism used to centrally secure, configure, and deploy a common set of computer and user configurations, security settings, and in some cases, software, to Windows servers, Windows workstations, and users in an Active Directory forest.
The Group Policy infrastructure enables organizations to enforce configurations, simplify desktop administration, secure access to network resources, and in some cases, meet regulatory compliance requirements. For example, you can enforce an end-user password policy that requires complex passwords that must also be changed every 30 days.

OVERVIEW
Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs).
The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory.
Thus, Group Policy is one of the top reasons to deploy Active Directory because it allows you to centrally manage user and computer objects.

CREATING GROUP POLICIES
To create a new GPO without linking it to a container, right-click the Group Policy Objects folder in the Group Policy Management snap-in.
Select New from the shortcut menu, and the New GPO dialog box opens.

CREATING GROUP POLICIES
Supply a name for the GPO and then click OK.
The GPO appears in the list of policies found in the Group Policy Objects folder.

EDITING GROUP POLICIES
Creating a new GPO (and linking it) is only half of the work that you have to do to create a functional GPO. You have to edit the new GPO and configure its settings.
To edit a GPO, right-click on the GPO in the Group Policy Management node tree. Select Edit from the shortcut menu. The Group Policy Object Editor opens.

EDITING GROUP POLICIES
GPOs contain two main sections of settings: Computer Configuration and User Configuration.
Settings that you place in the Computer Configuration section affect all users logging on to computers to which the GPO has been linked.
The User Configuration section affects all users, no matter the computer to which they log on (i.e. all users in the container to which the GPO has been applied). User configuration policies go into effect when users log on.
Each section of the GPO contains three different setting types: Software, Windows, and Administrative Templates.

EDITING GROUP POLICIES

By default, the Software Installation policy is contained in Software Settings (for both Computer Configuration and User Configuration settings).
You can add applications to the Software Settings policy by right-clicking Software installation and adding the appropriate Windows installer packages (.msi files).

EDITING GROUP POLICIES
Windows Settings contains the security settings that you select and also holds any scripts that you choose to run.
Many important security settings are located in Windows Settings under the Computer Configuration node, including account policies and local policies like the audit policy and user rights assignments.

EDITING GROUP POLICIES
Administrative Templates: Policy Definitions enable you to control the settings for Windows components such as Task Scheduler and Windows Update, as well as settings related to Control Panel, Network Connections, and System Settings.
Editing a GPO means locating the individual policies and administrative templates that you want to use, and then enabling and configuring them for any user/group.
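
The create-then-edit sequence from the slides above, done from PowerShell instead of the snap-in. This is an added example, not part of the original slides; it assumes the GroupPolicy module (GPMC on Windows Server 2008 R2 or later, or RSAT), and the GPO name, OU path and report path are hypothetical placeholders.

```powershell
# Added example; names and paths below are placeholders, not values from the slides.
Import-Module GroupPolicy

$gpoName = 'Lab-WindowsUpdate-Baseline'                # hypothetical GPO name
$ouPath  = 'OU=Workstations,DC=example,DC=com'         # hypothetical target OU

# Create the GPO unlinked: it is listed under Group Policy Objects
# but applies to no user or computer until it is linked.
New-GPO -Name $gpoName -Comment 'Created unlinked; review before linking' | Out-Null

# Administrative Templates are registry-based policy, so they can be set here.
# These two values turn Automatic Updates on with a scheduled install
# (Computer Configuration side, because the key is under HKLM).
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AUOptions' -Type DWord -Value 4 | Out-Null

# Review what the GPO contains before it reaches any computer.
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"

# Link it only after review; it takes effect at the next policy refresh.
New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes
```

Security settings under Windows Settings (account policies, audit policy, user rights) are not registry-based policy and are not set by `Set-GPRegistryValue`; edit those in the Group Policy editor.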

GROUP POLICY INHERITANCE
Enabled Group Policies flow down through the Active Directory tree from top to bottom.
Domain-level Group Policies are inherited by OUs (and other Active Directory objects) that reside within the domain.
A particular computer in an OU could then inherit GPO settings from the domain and the OU in which it resides. That computer might also have local policies that have been configured.
However, the sequence in which Group Policy is actually processed by a computer is exactly the opposite.

GROUP POLICY INHERITANCE
By default, the local GPO is applied first, followed by site GPOs, and then domain GPOs, and finally OU GPOs.
To view GPOs linked to an object:
Open the Group Policy Management Console (Start, Administrative Tools, Group Policy Management).
Expand the various nodes in the snap-in tree until you see the container object that you want.
In the Details pane, click the Group Policy Inheritance tab.

GROUP POLICY INHERITANCE
To view just the GPOs directly linked to an object, select the Linked GPOs tab.
You can control which GPOs are inherited by an object.
You can also have GPOs from higher in the Active Directory tree actually override local policies.
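
The two tabs described above can also be read from PowerShell, which makes it practical to check every OU at once. This is an added example, not part of the original slides; it assumes the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later), uses a hypothetical OU path, and goes one step further than the slides by listing OUs where inheritance has been blocked.

```powershell
# Added example; the OU distinguished name is a hypothetical placeholder.
Import-Module GroupPolicy, ActiveDirectory

$target = 'OU=Workstations,DC=example,DC=com'
$som    = Get-GPInheritance -Target $target

# "Linked GPOs" tab: links made directly on this container.
$som.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# "Group Policy Inheritance" tab: every domain and OU GPO that reaches the
# container. Order 1 has the highest precedence and wins conflicting settings.
$som.InheritedGpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Target, Enabled, Enforced

# An OU that blocks inheritance receives higher-level GPOs only through
# enforced links, so a domain-wide security baseline can silently stop applying.
# List each such OU with the enforced GPOs that still reach it.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = Get-GPInheritance -Target $_.DistinguishedName
    if ($ou.GpoInheritanceBlocked) {
        $enforced = @($ou.InheritedGpoLinks | Where-Object { $_.Enforced })
        New-Object PSObject -Property @{
            OU           = $_.DistinguishedName
            DirectLinks  = @($ou.GpoLinks).Count
            EnforcedGpos = ($enforced | ForEach-Object { $_.DisplayName }) -join '; '
        }
    }
} | Select-Object OU, DirectLinks, EnforcedGpos
```

`Get-GPInheritance` reports domain and OU links only; site-linked GPOs and the local GPO show up in the resultant set on the client, for example with `gpresult /r`.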

NETWORK ACCESS PROTECTION
Group Policy provides a fine-grained yet extensible strategy for deploying policies on the network that control both computer and user behavior in the domain.
Moreover, Windows Server 2008 extends your bag of tricks in terms of securing the network with the Network Policy and Access Services role, which is kind of a grab bag of services and features related to remote access, routing, and network policy.
For example, you can use network policy to help secure the network and keep network clients up to date (in terms of their OS software). Or, you can configure a RADIUS server or VPN for remote access security.