Group Policy

Last updated
Local Security Policy editor in Windows 11 Local Security Policy.png
Local Security Policy editor in Windows 11

Group Policy is a feature of the Microsoft Windows NT family of operating systems (including Windows XP, Windows 7, Windows 8.1, Windows 10, Windows 11, and Windows Server 2003+) that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy (LGPO or LocalGPO) allows Group Policy Object management without Active Directory on standalone computers. [1] [2]

Contents

Active Directory servers disseminate group policies by listing them in their LDAP directory under objects of class groupPolicyContainer. These refer to fileserver paths (attribute gPCFileSysPath) that store the actual group policy objects, typically in an SMB share \\domain.com\SYSVOL shared by the Active Directory server. If a group policy has registry settings, the associated file share will have a file registry.pol with the registry settings that the client needs to apply. [3]

The Policy Editor (gpedit.msc) is not provided on Home versions of Windows XP/Vista/7/8/8.1/10/11.

Operation

Group Policies, in part, control what users can and cannot do on a computer system. For example, a Group Policy can be used to enforce a password complexity policy that prevents users from choosing an overly simple password. Other examples include: allowing or preventing unidentified users from remote computers to connect to a network share, or to block/restrict access to certain folders. A set of such configurations is called a Group Policy Object (GPO).

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles , folder redirection , and offline files .

Enforcement

To accomplish the goal of central management of a group of computers, machines should receive and enforce GPOs. A GPO that resides on a single machine only applies to that computer. To apply a GPO to a group of computers, Group Policy relies on Active Directory (or on third-party products like ZENworks Desktop Management) for distribution. Active Directory can distribute GPOs to computers which belong to a Windows domain.

By default, Microsoft Windows refreshes its policy settings every 90 minutes with a random 30 minutes offset. On domain controllers, Microsoft Windows does so every five minutes. During the refresh, it discovers, fetches and applies all GPOs that apply to the machine and to logged-on users. Some settings - such as those for automated software installation, drive mappings, startup scripts or logon scripts - only apply during startup or user logon. Since Windows XP, users can manually initiate a refresh of the group policy by using the gpupdate command from a command prompt. [4]

Group Policy Objects are processed in the following order (from top to bottom): [5]

  1. Local - Any settings in the computer's local policy. Prior to Windows Vista, there was only one local group policy stored per computer. Windows Vista and later Windows versions allow individual group policies per user accounts. [6]
  2. Site - Any Group Policies associated with the Active Directory site in which the computer resides. (An Active Directory site is a logical grouping of computers, intended to facilitate management of those computers based on their physical proximity.) If multiple policies are linked to a site, they are processed in the order set by the administrator.
  3. Domain - Any Group Policies associated with the Windows domain in which the computer resides. If multiple policies are linked to a domain, they are processed in the order set by the administrator.
  4. Organizational Unit - Group policies assigned to the Active Directory organizational unit (OU) in which the computer or user are placed. (OUs are logical units that help organizing and managing a group of users, computers or other Active Directory objects.) If multiple policies are linked to an OU, they are processed in the order set by the administrator.

The resulting Group Policy settings applied to a given computer or user are known as the Resultant Set of Policy (RSoP). RSoP information may be displayed for both computers and users using the gpresult command. [7]

Inheritance

A policy setting inside a hierarchical structure is ordinarily passed from parent to children, and from children to grandchildren, and so forth. This is termed inheritance. It can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates a policy that has inheritance blocked by a lower level administrator (domain administrator), this policy will still be processed.

Where a Group Policy Preference Settings is configured and there is also an equivalent Group Policy Setting configured, then the value of the Group Policy Setting will take precedence.

Filtering

WMI filtering is the process of customizing the scope of the GPO by choosing a (WMI) filter to apply. These filters allow administrators to apply the GPO only to, for example, computers of specific models, RAM, installed software, or anything available via WMI queries.

Local Group Policy

Local Group Policy (LGP, or LocalGPO) is a more basic version of Group Policy for standalone and non-domain computers, that has existed at least since Windows XP,[ when? ] and can be applied to domain computers.[ citation needed ] Prior to Windows Vista, LGP could enforce a Group Policy Object for a single local computer, but could not make policies for individual users or groups. From Windows Vista onward, LGP allow Local Group Policy management for individual users and groups as well, [1] and also allows backup, importing and exporting of policies between standalone machines via "GPO Packs" – group policy containers which include the files needed to import the policy to the destination machine. [2]

Group Policy preferences

Group Policy Preferences are a way for the administrator to set policies that are not mandatory, but optional for the user or computer. There is a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences. [8]

Group Policy Preferences adds a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control the application of these setting items.

Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003, and Windows Vista with the addition of the Client Side Extensions (also known as CSE). [9] [10] [11] [12] [13] [14]

Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Group Policy Management Console

Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7. [15] [16] [17] [18]

Advanced Group Policy Management

Microsoft has also released a tool to make changes to Group Policy called Advanced Group Policy Management [19] (a.k.a. AGPM). This tool is available for any organization that has licensed the Microsoft Desktop Optimization Pack (a.k.a. MDOP). This advanced tool allows administrators to have a check in/out process for modification Group Policy Objects, track changes to Group Policy Objects, and implement approval workflows for changes to Group Policy Objects.

AGPM consists of two parts - server and client. The server is a Windows Service that stores its Group Policy Objects in an archive located on the same computer or a network share. The client is a snap-in to the Group Policy Management Console, and connects to the AGPM server. Configuration of the client is performed via Group Policy.

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function. [20]

Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values. [21]

Windows 8 enhancements

Windows 8 has introduced a new feature called Group Policy Update. This feature allows an administrator to force a group policy update on all computers with accounts in a particular Organizational Unit. This creates a scheduled task on the computer which runs the gpupdate command within 10 minutes, adjusted by a random offset to avoid overloading the domain controller.

Group Policy Infrastructure Status was introduced, which can report when any Group Policy Objects are not replicated correctly amongst domain controllers. [22]

Group Policy Results Report also has a new feature that times the execution of individual components when doing a Group Policy Update. [23]

See also

Related Research Articles

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.

<span class="mw-page-title-main">Windows 2000</span> Fifth major release of Windows NT, released in 2000

Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and designed for businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was officially released to retail on February 17, 2000 and September 26, 2000 for Windows 2000 Datacenter Server. It was Microsoft's business operating system until the introduction of Windows XP Professional in 2001.

<span class="mw-page-title-main">Windows XP Professional x64 Edition</span> Windows XP edition for x86-64 computers released in 2005

Microsoft Windows XP Professional x64 Edition, released on April 25, 2005, is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

<span class="mw-page-title-main">Windows Registry</span> Database for Microsoft Windows

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralized management of machines and users in an Active Directory environment.

Remote administration refers to any method of controlling a computer from a remote location. There are many commercially available and free-to-use software that make remote administration easy to set up and use. Remote administration is often used when it's difficult or impractical to be physically near a system in order to use it or troubleshoot it. Many server administrators also use remote administration to control the servers around the world at remote locations. It is also used by companies and corporations to improve overall productivity as well as promote remote work. It may also refer to both legal and illegal remote administration.

<span class="mw-page-title-main">Windows Server 2008</span> Fourth version of Windows Server, released in 2008

Windows Server 2008, codenamed "Longhorn Server", is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on February 27, 2008. Derived from Windows Vista, Windows Server 2008 is the successor of Windows Server 2003 and the predecessor to Windows Server 2008 R2.

<span class="mw-page-title-main">Windows Firewall</span> Firewall software for Windows

Windows Firewall is a firewall component of Microsoft Windows. It was first included in Windows XP SP2 and Windows Server 2003 SP1. Before the release of Windows XP Service Pack 2, it was known as the "Internet Connection Firewall."

As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.

<span class="mw-page-title-main">Microsoft Management Console</span> Component of Microsoft Windows

Microsoft Management Console (MMC) is a component of Microsoft Windows that provides system administrators and advanced users an interface for configuring and monitoring the system. It was first introduced in 1998 with the Option Pack for Windows NT 4.0 and later came pre-bundled with Windows 2000 and its successors.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Windows Vista contains a range of new technologies and features that are intended to help network administrators and power users better manage their systems. Notable changes include a complete replacement of both the Windows Setup and the Windows startup processes, completely rewritten deployment mechanisms, new diagnostic and health monitoring tools such as random access memory diagnostic program, support for per-application Remote Desktop sessions, a completely new Task Scheduler, and a range of new Group Policy settings covering many of the features new to Windows Vista. Subsystem for UNIX Applications, which provides a POSIX-compatible environment is also introduced.

Wireless Zero Configuration (WZC), also known as Wireless Auto Configuration, or WLAN AutoConfig, is a wireless connection management utility included with Microsoft Windows XP and later operating systems as a service that dynamically selects a wireless network to connect to based on a user's preferences and various default settings. This can be used instead of, or in the absence of, a wireless network utility from the manufacturer of a computer's wireless networking device. The drivers for the wireless adapter query the NDIS Object IDs and pass the available network names (SSIDs) to the service. The service then lists them in the user interface on the Wireless Networks tab in the connection's Properties or in the Wireless Network Connection dialog box accessible from the notification area. A checked (debug) build version of the WZC service can be used by developers to obtain additional diagnostic and tracing information logged by the service.

A roaming user profile is a file synchronization concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows domain to log on to any computer on the same domain and access their documents and have a consistent desktop experience, such as applications remembering toolbar positions and preferences, or the desktop appearance staying the same, while keeping all related files stored locally, to not continuously depend on a fast and reliable network connection to a file server.

Microsoft Desktop Optimization Pack (MDOP) is a suite of utilities for Microsoft Windows customers who have subscribed to Microsoft Software Assurance program. It aims at bringing easier manageability and monitoring of enterprise desktops, emergency recovery, desktop virtualization and application virtualization.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

Windows XP, which is the next version of Windows NT after Windows 2000 and the successor to the consumer-oriented Windows Me, has been released in several editions since its original release in 2001.

A .ZAP File is a text file, which allows the publishing of an application to a user on a Microsoft Windows system, for applications for which a .MSI file does not exist. It is used in Active Directory Domains and is installed using a Group Policy.

References

  1. 1 2 LLC), Tara Meyer (Aquent (25 July 2008). "Step-by-Step Guide to Managing Multiple Local Group Policy Objects". go.microsoft.com.
  2. 1 2 Sigman, Jeff. "SCM v2 Beta: LocalGPO Rocks!". Microsoft. Retrieved 2018-11-24.
  3. "[MS-GPOD]: Group Policy Protocols Overview". Microsoft. Section 1.1.5 Group Policy Data Storage . Retrieved 2020-02-22.
  4. Gpupdate
  5. "Group Policy processing and precedence". Microsoft Corporation. 22 April 2012.
  6. "Group Policy - Apply to a Specific User or Group - Windows 7 Help Forums". www.sevenforums.com.
  7. Archiveddocs (18 April 2012). "Gpresult". technet.microsoft.com.
  8. "Group Policy Preference Migration Tool (GPPMIG)". Microsoft .
  9. "Group Policy Preference Client Side Extensions for Windows XP (KB943729)". Microsoft Download Center.
  10. "Group Policy Preference Client Side Extensions for Windows XP x64 Edition (KB943729)". Microsoft Download Center.
  11. "Group Policy Preference Client Side Extensions for Windows Vista (KB943729)". Microsoft Download Center.
  12. "Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)". Microsoft Download Center.
  13. "Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)". Microsoft Download Center.
  14. "Group Policy Preference Client Side Extensions for Windows Server 2003 x64 Edition (KB943729)". Microsoft Download Center.
  15. "How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)". 2009-12-23. Archived from the original on 2009-12-26. Retrieved 2010-03-12.
  16. Microsoft Remote Server Administration Tools for Windows Vista
  17. Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems
  18. Remote Server Administration Tools for Windows 7
  19. "Windows - Official Site for Microsoft Windows 10 Home & Pro OS, laptops, PCs, tablets & more". www.microsoft.com.
  20. Raymond Chen, "Shell policy is not the same as security"
  21. Russinovich, Mark (2019-06-26) [2005-12-12]. "Circumventing Group Policy as a Limited User". Microsoft Community Hub. Microsoft. Retrieved 2023-06-10.
  22. "Updated: What's new with Group Policy in Windows 8". 17 October 2011.
  23. "Windows 8 Group Policy Performance Troubleshooting Feature". 23 January 2012.

Further reading

  1. "Group Policy for Beginners". Windows 7 Technical Library. Microsoft. 27 April 2011. Retrieved 22 April 2012.
  2. "Group Policy Management Console". Dev Center - Desktop. Microsoft. 3 February 2012. Retrieved 22 April 2012.
  3. "Step-by-Step Guide to Managing Multiple Local Group Policy Objects". Windows Vista Technical Library. Microsoft. 25 July 2008. Retrieved 22 April 2012.
  4. "Group Policy processing and precedence". Windows Server 2003 Product Help. Microsoft. 21 January 2005. Retrieved 22 April 2012.