Where Active Directory is an Authentication and Authorization process Group Policy Management is a feature built on top. This controls the working environment of User Accounts and Computer Accounts from a Centralised location.
What does a Group Policy Do
There are many technical explanations when you Google what a Group Policy is. The non-technical way to explain it is something like this.
You are in charge of an Organization IT that has 150 users. Out of these users, only 20 need USB access. Thus you have to go to each of the other users and make the necessary changes to prevent the use of USB access.
Time-consuming right? Well with a Group Policy you can set the policy on the server and deploy it specific Organization Unit. This will do all the changes as the user login or on a scheduled update.
Now some of you are thinking but 150 is not a lot. Ok, what if you are running the IT for an Organization over Multiple continents with thousands of users each group with different configurations.
- USB Access
- Administrator Right
- Wireless Access
- MS Office Macros
- Software Installs
Where you will need hundreds of IT personnel to make the changes manually you now have to deploy one Group Policy Object and it will take effect in a few hours instead of a few months.
What is a Group Policy Not
A Group Policy is not an all-in-one solution. It assists with getting work done faster and more productive. There are instances when Group Policies will fail. You still need to check (Even Spot Checks) the configs took effect.
You still need other security measures in place. Antivirus, Firewalls, or Proxies. Just because a user does not have USB access and No Admin Rights does not mean the workstation in protected. In Short Group Policy’s allows Bulk Conformity of Configs in Logical Grouping.
Jumping into the configuration
The best way to understand anything is by actually working on it. I suggest if you are going in Hard-Core use a Test Environment. It is easy enough these days to create a quick virtual environment. The below was done from a Server 2019 Domain controller.
In Server Manager click on Tools and choose Group Policy Manager. In the Management console Open the Forest > Domains > “Domain Name”
Once there you will see the same structure as what you will see in the Active Directory Users and Computers Management Console.
Default Domain Policy
One of the first Policies is the Default Domain Policy. Once you click on it you will see a few Tabs giving you some information on the specifics of that Group Policy. A Group Policy like you see there is called a Group Policy Object or GPO.
- Scope Tab
- To which section of the AD does this Policy Apply
- Which Security Groups does this policy apply too
- When it was created? Who Owns it? Is it Enabled
- A detailed list of setting that is being changed by this Policy
- Who can do “what?” with the Policy?
As we are not going to cover any advanced features let’s only concentrate on the Settings. You will notice Two Sections, Computer Configuration, and User Configuration.
It is important to distinguish between the two.
This will pull through all the Group Policies assigned to it when booting the machine. Once the PC is turned on, if you make any changes to it a Complete PC reboot is required to apply the updated Policies. Regardless of the user logged in the policies will apply.
On the other side, the Users Configuration will pull through on Logon.
As well as reapply every 90 min (depending on the Update interval). This is user-specific so if two different users with different configurations logs in their interfaces will apply accordingly.
Creating a New Policy
When creating a policy I suggest keeping the Computer Policies and User Policies Separate. This will help you better assign Policies to the correct places and troubleshoot when a policy does not pull through.
You can click on any folder and choose “Create a GPO in this domain, and link it here…” which will open a new GPO. Alternatively, if you have predefined Policies you can choose to “Link an Existing GPO…“.
I suggest going to the Group Policy Object Folder and right-click and choosing New. Enter a Descriptive Name for what you want to get done in this GPO.
When starting with this try using a Naming Convention.
Example: CC: Block USB
CC – Computer Configuration \ UC – User Configuration
Block USB – What the Purpose is for this GPO
When created, Right-click the GPO and choose Edit. From here there are many options you can change. The USB access for the Computer is located in Computer Configuration > Administrative Templates > System > Removable Storage Access
While browsing through you will see many other options that can be changed. Be careful to not apply to many policies at the same time. You can easily overcomplicate an environment.
Once you browse to the Location choose the settings you want to change, each setting explains what will happen when you either Enable or disable it. When done you can simply exit the GPO and it will be saved.
Policy vs Preference
If the policy goes away the local (OS Default) takes over.
If Preferences goes away it is Tattooed to the Registry
Applying the GPO
Your Policies is created and hopefully, you planned out according to the structure of your AD. Time to roll out. Applying the required Policies to each OU is as easy as linking the Policy to the OU but the one thing that you have to keep in mind is the order in which the Policies apply.
GPO applies in a Specific Order. With the last policy taking precedence over all previously applied Policies. The order is Local, Site, Domain, and OU.
Local changes only affect the workstation it is created on
Site is any Policy applied to the Specific Site
The domain is the domain the Configuration Item resides in
OU is a hierarchy of OU’s with the last one taking precedence
Note that if the last policy does not conflict with any other policies the other Policies will affect. This is only important if Policies conflict with one another.
When there are multiple policies applied to note the number in the link order. Higher numbers get processed first and lower numbers last.
Link Enabled vs Enforced
When Linking a Policy there is two option you should take note of. Enforced and Link Enabled.
Link Enabled means the settings of the GPO are applied when Group Policy is processed.
Enforced means it cannot be blocked at a lower level in the Group Policy processing hierarchy, even if an OU has Blocked Inheritance. An Enforced Policy always applies (Wins) over any lower policy.
GPO are inherited by default, if required they can also be blocked, using the Block Inheritance. If the Block Inheritance setting is enabled, the inheritance of the group policy setting is blocked.
Group Policy filtering allows to narrow down the group policy target to security groups or individual objects. Only the Objects specified in the filter will be applied.