
GP Editorial: Group Policy Best Practices

Lots of people ask the Group Policy Team: What are the best settings to configure? What is the most secure GPO we can deploy? I've been talking about this a lot with the Group Policy customer support folks, and the topic resulted in the following editorial. We try to provide guidance with this blog, the videos we post on our main page, and the Starter GPOs that ship in the box since Server 2008 R2 (available for download here). Unfortunately, there is no single right answer that will work for everyone. I hope you appreciate this somewhat editorial-styled blog post. Back to regular programming after this.

 - LiliaG, aka @superlilia

 

 

The real best practice is to “go do work.” The minute you make any recommendation, it is wrong… somewhere. I know this answer is not what people want to hear. Everyone wants a template that requires no thinking—plug and play.

GP is not a cookie-cutter technology. It’s not “one size fits all.” Each setting must be properly evaluated for each environment. Each policy setting should have a business requirement that justifies its existence. The whole process takes time and planning, and much of what I am saying has been incorporated into the 2008 Group Policy Planning and Deployment Guide.

Anyone who tries to suggest a group of canned default configurations does not understand the power or depth of Group Policy. Yes, there might be settings common to “locking down a computer”, but what does “locking down” mean? Everyone is likely to have a different answer. Our best advice typically requires a core understanding of Group Policy, some critical thinking, and a spoonful of common sense. Nothing we can suggest is a substitute for planning and testing… lots of testing in your environment.

Most Group Policy documentation authored for Windows Vista and 2008 is relevant for Windows 7 and Server 2008 R2. The best thing to do is learn how it works, and then apply that knowledge to scenarios for your environment. Overall, GP fundamentally works the same as it always has, with some minor tweaks along the way.

The latest GP management tools have always supported managing policies for down-level operating systems. That story has not changed either. Mixing Group Policy settings works. This is a common question that is asked after each release, and the “song remains the same”: nothing new here. Older operating systems ignore newer operating system policy settings.

How you choose to deploy policies for mixed operating systems should largely depend on the current Active Directory design, domain controller placement, sites, WAN link speeds, current policy settings, the new settings, and more. The number of successful permutations of “correct” is countless.

Good luck, check the forums, read this blog, and keep learning.

- Mike Stephens

http://blogs.technet.com/askds/

Tales from the Community: How do I deploy Windows 7 policy settings?

From the Newsgroups:

"Hi!

In order to use all of Windows 7 AD policies you need to be running Windows Server 2008 R2? Can I get a list of Group Policies that I cannot be leveraging when a Windows 7 client is in a Windows 2003 domain?

Pero"

Hey Pero,

Good to hear you’re interested in deploying Win7 and configuring it with Group Policy. Your first sentence is more like a statement than a question :-) But I’m afraid (or happy? maybe both!) I need to make a contradicting statement here: of course you DO NOT have to be running Windows Server 2008 R2 for those great Windows 7 policies. At least it doesn’t have to be a Windows Server 2008 R2.

What you need is a management station that is capable of creating Win7/Server 2008R2 Group Policies. Creating that is pretty easy. Do you have a Win7 client? Maybe virtualized? A Windows Server 2008 R2 client? Yeah? Then you’re ready to go! That’s all it takes - no special DC requirements here.

For Win7, there’s a Remote Server Administration Toolkit (RSAT) you can download and install here.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en

GPMC is one of the features included in this package. Once installed, GPMC from Win7 RSAT is capable of creating all those Windows 7 Group Policies you may want to deploy. It may be a little tricky to get the GPMC enabled after installation, but my fellow Group Policy MVP Jeremy created a how-to video on installing and enabling it: http://www.youtube.com/watch?v=UsYkbLzVsM8

(A good-looking guy, isn’t he!?) If you’re on Windows Server 2008 R2, it’s already on board – you just need to enable it. Even then, Jeremy’s video walks you through it.

As for your second question, there are Excel spreadsheets you can look into and filter for your favorite categories. They list all ADMX and Security Group Policy settings available. Looking them up and filtering within this spreadsheet is easier, in my opinion, than searching. The latest spreadsheet can be downloaded from this link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en

Cheers,

Florian (Group Policy MVP)

Tales from the Community: Enforced vs. Block Inheritance

From the Group Policy TechNet Forum, featuring Florian, ever-helpful Group Policy MVP:

Hi
What is the difference between “no-override” and “block policy inheritance” in group policy option?
Regards

M.

Hey M.!

It looks like you’re trying to tweak how Group Policy gets applied. Questions about “No override” and “Block policy inheritance” are not among the frequently asked questions out there in the Newsgroups or the Forums but definitely one of the more confusing ones - let’s be honest, there are easier things to learn than GP application. It’s not quantum physics…but sort of rocket science, right? For that reason, I hope you don’t mind me turning this into a blog posting.

Before grasping these concepts, you will need to have a good understanding of “basic” Group Policy precedence, which I discuss in this blog post. Basically: GPOs are applied in the order LSDOU (Local, Site, Domain, OU), and the last writer wins.

Okay, that sounds pretty logical, right? LSDOU, Last Writer Wins, no problem. Now here comes the juicy part. I know you’ve waited for this. GP admins love action. That’s why we’re GP admins. We love to see action. We love to see something actually *happen* on target objects: In order to give administrators the ultimate power, there are ways to …emm... yeah, ‘adjust’ GP processing. To break…I mean… circumvent the domain parts of L-S-D-OU, there are two options, ‘Enforced’ which previously was named ‘No Override’ and ‘Block Inheritance’.

Let’s tackle “Block Inheritance” first. We’ve seen that, from a directory tree perspective, down the tree to the target objects, all GPOs are applied and the settings configured there are cumulated – where settings contradict, the last writer wins. There may be situations where you don’t want that. That’s what “Block Inheritance” is for. For example, we don’t want the IT-OU to apply domain-level GPOs. We right-click the “IT”-OU in GPMC and choose “Block Inheritance” from the context menu. Voilà! You see a blue exclamation mark on the OU icon. From now on, IT objects won’t be bugged with domain-level GPOs. GPOs from levels higher than IT-OU will simply be ignored. Even GPOs from the same level, such as OULevel2-GPO, will. We’ve cut up-level administrators off.

Well, it isn’t that easy. If you’re an up-level administrator, you can just beat that. That’s the second setting we’re going to look at – ‘Enforced’. Enforced is your way of making sure down-level admins don’t cut you off. Right-clicking your favorite GP-link and choosing ‘Enforced’ from the context menu protects the GPO and its settings from being overridden by a later GPO. It even overrides the “Block Inheritance” setting. ‘Enforced’ GPOs are marked with a little lock on the GP-link icon.

Didn’t sound too complicated? Well, implementing the whole thing might be an easy thing to do – but debugging GP application issues with lots of Enforced GP-links and blocked inheritances is less fun, I can tell you from experience. So my recommendation would be to use these advanced concepts sparingly and with caution.

Cheers,

Florian (Group Policy MVP)

How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)

Happy Holidays!

http://www.youtube.com/user/jeremymoskowitz#p/u/0/UsYkbLzVsM8 

This is the Group Policy present you've been asking for: a step-by-step video of how to install the GPMC using a GUI or a command line, from Jeremy Moskowitz, one of our fantastic MVPs!

Jeremy also walks you through how to install the GPMC (Group Policy Management Console) using RSAT (Remote Server Administration Tools) for Windows 7.

One note: he mentions getting the GPMC for Windows Server 2008 and 2008 R2; those are two different GPMCs. The 2008 GPMC will not have all of the same settings that 2008 R2 / Windows 7 has. If you have moved up to R2 / Windows 7, the Group Policy team strongly recommends only managing GPOs from the R2 / Windows 7 version of the GPMC. Remember, you only need one Windows 7 client to get the newer GPMC!

Check out more useful stuff from Jeremy at his website: http://www.gpanswers.com/

Thanks and enjoy the holiday season,

LiliaG aka @superlilia

Group Policy PM

TechEd Australia 2009 talks published

If you couldn't make it to the TechEd Australia 2009 conference in the Gold Coast, you missed a lot of great presentations! Luckily, they were recorded and published here:

What’s new in Win7/Server 2008 R2 (Gutnik), SRV310:

http://www.msteched.com/online/view.aspx?tid=d9c80bdd-2413-4ca3-8d61-cfccb9200f77

The Power of Preferences (Burchill and Gutnik), CLI308:

http://www.msteched.com/online/view.aspx?tid=4d73cdcc-169b-4df7-bc18-e91a27b50625

Enjoy :)

LiliaG (the G stands for Gutnik) aka @superlilia

Group Policy, PM

Why didn't my Group Policy settings apply?

Here’s a brief summary of everything you need to know about the way Group Policy applies, care of Florian, the always helpful Group Policy MVP.

Florian Frommherz is a systems engineer from Germany working in Switzerland. Specialized in Windows environments, Florian helps customers design their Directory Services and Group Policy implementations to unleash the central management capabilities. Read more of his advice on the Group Policy TechNet forum.

Opening our Group Policy Primer books, there’s a common abbreviation explaining the GP application rules:

Local-Site-Domain-OU(-subOU-subsubOU-subsubsubOU) – that’s L-S-D-OU.

As you can see, GP application goes from “generic” local policy settings that have low priority to pretty specific groups of machines with settings of higher priority. Application follows the “last writer wins” principle. If there are two GPOs that implement the same setting, the latter to be applied is the one that owns the setting. Let’s look at an example:


Imagine that domain-level GPO and sub-OU level GPO both have the WSUS GP setting: “Configure Automatic Updates” configured. While the domain-level GPO implements updating on Friday 7am, the sub-OU-level GPO implements updating daily, 3pm. Which setting is going to win on target clients in the Helpdesk-OU? Yeah, the sub-OU-level GPO configures last, so it wins.

Digging deeper in our GP Primer books, there’s another rule to point out:

When looking at the list of GPOs of the same level (domain, OU, …) in GPMC, policies are applied from the bottom up. That way if there are multiple policies implementing the same setting, the last to be applied is always the one that owns the setting.

In this example, there are three GPOs linked at the domain level. Given the above rule of application, what GPO is going to win the setting if all of them configure it with a different value? If your answer was “Default Domain Policy”, you’re right. Not because the Default Domain Policy is special (well, yeah, it sort of is). No, it’s because it’s linked at the top of the list: application is from bottom to top and last writer wins.

This behavior, by the way, is why custom Password Policies sometimes “don’t work”. The default Password Policy settings in the Default Domain Policy just have a “better” link order than a newly created GPO with custom settings. You’ll need to tweak GPO ordering in these cases.

Good luck, and remember: LSDOU, bottom to top on same-level settings, and last writer wins.

Cheers,

Florian
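The two posts above (Florian’s Enforced vs. Block Inheritance answer and this precedence primer) describe rules you can verify rather than guess at. The script below is an added example, not part of either post, that uses the GroupPolicy module’s cmdlets (the ones GPMC installs on Windows 7 RSAT / Server 2008 R2) to list the links that reach one OU in precedence order, flag Block Inheritance and Enforced links, and detect the “my custom password policy doesn’t work” case by comparing link order of the domain-level GPOs that carry Account Policy settings. The domain, domain DN and OU are placeholders; the setting names used in the regex are the standard security-template names that appear in the XML report.

```powershell
# Added example, not from the original posts. Audits effective GPO precedence for
# one OU and checks the domain-level password policy link order. Uses only cmdlets
# from the GroupPolicy module (GPMC on Windows 7 RSAT / Server 2008 R2) and
# PowerShell 2.0-compatible syntax. Domain and OU values are placeholders.
Import-Module GroupPolicy

$Domain   = 'corp.example.com'                              # placeholder
$DomainDN = 'DC=corp,DC=example,DC=com'                     # placeholder
$TargetOU = 'OU=Helpdesk,OU=IT,DC=corp,DC=example,DC=com'   # placeholder

# --- Part 1: who wins on the target OU? ---
# InheritedGpoLinks lists every link that reaches the OU (site, domain, parent OUs,
# the OU itself) in precedence order: entry 1 is written last and wins conflicts.
$inh = Get-GPInheritance -Target $TargetOU -Domain $Domain

if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $TargetOU. Only Enforced links from above still reach it."
}

$rank = 0
$inh.InheritedGpoLinks | ForEach-Object {
    $rank++
    New-Object PSObject -Property @{
        Precedence = $rank            # 1 = highest: applied last, so it wins
        GPO        = $_.DisplayName
        LinkedAt   = $_.Target        # the site/domain/OU that carries the link
        Enforced   = $_.Enforced      # Enforced beats Block Inheritance and later writers
        Enabled    = $_.Enabled
    }
} | Select-Object Precedence, GPO, LinkedAt, Enforced, Enabled | Format-Table -AutoSize

# --- Part 2: the "my password policy doesn't work" case ---
# Account policies for domain accounts are taken only from GPOs linked at the domain
# level, and among those link order decides. Default Domain Policy normally sits at
# link order 1 (top of the list), so a custom password GPO placed below it loses.
$domainLinks = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks

$passwordGpos = @(foreach ($link in $domainLinks) {
    # The XML report names account policy settings the same way GptTmpl.inf does.
    $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $Domain
    if ($report -match 'MinimumPasswordLength|PasswordHistorySize|MaximumPasswordAge|PasswordComplexity') {
        New-Object PSObject -Property @{ Order = $link.Order; GPO = $link.DisplayName; Enforced = $link.Enforced }
    }
})

if ($passwordGpos.Count -gt 1) {
    # Enforced links at the same level are applied after non-enforced ones; then
    # link order (1 = top of the list) decides.
    $ordered = $passwordGpos | Sort-Object -Property @{Expression={ -not $_.Enforced }}, Order
    $winner  = $ordered | Select-Object -First 1
    $losers  = ($ordered | Select-Object -Skip 1 | ForEach-Object { $_.GPO }) -join ', '
    Write-Warning ("Password policy comes from '{0}' (link order {1}, enforced={2}); overridden: {3}" -f $winner.GPO, $winner.Order, $winner.Enforced, $losers)
}
elseif ($passwordGpos.Count -eq 1) {
    Write-Host ("Password policy is defined only in '{0}'." -f $passwordGpos[0].GPO)
}
```

Run it from a management station that has GPMC and read access to the GPOs. Part 1 is the LSDOU table Florian describes, already resolved for one container; Part 2 turns the link-order remark about Default Domain Policy into a check you can put in a change-control script before and after reordering links.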

Reposted : 5 Group Policy Myths

I wish I had written this myself. Please read this:

http://blogcastrepository.com/blogs/skatterbrainz/archive/2008/12/07/5-group-policy-myths.aspx

In it, he dispels the following myths:

1 - Group Policy is Hype

2 - Group Policy will Break Your Network and Clog the Pipes

3 - Group Policy Takes an Expert to Make it Work Properly

4 - Group Policy is Great for Deploying Software Installations

5 - Group Policy Still Needs Scripts to Complete the Job

Enjoy!

LiliaG, Group Policy PM aka @superlilia

Posted by GPTeam | 0 Comments

Group Policy Cmdlets in Windows PowerShell Released!

In a previous post, Lilia wrote an Introduction to Windows PowerShell Cmdlets in Windows 7. Windows PowerShell is a command-line shell and scripting language that helps IT professionals achieve greater productivity and control system administration more easily without the need for a programming background.

PowerShell also introduces the concept of a cmdlet (pronounced "command-let"): a specialized command in the PowerShell environment that implements a specific function. In addition to the more than two hundred core cmdlets that ship with PowerShell, you can also write your own cmdlets and share them with other users. To that end, the Group Policy Management Console (GPMC) ships with several PowerShell cmdlets that you can use to configure registry-based settings and perform various GPMC tasks.

You can use these Group Policy cmdlets to perform the following tasks for domain-based Group Policy objects (GPOs):

  • Maintain GPOs: GPO creation, removal, backup, reporting, and import.
  • Associate GPOs with Active Directory Domain Services (AD DS) containers: Group Policy link creation, update, and removal.
  • Set inheritance and permissions on AD DS organizational units (OUs) and domains.
  • Configure registry-based policy settings and Group Policy Preferences Registry settings.

To learn more about these Group Policy cmdlets, including how to access the cmdlets, which cmdlets are available, how to use the cmdlets, and examples that you can copy and paste into your PowerShell console session or script, visit the TechNet topic “Group Policy Cmdlets”.
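As an added example (not from the original post or the TechNet topic), the script below walks the four task areas in the list with the GroupPolicy module’s own cmdlets: back up everything first, create the GPO, write a registry-based policy setting (the Windows Update schedule the precedence post uses as its example) and a Preferences registry item whose CRUD action is chosen explicitly, link it to an OU, scope it with permissions, and produce a report. The domain, OU, GPO name, security group, registry key under Contoso and backup folder are placeholders.

```powershell
# Added example, not from the original post. Exercises the task areas listed above
# with GroupPolicy module cmdlets. All names below are placeholders for your environment.
Import-Module GroupPolicy

$Domain    = 'corp.example.com'                          # placeholder
$TargetOU  = 'OU=Workstations,DC=corp,DC=example,DC=com' # placeholder
$GpoName   = 'Workstation Update Baseline'               # placeholder
$ApplyGrp  = 'GPO-WorkstationBaseline-Apply'             # placeholder security group
$BackupDir = 'C:\GPOBackups'                             # placeholder

# 1. Maintain: back up every GPO before changing anything, so a bad edit can be
#    reverted with Restore-GPO (or carried elsewhere with Import-GPO).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -All -Domain $Domain -Path $BackupDir -Comment "Before editing $GpoName" | Out-Null

# 2. Maintain: create the GPO, reusing it if it already exists.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Windows Update schedule for workstations'
}

# 3. Configure: registry-based policy. "Configure Automatic Updates" writes to the
#    WindowsUpdate\AU policy key; policy values are enforced and revert when the GPO
#    stops applying. Values: NoAutoUpdate 0 = enabled, AUOptions 4 = download and
#    schedule install, ScheduledInstallDay 6 = Friday, ScheduledInstallTime 7 = 07:00.
$au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $au -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $au -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $au -ValueName 'ScheduledInstallDay'  -Type DWord -Value 6 | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $au -ValueName 'ScheduledInstallTime' -Type DWord -Value 7 | Out-Null

# 4. Configure: a Group Policy Preferences registry item. Unlike policy it is not
#    enforced, and -Action is the CRUD choice (Create/Replace/Update/Delete). Update
#    changes only the named value and leaves anything else under the key alone.
Set-GPPrefRegistryValue -Name $GpoName -Domain $Domain -Context Computer -Action Update -Key 'HKLM\SOFTWARE\Contoso\Inventory' -ValueName 'Site' -Type String -Value 'HQ' | Out-Null

# 5. Associate and permissions: link to the OU without Enforced, so admins of child OUs
#    can still use Block Inheritance against it, and grant Apply to one group.
#    Authenticated Users keeps its default Apply permission unless you change that too.
$linked = (Get-GPInheritance -Target $TargetOU -Domain $Domain).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null
}
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $ApplyGrp -TargetType Group -PermissionLevel GpoApply | Out-Null

# 6. Maintain: report what the GPO now contains, kept next to the backup for review.
Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Html -Path (Join-Path $BackupDir "$GpoName.html")
```

The script is written so it can be re-run: the GPO and link are only created when absent, and the registry cmdlets overwrite the same values. Keeping the Backup-GPO step first is the habit worth copying; it is the cheapest rollback you will ever have.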

Enjoy!

Tom Archer, Programming Writer

 

Group Policy Preferences : Colorful and Mysteriously Powerful, just like Windows 7

How could something like CRUD be desirable? In Group Policy world, even the impossible becomes possible. In this entry, you’ll discover why Red does not mean Error and what the different colors mean when you make a Preference item. Read on!

Let’s talk about some of the intricacies of Preferences, specifically what we fondly refer to as CRUD options. Now, keep in mind, CRUD only applies to “stuff”, meaning things you can create and delete on the client, like mapped drives and shortcuts and printers. There are no CRUD options for things you just make changes to but don’t create, like “folder options”. More on this at the end.

Despite its unfortunate acronym, CRUD is very useful. It is also the reason those little spots of color get associated with your new Preference items. Select one of the four actions from the drop-down menu to choose between Create, Replace, Update, and Delete. That decides how your Preference item will be pushed onto the client. Let’s take drive mappings as an example.

This is the Preference item, shown both in the UI and in XML (screenshots not reproduced here).

Now, under the “Action” drop-down, you have four options: Create, Replace, Update, Delete

Create – If a drive mapping doesn’t exist for this user for the share “\\share\userDocuments\”, then create one. If there already is one, don’t do anything! It’s a kind, gentle sort of policy; it won’t overwrite anything you already have, so it has a Green icon associated with it in the UI.

Replace – Remove whatever drive mapping exists for this share, and create a new one with these settings. If there isn’t one, just create it. No matter what, you’re getting this drive mapping, whether something existed there or not. It’s very insistent, like the bully of the CRUD options, so it gets a Red icon.

Update – Yellow – If that drive mapping exists, it will be updated with the settings specified here. If there are other settings associated with the drive mapping that aren’t specified here, they will be maintained. If no drive mapping exists for this share, create it. Nothing gets blasted away like with the Replace setting, but there is still a chance that you’ll overwrite something, so it gets a Yellow icon (warning! make sure you know what you’re going to be over-writing!).

Delete – X mark – If that drive mapping exists, it will be removed. That’s it, it’s just removed, so it gets an ‘x’ icon. It does not roll back, it gets deleted.

What did we learn? Red does not mean error! X marks the (delete) spot. Another picky note is that if you choose the “remove when no longer applicable” option under the common tab, it’ll force the CRUD action to Replace.

So, really, I’d recommend reading the help associated with each Preference item to make sure you know what you’re doing. 

Hope that helps!

liliaG aka @superlilia

P.S. The end! Here’s more on my stuff vs. state discussion. Stuff means something that can be created or deleted on the client machine / user account. Think of it as something you can see appear. It has a new icon that becomes associated with it: when you add a new printer, an icon appears that looks like that printer in your Devices window. When you add a shortcut to the desktop, that shortcut appears. Similarly, when you remove a local security group, it is gone, the icon is removed, the group no longer exists. That doesn’t mean that all local security groups are gone, just that one instance.

State is a state of being, like folder options. You can’t “create” folder options, but you can make changes like “Show all hidden files”.

GP Preferences has both of these types of things, but CRUD only applies to the stuff bits. You can’t configure CRUD for state, and the UI isn’t there to let you try.

P.P.S. Here’s the help in the product (screenshot not reproduced here).
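The XML the post shows next to the UI is what GPMC stores in SYSVOL, and the action letter in it is the only record of which CRUD option an item carries. The script below is an added example, not part of the post, that reads the Drive Map items from a Drives.xml and reports each item’s action with the icon colour and risk described above, promoting an item to Replace when the Common-tab “remove when no longer applicable” option is set, as the post notes. The sample document is constructed and trimmed to the attributes the script reads; the attribute names `action` (on Properties) and `removePolicy` (on the item element) are assumed to match what GPMC writes, and the SYSVOL path in the trailing comment is a placeholder.

```powershell
# Added example, not from the original post. Reviews the CRUD action of every Drive
# Map preference item in a Drives.xml. Attribute names 'action' and 'removePolicy'
# are assumed to match GPMC's Preferences XML. PowerShell 2.0-compatible syntax.
$ActionMap = @{
    'C' = @{ Name = 'Create';  Icon = 'Green';  Risk = 'Low: an existing mapping is left untouched' }
    'R' = @{ Name = 'Replace'; Icon = 'Red';    Risk = 'High: existing mapping removed and recreated' }
    'U' = @{ Name = 'Update';  Icon = 'Yellow'; Risk = 'Medium: named settings overwrite existing ones' }
    'D' = @{ Name = 'Delete';  Icon = 'X';      Risk = 'High: mapping removed, no rollback' }
}

function Get-DriveMapAction {
    param([Parameter(Mandatory=$true)][xml]$Drives)
    foreach ($item in $Drives.SelectNodes('/Drives/Drive')) {
        $props = $item.SelectSingleNode('Properties')
        $code  = $props.GetAttribute('action').ToUpper()
        $info  = $ActionMap[$code]
        if (-not $info) { $info = @{ Name = "Unknown ($code)"; Icon = '?'; Risk = 'Review manually' } }
        # "Remove this item when it is no longer applied" (Common tab) makes the item
        # behave as Replace, so report the action that will really run on the client.
        $removeWhenGone = ($item.GetAttribute('removePolicy') -eq '1')
        $effective = if ($removeWhenGone) { 'Replace' } else { $info.Name }
        New-Object PSObject -Property @{
            Drive           = $item.GetAttribute('name')
            Path            = $props.GetAttribute('path')
            Action          = $info.Name
            Icon            = $info.Icon
            RemoveWhenGone  = $removeWhenGone
            EffectiveAction = $effective
            Risk            = $info.Risk
        }
    }
}

# Constructed sample: one item per action, plus an Update item that the Common-tab
# option promotes to Replace. Real files carry more attributes (clsid, uid, changed...).
[xml]$SampleDrives = @"
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" status="H:">
    <Properties action="C" path="\\share\userDocuments" label="Docs" letter="H" useLetter="1"/>
  </Drive>
  <Drive name="P:" status="P:">
    <Properties action="R" path="\\share\projects" label="Projects" letter="P" useLetter="1"/>
  </Drive>
  <Drive name="S:" status="S:" removePolicy="1">
    <Properties action="U" path="\\share\scratch" label="Scratch" letter="S" useLetter="1"/>
  </Drive>
  <Drive name="X:" status="X:">
    <Properties action="D" path="\\oldserver\legacy" letter="X" useLetter="1"/>
  </Drive>
</Drives>
"@

Get-DriveMapAction -Drives $SampleDrives |
    Select-Object Drive, Path, Action, Icon, RemoveWhenGone, EffectiveAction, Risk |
    Format-Table -AutoSize

# Against a real GPO, point it at the file under the GPO's SYSVOL folder (placeholder path):
# Get-DriveMapAction -Drives ([xml](Get-Content '\\corp.example.com\SYSVOL\corp.example.com\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml'))
```

Reviewing the XML this way catches what the coloured icons only show one item at a time: every Red (Replace) and X (Delete) item in a GPO, and every Update item that the Common-tab option has silently turned into a Replace.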

 

Cross post: Terminal Server 2003 issues with Group Policy Preferences History Folder

I posted an article on my blog today about Windows 2003 Terminal Servers and Group Policy Preferences issues with History folders. In the article I discuss why this occurs and what we have done about it.

Over to there...

Michael Kleef, Program Manager

Posted by GPTeam | 0 Comments

Windows 7 - Do I need to change my Active Directory for new Group Policy features?

Now that you’ve obviously purchased, installed, and started playing with your Windows 7 client, you’re probably fantasizing about all the great things that will happen to your environment when you upgrade all of the machines in your site / OU / domain / basement to Windows 7 as well. Let me tell you, it’s going to be great. Why? Because you’ll have GP Preferences client side extensions installed already in all of those Windows 7 clients! That means that you can map drives and push out shortcuts and add printers and configure power plans for all these Windows 7 machines from your own Windows 7 client (with RSAT) or with Windows Server 2008 R2.

To answer the question in the title: NO, you do not need to change or update your Active Directory (if it's at least 2000, when Group Policy came about) to take advantage of the sweet new Group Policy features and settings. The exception is if the application that the setting is relevant to requires an AD upgrade, like BitLocker. This is a good article on configuring BitLocker in your AD, written by the guys on the Directory Services team: http://blogs.technet.com/askds/archive/2009/08/18/bitlocker-and-active-directory.aspx

 

Also, check out an overview plus good getting-started tips on this website: Group Policy Management for IT Pros. If there was anything in the above paragraphs that you have questions on, read this article first. Seriously.

http://windows.microsoft.com/en-US/windows7/Group-Policy-management-for-IT-pros

Have fun! Go Preferences!

LiliaG (@superlilia)

Group Policy Changes in Windows XP SP3

I'm seeing tons of people on forums trying to find the Group Policy changes in XP SP3 and Windows 7. It seems that both Google and Bing don't return the relevant results if you search for “Group Policy Changes XP SP3” because of all the noise of people asking where they are…

So for your enjoyment they are all here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb

Enjoy!

Michael Kleef, Program Manager

Posted by GPTeam | 0 Comments

TechEd Europe - Windows Server 2008 R2 GP Changes Session

I mentioned previously that I might be attending TechEd Europe this year to present on Windows Server 2008 R2 Group Policy changes. Well, it's confirmed. I am definitely coming! (Yeah!!)

So I started to think about what you might like to see from my sessions... and rather than me guessing about what you want to see, I'm going to turn it over to you to make the call. I want to hear from you!! If you're planning on attending TechEd Europe and you're interested in this session, how about you just comment on this blog entry with what you want.

If your content idea makes it into my session, I promise to give you kudos for your idea and may even bring gifts along if I can get the marketing guys to give me stuff (no promises there as they are a pretty cheap bunch :) )

My current core ideas are:

  • A brief recap on the work done in Vista/WS08 (as many customers didn't deploy that and don't know about all the cool stuff we did in it)
  • Some GPP changes
  • The new GP PowerShell work
  • Coverage of some of the new GP extensions
  • Any known impacts in moving from XP/2003 to W7/WS08R2

The details of each of these areas and any extra ideas I will leave up to you! (BTW, if I don't get any feedback I will just do what I had planned with my own ideas :) )

Let the feedback roll in!

Michael Kleef, Program Manager

Posted by GPTeam | 2 Comments

Managing Power with Group Policy Preferences: TechEd Online Video

We've mentioned managing power a couple of times here on the blog, including a brief introduction and a detailed step-by-step walkthrough by Alan Burchill (which shows how to configure power options that consider Business Hours vs. Off Hours using Group Policy Preferences targeting). Here's a high-level discussion of GP Preferences and why managing power using GPP will save money, time, and energy, in a TechEd Online video.

Note: there's a bit of pre- and post-conversation chit-chat between Alan and me about my trip to Australia, so avoid it by skipping ahead to the 2:15 mark and stopping at about 6:00.

The TechEd Online link is here:

http://www.msteched.com/online/view.aspx?tid=5da3f6a6-779a-45a9-9bab-a8b7c204da07

LiliaG, Group Policy PM, @superlilia

Interested in managing desktops with an online service? Get in on the private beta!

Want to test out and use new bits for Microsoft’s new hosted management service? A good friend to the Group Policy team is the System Center Online team, who announced the first version of their product at MMS 2009.

They are looking for qualified customers to be part of their fall beta, check out the full details here:

http://blogs.technet.com/systemcenteronline/archive/2009/09/23/system-center-online-desktop-manager-beta-is-coming-soon.aspx

If you are an IT pro who manages an IT environment, look into this! They’ve been working with members of the Group Policy team to create a cool hosted management experience. The beta includes the following:

  • Updates Management: Manage Microsoft updates from a web-based console. Review available updates, choose updates, and deploy to selected computers or groups of computers. Imagine WSUS from the cloud.
  • Policy Settings: Provides the ability to configure operational settings of the Windows Update and Anti-Malware agents installed on the client computers.
  • Anti-malware: Review anti-malware and anti-virus status and remedial actions from the SCODM console. Ensure managed computers have up-to-date signatures.
  • Assets Inventory: Collect detailed hardware and software inventory on managed computers. View this information in reports. Use the License reconciliation feature to load your Microsoft volume license agreement information and compare installed application quantities with licensed quantities.
  • Alerts: Helps you quickly and easily find problems (or potential problems) on your computers. You can also get help on how to solve the problem or how to start troubleshooting.

If you are chosen, here’s what they expect from you:

  • Active involvement in discussion groups, good feedback and bug reporting
  • Ability to deploy to a number of test PCs (preferably 5 or more)
  • Test on a variety of browsers, Windows operating systems, and PC architectures.
  • Ability to run through all the documented core scenarios and provide feedback

I’m going to test out some of this stuff tomorrow, you can too!

LiliaG, Group Policy PM

Posted by GPTeam | 0 Comments