
Group Policy Objects Document, Part 2 (ppt)


DOCUMENT INFORMATION

Basic information

Title: Group Policy Objects Part 2
School: University of Information Technology
Major: Information Technology
Type: Document
Year published: 2023
City: Ho Chi Minh City
Format:
Pages: 7
Size: 33,96 KB


Contents



In the first implementation of Group Policies in Windows 2000, calculating effective policy for a given user or computer was challenging. This was especially true when there were many different GPOs at various levels within a given domain. At that time, Microsoft did not provide helper tools that would allow administrators to model the results of policies applied to a given computer or user. Thus, before undertaking a massive deployment of Group Policies within a corporate environment, it was imperative to carefully test all new policies.

Note: Many administrators used a command-line tool called GPResult.exe, which was supplied as part of the Windows 2000 Server Resource Kit. This tool generates a list of current GPO settings for a given user logged onto a given Windows 2000 computer.

With Windows Server 2003, Microsoft introduced several Group Policy management improvements, including:

- Software Restriction Policies. The rapid growth of the Internet increases security threats to a network, both from worms or viruses and from attacks. A network also could face internal threats, such as human errors. With software restriction policies, organizations can protect their networks from malicious software or even suspicious code by identifying and specifying the applications that are allowed to run. Unfortunately, Windows 2000 and earlier versions of Windows NT are unable to process software restriction policies. To use such policies, all domains must be migrated to Windows Server 2003 domains in native mode and all clients must be upgraded to Windows XP. (For more information on software restriction policies, refer to Chapter 9.)

- Enhanced User Interface in the Group Policy Object Editor. Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking on a policy instantly shows the text explaining its function and supported environments, such as Windows XP or Windows 2000.

- Group Policy Management Console. Expected to be freely available as an add-in component, the Group Policy Management Console (GPMC) provides a new framework for managing Group Policy. With GPMC, an administrator can back up and restore Group Policy Objects (GPOs), import/export and copy/paste GPOs, report GPO settings, and more.

- New Policy Settings. With Windows Server 2003, Microsoft introduced more than 200 new policy settings that let administrators easily lock down or manage configurations. These settings also enable or prohibit most new features, such as Remote Assistance, AutoUpdating, and Error Reporting.

- User Data and Settings Management Enhancements. Administrators can automatically configure client computers to meet specific requirements of a user's business roles, group memberships, and location. Improvements include simplified folder redirection and more robust roaming capabilities. These were addressed briefly in Chapter 10.

- Cross-Forest Support. Although GPOs can only be linked to sites, domains, or organizational units (OUs) within a given forest, the cross-forest feature in Windows Server 2003 enables several new scenarios that Group Policy supports.

- Resultant Set of Policy (RSoP). The Microsoft RSoP tool is probably the most important improvement, since it allows administrators to plan, monitor, and troubleshoot Group Policy. These capabilities in Windows 2000 were limited; only the GPResult.exe command-line Resource Kit utility was available. With RSoP, administrators can plan, preview, and verify policies and their effects on a specific computer or user. Unfortunately, RSoP is unavailable for Windows 2000 and earlier.

Using Resultant Set of Policy

Resultant Set of Policy (RSoP) is a long-awaited tool that allows system administrators to determine which Group Policy settings are being applied to a particular user or computer account. This tool can be used both for planning Group Policies before deploying them in a production environment and for troubleshooting problems with specific Group Policy settings. It implements one of the newest mechanisms for managing and troubleshooting Group Policies, and, therefore, deserves special attention. Unfortunately, like many improvements recently introduced by Microsoft, it is not available for Windows 2000 and earlier versions of Windows NT, nor for other legacy operating systems.

On Windows Server 2003, RSoP can operate in two modes:

- Logging mode, which displays Group Policy settings for a specific user or computer. This mode is applicable for standalone computers running Windows Server 2003. At the time of this writing, it also could be used on Windows XP computers joined to Windows 2000 or Windows Server 2003 domains.

- Planning mode, which allows administrators to evaluate the effect of applying different Group Policy Objects.

Where does RSoP get information on the resulting Group Policies? To gather this data, it queries the Common Infrastructure Management Object Manager (CIMOM) database through Windows Management Instrumentation. The CIMOM database contains information on computers' hardware, software installation settings, scripts, folder redirection settings, security settings, and Internet Explorer maintenance settings. The CIMOM database is refreshed with the current information each time a computer logs on to the network.

Note: The Common Infrastructure Management (CIM) model, now known as the Web-Based Enterprise Management (WBEM) initiative, was adopted by the Distributed Management Task Force (DMTF). This emerging standard, intended for all computer systems, offers a common way of describing and managing systems. Windows Management Instrumentation, which is built into Windows 2000, Windows XP, and Windows Server 2003, is the Windows-specific implementation. It can be used to discover information about Windows systems as well as manage them.

To obtain results using RSoP:

1. Start the MMC console, then select the Add/Remove Snap-in command from the File menu. Click the Add button on the Standalone tab, and select Resultant Set of Policy from the list of available standalone snap-ins. Click Close, then click OK.

Note: To request RSoP, you must either be logged on to the machine as the user whose policy you want to see, have local Administrator privileges on the machine you are querying (membership in the local Administrators, Domain Admins, or Enterprise Admins group is required), or have been delegated control over RSoP.

2. After adding the Resultant Set of Policy snap-in, select Generate RSoP Data from the Action menu. The RSoP Wizard will start. Click Next.

3. The RSoP Wizard will display the Mode Selection window (Fig. 11.9). To see Group Policy settings applied to a specific user or computer, select the Logging mode option and click Next. Note that logging mode might be the only mode available.

Figure 11.9: RSoP Wizard prompts you to select a mode


4. Next, the wizard will display a window prompting you to select a computer. You can either display Group Policy settings for the local computer or click the Browse button and select a remote system. Make your selection and click Next. You will be prompted to select a specific user for whom you need to display policy settings (Fig. 11.10). Select a user and click Next.

Figure 11.10: The User Selection window displayed by RSoP Wizard

5. The wizard will display the next window summarizing your selections. To change your selections, click Back. To confirm the selected options and proceed with the query, click Next, and RSoP will start the query. When the query completes, the wizard will display the final window, where you need to click Finish.

6. RSoP will appear for the selected user on the selected computer (Fig. 11.11). Click the RSoP folder to view data. Note that you can also set the order in which policies are applied. Simply right-click on the policy element, select Properties, then click the Precedence tab (Fig. 11.12).


Figure 11.11: RSoP query results

Figure 11.12: The Precedence tab displays the order of policy application

Note: To immediately view RSoP for the current user on the local Windows Server 2003 computer, click the Start button, select the Run command, enter the rsop.msc command into the Open field, and click OK.

You will immediately notice that there is a Group Policy problem if a red × appears on the user or computer configuration level (this indicates an error). To view information on the error, right-click the marked object, select Properties, and go to the Error Information tab.
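The logging-mode data the wizard above produces can also be read straight from the CIMOM database through WMI. The following PowerShell is an added example, not part of the original text or a Microsoft tool; the root\rsop\computer namespace and the RSOP_* classes are the standard RSoP WMI classes, and running as a local Administrator on the queried host is assumed.

```powershell
# Assumptions: elevated PowerShell on a domain-joined Windows XP / Server 2003 or later host;
# the root\rsop\computer namespace is filled by the Group Policy engine at each policy refresh.
function Get-ComputerRsop {
    param([string]$ComputerName = '.')
    $wmi = @{ ComputerName = $ComputerName; Namespace = 'root\rsop\computer' }

    # GPOs evaluated for the computer; enabled, filterAllowed and accessDenied decide whether each applied
    $gpos = Get-WmiObject @wmi -Class RSOP_GPO |
        Select-Object name, guidName, enabled, filterAllowed, accessDenied

    # Link order per site / domain / OU: the same precedence the Precedence tab shows
    $links = Get-WmiObject @wmi -Class RSOP_GPLink |
        Sort-Object somOrder, linkOrder |
        Select-Object SOM, GPO, somOrder, linkOrder, enabled, noOverride

    # Administrative Templates values that won (lowest precedence number first);
    # these are the values the ADM-driven policy writes under ...\CurrentVersion\Policies
    $regs = Get-WmiObject @wmi -Class RSOP_RegistryPolicySetting |
        Sort-Object precedence |
        Select-Object registryKey, valueName, valueType, value, precedence, GPOID

    # Per-extension status: a non-zero error code is what rsop.msc marks with the red x
    $errs = Get-WmiObject @wmi -Class RSOP_ExtensionStatus |
        Where-Object { $_.error -ne 0 } |
        Select-Object displayName, error, endTime

    [pscustomobject]@{ GPOs = $gpos; Links = $links; RegistrySettings = $regs; ExtensionErrors = $errs }
}

$rsop = Get-ComputerRsop
$rsop.GPOs | Format-Table -AutoSize
$rsop.RegistrySettings | Format-Table registryKey, valueName, value, precedence -AutoSize
if ($rsop.ExtensionErrors) {
    Write-Warning 'One or more client-side extensions reported errors (see the Error Information tab):'
    $rsop.ExtensionErrors | Format-Table -AutoSize
}
```

The user half of the data lives in a per-user namespace, root\rsop\user\<SID with hyphens replaced by underscores>, and is read the same way.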

How Group Policy Administrative Templates Affect the Registry


Now that I have introduced some theoretical foundation required for understanding Group Policy Objects (GPOs), it is time to present some of the GPO features that influence the system registry.

As previously emphasized in this chapter and in Chapter 10, both Windows NT 4.0 and Windows 9x supported so-called System Policies, which were simply special types of registry files delivered to users at logon time. These registry files (their default names were Ntconfig.pol and Config.pol) were used to centrally modify the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE registry root keys. For example, within a given policy file, it was possible to specify different registry modifications for different users, computers, or global groups. The template ADM files controlled which registry keys and values could be modified and what the possible values could be. These template files were text files using a special macro language to specify which key or value was to be modified and how. Most savvy administrators customized ADM files to enforce the desired policy. In particular, the following two keys became the primary targets for enforcing system policies:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

However, System Policies were limited and difficult to use. Starting with Windows 2000, the situation has improved.

If you refer back to Table 11.1, you'll notice that old-style System Policies used in legacy versions of Windows have become part of the Group Policy Object (GPO). In Windows 2000 and its successors, the Administrative Templates portion of the GPO performs functions identical to those of old system policies. Furthermore, GPO-based administrative templates still use the ADM file format.

The default templates, such as System.adm and Inetres.adm, are stored under the \ADM folder within the Group Policy Template (GPT). If you carefully study the format of these files, you will notice that the structure of ADM files in Windows Server 2003 is similar to that of Windows 2000 and even of Windows NT 4.0. The main difference is that each new version supports additional macro keywords to provide new functionality. For example, the EXPLAIN keyword, introduced with Windows 2000 and supported on all later versions, lets the developer of a specific ADM file create Help text associated with a given policy item. The SUPPORTED keyword, introduced with Windows XP and Windows Server 2003, allows the developer to specify supported OS versions. This is an important point, since, as multiple examples have shown in this chapter, not all new features introduced with the release of Windows Server 2003 are supported on Windows XP, to say nothing of earlier Windows versions.
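To make the ADM macro language concrete, here is an added PowerShell example (not from the book and not a Microsoft tool) that walks the CLASS / CATEGORY / POLICY structure of an ADM file, resolves the !!string tokens that the EXPLAIN and SUPPORTED keywords refer to, and reports which registry key and value each policy item writes. The template it parses is constructed for this example in the style of System.adm.

```powershell
function ConvertFrom-AdmTemplate {
    param([string]$Text)
    $lines = $Text -split "`r?`n" | ForEach-Object { $_.Trim() }
    # Pass 1: the [strings] table, so !!tokens (names, EXPLAIN and SUPPORTED text) can be resolved
    $strings = @{}; $inStrings = $false
    foreach ($t in $lines) {
        if ($t -eq '[strings]') { $inStrings = $true; continue }
        if ($inStrings -and $t -match '^([^=]+)="(.*)"$') { $strings[$matches[1].Trim()] = $matches[2] }
    }
    function Resolve-Token([string]$v) {
        if ($v -like '!!*' -and $strings.ContainsKey($v.Substring(2))) { return $strings[$v.Substring(2)] }
        return $v.Trim('"')
    }
    # Pass 2: walk CLASS / CATEGORY / POLICY blocks; a KEYNAME set on a CATEGORY is inherited by its policies
    $class = ''; $pol = $null; $out = @(); $cats = New-Object System.Collections.ArrayList; $keys = New-Object System.Collections.ArrayList
    foreach ($t in $lines) {
        if ($t -eq '[strings]') { break }
        switch -Regex ($t) {
            '^CLASS\s+(\w+)'           { $class = $matches[1].ToUpper() }
            '^CATEGORY\s+(.+)$'        { [void]$cats.Add((Resolve-Token $matches[1])); [void]$keys.Add($null) }
            '^END\s+CATEGORY'          { $cats.RemoveAt($cats.Count - 1); $keys.RemoveAt($keys.Count - 1) }
            '^KEYNAME\s+"?([^"]+)"?'   { if ($pol) { $pol.KeyName = $matches[1] } elseif ($keys.Count) { $keys[$keys.Count - 1] = $matches[1] } }
            '^POLICY\s+(.+)$'          { $pol = [ordered]@{ Class = $class; Category = ($cats -join '\'); Name = (Resolve-Token $matches[1])
                                           KeyName = ($keys | Where-Object { $_ } | Select-Object -Last 1); ValueName = $null; Supported = $null; Explain = $null } }
            '^EXPLAIN\s+(.+)$'         { if ($pol) { $pol.Explain = Resolve-Token $matches[1] } }
            '^SUPPORTED\s+(.+)$'       { if ($pol) { $pol.Supported = Resolve-Token $matches[1] } }
            '^VALUENAME\s+"?([^"]+)"?' { if ($pol) { $pol.ValueName = $matches[1] } }
            '^END\s+POLICY'            { $out += [pscustomobject]$pol; $pol = $null }
        }
    }
    return $out
}

# Constructed sample in System.adm style (not copied from any Microsoft template)
$sampleAdm = @'
CLASS USER
CATEGORY !!Cat_Explorer
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!Pol_NoRun
        EXPLAIN !!Pol_NoRun_Help
        SUPPORTED !!Sup_Win2000
        VALUENAME "NoRun"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY
[strings]
Cat_Explorer="Start Menu and Taskbar"
Pol_NoRun="Remove Run menu from Start Menu"
Pol_NoRun_Help="Removes the Run command from the Start menu."
Sup_Win2000="At least Microsoft Windows 2000"
'@
ConvertFrom-AdmTemplate $sampleAdm | Format-List
```

Pointing the function at a real template under the GPT's \ADM folder (for example `ConvertFrom-AdmTemplate (Get-Content -Raw .\System.adm)`) lists every policy item together with the Policies subkey it targets, which is a quick way to see what a GPO's Administrative Templates can write.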


Each GPO can have a different set of ADM files, and each machine or user can process multiple GPOs. Flexibility in the area of desktop and application control and lockdown is as granular as you want to make it.

Having looked at the mechanics of how administrative templates are used, let's move on to what administrators see when they edit a GPO using these templates. Start up the Group Policy tool MMC snap-in, focused on a GPO. Every Windows 2000 or Windows Server 2003 domain contains a Default Domain Policy when first installed, so if you haven't created any other GPOs, you can start by editing that one. To do so:

1. Start the Active Directory Users and Computers MMC snap-in, right-click the name of the domain of interest, and select the Properties command from the context menu.

2. Go to the Group Policy tab. Highlight the GPO of interest. (Note that if you haven't created any GPOs, only the Default Domain Policy will be available.) Click the Edit button.

Posted: 14/12/2013, 10:15
