Group Policy, What Does This Mean?
Before we can start talking about the Group Policies, we need to know what is a Group Policy and what is it used for.
"Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment." – Quote Wikipedia
As we can see, Group Policy helps administrators control and configure the working environment in an Active Directory domain architecture such as Windows 2000, Windows 2003 or Windows 2008. Earlier versions of Windows, such as Windows NT, did not support Active Directory. Active Directory (AD) was introduced by Microsoft with the Windows 2000 Server platform; it is a directory service that automates the management of the network, user data, security and other resources in the domain. All the information is stored in a central database that is accessible throughout the domain. To make it possible to control and manage all these resources, Microsoft developed Group Policy so that the resources, domain configuration and settings can be managed centrally. Domain Administrators do not need to configure each server, computer or other resource in the domain individually; they can instead use Group Policy to manage groups of users, computers or other resources.
Essentially, Group Policy is an infrastructure that allows you to implement specific configurations for users and computers in a domain. Group Policies can also be used to deploy software to computers, install printers, connect network drives or simply lock down security settings.
Group Policy Implementation Prerequisites
In order to be able to implement a Group Policy infrastructure we will need to have a domain and an Active Directory database that will hold all our information about the objects in our network. To have a fully functional Active Directory domain we will need to have a server that will act as a Domain Controller, which is a server that holds a writable copy of the Active Directory Database. In our scenario we will use Windows 2008 R2 as a server platform.
To install and configure a domain controller, we will need to complete these tasks:
- Install Windows Server 2008 R2
- Install Active Directory on the domain controller
- Configure the DNS service
The first step is to install Windows 2008 R2 Server. After the server installation is complete we will assign a static IP address to the newly installed server; typically we do not want a Domain Controller with a dynamic IP address. We will assign 10.131.25.125 as the IP address of the newly installed server and give it the name "DC001".
To perform the Active Directory installation we can simply go to the Start > Run and type "dcpromo". This command will install or remove the Active Directory Domain Services. Follow the wizard for installing the Active Directory and choose to join an existing domain if you already have a domain infrastructure, else choose to create a new forest / domain. The wizard will guide you through the rest of the installation process and if necessary will also install and configure the DNS service. When asked for the domain name (if you do not already have a domain) write "mydomain.com" and continue the wizard.
After the installation is complete choose to reboot the machine. You now have a fully functional Windows 2008 Domain controller running Active Directory Domain Services.
Active Directory Installation
Creating a Group Policy Object
After you have promoted the server to a Domain Controller you will no longer be able to log in with a local user account on the machine; you will need to use a domain user account. The only domain users permitted by default to log on locally to a domain controller are members of the "Domain Admins" group, so log in to the server with an account that is a member of "Domain Admins".
To create, edit and deploy Group Policy Objects you will need to access the Group Policy Management Console. Go to Start > Administrative Tools > Group Policy Management.
A new window with the Group Policy Management console will open. Expand Forests, expand Domains, expand "mydomain.com" and select "Group Policy Objects". By default you will see two Group Policy Objects (GPOs): the "Default Domain Controllers Policy", which is the GPO applied to all the Domain Controllers in the domain, and the "Default Domain Policy", which is applied domain wide.
Let's try to make a new simple GPO. The goal of this GPO would be something simple like:
- Disable the sound on all the machines this policy is applied to.
- Do not allow the users access to the Control Panel.
To accomplish this we will need to create a new GPO. Right click "Group Policy Objects" and select "New". A "New GPO" window will pop up asking for the name of the new GPO. Let's call it "Lock Down" so the name tells us what the policy is about. Press OK, select it from the list, right click it and select "Edit".
Editing the GPO Settings
Group Policy Objects have two components: the Computer Configuration, which applies to computer objects, and the User Configuration, which applies to user objects. To accomplish our goal we will need to make changes in both the Computer Configuration and the User Configuration.
The first thing we want to accomplish is to disable the sound on the client computers. Luckily there is a setting under the Computer Configuration that does exactly that. Expand "Computer Configuration" > "Windows Settings" > "Security Settings" and go to "System Services". On the right side you will see the list of standard services present on the client computers. Find the "Windows Audio" service, double click it, tick "Define this policy setting", select the "Disabled" startup option and press OK. Our first goal is now accomplished.
Next we need to remove access to the Control Panel for any user affected by this GPO. Go to the User Configuration and expand "Policies" > "Administrative Templates" > "Control Panel", then select it. On the right side we can see the available settings. Select "Prohibit access to the Control Panel", right click it and select "Edit".
Select "Enabled" and click OK. All users affected by this GPO are now prevented from accessing the Control Panel. The only thing remaining is to link this GPO to an Active Directory Organizational Unit (OU). An Organizational Unit is an Active Directory container into which you can place users, groups, computers and other organizational units.
Go to Start > Administrative Tools > Active Directory Users and Computers. A new management console will open displaying your Active Directory structure. Expand the "mydomain.com" domain, select it, then right click and select "New" > "Organizational Unit". Name it "Test OU". You have now created a new OU where you can place the computers or users that should be affected by the new GPO. Go back to the Group Policy Management console and press F5 to refresh the configuration. The newly created OU will now appear under your domain. Select the "Test OU" right click it and select "Link an Existing GPO". Select the "Lock Down" GPO from the list and press OK.
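The same procedure driven from PowerShell, as an added example that is not part of the original article. It assumes the GroupPolicy and ActiveDirectory modules that ship with Windows Server 2008 R2 (installed with the GPMC and the AD DS role), a Domain Admins session on DC001, and the names used above (mydomain.com, Lock Down, Test OU).

```powershell
# Added example (not from the original article): create the "Lock Down" GPO,
# set the Control Panel restriction, create "Test OU" and link the GPO to it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'mydomain.com'
$gpoName = 'Lock Down'
$ouName  = 'Test OU'

# 1. Create the GPO (GPMC: Group Policy Objects > New), reusing it if present.
try   { $gpo = Get-GPO -Name $gpoName -Domain $domain }
catch { $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Disable audio, block Control Panel' }

# 2. User Configuration > Policies > Administrative Templates > Control Panel >
#    "Prohibit access to the Control Panel" = Enabled. That template writes the
#    NoControlPanel DWORD under the per-user Policies\Explorer key.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# The Windows Audio startup type (Computer Configuration > Windows Settings >
# Security Settings > System Services) is not exposed by the GroupPolicy
# cmdlets; define it in the GPMC editor as described in the text above.

# 3. Create "Test OU" directly under the domain if it does not exist yet.
$domainDN = (Get-ADDomain -Identity $domain).DistinguishedName
$ouDN     = "OU=$ouName,$domainDN"
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) { New-ADOrganizationalUnit -Name $ouName -Path $domainDN }

# 4. Link the GPO to the OU (GPMC: Test OU > Link an Existing GPO).
New-GPLink -Name $gpoName -Domain $domain -Target $ouDN -LinkEnabled Yes | Out-Null

# 5. Verify: the registry policy is stored in the GPO and the OU carries the link.
Get-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel'
(Get-GPInheritance -Target $ouDN -Domain $domain).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
```

On a client in the OU, `gpupdate /force` followed by `gpresult /r` shows whether "Lock Down" was applied to the logged-on user.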
In the same way you can create other Group Policy Objects and link them to Organizational Units in the domain, or to the whole domain, in order to simplify your administrative tasks.