Group Policy is now most often created and configured with the Group Policy Management Console (GPMC, which we also use throughout this article); previously, and still for local policies, the Group Policy Object Editor (gpedit.msc) was used. The settings are stored in a Group Policy Object (GPO). Group Policy has several predefined parts (depending on the OS version) and can be extended with Administrative Templates. Most settings modify the registry, but a GPO can also change security settings, install software, configure Internet Explorer, and so on. Every policy has two main parts: Computer Configuration and User Configuration.

Group Policy mostly works by modifying the registry on the client workstation or server. The Computer Configuration part holds settings for the computer; a policy with these settings applies to computer objects in Active Directory (it affects the given computer regardless of which user logs on). These settings modify the HKEY_LOCAL_MACHINE (HKLM) hive, for example HKLM\Software\Policies\Microsoft\Windows or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
The User Configuration part holds settings for the user; a policy with these settings applies to user accounts in Active Directory (it affects the given user regardless of which computer they log on to). These settings modify the HKEY_CURRENT_USER (HKCU) hive, for example HKCU\Software\Policies\Microsoft\Windows or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies.
Computer policies are applied at computer startup and user policies at user logon. Both are then refreshed periodically in the background (on workstations and member servers every 90 minutes plus a random offset of up to 30 minutes; domain controllers refresh every 5 minutes). We can also force an immediate refresh with the following command (/force reapplies all settings, even unchanged ones; settings such as software installation or folder redirection are still only processed at startup or logon, so gpupdate may prompt for a restart or logoff):
gpupdate /force
Policy Application
Group Policies are applied by linking a GPO to a container (a link). Only three kinds of Active Directory containers can have a GPO linked: a site, the domain, or an organizational unit (OU). The default containers such as Computers and Users are not OUs and cannot have links; objects in them receive only site- and domain-level policies.

Because AD is hierarchical, policy application is governed by inheritance and is cumulative. A policy linked to an OU affects all computers and users in that OU and in any nested OUs; when several policies apply, their settings are combined. A policy that contains only a computer part is still processed for users in its scope, but has no effect on them. Whether a given computer or user actually receives a policy also depends on its permissions on the GPO (Read and Apply Group Policy); this is what filtering controls.
Policies are processed sequentially, and a policy processed later can overwrite settings from an earlier one. The order is local GPO, then site, domain and OU, ending with the OU closest to the object (LSDOU), so the closest OU wins on conflicts. Several policies linked to the same container are processed according to the Link Order shown on the Linked Group Policy Objects tab: the link with the lowest number (1) has the highest precedence, meaning it is processed last and wins on conflicts.

Disabling Part of the Policy
Even when a policy contains only one part (computer or user), it is normally processed on all objects (users and computers) that fall within its scope. Processing every policy, even an empty half, costs time on the target computer. It is therefore appropriate to disable the unused part in policies where we use only one, and to keep the number of policies low by combining related settings into one GPO.
On the policy, switch to the Details tab and find the GPO Status item. It can take one of four values:
- Enabled - both parts are applied
- All settings disabled - nothing is applied (the link stays, but the policy has no effect)
- Computer configuration settings disabled - only the user part is applied
- User configuration settings disabled - only the computer part is applied
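The check and fix described above can be automated for a whole domain. The following script is an added example, not code from the original article: it uses the GroupPolicy PowerShell module (RSAT or a domain controller) and an account allowed to modify GPOs, reads each GPO's XML report to see which half carries any settings at all, and disables the empty half. The function names are my own; run it with -WhatIf first, which changes nothing.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module is available and the caller may modify GPOs in the domain.
Import-Module GroupPolicy

function Get-GpoHalfUsage {
    # For every GPO in the domain, report whether the Computer and User
    # halves contain any settings. The XML report has an <ExtensionData>
    # node under <Computer> / <User> only when that half is non-empty.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        [pscustomobject]@{
            Name        = $gpo.DisplayName
            Id          = $gpo.Id
            Status      = $gpo.GpoStatus
            HasComputer = ($null -ne $report.GPO.Computer.ExtensionData)
            HasUser     = ($null -ne $report.GPO.User.ExtensionData)
        }
    }
}

function Disable-UnusedGpoHalf {
    # Sets GPO Status so that an empty half is no longer processed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($g in Get-GpoHalfUsage) {
        $target = $null
        if ($g.HasComputer -and -not $g.HasUser)     { $target = 'UserSettingsDisabled' }
        elseif ($g.HasUser -and -not $g.HasComputer) { $target = 'ComputerSettingsDisabled' }
        # Both halves used, or both empty (probably a new GPO): leave it alone.
        if (-not $target -or $g.Status -eq $target) { continue }
        if ($PSCmdlet.ShouldProcess($g.Name, "set GpoStatus to $target")) {
            # There is no Set-GPO cmdlet; GpoStatus is a writable property
            # of the object returned by Get-GPO.
            (Get-GPO -Guid $g.Id).GpoStatus = $target
        }
    }
}

Get-GpoHalfUsage | Format-Table Name, Status, HasComputer, HasUser -AutoSize
Disable-UnusedGpoHalf -WhatIf   # drop -WhatIf to apply
```

Review the table before applying: a GPO whose half is empty only because it is still being built should not be disabled, which is why the script skips GPOs where both halves are empty.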

Loopback Processing
Sometimes we need to apply user settings, but assign them based on the computer, so that every user who logs on to that computer gets the settings, while logging on elsewhere gives them different (or their normal) settings. Typical cases are terminal servers, kiosks, or laptops versus workstations.
For this, Group Policy offers loopback processing mode. In Replace mode, the user settings from GPOs linked to the computer's location replace the user's own settings; in Merge mode, the two are combined, with the computer-side settings winning on conflicts. The setting is made in a policy linked to the computers: Computer Configuration - Administrative Templates - System - Group Policy - User Group Policy loopback processing mode; set Enabled and choose Mode Replace or Merge.
This sounded very pleasant to me when I first read about it. In practice, however, the solution turns out to be almost unusable. It is not a per-policy switch that makes one particular setting follow the computer rather than the user. It is a global setting that changes the behaviour of the computers it is applied to, and therefore affects all policies.
So with Replace mode, no user policy linked to the user's own OU is used at all; user settings must come from policies linked where the computer objects are. We could link such policies to the entire domain, but then we lose the targeting of policies to specific user OUs (which will almost always bother us). Alternatively, Merge mode applies both the policies linked to the user and those linked to the computer, but this lengthens policy processing, unexpected combinations arise, and troubleshooting becomes difficult.
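The loopback switch is, under the hood, a single registry value in the computer half of the GPO, which makes it easy to set and verify from PowerShell. The snippet below is an added example, not from the original article; the GPO names "TS-Loopback" and "TS-UserRestrictions" and the OU path are assumptions for illustration.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module and two hypothetical GPOs linked to the terminal-server OU.
Import-Module GroupPolicy

$loopbackGpo = 'TS-Loopback'                                   # assumed name
$tsOU        = 'OU=TerminalServers,OU=Servers,DC=example,DC=com' # assumed OU
$key         = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "User Group Policy loopback processing mode" writes UserPolicyMode:
# 1 = Merge, 2 = Replace. Writing it via Set-GPRegistryValue is equivalent
# to enabling the Administrative Template item in the editor.
Set-GPRegistryValue -Name $loopbackGpo -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Verify what the GPO now carries (throws if the value is missing).
Get-GPRegistryValue -Name $loopbackGpo -Key $key -ValueName 'UserPolicyMode'

# Loopback is a COMPUTER setting, so the USER settings you want on the
# terminal servers must come from GPOs linked where the computer objects
# live (this OU, its parents, site, domain), not from the users' OU.
New-GPLink -Name 'TS-UserRestrictions' -Target $tsOU -LinkEnabled Yes -ErrorAction Stop

# On a terminal server, after gpupdate, this lists the user GPOs that were
# actually applied; in Replace mode only those from the computer's scope appear:
#   gpresult /r /scope:user
```

Because the value lives in the computer half, the GPO carrying it must not have Computer configuration settings disabled, and its link must sit at or above the OU of the computers that should behave this way.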

Restricting Policy Application
Filtering Policy Application
For dynamic control of which computers and users a policy applies to, we can use WMI filtering or security filtering. With WMI (Windows Management Instrumentation) we create a filter that queries properties of the computer, and the policy is applied only where the query returns a result, for example a particular OS version. Security filtering allows the policy only for computers or users that hold the Read and Apply Group Policy permissions on the GPO, typically granted to a security group instead of the default Authenticated Users. Note that since the MS16-072 update (June 2016), the user half of a GPO is read using the computer account, so computers must keep Read permission on the GPO (for example through Authenticated Users or Domain Computers) even when the policy is filtered to a user group; removing Authenticated Users entirely silently disables the user settings.
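Both filtering mechanisms can be prepared from PowerShell. The block below is an added example, not from the original article: it rewrites the ACL of a GPO so that only members of a group receive it while everyone keeps Read (the MS16-072 requirement), and it tests a WMI query on the local machine before the query is pasted into a WMI filter in GPMC (the GroupPolicy module has no cmdlet for creating WMI filters). The GPO name "Laptop-Power" and the group "GPO-Laptops" are assumptions.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module, a hypothetical GPO "Laptop-Power" and a hypothetical group "GPO-Laptops".
Import-Module GroupPolicy

$gpo   = 'Laptop-Power'
$group = 'GPO-Laptops'

# 1. Security filtering.
#    Default ACL: Authenticated Users = Read + Apply. Reduce it to Read only
#    (-Replace overwrites the existing level), then grant Apply to the group.
#    Read must stay so that computer accounts can still read the user half.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check the result; GpoApply corresponds to "Apply Group Policy" in GPMC.
Get-GPPermission -Name $gpo -All | Format-Table Trustee, TrusteeType, Permission -AutoSize

# 2. WMI filtering.
#    A WMI filter applies the GPO only where the WQL query returns at least
#    one object. Test the query on a representative machine first; a typo
#    here means the policy silently applies nowhere.
#    ProductType 1 = workstation, 2 = domain controller, 3 = member server.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.%" AND ProductType = "1"'
$os  = Get-CimInstance -Query $wql
if ($os) {
    "Filter matches this machine: $($os.Caption), build $($os.BuildNumber)"
} else {
    'Filter does NOT match this machine'
}
```

The same Get-CimInstance test is worth running on a machine that should be excluded, so you see both outcomes before trusting the filter in production.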
Blocking Inheritance
Another way to control policy application is to block inheritance on a container. Right-click the container and choose Block Inheritance; this stops processing all policies from parent containers except enforced ones.
The opposite is to enforce a policy link, so that its settings cannot be overwritten by lower-level policies and it applies even where inheritance is blocked. Right-click the link and choose Enforced.
Which policies apply to a container, and in what precedence order, is shown on its Group Policy Inheritance tab.
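The processing order described under Policy Application and the Group Policy Inheritance tab mentioned here can both be read (and the block/enforce switches set) from PowerShell. This is an added example, not from the original article; the OU path and the GPO name "Domain-Security-Baseline" are assumptions.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module, a hypothetical OU and a hypothetical domain-level GPO.
Import-Module GroupPolicy

$ou     = 'OU=Workstations,DC=example,DC=com'   # assumed OU
$domain = 'DC=example,DC=com'

function Show-GpoPrecedence {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target
    "Inheritance blocked on ${Target}: $($inh.GpoInheritanceBlocked)"
    # InheritedGpoLinks is the resultant list as shown on the Group Policy
    # Inheritance tab: precedence 1 wins on conflicts, i.e. it is the one
    # processed LAST. Processing order (local, site, domain, OU) is this
    # list read bottom-up, with the local GPO before all of them.
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        [pscustomobject]@{
            Precedence = $i
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

Show-GpoPrecedence -Target $ou | Format-Table -AutoSize

# Block inheritance on the OU: parent links stop applying, except enforced ones.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# Enforce the domain baseline so it survives the block and cannot be
# overridden below; Order 1 gives it the highest precedence among domain links.
Set-GPLink -Name 'Domain-Security-Baseline' -Target $domain -Enforced Yes -Order 1 | Out-Null

# Now only the enforced domain GPO and the OU's own links should remain,
# with the enforced one listed first.
Show-GpoPrecedence -Target $ou | Format-Table -AutoSize
```

Enforced links are worth auditing regularly: an enforced GPO higher in the tree overrides every lower setting that conflicts with it, which is exactly what you want for a security baseline and exactly what you do not want for an experiment someone forgot to remove.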

Checking Policy Application
GPMC includes two tools for troubleshooting. Group Policy Results returns live information about the policies applied to a selected computer and user, including errors; it reads the data from the target computer (and the DC), so the computer must be reachable and you need administrator rights on it. This is a very useful tool. The second, Group Policy Modeling, simulates policy application for a chosen computer and user (or container) on a domain controller and displays the predicted result without touching the target machine.
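The refresh described earlier (gpupdate /force) and Group Policy Results are both available from PowerShell, which is handy when checking many machines. The following is an added example, not from the original article; the computer name "PC-0042", the user "EXAMPLE\jnovak" and the report path are assumptions.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module and administrator rights on the (hypothetical) target computer.
Import-Module GroupPolicy

$computer = 'PC-0042'           # assumed
$user     = 'EXAMPLE\jnovak'    # assumed; must have logged on to $computer before
$report   = Join-Path $env:TEMP "rsop-$computer.html"

# Equivalent of running "gpupdate /force" on the target (both halves),
# without the random delay GPMC's remote update normally adds.
Invoke-GPUpdate -Computer $computer -Force -RandomDelayInMinutes 0

# Group Policy Results: live RSoP data from the target, the same as
# GPMC -> Group Policy Results. The report lists applied and denied GPOs,
# the reason for denial (security filtering, WMI filter, disabled link)
# and any processing errors.
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Html -Path $report
Invoke-Item $report

# Quick checks on the machine itself (locally or through Enter-PSSession):
#   gpresult /r /scope:computer        # applied/filtered GPOs, last refresh time
#   gpresult /h C:\Temp\gpresult.html  # full HTML report
```

Get-GPResultantSetOfPolicy needs the RSoP logging data that the target creates at refresh time, which is why the Invoke-GPUpdate comes first; if the user has never logged on to that computer, omit -User and check the computer half alone.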
Thanks!
Excellently explained
Even after so many years this article is useful. Thank you
Hello,
I am dealing with the following problem and would need advice on a specific issue.
I need to use domain GPO policies to apply a PowerShell script to specific workstations; the script modifies the behaviour of Metro apps under Windows 10 build 1511 - 10586. I would like this script to run right after startup, so it should be a Startup script. I can filter out the PCs with this build in AD.
But the following things are not clear to me:
1. Which AD container should I apply it to specifically? The whole Computers container? Unfortunately, I have not found anywhere how to apply it only to specific filtered PCs in the Computers container - I only came across some WMI filters, where it should supposedly be possible to set this somehow, but unfortunately I did not understand how exactly it works.
2. Some PCs have some older scripts deployed LOCALLY (NOT via GPO) that I would like to get rid of and set only this one there - can I bulk delete them somehow via GPO?
3. How should I set the access rights? By default, Security Filtering in the GPO is set to Authenticated Users - can I leave it there, or does it need to be changed somehow?
4. How exactly should I set up the GPO? In my opinion it should be GPO - Edit - Computer Configuration - Policies - Windows Settings - Scripts - Startup - PowerShell Scripts tab, and there via Add... enter the path to the file on a network drive. Is that enough, or do I also have to copy the script file into the SYSVOL folder (Show Files button), and do I have to confirm and save it somewhere?
5. On the workstations, is it enough to run gpupdate /force and after a restart the script should apply?
Thanks a lot for the answers
xDDDDD reading these comments lol