Group Policy

Probably every MS domain administrator uses Group Policy. I think it is an excellent feature, even though it dates back many years. Recently, with the advent of Windows Server 2008, MS extended Group Policy with additional options and features called Group Policy Preferences. A brief description of these new features is provided in this article. As a side note, since I know Group Policy, I use it locally on my home PC. It's easier than setting various properties through the registry, for example.

Group Policy is used to centrally manage computers by using Active Directory. Thus, they are mainly used for computers that are joined to a domain. However, we can also use local policies (Local Group Policy), which offer slightly more limited functionality, but also work on standalone computers. Now we have not only Group Policy, but also Group Policy Preferences, which have a slightly different behavior. Here we will look at how Group Policies are applied to objects (users and computers), how we can filter them, use Loopback processing or look for application errors.

Group Policy consists of two main parts, Computer Configuration and User Configuration. The two parts have different individual items (setting options) but share common categories. These are Software Settings, Windows Settings, and Administrative Templates. The first two are fixed, whereas Administrative Templates are loaded from configuration files (ADM and ADMX/ADML) and we can extend them ourselves. They contain registry-based policies. In this article, we will look at the Administrative Templates area and what changes have occurred with the advent of Windows Server 2008.

Security needs to be managed in any network. One of the main attacks is password cracking, so we need to have a defined policy on how strong passwords should be and what happens if the wrong passwords are entered. In the Microsoft environment we use Group Policy to do this, which allows us to define and enforce password parameters. We can define passwords for local accounts and in a domain environment also for domain accounts. In addition, Windows Server 2008 provides the ability to define multiple different policies for domain accounts.

The article discusses some options for how to centrally configure MS Office applications with a special focus on Outlook (primarily version 2010, but mostly not essential). We can start by modifying the installation (only a mention here), the main part will be done using Group Policy Administrative Templates for Office, some requirements will be solved by modifying registries and for a more complex practical example we will use PowerShell.

If you want to log operations (record events in a log) over Active Directory Domain Services (AD DS) - basically, creating, changing, or deleting user and computer accounts and groups - you use the AD DS auditing feature. This auditing was already possible before in a similar way, but Windows Server 2008 brings extensions and refinements. We can now audit only a specific subcategory (an improved setting offered by Windows Server 2008 R2), the original and new values are logged for changes (not just who changed what attribute), and the event IDs have changed.

When we run a certification authority from MS, which is suitable for almost every company, it is good to set up some logging of operations. In the meantime, we can only track information, such as certificate issuance failures, in the CA console. This article is for overview only, the same information can be found directly from MS.

There are a number of security events that can occur on computers, servers, and especially domain controllers that we should monitor and control. In Windows, we use event logs (Event Log) where many situations are recorded. For various events, we can set whether and when we want to save them in the log. We solve this by setting up auditing (Security Auditing). But that alone is not enough. Furthermore, it is necessary to somehow automatically process the audit log of events and select information that is important to us, and display or send it somewhere.

I needed to find out how to set the options in a corporate environment to open a certain page (address) after starting a regular web browser. I practically tested the latest versions of Microsoft Edge (Chromium), Google Chrome and Mozilla Firefox web browsers. I looked at local configuration options and then at central configuration using Group Policy. Everything is only briefly described.