group policy/active directory
Can anyone tell me what is group policy in relation to active directory (in non tech management speak), what does it do and why is it so effective, and can you use "group policy" with a different directory service product aside from MS ad?
June 6th, 2011 5:57am
Group Policies are related to Directory Services and are designed only for them. Sometimes you can find additional Administrative Templates (ADM or ADMX files) on the Internet to manage 3rd-party tools.
The most important part of them is to ease the domain administrator's work. When you have no GPOs (Group Policy Objects) you have to set up security or adjust program configuration manually on each workstation/server within your network. Even then, you cannot be sure that another user with administrative privileges doesn't modify them (according to his needs/wishes).
GPOs are stored centrally and can be linked to users or computers from one management console (the most convenient is the Group Policy Management Console (GPMC)). Then they are applied to all specified user/computer accounts, and if someone (with administrative privileges) modifies them locally, the policy will be re-applied after 90 minutes (default value; can be modified).
So you have an easier life, consistent configuration on your workstations, and you can be sure that you control your infrastructure (devices with MS OSes).
They are effective because you don't have to configure each PC/server manually, i.e. you can set up a policy to install software over GPO, disallow some modifications, and so on.
If you need more specific information, just let me know. I will try to explain it for you. Regards, Krzysztof
June 6th, 2011 6:13am
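The post above describes the mechanics (GPOs stored centrally, linked to containers, re-applied on a 90-minute default cycle). An added example, not part of the original thread, that turns those points into the inventory a practitioner would actually pull from the domain: every GPO, where it is linked and with what link state, who holds edit rights on it, and whether the refresh interval on the local machine has been overridden. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the caller can read the GPOs; domain and OU names are whatever your forest returns.

```powershell
# Added example, not from the original thread: inventory every GPO in the domain,
# where it is linked (and whether the link is enabled/enforced), and which accounts
# can edit it. Needs the RSAT GroupPolicy and ActiveDirectory modules and read
# rights on the GPOs; domain names and OU paths are whatever your forest returns.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Every scope of management a GPO can be linked to: the domain root plus all OUs.
# (Site links are not covered here; run Get-GPInheritance -Target against the site DN if you need them.)
$soms = @($domain.DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$links = @{}   # GPO display name -> list of "container (state)" strings
foreach ($som in $soms) {
    $inh = Get-GPInheritance -Target $som
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $som - parent policies do not reach it unless enforced"
    }
    foreach ($l in $inh.GpoLinks) {
        $state = if ($l.Enabled) { 'enabled' } else { 'LINK DISABLED' }
        if ($l.Enforced) { $state += ', enforced' }
        if (-not $links.ContainsKey($l.DisplayName)) {
            $links[$l.DisplayName] = New-Object System.Collections.Generic.List[string]
        }
        $links[$l.DisplayName].Add("$som ($state)")
    }
}

$report = foreach ($gpo in Get-GPO -All | Sort-Object DisplayName) {
    $where = if ($links.ContainsKey($gpo.DisplayName)) { $links[$gpo.DisplayName] -join '; ' }
             else { '<not linked anywhere>' }
    # Trustees holding edit rights. By default that is Domain Admins, Enterprise Admins
    # and SYSTEM; anything else listed here is a delegation worth confirming.
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission.ToString() -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name }
    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        Status   = $gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ComputerSettingsDisabled, AllSettingsDisabled
        Modified = $gpo.ModificationTime
        LinkedTo = $where
        CanEdit  = ($editors | Sort-Object -Unique) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# The 90-minute refresh (plus a random offset of up to 30 minutes) is the built-in
# default; a value only appears in the registry when a GPO overrides it via
# "Set Group Policy refresh interval for computers".
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$custom = Get-ItemProperty -Path $key -Name GroupPolicyRefreshTime -ErrorAction SilentlyContinue
if ($custom) { "Refresh interval overridden on this machine: $($custom.GroupPolicyRefreshTime) minutes" }
else         { 'Refresh interval on this machine: built-in default (90 minutes + up to 30 minutes offset)' }
```

GPOs that are linked nowhere, links that are disabled, containers with inheritance blocked, and edit rights held by accounts outside the admin groups are the first things to read off this report; each of them is a reason a setting you believe is in force may not be.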
Also, see these links:
http://technet.microsoft.com/en-us/library/cc725828(WS.10).aspx
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
Group Policy Preferences:
http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
Richard Mueller - MVP Directory Services
June 6th, 2011 6:20am
Hello,
Have a look at this Microsoft article: http://technet.microsoft.com/en-us/library/cc725828(WS.10).aspx
Note that there is a Group Policy forum, so if you need more information, post there: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads
AFAIK, Group Policy administrative templates cannot be used for environments other than AD.
For GPP, have a look at that: http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
June 6th, 2011 6:23am
Thanks again. What would typically be included in a group policy audit?
And what risks would you consider within group policy? Would this be stuff like policies you thought were being applied to machines actually aren't being applied, for whatever reason (what could cause this)?
And aside from domain password policy, what other key security issues would be covered by group policy, or aside from security, what other key risk areas are managed via group policy?
Your help, as ever, greatly appreciated...
June 6th, 2011 8:10am
Group Policy audit (if enabled and configured).
You can check who, when and from where changed a user password, modified an AD object, and so on. Also there you will find failed logons, and you will be able to evaluate whether someone is trying to break into your network (using some user account on a particular computer).
Additionally, you can enable auditing of folders/files and then you know who deleted/changed an object, etc. (there are a lot of entries in the log if all actions are enabled, but you can specify the ones most interesting for you, like "delete"). Then you have to mark each folder/file to be audited.
Using GPOs within AD, aside from password policy, you can distribute certificates from your CA without manual intervention on each PC, prevent users' access to some OS settings (i.e. desktop/explorer/start menu, etc.) or modify Internet Explorer settings, and much more.
Using ADM templates you can define your own policies (but only for those apps which are adjusted using the registry branches HKLM and HKCU). Then it's even possible to manage Firefox from GPO! :)
It's hard to cover each GPO policy, because there are over 2000 policies (in 2008/7 I think there are more) :] In 2008 you can create many password policies within one domain! (Fine-grained password policies, also called PSOs).
Risk within Group Policy -> what do you mean?
Policies are created by Enterprise/Domain Admins or users who have been delegated appropriate rights for that. No one else can do that, so you can be sure that policies linked to users/computers cannot be overwritten by someone without sufficient privileges. And it's much easier to manage a domain environment using GPOs. Even if some users modify their local policies, the GPO will be re-applied after 90 minutes (by default, as I wrote above).
Can you specify your GPO requirements and we will try to help you with that, please?
Regards, Krzysztof
June 6th, 2011 8:33am
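The post above points at the Security log for failed logons and for judging whether "someone is trying to break into your network using some user account on a particular computer". An added example, not part of the original thread, that does that evaluation against a domain controller's Security log: it collects event 4625 (an account failed to log on), reads the account, source workstation and failure sub-status out of the event XML, then groups the failures by account and by source machine so a single account being hammered, or a single host trying many accounts, stands out. It assumes logon failure auditing is enabled on the DC by policy, that the caller can read the Security log remotely, and that the threshold value is a starting point you tune for your environment.

```powershell
# Added example, not from the original thread: summarise failed logons from the
# Security log of a domain controller so repeated failures against one account,
# or from one workstation, stand out. Assumes Audit Logon (failure) is enabled on
# the DC via GPO and that the caller may read the Security log remotely.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller name
    [int]$Hours = 24,
    [int]$Threshold = 5                          # flag at or above this many failures
)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read the named EventData fields from the event XML rather than parsing the message
# text, which is localised and changes between Windows versions.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
        LogonType   = $d.LogonType   # 2 interactive, 3 network, 10 remote interactive
        SubStatus   = $d.SubStatus   # 0xC000006A bad password, 0xC0000064 unknown account, 0xC0000234 locked out
    }
}

"--- Accounts with at least $Threshold failed logons in the last $Hours h ---"
$rows | Group-Object Account | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources';  e = { ($_.Group.Workstation | Sort-Object -Unique) -join ', ' } },
        @{ n = 'Reasons';  e = { ($_.Group.SubStatus   | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap

"--- Workstations failing against many distinct accounts (password-spraying pattern) ---"
$rows | Group-Object Workstation |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -ge $Threshold } |
    Select-Object Name, Count,
        @{ n = 'DistinctAccounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Two caveats when reading the output: many failures with sub-status 0xC0000064 (unknown account) from one host usually mean user-name guessing rather than a mistyped password, and on a domain controller Kerberos pre-authentication failures are logged as event 4771 rather than 4625, so a complete picture of bad-password attempts against domain accounts needs both IDs.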
I think we have got our wires crossed a bit. I am not after an audit policy for being able to trace actions to an individual. I was just after things that can go wrong (misconfigurations that pose a risk within group policy).
In the UK/US we use the term "IT audit" for something that will look at the configuration of a specific technology to ensure it's set up to best practice to mitigate all risks associated with that technology. One example, I guess, would be whether each GPO you expected to be applied to all workstations actually was being applied to all workstations, or due to a misconfiguration was only being applied to 90% of the workstations...
Another example could be a security audit of a payroll application; in an "IT audit" this would be looking for weak passwords, ACLs, server configuration, input sanitization etc., as opposed to just looking at audit logs and settings for each time user X logged into the application, or each time they updated a record in the database...
June 6th, 2011 8:37am
OK :)
No, GPOs are not for audit purposes in this sense. You cannot check which workstations have applied a GPO and which have not. You need to run RSoP.msc or gpresult on each PC to see if the policies which interest you are applied. There are also no policies to check for "weak passwords" in apps.
You can use MBSA (Microsoft Baseline Security Analyzer) for checking the security of MS OSes (http://technet.microsoft.com/en-us/security/cc184924):
- Windows Updates status
- local accounts without a password
- local administrator account, and so on.
You can check it, it's free.
ACLs also cannot be checked easily via GPO. You need 3rd-party software for that, like Security Explorer from Script Logic (trial version for tests available)
http://www.scriptlogic.com/products/security-explorer/
or use the free DumpSec
http://www.systemtools.com/somarsoft/?somarsoft.com
For those requirements you need to use some 3rd-party tools. GPOs cannot help :)
Regarding Group Policy best practices, you can read a little bit more at
http://blogs.technet.com/b/grouppolicy/archive/2010/01/25/gp-editorial-group-policy-best-practices.aspx
http://technet.microsoft.com/en-us/library/cc779168(WS.10).aspx
and a non-Microsoft web page (about designing GPOs)
http://www.windowsnetworking.com/articles_tutorials/best-practices-designing-group-policy.html
Regards, Krzysztof
June 6th, 2011 9:05am
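The post above is right that the question "did this GPO reach every workstation?" is answered by RSoP on the client, not by anything in the GPO itself; what it leaves out is that RSoP can be collected centrally instead of by walking to each PC. An added example, not part of the original thread, that does exactly the check the question asked for: it pulls the computer-side Resultant Set of Policy from every enabled computer in an OU, parses the XML report, and states for each machine whether the named GPO was applied, was in scope but denied (security filtering, WMI filter and so on), never reached the machine at all, or could not be collected because the machine was unreachable. It assumes the RSAT GroupPolicy and ActiveDirectory modules, local admin rights on the targets, and that RSoP over WMI/RPC is allowed through to them; the GPO name and OU are placeholders.

```powershell
# Added example, not from the original thread: report which computers in an OU
# actually applied a given GPO by collecting Resultant Set of Policy from each one.
# Assumes RSAT GroupPolicy/ActiveDirectory modules, local admin on the targets and
# that they are reachable over WMI/RPC. GPO name and OU below are placeholders.
param(
    [string]$GpoName    = 'Workstation Security Baseline',        # hypothetical GPO display name
    [string]$SearchBase = 'OU=Workstations,DC=corp,DC=example'    # hypothetical OU
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase
$outDir = Join-Path $env:TEMP 'rsop-check'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($c in $computers) {
    $xmlPath = Join-Path $outDir "$($c.Name).xml"
    try {
        # Same data as 'gpresult /s <pc> /scope computer /x <file>', as XML we can parse.
        Get-GPResultantSetOfPolicy -Computer $c.Name -ReportType Xml -Path $xmlPath -ErrorAction Stop | Out-Null
        $rsop = [xml](Get-Content -Path $xmlPath -Raw)
        # Rsop/ComputerResults/GPO lists every GPO the machine evaluated. One that was
        # filtered out carries FilteringStatus 'Denied' plus a FilteringReason
        # (security filtering, WMI filter, disabled link, empty settings ...).
        $gpos  = @($rsop.Rsop.ComputerResults.GPO)
        # Item('Name') reads the <Name> child explicitly; $_.Name would clash with the
        # XmlElement's own Name property (which is just the tag "GPO").
        $match = $gpos | Where-Object { $_.Item('Name').InnerText -eq $GpoName } | Select-Object -First 1
        $status = if (-not $match) { 'NOT_IN_SCOPE (no link reaches this computer)' }
                  elseif ($match.FilteringStatus -eq 'Denied') { "DENIED ($($match.FilteringReason))" }
                  else { 'APPLIED' }
        [pscustomobject]@{ Computer = $c.Name; Status = $status; GposEvaluated = $gpos.Count }
    } catch {
        # Offline machines and RPC failures are findings too: they are also not getting the policy.
        [pscustomobject]@{ Computer = $c.Name; Status = "UNREACHABLE ($($_.Exception.Message))"; GposEvaluated = 0 }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
''
'Summary by outcome:'
$results | Group-Object { ($_.Status -split ' ')[0] } | Select-Object Count, Name | Format-Table -AutoSize
```

Read "NOT_IN_SCOPE" as a linking or OU-placement problem (the computer object sits somewhere the GPO is not linked, or inheritance is blocked above it), and "DENIED" as a filtering problem on the GPO itself; the percentage of machines in each bucket is the figure the "IT audit" in the question was asking for.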
I think we are still confusing each other a little.
I wasn't after advice on how to use GPOs to audit the security of our Active Directory, servers, desktops and domains. What I was after was some things (risks) to look at, from a risk perspective, in the group policy settings themselves.
It is such a big technology (group policy) there must be control issues / risks with GPO?
Specifically, what I am trying to accomplish is: are there any risks / misconfigurations with our current use of group policy, if so, how can we check, and what risk do such misconfigurations pose...
June 6th, 2011 9:12am
Hi,
Please explain more about the "risk" you are talking about. Besides the above examples you have given, could you please list more incidents you can think of?
As to the Group Policy Best Practices you mentioned, you may want to have a look at the link below:
GP Editorial: Group Policy Best Practices
http://blogs.technet.com/b/grouppolicy/archive/2010/01/25/gp-editorial-group-policy-best-practices.aspx
Regards,
Cecilia Zhou
--------------------------------------------------------------------------------
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not
actually answer your question. This can be beneficial to other community members reading the thread.
June 7th, 2011 5:49am
That was kind of the point of the thread, to brainstorm common risks and mitigating controls within group policy...
I just noticed there is a Group Policy Best Practices Analyzer!! So there must be issues that it flags up...
June 7th, 2011 5:54am
Hi,
As far as I know, there is no article describing how to evaluate the risk of applying Group Policy Objects. If a GPO is not configured well, we will find it out from the behavior on the client side of the GPO. The link below may be a little helpful to your concern:
Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
If there are errors when applying some GPOs, we can refer to the methods in the article above to troubleshoot the issue. Besides, I would like to share the links below with you as well:
Group Policy Management
http://technet.microsoft.com/en-us/library/cc758290(WS.10).aspx
Group Policy (pre-GPMC)
http://technet.microsoft.com/en-us/library/cc778065(WS.10).aspx
SolutionBase: Check Group Policy assignment with RSoP
http://www.techrepublic.com/article/solutionbase-check-group-policy-assignment-with-rsop/5165777
Regards,
Cecilia Zhou
June 10th, 2011 5:33am