group policy/active directory
Can anyone tell me what is group policy in relation to active directory (in non tech management speak), what does it do and why is it so effective, and can you use "group policy" with a different directory service product aside from MS ad?
June 6th, 2011 5:57am

Group Policies are related to the Directory Service and are designed only for it. Sometimes you can find on the Internet additional Administrative Templates (ADM or ADMX files) to manage 3rd party tools. The most important part of them is to ease the domain administrator's work. When you have no GPOs (Group Policies) you have to set up some security or adjust program configuration manually on each workstation/server within your network. Even then, you cannot be sure that another user with administrative privileges doesn't modify them (according to his needs/wishes).

GPOs are stored centrally and can be linked to users or computers from one management console (the most convenient is the Group Policy Management Console (GPMC)). Then they are applied to all specified user/computer accounts, and if someone (with administrative privileges) modifies them locally, the policy will be re-applied after 90 minutes (default value; can be modified). So, you have an easier life, consistent configuration on your workstations and you can be sure that you control your infrastructure (devices with MS OSes). They are effective because you don't have to configure each PC/Server manually, i.e. you can set up a policy to install software over GPO, disallow some modifications, and so on. If you need more specific information, just let me know. I will try to explain it for you. Regards, Krzysztof
June 6th, 2011 6:13am

Also, see these links:
http://technet.microsoft.com/en-us/library/cc725828(WS.10).aspx
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
Group Policy Preferences: http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
Richard Mueller - MVP Directory Services
June 6th, 2011 6:20am

Hello, have a look at this Microsoft article: http://technet.microsoft.com/en-us/library/cc725828(WS.10).aspx
Note that there is a group policy forum, so if you need more information, post there: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads
AFAIK, group policy administrative templates cannot be used for environments other than AD. For GPP, have a look at that: http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Windows Server 2008 Network Infrastructure, Configuration; Windows Server 2008 Applications Infrastructure, Configuration; Windows 7, Configuring; Microsoft Certified IT Professional: Enterprise Administrator
June 6th, 2011 6:23am

Thanks again. What would typically be included in a group policy audit? And what risks would you consider within group policy? Would this be stuff like policies you thought were being applied to machines actually not being applied for whatever reason (what could cause this)? And aside from domain password policy, what other key security issues would be covered by group policy, or aside from security, what other key risk areas are managed via group policy? Your help, as ever, greatly appreciated...
June 6th, 2011 8:10am

Group Policy audit (if enabled and configured): you can check who, when and from where changed a user password, modified an AD object, and so on. Also there you will find failed logons and you will be able to evaluate if someone is trying to break into your network (using some user account on a particular computer). Additionally, you can enable auditing of Folders/Files and then you know who deleted/changed an object, etc. (it's a lot of entries in the log if all actions are enabled, but you can specify the most interesting for you, like "delete"). Then you have to mark each folder/file to be audited.

Using GPOs within AD, aside from Password policy, you can distribute certificates from your CA without manual intervention on each PC, prevent users' access to some OS settings (i.e. desktop/explorer/start menu, etc.) or modify Internet Explorer settings and much more. Using ADM templates you can define your own policies (but only for those apps which are adjusted using the registry branches HKLM and HKCU). Then it's even possible to manage Firefox from GPO! :) It's hard to cover each GPO policy, because there are over 2000 policies? (in 2008/7 I think there are more) :] In 2008 you can create many password policies within one domain! (Fine-grained password policies, by another name PSOs).

Risk within Group Policy -> what do you mean? Policies are created by Enterprise/Domain Admins or users who have been delegated appropriate rights for that. No one else can do that, so you can be sure that policies linked to users/computers cannot be overwritten by someone without sufficient privileges. And it's much easier to manage a domain environment using GPOs. Even if some users would modify their local policies, the GPO will be re-applied after 90 minutes (by default, as I wrote above). Can you specify your GPO requirements and we will try to help you with that, please? Regards, Krzysztof
June 6th, 2011 8:33am

I think we have a bit of crossed wires. I am not after an audit policy for being able to trace actions to an individual.
I was just after things that can go wrong (misconfigurations that pose a risk within group policy). In the UK/US we use the term "IT audit" for something that will look at the configuration of a specific technology to ensure it's set up to best practice to mitigate all risks associated with that technology. One example I guess could be whether each GPO you expected to be applied to all workstations actually was being applied to all workstations, or due to a misconfiguration was only being applied to 90% of the workstations... Another example could be a security audit of a payroll application; this in an "IT audit" would be looking for weak passwords, ACLs, server configuration, input sanitization etc., as opposed to just looking at audit logs and settings for each time user X logged into the application, or each time they updated a record in the database...
June 6th, 2011 8:37am

OK :) No, GPOs are not for audit purposes in this meaning. You cannot check which workstations have applied a GPO and which have not. You need to run RSoP.msc or gpresult on each PC to see if the policies which interest you are applied. There are also no policies to check for "weak passwords" in apps. You can use MBSA (Microsoft Baseline Security Analyzer) for checking the security of an MS OS (http://technet.microsoft.com/en-us/security/cc184924) - Windows Updates status, local accounts without a password, the local administrator account, and so on. You can check it, it's free.

ACLs also cannot be checked easily via GPO. You need for that 3rd party software like Security Explorer from Script Logic (trial version for tests available) http://www.scriptlogic.com/products/security-explorer/ or use the free DumpSec http://www.systemtools.com/somarsoft/?somarsoft.com. For those requirements you need to use some 3rd party tools. GPOs cannot help :)

Regarding Group Policy Best Practices, you can read a little bit more at http://blogs.technet.com/b/grouppolicy/archive/2010/01/25/gp-editorial-group-policy-best-practices.aspx and http://technet.microsoft.com/en-us/library/cc779168(WS.10).aspx, and a non-Microsoft web page (about designing GPOs) http://www.windowsnetworking.com/articles_tutorials/best-practices-designing-group-policy.html
Regards, Krzysztof
June 6th, 2011 9:05am
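The reply above says you have to run gpresult or RSoP on each PC to learn whether a GPO was really applied. The following PowerShell script is an added example (not from the thread or from Microsoft) that automates exactly that check across the domain's workstations: it pulls the computer-scope RSoP report for each machine with the GroupPolicy module, parses the XML that gpresult /x also produces, and reports which machines applied, filtered out, or never received a named GPO. It assumes RSAT (GroupPolicy and ActiveDirectory modules) on the admin workstation, remote RSoP rights and RPC/WMI reachability to the targets, and that the report XML lists GPOs under ComputerResults/GPO with Name and FilteringStatus child elements (an assumption about the RSoP schema); the GPO name is a placeholder.

```powershell
# Added example: find workstations where an expected GPO is NOT actually in effect.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ExpectedGpo = 'Workstation Security Baseline'   # hypothetical GPO name; use your own
$ReportDir   = Join-Path $env:TEMP 'rsop-audit'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Enabled, non-server computer accounts; servers and DCs are audited separately.
$Workstations = Get-ADComputer -Filter "OperatingSystem -notlike '*Server*' -and Enabled -eq 'True'" `
                               -Properties OperatingSystem

$Results = foreach ($pc in $Workstations) {
    $xmlPath = Join-Path $ReportDir ("{0}.xml" -f $pc.Name)
    try {
        # Computer-scope RSoP for the remote machine, saved as XML (same data as gpresult /x).
        Get-GPResultantSetOfPolicy -Computer $pc.DNSHostName -ReportType Xml -Path $xmlPath -ErrorAction Stop | Out-Null
        [xml]$rsop = Get-Content -Path $xmlPath -Raw

        # Assumed schema: every GPO that was considered for the computer appears under
        # ComputerResults/GPO; one that security or WMI filtering blocked is still listed,
        # but with a FilteringStatus other than "None". local-name() ignores the namespace.
        $gpos  = $rsop.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']")
        $match = $gpos | Where-Object {
            $_.SelectSingleNode("*[local-name()='Name']").InnerText -eq $ExpectedGpo
        } | Select-Object -First 1

        if (-not $match) {
            $status = 'NotLinked'        # GPO never reached this computer's scope (OU/site/domain link missing)
        } else {
            $filter = $match.SelectSingleNode("*[local-name()='FilteringStatus']").InnerText
            $status = if ($filter -and $filter -ne 'None') { "Filtered:$filter" } else { 'Applied' }
        }
    } catch {
        # Offline, firewalled, or no remote RSoP rights: unmeasured machines are a finding too.
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $pc.Name; Status = $status }
}

$Results | Sort-Object Status | Format-Table -AutoSize
# The number the auditor asked for: how much of the estate really has the policy.
$applied = @($Results | Where-Object Status -eq 'Applied').Count
"{0} of {1} workstations report '{2}' as applied" -f $applied, @($Results).Count, $ExpectedGpo
```

Anything other than Applied is what the questioner called a "misconfiguration risk": a missing link, a security-group or WMI filter that excludes the machine, or a host you cannot even measure.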

I think we are still confusing each other a little. I wasn't after some advice on how to use GPOs to audit the security of our active directory, servers, desktops and domains. What I was after was some things (risks) to look at, from a risk perspective, in the group policy settings themselves. It is such a big technology (group policy) there must be control issues / risks with GPO? Specifically, what I am trying to accomplish is: are there any risks / misconfigurations with our current use of group policy, if so, how can we check, and what risk do such misconfigurations pose...
June 6th, 2011 9:12am

Hi, please explain more about the "risk" you are talking about. Besides the above examples you have given, could you please list more incidents you can think of? As to the Group Policy Best Practices you mentioned, you may want to have a look at the link below:
GP Editorial: Group Policy Best Practices http://blogs.technet.com/b/grouppolicy/archive/2010/01/25/gp-editorial-group-policy-best-practices.aspx
Regards, Cecilia Zhou
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 7th, 2011 5:49am

That was kind of the point of the thread, to brainstorm common risks and mitigating controls within group policy... I just noticed there is a group policy best practices analyzer!! So there must be issues that it flags up...
June 7th, 2011 5:54am

Hi, as far as I know, there is no such article describing how to evaluate the risk of applying Group Policy Objects. If a GPO is not configured well, we will find it out from the behavior on the client side of the GPO. The link below may be a little helpful to your concern:
Troubleshooting Group Policy Problems http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
If there are errors when applying some GPOs, we can refer to the methods in the article above to troubleshoot the issue. Besides, I would like to share the links below with you as well:
Group Policy Management http://technet.microsoft.com/en-us/library/cc758290(WS.10).aspx
Group Policy (pre-GPMC) http://technet.microsoft.com/en-us/library/cc778065(WS.10).aspx
SolutionBase: Check Group Policy assignment with RSoP http://www.techrepublic.com/article/solutionbase-check-group-policy-assignment-with-rsop/5165777
Regards, Cecilia Zhou
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 10th, 2011 5:33am
