Group Policy

Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection and offline files.

Group Policy Objects don't necessarily need Active Directory; Novell has supported roaming profiles since Windows 2000 with their ZENworks Desktop Management software package, and starting with Windows XP also supports group policy objects.

Contents

Overview

Windows Management Instrumentation (WMI) filtering is the process of customizing the scope of the GPO by choosing a WMI filter to apply.

GPO application

The Group Policy client operates on a "pull" model - every so often (a randomized delay of between 60 and 120 minutes, although this offset is configurable via Group Policy) it will collect the list of GPOs appropriate to the machine and logged on user (if any). The Group Policy client will then apply those GPOs which will thereafter affect the behavior of policy-enabled operating system components.

Local Group Policy

Local Group Policy (LGP) is a more basic version of the Group Policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure the Group Policy for a single local computer, but unlike Active Directory Group Policy, can not make policies for individual users or groups. It also has many fewer options overall than Active Directory Group Policy. The specific-user limitation can be overcome by using the Registry Editor to make changes under the HKCU or HKU keys. LGP simply makes registry changes under the HKLM key, thus affecting all users. The same changes can be made under HKCU or HKU to only affect certain users. Microsoft has more information on using the Registry Editor to configure Group Policy available on TechNet.[1] LGP can be used on a computer on a domain, and it can be used on Windows XP Home Edition.

Windows Vista supports Multiple Local Group Policy objects (MLGPO), which allows setting local Group Policy for individual users.[2] ..

Group Policy Preferences

They are a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[3]

Group Policy Preferences adds a number of new configuration items. These items also have number of additional targeting options that can be used to granularly control the application of these setting items.

Group Policy Preferences are compatible with x86 and x64 versions of Windows Windows XP, Windows Server 2003 and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[4] [5] [6] [7] [8] [9]

Client Side Extensions are now included in Windows Server 2008, Windows 7 and Windows Server 2008 R2.

Group Policy Management Console

Originally Group Polices were modified using the Group Policy Edit tool that was integrated with Active Directory Users and Computers Microsoft Management Console (MMC) snap-in but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[10][11] [12] [13]

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function, without disabling lower-level means of accessing it.[14]

Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings thus enforcing potentially lower security defaults or even returning arbitrary values.[15]

See also

References

  1. Group Policy Settings Reference
  2. Step-by-Step Guide to Managing Multiple Local Group Policy Objects
  3. Group Policy Preference Migration Tool (GPPMIG)
  4. Group Policy Preference Client Side Extensions for Windows XP (KB943729)
  5. Group Policy Preference Client Side Extensions for Windows XP x64 Edition (KB943729)
  6. Group Policy Preference Client Side Extensions for Windows Vista (KB943729)
  7. Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)
  8. Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)
  9. Group Policy Preference Client Side Extensions for Windows Server 2003 x64 Edition (KB943729)
  10. Microsoft Group Policy Team (2009-12-23). "How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)". http://blogs.technet.com/grouppolicy/archive/2009/12/23/how-to-install-rsat.aspx. 
  11. Microsoft Remote Server Administration Tools for Windows Vista
  12. Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems
  13. Remote Server Administration Tools for Windows 7
  14. Raymond Chen, "Shell policy is not the same as security"
  15. Mark Russinovich, "Circumventing Group Policy as a Limited User"

External links

Microsoft Windows components
Core
Active Scripting (WSH · VBScript · JScript) · Aero · AutoPlay · AutoRun · ClearType · COM (ActiveX · ActiveX Document · COM Structured storage · DCOM · OLE · OLE Automation · Transaction Server) · Desktop Window Manager · DirectX · Explorer · Graphics Device Interface · Imaging Format · .NET Framework · Search (IFilter · Saved search) · Server Message Block · Shell (Extensions · File associations · Namespace · Special Folders) · Start menu · Previous Versions · Taskbar · Windows USER · Win32 console · XML Paper Specification
Management
tools
Backup and Restore Center · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Driver Verifier · Event Viewer · IEAK · IExpress · MSDT · Management Console · Netsh · Problem Reports and Solutions · Resource Monitor · ‎Sysprep · System Policy Editor · System Configuration · Task Manager · System File Checker · System Restore · WMI · Windows Installer · Windows PowerShell · Windows Update · WAIK · WinSAT · Windows Easy Transfer
Applications
Calculator · Calendar · Character Map · Contacts · DVD Maker · Fax and Scan · File Manager · Internet Explorer · Journal · Mail · Magnifier · Media Center · Media Player · Meeting Space · Mobile Device Center · Mobility Center · Movie Maker · Narrator · Notepad · Paint · Photo Gallery · Private Character Editor · Remote Assistance · Windows Desktop Gadgets · Snipping Tool · Sound Recorder · Speech Recognition · Tablet PC Input Panel · WordPad
Games
Chess Titans · FreeCell · Hearts · Hold 'Em · InkBall · Mahjong Titans · Minesweeper · Pinball · Purble Place · Solitaire · Spider Solitaire · Tinker
Kernel
Ntoskrnl.exe · hal.dll · System Idle Process · svchost.exe · Registry · Windows service · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection
Services
BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Error Reporting · Multimedia Class Scheduler · CLFS
File systems
NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · WinFS · FAT (FAT12 · FAT16 · FAT32· exFAT · CDFS · UDF · DFS · IFS
Server
Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Windows SharePoint Services · Network Access Protection · PWS · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · System Resource Manager · Hyper-V
Architecture
NT series architecture · Object Manager · Startup process (Vista/7) · I/O request packet · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows File Protection / Windows Resource Protection · Windows library files · LSASS · CSRSS · SMSS · MinWin
Security
User Account Control · BitLocker · Defender · Data Execution Prevention · Security Essentials · Protected Media Path · Mandatory Integrity Control · User Interface Privilege Isolation · Windows Firewall · Security Center
Compatibility
Unix subsystem (Microsoft POSIX  · Interix) · Virtual DOS machine · command.com · Windows on Windows · WoW64 · Windows XP Mode