5 Things You Didn't Know about Group Policy and Active Directory
Know the limitations of Group Policy when creating group policy objects.
As Windows domain administrators, we all depend on Group Policy to deliver configuration settings such as:
- Security settings such as password and lockout policies
- The correct display settings for the designated machine
- The method in which Windows Updates will be delivered
- Power management settings for portable devices
We can also use Group Policy to prevent access to certain parts of the operating system for normal users, such as hiding various applets in the Control Panel or preventing access to the command prompt or registry editor. Group Policy is a powerful tool that gives the network admin a great deal of leverage to manage both users and devices within the network and ensure that application settings remain in compliance. GP is actually made up of two subgroups: the original Group Policy and Group Policy Preferences. Policies made from either of these subgroups are applied to systems when they boot up (computer-side policies) and when users log on (user-side policies). In order to deliver settings to the desired target, you need to create a Group Policy Object, or GPO, and assign it to an area within Active Directory where the targeted users or computers reside. (For more on Active Directory, see The Top Five Active Directory Management Pain Points.)
Although you probably use Group Policy in some way almost every day in a large enterprise environment, you may be surprised to learn a few things about this powerful tool.
1. One-Time Delivery of Template Settings
Group Policy Administrative Templates settings are delivered one time and one time only. In other words, once a setting based on the GP Administrative Templates has been delivered and applied, it is never delivered again. Let’s say that you made a computer policy that turned off System Restore. That setting would then be delivered to the registry and prevent users from utilizing this feature. No matter how many times that computer boots up, it will never download that setting again. Now let’s pretend that a user with local admin rights accesses the registry and reverses the setting. Guess what? The policy will never be redelivered despite the machine's non-compliance. So while Group Policy does a good job of enforcing settings for most users, GP cannot prevent local admins or registry-savvy users from circumventing them. On top of that, there is no remediation.
2. Settings in Four Registry Areas
According to Microsoft, true policies that lock down settings are targeted in four primary areas within the registry:
- HKLM\Software\Policies (computer settings, the preferred location)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings, an alternative location)
- HKCU\Software\Policies (user settings, the preferred location)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings, an alternative location)
When a GPO falls out of scope, settings that were delivered within these four registry areas are automatically reverted back to their default values. An example of falling out of scope is when a user gets promoted to a new position and is now hosted in an area of Active Directory which the GPO no longer targets. Another instance could be that an administrator simply deletes the GPO.
But what about settings that fall outside of these designated registry areas? In that case, settings can be tattooed within the registry. In other words, settings are not reverted back to their default state. The only way to undo settings that have fallen out of scope in these instances is to modify the GPO and disable the setting. When the policy is refreshed, the setting will no longer be tattooed.
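Because a reversed setting is not redelivered (item 1) and a setting outside the four policy areas is tattooed (item 2), it helps to audit both conditions on the endpoint. The PowerShell below is an added example, not code from the original article: it compares a constructed baseline against the live registry and flags whether each value sits inside one of the four areas listed above. The function names and the `ExampleVendor` entry are hypothetical; `DisableSR` is the value behind the "Turn off System Restore" policy.

```powershell
# The four policy areas listed above, written as PowerShell registry drive paths.
$PolicyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Constructed baseline (assumption): replace with the values your own GPOs deliver.
# The second entry is a hypothetical setting that lives outside the policy areas.
$Baseline = @(
    [pscustomobject]@{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR'; Expected = 1 },
    [pscustomobject]@{ Path = 'HKCU:\Software\ExampleVendor\ExampleApp'; Name = 'AutoUpdate'; Expected = 0 }
)

function Test-InPolicyArea {
    # True when the key is one of the four policy roots or a subkey of one.
    param([string]$Path)
    foreach ($root in $PolicyRoots) {
        if ($Path -eq $root -or
            $Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-PolicyDrift {
    # Emits one result object per baseline entry; read-only, changes nothing.
    param([object[]]$Settings)
    foreach ($s in $Settings) {
        # A missing key or value yields $null rather than a terminating error.
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }
        if ($null -eq $item) { $state = 'Missing' }
        elseif ($actual -eq $s.Expected) { $state = 'Compliant' }
        else { $state = 'Drifted' }
        [pscustomobject]@{
            Path         = $s.Path
            Name         = $s.Name
            Expected     = $s.Expected
            Actual       = $actual
            State        = $state
            InPolicyArea = Test-InPolicyArea -Path $s.Path   # False = will tattoo
        }
    }
}

Get-PolicyDrift -Settings $Baseline | Format-Table -AutoSize
```

Rows with `State` of `Drifted` or `Missing` are the cases the article says are never remediated; rows with `InPolicyArea` set to `False` are the ones that will remain after the GPO falls out of scope.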
3. Group Policy Preferences
Group Policy Preferences give us the ability to deliver settings just as traditional Group Policy does. GPP has several differences though, and as its name implies, GPP delivers just that: preferences. Unlike traditional policies, the settings are not locked down within the user interface, so users can easily modify the delivered settings at will. However, a GPO made with Group Policy Preferences is refreshed regularly, about every 90 minutes or so as long as the machine is online. A GPP-configured Group Policy Object will tattoo settings as well when it falls out of scope. Many users think that this can be alleviated by checking one of the property setting selections, which states, “Remove this item when it is no longer applied.”
While it’s true that this setting will prevent tattooed settings, what many don’t know is that the entire setting is deleted. That’s right, the registry setting will be completely obliterated from the machine. This process is referred to as nuking the registry. The only way to configure this setting in the future will be to manually recreate it within the registry.
4. Advanced Group Policy Management
Group Policy Objects are created and managed using the default Group Policy Management Console, or GPMC. Microsoft offers an additional tool called Advanced Group Policy Management that you can download. Since it is marketed as an advanced tool, one would think that it comes with additional settings and advanced features that will elevate and enhance your ability to deliver settings. In reality, AGPM doesn’t add any new features or functionality to Group Policy at all. AGPM is strictly a workflow management tool, allowing multiple administrators to simultaneously modify policies. AGPM allows you to audit changes and easily find differences between GPO versions. It also supports version tracking, history capture, and quick rollback of deployed GPO changes should the final result of a policy not be what you intended. (To learn about planning your IT setup, see The Basics of IT Planning.)
All of us have used the “gpupdate” command at some point. Perhaps you have made a new GPO and wanted to test it out, so you issued that command to deliver the settings to your designated machine. Or perhaps you are modifying the GPO and want to test the new settings. Many people issue the "gpupdate /force" command without knowing the difference between that and using "gpupdate." The addition of the word “force” sounds so much more powerful and managerial. The fact is that 99% of the time, "gpupdate" is all you need. The "gpupdate" command downloads any new GPO or any GPO that has been modified, which is all you want to download anyway. Remember, traditional Group Policies are only downloaded one time regardless, so even though the "gpupdate /force" command does search a domain controller for any and all GPOs that are assigned to the targeted machine, many of the settings will not be reapplied. The fact is that "gpupdate /force" simply takes a lot longer, having to deal with every single assigned GPO, and doesn't garner any added results.