Mastering Windows Group Policy

Mastering Windows Group Policy

by Jordan Krause
Released November 2018
Publisher(s): Packt Publishing
ISBN: 9781789347395

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Improve and reimagine your organization's security stance, desktop standards, and server administration with centralized management via Group Policy.

Key Features

  • Explore advanced filtering techniques for Group Policy Objects
  • Interact with Group Policy through GPMC and PowerShell
  • Practical guide covering the daily and advanced administration of group policy

Book Description

This book begins with a discussion of the core material any administrator needs to know in order to start working with Group Policy. Moving on, we will also walk through the process of building a lab environment to start testing Group Policy today. Next we will explore the Group Policy Management Console (GPMC) and start using the powerful features available for us within that interface. Once you are well versed with using GPMC, you will learn to perform and manage the traditional core tasks inside Group Policy. Included in the book are many examples and walk-throughs of the different filtering options available for the application of Group Policy settings, as this is the real power that Group Policy holds within your network. You will also learn how you can use Group Policy to secure your Active Directory environment, and also understand how Group Policy preferences are different than policies, with the help of real-world examples. Finally we will spend some time on maintenance and troubleshooting common Group Policy-related issues so that you, as a directory administrator, will understand the diagnosing process for policy settings.

By the end of the book, you will be able to jump right in and use Group Policy to its full potential.

What you will learn

  • Become familiar with the Group Policy Management Console
  • Create, link, and filter new policies
  • Secure your users and devices using Group Policy
  • Maintain and troubleshoot Group Policy
  • Administer Group Policy via PowerShell
  • Control your Active Directory environment efficiently with Group Policy settings

Who this book is for

If you are an IT professional who works with Windows Servers or are interested in an Active Directory environment then this book is for you. General knowledge of Microsoft Windows, how Windows Server fits into an enterprise's infrastructure and also some existing knowledge of an Active Directory domain environment is expected.

Publisher resources

View/Submit Errata

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Mastering Windows Group Policy
  3. Contributors
    1. About the author
    2. About the reviewers
    3. Packt is searching for authors like you
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  6. Group Policy - The Basics
    1. Terminology
    2. What is Group Policy?
      1. Active Directory Group Policy versus Local Group Policy
        1. Local Group Policy
        2. Active Directory Group Policy
      2. What does Group Policy look like?
    3. Requirements for Group Policy
      1. Who can use Group Policy?
    4. Hierarchy of Group Policy processing
      1. Levels of GPO processing
        1. Local Policy
        2. Site-level policies
        3. Domain-level policies
        4. OU-level policies
      2. GPO workflow
    5. Building a lab to test Group Policy today
      1. Domain Controller
      2. Windows 10 Client
      3. Configuring the Windows Server 2016 Domain Controller
      4. Configuring the Windows 10 client
    6. Summary
  7. Group Policy Management Console (GPMC)
    1. Technical requirements
    2. Launching the console locally
      1. Server Manager – the most common way
      2. Microsoft Management Console (MMC) snap-in
      3. Start menu
      4. GPMC.MSC
    3. Accessing Group Policy remotely
      1. Installing the GPMC on another server
      2. RSAT on Windows 10
    4. Exploring the GPMC
    5. Summary
  8. Daily Tasks in Group Policy
    1. Default policies and permissions
      1. Default Domain Policy
        1. Authenticated users
      2. Default Domain Controllers Policy
      3. Permissions
    2. Modifying an existing GPO
      1. Using the newest GPMC
      2. Editing settings inside a GPO
        1. Quickly finding your settings
        2. An annoying Internet Explorer popup
      3. Updating the default password policy
      4. Not configured versus enabled versus disabled
        1. Example – configuring Teredo
    3. Creating a new GPO
      1. Naming your GPOs
      2. Creating the GPO
      3. Configuring the policy to apply a desktop wallpaper
    4. More on GPO links
      1. The difference between GPOs and GPO links
      2. The GPO link warning message
      3. Linking our new GPO
      4. Creating and linking new GPOs at the same time
      5. Linking at the site level
      6. Deleting a GPO link versus deleting a GPO
        1. Deleting a GPO link
        2. Deleting a GPO
      7. Disabling GPO links
    5. Everyday command-line tools
      1. GPUpdate
        1. Background refresh
        2. Foreground refresh
        3. GPUpdate.exe switches
      2. GPResult
        1. Sending the output to a file
        2. Checking GPResult data from a remote machine
      3. Resultant Set of Policy
    6. Summary
  9. Advanced Filtering of Group Policy Objects
    1. Link order precedence
      1. OUs trump domains
      2. Multiple GPOs linked at the same level
      3. Changing the order of link precedence
      4. Seeing the big picture
    2. Blocking GPO inheritance
    3. Enforcing GPOs
      1. Will enforcing GPOs affect GPO precedence?
    4. User settings versus computer settings
      1. Disabling half of a GPO
    5. Exercises with OUs and links
      1. Creating or deleting OUs
        1. OUs inside ADUC
        2. OUs inside GPMC
        3. Default containers that are not OUs
      2. Moving machines from one OU to another
      3. OUs protected from accidental deletion
      4. A warning on cross-domain policy linking
    6. Filtering GPOs with security filters
      1. How to filter a GPO to a particular Active Directory group
        1. Filtering to specific users or computers
      2. Security filtering – permission changes
      3. How to block a GPO from a particular Active Directory group
    7. Filtering GPOs with WMI filters
      1. WMI filters could cause a performance hit
      2. Applying a WMI filter to our GPO
    8. Summary
  10. Deploying Policy Settings
    1. Managed versus unmanaged policies
    2. Administrative Templates
      1. ADMX/ADML files
      2. Self-regulating policies
        1. Special registry keys
      3. Sticky preferences
        1. Unmanaged Policies versus Group Policy Preferences
          1. Preferences can usually be overwritten by a user
          2. Preferences stick around after the GPO is removed
      4. Creating or importing new templates
      5. How can you tell the difference?
    3. Computer configuration policies
      1. Idle-time lockout policy
        1. What about Windows 7?
      2. Launching an application upon login
      3. Configuring certificate auto-enrollment
      4. Startup and shutdown scripts – running scripts at the computer level
      5. Disabling Local Group Policy processing
    4. User configuration policies
      1. Remove the shutdown button
      2. Locking down display settings
      3. Prohibiting access to the Control Panel and Settings
      4. Logon and logoff scripts – running scripts at the user level
    5. Group Policy loopback processing
      1. What's really happening?
        1. Merge mode
        2. Replace mode
      2. How to do it?
    6. Summary
  11. Group Policy Preferences
    1. How is a preference different from a policy setting?
    2. Create, Replace, Update, or Delete
    3. Green and red marks
      1. Green and red lines
        1. How to change them
      2. Green and red circles
        1. Internet Explorer tabs
    4. The Common tab
      1. Stop processing items in this extension if an error occurs
      2. Run in logged-on user's security context
      3. Remove this item when it is no longer applied
      4. Apply once and do not reapply
      5. Item-level targeting
    5. Implementing Preferences
      1. Modifying the power options
      2. Environment variables
      3. Registry keys
      4. Drive mappings
      5. Creating a printer connection
      6. Forcing an Internet Explorer proxy server
    6. Summary
  12. Group Policy as a Security Mechanism
    1. Password rules and regulations
    2. A plethora of security settings
    3. Windows Firewall with Advanced Security
      1. Location of WFAS policy settings
        1. General settings
        2. Inbound Rules
        3. Outbound Rules
        4. Connection Security Rules
      2. Forcing Windows Firewall to always be enabled
        1. An aside about WFAS Profiles
      3. Disabling Windows Firewall by policy
      4. Creating a rule to allow inbound traffic
      5. Creating a rule to block outbound traffic
      6. What about conflicting rules?
      7. Configuring GPO to clear local WFAS rules
    4. Manipulating Local Users and Groups
    5. Denying access to Command Prompt
    6. Prohibiting user software-installation
    7. Disabling IPv6 via Group Policy
    8. User Account Control
      1. Configuring UAC via GPO
        1. User Account Control – Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
        2. User Account Control – Behavior of the Elevation Prompt for Standard Users
        3. User Account Control – Detecting Application Installations and Prompting for Elevation
        4. User Account Control – Running All Administrators in Admin Approval Mode
    9. Blocking USB Drives
    10. Summary
  13. Group Policy Maintenance
    1. Documenting Group Policy
      1. Commenting inside GPOs
      2. Generating a GPO report
    2. Searching Group Policy
      1. Searching for GPOs
      2. Filtering settings
        1. Filtering by keywords
        2. Filtering by your own comments
        3. Filtering by settings that have been modified
        4. Clearing the filter
    3. Starter GPOs
      1. Creating a Starter GPO
      2. Editing a Starter GPO
      3. Using a Starter GPO to build finalized GPOs
    4. Backing up and restoring GPOs
      1. Backing up GPOs
        1. Permissions needed to back up a GPO
        2. Backing up a single GPO
        3. Backing up all GPOs at once
      2. Restoring GPOs
        1. Permissions needed to restore an existing GPO
        2. Permissions needed to restore a deleted GPO
        3. Two ways to restore a GPO
          1. Managing backups
        4. Relinking restored GPOs
      3. Exporting and Importing WMI Filters
    5. Implementing ADMX/ADML files
      1. Importing a new ADMX file
        1. The location for placing ADMX files
        2. The location for placing ADML files
      2. The Central Store
        1. Creating the Central Store
        2. Verifying Central Store is working
        3. Importing new ADMX/ADML files into the Central Store
    6. Delegating permissions to manage Group Policy
      1. Delegation to edit GPOs
      2. Delegation to link GPOs
      3. Delegation to create new GPOs
      4. Additional delegation capabilities
    7. Summary
  14. Group Policy Troubleshooting
    1. Troubleshooting tools and procedures
      1. GPUpdate
      2. GPResult and RSOP
        1. RSOP
        2. GPResult
        3. User or computer results – not usually both
      3. GPO permissions
      4. Map out policy settings
      5. Is the GPO disabled?
      6. Watching for inheritance blocking
      7. Looking out for Enforced GPOs
      8. Conflicting settings
      9. Is your operating system supported?
      10. Windows Event Logs
    2. GPO version numbers
      1. Checking Domain Controller synchronization
      2. Version numbers triggering the client
    3. Checking the replication status via GPMC
    4. Detecting slow links
      1. Changing slow-link detection behavior
    5. The trouble with FRS
      1. What's wrong with FRS?
      2. Which one am I running?
    6. Group Policy results wizard
      1. Running the report
    7. Group Policy Modeling
    8. Summary
  15. PowerShell for Group Policy Administration
    1. Importing PowerShell Group Policy modules
    2. PowerShell for GPOs and Links
      1. Creating new GPOs
      2. Deleting GPOs
      3. Linking a GPO
      4. Disabling a GPO Link
      5. Deleting a GPO Link
      6. Creating a new Starter GPO
      7. Enforcing a GPO
      8. Disabling GPO enforcement
      9. Setting inheritance blocking on an OU
      10. Configuring security filtering on a GPO
    3. GPO information and reporting
      1. Viewing information about a GPO
      2. GPO Reports
      3. RSOP data via PowerShell
    4. GPO permissions via PowerShell
      1. Viewing current GPO permissions
      2. Setting GPO permissions
      3. Removing GPO permissions
    5. Using PowerShell to back up and restore GPOs
      1. Backing up a single GPO
      2. Backing up all of the GPOs
      3. Restoring a GPO
    6. Remotely running GPUpdate
    7. Using PowerShell Help
    8. Summary
  16. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Mastering Windows Group Policy
  • Author(s): Jordan Krause
  • Release date: November 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781789347395