Group Policy

Figure: Local Security Policy editor in Windows 7

Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules that control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and cannot do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses, and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files, and so on.

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection, and offline files.

Group Policy Objects do not strictly require Active Directory: Novell's ZENworks Desktop Management software package has supported roaming profiles since Windows 2000 and, starting with Windows XP, also supports Group Policy Objects.

Overview

Windows Management Instrumentation (WMI) filtering is the process of customizing the scope of the GPO by choosing a WMI filter to apply.

GPO (Group Policy Object) refresh

The Group Policy client refreshes the policy settings for workstations and servers on a "pull" model: every 90 minutes by default (every 5 minutes on Domain Controllers), plus a random offset of up to 30 minutes. During each refresh it collects the list of GPOs that apply to the machine and to the logged-on user (if any), then applies them; those GPOs thereafter govern the behaviour of policy-enabled operating system components. Some settings, however, are applied only at reboot and/or at user logon (e.g. Software Installation for computers and drive mapping for users).

Since Windows XP, a refresh of the group policy can be manually initiated by the user using the "gpupdate" command from a command prompt.[1]

Local Group Policy

Local Group Policy (LGP) is a more basic version of the Group Policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure Group Policy for a single local computer but, unlike Active Directory Group Policy, cannot make policies for individual users or groups. It also has far fewer options overall than Active Directory Group Policy. The specific-user limitation can be overcome by using the Registry Editor to make changes under the HKCU or HKU keys: LGP simply makes registry changes under the HKLM key, thus affecting all users, and the same changes can be made under HKCU or HKU to affect only certain users. Microsoft has more information on using the Registry Editor to configure Group Policy available on TechNet.[2] LGP can be used on a computer that is joined to a domain, and it can be used on Windows XP Home Edition.

Windows Vista supports Multiple Local Group Policy objects (MLGPO), which allows setting local Group Policy for individual users.[3]

Processing order for policy settings

Group policies are processed in the following order:[4]

  1. Local Group Policy objects - This applies to any settings in the computer's local policy (accessed by running gpedit.msc). Prior to Windows Vista, there was only one local group policy stored per computer. There are now individual group policies settable per account on a Windows Vista or Windows 7 machine.[5]
  2. Site - Next, the computer processes any group policies that are linked to the site the computer is currently in. If multiple policies are linked to a site, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
  3. Domain - Any policies linked at the domain level (such as the Default Domain Policy) are processed next. If multiple policies are linked to a domain, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
  4. Organizational Unit - Last, group policies linked to the organizational unit that contains the computer or user are processed. If multiple policies are linked to an organizational unit, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
  • Inheritance - Inheritance can be blocked or enforced to control which policies are applied at each level. A policy that a higher-level administrator (enterprise administrator) has enforced is still processed even where a lower-level administrator (domain administrator) has blocked inheritance.

Where a Group Policy Preference setting is configured and an equivalent Group Policy setting is also configured, the value of the Group Policy setting takes precedence.
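The processing order above (local, site, domain, OU; lowest link order applied last; Block Inheritance versus Enforced links) can be modelled as a small resolver. The code below is an added illustration, not part of the original article or of any Microsoft tool; the hierarchy, GPO names and setting names are constructed for the example. It also goes one step beyond the text in encoding the documented rule that enforced links are applied after all non-enforced ones, with an enforced link from a higher container winning over one from a lower container.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    name: str
    link_order: int          # 1 = highest precedence within its container
    enforced: bool = False   # an enforced link survives Block Inheritance below it

@dataclass
class Container:
    level: str               # "site", "domain" or "ou"
    links: list              # GpoLink objects linked to this container
    block_inheritance: bool = False   # drop non-enforced GPOs inherited from above

def apply_order(local_gpos: list, chain: list) -> list:
    """GPO names in the order the client applies them (a later GPO overrides an earlier
    one). chain is the site, the domain, then the OUs from the domain root downwards."""
    inherited = []   # non-enforced links gathered top-down
    enforced = []    # enforced links: higher containers win, so they are applied last
    for c in chain:
        if c.block_inheritance:
            inherited = []   # discard non-enforced GPOs from every higher level
        # the lowest link order is processed last, so walk links in descending order
        by_order = sorted(c.links, key=lambda l: l.link_order, reverse=True)
        inherited += [l.name for l in by_order if not l.enforced]
        enforced = [l.name for l in by_order if l.enforced] + enforced
    return list(local_gpos) + inherited + enforced   # local GPOs are always first

def effective_settings(order: list, gpo_settings: dict) -> dict:
    """Merge settings in application order: the last GPO to configure a value wins."""
    result = {}
    for gpo in order:
        result.update(gpo_settings.get(gpo, {}))
    return result

# Constructed sample hierarchy: the OU blocks inheritance, the domain enforces one link.
CHAIN = [
    Container("site", [GpoLink("Site-Proxy", 1)]),
    Container("domain", [GpoLink("Default Domain Policy", 2),
                         GpoLink("Domain-Lockdown", 1, enforced=True)]),
    Container("ou", [GpoLink("Workstations-A", 2), GpoLink("Workstations-B", 1)],
              block_inheritance=True),
]
GPO_SETTINGS = {   # constructed setting names for illustration only
    "Local Computer Policy": {"DisableTaskMgr": 0},
    "Site-Proxy": {"ProxyServer": "site-proxy:8080"},
    "Default Domain Policy": {"MinimumPasswordLength": 8},
    "Domain-Lockdown": {"DisableTaskMgr": 1},
    "Workstations-A": {"DisableTaskMgr": 0, "ProxyServer": "ou-proxy:3128"},
    "Workstations-B": {"MinimumPasswordLength": 14},
}
```

With the sample hierarchy, `apply_order(["Local Computer Policy"], CHAIN)` yields the local GPO, then the two OU GPOs, then the enforced Domain-Lockdown; the site and Default Domain Policy links are blocked, and DisableTaskMgr ends up set by the enforced GPO.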

Group Policy Preferences

Group Policy Preferences are a set of Group Policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and integrated it into Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[6]

Group Policy Preferences add a number of new configuration items. These items also have a number of additional targeting options that can be used to control granularly where each setting item is applied.

Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003, and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[7][8][9][10][11][12]

Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Group Policy Management Console

Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[13][14][15][16]

Advanced Group Policy Management

Microsoft has also released a tool for making changes to Group Policy called Advanced Group Policy Management[17] (a.k.a. AGPM). This tool is available to any organisation that has licensed the Microsoft Desktop Optimization Pack (a.k.a. MDOP). It allows administrators to have a check-in/check-out process for modifying Group Policy Objects, to track changes to Group Policy Objects, and to implement approval workflows for changes to Group Policy Objects.

To use this software you must license all of your Windows Active Directory clients for MDOP.

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this consists merely of disabling the user interface for a particular function without disabling lower-level means of accessing it.[18]

Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, causing it to fall back to potentially less secure defaults or even to return arbitrary values.[19]
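The failure mode just described is an application-side design decision: what the code does when the policy value cannot be read. The following added example (not from the article or any cited work) contrasts the weak fail-open lookup with a fail-closed one for a hypothetical application "Contoso\ExampleApp" and a constructed "AllowMacros" setting; the registry is replaced by an in-memory dict so it runs anywhere.

```python
class PolicyReadError(PermissionError):
    """Raised when a policy key exists but the process is not allowed to read it."""

# Hypothetical application "Contoso\ExampleApp"; the registry is modelled as a dict of
# key path -> {value name: data}. Keys listed in `unreadable` raise on access.
MACHINE_POLICY = r"HKLM\Software\Policies\Contoso\ExampleApp"   # admin-set, wins
USER_POLICY = r"HKCU\Software\Policies\Contoso\ExampleApp"      # admin-set per user
USER_PREF = r"HKCU\Software\Contoso\ExampleApp"                 # user's own preference
VALUE = "AllowMacros"   # constructed setting name, 1 = allowed

def read_value(registry: dict, key: str, name: str, unreadable=frozenset()):
    if key in unreadable:
        raise PolicyReadError(key)
    return registry.get(key, {}).get(name)   # None = value not configured

def allow_macros_fail_open(registry, unreadable=frozenset()) -> bool:
    """The weak pattern: a policy key that cannot be read is treated as "no policy",
    so the decision silently drops through to the user-controlled preference."""
    for key in (MACHINE_POLICY, USER_POLICY):
        try:
            data = read_value(registry, key, VALUE, unreadable)
        except PolicyReadError:
            continue
        if data is not None:
            return bool(data)
    return bool(read_value(registry, USER_PREF, VALUE, unreadable) or 0)

def allow_macros_fail_closed(registry, unreadable=frozenset()) -> bool:
    """Hardened variant: if the policy cannot be read, assume the most restrictive
    outcome. Call this where the action is performed, not only when drawing the UI."""
    for key in (MACHINE_POLICY, USER_POLICY):
        try:
            data = read_value(registry, key, VALUE, unreadable)
        except PolicyReadError:
            return False   # cannot prove policy permits it, so deny
        if data is not None:
            return bool(data)
    return bool(read_value(registry, USER_PREF, VALUE, unreadable) or 0)

# Constructed registry: machine policy forbids macros, the user's preference allows them.
REGISTRY = {
    MACHINE_POLICY: {VALUE: 0},
    USER_PREF: {VALUE: 1},
}
```

With the machine policy readable both variants deny; once the policy key is unreadable, only the fail-closed variant still denies, while the fail-open one honours the user's own preference.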

References

  1. http://technet.microsoft.com/en-us/library/bb490983.aspx
  2. Group Policy Settings Reference
  3. Step-by-Step Guide to Managing Multiple Local Group Policy Objects
  4. "Group Policy processing and precedence". Microsoft Corporation. 2005-01-21. http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx. "[...] following order: [...] 1. Local Group Policy object[...] 2. Site[...] 3. Domain[...] 4. Organizational units"
  5. http://www.sevenforums.com/tutorials/151415-group-policy-apply-specific-user-group.html
  6. Group Policy Preference Migration Tool (GPPMIG)
  7. Group Policy Preference Client Side Extensions for Windows XP (KB943729)
  8. Group Policy Preference Client Side Extensions for Windows XP x64 Edition (KB943729)
  9. Group Policy Preference Client Side Extensions for Windows Vista (KB943729)
  10. Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)
  11. Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)
  12. Group Policy Preference Client Side Extensions for Windows Server 2003 x64 Edition (KB943729)
  13. Microsoft Group Policy Team (2009-12-23). "How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)". http://blogs.technet.com/grouppolicy/archive/2009/12/23/how-to-install-rsat.aspx.
  14. Microsoft Remote Server Administration Tools for Windows Vista
  15. Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems
  16. Remote Server Administration Tools for Windows 7
  17. http://www.microsoft.com/windows/enterprise/products/mdop/agpm.aspx
  18. Raymond Chen, "Shell policy is not the same as security"
  19. Mark Russinovich, "Circumventing Group Policy as a Limited User"

External links

General information
Lists of Group Policy settings and (where applicable) registry equivalents

Wikimedia Foundation. 2010.
