Group Policy Object

from Wikipedia, the free encyclopedia

A Group Policy Object (GPO; the English abbreviation is also used in German) is, under Microsoft Windows 2000 and its successors, a policy that defines various settings in digital form.

In this context, a group policy is a system policy that is limited to certain groups or types of settings. Such a group policy is also called a group policy object.

Use

Under Microsoft Windows 2000 Server and all subsequent products, group policies can be created and configured with the Group Policy Management Console (GPMC). The GPMC is a snap-in that allows advanced and improved configuration of group policies; it must first be installed locally on the computer (it is always installed on domain controllers with a user interface) and can then also be used as a stand-alone snap-in on client operating systems. The GPMC requires at least Windows XP or Windows Server 2003 and cannot run under Windows 2000; the domain itself, however, can be at Windows 2000 level. Apart from the standard configurations, you can also create your own configuration options using an administrative template, i.e. files with the suffix *.adm (up to Windows XP) or *.admx (since Windows Vista). An immediate update can be forced with the command gpupdate.exe /force or, from Windows 8 or Windows Server 2012 on, via the GPMC.

Distinction between the different policies

Group policies can be linked to various objects:

  • Site (location)
  • Domain
  • OU (Organizational Unit)

In addition, there is always a local policy on each computer. Note that group policies do not act on groups, only on computer and user accounts; GPOs contain separate settings for users and computers. The processing order of group policies is Local, Site, Domain, OU. Each policy processed later overwrites the values of the policies processed before it where settings conflict. The settings in the local policy therefore have the lowest priority, because it is processed first, and the policy linked to the OU has the highest priority, because it is processed last. If several GPOs are linked at the same level, the link order decides: the GPO with the lowest link order value wins because it is processed last.
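The Local, Site, Domain, OU order is easiest to verify against a real container. The following PowerShell is an added example, not code from the article: it uses the GroupPolicy module that ships with the GPMC (Get-GPInheritance) to list every link that applies to a container, then prints them in processing order so that the "last processed wins" rule can be read off. The distinguished name and computer name are placeholders.

```powershell
# Added example (not from the article): list the GPO links that apply to a container in
# LSDOU processing order. Requires the GroupPolicy module (installed with the GPMC/RSAT)
# and a domain-joined session; the distinguished name below is a placeholder.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)] [string] $TargetDN    # e.g. 'OU=Workstations,DC=example,DC=com' (placeholder)
    )
    $inh = Get-GPInheritance -Target $TargetDN
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked on $TargetDN; only Enforced links from parent containers still apply."
    }
    # InheritedGpoLinks holds every link that applies to the container, highest precedence
    # first (Enforced links from parents, then the container's own links by link order, then
    # parent OUs, domain and site). Reversing it yields the processing order: last processed wins.
    $links = @($inh.InheritedGpoLinks)
    $step = 0
    for ($i = $links.Count - 1; $i -ge 0; $i--) {
        $l = $links[$i]
        $step++
        [pscustomobject]@{
            Step      = $step
            Gpo       = $l.DisplayName
            LinkedAt  = $l.Target
            LinkOrder = $l.Order      # 1 = highest precedence within a container
            Enforced  = $l.Enforced
            Enabled   = $l.Enabled
        }
    }
}

# The local policy is processed before all of these and is not part of the AD inheritance data.
# The resultant set including it can be checked on a given computer with gpresult /r, or with
# Get-GPResultantSetOfPolicy -Computer 'PC01' -ReportType Html -Path 'C:\Temp\rsop.html' (placeholders).

Get-GpoProcessingOrder -TargetDN 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Compare the Step column with the LinkOrder column: two GPOs linked at the same OU are processed so that the one with link order 1 comes last and therefore wins, exactly as described above. An Enforced link at the domain level breaks the normal order and is processed after the OU links, which is why it appears in the last steps of the output.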

Local GPO

Local policies are policies for a single computer. If a computer is not a member of a domain, the local policy is the only way to use policies.

Active Directory Sites

Active Directory sites are defined by the assigned IP subnets or IPv6 prefixes. For example, a large company may have sites in Germany, Japan, Korea, etc. Everything in Japan should then be tailored to the Japanese users: everything in Japanese, and so on. Such areas can be delimited by sites, and the policies can then be set for each area. A major reason for setting up sites is also to control replication traffic.

Active Directory Domains

At the domain level, policies are set for the entire domain. By default there is a Default Domain Policy (DDP), in which, in particular, security settings are defined. It should be changed as little as possible; instead, new GPOs should be linked at the domain level. The DDP can be reset to its initial state with the command dcgpofix.exe.

Active Directory Domain Controller

At the level of the Domain Controllers OU, policies are set for the domain controllers. By default there is a Default Domain Controllers Policy (DDCP), in which, in particular, security settings for the domain controllers are defined. Like the DDP, it should be changed as little as possible. The DDCP can also be reset to its initial state with the command dcgpofix.exe.
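Because dcgpofix.exe discards every change ever made to the DDP or DDCP, a practitioner backs both up first so that individual settings can be compared or restored afterwards. The following PowerShell is an added example (not the article's own code) that uses Backup-GPO and Get-GPOReport from the GroupPolicy module before the reset; the backup path is a placeholder, and the dcgpofix call itself is left commented out so that running the script does not reset anything.

```powershell
# Added example (not from the article): back up the two default policies and keep a readable
# report of each before resetting them with dcgpofix.exe. Requires the GroupPolicy module and
# Domain Admins rights; the backup path is a placeholder.
Import-Module GroupPolicy

function Backup-DefaultPolicies {
    param(
        [string] $BackupRoot = 'C:\GPOBackup'    # placeholder path
    )
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $names = 'Default Domain Policy', 'Default Domain Controllers Policy'
    foreach ($n in $names) {
        # Backup-GPO writes a restorable copy; the comment records why it was taken.
        $b = Backup-GPO -Name $n -Path $BackupRoot -Comment "Before dcgpofix $(Get-Date -Format s)"
        # An HTML report next to the backup makes a before/after comparison possible
        # without having to import the backup anywhere.
        $report = Join-Path $BackupRoot (($n -replace ' ', '_') + '.html')
        Get-GPOReport -Name $n -ReportType Html -Path $report
        [pscustomobject]@{ Gpo = $n; BackupId = $b.Id; Report = $report }
    }
}

Backup-DefaultPolicies | Format-Table -AutoSize

# Only after the backup has been verified:
#   dcgpofix.exe /target:Domain   resets the DDP
#   dcgpofix.exe /target:DC       resets the DDCP
#   dcgpofix.exe /target:Both     resets both
# A backed-up policy can be brought back with:
#   Restore-GPO -Name 'Default Domain Policy' -Path 'C:\GPOBackup'   (placeholder path)
```

The restore path is the reason for the backup: if the reset turns out to remove a setting that other systems depended on, Restore-GPO puts the previous state back from the same folder, and the HTML reports show which settings changed.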

Security filter

Each GPO can be limited to security groups by means of security filtering. By default, all GPOs are permitted for the Authenticated Users group, which includes both authenticated user accounts and computer accounts. Security group filtering allows the application of particular GPOs to be allowed or prohibited.
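Security filtering is done by granting or withholding the Apply permission on the GPO. The PowerShell below is an added example (not the article's own code) that scopes a GPO to one group with Set-GPPermission and then audits all GPOs for the most common mistake: removing Authenticated Users entirely. Since the MS16-072 security update of June 2016, user settings are retrieved in the security context of the computer account, so a GPO that computer accounts can no longer read silently stops applying its user settings; the example therefore lowers Authenticated Users to Read instead of removing it. The GPO and group names are placeholders.

```powershell
# Added example (not from the article): scope a GPO to one security group while keeping the
# Read permission that computer accounts need, then audit every GPO for missing Read access.
# Requires the GroupPolicy module; GPO and group names are placeholders.
Import-Module GroupPolicy

function Set-GpoApplyGroup {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Grant the intended group Apply (which implies Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Lower Authenticated Users from Apply to Read rather than removing it; -Replace is
    # required because Set-GPPermission does not lower an existing level by default.
    # Computer accounts must still be able to read the GPO (MS16-072), otherwise the
    # user settings stop applying without any error on the client.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Return the resulting ACL so the change can be reviewed and documented.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

function Find-GpoWithoutComputerRead {
    # Flags GPOs on which neither Authenticated Users nor Domain Computers holds at least Read.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All
        $canRead = $acl | Where-Object {
            ($_.Trustee.Name -like '*Authenticated Users' -or $_.Trustee.Name -like '*Domain Computers') -and
            ($_.Permission -in $readLevels)
        }
        if (-not $canRead) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Problem = 'No Read for computer accounts' }
        }
    }
}

Set-GpoApplyGroup -GpoName 'Workstation Hardening' -GroupName 'GPO-Apply-Workstations'   # placeholders
Find-GpoWithoutComputerRead | Format-Table -AutoSize
```

Find-GpoWithoutComputerRead is the check to run after any filtering change: an empty result means every GPO is still readable by the computer accounts that fetch it, regardless of how narrowly Apply has been scoped.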

WMI filter

Since Windows XP and Windows Server 2003, every GPO can be linked to a WMI (Windows Management Instrumentation) filter. This allows the processing of a GPO to react dynamically to the state of the object to which it applies; the application of a particular GPO can, for example, be made dependent on the operating system version or other parameters.
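A WMI filter is a WQL query that selects the GPO when it returns at least one instance on the computer being processed. The PowerShell below is an added example, not code from the article: it evaluates such queries locally with Get-CimInstance so that a filter can be checked on a test machine before it is created and linked in the GPMC. The queries are constructed for illustration; the version prefix "10." matches everything reporting NT kernel version 10, which includes Windows 11 and later Windows Server releases as well.

```powershell
# Added example (not from the article): check locally whether a WMI filter's WQL query would
# match this computer before pasting the query into a filter in the GPMC.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2'       # the default namespace of a WMI filter
    )
    try {
        # A WMI filter evaluates to TRUE when its query returns at least one instance.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # A query that cannot be evaluated (bad WQL, missing class) does not select the GPO,
        # so report it as not applying and show why.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

# Constructed sample filters for illustration.
$SampleFilters = [ordered]@{
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    'Workstations only'            = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
    'Domain controllers only'      = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'
    'NT 10.x (Windows 10 / 2016+)' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%"'
    '64-bit processors'            = 'SELECT * FROM Win32_Processor WHERE AddressWidth = 64'
    'Has a battery (laptops)'      = 'SELECT * FROM Win32_Battery'
}

foreach ($name in $SampleFilters.Keys) {
    '{0,-32} applies here: {1}' -f $name, (Test-WmiFilterQuery -Query $SampleFilters[$name])
}
```

Running the script on a domain controller prints True only for the "Domain controllers only" line and the hardware lines that match, which is the same decision the Group Policy client makes when it evaluates the linked filter. Every filter costs a WMI query during each policy refresh, so filters should be kept to the few cases that security filtering cannot express.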

Tools

Group Policy Management Console

Management console for creating and linking group policies

Group Policy Editor

Administration console for editing the settings of group policy objects.

Advanced Group Policy Management

Advanced management console for editing group policies with change control, version management, approval procedures, etc. Part of the Microsoft Desktop Optimization Pack (MDOP).

Microsoft Security Configuration Manager (SCM)

Tool, now outdated, for importing, exporting, merging and comparing group policies.

Microsoft Security Compliance Toolkit

The Security Compliance Toolkit (SCT) contains baselines recommended by Microsoft for configuring Windows 10, Windows Server 2012 R2, Windows Server 2016 and Office 2016. The SCT also contains the Policy Analyzer tool for comparing several Group Policy objects with each other or against the resulting group policy state on a computer. The results can be exported to Excel for documentation purposes.

References