yshisIn this article, you’ll learn all about GPOs (Group Policy Objects) and the fundamental basics of how you can use them to better manage your AD DS Server infrastructure.
Introduction to GPOs
When setting up an IT system, you will normally need to configure dozens if not hundreds of different options and settings. These include how the user will access the system, the folders they can access, the printers they can use, their desktop background, the start page they see, their firewall settings, the applications they can use and even whether they can install programs themselves. This can be pretty tedious just for a single computer, but imagine the enormous task of doing it for hundreds or even thousands of them.
Since Windows Server 2000 arrived with the Group Policy feature, Microsoft systems administrators have been able to define these settings centrally to them deploy them across all their workstations and servers at once.
The main advantage of doing things this way is that the administrator’s interaction with end clients is minimal, which saves them a lot of time.
But this isn’t the only advantage. Establishing centralised settings that can be sent to computers or servers on demand also reduced the risk of implementation errors as you are much more likely to make a mistake if you have to repeat a process 100 times than if you have to do it just once.
Another advantage is that if you have to make changes later, you can make the change just once and then apply it to every computer at the same time, once again saving time and reducing the chance of making a mistake.
When creating a Group Policy Object, you can also define the scope of the settings to be applied. You can decide whether it will be applied to the entire business or just a part of it. You can choose to apply the changes to a specific location, a specific department or even a single user, and this is just another advantage of using GPOs.
In this article, we’ll dive into the concepts involved in GPOs, how they are used and the available tools. Don’t worry, we’ll try to keep things as light as possible, but bear in mind that there are quite a lot of definitions and concepts that need explanation.
NOTE: In this article, we’ll focus on the theory behind GPOs as there are already several tutorials on Jotelulu that explain how to perform specific tasks.
A single tool for managing all your settings
If you have just a single computer or a small group of them, it is possible to configure them manually. However, configuring your computers in a more centralised way makes it easier to apply the same settings to a new computer or when you need to re-install an existing computer for some reason.
This is where Configuration Management comes in. This is an approach to maintaining systems that focuses on managing changes to computers and users in a centralised way. And whilst they’re not the only way of doing it, GPOs are the way that this is usually achieved.
So, when talking about Configuration Management, there are essentially three basic elements, the Setting, the Scope and the Application:
- Setting: this is the desired state for a user, computer or group of users or computers.
- Scope: this is the group of users or computers that the setting is applied to.
- Application: this is the tool or mechanism used to apply the setting to the group.
The most basic element of a Group Policy Object is the Individual Policy Setting, normally referred to simply as a Policy. A Policy defines a specific setting, such as one that prevents the user from opening the Control Panel, seeing the C drive, using the USB drive or installing a program.
As we already mentioned, policies are applied to either computers or users. This means that there are two types of policy depending on who or what they apply to:
- If a policy applies to a computer, it is called a Computer Settings Policy. This is a change to the computer settings that is applied either when the machine starts or is automatically updated every 90-120 minutes.
- If a policy applies to a single user, it is called a User Settings Policy. These settings are applied when the user logs in or are applied automatically every 90-120 minutes.
NOTE: As well as applying settings when the computer is started or when the user logs in, it is also possible to force the application of policies using the command “gpupdate /force”, which applies the GPO to the computer that it is run on. This can be useful for carrying out tests or troubleshooting policy-related issues.
Image. Screenshot of the Group Policy Management Console.
But what exactly is a GPO?
So far, we’ve talked a lot about what a GPO is used for, but we haven’t told you what it is.
A GPO is essentially an object that contains one or more configuration values that apply to a user, computer or group of users or computers. It is basically a container of settings, rules and desired states, but be careful, this container has nothing to do with the AD DS containers mentioned in other articles.
The biggest complication involved in using GPOs is not programming or creating them, nor their administration and maintenance. It’s actually the concept of inheritance, as there are several different levels that GPOs can apply to, and sometimes these can overlap and cause issues if not configured correctly.
This means that it is very important to know about the levels that GPOs can be applied to and how they interact with each other if you want to avoid any issues. This is because there is a hierarchy of levels and when you apply a GPO to a particular level, it will also apply to all lower levels as well.
Take the structure shown in the image below, for example. If we apply a GPO to the Organisational Unit (OU) ZARAGOZA, all the OUs for the different departments will be affected by that GPO, such as the user “Nacho Oller”, who is in the Technical Department at Zaragoza. For example, he will be affected by the printer mapping GPO linked to the ZARAGOZA OU.
Image. Example of inheritance by OUs
GPOs can be deployed at the following levels:
- Domain level.
- Site level.
- OU (Organisational Unit) level.
- Local level.
However, the order that they are processed is as follows:
- Local GPOs.
- Site-level GPOs.
- Domain-level GPOs.
- OU-level GPOs.
How are GPOs used in operations?
When we talk about Group Policies, most people tend to think about basic settings, like mapping network drives or printers or installing applications. But Group Policies can actually do much more than just that.
Firstly, as we’ve already mentioned, we can use them to standardise work environments, defining the background, default browser, start page, what programs users have access to and restricting their use of the operating system.
You can also use GPOs to apply network settings, implementing specific restrictions, such as preventing laptops from connecting to unauthorised wireless networks or only allowing them to connect to SSIDs that are authorised by the company.
Of course, this also means that we can configure network drive sharing for groups, departments and locations and even configure personal drives to prevent the use of old mapping scripts or manual sharing. We can do the same with printers, which can be mapped much faster and more conveniently using GPOs.
Another way that GPOs can be really useful is when deploying software as you can install programs automatically using .msi files or leave it up to the user to install a specific program or not.
GPOs are also incredibly important for applying security settings and protecting your infrastructure. Firewall settings, updates, audit settings, backups and much more can all be applied using GPOs to ensure standard security settings across your infrastructure.
Lastly, it is important to remember that all of this isn’t just limited to deploying policies; it can also be used to deploy PowerShell or cmd scripts, whose potential is limited more or less only by the imagination of the administrator.
What tools are used to manage GPOs?
There is a range of tools available for managing Group Policies. These include tools with a Windows-based graphic interface and command-based tools using the classic command prompt or PowerShell cmdlets.
We also have the Group Policy Management Console, also known as GPMC. This is the console used to launch and apply policies.
Then, we have to Group Policy Management Editor which is accessed through the GPMC and allows you to create policies.
Image. Overview of the Group Policy Management Editor
On the other hand, we have the “GPUpdate” and “GPResult” commands which are used in the command prompt to update or check the implementation of Group Policies. You can find out more about the syntax of these commands at the following links: GPUpdate, GPResult.
Lastly, you can opt to work on policies using the Group Policy module in PowerShell cmdlets. We won’t talk much more about this option in this article as there is too much information to cover, but you can find out more in other articles and tutorials here on our website.
Image. Example of a GPO query run in PowerShell.
Where are GPOs stored?
GPO settings are basically made up of two essential elements: the policy storage containers and the settings templates.
A policy container is one of the objects that make up AD DS and is created to keep GPOs organised in a single space. And, as usual with the elements that make up the AD DS structure, this container has a unique identifier in the directory.
A GPO template is made up of a series of files located in the SYSVOL folder, which is a folder located on each domain controller and is found at %SystemRoot%\SYSVOL\Domains\Policy\GPOGUID, with GPOGUID the container’s GUID.
Image. Filepath of SYSVOL
Similarly, to keep things organised, each GPO is assigned a version number within one of the policy attributes. This is automatically increased whenever a change is made, providing a form of version control to help maintain order and coherence between GPOs.
Conclusion
As we have seen, GPOs or Group Policy Objects are one of the main tools available for managing your business’s IT infrastructure quickly and efficiently, especially if you have a large number of hosts.
With GPOs, you can deploy software automatically or apply standard settings for groups of hosts according to their location within the AD DS structure or the Organisational Unit (OU) that they belong to.
They are relatively simple to use, but there are important things to bear in mind to avoid issues. In particular, it is important to remember the way that GPOs are applied and the inheritance involved for each network element.
We hope that this article has been useful for you and that you now have a better idea about what GPOs are and how to use them.
If you would like to learn more about GPOs, we recommend checking out the following links where you’ll be able to find additional information and examples of the kind of operations you can perform using Group Policies:
- PowerShell Commands for Managing GPO Scripts
- How to Configure a GPO for Shared Drive Mapping
- How to Configure a GPO to Map Printers
- How to Deploy a GPO Script with PowerShell Code
- How to Configure Personal Drives Using a GPO Script
- How to Configure Your Firewall Using a GPO Script
- How to Hide Access to a Disk Drive on Your Server Using the Local Policy Editor
Thanks for reading!
