Group Policies in Windows 2008 Server

Updated: 07 Jul 2009
Ram Champion's picture

Understanding group policies is a very complex process. Windows 2008 introduces a lot of changes to the configuration of its services, and group policy is one of them. Let's look at the major changes in Windows 2008 group policies and configure some policies.

  1. Support for wired and wireless security policies, many improvements in Windows Firewall, and USB restriction policies.
  2. Support for XML-based administrative templates, which allow multi-language templates.
  3. It is also very important to know how group policy is evaluated and in which order: which policy is given priority if the same policy is applied at different levels, as demonstrated below:

Let's understand the above diagram with an example.

If you configure the same policy, say disabling a service, at domain level, and the same policy for the same service is enabled and configured at site level, then the site level policy will be processed. That's how it works: when you link group policy objects to two different objects, an order of precedence applies. The administrator can set the order of precedence to control how the policies are processed. To see the link order, open the GPMC tool (which is used for configuring group policy) and go to Group policy object in the right-hand pane. The linked group policy objects are listed there, along with their link order. You can specify the order in which you want the group policies to be processed.

How to stop policies from applying in the default order

Block inheritance - This means that a policy is blocked from flowing down from a higher level to a lower one. For example, if you want to block a site or domain level policy from applying to an OU, you can block inheritance on that OU. It is denoted by a blue exclamation mark on the OU.

How to bypass block inheritance

However, if you want to bypass block inheritance and apply a policy that is set at any level, Enforce is the option. In case of any conflict, no other GPO will be processed except the enforced one. It is denoted by a lock symbol.

In which sections can policies be configured?

There are two sections where policies are configured, Computer and User, as shown in the screenshot below:

Computer configuration - When the computer starts up, the computer configuration settings are applied.

User configuration - When the user logs in to the workstation, the policies are applied.

What is loopback processing?

When there is a conflict between user and computer settings, the Merge and Replace options can be used. This setting is available in computer configuration. When the Merge option is used, the settings are merged for user and computer configuration, but when Replace is used, the user's settings are not applied and the computer configuration is applied.

Backing up/Restoring GPOs

To back up GPOs you need to back up Active Directory, which includes the Sysvol folder. Policies can also be backed up in GPMC: right-click the GPO container and choose Back Up All.
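The link order, Block inheritance and Enforce settings described earlier, and the "back up all" step above, can also be reviewed from PowerShell. This is an added example, not part of the original article; it assumes the GroupPolicy and ActiveDirectory modules that come with GPMC/RSAT on Windows Server 2008 R2 or later, and `C:\GPOBackup` is a placeholder path.

```powershell
# Added example (not from the original article).
# Assumes: GroupPolicy + ActiveDirectory modules, read access to all GPOs.
Import-Module GroupPolicy, ActiveDirectory

$BackupDir = 'C:\GPOBackup'   # placeholder: use a location only admins can read

# Domain root plus every OU. Site links are not covered by Get-GPInheritance.
$targets  = @((Get-ADDomain).DistinguishedName)
$targets += @(Get-ADOrganizationalUnit -Filter * |
              Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $som = Get-GPInheritance -Target $dn

    # One row per GPO linked directly to this container.
    foreach ($link in $som.GpoLinks) {
        New-Object PSObject -Property @{
            Container          = $som.Path
            InheritanceBlocked = $som.GpoInheritanceBlocked
            LinkOrder          = $link.Order      # link order as shown in GPMC
            GPO                = $link.DisplayName
            Enforced           = $link.Enforced   # the lock symbol in GPMC
            LinkEnabled        = $link.Enabled
        }
    }

    # Containers that block inheritance but have no links of their own
    # would otherwise be missing from the report.
    if ($som.GpoInheritanceBlocked -and $som.GpoLinks.Count -eq 0) {
        New-Object PSObject -Property @{
            Container = $som.Path; InheritanceBlocked = $true
            LinkOrder = $null; GPO = '(no direct links)'
            Enforced  = $null; LinkEnabled = $null
        }
    }
}

# Full link table, then only the exceptions to default processing.
$cols = 'Container','InheritanceBlocked','LinkOrder','GPO','Enforced','LinkEnabled'
$report | Sort-Object Container, LinkOrder | Format-Table $cols -AutoSize
$report | Where-Object { $_.InheritanceBlocked -or $_.Enforced } |
    Format-Table $cols -AutoSize

# Equivalent of "back up all" in GPMC.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
Backup-GPO -All -Path $BackupDir -Comment "Backup $(Get-Date -Format s)"
```

The second table lists every container where Block inheritance or Enforce changes the default processing order, which is the set worth reviewing after any GPO change.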

Other useful tools

Group policy modeling tool - With this you can see what changes will be applied when a user or computer is moved from one container to another.

Group policy results - This tool is used to check which policies are applied to a user or computer.

Group policy best practice analyzer - This is a Microsoft tool. As a best practice, you can download it and use it to monitor the parameters for group policy.