
Group Policies (GPOs)

Group Policies

General Information

Different Layers of Group Policies

  1. Local policies
  2. GPOs on domain level
  3. GPOs on OU level
  4. GPOs on site level

Restoring of the standard group policies

If something went wrong while editing the default group policies, the installation defaults of the default GPOs can be restored. For that, dcgpofix.exe can be used.

dcgpofix [/ignoreschema] [/target:{domain | dc | both}]

/ignoreschema: with this parameter the version number of the AD schema is ignored.

/target: defines which GPO shall be restored:

  • domain: Default Domain Policy
  • dc: Default Domain Controllers Policy
  • both: both standard policies

Administrative Templates

Administrative templates are special files which describe the structure of policies. A lot of templates come with Windows Server, but additional templates, e.g. for Microsoft Office, can be added. There are language-neutral versions of the templates (ADMX) and language-specific add-ons (ADML).

Template              Location
ADMX files (local)    %systemroot%\PolicyDefinitions
ADML files (local)    %systemroot%\PolicyDefinitions\[language]
ADMX files (domain)   %systemroot%\SYSVOL\domain\policies\PolicyDefinitions
ADML files (domain)   %systemroot%\SYSVOL\domain\policies\PolicyDefinitions\[language]

Templates should always be stored at the central location, which is %systemroot%\SYSVOL\domain\policies\PolicyDefinitions. By doing so it is guaranteed that they are replicated to all domain controllers.

Configuration of Group Policies

Group Policies can be defined on two different levels.

With the User Configuration, policies are defined on a per-user level.

With the Computer Configuration, policies are defined on a per-computer level.

Both branches contain mostly the same policies, but may differ in some points. Any setting made in the Computer Configuration has priority over the same setting in the User Configuration.

Inheritance of Policies

GPOs are inherited by subordinate OUs and containers. Inheritance is activated by default, but can be blocked for an OU. Another possibility is to enforce a policy, which is set on the GPO link. By doing so it is guaranteed that all subordinate OUs receive the policy, even if they are managed by another administrator and block inheritance.

Different states of GPOs

Status            Explanation
active            The GPO is applied.
not configured    The setting is not set here; it is inherited and applied through another GPO.
deactivated       The GPO is not applied.
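The following PowerShell is an added example, not part of the original post: it audits blocked inheritance and enforced links across a domain with the RSAT GroupPolicy and ActiveDirectory modules. The property names GpoInheritanceBlocked, GpoLinks, DisplayName, Enabled, Enforced and Order are those returned by Get-GPInheritance; check them against your own output.

```powershell
# Added example: list, for the domain root and every OU, the GPO links present,
# whether the container blocks inheritance and which links are enforced.
# Requires the RSAT GroupPolicy and ActiveDirectory modules and read access to AD.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoInheritanceReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # The domain itself plus all OUs below the search base
    $containers = @($SearchBase) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase).DistinguishedName

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn
        # GpoInheritanceBlocked renders as Yes/No; compare it as text to be safe
        $blocked = "$($inh.GpoInheritanceBlocked)" -in @('Yes', 'True')

        $links = @($inh.GpoLinks)
        if ($links.Count -eq 0) { $links = @($null) }   # keep containers without links in the report

        foreach ($link in $links) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $blocked
                Gpo                = $link.DisplayName
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                Order              = $link.Order   # link order 1 has the highest precedence on a container
            }
        }
    }
}

$report = Get-GpoInheritanceReport

# Containers that block inheritance: only enforced GPOs linked above them still apply there.
$report | Where-Object InheritanceBlocked | Select-Object -ExpandProperty Container -Unique

# Enforced links: they reach every subordinate OU regardless of blocking and win on conflicts.
$report | Where-Object Enforced | Format-Table Container, Gpo, Order -AutoSize
```

A container that blocks inheritance while none of the GPOs above it is enforced is the usual reason a domain-wide setting silently does not arrive on a group of machines.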

gpresult

The command-line tool gpresult displays the GPOs applied to an object (the Resultant Set of Policy, RSoP).

gpresult [/s <Computer> [/u [<Domain>\]<User> [/p [<Password>]]]] [/user [<TargetDomain>\]<TargetUser>] [/scope {user | computer}] [/r | /v | /z] [[/x | /h] <FileName> [/f]]
Syntax                      Explanation
/s <Computer>               Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u <Domain>\<User>          Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the user currently logged on to the computer that issues the command.
/p <Password>               Specifies the password of the user account that is specified in the /u parameter.
/user <TargetUserName>      Specifies the user name of the user whose RSoP data is to be displayed.
/scope {user | computer}    Displays either user or computer results. If you omit the /scope parameter, gpresult displays both user and computer settings.
/v                          Displays verbose policy information.
/z                          Displays all available information about Group Policy. Because this parameter produces more output than /v, redirect the output to a text file (for example, gpresult /z > policy.txt).
/?                          Displays help at the command prompt.
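As an added example (not from the original post), the following PowerShell wraps gpresult /x and lists, for every GPO in the report, whether it was applied and, if not, why. The XML element names it reads (Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath, Link/NoOverride, SecurityFilter) are those found in gpresult /x reports on current Windows versions and are assumed here; verify them against your own export.

```powershell
# Added example: export an RSoP report with gpresult /x and evaluate it per GPO.
function Get-RsopGpoStatus {
    param(
        [ValidateSet('user', 'computer')][string]$Scope = 'computer',
        [string]$ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )
    # /x writes an XML report, /f overwrites an existing file. Computer scope needs an elevated prompt.
    & gpresult.exe /scope $Scope /x $ReportPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $ReportPath -Raw

    $results = if ($Scope -eq 'user') { $rsop.Rsop.UserResults } else { $rsop.Rsop.ComputerResults }

    foreach ($gpo in $results.GPO) {
        # Assumed element semantics: Enabled = link enabled, AccessDenied = security
        # filtering denied the account, FilterAllowed = WMI filter passed, IsValid = GPO readable.
        if     ($gpo.Enabled -ne 'true')       { $reason = 'link or GPO disabled' }
        elseif ($gpo.AccessDenied -eq 'true')  { $reason = 'denied by security filtering' }
        elseif ($gpo.FilterAllowed -ne 'true') { $reason = 'excluded by WMI filter' }
        elseif ($gpo.IsValid -ne 'true')       { $reason = 'GPO invalid or unreadable' }
        else                                   { $reason = 'applied' }

        [pscustomobject]@{
            Name           = $gpo.Name
            # Identifier carries its own namespace, so select it by local name
            Id             = $gpo.Path.SelectSingleNode("*[local-name()='Identifier']").InnerText
            LinkedTo       = (@($gpo.Link.SOMPath) -join '; ')
            Enforced       = (@($gpo.Link.NoOverride) -contains 'true')
            SecurityFilter = (@($gpo.SecurityFilter) -join '; ')
            Applied        = ($reason -eq 'applied')
            Reason         = $reason
        }
    }
}

Get-RsopGpoStatus -Scope computer | Format-Table Name, Applied, Reason, Enforced, LinkedTo -AutoSize
```

The Reason column separates the three causes that look identical in the GUI (a GPO present but not applied): a disabled link, a security filter that excludes the account, and a WMI filter that evaluates to false on this machine.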

Deploying software with group policies

The automated deployment of software can be realized through Group Policy Software Deployment.

Quick Overview

  • The software deployment is tied to a GPO and is available to the users in the corresponding OU.
  • The policy defines which software is going to be installed and the path to the program data. The installation data must exist as an .msi package.
  • The software is then installed without the user noticing.
  • It can be uninstalled the same way.

Prerequisites

  1. The installation data needs to be available to the computers/users through a network share.
  2. The software needs to be available as an .msi package.
  3. An OU must exist which is bound to the GPO.

If software is deployed through the User Configuration, there are two options through which a user can make use of the software:

  1. Assigned: the software is installed without any interaction of the user.
  2. Published: the user needs to decide whether to install the software.

Deploying software for certain users

Sometimes software is deployed for users that are not in the same OU. How do we achieve that only the users who shall use the software actually get it? This is achieved by the so-called filtering of GPOs, which allows a GPO to be applied only to members of a certain group. In the Group Policy settings there is an option called "Security Filtering". The groups to which the GPO applies can be defined there.

Deploying software for all users in an OU, but only if certain conditions are met

This is done with a WMI filter.

What if software shall be deployed to a user, but the computer does not meet the requirements, e.g. not enough storage?

WMI = Windows Management Instrumentation. This special kind of filter uses SQL-like queries (WQL) to specify certain requirements.

select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

This statement asks for the OS version of Windows. The filter will only allow PCs that have Windows 10.x installed.
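The PowerShell below is an added example, not part of the original post: it evaluates a WMI filter query locally with Get-CimInstance, which is what the Group Policy client does when it decides whether a filtered GPO applies, so a query can be checked before it is attached to a GPO. It also shows the one caveat with the query above: Windows 11 reports Version 10.0.2xxxx as well, so "10.%" matches both Windows 10 and Windows 11 workstations; the narrowed queries by build number are an assumption of this example, not from the post.

```powershell
# Added example: test WQL queries the way a GPO WMI filter is evaluated.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2'   # default namespace of GPO WMI filters
    )
    # A WMI filter passes when the query returns at least one instance.
    $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Query   = $Query
        Matches = $instances.Count
        Applies = ($instances.Count -gt 0)
    }
}

# Show what the local machine reports. ProductType 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Local OS: $($os.Caption)  Version=$($os.Version)  Build=$($os.BuildNumber)  ProductType=$($os.ProductType)"

$queries = @(
    # The query from the post: every Windows 10 *and* Windows 11 workstation passes it.
    'select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"',
    # Windows 10 builds are 10.0.1xxxx (10240 .. 19045); only those pass.
    'select * from Win32_OperatingSystem where Version like "10.0.1%" and ProductType="1"',
    # Windows 11 builds start at 10.0.22000; only those pass.
    'select * from Win32_OperatingSystem where Version like "10.0.2%" and ProductType="1"'
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-Table -AutoSize -Wrap
```

Run it on one Windows 10 and one Windows 11 client: the first query applies on both, the second only on Windows 10, the third only on Windows 11.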

Using administrative templates

Administrative templates can be imported into the Default Domain Policy.

Providing drives

Shared network drives can be mapped using GPOs.

Providing files and folders

Files and folders can be copied through GPOs.

Local users and groups

Local Groups can be managed through GPOs.

This post is licensed under CC BY 4.0 by the author.