
Group Policy Infrastructure in Windows: Today and Tomorrow Kurt Roggen [BE] System Architect,...

Date posted: 24-Dec-2015
Kurt Roggen [BE], System Architect, DevoTeam/Guidance
Email: [email protected]
Blog: http://tryCatch.be/blogs/roggenk
Transcript


Agenda

Today
• Group Policies (GP)
• Group Policy Preferences (GPP)
• Scenarios

Tomorrow
• Group Policies (GP): GP Editor UI, PowerShell, new features
• Group Policy Preferences (GPP): new extensions

Group Policies: Today
Windows Vista, Windows Server 2008

Group Policy Enhancements
• Group Policy Tools: new GPOE & GPMC tools. Use consistent versions!
• Group Policy Service: GP now runs as its own service (gpsvc, hosted in a shared svchost.exe) instead of inside Winlogon. Hardened service, more reliable.
• Group Policy Settings: over 800 new policy changes with Windows Vista; extended GP for new Windows Vista features.
• Network Location Awareness (NLA): the NLA service provides the latest network information; applications can query NLA or register with it for network-change notifications.
• Group Policy Logging: administrative log, Applications and Services log, XML-based event logs. New tool: GPOLogView.
• Group Policy Templates: ADM templates are now ADMX files (ADMX, ADML).

Windows Vista / Windows Server 2008: ADM -> ADMX

Group Policy Central Store
• Centralized repository for ADMX
• Contains all ADMX templates (policy definitions: ADMX and ADML files)
• Created in SYSVOL on a DC in each domain; FRS/DFS-R replicates it to the other DCs

[Diagram: DC -> SYSVOL (replicated by FRS/DFS-R) -> Policies -> {GUID} GPO folders plus the PolicyDefinitions folder holding the ADMX and ADML files]

Group Policy Features
Windows Vista, Windows Server 2008

• Multiple Local GPOs (LGPOs): Local Computer Policy, Admin/Non-Admin Group Policy, user-specific Group Policy
• Group Policy Preferences: set initial values, rich administration UI, rich item-level targeting

New/Updated Policy settings
Windows Vista, Windows Server 2008

• Up to 1,800+ policy settings before Windows Vista; +700 in Windows Vista (about 2,500 in total)
• Group Policy is a basic Windows "manageability" requirement
• Policy settings greatly expanded in a number of areas: Removable Storage Devices, IPsec/Windows Firewall, Power Management, Printer Management, Troubleshooting and Diagnostics, Windows Defender, Network Access Protection, Internet Explorer, Tablet PC, Windows Error Reporting, User Account Control (UAC), Wired and Wireless Policy, Desktop Shell, Globalization, Remote Assistance

GPO Filtering
Windows Vista, Windows Server 2008

• Filters the list of settings based on:
  • Text search of setting title, explain text and comments
  • Platform and application "supported on"
  • Managed (true GP policy setting)
  • Configured (enabled or disabled)
• The result of the search is a filtered view in the editor: hierarchical list or flat list
• Only for Group Policy Administrative Template settings, not for Group Policy Preferences
• Available through GPMC 2.0 (Windows Server 2008 RSAT and Vista SP1 RSAT)

Multiple Local GPOs
Windows Vista, Windows Server 2008

• Local GPOs can be created for:
  • The machine (same LGPO as today)
  • NEW: the Administrators or Non-Administrators local group
  • NEW: individual local users
• Application order is as above (machine LGPO processed first, then Admin/Non-Admin, then the user LGPO); later-processed settings override earlier ones, so the individual user's LGPO "wins"
• Any single user receives either the Admin or the Non-Admin LGPO (not both)
• No change in LGPO vs. domain GPO priority: domain-based GPOs are processed after the LGPOs and still take precedence
• New policy setting: "Turn off Local Group Policy objects processing" (excludes processing of all local GPOs)

ADMX Central Store
Windows Vista, Windows Server 2008

• Domain-wide location for storing ADMX/ADML files
• Default behavior (without the central store): the ADMX files local to the administrative machine (%SystemRoot%\PolicyDefinitions) are used by GPMC/GPEdit
• Creating and using the central store:
  • Domain-wide location for storing ADMX files: [sysvol]\<domain>\policies\PolicyDefinitions
  • One-time creation and population of the central store per domain; see the published "ADMX Files Step-by-Step" guide
  • From then on, Windows Vista GPMC/GPEdit use the ADMX files in the central store and ignore the local store
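The one-time creation step above, as an added example (not code from the original deck): it populates the central store from the admin workstation's local PolicyDefinitions folder, checks that every ADMX has a matching ADML (a store without the language files makes the editor fail to load the template), and then verifies that SYSVOL replication has actually delivered the store to every DC. It assumes a domain-joined Vista/2008 machine, a domain admin session, and that the local PolicyDefinitions folder holds the templates you intend to publish.

```powershell
# Added example, not from the original deck: create and populate the ADMX central store
# for the current domain, then check that every DC serves the same set of files.
# Assumptions: run as a domain admin on a Vista/2008 machine whose local
# %SystemRoot%\PolicyDefinitions holds the templates you want to publish.
$domain       = $env:USERDNSDOMAIN
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $centralStore)) {
    New-Item -Path $centralStore -ItemType Directory | Out-Null
}
# Copy the ADMX files together with the language folders (e.g. en-US\*.adml).
# Without a matching ADML, GPMC/GPEdit reports a parse error for that ADMX.
Copy-Item -Path (Join-Path $localStore '*') -Destination $centralStore -Recurse -Force

# Check 1: every ADMX in the store has an ADML in at least one language folder
$admx      = @(Get-ChildItem $centralStore -Filter *.admx)
$admlNames = Get-ChildItem $centralStore -Recurse -Filter *.adml |
             ForEach-Object { $_.BaseName } | Select-Object -Unique
$missing   = @($admx | Where-Object { $admlNames -notcontains $_.BaseName })
"ADMX files in central store: $($admx.Count)"
if ($missing.Count -gt 0) {
    'WARNING: no ADML found for: ' + (($missing | ForEach-Object { $_.Name }) -join ', ')
}

# Check 2: SYSVOL replication (FRS/DFS-R) has delivered the store to every DC.
# Until it has, admins whose GPMC is pointed at a lagging DC still see the old templates.
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $path = "\\$($dc.Name)\SYSVOL\$domain\Policies\PolicyDefinitions"
    $n = 0
    if (Test-Path $path) { $n = @(Get-ChildItem $path -Filter *.admx).Count }
    '{0,-35} {1,4} ADMX' -f $dc.Name, $n
}
```

Run it again after adding a new template (for example a vendor ADMX): the per-DC count is the quickest way to see whether replication has caught up before you point other administrators at the store.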

Starter GPOs
Windows Vista, Windows Server 2008

• Create new GPOs based on a Starter GPO (template)
• Encapsulation of best practices/scenarios: contains recommended policy settings and values (Administrative Template policy settings only)
• Available for download from Microsoft

Starter GPO scenarios
• Based on the Windows Vista Security Guide: Windows Vista Enterprise Client (EC), Windows Vista Specialized Security Limited Functionality (SSLF) Client
• Based on the Windows XP Security Guide: Windows XP Service Pack 2 (SP2) EC, Windows XP SP2 SSLF Client

Starter GPO types
• System Starter GPOs (read-only)
• Custom-made Starter GPOs (editable); anyone can create and share new custom templates

Group Policy Comments
Windows Vista, Windows Server 2008

• Comments can be attached:
  1. Per Group Policy Object (GPO)
  2. Per Group Policy setting
  3. Per Group Policy Preference (GPP) item

Group Policy Preferences
Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003

Group Policy Preferences functionality overview
• Preference settings: an initial value, not enforced, not a true "policy", and not limited to policy-aware applications
• Greatly extends the number of settings: Computer and User settings, using Control Panel and Windows settings
• New functionality for new settings, a rich UI for easier administration, better (item-level) targeting
• Shipped with Windows Server 2008

Group Policy Preferences: Settings

Control Panel Settings
• Data Sources
• Devices
• Folder Options
• Internet Options
• Local Users and Groups
• Power Options
• Printers
• Scheduled Tasks
• Start menu
• Services

Windows Settings
• Drive Mappings
• Environment
• Folders/Files
• Ini files
• Shares
• Shortcuts
• Registry
• Applications

• Extensible!

Group Policy Preferences: Rich User Interface
• Familiar experience
• Makes settings easy to find and easy to manage
• Better control of individual settings (Red/Green: a red-underlined setting is not applied, a green-underlined one is)
• Powerful browsers

DEMO: Rich User Interface

Group Policy Preferences: Better Targeting
• Item-level targeting, not GPO-level
• Robust targeting: 29 types, Boolean logic (And, Or, Not), grouping
• Windows APIs, not WMI-based
• Intuitive UI: no need to learn query languages
• Powerful browsers

DEMO: Item-level Targeting

Group Policy Preferences Components
• Snap-in extensions (GPMC only, not in local policy)
• Client-Side Extensions (CSEs)

Supported platforms (both x86/x64):

Component   Windows Server 2008   Windows Vista   Windows XP   Windows Server 2003
Snap-in     Included              RSAT            N/A          N/A
CSEs        Included              Download        Download     Download

Remote Server Administration Tools (RSAT)
• New version of the WS2003 "Admin Pack"
• Available as an out-of-band (OOB) web download
• RSAT public Beta available; RSAT RTW available shortly after the WS08 launch
• Installs the WS2008 administration tools on Vista SP1 computers for remote management
• Enables GUI-based remote management for full server and Server Core installations

Group Policy Preferences are NOT Preferences
• By default, a Group Policy Preference item is NOT a preference: it is (re)applied at every GP refresh cycle unless "Apply once and do not reapply" is set on the item
• Refresh is manual (gpupdate) or automatic:
  • Computer Configuration: on a DC every 5 min; on a non-DC every 90 min plus a random offset of up to 30 min (min 90 min, max 120 min)
  • User Configuration: every 90 min plus a random offset of up to 30 min (min 90 min, max 120 min)

Processing Order: Policies versus Preferences
• Who wins? It depends! Client-Side Extensions run in alphabetical order of their GUID, as registered under
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
• One exception: the Registry (Administrative Templates) CSE always applies first
• Last writer wins: a GPP Registry item that writes the same value as an Administrative Template policy is applied later and overwrites it
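To see that order on a real client, here is an added example (not from the deck) that enumerates the GPExtensions key, sorts by GUID the way the engine does, and moves the Administrative Templates CSE to the front. The Registry CSE GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is the documented one; everything else is read from the machine. It is read-only and runs on any Vista/2008 or later client.

```powershell
# Added example, not from the original deck: list the client-side extensions in the
# order the Group Policy engine processes them. Order is the GUID sort of the
# subkeys under GPExtensions, with the Administrative Templates (Registry) CSE,
# {35378EAC-683F-11D2-A89A-00C04FBBCFA2}, always first. Read-only; run on any client.
$key         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$registryCse = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

$cses = Get-ChildItem -Path $key | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Guid = $_.PSChildName
        Name = $p.'(default)'      # friendly name, e.g. "Group Policy Local Users and Groups"
        Dll  = $p.DllName
    }
} | Sort-Object Guid

# Put the Registry CSE first, keep plain GUID order for the rest
$ordered = @($cses | Where-Object { $_.Guid -eq $registryCse }) +
           @($cses | Where-Object { $_.Guid -ne $registryCse })

$i = 0
foreach ($cse in $ordered) {
    $i++
    '{0,2}. {1}  {2,-45} {3}' -f $i, $cse.Guid, $cse.Name, $cse.Dll
}
# Any extension that writes the same registry value as an Administrative Template
# policy (typically a GPP Registry item) appears later in this list and therefore wins.
```

Use the printed position of the GPP Registry extension relative to other GPP extensions when you need to reason about which of two preference items touching the same value ends up on disk.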

Group Policy Preferences: Action Modes
• Create: create the item once, only if it does not exist
• Replace: delete and re-create the item
• Update (default): modify the item's attributes if it exists; behaves like "Create" if it does not exist
• Delete: remove the item

Group Policy Preferences: Reporting
• GPMC Settings Reports: new extension settings, targeting, etc. are shown
• Group Policy Results: shows winning items, but item-level targeting does not show, so the report does not necessarily reflect the final settings
• Group Policy Modeling (What-If): assumes all targeting returns true

Group Policy Preferences: Logging and Troubleshooting
• Configurable per GPP CSE: Application event log and log/trace files
• Enabled through Group Policy: Computer Configuration\Administrative Templates\System\Group Policy\Logging and Tracing
• Defined in GPP.admx (%systemroot%\PolicyDefinitions)
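The XML-based operational log mentioned under "Group Policy Logging" and the GPP Application log entries above are what you actually read when a preference item does not land. This added example (not from the deck) isolates the most recent processing cycle by its ActivityId, the same grouping GPOLogView uses, prints only the warnings and errors from that cycle, and then lists the GPP CSE messages from the Application log. Event ID ranges are Microsoft's documented ones; run it elevated on the client being troubleshot.

```powershell
# Added example, not from the original deck: pull the most recent Group Policy
# processing cycle out of the XML-based operational log and show anything that went
# wrong in it, then list the GPP CSE messages from the Application log.
# Run elevated on the client being troubleshot; event IDs are the documented ones.
$log = 'Microsoft-Windows-GroupPolicy/Operational'

# 4000-4007 = start of a processing cycle (boot/logon/network change/manual/periodic,
# computer or user). 8000-8007 = successful end, 7000-7007 = end with warnings/errors.
# All events of one cycle share an ActivityId; that is what GPOLogView groups on.
$start = Get-WinEvent -LogName $log -MaxEvents 300 |
         Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } |
         Select-Object -First 1
if (-not $start) { throw "No Group Policy processing cycle found in $log" }

$cycle = @(Get-WinEvent -LogName $log -MaxEvents 1000 |
           Where-Object { $_.ActivityId -eq $start.ActivityId })
$end = $cycle | Where-Object {
           ($_.Id -ge 8000 -and $_.Id -le 8007) -or ($_.Id -ge 7000 -and $_.Id -le 7007)
       } | Select-Object -First 1

'Cycle {0} started {1}: {2} events, outcome event {3}' -f `
    $start.ActivityId, $start.TimeCreated, $cycle.Count, $(if ($end) { $end.Id } else { 'none' })

# Level 1 = critical, 2 = error, 3 = warning. Informational events are skipped.
$cycle | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Level, Message | Format-List

# GPP CSEs log to the Application log with sources named "Group Policy <extension>"
# (for example "Group Policy Registry"); the "Logging and Tracing" policy raises their
# verbosity and can add trace files on top of these events.
Get-EventLog -LogName Application -Source 'Group Policy*' -Newest 20 |
    Select-Object TimeGenerated, Source, EntryType, EventID | Format-Table -AutoSize
```

If the outcome event is in the 7000 range, the Level filter above normally shows the CSE that failed (event 7016 carries the extension name and the error code) before you have to turn on trace files at all.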

Things You Should Know About Group Policy Preferences
• GPP has no dependency on Windows Server 2008 (works fine with Windows 2000, Windows Server 2003 and Windows Server 2008 domains)
• The only dependencies are:
  1. GPMC (from Vista SP1 RSAT or WS2008) as the GUI
  2. The GPP CSEs, which are required on Vista, Windows XP and Windows Server 2003
• The GPP CSEs are natively included in Windows Server 2008

GPP Scenarios
• Printer scripts
• Environment variables
• Power schemes
• Password changes
• Registry updates

Example: Printer Scripts
• Targeting: user-based, computer/server-based, security-group-based, departments, floors, AD OU-based, AD site-based

Example: Folder Options & Start Menu UI
• Targeting: standard users versus administrators

Example: Changing Passwords
• Local Users and Groups preference item
• The password is stored in the GPO's Groups.xml in SYSVOL, encrypted with 256-bit AES. Caveat: the AES key is fixed and was published by Microsoft, and every domain user can read SYSVOL, so anyone with domain access can recover these passwords. Microsoft removed the ability to set passwords through GPP with MS14-025 (May 2014); treat any cpassword item still present in SYSVOL as a compromised credential.
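The check a practitioner wants here is an inventory of what is still sitting in SYSVOL. This added example (not from the deck) walks every GPO's Preferences folders for the XML files that can carry a credential, reports the GPO, scope, file and account for each cpassword attribute, and deliberately does not decrypt anything. The file names and attribute names are the ones the GPP extensions write; it runs as an ordinary domain user, which is the point of the caveat above.

```powershell
# Added example, not from the original deck: inventory every GPP item in SYSVOL that
# still carries a cpassword attribute, so the accounts can be rotated and the items
# removed. Detection only; it does not decrypt anything. Works as any domain user,
# which is exactly the problem: everyone who can read SYSVOL can read these values.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
# The GPP extensions that can embed a credential, and the file each one writes
$xmlNames = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $policies -Recurse -Include $xmlNames -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    [xml]$doc = Get-Content -Path $file.FullName
    # Credentials sit on the item's <Properties> element as a cpassword attribute;
    # the account attribute differs per extension, so take the first one present.
    foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
        $account = @($props.userName, $props.runAs, $props.accountName, $props.newName) |
                   Where-Object { $_ } | Select-Object -First 1
        New-Object PSObject -Property @{
            GPO     = $file.Directory.Parent.Parent.Parent.Name   # {GUID} folder of the GPO
            Scope   = $file.Directory.Parent.Parent.Name          # Machine or User
            File    = $file.Name
            Account = $account
            Changed = $props.ParentNode.changed                  # last edit of the item
        }
    }
  }

if (-not $findings) {
    'No cpassword attributes found in SYSVOL.'
} else {
    $findings | Format-Table GPO, Scope, File, Account, Changed -AutoSize
    'Rotate each listed account, delete the items in GPMC, then verify with gpupdate /force.'
}
```

Schedule it against SYSVOL periodically: the MS14-025 update stops administrators from creating new items but leaves existing ones in place, so old GPOs and GPO backups keep the values until someone removes them.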

Example: Setting a Power Scheme
• Power consumption and battery lifetime for desktops/laptops are different
• Targeting: "Does NOT have a battery"

Group Policy: Tomorrow
Windows 7, Windows Server 2008 R2

Remote Server Administration Tools (RSAT) for Windows 7, Windows Server 2008 R2
• Required to see the new GP features!
• Available as an out-of-band (OOB) web download
• RSAT for Windows 7 public Beta available now; RSAT RTW available shortly after the WS08R2 launch
• Installs the WS2008R2 administration tools on Windows 7 computers for remote management
• Enables GUI-based remote management for full server and Server Core installations

New features
Windows 7, Windows Server 2008 R2
• Improved GP Editor user interface
• Default Starter Group Policy Objects
• PowerShell support
• Support for new/updated Windows features

Group Policy Editor
Windows Vista, Windows Server 2008

Group Policy Editor
Windows 7, Windows Server 2008 R2
• Improved user interface in the GP Editor (Administrative Template settings only)
• Support for extra registry value types: REG_MULTI_SZ (multi-string) and QWORD values

System Starter GPOs
Windows 7, Windows Server 2008 R2
• Included by default as read-only (System) Starter GPOs
• Based on the Windows Vista Security Guide: Windows Vista Enterprise Client (EC), Windows Vista Specialized Security Limited Functionality (SSLF) Client
• Based on the Windows XP Security Guide: Windows XP Service Pack 2 (SP2) EC, Windows XP SP2 SSLF Client
• Administrative Template policy settings only

PowerShell Support
Windows 7, Windows Server 2008 R2
• 25 PowerShell cmdlets for Group Policy scripting (the GroupPolicy module)
• GPO operations: creation, removal, backup and import
• GPO link operations: creation, update and removal; setting inheritance flags and permissions on Active Directory organizational units (OUs) and domains
• GPO settings: create, update, retrieve and remove; only registry-based policy settings (Administrative Templates)
• GPP settings: create, update, retrieve and remove; registry items only, no item-level targeting
• Starter GPO operations: creation and update

PowerShell Cmdlets
Windows 7, Windows Server 2008 R2

Examples
• Import-Module GroupPolicy -Verbose
• New-GPO "My GPO" -Comment "Created with PS"
• New-GPStarterGPO "My StarterGPO"
• Set-GPRegistryValue …
• Set-GPPrefRegistryValue …
• Backup-GPO -All -Path C:\GPO.Backups

New to PowerShell?
• Get-Command *GP* -CommandType Cmdlet
• Get-Help Set-GPRegistryValue -Examples
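The one-liners above strung together into one runnable lifecycle, as an added example (not from the deck): it creates or reuses a GPO, writes one managed Administrative Template value and one GPP registry item so the difference between the two is visible side by side, links the GPO without enforcing it, reads both values back, and finishes with the backup and an HTML report. It assumes Windows 7 / 2008 R2 RSAT, a session allowed to create and link GPOs, and that the GPO name, the OU distinguished name and the Contoso registry key are illustrative.

```powershell
# Added example, not from the original deck: a complete GPO lifecycle with the Windows 7 /
# 2008 R2 GroupPolicy module. Creates (or reuses) a GPO, sets one Administrative Template
# policy and one GPP registry item, links it, reads it back, backs it up and reports on it.
# Assumptions: RSAT installed, run with rights to create and link GPOs; the GPO name, the
# OU distinguished name and the Contoso registry key are illustrative.
Import-Module GroupPolicy

$gpoName   = 'Workstation Baseline'
$ou        = 'OU=Workstations,DC=corp,DC=example'
$backupDir = 'C:\GPO.Backups'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Created with PS' }

# Managed policy (Administrative Template, registry-based): UAC consent prompt for admins.
# Written under \Policies; the client reverts it when the GPO stops applying.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'ConsentPromptBehaviorAdmin' -Type DWord -Value 2 | Out-Null

# Preference item (GPP Registry): an initial value outside \Policies, not reverted on removal.
# -Action Update creates the value if missing and modifies it otherwise; no targeting via PS.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update `
    -Key 'HKLM\SOFTWARE\Contoso' -ValueName 'HelpdeskPhone' -Type String -Value '+32 2 555 0100' | Out-Null

# Link enabled but not enforced, so a GPO linked closer to the computer can still override.
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced No | Out-Null }

# Read back what was written, then back up and report (the HTML report shows GPP items too).
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Get-GPPrefRegistryValue -Name $gpoName -Context Computer -Key 'HKLM\SOFTWARE\Contoso'
if (-not (Test-Path $backupDir)) { New-Item -Path $backupDir -ItemType Directory | Out-Null }
Backup-GPO -Name $gpoName -Path $backupDir -Comment ('Before rollout ' + (Get-Date -Format s))
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir 'Workstation Baseline.html')
```

The backup before linking is the rollback path: Import-GPO -BackupGpoName 'Workstation Baseline' -Path C:\GPO.Backups -TargetName 'Workstation Baseline' restores the settings if the rollout has to be undone.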

PowerShell & GPO Scripts
Windows 7, Windows Server 2008 R2
• PowerShell scripts are supported as GPO startup/shutdown and logon/logoff scripts
• By default, Windows PowerShell scripts run after non-PowerShell scripts; the policy setting "Run Windows PowerShell scripts first at computer startup, shutdown" (and its user logon/logoff counterpart) reverses that order

New/Updated Policy settings in Windows 7, Windows Server 2008 R2
• Up to 2,500+ policy settings before Windows 7; +300 in Windows 7 (about 2,800 in total)
• Group Policy is a basic Windows "manageability" requirement
• Policy settings greatly expanded in a number of areas: BranchCache, BITS, Offline Files, Biometrics, Troubleshooting and Diagnostics, Windows Defender, User Account Control, Internet Explorer, Smartcard, Windows Error Reporting, AppLocker, System Audit Policies, Desktop Shell, BitLocker Drive Encryption, Remote Assistance

Application Control: Enhance Security and Control

Situation today
• Users can install and run unapproved applications; even standard users can install some types of software
• Unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity and undermine compliance efforts

Windows 7 solution: AppLocker
• Eliminate unwanted/unknown applications in your network
• Enforce application standardization within your organization
• Easily create and manage flexible rules using Group Policy

AppLocker Policy Elements
• Rule collections (4 areas): Executable rules (.exe), Windows Installer rules (.msi, .msp), Script rules (.ps1, .bat, .cmd, .vbs, .js), DLL rules (.dll, .ocx; this collection is off by default and must be enabled explicitly)
• Rule permissions: Allow rules (whitelisting) for approved software, Deny rules (blacklisting) for declined software
• Rule conditions (criteria): Hash rules, Path rules, Publisher rules (based on the file's digital signature)

DEMO: AppLocker
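What the demo does in the MMC, done with the AppLocker cmdlets that ship with Windows 7 / 2008 R2, as an added example (not the deck's own demo): inventory what is already installed, generate publisher rules for signed files and hash rules for the rest, switch every collection to audit-only, dry-run two files against the policy before anyone is affected, and read the audit events back. It assumes Windows 7 Enterprise/Ultimate or 2008 R2 with RSAT, an elevated session, and that the GPO name 'AppLocker Audit' and the path C:\Users\Public\tool.exe are illustrative.

```powershell
# Added example, not from the original deck: build an AppLocker policy from the software
# already installed, run it in audit-only mode, dry-run two files against it, and read the
# audit events. Assumptions: Windows 7 Enterprise/Ultimate or 2008 R2 with RSAT, elevated;
# the GPO name 'AppLocker Audit' and C:\Users\Public\tool.exe are illustrative.
Import-Module AppLocker
Import-Module GroupPolicy

# 1. Inventory executables; each record carries the publisher (if signed), hash and path.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Publisher rules for signed files, hash rules for the rest; -Optimize collapses
#    many files from one publisher into a single rule.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix 'Inventory' -Optimize

# 3. Audit only: a non-matching file still runs but is logged as event 8003.
#    AppLocker has whitelist semantics: once a collection has any rule, everything the
#    rules do not allow is denied. A collection with no rules allows everything.
foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }

# 4. Dry run before deploying: calc.exe lives outside the inventoried folder, so unless a
#    rule covers it the decision is Denied (in audit mode: logged, not blocked).
Test-AppLockerPolicy -PolicyObject $policy -User Everyone `
    -Path 'C:\Windows\System32\calc.exe', 'C:\Users\Public\tool.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Deploy into a GPO (drop -Ldap to write the local policy instead). Clients also need
#    the Application Identity service running, or the policy is silently not evaluated.
$gpo = Get-GPO -Name 'AppLocker Audit'
Set-AppLockerPolicy -PolicyObject $policy -Ldap "LDAP://$($gpo.Path)"
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. What would have been blocked (8003) or was blocked (8004) on this machine
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 -or $_.Id -eq 8004 } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The 8003 events collected over a few weeks are the input for the allow rules you were missing; only after that list stops growing is it safe to change EnforcementMode to Enabled.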

AppLocker versus Software Restriction Policies (SRP)

Feature         Software Restriction Policies                          AppLocker
Policy scope    OU (via GPO scope)                                     OU (via GPO scope), user, groups
Rule types      Hash, Path, Certificate, Internet Zone rules           Hash, Path, Publisher rules
Audit-only      No                                                     Yes
Import/Export   No                                                     Yes
OS support      Windows XP, WS 2003 (R2); Windows Vista, WS 2008;      Windows 7, WS 2008 R2
                Windows 7, WS 2008 R2

Advanced System Auditing: Enhance Security and Control
• Allows setting granular (subcategory) audit policies through Group Policy
• Before, only through the CLI (auditpol.exe)
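The caveat that goes with granular auditing: subcategory settings are overwritten by any legacy category-level audit policy still linked somewhere unless the "force subcategory settings" security option is on. This added example (not from the deck) verifies that switch through the registry value it sets, then configures and reads one subcategory with auditpol.exe, the CLI the slide refers to. It assumes an elevated session and the English auditpol output format.

```powershell
# Added example, not from the original deck: the check that goes with granular auditing.
# Subcategory settings from "Advanced Audit Policy Configuration" are overwritten by any
# legacy category-level audit policy unless the override switch is on; this script verifies
# the switch, then sets and reads one subcategory the way the CLI still allows. Run elevated.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    'WARNING: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override'
    'audit policy category settings" is not enabled; category-level settings from a GPO will'
    'overwrite the granular subcategory settings below.'
}

# Process Creation (event 4688) is the subcategory detection teams usually want first.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:disable | Out-Null
auditpol.exe /get /category:"Detailed Tracking"

# Effective subcategory settings as CSV, usable for drift checks against a baseline
$effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

Running the last two lines on a machine after a GP refresh, and comparing with the GPO's Advanced Audit Policy Configuration, is the fastest way to prove whether the legacy override problem is biting you.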

Group Policy Preferences
Windows 7, Windows Server 2008 R2

Group Policy Preferences: New Extensions
• Power Plans (Windows Vista and later): create, change and set active
• Scheduled Tasks (Windows Vista and later): richer Task Scheduler options
• Immediate Task (Windows Vista and later): runs immediately upon the GP refresh and is removed afterwards
• Internet Explorer 8

Group Policy Preferences: Power Plans
• Power Plans (Windows Vista and later): set the current/active power plan; allows custom power plans to be set; allows the user to change the active power plan

Group Policy Preferences: Scheduled Tasks
• Scheduled Tasks (Windows Vista and later): richer Task Scheduler options

Group Policy Preferences: Internet Explorer 8

CONCLUSION

Today
• Group Policies (GP): GPO Filtering, MLGPOs, Central Store, Starter GPOs, Comments
• Group Policy Preferences (GPP): Rich UI, Item-level Targeting

Tomorrow
• Group Policies (GP): GP Editor UI, Starter GPOs, PowerShell support, new features (AppLocker, granular audit policies)
• Group Policy Preferences (GPP): new extensions

RESOURCES
• Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
• Group Policy Team Blog: http://blogs.technet.com/grouppolicy
• Group Policy Wiki: http://grouppolicy.editme.com
• Windows Server 2008 Blog by Kurt Roggen [BE]: http://trycatch.be/blogs/roggenk
• TechNet ChopSticks: http://www.microsoft.com/belux/technet/nl/chopsticks
• Group Policy Settings Reference, Windows Vista: http://go.microsoft.com/fwlink/?LinkId=54020
• Deploying Group Policy Using Windows Vista: http://go.microsoft.com/fwlink/?LinkId=77080
• How to troubleshoot Group Policy using Event logs: http://go.microsoft.com/fwlink/?LinkId=74139

http://TryCatch.be/blogs/roggenk

Thank you!

