Implementing Group Policy in Windows Server 2016
Group Policy, a feature of the Microsoft Windows NT family of operating systems, is deployed to control the working environment of user accounts and computer accounts. This feature provides centralized management and configuration of operating systems, applications and user settings in Active Directory environments.
A standalone version called Local Group Policy (LGPO or LocalGPO) allows Group Policy Object management on non-domain computers.
Exploring Group Policy Objects
Windows Server 2016 installations come with Group Policy Management by default. Perform a search for the console and launch it. Be aware that, just like the past lesson on Implementing DNS in Windows Server 2016, there are a lot of components that make up Group Policy implementation and management.
IT engineers and network administrators stand to benefit from understanding the concept, which streamlines user resource allocation, management and the enforcement of security policies across an organization’s domain. Let’s take a closer look at the console.
Expand the forest to display the Default Domain Policy, Sites, Group Policy Modelling and Group Policy Results. Notice that the organizational units we created in earlier lessons appear in this window.
Expand the Domains tree and click on your local domain to inspect the tabs associated with the object. The Status tab shows the status of Active Directory and SYSVOL replication for your domain as it relates to Group Policy. If you have other domain controllers on the network, clicking Detect Now will gather information from all those domain controllers.
Any linked Group Policy Objects will be displayed in this tab. Notice the default policy is linked but not currently enforced.
Any Group Policy Inheritance will be displayed here. The tab contains
the default domain policy.
The Delegation tab displays all users and groups with permissions for containers and all child containers in the domain. You can add or remove users or groups by clicking the button.
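The same information can be pulled from PowerShell for review or change tracking. The script below is an added example, not part of the original lesson: it lists the domain root's GPO links with their Enabled/Enforced state, the inherited precedence order, and who holds edit rights on each linked GPO. It assumes the GroupPolicy module (installed with the Group Policy Management console) and a domain-joined session.

```powershell
# Added example: read-only audit of GPO links, inheritance and GPO edit rights.
Import-Module GroupPolicy

# Assumption: the domain DN is derived from the logged-on user's DNS domain.
$domainDn = ($env:USERDNSDOMAIN.Split('.') | ForEach-Object { "DC=$_" }) -join ','

$inheritance = Get-GPInheritance -Target $domainDn

# GPOs linked directly to the domain root, with link state.
$inheritance.GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Effective precedence after inheritance is evaluated.
"Inheritance blocked: $($inheritance.GpoInheritanceBlocked)"
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize

# Trustees that can modify each linked GPO. Anyone listed here can change
# settings that apply to every user or computer in scope of the link.
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
foreach ($link in $inheritance.GpoLinks) {
    Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $editRights -contains $_.Permission.ToString() } |
        Select-Object @{ n = 'GPO';     e = { $link.DisplayName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission
}
```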
Creating Group Policy Objects in Server 2016
When the Group Policy Management console is launched, you will see any organizational units available including the Group Policy Object container. Bear in mind that this object is not available in Active Directory and any new policies created will have to be linked to the Domain or Sites as pictured below.
Expand the Group Policy Object Tree to reveal Default Domain Controller Policies and let’s begin.
1. Right Click on the Group Policy Object tab and select New to create a new group policy.
4. Once the new GPO is created, you have the option to link containers which correspond to the Organizational Units we created in our previous lesson. Right Click on the container you wish to apply group policies to and select Link an Existing GPO.
5. A dialog box should now open specifying the domain you’re looking to apply policies to at the top. Notice the New Demo GPO we created, listed at the bottom. Select and Click OK to apply policy settings to Users or Computers contained in that particular Organizational Container Unit.
6. Bear in mind, there are two ways of creating GPOs. The first is achieved by Right Clicking Group Policy Objects > New, offering administrators the tool to set all the policies before linking them to a container.
The second method involves Right Clicking the specific OU container and selecting ‘Create a GPO in this domain, and Link it here’. As pictured below, all policies are applied immediately to the OU container.
7. We are now ready to edit our newly created New Demo GPO. Right click on the object and Edit.
8. You should see the Group Policy Management Editor window open with two main settings for Computer Configuration and User Configuration. Any changes made can be applied to users and/or computers in your domain. Notice both configurations have editable Policies and Preferences.
9. It is a good idea to become familiar with all the settings and the functionality that can be configured. Expand the configuration tree and inspect all the tabs.
Below are the elements found in Computer Configuration > Policies:
Software Settings > Software installation.
Windows Settings > Name Resolution Policy, Scripts (Startup/Shutdown), Deployed Printers, Security Settings, Policy-based QoS.
Administrative Templates > Control Panel, Network, Printers, Server, Start Menu and Taskbar, System, Windows Components, All settings.
10. Expand the tree to inspect elements for Computer Configuration > Preferences. Various configuration settings can be found, as listed below:
Windows Settings > Environment, Files, Folders, Ini Files, Registry, Network Shares, Shortcuts.
Control Panel Settings > Data Sources, Devices, Folder Options, Local Users and Groups, Network Options, Power Options, Printers, Scheduled Tasks, Services.
11. Very similar settings tabs can be found under User Configuration, with the only difference being that Scripts are named Logon/Logoff as opposed to Startup/Shutdown for Computer Configuration Policies. A Folder Redirection tab can also be found under the User Configuration settings, which is absent from the Computer Configuration settings we inspected above.
Expand the User Configuration tree > Policies to reveal the settings listed below:
Software Settings > Software installation.
Windows Settings > Scripts (Logon/Logoff), Security Settings, Folder Redirection, Policy-based QoS, Deployed Printers.
Administrative Templates > Control Panel, Network, Printers, Server, Start Menu and Taskbar, System, Windows Components, All settings.
Expand the User Configuration tree > Preferences to reveal the settings listed below:
Windows Settings > Applications, Drive Maps, Environment, Files, Folders, Ini Files, Registry, Shortcuts.
Control Panel Settings > Data Sources, Devices, Folder Options, Internet Settings, Local Users and Groups, Network Options, Power Options, Printers, Regional Options, Scheduled Tasks, Start Menu.
Click on Policies > Administrative Templates > System to see a host of settings such as Removable Storage Access, Folder Redirection, Prevent Access to registry editing tools among others.
To see all available settings at your disposal, Click All Settings.
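The first creation method from step 6 (configure the GPO before anything is linked) can also be scripted, which leaves a reviewable record of exactly what was set. This is an added example, not from the original lesson. The OU path and report file name are hypothetical placeholders, and the registry value shown is assumed to be the one behind the "Prevent access to registry editing tools" template.

```powershell
# Added example: create a GPO unlinked, configure it, review it, then link it.
Import-Module GroupPolicy

$gpoName  = 'New Demo GPO'                        # GPO name used in this lesson
$targetOu = 'OU=Demo Users,DC=example,DC=local'   # hypothetical OU, replace with yours
$report   = Join-Path $env:TEMP 'New-Demo-GPO.html'

# 1. Create the GPO without linking it, so nothing applies yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Created unlinked; review before linking'
}

# 2. Configure a registry-based User Configuration policy.
#    Assumption: DisableRegistryTools = 2 corresponds to the enabled template
#    with silent regedit also blocked; confirm in the editor before relying on it.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 2 | Out-Null

# Only user settings are defined, so skip computer-side processing.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 3. Export the settings for review or change-control records.
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
"Review the settings in $report before enabling the link."

# 4. Add the link in a disabled state (this errors if the link already exists).
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled No

# 5. After the report has been reviewed, turn the link on.
Set-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes
```

Creating the link disabled keeps the review step between configuration and enforcement, which the second method in step 6 skips because the GPO applies as soon as it is created.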
A Quick Glance at Starter GPOs
On the main Group Policy Management interface, you will see a tab labelled Starter GPO, which may contain pre-set condition policies that may be applied to users and/or computers in your domain.
Click on the tab and inspect its properties on the right pane. You may find this folder has not been created yet. Click to Create Starter GPOs Folder.
Depending on the server operating system you’re running, a handful of policies should appear in this window. Further customized policies can be downloaded from Microsoft or third parties; however, this lab will focus on creating and setting our own policies to affect domain users and computers.
Final Thoughts
We hope this introductory article was useful in explaining the Group Policy infrastructure in Windows Server, how to access it, and the various components and settings that make up the editor.
You may want to pin the icon to your taskbar, as we'll be delving deeper into using Group Policy tools to implement structured, restricted access control over resources on our network.
Do leave some comments on other ways to perform this task to help other students learn more.
Thank you for investing your time with us.
Written By: www.codexploitcybersecurity.com
Twitter: @ixploitsecurity
Facebook: https://www.facebook.com/icybersecure
Credits to all organisations and development teams at Microsoft Corporation