Robert's Virtual Networking (east82.com)

Using Group Policy Objects with Windows Server 2003

A short (very short) primer on group policies

Domain controllers, member servers and clients are all affected by Microsoft group policy objects, GPO's. Here is what they are and how they work. When a user fires up her machine or logs on to a computer that is part of a Windows domain, in our case a Windows Server 2003 domain, group policies are applied. Computer policies are processed at startup, before the CTRL+ALT+DEL screen appears; user policies are applied when the user logs on to the domain.

The user's desktop is locked down by modifying registry settings; other settings, such as software installation or mapping network drives, are generally applied using scripts. GPO's are applied in a hierarchical fashion, and a user and / or computer may have several GPO's assigned. Here are the basics of how GPO's are applied.

  • GPO's can be assigned, or linked, to the objects below and are processed in the following order:
    • Local GPO - This is the one that resides on your machine.
    • Site - An Active Directory site represents a physical geographical area and serves as a way to map out the physical layout of your AD domain.
    • Domain - This is the major container for Active Directory folders, users, groups, computers and OU's.
    • Organizational Unit - This is the bread and butter of GPO application and management. OU's kinda look like folders, but are used specifically to group users and machines for GPO management.

If more than a single GPO affects a user or computer, which is almost always the case, they accumulate, with domain settings overriding site settings and OU settings overriding domain settings. If there are two or more GPO's in the same container, i.e. an OU, the ones listed first will be applied and cascade (accumulate). GPO's can be set with a "block inheritance" or "no override" option, with the "no override" option taking precedence.
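Here is an added example, not part of the original how-to, that models the processing order just described so you can predict which value a single setting ends up with. The link list is constructed for illustration, "no override" is modelled as Enforced (the GPMC's name for it), and nothing here talks to Active Directory.

```powershell
# Added example: predict the winning GPO for one setting under the
# Local -> Site -> Domain -> OU processing order, with block inheritance and
# no override (Enforced). Links are a constructed list in processing order.
function Resolve-GpoSetting {
    param([array]$Links)   # each link: @{ Level; Gpo; Value; Enforced; BlockInheritance }
    $normal = @()          # non-enforced links that set this value, accumulated top-down
    foreach ($link in $Links) {
        if ($link.BlockInheritance) {
            # Block inheritance discards the non-enforced settings inherited from the
            # levels above this container; the local GPO is not a link, so it stays.
            $normal = @($normal | Where-Object { $_.Level -eq 'Local' })
        }
        if ($link.Value -eq $null -or $link.Enforced) { continue }
        $normal += $link   # later (lower) links override earlier ones
    }
    $winner = $null
    if ($normal.Count -gt 0) { $winner = $normal[-1] }
    # Enforced links beat everything below them, and among enforced links the
    # highest level wins, so apply them from the bottom up: the last one applied
    # (the highest) ends up as the winner.
    for ($i = $Links.Count - 1; $i -ge 0; $i--) {
        if ($Links[$i].Enforced -and $Links[$i].Value -ne $null) { $winner = $Links[$i] }
    }
    return $winner
}

# Constructed scenario: the domain enforces "Denied"; the Testing OU both blocks
# inheritance and sets "Allowed" in Desktop Lockdown. Enforced wins anyway.
$links = @(
    @{ Level = 'Local';  Gpo = 'Local GPO';        Value = 'Allowed'; Enforced = $false; BlockInheritance = $false },
    @{ Level = 'Site';   Gpo = 'Site Baseline';    Value = $null;     Enforced = $false; BlockInheritance = $false },
    @{ Level = 'Domain'; Gpo = 'Domain Security';  Value = 'Denied';  Enforced = $true;  BlockInheritance = $false },
    @{ Level = 'OU';     Gpo = 'Desktop Lockdown'; Value = 'Allowed'; Enforced = $false; BlockInheritance = $true }
)
$r = Resolve-GpoSetting $links
"Winner: $($r.Gpo) at $($r.Level) -> $($r.Value)"
```

Flip the domain link's Enforced to $false and the OU's block inheritance wins instead, so Desktop Lockdown's "Allowed" comes out on top.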
[Screenshot: Active Directory Users and Computers (ADUC)]

Using the GPMC

The group policy management tools that come with Windows Server 2003 suck, and suck bad. The good news is that M$ realized this and gave us the Group Policy Management Console (GPMC), a one stop place to manage your GPO's. They've even gone a step further recently by releasing Advanced Group Policy Management. AGPM is beyond our needs for this how-to. First, download the GPMC and install it (it runs as an MMC snap-in). Once installed, start the GPMC by going to Start >> Administrative Tools >> Group Policy Management.

Take a moment to explore the user interface.
[Screenshot: Group Policy Management Console]

Creating, Linking and Applying a GPO

If you built your network around the lab on this site, you'll have three new OU's. We'll be concentrating on limiting the single user, labrat, that resides in the "Testing" OU.

The scenario is this: labrat is a new hire directly out of high school. She's a sharp programmer and has a bright future. However, she's new to the workplace and has some very specific functions for now, namely reviewing code. So, we are going to lock down her desktop until she is past her probation period.

There are tons of GPO settings, into the thousands actually, and we're not going over each and every one. We'll hit on a couple and look at the Resultant Set of Policy, RSoP, just to give you a taste of what GPO's can do for you. Let's go.

With the GPMC open, right-click the "Testing" OU and select Create and Link a GPO Here. Name it "Desktop Lockdown". Once created, right-click the new GPO and select Edit. You'll see two sections, "Computer Configuration" and "User Configuration". We'll edit our settings under User Configuration.

  • Prevent Windows update access - User Configuration >> Administrative Templates >> Start Menu and Taskbar >> Remove links and access to Windows Update. Enable
  • Prevent labrat from using the run dialog - User Configuration >> Administrative Templates >> Start Menu and Taskbar >> Remove Run menu from Start Menu. Enable
  • Disable command prompt - User Configuration >> Administrative Templates >> System >> Prevent access to the command prompt. Enable
  • Prevent access to Control Panel - User Configuration >> Administrative Templates >> Control Panel >> Prohibit access to the Control Panel. Enable
  • Remove all desktop items and prevent right-click on desktop - User Configuration >> Administrative Templates >> Desktop >> Hide and disable all items on the desktop. Enable

Finally, we want to map a network drive, specifically the share created on our Windows server. In our scenario this is where the programmers will dump their files for labrat to go over. On the GPMC navigate to User Configuration >> Windows Settings >> Scripts (Logon/Logoff) and double-click Logon in the right pane.

When the Logon properties dialog appears click on Show Files. Right-click in the white space of Windows Explorer and select New >> Text Document. Change the name of the file to "mapdrive.bat". Right-click the newly named file and select Edit. Add the following text to ensure the drive will be mapped.

REM Drop any stale T: mapping, then map T: to the Public share on lasker
net use t: /delete
net use t: \\lasker\Public /persistent:yes

Save the "mapdrive.bat" file and close Windows Explorer. You should be back at the Logon properties dialog. Click on the Add button and then browse to your file. Add the file and "OK" your way out.

The script first deletes drive "T" then maps it as persistent, meaning it will map again at next start up. Yes, the script is a bit conflicting, but I don't want to take any chances and this, IMHO, is the best solution for mapping a drive for a user. Start or restart the XP machine and log on to the domain as the user "labrat".
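To confirm the lockdown landed rather than eyeballing the desktop, here is an added check script (not part of the original how-to) to run as labrat on the XP client after logon; it assumes PowerShell 2.0 is installed there. The value names are the real registry values that the five Administrative Template settings above write into the user hive, and the T: check relies on the persistent mapping being recorded under HKCU\Network.

```powershell
# Added example: verify the "Desktop Lockdown" GPO and the mapdrive.bat logon
# script took effect for the current user. Assumes PowerShell 2.0 on the client.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Registry values behind the Administrative Template settings set in the GPO
$expected = @(
    @{ Setting = 'Remove links and access to Windows Update'; Path = $explorer; Name = 'NoWindowsUpdate' },
    @{ Setting = 'Remove Run menu from Start Menu';            Path = $explorer; Name = 'NoRun' },
    @{ Setting = 'Prevent access to the command prompt';       Path = $system;   Name = 'DisableCMD' },
    @{ Setting = 'Prohibit access to the Control Panel';       Path = $explorer; Name = 'NoControlPanel' },
    @{ Setting = 'Hide and disable all items on the desktop';  Path = $explorer; Name = 'NoDesktop' }
)

function Test-LockdownPolicy {
    foreach ($e in $expected) {
        $item  = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($e.Name) } else { $null }
        New-Object PSObject -Property @{
            Setting = $e.Setting
            Value   = $value
            Applied = ($value -ne $null -and $value -ne 0)   # a non-zero DWORD means enabled
        }
    }
}

function Test-MappedDrive {
    param([string]$Letter = 'T', [string]$Share = '\\lasker\Public')
    # "net use ... /persistent:yes" records the mapping under HKCU\Network\<letter>;
    # a missing key or a different RemotePath means the logon script did not do its job.
    $key = Get-ItemProperty -Path "HKCU:\Network\$Letter" -ErrorAction SilentlyContinue
    return ($key -ne $null -and $key.RemotePath -ieq $Share)
}

Test-LockdownPolicy | Format-Table Setting, Value, Applied -AutoSize
if (Test-MappedDrive) { 'T: is mapped to \\lasker\Public' }
else { 'T: is not mapped: check that mapdrive.bat ran at logon' }

# Caveat: DisableCMD = 1 means "Disable the command prompt script processing also"
# was answered Yes, which stops .bat files, including this GPO's own mapdrive.bat
# logon script, from running. DisableCMD = 2 disables the prompt but leaves batch
# files alone, which is what you want when the drive mapping is a batch script.
```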
[Screenshot: Group Policy Object applied]

[Screenshot: GPO result]

That's pretty much it. From this how-to you should have a foundational understanding of GPO's. There is a bunch of other info out there. Just Google. Here are some sites to help you expand your knowledge.

./Robert