
Group Policy Objects and Group Policy Preferences under Windows Server 2012 R2

In this article I discuss various aspects of Group Policy Objects and Group Policy Preferences under Windows Server 2012 R2. Knowing them is important when you have to manage Windows Server.

Group Policy Objects under Windows Server 2012 R2

Default GPO Permissions

  • Full Access
    • Domain Admins
    • Enterprise Admins
    • Creator Owner
    • Local System
  • Read / Apply
    • Authenticated Users

Grant additional GPO permissions

Group Policy Creator Owners group

To give a user full permission to manage all GPOs, simply add them to the "Group Policy Creator Owners" group.


Delegation of Control Wizard

To give a user permissions in one OU, use the "Delegation of Control" Wizard:

  • Right-click on the OU
  • Choose "Delegate Control"
  • Choose "Next"
  • Choose the user you want to give additional access to and click "Next"
  • Choose the permissions and finish the wizard.

Delegation tab

To give someone specific permissions you can also use the "Delegation" tab in Group Policy Management. Note that there are more options under "Advanced".
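
What the "Delegation" tab shows can also be read for every GPO at once with the GroupPolicy PowerShell module, which makes it easy to spot edit rights granted beyond the defaults listed under "Default GPO Permissions". This is an added example, not part of the original article; it assumes a domain-joined machine with the Group Policy Management tools installed, and the `$expected` list is an assumption to adjust for your domain.

```powershell
# Added example: list trustees that can edit GPOs but are not in the
# default set named under "Default GPO Permissions".
# Assumption: domain-joined machine with the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

# Trustees expected to hold edit rights by default (adjust to your domain).
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER'

# Levels that allow changing a GPO. GpoCustom is a non-standard ACL and is
# included so that it gets reviewed by hand.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $perm.Permission.ToString()
        # Unresolved SIDs have an empty name and are therefore reported too.
        if ($editLevels -contains $level -and
            $expected -notcontains $perm.Trustee.Name) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = '{0}\{1}' -f $perm.Trustee.Domain, $perm.Trustee.Name
                TrusteeSid = $perm.Trustee.Sid.Value
                Permission = $level
                Denied     = $perm.Denied
            }
        }
    }
}

$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```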


GPO Security Settings

Audit policy

With "Audit Policy" you create an event any time an object of a certain type is accessed. You find the setting under:

  • Computer Configuration
  • Policies
  • Windows Settings
  • Local Policies
  • Audit Policy

That's only half the story:

  • Go to the object you want to audit (here it is a file)
  • Right-click on it
  • Properties
  • Security
  • Advanced
  • Auditing
  • Add the objects (users or groups) whose access you want to audit

To review the audited access, check the Security event log.
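
The two halves of the procedure above and the event log check, written in PowerShell. This is an added example and not part of the original article; the file path and the audited principal are placeholders, and it assumes an elevated session on the machine that holds the file.

```powershell
# Added example. Assumptions: elevated session on the machine that holds the
# file; $path and $who are placeholders.
$path = 'C:\Data\report.docx'   # hypothetical file to audit
$who  = 'Everyone'              # principal whose access is recorded

# Half 1: confirm that the audit policy from the GPO has arrived
# (category names are localized on non-English systems).
auditpol /get /category:"Object Access"

# Half 2: add an auditing entry (SACL) to the file, the scripted equivalent
# of Properties > Security > Advanced > Auditing.
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $flags)
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: read event ID 4663 ("An attempt was made to access an object")
# from the Security log and keep the entries for the audited file.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Turn the event's named data fields into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['ObjectName'] -eq $path) {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
} | Format-Table -AutoSize
```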

User rights

Assign specific rights to a user via policy under:

  • Computer Configuration
  • Policies
  • Windows Settings
  • Local Policies
  • User Rights Assignment

Security options

Assign specific security options via policy under:

  • Computer Configuration
  • Policies
  • Windows Settings
  • Local Policies
  • Security Options

What is the difference between "Security Options" and "User Rights Assignment"?

"Security Options" are special options concerning Security like "Removable devices are allowed to format" or "Interactive logon require smartcard". "User Rights Assignment" are explicit permissions that you give to a user (or group) like "Restore files and directories" or "Shutdown a system".

Take a special look at the "User Account Control: ..." settings.

UAC is what produces the annoying User Account Control prompts.

In the "User Account Control" section of the security options you define its behaviour.

Find some more information in the article What is User Account Control?

Enabling Block Inheritance and Enforced option for GPOs

Block Inheritance stops a container from inheriting GPO settings from the levels above it. The Enforced option makes a GPO's settings apply even where inheritance is blocked.

Both options should be used carefully because they increase complexity.

http://itfreetraining.com has published a video which has some good explanations.

Processing Order of GPO

Just a reminder: GPOs are processed in the following order:

  • Local
  • Site
  • Domain
  • OU
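
Because Block Inheritance and Enforced change the result of this processing order, it helps to list where they are in use. The following is an added example, not part of the original article; it assumes a domain-joined machine with the GroupPolicy and ActiveDirectory modules, and it covers the domain and OU levels only, since `Get-GPInheritance` does not report local or site policy.

```powershell
# Added example. Assumptions: domain-joined machine with the GroupPolicy and
# ActiveDirectory modules (RSAT) available.
Import-Module GroupPolicy, ActiveDirectory

# The domain root plus every OU in the domain.
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * |
                 ForEach-Object { $_.DistinguishedName })

$report = foreach ($dn in $targets) {
    $som = Get-GPInheritance -Target $dn

    # Links set directly on this container that are marked Enforced.
    $enforced = @($som.GpoLinks | Where-Object { $_.Enforced })

    if ($som.GpoInheritanceBlocked -or $enforced.Count -gt 0) {
        [pscustomobject]@{
            Container          = $dn
            InheritanceBlocked = $som.GpoInheritanceBlocked
            EnforcedLinks      = ($enforced |
                                     ForEach-Object { $_.DisplayName }) -join '; '
            # GPOs that apply to this container, highest precedence first.
            EffectiveOrder     = ($som.InheritedGpoLinks |
                                     Sort-Object Order |
                                     ForEach-Object { $_.DisplayName }) -join ' > '
        }
    }
}

$report | Format-List
```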

Group Policy - What are Restricted Groups for?

Restricted Groups is a GPO setting that allows you to define the membership of a local group. For example, you can set the members of the local Administrators group. Any current member not listed in the Restricted Groups policy will be removed.

You find the Restricted Groups setting under:

  • Computer Configuration
  • Policies
  • Windows Settings
  • Security Settings
  • Restricted Groups

itfreetraining has made a very good video for this topic.

If you just want to add some users, you should use the preference option instead. You find it under:

  • Computer Configuration
  • Preferences
  • Control Panel Settings
  • Local Users and Groups

Group Policy Preferences under Windows Server 2012 R2

Group Policy Preferences are not Group Policies. Originally this was a third-party product, PolicyMaker, that Microsoft purchased. The goal is to do jobs that were formerly done by traditional login scripts. From Windows Server 2008 on, the product is integrated in the "Group Policy Management Editor" under Preferences.

If you want to use Group Policy Preferences on Windows XP you have to make sure that "Group Policy Preferences Client Side Extensions for Windows XP" is installed.

itfreetraining has made a good introduction video to GPP.

GPP...

  • ...support applications and operating system features that are not accessible to Group Policy.
  • ...support item-level targeting (see the Common tab). For example, you can apply things only to systems with OS=Win7.
  • ...settings configured do not disable the related settings in the user interface

Automatically add a user to a local group with Group Policy Preferences

You may want to have the domain administrator as a member of the local administrator group. You can do this on every client again and again, or you can use a GPO:

  • Open the Group Policy Management Console
  • Edit an existing Group Policy Object or create a new one
  • Go to
    • Computer Configuration
    • Preferences
    • Control Panel Settings
    • Local Users and Groups
  • Right-click and choose New -> Local Group
  • Choose the group that should be updated (Administrators)
  • Select the group
  • Members -> Add the desired member
  • Common tab: Check "Apply once and do not reapply."
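
A "Local Users and Groups" preference item like the one created above is stored as Groups.xml in the GPO's Machine\Preferences\Groups folder in SYSVOL, so it can be reviewed to see which accounts a GPO pushes into local groups. The following is an added example, not part of the original article; the XML is a constructed, trimmed sample, and the function name, account names and SIDs are made up for illustration.

```powershell
# Added example. $doc holds a constructed, trimmed Groups.xml; real files carry
# more attributes. To review live data, load the file from a GPO folder instead:
#   [xml]$doc = Get-Content '<GPO folder in SYSVOL>\Machine\Preferences\Groups\Groups.xml'
[xml]$doc = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="0" deleteAllGroups="0"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="EXAMPLE\Domain Admins" action="ADD"
                sid="S-1-5-21-1111111111-2222222222-3333333333-512"/>
        <Member name="EXAMPLE\helpdesk-tmp" action="ADD"
                sid="S-1-5-21-1111111111-2222222222-3333333333-1150"/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

# Hypothetical helper: one output row per member change in the preference item.
function Get-GppGroupChange {
    param([xml]$Xml, [string[]]$Approved)
    foreach ($group in $Xml.Groups.Group) {
        $p = $group.Properties
        foreach ($m in $p.Members.Member) {
            [pscustomobject]@{
                LocalGroup  = $p.groupName
                Member      = $m.name
                Action      = $m.action
                # The item can also empty the group before adding members.
                WipesOthers = ($p.deleteAllUsers -eq '1' -or $p.deleteAllGroups -eq '1')
                Approved    = $Approved -contains $m.name
            }
        }
    }
}

Get-GppGroupChange -Xml $doc -Approved 'EXAMPLE\Domain Admins' |
    Where-Object { $_.LocalGroup -like 'Administrators*' } |
    Format-Table -AutoSize
```

With the sample above, the second member is reported with Approved set to False, which is the row to follow up on.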