1. What Is Configuration Management?
If you have only one computer in your environment (at home, for
example) and you need to make a change (modify the desktop background,
for example), you have several choices. Most people would probably
open Personalization from Control Panel and make the change using the
Windows interface. That works well for one user, but it becomes
tedious if you want to make the change across multiple users. Say, for
example, that you want the same background for yourself and your
family. You have to make the change multiple times, and then if you
ever change your mind and want to change the background yet again, you
have to return to each user’s profile and make the change.
Implementing the change, and maintaining a consistent environment,
becomes even more difficult across multiple computers.
Configuration management is a centralized
approach to applying one or more changes to one or more users or
computers. If you keep that in mind, everything else will be easier to
understand. The key elements of configuration management are:
- A centralized definition of a change, also called a
  setting. The setting brings a user or a
  computer to a desired state of configuration.
- A definition of the users or computers to whom the change
  applies, called the scope of the
  change.
- A mechanism that ensures that the setting is applied to
  users and computers within the scope. This process is called the
  application.
2. An Overview and Review of Group Policy
Group Policy is a framework within
Windows—with components that reside in Active Directory, on domain
controllers, and on each Windows server and client—that allows you to
centrally manage configuration in an AD DS domain. As we turn our
attention to Group Policy, which can become very complex, always
remember that everything boils down to these few basic elements of
configuration management.
The most granular component of Group Policy is an individual
policy setting, also known simply as a
policy, that defines a specific configuration
change to apply. For example, a policy setting exists that prevents
a user from accessing registry editing tools. If you
define that policy setting and apply it to the user, the user will be unable to run tools such as
Regedit.exe. Another policy setting is available that allows you to
rename the local Administrator account. You can use this policy
setting to rename the Administrator account on all user desktops and
laptops, for example.
Thousands of policy settings can be managed by Group Policy,
and the framework is extensible, so you can manage just about
anything with Group Policy. You configure policy settings by using
the Group Policy Management Editor (GPME), shown in Figure 1, or by using Windows
PowerShell.
Policy settings such as the setting that prevents access to
registry editing tools affect a user, regardless of the computer to which the user logs on. Such policy
settings are often referred to as user configuration
settings or user settings. Other
policy settings—such as the one that renames the
Administrator account—affect a computer, regardless of which user
logs on to that computer. Such policy settings are referred to as
computer configuration settings or
computer settings. You will also hear policy
settings categorized as either “user policies” or “computer
policies.” The terminology used in the industry is not exact. You
can see in Figure 1 that
policy settings are grouped into Computer Configuration and User
Configuration collections in the left navigation pane.
Configuring Policy Settings
To define a policy setting, double-click the policy setting in the
GPME. The policy setting’s Properties dialog box
appears. An example is shown in Figure 2.
A policy setting can have one of three states: Not Configured,
Enabled, and Disabled. In a new GPO, every policy setting is Not
Configured, as you can see in Figure 1. This means that the GPO
will not modify the existing configuration of that particular
setting for a user or computer. If you enable or disable a policy
setting, a change is made to the configuration of users and
computers to which the GPO is applied. The effect of the change
depends on the policy setting itself. For example, if you enable the
Prevent Access To Registry Editing Tools policy setting, users will be unable to launch
Regedit.exe—the Registry Editor. If you disable the policy setting,
you ensure that users can launch the Registry Editor. Notice the
double negative in this policy setting: You disable a policy that
prevents an action, so you allow the action.
Some policy settings bundle several configurations into one
policy and might require additional parameters. In Figure 2, you can see
that by enabling the policy to restrict registry editing tools, you can also define whether registry
files can be merged into the system silently, using Regedit
/s.
Note
UNDERSTAND AND TEST ALL POLICY
SETTINGS
Many policy settings are complex, and the effect of enabling
or disabling them might not be immediately clear. Also, some
policy settings affect only certain versions of Windows. Be sure
to review a policy setting’s explanatory text in the Group Policy
Management Editor details pane, shown in Figure 1, or in the Help box of
the policy setting’s Properties dialog box seen in Figure 2.
Additionally, always test the effects of a policy setting, and its
interactions with other policy settings, before deploying a change
in the production environment.
Policy settings are defined and exist within a Group
Policy object (GPO). A GPO is an object that contains one
or more policy settings and thereby applies one or more
configuration settings for a user or computer.
Creating and Managing GPOs
You can manage GPOs in Active Directory by using the Group Policy
Management console (GPMC), shown in Figure 3. GPOs are displayed
in a container named Group Policy Objects.
To create a new GPO in a domain, right-click the Group Policy
Objects container, and then click New.
To modify the configuration settings in a GPO, right-click the
GPO and choose Edit. The GPO opens in the Group Policy Management
Editor (GPME) snap-in, formerly known as the Group Policy Object
Editor (GPO Editor), shown in Figure 1.
The GPME displays the thousands of policy settings available
in a GPO in an organized hierarchy that begins with the division
between computer settings and user settings: the Computer
Configuration node and the User Configuration node. The next levels
of the hierarchy are two nodes called Policies and Preferences. You
will learn about the difference between these two nodes as this
lesson progresses. Deeper in the hierarchy, the GPME displays
folders, also called nodes or policy
setting groups. Within the folders are the policy
settings themselves. The Prevent Access To Registry Editing Tools policy
setting is selected in Figure 1.
Configuration is defined by policy settings in Group Policy objects. However, the configuration
changes in a GPO do not affect computers or users in your enterprise
until you have specified the computers or users to which the GPO
applies. This is called scoping a GPO. The
scope of a GPO is the collection of users and
computers that will apply the settings in the GPO.
You can use several methods to manage the scope of GPOs. The first is the GPO link.
GPOs can be linked to sites, domains, and OUs in Active Directory.
The site, domain, or OU then becomes the maximum scope of the GPO.
All computers and users within the site, domain, or OU, including
those in child OUs, are affected by the configurations specified by
policy settings in the GPO. A single GPO can be linked to more than
one site, domain, or OU.
You can further narrow the scope of the GPO with one of two
types of filters: security filters that specify
security groups (or individual users and computers) to which the
GPO should or should not apply, and Windows Management
Instrumentation (WMI) filters that specify a scope, by using
characteristics of a system such as operating system version or
free disk space. A new GPO is security-filtered to Authenticated
Users by default, which means every user and computer within the
linked container applies it until you change that filter.
Windows Server 2008 introduced a new component of Group
Policy: Group Policy Preferences. Settings that are configured
by Group Policy Preferences within a GPO can be filtered, or
targeted, based on several criteria.
Targeted preferences allow you to further
refine the scope of Preferences within a single GPO.
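The three elements above (definition, scope, and filtering) can all be expressed with the GroupPolicy PowerShell module. The following is an added example, not code from the lesson: it creates a GPO that holds the Prevent Access To Registry Editing Tools user setting, links it to an OU, and narrows the scope with a security filter. The domain, OU, group, and GPO names are assumptions for illustration, and the registry location of the setting (DisableRegistryTools under the Policies\System key) is stated from the Administrative Template rather than from the lesson text.

```powershell
# Added example (not from the original lesson): create a GPO, define one user
# policy setting in it, link it to an OU, and narrow its scope with a security
# filter. Requires the GroupPolicy module (RSAT / Group Policy Management).
# The domain, OU, group and GPO names below are assumptions for illustration.
Import-Module GroupPolicy

$GpoName  = 'Lockdown - Registry Editing Tools'
$TargetOU = 'OU=Workstations,DC=contoso,DC=com'
$ApplyTo  = 'Restricted Users'      # assumed domain security group

# 1. Definition of the change: a new GPO containing the
#    "Prevent access to registry editing tools" user setting. Administrative
#    Template settings are registry values; this one is stored under
#    HKCU\...\Policies\System as DisableRegistryTools:
#      2 = Enabled, "Disable regedit from running silently?" = Yes (blocks regedit /s too)
#      1 = Enabled, but regedit /s is still allowed
#      0 = Disabled (the double negative: users are guaranteed access to the tools)
#    Not Configured is simply the absence of the value from the GPO.
$gpo = New-GPO -Name $GpoName -Comment 'Blocks Regedit.exe for scoped users'
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 2 | Out-Null
# To return the setting to Not Configured later:
#   Remove-GPRegistryValue -Name $GpoName -Key '<same key>' -ValueName DisableRegistryTools

# 2. Scope: link the GPO to the OU. The OU and all of its child OUs are now the
#    maximum scope of the GPO.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 3. Narrow the scope with a security filter. A new GPO grants Authenticated
#    Users both Read and Apply Group Policy. Drop Authenticated Users to Read
#    only (computers and users must still be able to retrieve the GPO), then
#    grant Apply to the intended group. -Replace lowers the existing level
#    instead of adding to it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ApplyTo `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify: the GPO itself, the value as stored in it, and who can apply it.
$gpo | Format-List DisplayName, Id, GpoStatus
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' | Format-List ValueName, Type, Value, PolicyState
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Run this from a management workstation as an account that can create and link GPOs in the target domain. The Get-GPRegistryValue call reads the value back from the GPO's registry.pol, which is the quickest way to confirm that a scripted setting landed where the GPME expects it; if the key or value name is wrong, the GPME shows the value under Extra Registry Settings instead of under the named policy.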
Group Policy Client and Client-Side Extensions
And how, exactly, are the policy settings applied? When a
Group Policy refresh begins, a service running on all Windows
systems (called the Group Policy Client)
determines which GPOs apply to the computer or user. It downloads
any GPOs that it does not already have cached. Then a series of
processes called client-side extensions (CSEs)
do the work of interpreting the settings in a GPO and making
appropriate changes to the local computer or the currently logged-on
user. Each major category of policy setting has CSEs, such as a
Security CSE that applies security changes, a CSE that executes
startup and logon scripts, a CSE that installs software, and a CSE
that makes changes to registry keys and values. Each version of
Windows has added CSEs to extend the functional reach of Group
Policy. Several dozen CSEs are now in Windows.
One of the more important concepts to remember about Group
Policy is that it is client driven. The Group Policy Client pulls
the GPOs from the domain, triggering the CSEs to apply settings
locally. Group Policy is not a “push” technology.
You can configure the behavior of CSEs by using Group Policy.
Most CSEs apply settings in a GPO only if that GPO has changed. This
behavior improves overall policy processing by eliminating redundant
applications of the same settings. Most policies are applied in such
a way that standard users cannot change the setting on their
system—they are always subject to the configuration enforced by
Group Policy. However, some settings can be changed by standard
users, and many can be changed if a user is an administrator on that
system. If users in your environment are administrators on their
computers, consider configuring CSEs to reapply policy settings even
if the GPO has not changed. That way, if an administrative user
changes a configuration so that it is no longer compliant with
policy, the configuration will be reset to its compliant state at
the next Group Policy refresh.
Note
CONFIGURE CSES TO REAPPLY POLICY
SETTINGS EVEN IF THE GPO HAS NOT CHANGED
You can configure CSEs to reapply policy settings, even if
the GPO has not changed, at a background refresh. To do so,
configure a GPO scoped to computers and define the settings in the
Computer Configuration\Policies\Administrative
Templates\System\Group Policy node. For each CSE you want to
configure, open its policy processing setting—for example,
Registry Policy Processing for the Registry CSE. Click Enabled and
select the check box labeled Process Even If The Group Policy
Objects Have Not Changed.
Settings managed by the Security CSE are an important
exception to the default policy processing behavior. Security
settings are reapplied every 16 hours by default even if the GPO has not
changed, so a local administrator's changes to, for example,
user rights or audit settings are undone at that interval without
any further configuration on your part.
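Because an administrative user can overwrite a registry policy value locally and a normal refresh skips an unchanged GPO, it helps to be able to detect that drift before deciding whether to force a refresh or to turn on the reapply behavior described in the note above. The following is an added example, not code from the lesson. The GPO names are assumptions; the registry key used for the Registry CSE's processing policy is quoted from the GroupPolicy.admx template as I recall it, so verify the GUID against the ADMX in your central store before relying on it.

```powershell
# Added example (not from the original lesson): find registry policy values that
# have been changed locally away from what the GPO defines, remediate with a
# forced refresh, and optionally make the Registry CSE reapply settings at every
# background refresh. GPO names are assumptions for illustration.
Import-Module GroupPolicy

function Get-PolicyDrift {
    <# Compares each registry value stored in a GPO under $PolicyKey against the
       live registry of the machine this runs on. Run it in the context the
       setting targets: HKCU values as the affected user, HKLM values elevated. #>
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$PolicyKey    # e.g. 'HKCU\Software\...\Policies\System'
    )
    # Get-GPRegistryValue with no -ValueName returns every entry under the key;
    # subkey entries have no ValueName and are skipped.
    $defined = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ErrorAction Stop |
        Where-Object { $_.ValueName }
    $livePath = $PolicyKey -replace '^HK(CU|LM)\\', 'HK$1:\'
    foreach ($v in $defined) {
        $live = (Get-ItemProperty -Path $livePath -Name $v.ValueName -ErrorAction SilentlyContinue).($v.ValueName)
        [pscustomobject]@{
            Key       = $PolicyKey
            ValueName = $v.ValueName
            Defined   = $v.Value
            Live      = $live
            Drifted   = (-not (Test-Path $livePath)) -or ($live -ne $v.Value)
        }
    }
}

# Check one user policy key (assumed GPO name) and remediate if anything drifted.
$drift = Get-PolicyDrift -GpoName 'Lockdown - Registry Editing Tools' `
    -PolicyKey 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$drift | Format-Table -AutoSize
if ($drift.Drifted -contains $true) {
    # A plain "gpupdate" skips GPOs that have not changed; /force makes every
    # CSE reapply its settings, which resets the drifted values.
    gpupdate /target:user /force | Out-Null
}

# Permanent fix from the note above: enable "Registry policy processing" with
# "Process even if the Group Policy objects have not changed". In the ADMX this
# is NoGPOListChanges = 0 (and NoBackgroundPolicy = 0 to keep background
# processing) under the Registry CSE's key. GUID recalled from GroupPolicy.admx;
# verify it against your central store. The GPO is assumed to exist and to be
# linked to the computers you want to protect.
$ProcessingGpo = 'Baseline - Policy Processing'
$RegistryCseKey = 'HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EBA-AFBC-11D0-8861-A6A9B5F9F4CF}'
Set-GPRegistryValue -Name $ProcessingGpo -Key $RegistryCseKey `
    -ValueName 'NoGPOListChanges' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $ProcessingGpo -Key $RegistryCseKey `
    -ValueName 'NoBackgroundPolicy' -Type DWord -Value 0 | Out-Null
```

The drift report is only meaningful when the GPO is actually within scope of the user or computer you run it on; a value that is "drifted" on a machine outside the scope is simply unmanaged there. The reapply setting costs a little processing at each refresh, which is why it is off by default, so enable it only for the CSEs whose settings your users could realistically tamper with.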
Note
THE ALWAYS WAIT FOR THE NETWORK AT
COMPUTER STARTUP AND LOGON POLICY SETTING
It is highly recommended that you enable the Always Wait For The Network At Computer Startup And
Logon policy setting for all Windows clients. Without this
setting, by default, Windows clients process Group Policy
asynchronously at startup and logon (often called fast logon
optimization), meaning that a client might start up and a user might
log on without receiving the latest policies from the domain.
Settings that require synchronous processing, such as software
installation and folder redirection, can then take up to two
restarts or logons to take effect. This
setting is located in Computer
Configuration\Policies\Administrative Templates\System\Logon. Be
sure to read the policy setting’s explanatory text.
When are policies applied? Policy settings in the Computer
Configuration node are applied at system startup and, by default,
every 90 minutes thereafter plus a random offset of up to 30 minutes
(so every 90 to 120 minutes); domain controllers refresh every 5
minutes. User Configuration policy settings are applied
at logon and every 90 to 120 minutes thereafter. The application of
policies is called Group Policy
refresh, and the periodic application is also called background refresh.
You can also force a policy refresh by using the GPUpdate
command. Plain gpupdate reapplies only GPOs that have changed since
the last refresh; gpupdate /force reapplies all settings.
Computers and users within the scope of a GPO apply the policy
settings specified in the GPO. An individual user or computer is
likely to be within the scope of multiple GPOs linked to the sites,
domain, or OUs in which the user or computer exists. This leads to
the possibility that policy settings might be configured differently in multiple
GPOs. You must be able to understand and evaluate the Resultant Set Of Policy (RSOP), which determines the
settings that are applied by a client when the settings are
configured divergently in more than one GPO.
Slow Links and Disconnected Systems
One of the tasks that can be automated and managed with Group
Policy is software installation. Group Policy Software Installation
(GPSI) is supported by the software installation CSE. You can
configure a GPO to install one or more software packages. Imagine,
however, if a user were to connect to your network over a slow connection. You would not want large software
packages to be transferred over the slow link because performance
would be problematic.
The Group Policy Client addresses this concern by detecting
the speed of the connection to the domain and determining whether
the connection should be considered a slow link. That determination
is then used by each CSE to decide whether to apply settings. The
software extension, for example, is configured to forgo policy
processing so that software is not installed if a slow link is
detected. By default, a link is considered slow if it is less than
500 kilobits per second (kbps).
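The refresh, RSoP, and slow-link behavior described above can all be observed on a client with gpresult, which writes the Resultant Set of Policy as XML. The following is an added example, not code from the lesson: it forces a refresh, then lists for both the computer and the user which GPOs applied, which were filtered out by security or WMI filtering, and whether the Group Policy Client classified the link as slow. The element names are those used in gpresult's RSoP XML report; the output path is an assumption.

```powershell
# Added example (not from the original lesson): force a refresh, then summarize
# the Resultant Set of Policy that gpresult reports for this computer and the
# logged-on user. Run elevated as the logged-on user so both the computer and
# user sections are populated. The report path is an assumption.
function Get-RsopSummary {
    param([string]$ReportPath = "$env:TEMP\rsop.xml")

    # gpresult /x writes RSoP data as XML; /f overwrites an existing file.
    & gpresult.exe /x $ReportPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }
    [xml]$rsop = Get-Content -Path $ReportPath -Raw

    foreach ($scope in 'ComputerResults', 'UserResults') {
        $results = $rsop.Rsop.$scope
        if (-not $results) { continue }      # user section is absent without a user context

        # SlowLink is the client's own determination (default threshold 500 kbps);
        # a slow link is why the software installation CSE may have done nothing.
        Write-Host ("{0}: slow link detected = {1}" -f $scope, $results.SlowLink)

        # One entry per GPO the client evaluated. Element names follow the gpresult
        # RSoP XML; a blank column means that element was not present in the report.
        foreach ($gpo in @($results.GPO)) {
            [pscustomobject]@{
                Scope         = $scope -replace 'Results$', ''
                GPO           = $gpo.Name
                LinkedTo      = (@($gpo.Link.SOMPath) -join '; ')
                Enabled       = $gpo.Enabled
                AccessDenied  = $gpo.AccessDenied       # true = failed security filtering
                FilterAllowed = $gpo.FilterAllowed      # false = excluded by a WMI filter
                Applied       = ($gpo.Enabled -eq 'true' -and
                                 $gpo.AccessDenied -eq 'false' -and
                                 $gpo.FilterAllowed -eq 'true')
            }
        }
    }
}

# Refresh first so the report reflects the current GPOs rather than the last
# scheduled background refresh (default: every 90 minutes plus up to 30 minutes).
gpupdate /force | Out-Null
Get-RsopSummary | Format-Table -AutoSize
```

When two GPOs in the report define the same setting differently, the GPO listed later in the gpresult output for the same scope has the higher precedence in the RSoP; this summary shows you the candidates and their filtering outcome, and the report's extension data (or gpresult /h for an HTML view) shows which GPO won for each individual setting.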
If a user is working while disconnected from the network, the
settings previously applied by Group Policy continue to take effect,
so a user’s experience is identical whether he or she is on the
network or working away from the network. This rule has exceptions,
most notably that startup, logon, logoff, and shutdown scripts will
not run if the user is disconnected.
If a remote user connects to the network, the Group Policy
Client wakes up and determines whether a Group Policy refresh window has been missed. If so, it
performs a Group Policy refresh to obtain the latest GPOs from the
domain. Again, the CSEs determine, based on their policy processing
settings, whether settings in those GPOs are applied. This does not
apply to Windows XP or Windows Server 2003 systems—only to Windows
Vista, Windows Server 2008, and later operating systems.