
Windows 8 : Configuring User and Computer Policies - Group Policy Essentials

2/19/2013 12:06:03 PM

You use policy settings to control the configuration of the operating system and also to disable options and controls in the user interface for settings that Group Policy is managing. Most policy settings are stored in policy-related branches of the registry. The operating system and compliant applications check these branches to determine whether—and how—various aspects of the operating system are controlled.

Two types of Group Policy are available: local Group Policy and Active Directory–based Group Policy. Local Group Policy is used to manage settings only for local machines. Active Directory–based Group Policy is used to manage the settings of computers throughout sites, domains, and organizational units (OUs). Group Policy simplifies administration by giving administrators centralized control over the privileges, permissions, and capabilities of users and computers. Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.

During startup and logon, policies are applied in an exact sequence, which is often important to keep in mind when troubleshooting system behavior. When multiple policies are in place, they are applied in the following order:

  1. Local policies

  2. Site policies

  3. Domain policies

  4. OU policies

  5. Child OU policies

By default, if policy settings conflict, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain policies. As you might expect, there are exceptions to the precedence rule that enable administrators to block, override, and disable policies.

The Group Policy client service isolates Group Policy notification and processing from the Windows logon process, which reduces the resources used for background processing of policy, increases overall performance, and enables delivery and application of new Group Policy files as part of the update process without requiring a restart. By using Network Location Awareness, the Group Policy client can determine the computer state, the network state, and the available network bandwidth for slow-link detection. As a result, the Group Policy client has a better understanding of the operational environment and can better determine which policies should be applied when.

Group Policy event messages are written to a computer’s System log. In addition, when you are troubleshooting, you have several options. You can use the detailed event messages in the operational log. In Event Viewer, you can access the operational log under Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational. You also can use Gpupdate.exe to verify that the most current settings have been applied. Although you typically run this command-line tool on the computer you are diagnosing, Windows Server 2012 allows you to schedule Gpupdate.exe to refresh Group Policy on remote computers.
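The troubleshooting steps above can be scripted. The following PowerShell is an added example, not part of the original text: it summarizes warnings and errors from the Group Policy operational log, refreshes policy, and lists the GPOs that applied. The function name Get-GroupPolicyProblem and the computer name WS01 are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt on the computer being diagnosed.
function Get-GroupPolicyProblem {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 1, 2, 3                      # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when no event matches; treat that as "nothing found".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { return }

    # One row per event ID: how often it occurred and the most recent occurrence.
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = $latest.Id
            Level    = $latest.LevelDisplayName
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ("$($latest.Message)" -split "`r?`n")[0]   # first line only
        }
    }
}

Get-GroupPolicyProblem -Hours 24 | Format-Table -AutoSize -Wrap

# Reapply all computer and user settings, then show which GPOs were applied
# to the computer and which were filtered out.
gpupdate /force
gpresult /scope computer /r

# Remote refresh from a machine with the GroupPolicy module (GPMC/RSAT) installed.
# WS01 is a placeholder computer name.
# Invoke-GPUpdate -Computer 'WS01' -RandomDelayInMinutes 0 -Force
```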

Accessing and Using Local Group Policies

Local Group Policy applies to any user or administrator who logs on to a computer that is a member of a workgroup, as well as to any user or administrator who logs on locally to a computer that is a member of a domain.

As with Windows 7, a computer running Windows 8 can have one or more local policy objects associated with it. Local Group Policy is managed through the local Group Policy object (GPO). The local GPO is stored on individual computers in the %SystemRoot%\System32\GroupPolicy folder. Additional user-specific and group-specific local GPOs are stored in the %SystemRoot%\System32\GroupPolicyUsers folder.

When using computers in a stand-alone configuration rather than a domain configuration, you might find multiple local GPOs useful. You can implement one local GPO for administrators and another local GPO for nonadministrators and then no longer have to explicitly disable or remove settings that interfere with your ability to manage a computer before performing administrator tasks. In a domain configuration, however, you might not want to use multiple local GPOs. In domains, most computers and users already have multiple GPOs applied to them, and adding multiple local GPOs to this already varied mix can make it confusing to manage Group Policy.

Windows 8 has three layers of local GPOs:

  • Local Group Policy: Local Group Policy is the only local GPO that allows both computer configuration and user configuration settings to be applied to all users of the computer.

  • Administrators and Non-Administrators local Group Policy: Administrators and Non-Administrators local Group Policy contains only user configuration settings. This policy is applied based on whether the user account being used is a member of the local Administrators group.

  • User-specific local Group Policy: User-specific local Group Policy contains only user configuration settings. This policy is applied to individual users and groups.

These layers of local GPOs are processed in the following order: local Group Policy, Administrators and Non-Administrators local Group Policy, user-specific local Group Policy.
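To see which of these layers actually exist on a computer, you can inventory the two storage folders named earlier. The following PowerShell is an added example, not part of the original text. It assumes the layout Windows uses under GroupPolicyUsers, one subfolder per security identifier (SID), with S-1-5-32-544 holding the Administrators GPO and S-1-5-32-545 the Non-Administrators GPO; the function name Get-LocalGpoLayer is hypothetical.

```powershell
# Added example. Both folders are hidden; run from an elevated 64-bit PowerShell prompt.
function Get-LocalGpoLayer {
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Layer 1: the local GPO (computer and user settings, all users).
    $found = @([pscustomobject]@{
        Order = 1; Layer = 'Local Group Policy'; Account = '(all users)'
        Path  = Join-Path $sys32 'GroupPolicy'
    })

    # Layers 2 and 3: one subfolder per SID (assumed layout, see lead-in).
    $usersRoot = Join-Path $sys32 'GroupPolicyUsers'
    if (Test-Path -LiteralPath $usersRoot) {
        foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Directory -Force) {
            switch ($dir.Name) {
                'S-1-5-32-544' { $order = 2; $layer = 'Administrators' }
                'S-1-5-32-545' { $order = 2; $layer = 'Non-Administrators' }
                default        { $order = 3; $layer = 'User-specific' }
            }
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $dir.Name    # not a SID, or the account no longer exists
            }
            $found += [pscustomobject]@{
                Order = $order; Layer = $layer; Account = $account; Path = $dir.FullName
            }
        }
    }

    # Report in processing order. Registry.pol holds the registry-based settings only.
    foreach ($gpo in $found | Sort-Object Order, Account) {
        $pol = @(Get-ChildItem -LiteralPath $gpo.Path -Filter 'Registry.pol' -Recurse -Force -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Order       = $gpo.Order
            Layer       = $gpo.Layer
            Account     = $gpo.Account
            PolicyFiles = $pol.Count
            LastChanged = ($pol | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
            Path        = $gpo.Path
        }
    }
}

Get-LocalGpoLayer | Format-Table -AutoSize
```

A layer with a recent LastChanged value that no administrator can account for is worth opening in the Group Policy Object Editor for review.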

Because the available User Configuration settings are the same among all local GPOs, a setting in one GPO might conflict with a setting in another GPO. Windows 8 resolves conflicts in settings by overwriting any previous setting with the last read and most-current setting. The final setting is the one Windows 8 uses. When Windows 8 resolves conflicts, only the enabled or disabled state of settings matters. A setting of Not Configured does not affect the state of the setting from a previous policy application. To simplify domain administration, you can disable processing of local GPOs on computers running Windows 8 by enabling the Turn Off Local Group Policy Objects Processing policy setting in a domain GPO. In Group Policy, this setting is located under the Administrative Templates policies for Computer Configuration under \System\Group Policy.

Note

If local GPO processing is enabled, local GPOs are always processed. However, they have the least precedence, which means their settings can be superseded by site, domain, and OU settings.

The only local policy object that exists on a computer by default is the local GPO. You can create and manage other local policy objects by using the Group Policy Object Editor. Because local Group Policy is a subset of Group Policy, there are many things you can’t do locally that you can do in a domain setting. First, you can’t manage any policy preferences. Second, you can manage only a subset of policy settings. Beyond these fundamental differences, local Group Policy and Active Directory–based Group Policy are managed in much the same way.

To work with local GPOs, you must use an administrator account. The quickest way to access the top-level local GPO on a local computer is to type the following command in the Search box or at a command prompt:

gpedit.msc /gpcomputer: "%ComputerName%"

This command starts the Group Policy Management Editor in a Microsoft Management Console (MMC) with its target set to the local computer.

You can also manage the top-level local GPO on a computer by following these steps:

  1. Open the MMC. One way to do this is by pressing the Windows key, typing mmc.exe, and then pressing Enter.

  2. In the MMC, tap or click File, and then tap or click Add/Remove Snap-In.

  3. In the Add Or Remove Snap-Ins dialog box, tap or click Group Policy Object Editor, and then tap or click Add.

  4. In the Select Group Policy Object dialog box, tap or click Finish (because the local computer is the default object). Tap or click OK.

As shown in Figure 1, you can now manage local Group Policy settings by using the options provided. Because local Group Policy does not have policy preferences, you will not find separate Policies and Preferences nodes under Computer Configuration and User Configuration.

Figure 1. Accessing the top-level local GPO.

You can create and manage other local policy objects as necessary. To create or access other local GPOs, follow these steps:

  1. In the MMC, tap or click File, and then tap or click Add/Remove Snap-In.

  2. In the Add Or Remove Snap-Ins dialog box, tap or click Group Policy Object Editor, and then tap or click Add.

  3. In the Select Group Policy Object dialog box, tap or click Browse. In the Browse For A Group Policy Object dialog box, tap or click the Users tab.

  4. On the Users tab, shown in Figure 2, the entries in the Group Policy Object Exists column specify whether a particular local policy object has been created. Do one of the following:

    • Select Administrators to create or access the Administrators local GPO. You select Administrators instead of the Administrator user to ensure that the policy is applied to all local administrators.

    • Select Non-Administrators to create or access the Non-Administrators local GPO.

    • Select the local user whose user-specific local GPO you want to create or access.

    Figure 2. Accessing additional local GPOs.

  5. Tap or click OK. Tap or click Finish, and then tap or click OK again. If the selected object doesn’t already exist, it will be created. Otherwise, you’ll open the object for review and editing.

Accessing and Using Site, Domain, and OU Policies

With Active Directory, each site, domain, and OU can have one or more group policies. When you want to work with Active Directory–based Group Policy, you use the Group Policy Management Console (GPMC) to access and work with GPOs. To work with GPOs, you must use an administrator account.

On a computer running a server edition of Windows, the GPMC is available as part of the standard installation. On a computer running a desktop edition of Windows, the GPMC is included in the Remote Server Administration Tools (RSAT). You can download the RSAT for Windows 8 by visiting the Microsoft Download Center (http://download.microsoft.com/).

Once you install the GPMC as part of the RSAT, you can run the GPMC from Server Manager. In Server Manager, tap or click Tools and then tap or click Group Policy Management.

As shown in Figure 3, the left pane of the GPMC has two upper-level nodes by default: Group Policy Management (the console root) and Forest (a node representing the forest to which you are currently connected, which is named after the forest root domain for that forest). When you expand the Forest node, you see the following nodes:

  • Domains: Provides access to the policy settings for domains in the forest being administered. You are connected to your logon domain by default; you can add connections to other domains. If you expand a domain, you can access the Default Domain Policy GPO, the Domain Controllers OU (and the related Default Domain Controllers Policy GPO), and GPOs defined in the domain.

  • Sites: Provides access to the policy settings for sites in the related forest. Sites are hidden by default.

  • Group Policy Modeling: Provides access to the Group Policy Modeling Wizard, which helps you plan policy deployment and simulate settings for testing purposes. Any saved policy models are also available.

  • Group Policy Results: Provides access to the Group Policy Results Wizard. For each domain to which you are connected, all the related GPOs and OUs are available to work with in one location.

GPOs found in domain, site, and OU containers in the GPMC are actually GPO links and not GPOs themselves. The actual GPOs are found in the Group Policy Objects container of the selected domain. Notice also that the icons for GPO links have a small arrow at the bottom left, similar to shortcut icons. You can open a GPO for editing by pressing and holding or right-clicking it and then selecting Edit.

Figure 3. Access GPOs for domains, sites, and OUs.

Once you’ve selected a policy for editing or created a new policy, use the Group Policy Management Editor to work with the GPOs. As Figure 4 shows, the Group Policy Management Editor has two main nodes:

  • Computer Configuration: Enables you to set policies that should be applied to computers, regardless of who logs on.

  • User Configuration: Enables you to set policies that should be applied to users, regardless of which computer they log on to.

Note

Keep in mind that user configuration options set through local policy objects apply only to computers on which the options are configured. If you want the options to apply to all computers that the user might use, you must use domain, site, or OU policies.

Figure 4. Group Policy options depend on the type of policy you’re creating and the add-ons installed.

You will find separate Policies and Preferences nodes under Computer Configuration and User Configuration. When you are working with policy settings, you use the Policies node. The options available under a Policies node depend on the add-ons installed and which type of policy you’re creating. You’ll usually find that both nodes have the following subnodes:

  • Software Settings: Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.

  • Windows Settings: Sets policies for folder redirection, scripts, and security.

  • Administrative Templates: Sets policies for the operating system, Windows components, and programs.
