How Group Policy works in Active Directory

How Group Policy works in Active Directory, or how Group Policy gets applied to clients.

->When Group Policy applies, the client system queries the Active Directory service, through its Net Logon service, for the list of GPOs to process. Each GPO is linked to an Active Directory container (site, domain or OU) to which the computer or user belongs. By default, the GPO precedence order is local, site, domain and organizational unit. The computer or user then receives the policy settings from those Active Directory containers and processes them.
->When processing a GPO, the system checks the access control list associated with it. If an access-control entry (ACE) denies the computer or user access to the GPO, the system does not apply its policy settings. If the ACE allows access to the GPO, the system applies the policy settings specified by the GPO.
1. What is a group in Active Directory (AD)?
->Active Directory groups are the best way to control and manage access and permissions to resources and to enforce a least-privilege model. They also make it easier to control permissions on any resource, whether it is a Windows file server, admin access or remote access: we create a group in AD, add users on the group's Members tab, and then manage those users through the group.

2. Types of groups in Active Directory.
->There are two types of groups in Active Directory:
   1. Distribution Group
   2. Security Group

->Distribution Group: Distribution groups are intended only for email distribution lists. They are used with email applications such as Microsoft Exchange, Outlook or webmail. You can add and remove members from the list so that they will or will not receive email sent to the distribution group. Distribution groups cannot be used to assign permissions to any resource in Active Directory, such as file shares, admin access or RDP, and they cannot be used to filter Group Policy settings.

->Security Group: Security groups are used to manage user and computer access and permissions in AD. A security group simplifies administration by letting us set permissions once for many users or computers by granting them to the group; when we add or remove members, the change in access takes effect everywhere automatically. Security groups can also be used as email distribution lists, and they can be used to filter Group Policy settings.

3. Group scope in Active Directory.
->The group scope determines who can be a member of the group and where the group's permissions can be applied and used. There are three group scopes:
   1. Domain Local Group
   2. Global Group
   3. Universal Group

->Domain Local Group
A domain local group is limited in scope to its own domain.
This group can have any of the following as members:
•    User accounts
•    Computer accounts
•    Universal groups
•    Domain local groups from the same domain
•    Global groups from any domain in the forest

->Global Group
A global group can be used to assign permissions to resources in any domain of the forest, whether the same domain or a different one, but its membership is only replicated to domain controllers in its own domain.

This group can have any of the following as members:
•    User accounts
•    Computer accounts
•    Other global groups from the same domain

->Universal Group
Universal groups are most often used to assign permissions to related resources across multiple domains in a forest. The membership list of a universal group is held by the Global Catalog (GC) servers, so when a member is added to or removed from a universal group, the change must be replicated to every GC in the forest. This creates overhead in the form of replication traffic.

This group can have any of the following as members:
•    User accounts
•    Computer accounts
•    Other universal groups
•    Global groups

4. How to create groups in AD.
   1. Open Active Directory Users and Computers.
   2. Right-click the OU where the group should live (here we clicked the Users OU).
   3. Select New > Group.
   4. Enter the name of the group.
   5. Select the group scope and group type and click OK; the group is created.

[Figure: group types and group scopes]

5. What is Group Policy?
->Group Policy controls the access and permissions of user accounts and computer accounts. It provides a centralized management system for operating systems, related applications and user settings in an Active Directory environment. We can limit what a user can do on a system by using Group Policy, which helps secure the environment.

6. What is a Group Policy Object (GPO) in Active Directory?
->A Group Policy Object is a collection of settings in Active Directory. We create or modify settings in the GPO, and those settings are applied to the users or computers it targets.
->Whenever we want to create or modify a set of policy settings, we edit the Group Policy Object, and the same settings are then applied.

7. What is the Group Policy container in AD?
->The Group Policy container stores all the policies in Active Directory.
  ->Below are the steps to view the stored policies in the Group Policy container:
  1. Open Active Directory Users and Computers (you can do this by typing DSA.MSC at Start/Run).
  2. Select View from the menu bar and make sure Advanced Features is selected (if not, select it).
  3. Expand the System container and navigate to the Policies container.
[Figure: Group Policy containers in AD]

->As we can see in the figure above, there are three containers, each named with a string of numbers, and each represents a different GPO. Inside each container are a Machine container and a User container, which hold the computer settings and the user settings respectively.

8. Types of Group Policy.
  • Local Policy
  • Site-linked policies
  • Domain-linked policies
  • Organizational unit policies
->Local Policy
    ->Local Group Policy is held on the local computer. We can edit its settings via Start > Run > gpedit.msc, but the changes apply only to that specific system.

->Site-linked policies
   ->A site-linked policy is linked to an Active Directory site, and its settings apply only to the users and computers in that site.

->Domain-linked policies
   ->A domain-linked policy is linked to a domain, and its settings apply to the domain's users and computers.
->Organizational unit policies
  ->An OU policy is linked to an OU, and its settings apply to the users and computers in that OU.

9. Group Policy precedence order.
->LSDOU (where L = local, S = site, D = domain, OU = organizational unit)
->1st: Local Group Policy applies to users and computers.
->2nd: Site GPOs apply to the users and computers in the linked sites and overwrite conflicting local settings.
->3rd: Domain GPOs apply to the users and computers in that domain and overwrite conflicting site and local settings.
->4th: OU and sub-OU GPOs apply to the users and computers that belong to that OU and overwrite all the others (domain, site and local settings).

=>If we have simply linked a GPO to a site, domain or OU, it follows the precedence order above.
=>If we have enforced a GPO on a site, domain or OU, it does not follow the precedence order above: an enforced GPO cannot be overwritten by any GPO linked lower down in the hierarchy.

10. What is the difference between a linked and an enforced GPO?
->When we have linked a GPO to a site, domain or OU, it follows the GPO precedence order and its settings are overwritten accordingly by GPOs linked lower down.
->When we have enforced a GPO on a site, domain or OU, it does not follow the precedence order above: an enforced GPO cannot be overwritten by any GPO linked lower down in the hierarchy.

11. What is inheritance in Group Policy?
->As we know, Group Policy follows the precedence order: the settings from the site, domain and OU GPOs are all applied to the user or computer, and where they conflict, the GPO with the higher precedence wins. If we do not want a domain or OU to receive settings from the GPOs linked above it (site, domain or parent OU), we can block inheritance by right-clicking the domain or OU and choosing Block Inheritance. Note that enforced GPOs are still applied even where inheritance is blocked.

12. What is a Starter GPO?
->A Starter GPO is a template. We can create a Starter GPO, or modify an existing one, save it, and then create new GPOs from it.
->It is used to save GPO settings as a template so that new GPOs can be created from those settings.

How to create a Starter GPO and how to create a GPO from it:
 1. Open Group Policy Management from Start > Administrative Tools > Group Policy Management.
 2. Select Starter GPOs > right-click > New > enter a name.
 3. Now we can select the newly created Starter GPO and edit its settings, or create a GPO from it, as shown in the figures below.

[Figure: creating a GPO from a Starter GPO]

13. What is loopback processing in Group Policy?
->Group Policy loopback is a setting in a GPO that we enable when we want the user settings that apply to be chosen by the location of the computer object in Active Directory rather than the user object. Sometimes users need to receive policies based on the computer they log on to, and then we use the loopback feature.
->For example, if users need different sets of policies on laptops and on desktops, or if any user logging on to a particular machine should see settings different from their normal ones, we can configure this with loopback processing.

=>How to configure loopback processing in Group Policy.
  ->1st, link the GPO to the OU where the policy needs to apply.
->Once we have identified the OU and linked the GPO, right-click the GPO and choose Edit.
->Now navigate to the following location:
Computer Configuration > Policies > Administrative Templates > System > Group Policy > user Group Policy loopback processing mode.
[Figure: loopback processing modes]

There are two loopback modes:
->Merge: the user settings defined in the computer's GPOs are merged with the user settings normally applied to the user. If there is a conflict, the user settings in the computer's GPOs are applied over the user's normal settings.

->Replace: the user's normal settings are replaced entirely by the user settings defined in the computer's GPOs, so in the end only the computer's GPOs are applied.

13. What is Group Policy Modeling?
->We use Group Policy Modeling to troubleshoot GPO settings quickly and easily. We also use Group Policy Modeling (GPM) to test Group Policy settings before they are applied.
->We run Group Policy Modeling to see which settings would apply to the users or computers in an OU, and based on that we decide which GPOs should be linked to which OUs. The figure below shows the GPM results and the applied settings.

[Figure: Group Policy Modeling results]

14. What is Group Policy Results?
->Group Policy Results is used to troubleshoot Group Policy. We run this wizard to see which settings are applied to a particular user logged on to a computer, and based on that we troubleshoot Group Policy.
->We can get Group Policy Results in two ways:
   1. Run the Group Policy Results wizard from the Group Policy Management console on any server or DC.
   2. Run the command on the client PC: cmd > gpresult /r (it shows the applied GPOs and the GPOs that were filtered out).
 ->We can also use Event Viewer to check for errors when troubleshooting Group Policy issues.

->Commands to force a Group Policy refresh:
 ->cmd > gpupdate /force
  ->cmd > gpupdate /target:computer /force (refreshes only the computer settings; /target:user refreshes only the user settings)

15. What is security filtering in Group Policy?
->By default, a GPO applies to everyone in the domain, site or OU it is linked to, but with security filtering we can configure it to apply only to particular users, groups and computers.
->So if we want a GPO to apply only to particular users, groups or computers, we use security filtering.
[Figure: security filtering in Group Policy]
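To make the precedence rules from sections 9 to 11 and the security filtering of section 15 concrete, here is a small model of how a client resolves its effective settings: LSDOU order, Enforced links, Block Inheritance, and the ACE check that filters a GPO out. This is an added example, not code from the original post; the GPO names, settings and principals are constructed.

```python
from dataclasses import dataclass, field

# Precedence order: Local, Site, Domain, OU (LSDOU); later entries win on conflict.
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class GPO:
    name: str
    settings: dict                             # setting name -> value
    denied: set = field(default_factory=set)   # principals whose ACE denies the GPO

@dataclass
class Link:
    level: str             # "local", "site", "domain" or "ou"
    depth: int             # OU nesting depth (1 = top-level OU); 0 for local/site/domain
    gpo: GPO
    enforced: bool = False

def effective_settings(links, principal, blocked_containers=()):
    """Resolve the settings a user or computer receives from the GPOs linked along
    its path (local -> site -> domain -> OU -> sub-OU), honouring security filtering,
    Block Inheritance and Enforced links. Returns (settings, applied GPO names)."""
    rank = lambda link: (LEVEL_ORDER[link.level], link.depth)
    blocks = [(LEVEL_ORDER[lvl], depth) for lvl, depth in blocked_containers]
    normal, enforced = [], []
    for link in links:
        if principal in link.gpo.denied:
            continue                           # filtered out by the GPO's ACL
        if link.enforced:
            enforced.append(link)              # Enforced links ignore Block Inheritance
        elif link.level != "local" and any(rank(link) < b for b in blocks):
            continue                           # inherited from above a blocking container
        else:
            normal.append(link)
    # Normal links apply in LSDOU order; enforced links apply afterwards, highest
    # container (e.g. domain) last, so an enforced domain GPO beats an enforced OU GPO.
    order = sorted(normal, key=rank) + sorted(enforced, key=rank, reverse=True)
    settings = {}
    for link in order:
        settings.update(link.gpo.settings)
    return settings, [link.gpo.name for link in order]

# Constructed sample hierarchy: site, enforced domain GPO, Sales OU and its Laptops sub-OU.
LOCAL = GPO("Local", {"screensaver_timeout": 1200, "audit": "basic"})
SITE = GPO("Site-Default", {"screensaver_timeout": 900, "proxy": "site-proxy"})
DOMAIN = GPO("Domain-Security", {"min_password_length": 12, "screensaver_timeout": 600})
SALES = GPO("Sales-Desktop", {"screensaver_timeout": 300, "wallpaper": "sales.jpg"}, denied={"bob"})
LAPTOPS = GPO("Sales-Laptops", {"wallpaper": "laptop.jpg", "bitlocker": "on"})
LINKS = [Link("local", 0, LOCAL), Link("site", 0, SITE), Link("domain", 0, DOMAIN, enforced=True),
         Link("ou", 1, SALES), Link("ou", 2, LAPTOPS)]
```

Calling `effective_settings(LINKS, "alice")` shows the enforced domain timeout winning over the Sales OU value, `effective_settings(LINKS, "bob")` drops the Sales GPO because of the deny ACE, and passing `blocked_containers=[("ou", 2)]` shows Block Inheritance on the Laptops OU dropping the site and Sales GPOs but not the enforced domain GPO.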

16. What is WMI filtering in Group Policy?
->We can make Group Policies apply based on computer attributes such as the operating system, free hard disk space, make and model, and so on. But WMI filters have to be used properly and sparingly, and their performance should be tested before they are used in production, because too many of them can delay Group Policy processing.
For example, avoid the "select * from" approach when writing WMI filter queries and instead include only what you need from the WMI class to evaluate your filter. Thus, instead of using something like this:
Select * From Win32_OperatingSystem where BuildNumber >= 7600 AND ProductType ='1'

17. The default Group Policy refresh interval is 90 minutes.

GPT.INI - This file contains the configuration settings for the GPO, including its current version number (which is updated every time the GPO is changed) and the default GPO display name.

GptTmpl.inf - This file contains the specific information the client needs to configure its security settings. Because we configured this GPO so that the event logs are set to their maximum size, we would expect this file to contain the information directing the client to make that change.

Group Policy file location - C:\Windows\system32\<domain name>\Policies
