Searching and Filtering Group Policy

One of the most challenging aspects of working with Group Policy is simply finding what you are looking for—whether it’s a set of policies, a particular Group Policy Object (GPO), or an object that Group Policy is affecting. Some administrators have told us that they’ve gone through every single GPO and every related policy setting in those GPOs and still haven’t found what they were looking for. You can save time and be much more effective by using one of several filtering techniques, including filtering policy settings to streamline the view, and searching for policy objects, links, and configuration settings for various conditions, values, and keywords.

Another type of filter you can apply to GPOs is a security filter to control the security groups to which a policy object is applied. By default, a linked GPO applies to all users and computers in the container to which it is linked. But sometimes you won’t want a GPO to apply to a user or computer in a particular container. For example, you might want to apply a filter so that the Sales Policy GPO is applied to normal users in the Sales organizational unit (OU) but not to administrators in the Sales OU. Or you might want to apply a filter to Sales Policy GPO so that JoeS, a user in the Sales OU, doesn’t get the policy settings from that OU at all.

Filtering Policy Settings

By default, all policy settings for all administrative templates are displayed in the Group Policy Object Editor. When you are viewing or editing a GPO, finding the policy settings you want to work with can be a daunting task because so many policy settings are available and many of them might not be applicable in your environment or might not be suited to your current needs.

Filtering Techniques for Policy Settings

To reduce the policy set and make it more manageable, you can filter the view so that only the policy settings you want to use are shown. Likewise, if you are looking for a particular group of policy settings, such as only those that are configured or those that can be used with computers running Microsoft® Windows® XP Professional with Service Pack 2 or later, you can filter the view to focus in on the policy settings you need.

Handy? You betcha. The one gotcha is that this type of filtering applies only to Administrative Templates policy settings. Anytime you are actively editing a GPO, you can filter the Administrative Templates policy settings in several key ways:

  • Show only the policy settings that apply to a specific operating system, application, or system configuration. For viewing only the policy settings that meet a specific set of requirements. By filtering policy settings in this way, you see only the policy settings that meet your specified operating system or application configuration requirements, such as only the policy settings that are supported by Windows XP Professional with Service Pack 2 or later.

  • Show only the policy settings that are currently configured. Viewing currently configured policy settings is useful if you want to modify a configured policy setting. By filtering policy settings in this way, you see only policy settings that are either enabled or disabled. You don’t see policy settings that are set as "not configured."

  • Show only the policy settings that can be fully managed. For ensuring that you are working with nonlegacy policy settings. A legacy policy setting is one that was created in an administrative template written using the Microsoft Windows NT 4.0 administrative template format. Windows NT 4.0 administrative templates and their settings typically modify different sections of the Windows registry than do template settings for Windows 2000 or later. It is therefore recommended that you not use Windows NT 4.0 administrative templates. This filter option is selected by default. If you want to work with Windows NT 4.0 administrative templates and their settings, you must clear this filter option.

Note

Filtering policy settings affects only their display in Group Policy Object Editor. Filtered policy settings are still applied as appropriate throughout the site, domain, or OU.

Filtering Policy Settings by Operating System and Application Configuration

In the Group Policy Management Console (GPMC), you can view or edit a GPO and its settings at any time by right-clicking the GPO and choosing Edit. When you work with the policy object, you can filter the related policy settings by completing the following steps.

Note

Filtering of policy settings works only with Administrative Templates. You configure filtering separately for Computer Configuration and User Configuration.

  1. In the Group Policy Editor, expand Computer Configuration or User Configuration as appropriate.

  2. Right-click Administrative Templates and choose View, Filtering to open the Filtering dialog box (Figure 3-1).

    Figure 3-1. Selecting the appropriate filter options

  3. By default, all policy settings for all operating systems and application configurations that have Administrative Template files installed are shown in the Group Policy Editor.

    To filter by operating system and application configuration, select Filter By Requirements Information and then select or clear the items to be displayed.

    Note

    Some of the Items To Be Displayed options are too long to read. You can see the complete description of an item by moving the mouse pointer over it. The complete description is then displayed as a ToolTip.

  4. If you want to see only policy settings that are set as enabled or disabled, select Only Show Configured Policy Settings.

  5. If you want to use the older-style policy settings from Windows NT 4.0 administrative templates, clear Only Show Policy Settings That Can Be Fully Managed.

  6. Click OK.

Searching Policy Objects, Links, and Settings

When you have multiple policy objects with many configured settings, it can be a challenge to find the policy object or settings you need. The search feature of the GPMC can help. For example, if the Remove Add/Remove Programs policy is causing a problem that is preventing administrators from adding programs on users’ computers and you don’t know in which policy object this policy setting is enabled, the search feature can help. Or if you need to update the Wireless Networking policies but don’t know which policy object has these settings, the search feature saves you from having to go through all the available policy objects in search of the one that has the Wireless Networking Policies. To resolve these types of problems and many others, you can use the search feature of the Group Policy Management Console.

Search Techniques for Policy Objects, Links, and Settings

The GPMC search feature allows you to search Group Policy in a currently selected domain or in all the domains of a selected forest. You can search by any of the following criteria:

  • GPO Name. Allows you to search for a policy object by full or partial name. For example, if you know that a policy object has the word "Sales" in its name but you don’t know in which domain the object exists, you can search for all policy object names that contain this keyword.

  • GPO Links. Allows you to search for policy objects that are either linked or not linked in a particular domain or in all domains of the current forest. For example, if you want to find all policy objects that are linked in a particular domain, you can search for all policy object links that exist in that domain. Or if you want to find all policy objects that aren’t currently linked to a particular domain, you can search for all policy object links that do not exist in the domain.

  • Security Groups, Users or Computers. Allows you to search for security groups, users, or computers with specific Group Policy management privileges. For example, you might need to know whether the TechManagers group has explicit permission to edit Group Policy settings or whether the user JoeS has permission to read Group Policy settings in a particular domain or in any domain of the current forest. (Group Policy management privileges are discussed in Chapter 2 under "Delegating Privileges for Group Policy Management" and include Read; Edit Settings; and Edit Settings, Delete, Modify Security.)

  • Linked WMI Filter. Allows you to search for a linked WMI filter. You can search to find out whether a filter exists.

  • User Configuration. Allows you to quickly determine whether commonly used User Configuration settings are configured. The areas of User Configuration you can search for are Folder Redirection, Internet Explorer Branding, Internet Explorer Zonemapping, Registry, Scripts, and Software Installation. For example, you might need to find the policy object in a particular domain that has Folder Redirection configured, and you can use this search feature to do this.

  • Computer Configuration. Allows you to quickly determine whether commonly used Computer Configuration settings are configured. The areas of Computer Configuration you can search for are EFS Recovery, Internet Explorer Zonemapping, IP Security, Microsoft Disk Quota, QoS Pack Scheduler, Registry, Scripts, Security, Software Installation, and Wireless. For example, you might need to find the policy object in a particular domain that has Wireless Networking Policy configured, and you can use this search feature to do this.

  • GUID. Allows you to search for a policy object by its GUID. This is useful if you already know the full GUID of a policy object you need to locate so that you can work with it. A typical scenario in which you may know the GUID but not the policy object's location is when you are troubleshooting a problem with Group Policy and see errors that reference the GUID of a policy object.

Beginning Your Policy Object, Link, or Setting Search

To search Group Policy for any of the previously discussed search criteria, complete these steps:

  1. Start the GPMC. Click Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. If you want to search all the domains in a particular forest, right-click the entry for the forest you want to work with and then select Search. If you want to search a specific domain, expand the related forest node, right-click the domain, and then select Search.

  3. In the Search For Group Policy Objects dialog box (Figure 3-2), use the Search Item list to choose the area of Group Policy to search, such as User Configuration.

    Figure 3-2. Searching Group Policy using specific search conditions and values

  4. Use the Condition list to set the search condition. Conditions include:

    • Contains/Does Not Contain. Allows you to search based on specific values that are either contained or not contained in the search item. For example, if you are sure the policy object you are looking for doesn’t have the word Current in its name (while most other policy objects you’ve created do), you can search for a GPO Name that does not contain the value Current.

    • Is Exactly/Equals. Allows you to search for an exact value associated with a search item. For example, if you are sure the policy object you are looking for is named Engineering Policy, you can search for a GPO Name that has that exact value.

    • Exist In/Does Not Exist In. Allows you to search for GPO links that either exist in or do not exist in the selected domain or forest; it is used with GPO links.

    • Has This Explicit Permission/Does Not Have This Explicit Permission. Allows you to search for security groups, users, and computers that have or do not have an explicit permission in Group Policy. Explicit permissions are directly assigned. For example, if JohnS has been delegated permission to Edit Settings of the Engineering Policy GPO, he has explicit Edit Settings permission with regard to this object.

    • Has This Effective Permission/Does Not Have This Effective Permission. Allows you to search for security groups, users, and computers that have or do not have an effective permission in Group Policy. Effective permissions are indirectly assigned. For example, a member of the Domain Administrators group has the effective permission to apply settings.

  5. Select or enter a search value in the Value field.

  6. As necessary, repeat steps 3 through 5 to add additional search criteria. Keep in mind that additional search criteria further restrict the result set. A policy object must match all search criteria to be displayed in the search results. Click Add to add the search criteria.

  7. Click Search to search for policy objects that meet your search criteria. You can directly edit any policy object listed by selecting it in the Search Results list and clicking Edit.
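The search criteria and procedure above, reproduced from the command line as an added example (not the book's own text or tool): it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT and later) is installed and the caller has Read permission on the GPOs; every GPO name, keyword, and GUID below is a placeholder, not a value from the book.

```powershell
# Added example: GPMC-style searches with the GroupPolicy module (assumed installed).
Import-Module GroupPolicy

# GPO Name / Contains: partial, case-insensitive match on the display name.
function Find-GpoByName([string]$Keyword) {
    Get-GPO -All | Where-Object { $_.DisplayName -like "*$Keyword*" } |
        Select-Object DisplayName, Id, GpoStatus
}

# GPO Links / Does Not Exist In: GPOs with no link to any site, domain, or OU.
# Get-GPO exposes no link list, so read the <LinksTo> elements of the XML report.
function Find-UnlinkedGpo {
    Get-GPO -All | Where-Object {
        $report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
        -not $report.GPO.LinksTo
    } | Select-Object DisplayName, Id
}

# Security Groups, Users or Computers / Has This Explicit Permission:
# trustees holding an explicit (not inherited) Edit Settings ACE on any GPO.
# Get-GPPermission reports ACEs only; effective rights gained through
# group membership (for example Domain Admins) are not resolved here.
function Find-ExplicitEditors {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoEdit' -and -not $_.Inherited } |
            ForEach-Object {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $_.Trustee.Name }
            }
    }
}

# User Configuration / Folder Redirection: the XML report names each configured
# client-side extension in User/ExtensionData/Name.
function Find-GpoWithFolderRedirection {
    Get-GPO -All | Where-Object {
        $report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
        @($report.GPO.User.ExtensionData.Name) -contains 'Folder Redirection'
    } | Select-Object DisplayName, Id
}

# GUID: resolve a GPO that an error message references only by GUID (placeholder GUID).
Get-GPO -Guid '00000000-0000-0000-0000-000000000000' -ErrorAction SilentlyContinue

Find-GpoByName -Keyword 'Sales'
Find-UnlinkedGpo
Find-ExplicitEditors
Find-GpoWithFolderRedirection
```

As in the GPMC dialog, combining criteria narrows the result set, so pipe one function's output into the next filter when a GPO must match several conditions.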

Filtering by Security Group, User, or Computer

You’ll often need to determine or control whether and how Group Policy applies to a particular security group, user, or computer. By default, GPOs apply to all users and computers in the container to which a particular GPO is linked. A linked GPO applies to all users and computers in this way because of the security settings on the GPO. Two GPO permissions determine whether a policy object applies to a security group, user, or computer:

  • Read. If this permission is allowed, the security group, user, or computer can read the policy for the purposes of applying it to other groups, users, or computers (not for the purposes of viewing policy settings; View Settings is an explicit permission that must be granted).

  • Apply Group Policy. If this permission is allowed, the GPO is applied to the security group, user, or computer. The settings of an applied GPO take effect on the group, user, or computer.

A security group, user, or computer must have both permissions for a policy to be applied. By default, all users and computers have these permissions for all new GPOs. They inherit these permissions from their membership in the implicit group Authenticated Users. An authenticated user is any user or computer that has logged on to the domain and been authenticated.

Note

Additional permissions are also assigned to administrators and the operating system. All members of the Enterprise Admins and Domain Admins groups as well as the LocalSystem account have permission to edit or delete GPOs and manage their security.

When you’ve delegated Group Policy management permissions to users or have administrators whose accounts are defined at the domain or OU level, you might not want a policy object to be applied. Consider the following scenario: You’ve delegated administrator privileges and Group Policy management permissions to Sue. You want her to be able to install programs and perform other tasks that normal users cannot do because of restrictions in Group Policy. In this case, you must take special steps to ensure that Group Policy isn’t applied to Sue. Rather than allowing Group Policy to be applied to Sue, you must configure permissions so that she is denied the Apply Group Policy permission. This ensures that the policy object isn’t applied to Sue’s account. If Sue should have permission to apply the Group Policy to other groups, users, or computers, she must still have Read permission.

To view or change GPO permissions for a security group, user, or computer, complete these steps:

  1. Start the GPMC. Click Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, expand the related Domains node, expand the Group Policy Objects node, and then select the policy object you want to work with.

  3. Click the Delegation tab to see a list of users and groups who have some level of permissions for the selected policy object.

  4. Click Advanced to open the Security Settings dialog box (Figure 3-3).

    Figure 3-3. Viewing advanced permissions for security groups, users, and computers

  5. Select the security group, user, or computer you want to work with. Or click Add to add a new security group, user, or computer. Then do one of the following:

    • If the policy object should be applied to the security group, user, or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

      Caution

      Don’t change other permissions unless you are sure of the consequences. A better way to manage other permissions is to follow the techniques discussed in Chapter 2, in the section titled "Delegating Privileges for Group Policy Management."

    • If the policy object should not be applied to the security group, user, or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

  6. Click OK to return to the GPMC.
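The Read and Apply Group Policy check from the Delegation procedure above, as an added example (not the book's own text or tool): it assumes the GroupPolicy PowerShell module is installed and the caller can read the GPO; "Sales Policy", "Sales Users", and "Sue" are placeholders.

```powershell
# Added example: audit and set the two permissions that decide whether a GPO applies,
# using the GroupPolicy module (assumed installed) instead of the GPMC Delegation tab.
Import-Module GroupPolicy

function Get-GpoApplyReport {
    param([Parameter(Mandatory)][string]$GpoName)

    # -All returns the GPO's explicit ACEs. The module reports GpoApply as a single
    # level that already includes Read, i.e. the "allow Read and Apply Group Policy" case.
    foreach ($ace in Get-GPPermission -Name $GpoName -All) {
        [pscustomobject]@{
            GPO     = $GpoName
            Trustee = $ace.Trustee.Name
            Type    = $ace.TrusteeType
            Level   = $ace.Permission
            Denied  = $ace.Denied
            # The GPO takes effect only where Apply Group Policy is allowed, not denied.
            Applies = ($ace.Permission -eq 'GpoApply' -and -not $ace.Denied)
        }
    }
}

# Who is this GPO applied to? A new GPO should show Authenticated Users with GpoApply.
Get-GpoApplyReport -GpoName 'Sales Policy' | Format-Table -AutoSize

# Case 1 (policy should be applied): allow Read and Apply Group Policy for a group.
Set-GPPermission -Name 'Sales Policy' -TargetName 'Sales Users' -TargetType Group `
    -PermissionLevel GpoApply

# Case 2 (policy should not be applied, e.g. the delegated admin Sue): the
# "allow Read, deny Apply Group Policy" setting needs a Deny ACE. Set-GPPermission
# has no deny option, so set it on the Delegation tab as described above, then verify:
# a Denied entry for Sue with no allowed GpoApply entry means the GPO is not applied
# to her; no entry at all means she still gets it through Authenticated Users.
Get-GpoApplyReport -GpoName 'Sales Policy' | Where-Object { $_.Trustee -eq 'Sue' }
```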
