Examining GPO Links and Default GPOs

Before you can move on to more advanced Group Policy topics, you must understand two fundamental concepts: GPO links and default GPOs. GPO links affect the way policy is applied. Default GPOs are special-purpose policy objects that Active Directory depends on to establish baseline security settings for domain controllers and domains.

Understanding GPO Links

As you know, the two types of Group Policy are Local Group Policy and Active Directory–based Group Policy. Local Group Policy applies to a local machine only, and there is only one Local GPO (LGPO) per local machine. Active Directory–based Group Policy, on the other hand, can be implemented at the site, domain, and OU levels, and each site, domain, or OU can have one or more GPOs associated with it. The association between a GPO and a site, domain, or OU is referred to as a link. For example, if a GPO is associated with a domain, the GPO is said to be linked to that domain.

All GPOs you create in Active Directory are stored in a container called Group Policy Objects. This container is replicated to all domain controllers in a domain, so by default all GPOs are also replicated to all domain controllers in a domain. Storage alone does nothing, however: the link (association) between a GPO and a domain, site, or OU is what makes the GPO active and applicable to that domain, site, or OU.

Linking can be applied in two ways:

  • You can link a GPO to multiple levels in Active Directory. For example, a GPO can be linked to a site, a domain, and multiple OUs. In this case, the GPO applies to each of these levels within Active Directory.

  • You can link a GPO to a specific site, domain, or OU. For example, if a GPO is linked to a domain, the GPO applies to users and computers in that domain.

Tip

When you work with GPOs, never forget about inheritance and its effects. In the two examples above, the linked GPO would also be inherited by lower-level objects because of inheritance. For example, the settings of the GPO linked to a domain would be inherited by any OUs in that domain. The reason for linking a GPO to multiple levels within Active Directory, then, is to create direct associations between a GPO and multiple sites, domains, or OUs or any combinations of sites, domains, and OUs.

Tip

For more information on GPO linking and inheritance, see Chapter 3.

You can also unlink a GPO from a site, domain, or OU. This removes the direct association between the GPO and the level within Active Directory from which you’ve removed the link. For example, if a GPO is linked to a site called First Site and also to the cpandl.com domain, you can remove the link from the cpandl.com domain. Unlinking the GPO from the domain removes the association between the GPO and the domain. The GPO is then linked only to the site. If you later remove the link between the site and the GPO, the GPO is completely unlinked. A GPO that has been unlinked from all levels within Active Directory still exists within the Group Policy Objects container, but it is completely inactive.
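The linking and unlinking described above, followed by the check for GPOs that are linked nowhere, as an added example (this is not code from the original text). It assumes the GroupPolicy PowerShell module from RSAT or Windows Server 2008 R2 and later, which postdates the Windows Server 2003 tools discussed here, and it uses the cpandl.com domain from the text; the GPO name and the OU name are assumptions for illustration.

```powershell
# Added example, not from the original text. Assumes the GroupPolicy module
# and the cpandl.com domain used in the text. The GPO and OU names below
# are assumptions chosen for illustration.
Import-Module GroupPolicy

$domainDn = 'DC=cpandl,DC=com'
$ouDn     = 'OU=Marketing,DC=cpandl,DC=com'   # assumed OU
$gpoName  = 'Corp Screen Saver Lockout'       # assumed GPO name

# 1. Create the GPO. It now exists in the Group Policy Objects container and
#    replicates to every DC in the domain, but it is inactive until linked.
$gpo = New-GPO -Name $gpoName -Comment 'Created to demonstrate GPO links'

# 2. Link it directly to the domain and to one OU (two direct links).
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
New-GPLink -Name $gpoName -Target $ouDn     -LinkEnabled Yes | Out-Null

# 3. Inspect the OU. GpoLinks are the links made directly to this OU;
#    InheritedGpoLinks also includes links that flow down from the domain
#    (and site) levels, listed in the order they take precedence.
$inh = Get-GPInheritance -Target $ouDn
'Direct links on {0}:' -f $ouDn
$inh.GpoLinks          | Select-Object Order, DisplayName, Enabled, Enforced
'All links that apply to {0}, inherited ones included:' -f $ouDn
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Target

# 4. Unlink from the domain. The GPO still applies to the OU through its own
#    direct link, but the rest of the domain no longer inherits it.
Remove-GPLink -Name $gpoName -Target $domainDn | Out-Null

# 5. Find GPOs that are linked nowhere: they still exist in the container but
#    are completely inactive. A linked GPO's XML report carries a <LinksTo>
#    element for every site, domain or OU it is linked to.
function Get-UnlinkedGpo {
    foreach ($g in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $g.Id -ReportType Xml
        if (-not $report.GPO.LinksTo) {
            $g | Select-Object DisplayName, Id, ModificationTime
        }
    }
}
Get-UnlinkedGpo
```

Step 5 is the check worth keeping: an unlinked GPO is harmless until someone links it, but it is also easy to overlook, so a periodic listing of unlinked GPOs shows what is sitting in the container with no effect.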

Working with Linked GPOs and Default Policy

Several tools are available for working with Group Policy. The interfaces for these tools are very similar. When you want to work with security settings in Local Group Policy (for example, the Computer Configuration\Windows Settings\Security Settings portion), you can use the Local Security Policy tool (which you can access by clicking Start, Programs or All Programs, Administrative Tools, and then Local Security Policy). When you want full access to Local Group Policy or want to work with Active Directory–based Group Policy, you can use the Group Policy Object Editor, which is included with a standard installation of Windows Server 2003, or the Group Policy Management Console (GPMC), which is available as a free download from the Microsoft Download Center (http://www.microsoft.com/downloads).

When you create a domain, two GPOs are created by default:

  • Default Domain Controllers Policy GPO. A default GPO created for and linked to the Domain Controllers OU that is applicable to all domain controllers in a domain (as long as they aren’t moved from this OU). This GPO is used to manage security settings for domain controllers in a domain.

  • Default Domain Policy GPO. A default GPO created for and linked to the domain within Active Directory. This GPO is used to establish baselines for a wide variety of policy settings that apply to all users and computers in a domain.

Whether you are working with the Group Policy Object Editor or the GPMC, you’ll have access to the linked Default Domain Policy GPO. For example, in GPMC, you simply select the Default Domain Policy node in the console root. The Default Domain Controllers Policy GPO, on the other hand, is accessed separately. On a domain controller, you can access the security settings for the Default Domain Controllers Policy GPO (for example, the Computer Configuration\Windows Settings\Security Settings portion) by using the Domain Controller Security Policy console. (Click Start, Programs or All Programs, Administrative Tools, and then Domain Controller Security Policy.) If you want full access to the Default Domain Controllers Policy GPO, you can use Group Policy Object Editor or GPMC.

The default GPOs are essential to the proper operation and processing of Group Policy. By default, the Default Domain Controllers Policy GPO has the highest precedence among GPOs linked to the Domain Controllers OU, and the Default Domain Policy GPO has the highest precedence among GPOs linked to the domain. As you’ll learn in the sections that follow, the purpose and use of each default GPO is a bit different.

Tip

The default GPOs are so important for proper Group Policy operation that Microsoft created a recovery utility called DCGPOFIX that lets you easily restore the Default Domain Policy GPO, the Default Domain Controllers Policy GPO, or both. Simply run DCGPOFIX from the command line with one of the following options:

  • /Target:Domain To restore the Default Domain Policy GPO

  • /Target:DC To restore the Default Domain Controllers Policy GPO

  • /Target:Both To restore the Default Domain Policy GPO and the Default Domain Controllers Policy GPO

More Info

For more information on DCGPOFIX, see Chapter 16 and Chapter 17.

Working with the Default Domain Policy GPO

Under Windows 2000 or later, you create a domain by establishing the first domain controller in that domain. This typically means logging on to a standalone server as a local administrator, running DCPROMO, and then specifying that you want to establish a new forest or domain. When you establish the domain and the domain controller, the Default Domain Controllers Policy GPO and the Default Domain Policy GPO are created at the same time. The Default Domain Controllers Policy GPO is linked to the Domain Controllers OU, which is also automatically created for the new domain. The Default Domain Policy GPO is linked to the domain.

The Default Domain Policy GPO is a complete policy set that includes settings for managing the many policy areas we’ve discussed previously, but it isn’t meant for general management of Group Policy. As a best practice, you should edit the Default Domain Policy GPO only to manage Account Policies, which has three specific areas:

  • Password Policy. Determines the default password policies for domain user accounts (enforced by the domain controllers), such as password history and minimum password length settings

  • Account Lockout Policy. Determines the default account lockout policies for domain user accounts, such as account lockout duration and account lockout threshold

  • Kerberos Policy. Determines the default Kerberos policies for the domain, such as maximum tolerance for computer clock synchronization

To manage other areas of policy, you should create a new GPO and link it to the domain or an appropriate OU within the domain.

Note

Wondering why configuring policy in this way is a recommended best practice? Well, there are two reasons. First, if Group Policy becomes corrupted and stops working, you can use DCGPOFIX to restore the Default Domain Policy GPO to its original state (which would mean that you would lose all the customized settings you’ve applied to this GPO). Second, some policy settings can only be configured at the domain level and configuring them in the Default Domain Policy GPO makes the most sense. However, no specific restrictions require you to follow this practice.
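The DCGPOFIX restore described in the earlier tip, together with the point made in this note that a restore discards any customizations, as an added example (not code from the original text). It assumes the GroupPolicy PowerShell module, that you are logged on to a domain controller in the cpandl.com domain from the text as a domain administrator, and a backup folder of your choosing; dcgpofix.exe with its /target switch is the built-in tool the tip describes.

```powershell
# Added example, not from the original text. Assumes the GroupPolicy module,
# a domain controller in cpandl.com, and a backup folder (assumed path).
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup\DefaultGPOs'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up both default GPOs before touching them. dcgpofix resets a GPO to
#    its out-of-box state, so anything customized in it is lost otherwise.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Backup-GPO -Name $name -Path $backupDir -Comment ("Before dcgpofix " + (Get-Date -Format s))
}

# 2. Restore the Default Domain Policy GPO only. dcgpofix asks for confirmation
#    at the console; answer Y at the prompts. Use /target:DC for the Default
#    Domain Controllers Policy GPO, or /target:Both for both.
& "$env:SystemRoot\System32\dcgpofix.exe" /target:Domain

# 3. Confirm the restored GPO is still linked at the domain with link order 1,
#    which is what gives it the highest precedence for Account Policies.
$domainDn = 'DC=cpandl,DC=com'
$links = (Get-GPInheritance -Target $domainDn).GpoLinks
$ddp   = $links | Where-Object { $_.DisplayName -eq 'Default Domain Policy' }
if (-not $ddp) {
    Write-Warning 'Default Domain Policy is not linked to the domain'
} elseif ($ddp.Order -ne 1) {
    Write-Warning ('Default Domain Policy has link order {0}; another GPO now outranks it' -f $ddp.Order)
} else {
    'Default Domain Policy is linked at the domain with link order 1'
}

# 4. If the reset removed settings you still need, bring back the GPO body
#    from the backup (this restores settings, not links):
# Restore-GPO -Name 'Default Domain Policy' -Path $backupDir
```

Step 3 is the part to keep even if you never run dcgpofix: if someone links another GPO at the domain with link order 1, that GPO, not the Default Domain Policy GPO, now decides the domain's Account Policies.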

You can access the Default Domain Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Policy GPO when you click the domain name in the console tree. Then right-click the Default Domain Policy node and select Edit to get full access to the Default Domain Policy GPO. If you want to work only with security settings in the Default Domain Policy GPO, you can use the Domain Security Policy console. In this case, follow these steps:

  1. Log on to a domain controller as a Domain Administrator.

  2. Access the Domain Security Policy console by clicking Start, Programs or All Programs, Administrative Tools, and then Domain Security Policy.

  3. Any setting changes you make affect the entire domain.

Note

Account Policies should be configured in the highest precedence GPO linked to a domain. By default, the highest precedence GPO linked to a domain is the Default Domain Policy GPO, and this is why most documentation tells you to configure Account Policies in the Default Domain Policy GPO. While this is a good practice, the bottom line is this: If you define Account Policies in multiple GPOs linked to a domain, the settings will be merged according to the link order of these GPOs. The GPO with a link order of 1 will always have the highest precedence.

Four policies are exceptions to the rule that the Default Domain Policy GPO (or the highest precedence GPO linked to the domain) is used only to manage Account Policies. These policies (located in Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) are as follows:

  • Accounts: Rename Administrator Account Renames the built-in Administrator account on all computers throughout the domain and sets a new name for the account so that it is better protected from malicious users. Note that this policy affects the logon name of the account, not the display name. The display name remains Administrator or whatever you set it to. If an administrator changes the logon name for this account through Active Directory Users And Computers, it automatically reverts to what is specified in this policy setting the next time Group Policy is refreshed.

  • Accounts: Rename Guest Account Renames the built-in Guest account on all computers throughout the domain and sets a new name for the built-in Guest account so that it is better protected from malicious users. Note that this policy affects the logon name of the account, not the display name. The display name remains Guest or whatever else you set it to. If an administrator changes the logon name for this account through Active Directory Users And Computers, it automatically reverts to what is specified in this policy setting the next time Group Policy is refreshed.

  • Network Security: Force Logoff When Logon Hours Expire Forces users to log off from the domain when logon hours expire. For example, if you set the logon hours as 8 AM to 6 PM for the user, the user is forced to log off at 6 PM.

  • Network Access: Allow Anonymous SID/Name Translation Determines whether an anonymous user can request the security identifier (SID) attributes of another user. If this setting is enabled, a malicious user could translate the well-known SID of the built-in Administrator account (the domain SID with relative identifier 500) back to the account's current name, even if the account has been renamed. If this setting is disabled, computers and applications running in pre–Windows 2000 domains may not be able to communicate with Windows Server 2003 domains. This communication issue specifically applies to:

    • Windows NT 4.0–based Remote Access Service servers

    • Microsoft SQL Servers running on Windows NT 3.x–based or Windows NT 4.0–based computers

    • Remote Access Services running on Windows 2000–based computers that are located in Windows NT 3.x domains or Windows NT 4.0 domains

    • SQL Servers running on Windows 2000–based computers that are located in Windows NT 3.x domains or Windows NT 4.0 domains

    • Users in a Windows NT 4.0 resource domain who want to grant permissions on files, shared folders, and registry objects to user accounts from account domains that contain Windows Server 2003 domain controllers

You typically manage these four policy settings through the GPO that is linked to the domain level and has the highest precedence. As with Account Policies, this is the Default Domain Policy GPO by default.
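A check that shows which domain-linked GPO actually wins for each Account Policies setting and for the four Security Options listed above, as an added example (not code from the original text). It assumes the GroupPolicy PowerShell module, read access to SYSVOL, and the cpandl.com domain from the text. It relies on the standard layout of a GPO's security template in SYSVOL: Password Policy, Account Lockout Policy and these four Security Options are all written to the [System Access] section of GptTmpl.inf (as MinimumPasswordLength, LockoutBadCount, NewAdministratorName, NewGuestName, ForceLogoffWhenHourExpire, LSAAnonymousNameLookup and so on), and Kerberos Policy to the [Kerberos Policy] section. Reading those sections from each GPO linked to the domain, in link order, reproduces the precedence rule described in the note.

```powershell
# Added example, not from the original text. Assumes the GroupPolicy module,
# SYSVOL read access and the cpandl.com domain used in the text.
Import-Module GroupPolicy

$domain   = 'cpandl.com'
$domainDn = 'DC=cpandl,DC=com'

# Parse an INF-style security template into section -> key -> value.
function Read-SecurityTemplate {
    param([string]$Path)
    $result  = @{}
    $section = $null
    if (-not (Test-Path -LiteralPath $Path)) { return $result }
    # GptTmpl.inf is stored as UTF-16 with a BOM; Get-Content detects that.
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
        } elseif ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Walk the enabled GPO links on the domain in link order (1 = highest
# precedence) and record, per setting, the first GPO that defines it.
function Get-DomainAccountPolicyPrecedence {
    $winners = @{}
    $links = (Get-GPInheritance -Target $domainDn).GpoLinks |
             Where-Object { $_.Enabled } | Sort-Object Order
    foreach ($link in $links) {
        $inf = '\\{0}\SYSVOL\{0}\Policies\{{{1}}}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf' -f $domain, $link.GpoId
        $tpl = Read-SecurityTemplate -Path $inf
        foreach ($sectionName in 'System Access', 'Kerberos Policy') {
            if (-not $tpl.ContainsKey($sectionName)) { continue }
            foreach ($key in $tpl[$sectionName].Keys) {
                $value = $tpl[$sectionName][$key]
                if ($winners.ContainsKey($key)) {
                    # A higher-precedence link already defined it; this value is shadowed.
                    $winners[$key].ShadowedBy += ('{0}={1}' -f $link.DisplayName, $value)
                } else {
                    $winners[$key] = [pscustomobject]@{
                        Section    = $sectionName
                        Setting    = $key
                        Value      = $value
                        WinningGpo = $link.DisplayName
                        LinkOrder  = $link.Order
                        ShadowedBy = @()
                    }
                }
            }
        }
    }
    $winners.Values | Sort-Object Section, Setting
}

Get-DomainAccountPolicyPrecedence |
    Format-Table Section, Setting, Value, WinningGpo, LinkOrder, ShadowedBy -AutoSize
```

Any row whose WinningGpo is not the Default Domain Policy GPO, or whose ShadowedBy column is not empty, means these settings are defined in more than one domain-linked GPO and the link order, not the GPO's name, is deciding the result.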

Working with the Default Domain Controllers Policy GPO

Under Windows 2000 or later, you establish a domain controller by running DCPROMO and promoting a member server to domain controller status. When you do this, the server’s computer object is moved to the Domain Controllers OU. As long as domain controllers remain in this Domain Controllers OU, they are affected by the Default Domain Controllers Policy GPO.

The Default Domain Controllers Policy GPO is designed to ensure that all domain controllers in a domain have the same security settings. This is important because all domain controllers in an Active Directory domain are peers: if they had different security settings, they could behave differently depending on which one a client happened to reach, and logon and authentication results would become inconsistent. If one domain controller has a specific policy setting, that setting should be applied to all domain controllers to ensure consistent behavior across the domain.

Caution

Moving a domain controller out of the Domain Controllers OU can adversely affect domain management. It can also lead to inconsistent behavior during logon and authentication. If you move a domain controller out of the Domain Controllers OU, you should carefully manage its security settings thereafter. For example, if you make security changes to the Default Domain Controllers Policy GPO, you should ensure that those security changes are applied to domain controllers stored in OUs other than the Domain Controllers OU.
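A check for the situation this caution warns about, as an added example (not code from the original text): it lists domain controllers whose computer objects sit outside the Domain Controllers OU and, for each one, asks Resultant Set of Policy whether the Default Domain Controllers Policy GPO was applied anyway (for instance through a link you added elsewhere). It assumes the ActiveDirectory PowerShell module from RSAT, the cpandl.com domain from the text, and gpresult.exe with the /r switch, which is the Windows Vista/Windows Server 2008 or later version of the tool; remote gpresult also needs administrative access to the target computer.

```powershell
# Added example, not from the original text. Assumes the ActiveDirectory
# module, the cpandl.com domain used in the text, and gpresult.exe /r.
Import-Module ActiveDirectory

$domainDn = 'DC=cpandl,DC=com'
$dcOu     = "OU=Domain Controllers,$domainDn"

# 1. A DC whose computer object is not in the Domain Controllers OU (or in a
#    child OU beneath it, which would still inherit the link) is out of scope
#    of the Default Domain Controllers Policy link.
function Get-MisplacedDomainController {
    Get-ADDomainController -Filter * |
        Where-Object { $_.ComputerObjectDN -notlike "CN=*,$dcOu" } |
        Select-Object HostName, ComputerObjectDN
}

# 2. Ask RSoP on the DC whether the Default Domain Controllers Policy GPO was
#    applied to the computer. gpresult lists applied GPOs under the heading
#    'Applied Group Policy Objects' and skipped ones under a separate heading.
function Test-DefaultDcPolicyApplied {
    param([string]$ComputerName)
    $text    = & gpresult.exe /s $ComputerName /scope computer /r 2>&1 | Out-String
    $applied = ($text -split 'Applied Group Policy Objects', 2)[1]
    $applied = ($applied -split 'The following GPOs were not applied', 2)[0]
    return [bool]($applied -match 'Default Domain Controllers Policy')
}

$misplaced = Get-MisplacedDomainController
if (-not $misplaced) {
    'All domain controllers are in the Domain Controllers OU'
} else {
    foreach ($dc in $misplaced) {
        [pscustomobject]@{
            DomainController    = $dc.HostName
            ComputerObjectDN    = $dc.ComputerObjectDN
            DefaultDcGpoApplied = Test-DefaultDcPolicyApplied -ComputerName $dc.HostName
        }
    }
}
```

A DC that shows up with DefaultDcGpoApplied equal to False is running without the user rights and audit settings every other DC has, which is exactly the inconsistent logon and authentication behavior the caution describes.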

You can access the Default Domain Controllers Policy GPO in several ways. If you are using the GPMC, you’ll see the Default Domain Controllers Policy GPO when you click the Domain Controllers node in the console tree. Then right-click the Default Domain Controllers Policy node and select Edit to get full access to the Default Domain Controllers Policy GPO. If you want to work only with security settings in the Default Domain Controllers Policy GPO, you can use the Domain Controller Security Policy console. In this case, follow these steps:

  1. Log on to a domain controller as a Domain Administrator.

  2. Access the Domain Controller Security Policy console by clicking Start, Programs or All Programs, Administrative Tools, and then Domain Controller Security Policy.

  3. You can now manage security settings for domain controllers. Any changes you make to settings will affect all domain controllers in the domain.

Because all domain controllers are placed in the Domain Controllers OU by default, any security setting changes you make will apply to all domain controllers by default. The key security areas that you should manage consistently include:

  • Local Policies:

    • Audit Policy. Determines default auditing policies for domain controllers, such as logging event success, failure, or both

    • User Rights Assignment. Determines default user rights assignment for domain controllers, such as the Log On As A Service and Allow Log On Locally rights

    • Security Options. These include the Domain Controller: Allow Server Operators To Schedule Tasks option

  • Event log settings such as

    • Maximum log size for domain controllers

    • Preventing guest access of domain controller logs

    • Whether logs are retained and the retention method used

Note

Microsoft recommends that you edit the Default Domain Controllers Policy GPO only to set user rights and audit policies—not to make any other changes. If something happens to this GPO, you can use DCGPOFIX to restore the default GPO.
