This chapter focuses mainly on modifying the default behavior of Group Policy objects (GPOs) in custom environments, such as when a user’s computer connects to the network in a unique manner or needs special configurations. We will investigate the GPO settings that allow you to control, secure, and configure these environments so that they remain functional yet secure.
The scenarios we examine here include the use of loopback processing, which is reviewed first. Loopback processing is a unique and flexible option that allows user settings to be controlled through the computer configuration, so that you have control over the settings for all users who log on to a particular computer. We will next discuss Terminal Services sessions, which require special security and functionality control. Finally, we will look at slow link detection and how to control the GPO settings for slow link clients differently from the GPOs that typically affect all computers.
Active Directory Design and Normal GPO Processing
To design and implement custom environments, you need a good understanding of the basics of Group Policy, including how to design Active Directory® to facilitate deploying GPOs. Here are some basic and important concepts to remember with regard to designing Active Directory and deploying GPOs:
You must design GPOs with consideration of delegation of administration in mind.
Group Policy applies only to user and computer accounts, not group accounts.
GPOs affect the container at which they are applied, as well as all subordinate containers through inheritance.
GPOs affect all objects at the container at which they are deployed, including domain controllers, administrative groups, and administrative user accounts.
An administrator can limit a GPO’s scope of influence by configuring inheritance blocking, security filtering, and WMI filters.
Keep your organizational unit (OU) structure to a maximum of 10 levels deep.
To design and implement custom environments, you also need a good understanding of how Group Policy is applied. Here is a quick summary of the order and precedence rules for how GPOs are normally processed.
When the computer starts, network connectivity also starts.
The computer account communicates with DNS and Active Directory.
The computer obtains an ordered list of GPOs that apply to the computer.
Computer policies under Computer Configuration are applied.
Computer-based startup scripts run.
The user is validated against Active Directory.
The user’s profile loads.
The computer obtains an ordered list of GPOs that apply to the user.
User policies under User Configuration are applied.
User-based logon scripts run.
The user is presented with her desktop interface, as configured by Group Policy.
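The following is an added example, not code from the book: a small Python model of how the ordered list of GPOs in the steps above is built for an account, combining container inheritance, inheritance blocking, security filtering, and precedence (the closest container applied last, so it wins conflicting settings). The hierarchy, GPO names, and group names are constructed for illustration; the model omits link enforcement and WMI filters.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GPO:
    name: str
    # Security filtering: identities (account or group names) allowed to apply
    # this GPO. None models the default of Authenticated Users (everyone).
    allowed: Optional[frozenset] = None

@dataclass
class Container:
    name: str                       # site, domain or OU (all constructed here)
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)  # GPOs linked here, link order 1 first
    block_inheritance: bool = False

def applied_gpos(container: Container, identities: frozenset) -> list:
    """Ordered list of GPO names the client applies for an account living in
    `container`, in application order (later entries win conflicting settings).
    `identities` holds the account name plus its group memberships."""
    # Walk from the account's own container toward the domain root, stopping
    # after the first container that blocks inheritance from above.
    chain = []
    node = container
    while node is not None:
        chain.append(node)
        if node.block_inheritance:
            break
        node = node.parent
    # The closest container has the highest precedence, so it is applied last;
    # within one container, link order 1 is applied last as well.
    ordered = []
    for node in reversed(chain):
        for gpo in reversed(node.links):
            if gpo.allowed is None or gpo.allowed & identities:
                ordered.append(gpo.name)
    return ordered

# Constructed sample hierarchy: domain -> Workstations OU -> Kiosks OU
domain = Container("corp.example", links=[GPO("Default Domain Policy")])
workstations = Container("Workstations", parent=domain,
                         links=[GPO("Screen Lock"), GPO("Software Restriction")])
kiosks = Container("Kiosks", parent=workstations, block_inheritance=True,
                   links=[GPO("Kiosk Lockdown", allowed=frozenset({"Kiosk Computers"}))])

if __name__ == "__main__":
    print(applied_gpos(workstations, frozenset({"PC01", "Domain Computers"})))
    # → ['Default Domain Policy', 'Software Restriction', 'Screen Lock']
    print(applied_gpos(kiosks, frozenset({"KIOSK01", "Kiosk Computers"})))
    # → ['Kiosk Lockdown']
```

Compare the result against what `gpresult /r` reports on a real client; a GPO missing from the list is usually explained by a blocked container or a security filter the account does not satisfy.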
For more information on designing Active Directory and deploying GPOs, see Chapter 4. For more information on how Group Policy is applied, see Chapter 2 and Chapter 13.