A quick assortment of useful Group Policy concepts starting with a quick review of what Group Policies are, how they work, what they can do (in general). Sections on the following concepts are included: * Software Restriction Policies * Group Policy Preferences * Loopback Preferences * Backing up your GPO's with PowerShell I only had about 45 minutes to go through this, so the topics are glanced over, but it gives the viewer a decent idea of the various aspects of Group Policy.

1. USEFUL
GROUP
POLICY
CONCEP
TS
A random collection of some helpful tips. Let’s
start with a review!

2. Review: What is Group Policy?
Group Policy provides the centralized management and configuration
of Operating Systems, Apps, and user settings via Active Directory.
Set
Screensaver
timeout

3. Review: What are GPO’s good
for?
You can tweak things like:
Password complexity settings
Screensaver timeouts
File/Folder Permisisons
Web browser settings
WiFi profiles
Application-specific settings
What a user can and cannot access (regedit.exe, cmd.exe, OS
features)
Networking characteristics
Windows Update settings
And much, much more!

4. Managing Group Policies
Open Group Policy Management Console (GPMC) from your Domain
Controller
Or
Install the Remote Server Administration Toolkit (RSAT) on your Windows
client OS
Windows 10 build >= 9926: http://www.microsoft.com/en-
us/download/details.aspx?id=45520
Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39296
Windows 8: http://www.microsoft.com/en-us/download/details.aspx?id=28972
Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows Vista: http://www.microsoft.com/en-us/download/details.aspx?id=21090

5. Managing Group Policies

6. Review: What exactly are Group
Policy Objects?
 Group Policy Objects (GPO’s) are settings & definitions which
reside on your domain controllers and replicate via DFS and FRS,
stored in the sysvol folder.
 These GPO’s contain settings which can manipulate a computer’s
or user’s configuration/experience – as such, the settings are
broken into ‘Computer Configuration’ and ‘User Configuration.’
 GPO’s are then associated (aka ‘linked’) to Organizational Units
(OU’s) in Active Directory. Any user or computer object in the OU
tree will apply the settings from those GPO’s by default.
 You can link one GPO to many OU’s if desired.
 You can allow or disallow GPO application per user/computer/group
by way of Security Filtering.

7. Review: The order in which GPO’s
are applied
1. Local computer policy (gpedit.msc)
2. Site
3. Domain
4. OU
5. Child OU (highest priority)
Things change a bit if you right-click and ‘enforce’ group
policies – The order of precedence now favors the
enforced policy.

8. Review: When Group Policies are
Applied
 By default they refresh at around 90 minutes for workstations
and 5 minutes for domain controllers.
 They are also processed at bootup/logon.
 You can force a refresh by running GPUpdate /force from an
elevated command prompt
 You can also force a refresh from the GPMC or ADUC if you
are running Windows 8 or Server 2012 (SpecOps makes a
tool for this as well that works with Windows 7).
http://www.specopssoft.com/product/specops-gpupdate/

9. Review: Getting started with Group
Policy?
1. Create a new OU
2. Move a computer/user object into the OU
3. Create a new GPO, make a change
4. Link the new GPO to your test OU.
Starter tips:
 Don’t modify the default domain policy (DDP) –
use only for account security settings.
 Don’t move your domain controllers out of the
‘Domain Controllers’ OU
Nifty online reference for GPO settings: http://gpsearch.azurewebsites.net

10. SOFTWARE
RESTRICTIONS
Yes, you don’t need to open that email from
george32426@earthlink.com. Really.

11. Stopping your users from running
“junk”
Software Restriction
Policies
 Allow or disallow
certain programs from
being run on your
domain computers
 Users will receive a
“helpful” popup telling
them that their
application has been
blocked
 Event log entry 866 is
generated

12. Software Restriction Policies:
How they work
Block or approve applications based on file
hash, path, or folder name. Decent start for
preliminary defense against malware like
Cryptolocker.
AppLocker is the next generation of SRP, found
on Windows Ultimate & Enterprise (and Server).

13. Software Restriction Policies:
Blacklist or Whitelist?
You maintain a list of applications that
are not OK to run. Everything else is
allowed to execute.
Good for when you need to block one or
two problem apps in your environment.
Easier to introduce/implement.
This is tedious.
Configure under
Computer
ConfigurationPoliciesWindows
SettingsSoftware Restriction
PoliciesUnrestricted
You maintain a list of applications that
are approved* to run. Everything else is
not allowed to execute.
The whitelist will set up a default set of
applications that Windows needs to
operate.
Requires extensive testing to make sure
everything works as expected.
Best for overall system security.
Configure under
Computer
ConfigurationPoliciesWindows
SettingsSoftware Restriction
PoliciesDisallowed
Blacklisting Whitelisting

14. Software Restriction Policies -
where to find them
In your GPMC, head to:
Computer or User ConfigurationPoliciesWindows SettingsSecurity
SettingsSoftware Restriction Policies

15. GROUP POLICY
PREFERENCES
Do you have a moment to talk about our savior,
Group Policy Preferences?

16. Group Policy Preferences (GPP)
 Printers & Mapped Drives
 ODBC Data Sources
 Modify local user groups
 Power Plans
 Scheduled Tasks & Services
 Copy, Update or Remove Files/Folders
 Application Shortcuts
 Registry Entries
 Etc.

17. Group Policy Preferences – where
to find them
 Head to ‘Computer’ or ‘User Configuration’Preferences in your
GPMC.

18. Item Level Targeting: Granular
Preferences
Deployment of preferences and configs to
computers & users based upon very specific
criteria:
Examples:
 If a computer has a battery
 If a user is or is not a member of a security group
 If a computer has a specific IP address
 If an object is a member of a particular OU Etc.
 Or a combination of the above!

20. Group Policy Preferences
Console Shortcuts
• F5 – applies all visible options
(green)
• F6 – applies only the option
that currently has focus
(green)
• F7 – does not apply the option
that currently has focus
(dashed red)
• F8 – does not apply all visible
options (dashed red)
Extremely useful if you only want
to configure a single preference
out of a large grouping.

21. LOOPBACK
POLICIES
Perfect for Terminal/Citrix servers…

22. What do Loopback Policies do?
 These are policies where you can configure
user based configurations on computer
objects.
 I.e. lock out user access to certain items or
perhaps set application specific settings only
when they log into a particular computer.
 Great for Kiosk/Terminal/Citrix other shared
computers where every user must have the
same experience on a specific computer.

23. How to set up a Loopback
Policy
1. Set up a group policy as you normally would, configuring items
under ‘User Configuration.’ A good start would be to lock out
certain desktop items.
2. Under ‘Computer Configuration,’ modify ‘Configure user Group
Policy loopback processing mode’ under Windows
SettingsAdministrative TemplatesSystemGroup Policy.
3. Enable ‘Replace’ mode to start with. ‘Merge’ takes longer to
process and may produce unexpected results if you’re just starting
out.
4. Link group policy to OU where computer object resides.
5. Log in and enjoy!

24. POWERSHELL
AND GROUP
POLICY

25. Working with GPOs in
PowerShell: What you need
 Windows 7 or better: RSAT
(Remote Server Administration
Tools)
-or-
 Server 2008 R2 member server
or better: with the GPMC (Group
Policy Management Console)
installed
-or-
 Server 2008 R2 Domain
Controller or better
At least PowerShell 2.0 (this
comes with Windows 7/Server
2008 R2)
Must Have AND

26. When performing ‘administrative-like’ duties
in PowerShell, always right-click and run
PowerShell as an administrator.
The more you know…

27. Starter cmdlets
 Get-GPO
 Get-GPOReport
 Backup/Restore-GPO
 Get-GPResultantSetOfPolicy (like ‘GPResult
/h’)
 Set-GPLink

28. Backup your GPO
Example of output:
DisplayName : Computer Policy - Test
GpoId : a4bafa8d-a66d-4b08-a433-01e79086e08b
Id : 004c5691-45a3-47f5-a556-77b5fb7d4109
BackupDirectory : c:temp
CreationTime : 4/28/2015 10:44:26 PM
DomainName : lnrdomain.local
Comment :
Backup-GPO –All –Path c:temp | out-file c:tempgpo-backups.txt

29. The ID from the Backup-GPO cmdlet output corresponds to the GPO directory
names contained the backup folder.
Backup your GPO

30. Restore your GPO
This will restore the specified GPO via the ID back to your domain
from the c:temp path.
A couple things to note:
 If you are restoring a GPO that was previously deleted, the
restored GPO will NOT retain its original links in AD.
 Restoring a GPO will restore the original GPO ID. However,
when you run Backup-GPO again against this GPO, a new
BackupID will be generated.
Restore-GPO –BackupID 004c5691-45a3-47f5-a556-77b5fb7d4109 –Path c:temp

31. Get an output of all your Policy
settings
You can use the following PowerShell cmdlet to export the
settings for all your domain policies:
This is great for a reviewing all GPOs (grab a pot of coffee!),
and looks similar to the ‘GPResult.exe’ HTML output.*
You can also run this against a single policy:
*Note that RSoP PowerShell cmdlet is Get-
GPResultantSetOfPolicy
Get-GPOReport –All –ReportType Html –Path “c:tempgpo-output.html”
Get-GPOReport -Name “Computer Policy – Test” –Path “c:tempcp-
test.html”

32. For more information relating to
PowerShell and GPO’s…
Use PowerShell to find more cmdlets relating to Group Policy…
Want to know more about a specific cmdlet? Type the following:
If you have PowerShell 3.0 or better, you can do this…
Get-Help Get-GPO #<-- Or whatever cmdlet you want to know about
Get-Help Get-GPO -ShowWindow
Get-Command –Noun “GP*”