Anatomy of a GPO Mark Cribben Senior Consultant Microsoft Consulting Services MGT320.
Agenda
- Server side architecture of a GPO
- Client side architecture of a GPO
- Processing a GPO
- My first engineering project…
- Creating and applying a GPO
- Demo
Group Policy Architecture (diagram)
- Client: WinLogon, WMI, Group Policy Engine, Client Side Extensions, RSOP, File System, Registry, Event Log, Local GPO
- Domain controllers, each holding the GPO: AD replication between DCs, plus file system replication for SysVol
Server Architecture
Active Directory
- Group Policy Container: CN=Policies,CN=System,DC=Domain,DC=com contains all GPOs in this hierarchy
- OU to which policies are linked, e.g. OU=My OU,DC=Domain,DC=com
  - gpLink: list of GPO GUIDs linked to the OU
  - gpOptions: inheritance property
- Tools: Active Directory Users and Computers (DSA.msc), Group Policy Management (GPMC.msc), Group Policy Object Editor (GPEdit.msc)
File system
- SysVol share holds the Group Policy Template (GPT): %windir%\sysvol\sysvol\FQDN\Policies\{Policy GUID}, containing ADM, Machine, User and GPT.ini
- DC replication as applicable
- FRS for SysVol to keep machines in sync after DC replication
Examining the Server side
Demo
Server side components
The GPC (Active Directory storage)
- Located in the System\Policies container
- Attributes: flags, gPCFileSysPath, gPCMachineExtensionNames, gPCUserExtensionNames, versionNumber
The GPT (domain controller storage)
- Located on SYSVOL
- Components: Adm, Machine, User, Gpt.ini, Registry.pol
Additional AD components
AD container attributes
- GPOs are linked to Site, Domain and OU
- gpLink: list of all GPOs linked to the container, with a status flag for each linked GPO; link order specifies rank or precedence
- gpOptions: where block inheritance is configured
IPSec Policy
- Not stored in the GPC; stored in System\IP Security
- A link is created in the GPC to reference the IPSec policy
WMI filters
- Also not stored in the GPC; stored in System\WMIPolicy
- The DN of the WMI query is stored in the gPCWQLFilter attribute
Understanding the GP version
- Seems incomprehensible!!
- Computer Configuration changes increment by 1
- User configuration changes increment by 65536
- Work out the current version by doing an XOR, or Calculator (hex view), or GPMC!
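The version arithmetic above, and the GPC (AD versionNumber) versus GPT (SYSVOL gpt.ini) check a troubleshooter does with it, as an added example; this is not the slides' or Microsoft's code, the gpt.ini text is constructed and the function names are mine:

```python
import configparser

# Constructed sample of a gpt.ini as found under SYSVOL\...\Policies\{GUID}
# (not from the slides). 196611 = 3 * 65536 + 3.
SAMPLE_GPT_INI = """[General]
Version=196611
displayName=New Group Policy Object
"""


def split_version(version_number: int) -> tuple[int, int]:
    """Split a GPO version into (computer, user) revision counters.

    Computer Configuration edits add 1 (low 16 bits); User Configuration
    edits add 65536 (high 16 bits), which is why the raw number looks odd.
    """
    computer = version_number & 0xFFFF
    user = (version_number >> 16) & 0xFFFF
    return computer, user


def gpt_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a gpt.ini file body."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])


def compare_gpc_gpt(gpc_version_number: int, gpt_ini_text: str) -> dict:
    """Compare the AD versionNumber (GPC) with the SYSVOL gpt.ini (GPT).

    A mismatch usually means AD replication and SYSVOL (FRS) replication
    are out of step on the DC the client talked to.
    """
    gpc = split_version(gpc_version_number)
    gpt = split_version(gpt_version(gpt_ini_text))
    return {"gpc": gpc, "gpt": gpt, "in_sync": gpc == gpt}


if __name__ == "__main__":
    print(split_version(196611))                    # (3, 3)
    print(compare_gpc_gpt(196612, SAMPLE_GPT_INI))  # computer part differs
```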
ADM Template files
- The majority of GP settings are configured through ADM template files
- Registry based settings
- Stored in SYSVOL
- Default .adm files: System.adm, Inetres.adm, Wuau.adm, Wmplayer.adm, Conf.adm
- No role in GPO processing; purely an admin benefit
- Cannot be used to control REG_BINARY values
Client Side architecture
Client Architecture & CSE (diagram)
- WinLogon.exe loads UserEnv.dll, the Group Policy Engine, which logs to UserEnv.Log
- CSE DLLs and their log files: GPText.dll (UserEnv.Log), FDeploy.dll (FDeploy.Log), Scecli.dll (WinLogon.Log), DskQuota.dll (UserEnv.Log), IEdkcs32.dll (UserEnv.Log), APPMgmts.dll (AppMgmt.Log), Custom.dll
- CSE areas: Scripts, IP Security, QoS Packet Scheduler, Wireless Network Policies, Folder Redirection, Security Settings, Disk Quotas, IE Maintenance, Software Installation, Administrative Templates, Software Restriction Policies, Public Key Policies
- CSEs are registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions
CSE Identification
GUID | Component | Log file
25537BA6-77A8-11D2-9B6C-0000F8080861 | Folder Redirection | Fdeploy.log
3610eda5-77ef-11d2-8dc5-00c04fa31a66 | Microsoft Disk Quota | Userenv.log
42B5FAAE-6536-11D2-AE5A-0000F87571E3 | Scripts | Userenv.log
827D319E-6EAC-11D2-A4EA-00C04F79F83A | Security | Winlogon.log
B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A | EFS Recovery | Winlogon.log
c6dc5466-785a-11d2-84d0-00c04fb169f7 | Software Installation | Appmgmt.log
A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B | Internet Explorer Branding | Userenv.log
4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3 | Internet Explorer Zone Mapping | Userenv.log
35378EAC-683F-11D2-A89A-00C04FBBCFA2 | Registry Settings | Userenv.log
e437bc1c-aa7d-11d2-a382-00c04f991e27 | IP Security | Userenv.log
0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63 | Wireless Group Policy | Userenv.log
426031c0-0b47-4852-b0ca-ac3d37bfcb39 | QoS Packet Scheduler | Userenv.log
C631DF4C-088F-4156-B058-4375F0853CD8 | Microsoft Offline Files | Userenv.log
Key CSE policy options
- Allow processing across a slow network connection
  - Security policy will always apply
  - Consider the network implications before enabling this
- Do not apply during periodic background processing
  - Certain CSEs follow this because it is potentially unsafe to apply in the background, e.g. software installation
- Process even if the Group Policy Objects have not changed
  - Default is to not process
  - Removed GPOs are considered a change and will therefore "process"
  - Carefully consider the implications before changing this option!
Registry locations for policy
- True policy for computers will be written to:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
  - HKLM\Software\Policies
- True policy for users will be written to:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
  - HKCU\Software\Policies
- Anything else is a preference and tattoos the registry
Examining the client side
Demo
Processing a GPO
Client Architecture (diagram)
- Client: LDAP query to AD to get all gpLinks and gpOptions associated with the AD hierarchy
- Use gpOptions, link order, precedence, Enforce etc. to form an ordered list of gpLinks
- Prune No Read, No Apply, WMI-filtered and version 0 GPOs
- Client Side Extension: use the LDAP path in the gpLink and get the GPO
- GP impersonates from SYSTEM to USER; check previous version against current version
- If any version is different, then apply all GPOs for this CSE
- Make SMB call to DC (SysVol) and process policy; revert to SYSTEM and apply GPO
- Send notification to registered callers
- Also shown: WMI Repository; LDAP calls to AD on the DC; SysVol access
Processing a GPO – Get GPOs (flowchart)
- Start: get GPO list from DC, retrieve GPCs, slow link detection, order the links
- For each link: retrieve GPT.ini; link disabled? Yes: throw the link away
- Find the "nearest" link with block inheritance set; discard all links above it which are not enforced
- Link enforced? Yes: add to enforced list; No: add to non-enforced list
- For each link, discard the GPO if: the settings portion is disabled; the version number is 0; there is no permission to apply the GPO; a linked WMI filter (processed here) does not evaluate to TRUE
- GPO list ready for processing
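The gpLink and gpOptions attributes from "Additional AD components" and the link-ordering steps of this flowchart (disabled links, block inheritance, enforced list versus non-enforced list, link order) worked through in code. This is an added example, not the slides' or Microsoft's code; the gPLink entry format and its option bits (1 = disabled, 2 = enforced; gpOptions 1 = block inheritance) are the documented values, while the hierarchy, DNs and GUIDs are constructed:

```python
import re
from dataclasses import dataclass

LINK_DISABLED = 0x1      # gPLink option bit: the link is disabled
LINK_ENFORCED = 0x2      # gPLink option bit: enforced (No Override)
BLOCK_INHERITANCE = 0x1  # gpOptions bit: block inheritance on this container
# One gPLink entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;<options>]
_LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9A-Fa-f-]+\})[^;\]]*;(\d+)\]", re.IGNORECASE)

@dataclass
class Container:
    dn: str
    gplink: str = ""    # raw gPLink attribute value
    gpoptions: int = 0  # raw gpOptions attribute value

def parse_gplink(gplink: str) -> list[tuple[str, int]]:
    """(GPO GUID, options) pairs in link order; the first pair is link order 1."""
    return [(guid.upper(), int(opts)) for guid, opts in _LINK_RE.findall(gplink)]

def order_gpos(chain: list[Container]) -> list[str]:
    """Application order for an object whose containers are listed farthest to
    nearest (site, domain, OU, ..., its own OU); the last GUID wins. Pruning of
    version-0, no-Apply-permission and WMI-filtered GPOs is not modelled."""
    # nearest container with block inheritance set: non-enforced links from
    # every container above it are discarded
    block_at = None
    for idx, c in enumerate(chain):
        if c.gpoptions & BLOCK_INHERITANCE:
            block_at = idx
    non_enforced, enforced = [], []
    for idx, c in enumerate(chain):
        inherit_ok = block_at is None or idx >= block_at
        own = []
        for guid, opts in parse_gplink(c.gplink):
            if opts & LINK_DISABLED:
                continue  # throw the link away
            if opts & LINK_ENFORCED:
                enforced.append(guid)
            elif inherit_ok:
                own.append(guid)
        # link order 1 has the highest precedence in a container: apply it last
        non_enforced.extend(reversed(own))
    # enforced links apply after all others; the farthest (e.g. domain-level)
    # enforced link is applied last so nothing below it can override it
    return non_enforced + enforced[::-1]

# Constructed hierarchy with placeholder GUIDs (not from the slides)
DOMAIN = "DC=example,DC=com"
GPO_A, GPO_B, GPO_C, GPO_D, GPO_E = (
    f"{{AAAAAAAA-0000-0000-0000-00000000000{i}}}" for i in "12345")

def link(guid: str, opts: int) -> str:
    return f"[LDAP://cn={guid},cn=policies,cn=system,{DOMAIN};{opts}]"

def sample_chain(block_on_servers: bool) -> list[Container]:
    return [
        Container("CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN),
        Container(DOMAIN, link(GPO_A, 0) + link(GPO_B, LINK_ENFORCED)),
        Container("OU=Servers," + DOMAIN, link(GPO_C, 0) + link(GPO_D, LINK_DISABLED),
                  BLOCK_INHERITANCE if block_on_servers else 0),
        Container("OU=Web,OU=Servers," + DOMAIN, link(GPO_E, 0)),
    ]
```

With block inheritance on OU=Servers the domain's non-enforced GPO A is dropped but the enforced GPO B still wins; without the block, A is applied first and B still last.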
Processing a GPO – Invoke CSE (flowchart)
- Get list of registered CSEs from Winlogon
- For each CSE:
  - Startup or logon? No (background) and noBackground = 1: stop CSE
  - Slow network link? Yes and noSlowLink = 1: stop CSE
  - GPO changed or removed? Removed: add to removed list; changed: add to changed list
  - Call CSE: process changed list, process deleted list
  - Update registry with status; write notice to event log if configured
- Any more extensions? Yes: next CSE; No: finish processing
GPO History
- Important to maintain a history and state for GPO processing
  - Speeds up processing in future
  - Enables each of the CSEs to know what has changed
- Computer policies: HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
- User policies: HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
Status
- Machine policies: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
- User policies: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
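How the history feeds the Invoke CSE flowchart above: the stored GUID-to-version list is diffed against the fresh GPO list to get the changed and removed lists, and each CSE's options then decide whether it is called. This is an added example, not the slides' or Microsoft's code; the flag names follow the slides' shorthand rather than exact registry value names, the CSE set is illustrative (treating Security as re-applying even without changes is my assumption), and the GUIDs and versions are constructed:

```python
from dataclasses import dataclass

@dataclass
class Cse:
    """Per-CSE options as the slides name them (shorthand, not the exact registry value names)."""
    name: str
    no_background: bool = False      # do not apply during periodic background processing
    no_slow_link: bool = False       # do not process across a slow network connection
    process_unchanged: bool = False  # process even if the GPOs have not changed

@dataclass
class Context:
    foreground: bool  # True at startup/logon, False for a periodic background refresh
    slow_link: bool   # outcome of slow link detection

def diff_history(previous: dict, current: dict) -> tuple:
    """Compare the History key (GUID -> versionNumber last applied) with the freshly
    built GPO list. Returns (changed, removed): a new or re-versioned GPO is changed,
    and a GPO that no longer applies is removed, which also counts as a change."""
    changed = sorted(g for g, v in current.items() if previous.get(g) != v)
    removed = sorted(g for g in previous if g not in current)
    return changed, removed

def decide(cse: Cse, ctx: Context, changed: list, removed: list) -> str:
    """Replay the Invoke CSE flowchart for one extension."""
    if not ctx.foreground and cse.no_background:
        return "stop: background refresh and noBackground set"
    if ctx.slow_link and cse.no_slow_link:
        return "stop: slow link and noSlowLink set"
    if not changed and not removed and not cse.process_unchanged:
        return "skip: no GPO changed or removed"
    return f"call CSE: changed={changed} removed={removed}"

def plan_refresh(cses: list, ctx: Context, previous: dict, current: dict) -> dict:
    """Decide, for every registered CSE, what this refresh cycle does with it."""
    changed, removed = diff_history(previous, current)
    return {c.name: decide(c, ctx, changed, removed) for c in cses}

# Constructed CSE set and history with placeholder GUIDs (not from the slides)
CSES = [
    Cse("Registry"),
    Cse("Security", process_unchanged=True),  # assumption: security re-applies regardless
    Cse("Software Installation", no_background=True, no_slow_link=True),
    Cse("Folder Redirection", no_background=True, no_slow_link=True),
    Cse("Scripts", no_slow_link=True),
]
PREVIOUS = {"{GPO-1}": 3, "{GPO-2}": 196611, "{GPO-3}": 7}
CURRENT = {"{GPO-1}": 3, "{GPO-2}": 196612}  # GPO-2 edited (computer part +1), GPO-3 unlinked

if __name__ == "__main__":
    for name, verdict in plan_refresh(CSES, Context(False, False), PREVIOUS, CURRENT).items():
        print(f"{name:22} {verdict}")
```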
Processing differences
Foreground
- Typically on machine startup and user logon
- Usually synchronous
- Software Installation and Folder Redirection CSEs are foreground-only processing
Background
- Asynchronous
- Periodic refreshes
- Intervals: clients every 90 minutes + offset (up to 30 minutes); DCs every 5 minutes
- CSE max no-refresh period, e.g. Security every 16 hours
Advanced Features
- Inheritance, Block, Enforce and Disable options
- AD, Security and WMI filtering
- Loopback Processing
- Slow Link Policy Application
- Logging settings
Inheritance
- Inheritance: the default behaviour of GPOs; the closer the GPO is to the object, the higher its precedence
- Block Inheritance: a lower level authority in AD explicitly blocks inheritance and does not want to inherit everything from a higher authority
- Enforced (No Override): a higher level authority wants to force its policy even if a lower authority has blocked inheritance
- Fully Disabled or Partially Disabled GPOs: a GPO is either fully disabled, or the machine or user part of the GPO is disabled
Security & WMI Filtering
Security Filtering
- Control who will process any given GPO in an OU
- Better approach is to permit users to apply the GPO rather than deny those who shouldn't
- Make sure the targeted users have picked up the group membership
WMI Filter
- For a GPO with a WMI filter, the filter must evaluate to TRUE for the GPO to process
- Windows 2000 machines do not understand WMI filters; they evaluate to FALSE
- Consider their use sparingly. A WMI filter may not take much CPU to run, but it will run every time the policy is processed
Loopback processing
- One of the most misunderstood features
- Take care as it changes the way policies are processed
- Two modes: Replace and Merge
Replace mode
- Ignores all GPOs in the user path
- Applies user settings from GPOs in the machine path
Merge mode
- Collects user policies from the user path and the machine path
- Machine path policies with user settings override user path policies
Slow Link GPO
- Scripts, Folder Redirection and Software Installation are disabled on slow links
- Security and Administrative Templates cannot be disabled for slow links
- The client relies primarily on ICMP ping for slow link detection. If ICMP is blocked, policy processing on the client will stop for some extensions
- Either disable slow link processing for user and computer, or enable ICMP on the server
- Use the Slow Link Limit threshold policy or registry key
Log Location & Settings - 1
Component | Location of log | Key and value | Location in registry
GPMC error logging only | %temp%\GpMgmt.log | GpMgmtTraceLevel=1 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
GPMC error and verbose logging | %temp%\GpMgmt.log | GpMgmtTraceLevel=2 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
GPMC output only to log file and not to debugger | %temp%\GpMgmt.log | GpMgmtLogFileOnly=1 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
GPEdit core specific entries | %windir%\Debug\UserMode\GPEdit.log | GPEditDebugLevel DWORD 0x10002 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
GPEdit CSE specific entries | %windir%\Debug\UserMode\GPText.log | GPTextDebugLevel DWORD 0x10002 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Log Location & Settings - 2
Component | Location of log | Key and value | Location in registry
GP core (UserEnv) and Registry CSE | %windir%\Debug\UserMode\UserEnv.log | UserEnvDebugLevel DWORD 30002 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Security CSE | %windir%\Security\Logs\WinLogon.log | ExtensionDebugLevel DWORD 2 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}
Folder Redirection CSE | %windir%\Debug\UserMode\FDeploy.log | FDeployDebugLevel DWORD 0x0B | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Software Installation CSE | %windir%\Debug\UserMode\AppMgmt.log | AppMgmtDebugLevel DWORD 0x9b | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Windows Installer (deployment related actions) | %windir%\Temp\MSI*.log | Logging=VoiceWarmUp; Debug DWORD 0x3 | HKLM\Software\Policies\Microsoft\Windows\Installer
Windows Installer (user initiated actions) | %temp%\MSI*.log | Logging=VoiceWarmUp; Debug=0x3 | HKLM\Software\Policies\Microsoft\Windows\Installer
Reference
Links
- http://www.microsoft.com/technet/grouppolicy
- http://www.microsoft.com/grouppolicy
- http://www.grouppolicywiki.com
Books
- Microsoft Windows Group Policy Guide – Darren Mar-Elia, Derek Melber and William Stanek with the Microsoft GP Team
Download
- GPMC: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Summary
- Hope you have a better understanding of how GPOs are constructed
- We have looked at:
  - Server side architecture
  - Client side architecture
  - Processing of GPOs
Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.microsoft.com/communities/mvp
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- User Groups, meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Microsoft Learning Resources
- Come and talk to Microsoft Learning to find out more about developing your skills; you can find us in the 'Ask the Experts' area
- Special offers on Microsoft Certification from Microsoft Learning
- Free Microsoft Learning Assessments: http://www.microsoft.com/learning/assessment/ind/default.asp
- FREE e-learning for Microsoft Visual Studio 2005 and Microsoft SQL Server 2005, with free Assessments and E-Learning: http://www.microsoft.com/learning/mcp/
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.