About GPO

How to use

Σύνδεση καινούργιου gpo με το domain

Το gpo που θα δημιουργήσουμε πρέπει να γίνει στο domain και όχι κάπου αλλού

Δεξί κλικ πάνω στο mazars-gr.local -> Create a GPO in this domain,.... -> Το ονομάζουμε-> OK

Apply GPO to a client and check what has been done

To apply the configuration:

gpupdate /force

Για να δεις ποια policies εφαρμοστήκανε υπάρχουν 2 τρόποι:

1) Μέσω γραφικού περιβάλλοντος πάμε στην έναρξη και γράφουμε rsop.msc.Μας εμφανίζει μια κονσόλα που μοιάζει ακριβώς σαν την κονσόλα του gpo. Η μόνη διαφορά είναι ότι εδώ μπορούμε να δούμε ποια gpo είναι ενεργοποιημένα. ΔΕΝ μπορούμε να τα αλλάξουμε.

2) Από command line (με δικαιώματα administrator)
Για να δούμε ο χρήστης αν έχει κάποιο gpo πληκτρολογούμε gpresult /Scope User /v
Για να δούμε αν ο υπολογιστής αν έχει κάποιο gpo πληκτρολογούμε gpresult /Scope Computer /v

Apply a group policy to indivitual users or/and computer

Step 1. click on the “Delegation” tab and then click on the “Advanced” button.

Step 2. Select the “Authenticated Users” security group and and un-tick the “Allow” from the “Apply Group Policy”

Step 3. Now click on the “Add” button and select the group (recommended) that you want to have this policy apply. Then select this group and tick the “Allow” permission on the "Apply group policy”

Intersting configurations

Deactivate dropbox and googledrive

Κατεβάζουμε το .exe αρχείο -> δεξί κλικ -> properties -> Digital Signatures. Διαλέγουμε ένα από τα 2 certificate ->Details -> View Certifiacte -> Details ->Copy to File..->Next ->Next -> Browse -> Γράφουμε το όνομα του αρχείου και το αποθηκεύουμε.
Το ίδιο κάνουμε και για το άλλο certificate
Πηγαίνουμε στο Domain Controler -> Server Manager -> Tools -> Group Policy Management
Δημιουργούμε ένα καινούργιο gpo.
User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules.
Δεξί κλικ -> New Certificate Rule -> Browse για το SHA certificate -> Security Level is Disallow -> OK
Αν δημιουργούμε για πρώτη φορά τέτοιο rule στο Enforcement Properties στο τέλος του παραθύρου τσεκάρουμε το Enforce certificate rules. Επαναλαμβάνουμε το ίδιο βήμα και για το άλλο certificate.

Silently move Windows known folders to OneDrive

Αρχικά κάνουμε εγκατάσταση το onedrive στον υπολογιστή μας. Πηγαίνουμε στο %localappdata%\Microsoft\OneDrive πηγαίνουμε στον φάκελο της έκδοσης μας, μετά στο adm και κάνουμε αντιγραφή τα αρχεία OneDrive.adml και OneDrive.admx.
Πηγαίνουμε στον domain control και κάνουμε επικόλληση τα αρχεία εδώ \\domain\sysvol\domain\Policies\PolicyDefinitions (όπου domain το domain μας) ΠΡΟΣΟΧΗ ΘΕΛΟΥΜΕ ΝΑ ΤΑ ΒΑΛΟΥΜΕ ΣΤΟ "ΔΙΚΤΥΑΚΟ" PATH ΚΑΙ ΟΧΙ ΜΕΣΑ ΑΠΟ ΤΟ PATH ΤΟΥ C:\
Πηγαίνουμε στο Domain Controler -> Server Manager -> Tools -> Group Policy Management
Δημιουργούμε ένα καινούργιο gpo.
Computer Configuration -> Policies -> Administrative Templates -> Onedrive
Ενεργοποιούμε τα "Prevent users from redirecting their Windows know folders to their PC" και το "Silently move Windows known Folders to Onedrive".
Αυτό το gpo για να λειτουργήσει σωστά θα πρέπει στο delegation να βάλουμε τα ονόματα των υπολογιστών.
Για περισσότερες πληροφορίες πατήστε εδώ.

Other tips

Q: I have a GPO startup/logon script that needs to write to a share.

A: Startup scripts run in the context of the machine. You need to grant "Domain Computers" R/W permissions on the share (Or "Authenticated Users" which includes both "Domain Computers" and "Domain Users").

GPO Best Practices

Read this post by Robert Allen (especially not the party about creating OUs and linking policies to the OUs) and then also read the following comments by others and the author.

Robert Allen May 2019: https://activedirectorypro.com/group-policy-best-practices/
George Guck on May 9, 2019 at 11:48 am: I deal with GPO management on a daily basis, in a very large environment. I agree with everything you’ve said. Here are a few things that have helped me tremendously:

1. If you don’t want a GPO to apply to specific users or computers or groups for that matter, you can edit that GPO, go properties security and add the user, computer or group and select “DENY” apply group policy.
2. Make sure you take advantage of adding comments to your GPO’s (especialy if you use the above DENY trick). Some GPO’s are doing alot and commenting them out will help you remember what they do and if there are any special nuance’s you need to take into consideration.

Robert Allen: Great tip George! This is a great way to apply GPOs to very specific groups! Baard: but I find the practice of using Deny to be horrible! As soon as there is more than one administrator, or a change of admin employees (new person taking over), that kind of structure becomes rather confusing. Robert Allen: I agree that if it is not documented or communicated it can be a nightmare. But it can also be extremely useful for targeting specific users and computers and to deny it from all users. For example, I have a blanket firewall GPO that all users get for the basic FW settings. I have some users that need FTP on, I create a new security group and only apply this GPO to these users and deny it to all other users. I want to keep all the users in their department OU so moving to another OU is not a good option for this. Targeting a GPO to a security group is great but try not to let it get out of control

Robert Allen: If you have a GPO which contains settings for both Users and Computers split it into 2 different GPOs one with just user settings and one with just the computer settings. Then you can disable the section that is not used

Limitations, Issues, best practices for GPO SW Deployment

Software GPOs install on bootup, and only when a connection to AD exists (it works well only when computers are in-house when turned on from a powered off state or restarted throughout the day. Laptops that are offsite, or are started up at home, put into suspend and then brought into the office and started up, do not get the software.)

Without additional software there is no easy way to find out if the GPO install succeded (SW like e.g. Spiceworks)

The software has to be in an MSI format as well, although you can sometimes get an MSI out of an EXE with 7zip.

It sounds ridiculus but are you sure you can install the software manually?

If you are deploying the software via the "Computer Configuration" (vs the user configuration) section of the GPO, then the Computer AD object (e.g. rps0123-pc$) and not the user AD object (e.g. n.demou) is what needs access to the UNC path with the installer. It's better to give read access to special security group "authenticated users" which includes domain users and domain computers. Run the Effective Permissions using the computer object or user object respectively to make sure it has access to the installer.

Τhe issue I've had is people complain, as they have to wait for the install to complete/check either at boot or logon for the software to install, we have Verbose status messages enabled, so it shows what it is doing rather than just please wait,

Oh, another thing. I had to enable a few things via GPO to allow Windows 10 to always follow the GPO and install software. The top 2 are most important. The 3rd one is for user experience.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue
Value type REG_DWORD, Value data 0x3C (60)

Computer Configuration > Policies >Administrative Templates > System > Logon > Always wait for the network at computer startup and logon
Enabled

Computer Configuration > Policies >Administrative Templates > System > Display highly detailed status messages (or Verbose vs normal status messages)
Enabled

The biggest thing I can tell you is test, test, and test with a limited number of workstations/laptops before deploying software out across the board. We had some issues where .msi files would deploy great through group policy but some of the .dll files wouldn't register or some options that were needed didn't install correctly. i would have to use Orca to fix the installer before I could deploy it across the company. It's easier to fix/undo a few workstations/laptops vs. every device in the company if an install goes wrong.

It is recommended to setup a Distributed File Naming Service to point to an installation source file share whether you use Group Policy or not to install software. This is because the original host name may not last forever. I have had corrupted installation unserviceable because the installation path is so often hard coded into the local servicing store that the application is unable to repair itself complaining about the source files to a host that no longer exists.

If you are getting errors during installation you can also enable verbose loging of MSI installations.

Error 1612 in event log: The install package was named 'Software.Installer.msi' and renaming to 'SoftwareInstaller.msi' fixed the issue. Also if the software exists on the machine already, it may create this error too.