Repairing Group Policy Objects and Links

The following example shows a Group Policy named ‘Full Control Policy’ linked at the domain level that has the ‘Change Settings’ rights delegated to the ‘Han Solo’ (Server Administrator) account. You can enable it on all corporate computers at the same time by using Active Directory to change the Group Policy settings for domains. Again, if more than one policy is attached to a domain, it will be applied in a predefined order determined by the respective administrator. Finally, you change the name of the GPO, change policy settings, and create links to sites, domain, and organisational units.

Remember that this will back up any modified and unmodified GPOs that you created for the domain. Other configuration, such as linked objects, setting and locking inheritance in domain organisational units, will not be copied. Full configuration backup just performed a full system backup using Windows Backup Services.

If you need to restore a GPO, simply go to the GPOs node in the GPMC, right-click the node and choose Manage Backups from the menu. After you check out the correct GPO to restore, when you restore, the GPO will be placed back in Active Directory, and it will reappear under the GPO node in the Group Policy Management Console. At this point, you need to restore links to sites, domains, and organisational units, and check links to WMI filters and IPSec policies.

Another option that GPMC supports is the ability to import policy settings from one GPO to another. This is useful for merging GPO policy settings and moving GPOs across domains. After changing the Group Policy, this GPO will now add scheduled tasks to every computer in the domain, allowing you to perform any type of task the attacker wants. The Group Policy Management Console (GPMC) is the main tool for managing Group Policy. There is also a PowerShell module (GroupPolicy), which is very useful for reporting and backing up GPOs using Backup -GPO (please back up the domain GPO regularly).

The Group Policy Client service then contacts the domain controller to log on to the computer and check for new GPOs or updates to existing GPOs. If the Group Policy Client service detects new or locally changed GPOs using gpedit.msc, the process processes all Client Extensions (CSEs), starting with Computer Settings, followed by User Settings.

By default, gpupdate works smartly; compares all current settings with any new ones and applies only them. But you can also force gupdate to reapply all settings using the / force option. You can force gpupdate to return control to the command window after a specified amount of time and to pass policy processing to the background using the / wait parameter. After testing, change the default GPO setting to reapply GPO settings on every update (process even if GPOs have not changed).

But if you want to restore the policy object, select the GPO and click the Restore button. If the GPO link is not removed in the Group Policy Management Console, you can easily find the GUID by following these simple steps. In Server 2008, simply use the Search Programs and Files from the Start menu.

In the left pane right-click the domain name and select ‘Create and link a GPO here’ from the context menu and enter the name of the GPO. In the Group Policy Management Console, open your GPO details and check the link section.

Note that the Computer Configuration GPOs must be linked to an OU with Computer Objects, and User Configurations must be linked to an OU with User Objects. If you have both, you need to associate it with multiple organisational units, or place your computers and users in the same organisational unit. The only exception is closed-loop GPOs, but they must be explicitly enabled.

If your policy is listed here, it means the client has processed the GPO and the problem is elsewhere. Check the list of GPOs for client extensions on the computer that can handle the settings. GPOs that do not have a corresponding client-side extension are removed from the list of processed GPOs.

When a GPO is applied to a client computer, the client component is responsible for applying the previously configured policies. Policy GPO files are stored in a GPO named GPO GUID. The distinguished name policy object of the GPO is added to the “gPLink” attribute of the organisational unit (OU) to which the GPO is associated. You can pass the name, owner, domain, and other settings to the new GPO.

Represents one pair of GPO extensions, which is actually [{Client Side Extension} {Administrative Tool Extension}]. Some criteria will not be expanded, so you may see NULL values for this attribute. For more information on extension pairs, see this excellent article from Microsoft. Click or browse Microsoft documentation to view all of them.

After you download the Office Policy Templates, you need to install them before you can use them. In addition to installing policy templates for versions of Office, you need Remote Server Administration Tools (RSAT) to edit and install policies.

Administrators can configure password requirements, run programs, and define applications or settings that users can change. If the user is a local administrator of their Windows computer, they have full control over the process of bypassing the GP engine, and can change the local policy, which can override the policy set through the GPO, including what should not be changed on the system. In an Active Directory network environment, you can set up Outlook policies to apply the settings to a specific or group of users or computers. For example, as a home user, you may want to set policies for what your children can and cannot do in Outlook.

For example, IT pros trying to set policies specific to the Windows operating system will want to run the Group Policy Management tool from their administrator account and make certain changes using the Group Policy Editor and / or Group Policy Management Console. Administrative templates can be used by technicians to create policies that go beyond the Windows GPO rules and make them extensible to other applications. In many cases, there are GPOs that should have most of the settings found in another GPO, with minor policy differences.

Historically, an administrator had to recreate a new GPO from scratch (containing almost the same set of settings), configuring all of the policy settings as the original GPO, including duplicate settings. This means that you can override a setting imposed by a GPO through the computer’s registry (usually with administrator rights), and the unauthorised setting is retained until the GPO is changed, after which the GPO settings are reapplied. Running gpupdate when the user is logged in immediately grants Windows the new GPO settings (assuming the domain controller has replicated the GPO information, of course). It usually takes 90 to 120 minutes to apply a new GPO, but you need to apply the new settings at this time, and you cannot tell your users to log out and log back in to apply them.