Top 5 GPO Trouble-Causing Settings

Group Policy settings control almost every aspect of a computer from a central location, but incorrect settings can cause serious problems for clients and servers within the domain. We explain how to avoid problems from these error-prone settings.

Group Policy is an amazing tool for configuring, controlling, securing, and maintaining all user and computer accounts within Active Directory. The entire Active Directory design revolves around the deployment of Group Policy, which reinforces the value that Group Policy adds to any Active Directory enterprise.

Even the best-intentioned Group Policy settings can cause more problems than they are worth. I have heard plenty of stories of administrators and users getting caught in the back draft of poor Group Policy implementations. In this discussion I'll explain how poorly designed and executed Group Policy settings can be avoided so you can stop the problems before they occur.


Problem #1: Restricted Groups

The Restricted Groups section in a Group Policy allows the administrator to control the local groups that exist on clients and member servers within Active Directory. This setting controls the Administrators, Power Users, Backup Operators, and Network Configuration Operators local groups on clients and member servers.

You will find this setting at the following location in a standard Group Policy object (GPO):

   Computer Configuration / Windows Settings / Security Settings / Restricted Groups

Once you open this policy in the GPO, you will have the option to add in a group that you want to control. For example, let’s pick the Administrators group. Once the Administrators group has been added, you can edit the configuration for this group. You can configure two relationships within the group: members and group membership. For the group membership, you can configure the group to have membership in other groups if the group nesting rules permitting it. Since local groups can’t be nested in other local groups (or any other group, for that matter), this won’t be an issue for our example.

The "Members of this group" setting is important. It allows you to list the users and groups that will have membership in the group, as shown in Figure 1.

Figure 1. Restricted Groups interface for adding users and groups to have membership in the group
Click to enlarge

Consider how Restricted Groups controls the existing user and group members. When you configure the Restricted Groups setting, existing users and groups that have membership in the group, are removed, replaced by those that are configured in the GPO. It is not an appending action.

Of course, if you just want to ensure that all local Administrators groups include the local Administrator and the Domain Admins accounts, you will need to also include the users and groups that need to have membership in the Administrators group so the computer functions properly.

If you have already configured a Restricted Group, but did not document the existing user and group accounts before applying the GPO , there is no way to get those initial user and group accounts back into the group automatically. You will need to either reinstall the computer and the applications, or you will need to restore the computer from a tape backup.


Problem #2: User Rights

Another key GPO suite of settings that you need to configure properly are those for user rights. User rights provide administrative access to different parts of the computer. Tasks such as logging in locally, backing up files, restoring files, and changing the system time, are included under user rights.

You will find this setting at the following location in a standard Group Policy object (GPO):

   Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment

The big "gotcha" with this setting is that the user rights don’t append to one another from GPO to GPO. Also, the last GPO to modify the user rights wins over all user rights assigned in other GPOs, including the existing users and groups listed for the user right on the computer.

This means that you should ideally configure user rights in a GPO that is linked directly to the OU where the computer account resides. This will reduce confusion and any misinterpretation as to which GPO should control the computer accounts.


Problem #3: Password Restrictions

Password restrictions control the password rules for user accounts. This is not a single setting but a suite of settings. They fall under the Password Policies section in a GPO, as shown in Figure 2. You can find these settings at the following location in a standard GPO:

   Computer Configuration / Windows Settings / Security Settings / Local Policies / Account Policies / Password Policies

Figure 2. Password Policies settings in a standard GPO
Click to enlarge

These settings take immediate effect for all passwords that are changed within the Active Directory domain. If you configure a new set of password restrictions without informing the users in your company, they will not be aware of the new rules and won’t be able to change their passwords when they are required to. This will have two devastating effects. First, it will prohibit the user from using the network until they can change their password. Second, it will cause the call volume to the help desk to escalate.

Before these changes are made, you should have end-user training and full documentation made up to help transition users from a simple to complex password policy.


Problem #4: User Functionality

This is not a single GPO setting, nor a single GPO section. This section deals with all areas of the user environment the GPO can alter. Of course, all of the settings that I am talking about exist in two locations in the GPO:

  • User Configuration / Windows Settings
  • User Configuration / Administrative Templates

There are over 500 settings in these sections that allow you to control all aspects of the user environment. The following is just a sampling of what you can control:

  • Internet Explorer (basically any button, configuration, or menu option)
  • Windows Explorer
  • Desktop icons
  • My Computer
  • Screen Saver
  • Control Panel (all aspects and applets)
  • Start Menu (all aspects)

Now, imagine that you configure these GPO settings without informing the user, or getting feedback on what users need to perform their jobs. I am sure it is clear that this will cause work stoppages and calls to the help desk beyond your comprehension.

Before you configure any GPO setting that restricts access to the computer functions, make sure that users don’t need the functions to perform their job and that users are made aware of what to do if they no longer have access to a function that they once had access to.


Problem #5: Software Functionality

Since Windows XP you have had the option to control which applications a user or computer can run using Software Restrictions settings. These software restrictions are extremely powerful and can’t easily be dodged by users. This setting is located under both the computer and user nodes in a standard GPO. Under each of these nodes, you will follow this path to get to the Software Restrictions setting:

   Windows Settings / Security Settings / Software Restriction Policies

You can control whether a user or computer can run ANY application using this GPO setting. This means that you can restrict even core operating system applications. This could cause serious problems with the computer, maybe even prohibiting it from booting successfully.

For this setting, make sure that you test all policies in a lab first, to ensure that all applications and the operating system will still function after the policy is implemented. Full documentation of installed applications and configurations for the target computer should also be completed, to ensure that you can restore the computer to working order in case you make a mistake.


Summary

Small changes can have big impacts. As you've seen, some of the GPO settings can have serious adverse effects on your users' computing environment. When changing GPO settings:

  • Know what the GPO setting is designed to do
  • Know how to properly configure the GPO setting
  • Test the GPO setting before affecting a production computer
  • Document initial settings on the target computers before deploying the GPO
  • Make good backups of clients and servers before deploying the GPO
  • Educate end users

If you follow this advice and approach GPO configurations with caution and respect, it will be hard for you to make any of these mistakes in your environment.