Group Policy Management Overview

As organizations invest more heavily in their IT infrastructure, managed services providers (MSPs) and administrators should consider how they can keep digital environments secure and organized. By taking the time to reduce organizational IT complexity and align end-user behavior with business goals, network professionals can do their part to provide a unified IT experience, support overall objectives, and—most importantly—prevent potentially crippling data breaches.

For MSP customers across a wide range of industries, the importance of taking these steps has never been more pronounced or more immediate. In fact, a report from Juniper Research found that cybercrime will cost businesses more than $2 trillion in 2019. While many of these costs will come from external bad actors carrying out brute force attacks on organizations and infecting networks with malware, some breaches come from within. In fact, Verizon’s 2019 Data Breach Investigations report concludes that insiders caused 34% of all data breaches carried out in 2018—although many were inadvertent.

Ultimately, it’s up to network administrators to do what they can to make these kinds of attacks more difficult for bad actors to carry out and less crippling for organizations when they do occur. These IT professionals can also organize business networks in such a way that end-users are less likely to accidentally cause a data breach or inadvertently leave an opening for cybercriminals. By setting consistent standards for all users and governing by the principle of least privilege—that is, letting employees access only the resources they need to successfully execute their roles—administrators can better keep networks protected and organized.

With effective Group Policy Management, MSPs and other IT professionals can make the critical changes necessary to properly configure operating systems, applications, and end-user settings. However, to understand how to create group policies and apply them throughout businesses, it’s important to learn more about their uses in Active Directory and what tools administrators have at their disposal.

---

Set your sights on the future of the MSP industry with the first ever MSP Horizons Report, jointly produced by N‑able and international MSP-focused research firm, Canalys…

---

What is Group Policy Management?

The primary use of Group Policy Management is organizational security. Group policies, which are commonly called Group Policy Objects (GPOs), make it possible for decision-makers and IT professionals to effectively apply necessary cybersecurity controls across their business from a centralized location. Doing so allows network administrators to push best practices to end-user workstations based on specific organizational needs—without having to apply them on a local basis. This effectively saves hours of IT labor that can be better spent monitoring activity for data breaches, repelling cyberattacks, or making qualitative improvements throughout their network.

To go into greater detail, administrators can use Group Policy Management to enforce and encode organizational cybersecurity practices beyond the default security settings that come with Windows and other applications. For example, Group Policy Management tools allow IT professionals to mandate password requirements that meet complexity standards. By applying these rules through GPOs, organizations can easily make their entire network more secure and do so in a streamlined, unified way.

Depending on organizational needs, GPOs can be much more granular than password specifications. As discussed earlier, administrators can set up GPOs to enforce the principle of least privilege, controlling which users have access to what resources. These policies can ensure that only users who need access to a business’s most sensitive files are authorized to open them. This method of organizational cybersecurity minimizes the potential damage that internal bad actors can cause and also prevents cybercriminals from hacking a single end-user’s account to access an entire network.

Additionally, administrators can set up folder redirections to secure valuable proprietary information and mandate necessary updates. For example, IT staff can use Group Policy Management tools to redirect user folders to the organization’s NAS, helping to keep them as protected as possible in a consolidated and monitored digital environment. They can also push security patches and similar software updates through regularly without having to do so on a case-by-case basis, making it easier to apply security best practices across the board.

What is Group Policy in Active Directory?

While Active Directory isn’t the only directory service that administrators can use to create GPOs, it’s by far the most popular. In a digital environment in which at least one server has installed Active Directory Domain Services, Group Policy Management tools exist to help centralize computer management from a single administrator account. Without using Group Policy—especially in larger organizations that rely on Active Directory—managing individual computer settings would be almost impossibly time-consuming for IT staff.

To set up GPOs using Active Directory, IT professionals have a number of tools at their disposal, the most popular of which is the Group Policy Management Console (GPMC). IT professionals previously used a whole array of tools to set up and manage GPOs, including the Active Directory Users and Computers snap-in, the Active Directory Sites and Services snap-in, the Resultant Set of Policy snap-in, the GPMC Delegation Wizard, and the ACL Editor. The GPMC now serves as a consolidated tool that delivers the many necessary capabilities into one streamlined experience.

In addition to the capabilities of these tools, the GPMC simplifies group policy security functionalities and makes it easier to backup restore, import, and copy GPOs. It also improves reporting for specific GPO settings and Resultant Set of Policy (RsoP) data while granting programmatic access to preceding GPO operations. Programmatic access through the GPMC now includes the new Microsoft Management Console (MMC) snap-in and additional programmable interfaces.

With GPMC in Active Directory, administrators have access to a comprehensive view of their respective GPOs, organizational units, domains, and sites throughout organizations. This kind of end-to-end visibility makes it easier for MSPs to understand what GPOs are in effect across their digital environment and make individual changes accordingly. If necessary GPOs are not currently in effect, MSPs can easily use the GPMC to set new GPOs and push them across applicable end-user accounts as needed.

How Does Group Policy Management Work?

It’s likely multiple GPOs are enforced simultaneously in any given organization. Figuring out how each GPO works in conjunction with others is worth explaining, especially as rules exist to govern which GPOs take precedence over others and which GPOs are mandated vs. up for customization.

The GPO hierarchy follows a set pecking order. Local GPOs are applied first—these policies are the unique settings governing a specific computer. With Windows Vista and later versions, these local policies can be broken down into individual user accounts. Next, Active Directory group policies tied to a unique site are applied. An Active Directory site is a logical collection of computers based on their physical proximity within an organization. If there is more than one site policy, they’ll be enacted based on an order determined by the administrator.

Next, Windows group policies tied to a specific domain are executed—these are domains in which the computer operates. Again, if a domain has more than one policy linked to it, it will be enacted based on a preset order determined by the appropriate administrator. Finally, the last GPOs to be applied will be those set up for an Active Directory organizational unit in which the computer or user operates. Organizational units refer to the logical groupings that make it easier to set policies for and manage groups of network objects, ranging from users to computers. Again, multiple policies in this tier will be carried out per an administrator’s instructions.

How Do I Change Group Policy Management?

The way you change Group Policy Management will depend on what type of GPO you’re trying to design and enforce. For example, IT professionals attempting to set policies that are specifically related to the Windows operating system will want to launch the Group Policy Management tool from their administrator account and make specific changes through the Group Policy Editor and/or GPMC. To create policies beyond GPO Windows rules and make them extensible for other applications, tech staff can use administrative templates. These contain an ADMX file with the policy settings and an ADML file that encodes the policy settings in a language chosen by the administrator.

It’s also worth noting when GPO updates will be pushed out. Typically, these policies will be updated randomly every 90 minutes to 120 minutes—or whenever a computer is restarted. While this timing can be changed depending on organizational needs (it’s possible to push them every 45 days at the most infrequent), updating GPOs too often can slow down other network traffic. Accordingly, IT professionals will need to prioritize mission-critical updates over more routine changes.

Getting the most out of Group Policy Active Directory can take some time. For your own business and for your MSP customers, however, it’s important that you fully understand the critical role these policies can play in keeping an organization secure from the full range of digital threats.