Windows 7 Security Features
Security Policies
Group Policy Objects and Active Directory
Most Windows 7 computers reside within a Windows Server 2000, Windows Server 2003, or Windows Server 2008 domain. GPOs are applied through Active Directory by using the Group Policy Management Console (GPMC). It is much easier to globally manage GPOs through the GPMC than applying LGPOs at local levels of each Windows 7 machine.
Active Directory Overview
Active Directory is a database that contains all your usernames and passwords, groups, and other objects within the domain.
Within that Active Directory database, you have several levels of a hierarchical structure. A typical structure consists of domains and organizational units (OUs). Other levels exist within Active Directory, but this overview focuses on domains and OUs in the context of using GPOs.
The domain is the main unit of organization within Active Directory. Within a domain are many domain objects including security objects such as user and group accounts. Each domain security object can then have permissions applied that specify what rights that security object can have when it accesses resources within the domain.Understanding GPO Inheritance
When GPOs are created within the Active Directory using the GPMC, there is a specific order of inheritance. That is, the policies are applied in a specific order within the hierarchical structure of the Active Directory. When a user logs onto the Active Directory, depending on where within the hierarchy GPOs have been applied, the order of application is as follows:
- Local
- Site
- Domain
- OU
Each level of the hierarchy is called a container. Containers higher in the hierarchy are called parent containers; containers lower in the hierarchy are called child containers. Settings from these containers are inherited from parent container to child container. By default, child container policy settings override any conflicting settings applied by parent containers.
The local policy is, by default, applied first when a user logs on. Then the site policies are applied, and if the site policy contains settings that the local policy doesn't have, they are added to the local policy. If there are any conflicts, the site policy overrides the local policy. Then the domain policies are defined.
Again, if the domain policy contains additional settings, they are incorporated. The domain policy overrides the site policy or the local policy when settings conflict. Finally, the OU policies are applied. Any additional settings are incorporated; for conflicts, the OU policy overrides the domain, site, and local policies. If any child OUs exist, their GPOs are applied after the parent OU GPOs.
Using the Group Policy Result Tool
When a user logs on to a computer or domain, a resulting set of policies to be applied is generated based on the LGPOs, site GPOs, domain GPOs, and OU GPOs. The overlapping nature of group policies can make it difficult to determine what group policies will actually be applied to a computer or user.
To help determine what policies will actually be applied, Windows 7 includes a tool called the Group Policy Result Tool, also known as the Resultant Set of Policy (RSoP). You can access this tool through the GPResult command-line utility. The gpresult command displays the resulting set of policies that were enforced on the computer and the specified user during the logon process.
The gpresult command displays the RSoP for the computer and the user who is currently logged in.