Someone tell me about GPO - Group Policy Objects



    1. If there's a domain GPO, is there any way to get my computer to ignore it and look at the Local Computer or Local User GPO instead? For testing purposes.
    2. If there's a domain GPO and a Local Computer GPO, are the values of the two supposed to be concatenated? Or does one override the other? If an application does the latter behavior, does that mean the application is buggy or the GPO is set up wrong?
    3. Can I test GPO configurations on a computer that isn't on a domain? For example, since I'm having trouble testing this GPO configuration on the work computer because the Domain GPO (seems to?) override it, could I bring in my home laptop, download Windows Server Tools, and test it there?


  • @blakeyrat
    If the domain GPO applies to your user account (for User Configuration settings) or computer, its settings will be applied and override any conflicting local settings. If the local GPO is editing settings that aren't configured by a domain GPO, both policies will be merged.

    The recommended way to test domain GPOs is to use Organizational Units or security filtering to restrict the GPO to only apply to your test machine, until you're ready to apply them at a broader level.



  • @izzion said in Someone tell me about GPO - Group Policy Objects:

    The recommended way to test domain GPOs is to use Organizational Units or security filtering to restrict the GPO to only apply to your test machine, until you're ready to apply them at a broader level.

    Do you have an article or more information on how to do that?

    I don't have a "test machine" is part of the problem here. I don't have access to any machine not part of the company's domain, except possibly my own personal laptop (see question 3.)



  • @blakeyrat

    From a potentially premature optimization standpoint, organizing your AD structure so that users and computers are within a hierarchy of Organizational Units, and using those to control inheritance for GPOs is the recommended way to do it, rather than using Security Filtering. Security Filtering does a bunch of WMI calls to determine if the user or computer is eligible for the policy, whereas OU membership is effectively a recursive LDAP call and is more efficient.

    tl;dr: For testing, Security Filtering is fine. For long term "give Developers one set of policies and Finance people a different, more restrictive set", use Organizational Units.


  • Garbage Person

    1. No. That'd defeat the purpose.
    2. Domain overrides local
    3. Yes. The Group Policy snap-in can be directed to the local machine.


  • @weng said in Someone tell me about GPO - Group Policy Objects:

    No. That'd defeat the purpose.

    How would that defeat the purpose? The purpose is "I want to test my GPO change before rolling it out to dozens of computers".

    @weng said in Someone tell me about GPO - Group Policy Objects:

    Yes. The Group Policy snap-in can be directed to the local machine.

    The problem is the GPO is to install a Chrome extension and Chrome has a specific policy to say it doesn't work unless the computer's on a domain. I just looked it up. So I think that idea's out. Still worth a try in case Chrome's documentation is a lying liar, which I already know it is in several areas.


  • Garbage Person

    @blakeyrat Never managed Chrome via GP, but I'd assume they're just being stupid. A group policy setting basically corresponds to a registry setting. So this would make a registry entry that tells Chrome to install a given extension.

    Chrome would have to intentionally check whether it's on a domain before choosing whether to honor such a registry setting. Which would both be stupid and a thing I'd expect Chrome to do.



  • @weng said in Someone tell me about GPO - Group Policy Objects:

    Chrome would have to intentionally check whether it's on a domain before choosing whether to honor such a registry setting. Which would both be stupid and a thing I'd expect Chrome to do.

    The reason for checking if the machine is domain-joined is to stop malware from force-installing an add-on which siphons off your personal information to Bumfuckistan.



  • @alexmedia said in Someone tell me about GPO - Group Policy Objects:

    The reason for checking if the machine is domain-joined is to stop malware from force-installing an add-on which siphons off your personal information to Bumfuckistan.

    Right, which means it circles all around to, "there's no way to actually test any of this GPO stuff without actually doing it and waiting for it to not-work." Sigh.


  • Garbage Person

    @alexmedia They're root. They don't need a chrome extension to send your sexual preferences to bumfuckistan.



  • @blakeyrat said in Someone tell me about GPO - Group Policy Objects:

    I don't have a "test machine" is part of the problem here.

    What about virtual machines? In a Windows environment, I (almost) never do things on the bare-metal OS. Even my Surface has multiple virtual machines [typically 3-5 of them on the internal SSD with 2-3 of them actively running].

    Then you put the different VM's into different OU's [I can provide some Active Directory information if you need that] and set the GPO to initially target the [virtual] machine(s) in the "test OU", once validated in that OU, it is (usually) safe to roll it out to wider parts of the organization [by OU].



  • @thecpuwizard VMs are a possibility, but I can virtually guarantee I don't have permissions to create my own "OUs"; AFAIK I'd have to create an Active Directory from scratch.

    The other problem is even if I test it that way, I don't know for sure it'll work when it's co-existing with the other GPO that alters the same value now.


  • Garbage Person

    @blakeyrat said in Someone tell me about GPO - Group Policy Objects:

    @alexmedia said in Someone tell me about GPO - Group Policy Objects:

    The reason for checking if the machine is domain-joined is to stop malware from force-installing an add-on which siphons off your personal information to Bumfuckistan.

    Right, which means it circles all around to, "there's no way to actually test any of this GPO stuff without actually doing it and waiting for it to not-work." Sigh.

    Basically. Best practice is to run a separate lab setup, but you don't give lowly developers access to that.



  • @blakeyrat
    Assuming you can get support from your AD administrator to put your machine into a Test OU that's a sub-unit under its current OU location, and they create and link a new GPO in that Test OU and give you edit permissions to the new GPO, then yes, you could.

    GPO inheritance means that the policies "closest" to the user or computer win over policies from further up the tree.

    So, if your tree looked like:

    Computers OU
    -> Master GPO
    * All of the company's machines are members of this OU
    | -- Test OU
    | -- -> Test GPO
    | -- * Blakey's machine is a member of this OU

    Then any settings changes you made in the Test GPO would override conflicting settings in the Master GPO (but your computer would still be subject to all other settings in the Master GPO). Once you've confirmed your proof of concept, you can then move the setting from the Test GPO into the Master GPO, and potentially remove the Test GPO, move your computer back into the main Computers OU, and remove the Test OU.
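    Added example (not from the thread or from Microsoft): a small Python simulation of the precedence described above, using the Computers OU / Test OU tree plus a Local Computer Policy, and going one step beyond the post to cover Enforced links and Block Inheritance, the two cases where "closest wins" stops holding. Policy names and values are constructed for illustration.

```python
# Constructed simulation of Group Policy precedence (not real AD data):
# the local GPO is applied first, then the OU chain top-down, so the GPO linked
# closest to the computer wins conflicts while non-conflicting settings merge.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict            # policy -> value; "Not Configured" keys are absent
    enforced: bool = False    # Enforced link: lower levels cannot override it

@dataclass
class OU:
    name: str
    links: list = field(default_factory=list)   # index 0 = link order 1 (highest)
    block_inheritance: bool = False

def resultant_set(local_gpo, path):
    """Return (settings, winner): the merged policy and which GPO set each key.

    path lists OUs from the domain root down to the computer's own OU.
    Order: local, non-enforced links top-down (lowest link order last, so it
    wins), then enforced links bottom-up so the highest enforced GPO wins."""
    start = 0
    for i, ou in enumerate(path):            # Block Inheritance drops ancestors'
        if ou.block_inheritance:             # non-enforced links only
            start = i
    order = [local_gpo]
    for ou in path[start:]:
        order += [g for g in reversed(ou.links) if not g.enforced]
    for ou in reversed(path):
        order += [g for g in reversed(ou.links) if g.enforced]
    settings, winner = {}, {}
    for g in order:                          # later application overrides earlier
        for key, value in g.settings.items():
            settings[key], winner[key] = value, g.name
    return settings, winner

def thread_example(master_enforced=False):
    """The thread's tree: Computers OU -> Master GPO, Test OU -> Test GPO."""
    local = GPO("Local Computer Policy", {"Homepage": "file:///local", "Proxy": "off"})
    master = GPO("Master GPO", {"Homepage": "https://intranet", "ForceList": ["corp"]},
                 enforced=master_enforced)
    test = GPO("Test GPO", {"ForceList": ["corp", "blakey-ext"]})
    path = [OU("Computers", [master]), OU("Test", [test])]
    return resultant_set(local, path)
```

    On a real domain-joined machine, `gpresult /r` lists the GPOs that were actually applied in precedence order, which is the quickest way to confirm the Test GPO is winning the conflict rather than being filtered out.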



  • @weng The dumbest thing is they have a self-service form to request the GPO be created. I asked if they had a test environment I could use, and they said "nope". Whaaa?

    And that's not even considering the sheer inefficiency of making GPO changes self-service in the first place. Why not let me just engage one of their team's experts who could finish this whole task in 5 minutes? Nope! That'd be too quick for everybody involved. Much better to have a guy who was hired as a C# developer also learn network administration from scratch.



  • @blakeyrat said in Someone tell me about GPO - Group Policy Objects:

    @thecpuwizard VMs are a possibility, but I can virtually guarantee I don't have permissions to create my own "OUs"; AFAIK I'd have to create an Active Directory from scratch.

    Those types of problems are unfortunately far too pervasive. Basically the company environment is TRWTF. Like any type of software, there should be a proper development, staging, production environment. In cases where my firm (yeah, I am expecting your snide comment, even though I am trying to help) gets involved in such scenarios, having such environments (with appropriate permissions) is written into the contract - I realize an employee is far more constrained....

    The other problem is even if I test it that way, I don't know for sure it'll work when it's co-existing with the other GPO that alters the same value now.

    IF you can get the environment, then you would include the "production" GPOs into the "test" environment so that interactions were also tested.



  • @thecpuwizard said in Someone tell me about GPO - Group Policy Objects:

    Those types of problems are unfortunately far too pervasive. Basically the company environment is TRWTF. Like any type of software, there should be a proper development, staging, production environment. In cases where my firm (yeah, I am expecting your snide comment, even though I am trying to help) gets involved in such scenarios, having such environments (with appropriate permissions) is written into the contract - I realize an employee is far more constrained....

    For all I know they have all that. I just don't have the ability to use it.

