Checklist: Creating Group Policy Objects

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To deploy firewall and IPsec settings, or firewall and connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work but serves an administrator well in the long run: once the groups and filters are in place, assigning a GPO to a computer is as easy as adding the computer's account to a membership group.

The checklists for firewall, domain isolation, and server isolation include a link to this checklist.

About membership groups

For most GPO deployment tasks, you must determine which computers must receive and apply which GPOs. Because different versions of Windows support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system whose settings differ from the others to achieve the same result. For example, Windows® 7, Windows Vista®, Windows Server® 2008, and Windows Server® 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, you must create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you need only one membership group to manage all five GPOs: the same membership group is granted Apply Group Policy permission in the security group filter of all five GPOs, and a WMI filter on each GPO ensures that a computer applies only the GPO written for its version of Windows. To apply the settings to a computer, you make that computer's account a member of the membership group.

About exclusion groups

A Windows Firewall with Advanced Security design must often take into account domain-joined computers on the network that cannot or must not apply the rules and settings in the GPOs. Because these computers are typically fewer in number than the computers that must apply the GPO, it is easier to put the built-in Domain Computers group into the GPO membership group, and then place the exception computers into an exclusion group that is denied Apply Group Policy permission on the GPO. Because deny permissions take precedence over allow permissions, a computer that is a member of both the membership group and the exclusion group does not apply the GPO. Computers typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.

You can also use a membership group for one zone as an exclusion group for another zone. For example, computers in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.

You might also use an exclusion group if some of the computers on your network are running Windows 2000, which does not support WMI filters. You create an exclusion group that contains all of the Windows 2000 computer accounts, and then deny that group permission to apply the GPOs for the other operating systems. Because deny permissions take precedence over allow permissions, a computer that is a member of both the membership group and the Windows 2000 exclusion group is prevented from applying the GPO. Only the GPO with settings for Windows 2000 does not have the exclusion group listed in its security group filter, so those computers can apply the GPO. WMI filters on the GPO for Windows 2000 prevent the other operating systems from applying it.

Checklist: Creating Group Policy objects

Task: Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.
    Reference: Identifying Your Windows Firewall with Advanced Security Deployment Goals
    Reference: Planning Group Policy Deployment for Your Isolation Zones

Task: Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.
    Reference: Create a Group Account in Active Directory

Task: If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.
    Reference: Create a Group Account in Active Directory

Task: Create a GPO for each version of Windows that has different implementation requirements.
    Reference: Create a Group Policy Object

Task: Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.
    Reference: Assign Security Group Filters to the GPO

Task: Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.
    Reference: Create WMI Filters for the GPO

Task: If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.
    Reference: Modify GPO Filters to Apply to a Different Zone or Version of Windows

Task: Link the GPO to the domain level of the Active Directory organizational unit hierarchy.
    Reference: Link the GPO to the Domain

Task: Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.
    Reference: Add Test Computers to the Membership Group for a Zone
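The following script is an added example that works through the checklist above end to end, and also shows the membership group, exclusion group, and deny-precedence mechanics described in the "About membership groups" and "About exclusion groups" sections. It is not part of the original checklist and is not Microsoft's own tooling. The domain name, the group and GPO names, the WQL queries that select each Windows version, and the test computer names are all assumptions; the script also assumes the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 or RSAT) are installed and that it runs with rights to create groups, GPOs, and objects under CN=System. Two things the GPMC console hides are done explicitly here: WMI filters are msWMI-Som objects that are created in AD and then referenced from the GPO's gPCWQLFilter attribute, and the Deny "Apply Group Policy" entry is an ACE on the GPO's AD container, which Set-GPPermission cannot write.

```powershell
# Added example, not part of the original checklist or Microsoft's own tooling.
# Assumed (not on the page): the domain name, group and GPO names, the WQL
# queries, the test computer names, and that the GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 / RSAT) are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$DomainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
$Members  = 'CG_DomainIsolation_Members'   # computers that must apply the zone GPOs
$Exempt   = 'CG_DomainIsolation_Exempt'    # DCs, DHCP, DNS: denied on every zone GPO
$Win2000  = 'CG_Windows2000'               # ignores WMI filters: denied on the non-2000 GPOs

# One GPO per Windows version family, each selected by a WMI filter on OS version.
$GpoSet = @(
    @{ Name = 'DomainIsolation-Win7-2008R2'; Wql = 'select * from Win32_OperatingSystem where Version like "6.1%"' },
    @{ Name = 'DomainIsolation-Vista-2008';  Wql = 'select * from Win32_OperatingSystem where Version like "6.0%"' },
    @{ Name = 'DomainIsolation-2003';        Wql = 'select * from Win32_OperatingSystem where Version like "5.2%"' },
    @{ Name = 'DomainIsolation-XP';          Wql = 'select * from Win32_OperatingSystem where Version like "5.1%"' },
    @{ Name = 'DomainIsolation-2000';        Wql = 'select * from Win32_OperatingSystem where Version like "5.0%"' }
)

foreach ($g in $Members, $Exempt, $Win2000) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDN"
    }
}
# Domain controllers (primary group RID 516) go straight into the exclusion group;
# add the DHCP and DNS servers the same way.
Get-ADComputer -Filter 'PrimaryGroupID -eq 516' | ForEach-Object { Add-ADGroupMember -Identity $Exempt -Members $_ }

function New-WmiFilterObject {
    # No cmdlet creates WMI filters; they are msWMI-Som objects under
    # CN=SOM,CN=WMIPolicy,CN=System. Returns the "[domain;{guid};0]" string
    # that a GPO's gPCWQLFilter attribute expects.
    param([string]$Name, [string]$Wql)
    $guid  = '{' + ([guid]::NewGuid().ToString().ToUpper()) + '}'
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff') + '-000'
    New-ADObject -Name $guid -Type 'msWMI-Som' -Path "CN=SOM,CN=WMIPolicy,CN=System,$DomainDN" -OtherAttributes @{
        'msWMI-Name'         = $Name
        'msWMI-Parm1'        = "Selects computers for GPO $Name"
        'msWMI-Parm2'        = "1;3;10;$($Wql.Length);WQL;root\CIMv2;$Wql;"
        'msWMI-ID'           = $guid
        'msWMI-Author'       = "$env:USERNAME@$Domain"
        'msWMI-ChangeDate'   = $stamp
        'msWMI-CreationDate' = $stamp
    }
    return "[$Domain;$guid;0]"
}

function Deny-ApplyGroupPolicy {
    # Set-GPPermission cannot write a Deny ACE, so add it to the GPO's AD
    # container directly. Deny beats Allow, so a computer in both the
    # membership group and this group does not apply the GPO.
    param([string]$GpoName, [string]$GroupName)
    $path   = 'AD:\' + (Get-GPO -Name $GpoName).Path
    $acl    = Get-Acl -Path $path
    $sid    = (Get-ADGroup -Identity $GroupName).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $apply  = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
    $ace    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $deny, $apply
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

foreach ($entry in $GpoSet) {
    $gpo = Get-GPO -Name $entry.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $entry.Name -Comment 'Domain isolation firewall/IPsec settings' }

    # Security filtering: Authenticated Users drops to Read only (the computer
    # account still needs Read to process the GPO); the membership group gets Apply.
    Set-GPPermission -Name $entry.Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $entry.Name -TargetName $Members -TargetType Group -PermissionLevel GpoApply | Out-Null
    Deny-ApplyGroupPolicy -GpoName $entry.Name -GroupName $Exempt
    if ($entry.Name -ne 'DomainIsolation-2000') {
        Deny-ApplyGroupPolicy -GpoName $entry.Name -GroupName $Win2000
    }

    # WMI filter: Windows XP and later evaluate it and apply only their own GPO.
    # Windows 2000 ignores WMI filters, hence the deny ACE on the other four GPOs.
    $ref = New-WmiFilterObject -Name "$($entry.Name) OS filter" -Wql $entry.Wql
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = $ref }

    New-GPLink -Name $entry.Name -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# Test before adding rules: pilot computers join the membership group, then the
# RSoP report for each shows which of the five GPOs was applied and which denied.
$TestComputers = 'WKS-TEST01', 'SRV-TEST01'
foreach ($c in $TestComputers) {
    Add-ADGroupMember -Identity $Members -Members (Get-ADComputer -Identity $c)
    # Run after the computer has rebooted or executed "gpupdate /target:computer /force".
    Get-GPResultantSetOfPolicy -Computer $c -ReportType Html -Path "$env:TEMP\rsop-$c.html"
}
```

Run it once per domain, then open the generated RSoP reports: a Windows 7 member of the membership group should list only DomainIsolation-Win7-2008R2 as applied, with the other four denied by WMI filtering, and a domain controller should show all five denied by security filtering. If the GPMC Delegation tab for a GPO does not show the Deny entry after running the script, the ACL change was rejected; nothing in the script touches SYSVOL, which is where GPMC would normally mirror permission changes, so verify the SYSVOL ACL separately if your environment audits the two for consistency.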