Active Directory - Managing GPOs on the Domain Controllers OU

I. Presentation

In this tutorial, we will talk about good practices on the use of GPOs at the domain controller level. As we all know, GPOs allow settings to be applied automatically to directory objects. Poor management can impact the operation of our infrastructure and jeopardize its security. We will see together how to avoid this on domain controllers which play a very important role in a Microsoft environment.

This article was written in collaboration with Mehdi DAKHAMA, and this is feedback from several customers. The goal is to improve and optimize the management of GPOs for domain controllers.

Proofreading by Florian BURNEL.

II. Reminder on the application of GPOs

A. GPO application hierarchy

As a reminder, the GPO application hierarchy is as follows: local policy > site >> domain >> OU. In this hierarchy, the symbol “>>” means that inheritance is applied (settings linked at that level flow down to the levels after it).

LSDOU model

Two group policies are created by default when installing the domain:

  • Default Domain Policy, linked to the domain root
  • Default Domain Controllers Policy, linked to the “Domain Controllers” OU

B. Potential Risks

In view of the hierarchy presented above, we can see that if a GPO is applied at the site level or at the root of a domain, it will also be applied to domain controllers via the “Domain controllers” container.

Is this good or bad practice? Let’s see this together.

Let’s look at the following two scenarios:

  • A first machine GPO is created and linked to the root of the domain
  • A second GPO linked to an organizational unit including a domain administrator account

C. Example #1 – Root-Linked GPO

We will create a GPO that disables UAC (User Account Control) on Windows. You know, UAC is the confirmation window that appears when you need to perform an action that involves elevated privileges (administrator).

For this, we create a GPO at the root of the domain and name it “Disabled UAC“; we then modify it via a right click > “Edit“.

Editing Group Policy

In the section Computer Configuration > Windows Settings > Security Settings > Local Policies > User Account Control, we changed the setting “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode“, as shown in the images below:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Once it’s done, we apply the GPO with the command gpupdate /force on the Active Directory domain controller. By its positioning, the GPO applies to domain controllers and other machines in the domain.

Applying the GPO via gpupdate /force

We see that the settings have been applied and changed on the domain controller.

UAC disabled on domain controller!

It is clear that this parameter is dangerous for a domain controller! Therefore, we should avoid linking GPOs to the root in order to limit the consequences of such an action! We can consider that there was a poor analysis of the impact on all the objects concerned. However, this recommendation is not enough, let’s see why…
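To measure the impact of a root-linked GPO before (or after) it lands on the domain controllers, the following PowerShell script is an added example, not part of the original article: it lists every GPO that reaches the “Domain Controllers” OU by inheritance, looks inside each of them for the UAC elevation setting changed in Example #1, and reads the value actually in effect on the DC it runs on. It assumes the RSAT GroupPolicy and ActiveDirectory modules are available and that it is run on a domain controller with read rights on the GPOs.

```powershell
# Added example (not the article's own script). Assumes RSAT GroupPolicy/ActiveDirectory
# modules; run on a domain controller to check the effective value in step 3.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOU   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=example,DC=local

# 1. Every GPO that applies to the Domain Controllers OU from a parent container
#    (site, domain root) rather than from a link on the OU itself.
$inh = Get-GPInheritance -Target $dcOU
"Inheritance blocked on the DC OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Where-Object { $_.Target -ne $dcOU } |          # Target = container the link lives on
    Select-Object DisplayName, Target, Enforced, Enabled |
    Format-Table -AutoSize

# 2. Does any GPO reaching the OU define the setting changed in Example #1?
#    The GPMC setting "Behavior of the elevation prompt for administrators in Admin
#    Approval Mode" is stored as ConsentPromptBehaviorAdmin (0 = elevate without prompting).
$uacKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($link in $inh.InheritedGpoLinks) {
    $v = Get-GPRegistryValue -Guid $link.GpoId -Key $uacKey `
            -ValueName ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    if ($v) { '{0} (linked on {1}): ConsentPromptBehaviorAdmin = {2}' -f $link.DisplayName, $link.Target, $v.Value }
}

# 3. What is really in effect on this DC right now (after gpupdate /force)?
$effective = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").ConsentPromptBehaviorAdmin
if ($effective -eq 0) {
    Write-Warning "UAC elevation prompt is disabled on this domain controller"
} else {
    "ConsentPromptBehaviorAdmin on this DC = $effective"
}
```

Step 1 is the part worth running regularly: any GPO that shows up there with a Target other than the Domain Controllers OU is a setting you did not decide for your DCs, which is exactly the situation Example #1 demonstrates.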

D. Example #2 – GPO to map a network drive

Let’s do the second example based on mapping a network drive in a session and analyze the result.

On the OU IT-Connect, we will create a GPO named “mapper_drive_user“. Like this:

We change the settings to map a shared folder hosted on the DC as the custom “Z:” drive. Which gives:

GPO - Network Drive

As a reminder, our OU contains domain admins:

Accounts in the IT-Connect OU

After applying the GPO, we find that the network drive is mapped when logging on to the domain controller with an account from this OU. This is because user settings follow the user and apply wherever they log on.

Network drive mapped to user profile at domain controller

Imagine that this drive contains a suspicious file, and that this file turns out to be ransomware! Was it necessary to have this “Perso” network drive when connecting to the domain controller? This case applies to many GPO settings: sometimes a setting is applied recursively to a remote group, which increases the risk of malfunction or error on the DCs.

Now let’s look at the recommendations.

III. Recommendations for the “Domain Controllers” OU

The objective will be to block inheritance on the “Domain Controllers” OU of our Active Directory in order to isolate, in a way, the domain controllers, since they are grouped together in this OU. In addition, to better control the user settings that apply on domain controllers, the user settings of the GPOs linked to the “Domain Controllers” OU must take precedence over the rest. Microsoft provides a configuration for this: loopback processing.

The diagram below summarizes the steps:

Group Policy Compliance Steps on Domain Controllers

Our recommendations are as follows:

  • Recommendation n°1: block inheritance on the “Domain Controllers” OU: this keeps all configurations linked at the root from reaching it. On its own it does not prevent the user settings carried by administrators who log on from being applied, so it must be combined with loopback processing (recommendation n°3)
  • Recommendation n°2: duplicate the “Default Domain Policy” GPO and link the copy to the “Domain Controllers” OU, in order to keep the password and Kerberos settings maintained and enforced on the DCs

To block inheritance, right-click on the “Domain Controllers” OU, and choose “Block inheritance“.

Block inheritance on the “Domain Controllers” OU

Which gives:

Inheritance blocked on the “Domain Controllers” OU

Note: be careful, if a GPO linked at the root is set to “Enforced“ (“Appliqué“ in the French console), this overrides the blocked inheritance and its settings will still be applied on the Domain Controllers. Unfortunately, this option is too often misused.

GPO with “Enforced” option enabled

  • Recommendation n°3: activate loopback processing

To configure this setting, follow the following path in a new GPO: Computer Configuration > Administrative Templates > System > Group Policy

Here, choose the setting named “Configure user Group Policy loopback processing mode“, tick “Enabled“ and select the “Replace“ mode.

  • Recommendation n°4: rename the GPOs applied on the domain controllers

We must assume that the GPOs applied on the “Domain Controllers” OU should not be used on another OU. To identify them, you should use a different name respecting a specific nomenclature for your domain controllers. Thus, for the same GPO, you can differentiate between the version that applies to computers and other servers, and the version for domain controllers.
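The four recommendations above, and the check for the “Enforced” caveat, can be carried out from PowerShell instead of the GPMC. The script below is an added example and not the article's own procedure: it assumes the RSAT GroupPolicy and ActiveDirectory modules, Domain Admin rights, and a “DC - ” naming prefix for the GPOs it creates (the prefix is an assumed convention, to be replaced by your own nomenclature).

```powershell
# Added example (not from the article). Assumes RSAT GroupPolicy/ActiveDirectory modules
# and Domain Admin rights. The "DC - " prefix is an assumed naming convention.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dcOU     = $domain.DomainControllersContainer

# Recommendation n°1: block inheritance on the Domain Controllers OU
Set-GPInheritance -Target $dcOU -IsBlocked Yes | Out-Null

# Recommendation n°2 (+ n°4): copy the Default Domain Policy under a DC-specific name
# and link the copy to the OU so password and Kerberos settings keep applying.
$copyName = 'DC - Default Domain Policy'
if (-not (Get-GPO -Name $copyName -ErrorAction SilentlyContinue)) {
    Copy-GPO -SourceName 'Default Domain Policy' -TargetName $copyName | Out-Null
    New-GPLink -Name $copyName -Target $dcOU -LinkEnabled Yes | Out-Null
}

# Recommendation n°3 (+ n°4): loopback processing in Replace mode, in a dedicated GPO.
# The GPMC setting "Configure user Group Policy loopback processing mode" is stored as
# UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace).
$loopName = 'DC - Loopback Replace'
if (-not (Get-GPO -Name $loopName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $loopName | Out-Null
    Set-GPRegistryValue -Name $loopName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null
    New-GPLink -Name $loopName -Target $dcOU -LinkEnabled Yes | Out-Null
}

# Caveat: an "Enforced" link at the domain root ignores the blocked inheritance.
$enforcedAtRoot = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object { $_.Enforced }
if ($enforcedAtRoot) {
    Write-Warning "Enforced GPO links at the domain root still reach the domain controllers:"
    $enforcedAtRoot | Select-Object DisplayName, Enabled | Format-Table -AutoSize
}

# Verification: what applies to the Domain Controllers OU after the changes
$inh = Get-GPInheritance -Target $dcOU
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Target, Enforced | Format-Table -AutoSize
```

Run it once, then run gpupdate /force on a DC and compare the verification output with a gpresult /r taken before the change: the only links that should remain are those whose Target is the Domain Controllers OU, plus any Enforced root links the warning reported, which then have to be reviewed one by one.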


IV. Conclusion

Domain controllers must be strongly protected; blocking inheritance and user settings is one solution. This must be accompanied by monitoring, which will be the focus of our next article.
