Using Group Policy and Active Directory with SCW
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2
This topic is about using Group Policy and Active Directory with SCW.
SCW is not a replacement for the security settings available in Group Policy; it is a security tool to supplement Active Directory and its policy infrastructure, and to make the familiar Active Directory tools such as the Active Directory Users and Computers snap-in more useful to you.
Active Directory best practices include using Active Directory Users and Computers to group computer objects into organizational units (OUs) for convenient administration. This helps you deploy SCW policies by using Group Policy objects (GPOs). You can create an SCW security policy by prototyping a server with the SCW user interface, convert it into a GPO by using scwcmd.exe, and link the GPO to an OU. If all the functionally similar servers are in the OU, they all receive your SCW-authored security policy.
Group Policy Object Editor
The Group Policy Object Editor is the user and computer configuration management tool that is included with Active Directory. Group Policy settings include security settings in the Group Policy Object Editor even though security settings are displayed and processed differently from most of the other Group Policy settings. For example, security settings are persistent in the registry, whereas Group Policy administrative templates settings are rewritten whenever policy is refreshed.
The Group Policy Object Editor is used to edit all Group Policy objects, including those converted from SCW format. So SCW makes the Group Policy Object Editor more useful by supplying GPOs tailored to server types.
Group Policy Management Console
Group Policy Management Console (GPMC) answered the need for easier analysis, planning, and backup of policy in an Active Directory environment, where multiple GPOs frequently apply to the same system and custom OU arrangements affect inheritance. GPMC is made available as a free download. It supports all enterprise-wide Group Policy tasks with the exception of editing individual GPOs, which is still done with Group Policy Object Editor.
In particular, GPMC is used for linking GPOs to OUs. Linking is the mechanism by which GPOs are applied to the users and computers within the OUs.
If you use Group Policy Object Editor to edit a GPO that includes SCW security policies, be aware that security settings authored manually in Group Policy Object Editor take precedence over the same settings applied using SCW.
If SCW-authored settings are transformed into a GPO, the decision as to which settings take precedence is determined by ordinary GPO inheritance rules.
Security Templates and Precedence
In addition to using SCW to author security policies, you can also apply security settings by using security templates. Security templates are .inf files such as securedc.inf that are located by default in %systemroot%\security\templates\. You can see the security template settings in Group Policy Object Editor and GPMC in the following location:
GPO_Name\Computer Configuration\Windows Settings\Security Settings\
The configuration changes that can be made by using the SCW user interface without the use of security templates partially overlap the configuration changes available by using security templates alone. Neither set of configuration changes totally includes the other. For example, the SCW user interface includes IIS settings that are not included in any security template. Conversely, security templates can include such items as Software Restriction policies, which are not configurable through SCW user interface. Some configuration changes, such as IP Security (IPsec) policies, can be set by using the SCW user interface, or by attaching a security template to the native SCW policy file (.xml file), or by using both methods. If you use both methods, however, conflicting policy settings are resolved by using the precedence rules explained later in this section.
In addition, the scwcmd.exe command-line tool with its transform option supports the creation of new, unlinked GPOs from SCW policies. This means that there are, in effect, three ways to use security templates:
If you are familiar with Group Policy, and have used the Group Policy Object Editor and GPMC, then you are familiar with attaching a security template to a GPO by right-clicking Security Settings, clicking Import Policy, and then browsing to the .inf file.
A second way is to include a security template in an SCW policy from the Security Policy File Name page of SCW by clicking Include Security Templates, and then clicking Add. As with the Group Policy method, you then browse to an .inf file.
The third way is to attach a template to a .xml policy file (as just described) and then type at the command line scwcmd transform /p:policyfile.xml /g:GPOdisplayname to create a GPO, which you then link using GPMC.
In an environment utilizing Group Policy, SCW, and multiple security templates, use the following guidelines to anticipate the precedence of security settings:
Security policy applied through Active Directory-based GPOs has higher precedence than security policy applied through SCW policy files (.xml files).
Precedence among GPOs is unaffected by whether each GPO was created by scwcmd.exe or not: Only the standard Active Directory inheritance rules (in which local, site, domain, and organization unit GPOs are applied in succession) and link order determine precedence for GPOs.
Security policy set in the SCW user interface has higher precedence than conflicting policy set in .inf security templates that are attached to the .xml policy file.
If multiple security templates are attached to the .xml security template, a template that is listed higher in the Include Security Templates dialog box has precedence over a template that appears lower in the list.
Always test security policy in a lab before deploying it to your live production servers.