Overview
Group Policy Objects (GPOs) are administrative policies defined within an Active Directory environment to enforce certain settings for users and computers. itopia CAS creates a number of GPOs in every new CAS deployment to ensure the deployment is configured to a particular baseline, and also to control certain configurations made in the CAS Admin Console for deployments and Collection Pools.
CAS creates these GPOs regardless of the Active Directory model you select for your deployment. For deployments configured to use an Existing AD Domain, the GPOs will be created within the target domain; for all other AD models, the GPOs are created in the AD domain created by CAS. For deployments using Managed AD, certain GPO settings are slightly altered to support that environment.
Depending on when your CAS deployment was created, you may have a slightly different set of GPOs defined within your AD domain. Most policies are unchanged between iterations of GPO versions; however, the location of a policy within the GPOs and the scope of the GPOs may differ. CAS automatically upgrades your GPOs to the latest version either when you edit a Collection Pool setting that requires a newer GPO version, or several months after the new GPO version has been released.
Loopback Processing
Group Policy Objects (GPOs) contain two categories of policies: user configuration and computer configuration. When you link a GPO to an organizational unit, the user policies apply to all descendant user accounts and the computer policies to all descendant computer accounts.
However, in some cases you may want user policies to be applied based on the OU of the computer object rather than the user object. In these cases, administrators can enable loopback processing mode for GPOs. When loopback processing is enabled, any GPOs that are scoped to the location of the computer account will also apply policies in the user configuration for any user that logs on.
Within CAS, loopback processing is enabled in order to enforce certain user policies for any user that logs on to a User Session Server (USS) VM, regardless of what OU (or, in the case of a Trusted AD deployment, what domain) their user account is located in.
If you plan to define custom GPOs, it is important to account for loopback processing in your design so that user policies are not unintentionally applied to users who merely log on to a Session Host. When configuring GPOs, you can disable either the user configuration or the computer configuration section entirely; doing so also speeds up GPO processing during system boot and user logon.
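The following PowerShell is an added example (not itopia's own tooling) that audits which GPOs in the domain enable loopback processing and shows the mode that actually took effect on the local Session Host. It assumes the GroupPolicy RSAT module is installed and that the account running it can read GPOs; the only registry location it relies on is the standard loopback setting, which Windows stores under the computer configuration as `UserPolicyMode` (1 = Merge, 2 = Replace).

```powershell
# Added example, not itopia code: find every GPO that turns on loopback
# processing, then report the merged result on this machine.
Import-Module GroupPolicy

# Loopback lives in the computer configuration of a GPO at this key.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {
    # Returns one object per GPO that has UserPolicyMode configured.
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        try {
            # Get-GPRegistryValue errors when the value is not set in the GPO,
            # so treat "not found" as "loopback not configured".
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch { $v = $null }

        if ($null -ne $v) {
            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Loopback  = $ModeNames[[int]$v.Value]
                GpoStatus = $gpo.GpoStatus   # e.g. UserSettingsDisabled
            }
        }
    }
}

Get-LoopbackGpo | Format-Table -AutoSize

# On a Session Host, the merged result of all linked GPOs is written to the
# local policy registry; if the value is absent, no loopback applies here.
$effective = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                 -Name 'UserPolicyMode' -ErrorAction SilentlyContinue
if ($effective) {
    "Effective loopback mode on $env:COMPUTERNAME: $($ModeNames[[int]$effective.UserPolicyMode])"
} else {
    "Loopback processing is not applied on $env:COMPUTERNAME"
}
```

Run the first half from any domain-joined management host and the second half on a Session Host after `gpupdate`. If a custom GPO of yours shows up in the first list, or if the effective mode is Replace where you expected Merge, user settings from GPOs linked to the computer's OU are being applied to every user who logs on, which is exactly the behaviour loopback is designed to produce.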
itopia GPOs version 3
The following table provides a brief overview of the Group Policy Objects that are created and managed by itopia CAS. Administrators should not edit or remove these GPOs; if a setting needs to be changed, create a new GPO with the desired settings and give it a higher priority (a lower link order) than the itopia GPO it amends.
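As an added illustration of that recommendation (example code, not itopia's), the PowerShell below creates a custom GPO, restricts it to user settings, and links it to a Collection Pool OU at link order 1 so that it is evaluated ahead of the itopia GPO linked to the same OU. The GPO name, the OU distinguished name and the chosen setting (re-enabling Task Manager, which the itopia GPO listed below disables) are assumptions for the example; the registry path used is the standard Windows policy location for that setting.

```powershell
# Added example, not itopia code: amend an itopia policy by precedence rather
# than by editing the itopia GPO. Names and OU paths below are assumptions.
Import-Module GroupPolicy

$Name = 'Custom-AllowTaskManager'                                       # assumed GPO name
$OU   = 'OU=Pool-Finance,OU=User Session Servers,DC=example,DC=local'   # assumed Collection Pool OU

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $Name -Comment 'Overrides itopia-v3-TaskManager-Disabled for this pool'
}

# 2. Define the user-side setting. DisableTaskMgr = 0 is the policy value that
#    re-enables Task Manager; it is a user configuration setting.
Set-GPRegistryValue -Name $Name `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 0 | Out-Null

# 3. Disable the unused computer half so it is not evaluated at boot.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 4. Link at order 1 on the pool OU: among links on the same OU, order 1 wins.
$existing = (Get-GPInheritance -Target $OU).GpoLinks
if ($existing.DisplayName -notcontains $Name) {
    New-GPLink -Name $Name -Target $OU -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $Name -Target $OU -Order 1 | Out-Null
}

# 5. Verify the resulting precedence on the OU.
(Get-GPInheritance -Target $OU).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Two things to check in the verification output. First, link order only decides precedence among GPOs linked to the same OU; a GPO linked to a parent OU is normally overridden by links on a child OU, unless the parent link is marked Enforced, in which case it wins regardless of order. Second, because itopia enables loopback processing on Session Hosts, the user setting in this GPO applies to every account that logs on to the pool, not only to users whose accounts sit under that OU, so scope the link (or add security filtering with `Set-GPPermission`) accordingly.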
GPO Name | Description | Scope | Permissions
--- | --- | --- | ---
itopia-v3-CommandShell-Disabled | This GPO disables end-user access to the Command Prompt and PowerShell consoles. It is automatically linked to and unlinked from Collection Pool OUs based on the Collection Pool configuration in the CAS Admin Console. | Computer settings disabled; applied to specific Collection Pool OUs | Domain Admins and Cloud Service Admins are excluded from applying this GPO
itopia-v3-DisableAdminTools | This GPO hides Server Manager and several other "administrative tools" from end-user desktops and Start menus. | Computer settings disabled; applied to the User Session Servers OU (applies to all Session Hosts) | Domain Admins and Cloud Service Admins are excluded from applying this GPO
itopia-v3-EnableCredSSP | This GPO enforces the use of CredSSP on all servers in the CAS deployment. CredSSP is used to securely execute remote management commands on the servers. | User settings disabled; applied to the root deployment OU | Default
itopia-v3-SessionHostPolicies | This GPO configures a base level of settings to secure and optimize all Session Hosts in the deployment, including enabling GPO loopback processing. | User settings disabled; applied to the User Session Servers OU (applies to all Session Hosts) | Default
itopia-v3-SessionHostPolicies-Server | This GPO removes some server-specific items from Session Hosts to make them more user-friendly for end users. | User settings disabled; applied to the OU of Collection Pools running Windows Server-based operating systems | Domain Admins and Cloud Service Admins are excluded from applying this GPO
itopia-v3-SessionHostPolicies-Win10 | This GPO defines a number of optimizations for Windows 10, including disabling unnecessary system services, disabling certain background processes, optimizing visual rendering performance, and minimizing Microsoft telemetry. | Applied to the OU of Collection Pools running Windows 10-based operating systems | Default
itopia-v3-TaskManager-Disabled | This GPO removes the ability for end users to launch Task Manager. It is automatically linked to and unlinked from Collection Pool OUs based on the Collection Pool configuration in the CAS Admin Console. | Computer settings disabled; applied to the OU of specific Collection Pools | Domain Admins and Cloud Service Admins are excluded from applying this GPO
itopia-v3-UserRestrictions | This GPO prohibits certain end-user actions such as shutting down a VM, defining Internet proxy settings, or changing access control lists (ACLs) on file objects from File Explorer. | Computer settings disabled; applied to the User Session Servers OU (applies to all Session Hosts) | Domain Admins and Cloud Service Admins are excluded from applying this GPO