Implementing Group Policies in Windows Server 2003

Chapter 6: Implementing Group Policy (Presentation)

Group policies are collections of user and computer configuration settings that specify how programs, network resources, and the operating system work for users and computers in an organization.

Group Policy can be set up for computers, sites, domains, and OUs.

Example: Using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.

In general, Group Policy is a grouping of policy settings that are linked to computers, sites, domains, and OUs.

Through Group Policy, administrators can take advantage of policy-based management to do the following:

Enable one-to-many management of users and computers throughout the enterprise.

Automate enforcement of IT policies.

Simplify administrative tasks, such as system updates and application installations.

Consistently implement security settings across the enterprise.

Efficiently implement standard computing environments for groups of users.

Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings.

These settings are specified through the Group Policy Object Editor tool and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers, such as sites, domains, or OUs.

[Diagram: a Site, a Domain, and two OUs (OU1, OU2), with GPO1 through GPO4 linked to them]

Registry-based Policy

Security Settings

Software Restrictions

Software Distribution and Installation

Computer and User Scripts

Roaming User Profiles and Redirected Folders

Offline Folders

Internet Explorer Maintenance

The most common and easiest way to provide policy for an application or operating system component is to implement registry-based policy.

With the new Group Policy Management Console (GPMC) and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components.

Example: an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.

Registry-based policy edits the operating system's registry settings.

Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO.

Local computer, domain, and network security settings can be specified.

For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, or publisher criteria.

Administrators can make exceptions to the default security level by creating rules for specific software.

To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies.

Administrators can use policies to identify software running in a domain and control its ability to execute.

Administrators can manage application installation, updates, and removal centrally with Group Policy.

Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis.

Software can be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optionally install software through Add/Remove Programs in the Control Panel).

Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.

Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff.

Any language supported by Windows Scripting Host can be used, including the Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and .cmd).

Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on.

Through folder redirection, important user folders, such as My Documents and the Start menu, can be redirected to a server-based location.

Folder redirection allows centralized management and the capability to easily back up and restore these folders.

When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk.

Users are assured access to critical information even when network connections are unstable or nonpermanent or when using a mobile computer.

When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.

Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy.

The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer.

Group Policy objects (GPOs) are collections of Group Policy settings.

To create a specific desktop configuration for users, you create GPOs.

Each computer running Microsoft Windows Server 2003 has:

One Local GPO

Any number of Non-Local GPOs

One local GPO is stored on each computer (regardless of whether it is on a network).

A local GPO affects only the computer on which it is stored.

The local GPO settings can be overridden by nonlocal GPOs in a networked environment and vice versa.

Default store location: %Systemroot%\System32\GroupPolicy.

Nonlocal GPOs are created in Active Directory and must be linked to a site, domain, or OU in order to be applied to either users or computers.

By default, two nonlocal GPOs are created:

Default Domain Policy

Default Domain Controllers Policy

Default Domain Policy

This GPO is linked to the domain.

It affects all users and computers in the domain.

Default Domain Controllers Policy

This GPO is linked to the Domain Controllers OU.

It generally affects only domain controllers.

You use the Group Policy Object Editor to organize and manage the Group Policy settings in each GPO.

Group Policy settings are contained in a GPO and determine the user's desktop environment.

You can view the Group Policy settings for a GPO in the Group Policy Object Editor.

There are two types of Group Policy settings:

Computer Configuration Settings

User Configuration Settings

They are contained in the Computer Configuration and the User Configuration nodes in a GPO.

The Computer Configuration node contains the settings used to set group policies applied to computers, regardless of who logs on to them.

Computer configuration settings are applied when the operating system initializes.

The User Configuration node contains the settings used to set group policies applied to users, regardless of which computer the user logs on to.

User configuration settings are applied when users log on to the computer.

Both these nodes include settings for installing software, settings for installing and accessing the Windows Server 2003 operating system, and registry settings.

In both the Computer Configuration and the User Configuration nodes, the Software Settings node contains only the Software Installation extension by default.

The Software Installation extension helps you specify how applications are installed and maintained within your organization.

It also provides a place for independent software vendors to add settings.

In both the Computer Configuration and the User Configuration nodes, the Windows Settings node contains the Scripts extension and the Security Settings node.

The Scripts extension allows you to specify two types of scripts: startup/shutdown (in the Computer Configuration node) and logon/logoff (in the User Configuration node).

In both the Computer Configuration and the User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings.

There are more than 550 of these settings available for configuring the user environment.

As an administrator, you might spend a significant amount of time manipulating these settings.

Each of the settings in the Administrative Templates node can be:

Not Configured: The registry is not modified.

Enabled: The registry reflects that the policy setting is selected.

Disabled: The registry reflects that the policy setting is not selected.
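
The registry-based policy described on the earlier slides (the Run command example) and the three setting states listed above can be inspected on disk, shown here as an added example that is not part of the original presentation: Administrative Templates settings are saved in a Registry.pol file inside each GPO, and this Python parser reads that format. The file name and record layout come from Microsoft's published Registry.pol format, not from the slides; the sample bytes are constructed, and `ExampleSetting` is a hypothetical value name.

```python
REG_DWORD = 4  # registry value type for a 32-bit integer
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

_u = lambda text: text.encode("utf-16-le")  # the format stores text as UTF-16LE

def _record(key, value, rtype, data):
    """Build one constructed record: [key;value;type;size;data]."""
    return (_u("[" + key + "\0;" + value + "\0;") + rtype.to_bytes(4, "little")
            + _u(";") + len(data).to_bytes(4, "little") + _u(";") + data + _u("]"))

# Constructed sample: NoRun enabled; hypothetical "ExampleSetting" disabled.
SAMPLE = (b"PReg" + (1).to_bytes(4, "little")
          + _record(EXPLORER, "NoRun", REG_DWORD, (1).to_bytes(4, "little"))
          + _record(EXPLORER, "**del.ExampleSetting", 1, _u(" \0")))

def _cstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end >= len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return (key, value name, state, data) for every record in the file."""
    if buf[:4] != b"PReg" or buf[4:8] != (1).to_bytes(4, "little"):
        raise ValueError("not a version 1 Registry.pol file")
    pos, rows = 8, []
    while pos < len(buf):
        key, pos = _cstr(buf, _expect(buf, pos, "["))
        value, pos = _cstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype = int.from_bytes(buf[pos:pos + 4], "little")
        pos = _expect(buf, pos + 4, ";")
        size = int.from_bytes(buf[pos:pos + 4], "little")
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        if rtype == REG_DWORD and size == 4:
            data = int.from_bytes(data, "little")
        deleted = value.lower().startswith("**del.")  # value is removed, not set
        rows.append((key, value[6:] if deleted else value,
                     "deleted" if deleted else "set", None if deleted else data))
    return rows
```

A `**del.` record is one way a Disabled setting is written; a Not Configured setting produces no record, so it never appears in the output.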