Group Policies
Group policies are collections of user and computer configuration settings that specify how
programs, network resources, and the operating system work for users and computers in an
organization.
Group Policy can be applied to the local computer, to sites, to domains, and to OUs. For example, using group
policies, you can determine which programs are available to users, which programs appear
on the user's desktop, and which Start menu options are shown. Although the name "Group Policy" suggests that
you might set policies for global, domain local, or universal groups, this is not the case. Instead,
think of Group Policy as groupings of policy settings that are linked to computers, sites,
domains, and OUs; security groups matter only for filtering which users and computers a linked GPO applies to.
Administrators can configure the users’ work environment once and rely on the system to
enforce the policies as defined.
[Figure 1: diagram of GPO links; GPO1 and GPO2 sit above the Site and Domain, GPO3 above OU1 and OU2, GPO4 at OU2]
Figure 1: GPOs are applied to sites, domains, and the OUs beneath them. Here, OU1 is affected by GPO1,
GPO2, and GPO3. OU2 is affected by all four GPOs.
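The resolution illustrated by Figure 1 can be written down as a small model. The following Python is an added example, not code from the original document or from Microsoft. It assumes the figure's hierarchy is GPO1 linked to the site, GPO2 to the domain, GPO3 to OU1 and GPO4 to OU2 with OU2 nested under OU1 (an assumption; the figure is consistent with other layouts that give the same result), and it goes beyond the figure by also modelling the Block Inheritance and Enforced link options that change the order in which GPOs are applied.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Link:
    gpo: str
    enforced: bool = False      # "Enforced" (called "No Override" in the older Group Policy tab)


@dataclass
class Container:
    name: str
    kind: str                   # "site", "domain" or "ou"
    links: List[Link] = field(default_factory=list)   # GPMC link order: index 0 has the highest precedence
    block_inheritance: bool = False
    parent: Optional["Container"] = None


def chain(container: Container) -> List[Container]:
    """The containers from the site down to `container`: site, domain, OU, child OU."""
    nodes = []
    c = container
    while c is not None:
        nodes.append(c)
        c = c.parent
    return list(reversed(nodes))


def resolve(container: Container) -> List[str]:
    """GPO names in the order the client applies them; the last one applied wins a conflicting setting.

    Order is site, domain, OU, child OU (the local GPO, not modelled here, is applied before the site).
    Block Inheritance on a container drops every non-enforced link from the containers above it.
    Enforced links always apply, after all the others, with the highest container applied last,
    so a domain-level enforced GPO beats an enforced GPO linked to an OU.
    """
    nodes = chain(container)
    block_at = max((i for i, n in enumerate(nodes) if n.block_inheritance), default=-1)
    normal: List[str] = []
    enforced: List[Tuple[int, str]] = []
    for depth, node in enumerate(nodes):
        for link in reversed(node.links):            # lowest link order is applied first
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= block_at:
                normal.append(link.gpo)
    enforced.sort(key=lambda e: -e[0])               # stable sort: deepest container first, site last
    return normal + [gpo for _, gpo in enforced]


def effective_settings(container: Container, gpo_settings: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Merge the settings of the applied GPOs; a GPO applied later overwrites an earlier one."""
    result: Dict[str, object] = {}
    for gpo in resolve(container):
        result.update(gpo_settings.get(gpo, {}))
    return result


def figure1(block_ou2: bool = False, enforce_gpo2: bool = False) -> Dict[str, Container]:
    """Figure 1 as assumed here: GPO1 on the site, GPO2 on the domain, GPO3 on OU1, GPO4 on OU2,
    with OU2 a child of OU1. Names of the site and domain are placeholders."""
    site = Container("Default-First-Site-Name", "site", [Link("GPO1")])
    domain = Container("corp.example", "domain", [Link("GPO2", enforced=enforce_gpo2)], parent=site)
    ou1 = Container("OU1", "ou", [Link("GPO3")], parent=domain)
    ou2 = Container("OU2", "ou", [Link("GPO4")], block_inheritance=block_ou2, parent=ou1)
    return {"OU1": ou1, "OU2": ou2}


if __name__ == "__main__":
    tree = figure1()
    print("OU1:", resolve(tree["OU1"]))      # GPO1, GPO2, GPO3
    print("OU2:", resolve(tree["OU2"]))      # GPO1, GPO2, GPO3, GPO4
    tree = figure1(block_ou2=True, enforce_gpo2=True)
    print("OU2, Block Inheritance, GPO2 enforced:", resolve(tree["OU2"]))   # GPO4, GPO2
    # A "Remove Run" setting defined in two GPOs: the OU-linked GPO wins because it is applied last.
    print(effective_settings(figure1()["OU1"], {"GPO2": {"NoRun": 1}, "GPO3": {"NoRun": 0}}))
```

The order matters because the GPO applied last wins any setting that is defined in more than one GPO: an Enforced link at the domain level silently overrides an OU's hardening settings, and a Block Inheritance flag on an OU silently discards them, which is why the resultant set of policy (gpresult or the RSoP snap-in) should be checked rather than the list of linked GPOs alone.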
Registry-based Policy
The most common and the easiest way to provide policy for an application or operating system
component is to implement registry-based policy. With the new Group Policy Management
Console (GPMC) and the Group Policy Object Editor, administrators can define registry-based
policies for applications, the operating system, and its components. For example, an
administrator can enable a policy setting that removes the Run command from the Start menu
for all affected users. These settings are written to the Policies keys of the registry (under
HKLM\Software\Policies, HKCU\Software\Policies, and the corresponding CurrentVersion\Policies
keys), which standard users cannot modify, so the setting holds until the policy is changed.
Security Settings
Group Policy provides options for administrators to set security options for computers and
users within the scope of a GPO. Local computer, domain, and network security settings can be
specified. For added protection, administrators can apply software restriction policies. A
software restriction policy sets a default security level, either Unrestricted (everything may
run) or Disallowed (nothing may run), and then identifies exceptions through rules that match
files by path, Internet (URL) zone, hash, or publisher certificate. Administrators make
exceptions to the default security level by creating such rules for specific software.
Software Restrictions
To defend against viruses, unwanted applications, and attacks on computers running Windows
XP and Windows Server 2003, Group Policy includes new software restriction policies.
Administrators can use these policies to identify software running in a domain and control its
ability to execute. A restriction is only as strong as the rule that identifies the software:
a path rule is satisfied by copying a file into the permitted location, and a hash rule stops
matching as soon as a single byte of the file changes, so the two are normally combined with a
Disallowed default level rather than used alone.
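How a software restriction policy decides between overlapping rules is easiest to see in code. The following Python is an added example, not part of the original document and not Microsoft's implementation. The rule set, file paths and file contents are constructed for illustration, SHA-1 stands in for the hash the policy would store, and the publisher and zone attributes of a file are assumed to be supplied by the caller. It implements the precedence SRP uses (hash, then certificate, then path, then Internet zone; the most specific path rule wins; equally specific rules resolve to the more restrictive level) and demonstrates two practical weaknesses: a one-byte change escapes a hash rule, and a path rule accepts any file that lands under the allowed folder.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# SRP evaluates rule types in this order; a match of a higher-precedence type
# overrides any match of a lower-precedence type.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hex digest, signer name, path pattern (wildcards allowed) or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass
class Candidate:
    """What the policy engine knows about a file a user is trying to run (constructed here)."""
    path: str
    content: bytes
    publisher: Optional[str] = None   # Authenticode signer subject, None if unsigned
    zone: Optional[str] = None        # Internet zone the file was downloaded from, if any


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def matches(rule: Rule, c: Candidate) -> bool:
    if rule.kind == "hash":
        return hashlib.sha1(c.content).hexdigest() == rule.match.lower()
    if rule.kind == "certificate":
        return c.publisher is not None and c.publisher == rule.match
    if rule.kind == "path":
        pattern, path = _norm(rule.match), _norm(c.path)
        # A bare folder rule covers everything beneath it; otherwise the rule is a glob.
        return path.startswith(pattern.rstrip("\\") + "\\") or fnmatch.fnmatchcase(path, pattern)
    if rule.kind == "zone":
        return c.zone == rule.match
    raise ValueError(f"unknown rule type {rule.kind}")


def evaluate(c: Candidate, rules: List[Rule], default_level: str = DISALLOWED) -> Tuple[str, Optional[Rule]]:
    """Return (effective level, deciding rule); the rule is None when the default level applies."""
    hits = [r for r in rules if matches(r, c)]
    if not hits:
        return default_level, None
    top = min(PRECEDENCE[r.kind] for r in hits)
    hits = [r for r in hits if PRECEDENCE[r.kind] == top]
    if top == PRECEDENCE["path"]:
        # Among path rules the most specific (longest) pattern wins.
        longest = max(len(r.match) for r in hits)
        hits = [r for r in hits if len(r.match) == longest]
    # Equally specific rules that disagree: the more restrictive level wins.
    for r in hits:
        if r.level == DISALLOWED:
            return DISALLOWED, r
    return UNRESTRICTED, hits[0]


# Constructed sample binaries; the bytes stand in for real executables.
GOOD_TOOL = b"MZ constructed: a legitimate administrative tool"
BAD_TOOL = b"MZ constructed: a binary the administrator wants blocked"

RULES = [
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Program Files\*\*.vbs", DISALLOWED),   # more specific than the folder rule
    Rule("hash", hashlib.sha1(BAD_TOOL).hexdigest(), DISALLOWED),
    Rule("zone", "Internet", DISALLOWED),
]


def demo() -> List[str]:
    cases = [
        Candidate(r"C:\Program Files\Tools\admin.exe", GOOD_TOOL),                      # path rule allows
        Candidate(r"C:\Documents and Settings\alice\Local Settings\Temp\admin.exe", GOOD_TOOL),  # default level
        Candidate(r"C:\Program Files\Tools\bad.exe", BAD_TOOL),                         # hash rule beats path rule
        Candidate(r"C:\Program Files\Tools\bad.exe", BAD_TOOL + b"\x00"),               # one byte changed: hash misses
        Candidate(r"C:\Program Files\Tools\setup.vbs", GOOD_TOOL),                      # longer path rule wins
        Candidate(r"C:\Program Files\Tools\dl.exe", GOOD_TOOL, zone="Internet"),        # path beats zone
    ]
    return [evaluate(c, RULES)[0] for c in cases]


if __name__ == "__main__":
    print(demo())   # ['Unrestricted', 'Disallowed', 'Disallowed', 'Unrestricted', 'Disallowed', 'Unrestricted']
```

The C:\Windows allow rule in the sample is the classic mistake: subfolders such as C:\Windows\Temp and C:\Windows\Tasks are writable by ordinary users on Windows XP and Windows Server 2003, so a file copied there runs under the folder rule. Real policies carve such folders out with more specific Disallowed path rules.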
Roaming user profiles and folder redirection allow mobile users, or users not assigned to a
particular computer, to see a familiar desktop when they log on and to locate the folders they
need. Administrators can also take advantage of roaming user profiles to replace computers more
easily: when a user logs on to a new computer for the first time, the server copy of the user's
profile is copied to the new computer. In addition, administrators can redirect users' My
Documents folder to their home directory, a new feature.
Offline Folders
When a network is unavailable, the Offline Folders feature provides access to network files and
folders from a local disk. Users are assured access to critical information even when network
connections are unstable or nonpermanent or when using a mobile computer. When users
reconnect to their network, the client files and server files are synchronized, thereby keeping
versions consistent and up-to-date.
Internet Explorer Maintenance
Administrators can manage and customize the configuration of Microsoft Internet Explorer on
computers that support Group Policy. The Group Policy Object Editor includes the Internet
Explorer Maintenance node, which administrators use to edit Internet Explorer security zones,
privacy settings, and other parameters on a computer running Windows 2000 and later.
Local GPOs
One local GPO is stored on each computer, whether or not the computer is part of an Active
Directory environment or a networked environment. A local GPO affects only the computer on
which it is stored. Because it is processed first, before site, domain, and OU GPOs, any
setting it shares with a nonlocal GPO is overridden by the nonlocal value, which makes the
local GPO the least influential GPO when the computer is in an Active Directory environment.
In a non-networked environment the local GPO's settings are more important because nothing
overrides them. By default the local GPO is stored in %Systemroot%\System32\GroupPolicy;
anyone in the computer's local Administrators group can edit it, so a control that must hold
on a domain member belongs in a nonlocal GPO rather than in the local one.
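The registry-based policy described under "Registry-based Policy" and the local GPO folder described here meet in the registry.pol file: %Systemroot%\System32\GroupPolicy\Machine\registry.pol and %Systemroot%\System32\GroupPolicy\User\registry.pol hold the Administrative Templates settings of the local GPO, and domain GPOs keep the same file under their folder in SYSVOL. The following Python is an added example, not code from the original document or from Microsoft, that writes and parses this format so the settings can be reviewed offline. The sample entries are constructed here: the NoRun value behind the "Remove Run menu from Start Menu" setting, a screen-saver timeout string, and a value marked for deletion.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

REG_SZ, REG_DWORD = 1, 4
SIGNATURE, VERSION = b"PReg", 1     # every registry.pol starts with "PReg" and a version DWORD of 1
U16 = "utf-16-le"                   # strings and the [ ; ] delimiters are little-endian UTF-16


@dataclass
class PolicyEntry:
    key: str      # registry key, relative to HKLM (Machine\registry.pol) or HKCU (User\registry.pol)
    name: str
    rtype: int
    data: bytes

    @property
    def deletes_value(self) -> bool:
        # Group Policy marks a value to be removed by prefixing its name with "**Del.".
        return self.name.startswith("**Del.")

    @property
    def value(self) -> Union[int, str, bytes]:
        if self.rtype == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.rtype == REG_SZ:
            return self.data.decode(U16).rstrip("\x00")
        return self.data


def _z(s: str) -> bytes:
    """Null-terminated UTF-16LE string."""
    return s.encode(U16) + b"\x00\x00"


def build_registry_pol(entries: List[Tuple[str, str, int, bytes]]) -> bytes:
    """Encode entries as [key;value;type;size;data] records (used here to construct a sample file)."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, name, rtype, data in entries:
        out += "[".encode(U16) + _z(key) + ";".encode(U16) + _z(name) + ";".encode(U16)
        out += struct.pack("<I", rtype) + ";".encode(U16)
        out += struct.pack("<I", len(data)) + ";".encode(U16) + data + "]".encode(U16)
    return bytes(out)


def parse_registry_pol(blob: bytes) -> List[PolicyEntry]:
    if blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a registry.pol file")

    def read_str(p: int) -> Tuple[str, int]:
        end = p
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        return blob[p:end].decode(U16), end + 2

    def read_dword(p: int) -> Tuple[int, int]:
        return struct.unpack_from("<I", blob, p)[0], p + 4

    def expect(p: int, ch: str) -> int:
        if blob[p:p + 2] != ch.encode(U16):
            raise ValueError(f"expected {ch!r} at offset {p}")
        return p + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_str(pos)
        pos = expect(pos, ";")
        name, pos = read_str(pos)
        pos = expect(pos, ";")
        rtype, pos = read_dword(pos)
        pos = expect(pos, ";")
        size, pos = read_dword(pos)
        pos = expect(pos, ";")
        data, pos = blob[pos:pos + size], pos + size
        pos = expect(pos, "]")
        entries.append(PolicyEntry(key, name, rtype, data))
    return entries


# Constructed sample: the User\registry.pol of a local GPO after enabling "Remove Run menu from
# Start Menu" (NoRun = 1), setting a screen-saver timeout, and un-configuring a previous value.
EXPLORER_POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_POL = build_registry_pol([
    (EXPLORER_POLICIES, "NoRun", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\Control Panel\Desktop", "ScreenSaveTimeOut", REG_SZ, _z("600")),
    (EXPLORER_POLICIES, "**Del.NoControlPanel", REG_DWORD, struct.pack("<I", 0)),
])


def describe(blob: bytes) -> List[str]:
    """One readable line per record of a User\\registry.pol, as an auditor would want to see it."""
    lines = []
    for e in parse_registry_pol(blob):
        if e.deletes_value:
            lines.append(f"delete HKCU\\{e.key}\\{e.name[len('**Del.'):]}")
        else:
            lines.append(f"set HKCU\\{e.key}\\{e.name} = {e.value!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_POL)))
```

Reading the file directly is useful when the Group Policy Object Editor is unavailable, for example when reviewing a disk image, and it shows exactly which registry values a policy changes, which is what an attacker with write access to the folder would edit.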
Nonlocal GPOs
Nonlocal GPOs are created in Active Directory and must be linked to a site, domain, or OU in
order to be applied to either users or computers. To use nonlocal GPOs, you must have a
Windows 2000 or Windows Server 2003 domain controller installed. By default, when Active
Directory’s directory service is set up, two nonlocal GPOs are created:
Default Domain Policy: This GPO is linked to the domain, and it affects all users and
computers in the domain (including domain controllers) through Group Policy inheritance. It is
where the domain-wide account policies (password, account lockout, and Kerberos policy) are defined.
Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU, and
it generally affects only domain controllers, because the computer accounts of domain
controllers are kept in the Domain Controllers OU by default. It carries the user rights
assignments and audit settings for domain controllers.
Figure 2: Default Domain Policy Group Policy Object Editor
To open the MMC for the local GPO, complete the following steps:
1. Click Start, click Run, type mmc, and then click OK.
2. On the MMC's menu bar, click File, and then click Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, in the Standalone tab, click Add.
4. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click
Add.
5. In the Select Group Policy Object dialog box, ensure that Local Computer appears in the
Group Policy Object box.
6. Click Finish, and then click Close in the Add Standalone Snap-In dialog box.
To open the Group Policy Object Editor from the Active Directory Sites And Services console,
complete the following steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. In the console tree, right-click the site you want to set Group Policy for, and then click
Properties.
3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an
existing GPO, and then click Edit. (Or, click New to create a new GPO, and then click Edit.)
The Group Policy Object Editor for the site GPO is now available.
To open the Group Policy Object Editor from the Active Directory Users And Computers
console, complete the following steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Users And
Computers.
2. In the console tree, right-click the domain or OU you want to set Group Policy for, and then
click Properties.
3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an
existing GPO, and then click Edit. (Or, click New to create a new GPO, and then click Edit.)
The Group Policy Object Editor for the domain or OU GPO is now available.
The User Configuration node contains the settings used to set group policies applied to users, regardless
of which computer the user logs on to. User configuration settings are applied when users log on to the
computer.
Both the Computer Configuration and the User Configuration nodes include settings for installing
software, Windows settings for the Windows Server 2003 operating system (such as scripts and
security settings), and registry-based settings. These are contained in the Software Settings,
Windows Settings, and Administrative Templates nodes respectively.
When you configure settings in the Software Installation extension, you can manage an application
within a GPO that, in turn, is associated with an Active Directory site, domain, or OU. Applications can be
managed in one of two modes: assigned or published. You assign an application when you want the
computers or users managed by the GPO to have the application: an application assigned to a computer is
installed at startup, and one assigned to a user is advertised on the Start menu and installed on first
use. You publish an application when you want it to be available to users managed by the GPO, through
Add or Remove Programs, should a user want the application. You cannot publish an application to computers.
The Scripts extension allows you to specify two types of scripts: startup/shutdown (in the Computer
Configuration node) and logon/logoff (in the User Configuration node). Startup/shutdown scripts run at
computer startup or shutdown, in the LocalSystem security context, so whatever they do runs with full
privileges on the computer. Logon/logoff scripts run when a user logs on or off the computer, in that
user's security context. When you assign multiple logon/logoff or startup/shutdown scripts to a user or
computer, Windows Server 2003 executes the scripts from top to bottom, and you can set the order of
execution for multiple scripts in the Properties dialog box. When a computer is shut down, Windows Server
2003 first processes logoff scripts, followed by shutdown scripts. By default, the timeout value for
processing scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes, adjust
the timeout with the "Maximum wait time for Group Policy scripts" setting under Computer Configuration,
Administrative Templates, System, Scripts. You can use any ActiveX scripting language supported by
Windows Script Host to write scripts, as well as batch files. Some possibilities include Microsoft Visual
Basic Scripting Edition (VBScript), Microsoft JScript, Perl, and MS-DOS style batch files (.bat and .cmd).
Figure 3: Contents of Administrative Templates node
To assist you with the settings, a description of each policy setting is available in three locations:
1. In the Explain tab in the Properties dialog box for the setting. In addition, the Setting tab in the
Properties dialog box for the setting lists the required operating system for the setting.
2. In Administrative Templates Help (a new feature of Windows Server 2003). The required
operating system for each setting is also listed.
3. In the Extended tab (a new feature of Windows Server 2003, selected by default) in the Group
Policy Object Editor. The Extended tab provides a description of each selected setting in a
column between the console tree and the settings pane. The required operating system for each
setting is also listed.