Chapter 6: Implementing Group Policy

Group Policies
Group policies are collections of user and computer configuration settings that specify how
programs, network resources, and the operating system work for users and computers in an
organization.

Group Policy can be set up for computers, sites, domains, and OUs. For example, using group
policies, you can determine the programs that are available to users, the programs that appear
on the user's desktop, and Start menu options. Although the name "Group Policy" suggests that
you might set policies for global, domain local, or universal groups, this is not the case. Instead,
think of Group Policy as groupings of policy settings that are linked to computers, sites,
domains, and OUs.

Through Group Policy, administrators can take advantage of policy-based management to do
the following:

- Enable one-to-many management of users and computers throughout the enterprise.
- Automate enforcement of IT policies.
- Simplify administrative tasks, such as system updates and application installations.
- Consistently implement security settings across the enterprise.
- Efficiently implement standard computing environments for groups of users.

Group Policy Overview


Administrators can manage computers centrally through Active Directory and Group Policy.
Using Group Policy to deliver managed computing environments allows administrators to work
more efficiently because of the centralized, one-to-many management it enables. Because
Group Policy defines the settings and allowed actions for users and computers, it can create
desktops that are tailored to users' job responsibilities and level of experience with computers.

Defining Group Policy


Administrators use Group Policy to define specific configurations for groups of users and
computers by creating Group Policy settings. These settings are specified through the Group
Policy Object Editor tool and contained in a Group Policy object (GPO), which is in turn linked to
Active Directory containers, such as sites, domains, or OUs, as Figure 1 shows. In this way, Group
Policy settings are applied to the users and computers in those Active Directory containers.

Administrators can configure the users’ work environment once and rely on the system to
enforce the policies as defined.

[Figure 1: diagram of a site, a domain, and the OUs OU1 and OU2 beneath them, with GPO1
through GPO4 linked at the site, domain, and OU levels]

Figure 1: GPOs are applied to sites, domains, and the OUs beneath them. Here, OU1 is affected by GPO1,
GPO2, and GPO3. OU2 is affected by all four GPOs.

Key Features of Group Policy


Through Group Policy, administrators define the policies that determine how applications and
operating systems are configured and keep users and systems secure. The following sections
describe the key features of Group Policy:

Registry-based Policy
The most common and the easiest way to provide policy for an application or operating system
components is to implement registry-based policy. With the new Group Policy Management
Console (GPMC) and the Group Policy Object Editor, administrators can define registry-based
policies for applications, the operating system, and its components. For example: an
administrator can enable a policy setting that removes the Run command from the Start menu
for all affected users.

Security Settings
Group Policy provides options for administrators to set security options for computers and
users within the scope of a GPO. Local computer, domain, and network security settings can be
specified. For added protection, administrators can apply software restriction policies that
prevent users from running files based on the path, URL zone, hash, or publisher criteria.
Administrators can make exceptions to this default security level by creating rules for specific
software.

Software Restrictions
To defend against viruses, unwanted applications, and attacks on computers running Windows
XP and Windows Server 2003, Group Policy includes new software restriction policies.

Administrators can use policies to identify software running in a domain and control its ability
to execute.
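The following evaluation model is an added example, not code from the chapter. It shows how a software restriction policy combines a default security level with path, hash, publisher (certificate) and Internet zone rules: when several rules match a file, the more specific rule type decides, so a hash rule that blocks one file still wins inside a path that is otherwise allowed. The file paths, contents, hash and rule set are constructed for the example, and the tie-break between two rules of the same type (longer path prefix wins, then Disallowed wins) is an assumption of this model.

```python
"""
Model of how a software restriction policy (SRP) decides whether a file may run:
a default security level for everything in scope, plus rules that make
exceptions. Rule types are consulted from most to least specific: hash rules,
then certificate (publisher) rules, then path rules, then Internet zone rules;
if nothing matches, the default level applies.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Precedence of rule types; a lower number wins over a higher one.
RULE_RANK = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # hex digest, publisher name, path prefix or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None   # signer, if the file is signed
    zone: Optional[str] = None        # e.g. "Internet" for a downloaded file


def _norm(path: str) -> str:
    """Case-insensitive comparison with backslash separators."""
    return path.replace("/", "\\").lower()


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        return hashlib.sha256(exe.content).hexdigest() == rule.match
    if rule.kind == "certificate":
        return exe.publisher is not None and exe.publisher == rule.match
    if rule.kind == "path":
        return _norm(exe.path).startswith(_norm(rule.match))
    if rule.kind == "zone":
        return exe.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(exe: Executable, rules: List[Rule],
             default_level: str) -> Tuple[str, Optional[Rule]]:
    """Return (effective level, deciding rule); rule is None when the default applied."""
    hits = [r for r in rules if rule_matches(r, exe)]
    if not hits:
        return default_level, None

    # Tie-breaks beyond type precedence are an assumption of this model:
    # a longer (more specific) path prefix wins, and Disallowed wins a dead heat.
    def key(r: Rule):
        specificity = -len(r.match) if r.kind == "path" else 0
        return (RULE_RANK[r.kind], specificity, 0 if r.level == DISALLOWED else 1)

    winner = min(hits, key=key)
    return winner.level, winner


# Constructed sample policy: default Disallowed, installed software allowed by
# path, one known-bad file blocked by hash even though it sits in an allowed path.
BAD_FILE = b"constructed contents of a blocked tool"
BAD_HASH = hashlib.sha256(BAD_FILE).hexdigest()

SAMPLE_RULES = [
    Rule("path", "C:\\Windows\\", UNRESTRICTED),
    Rule("path", "C:\\Program Files\\", UNRESTRICTED),
    Rule("hash", BAD_HASH, DISALLOWED),
    Rule("zone", "Internet", DISALLOWED),
]

# Constructed files to evaluate.
SAMPLE_FILES = {
    "installed app": Executable("C:\\Program Files\\App\\app.exe", b"app"),
    "blocked tool in Program Files": Executable("C:\\Program Files\\App\\tool.exe", BAD_FILE),
    "file in user temp": Executable(
        "C:\\Documents and Settings\\alice\\Local Settings\\Temp\\setup.exe", b"setup"),
    "download saved under Program Files": Executable(
        "C:\\Program Files\\dl.exe", b"dl", zone="Internet"),
}


def demo() -> Dict[str, str]:
    """Effective level for each constructed file under SAMPLE_RULES."""
    return {name: evaluate(exe, SAMPLE_RULES, DISALLOWED)[0]
            for name, exe in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

Note that the downloaded file is allowed because a path rule outranks a zone rule; a policy that relies on the zone rule alone to block downloads will not block a download saved into an allowed path, which is why the hash rule is the reliable exception for a specific file.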

Software Distribution and Installation


Administrators can manage application installation, updates, and removal centrally with Group
Policy. Because organizations can deploy and manage customized desktop configurations, they
spend less money supporting users on an individual basis. Software can be either assigned to
users or computers (mandatory software distribution) or published to users (allowing users to
optionally install software through Add/Remove Programs in the Control Panel). Users get the
flexibility they need to do their jobs without having to spend time configuring their system on
their own.

Computer and User Scripts


Administrators can use scripts to automate tasks at computer startup and shutdown and user
logon and logoff. Any language supported by Windows Scripting Host can be used, including the
Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; Perl; and
MS-DOS®-style batch files (.bat and .cmd).

Roaming User Profiles and Redirected Folders


Roaming user profiles provide the ability to store user profiles centrally on a server and load
them when a user logs on. As a result, users experience a consistent environment no matter
which computer they use. Through folder redirection, important user folders, such as the My
Documents and Start menu, can be redirected to a server-based location. Folder redirection
allows centralized management of these folders and gives an IT group the capability to easily
back up and restore these folders on behalf of users.

These features allow mobile users, or those not assigned to a particular computer, to see a familiar
desktop when they log on and to locate needed folders. Administrators also can take advantage of
roaming user profiles to replace computers more easily. When a user logs on to a new
computer for the first time, the server copy of the user's profile is copied to the new computer.
In addition, administrators can redirect users’ My Documents folder to their home directory, a
new feature.

Offline Folders
When a network is unavailable, the Offline Folders feature provides access to network files and
folders from a local disk. Users are assured access to critical information even when network
connections are unstable or nonpermanent or when using a mobile computer. When users
reconnect to their network, the client files and server files are synchronized, thereby keeping
versions consistent and up-to-date.

Internet Explorer Maintenance
Administrators can manage and customize the configuration of Microsoft Internet Explorer on
computers that support Group Policy. The Group Policy Object Editor includes the Internet
Explorer Maintenance node, which administrators use to edit Internet Explorer security zones,
privacy settings, and other parameters on a computer running Windows 2000 and later.

Group Policy Objects

To create a specific desktop configuration for users, you create Group Policy objects (GPOs), which
are collections of Group Policy settings. Each computer running Microsoft Windows Server 2003
has one local GPO and can, in addition, be subject to any number of nonlocal (Active Directory-
based) GPOs.

Local GPOs
One local GPO is stored on each computer whether or not the computer is part of an Active
Directory environment or a networked environment. A local GPO affects only the computer on
which it is stored. However, because the local GPO settings can be overridden by nonlocal
GPOs, the local GPO is the least influential if the computer is in an Active Directory
environment. In a non-networked environment the local GPO's settings are more important
because they are not overridden by nonlocal GPOs. By default the local GPO is stored in
%Systemroot%\System32\GroupPolicy.

Nonlocal GPOs
Nonlocal GPOs are created in Active Directory and must be linked to a site, domain, or OU in
order to be applied to either users or computers. To use nonlocal GPOs, you must have a
Windows 2000 or Windows Server 2003 domain controller installed. By default, when Active
Directory’s directory service is set up, two nonlocal GPOs are created:

- Default Domain Policy: This GPO is linked to the domain, and it affects all users and
computers in the domain (including computers that are domain controllers) through
Group Policy inheritance.
- Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU, and
it generally affects only domain controllers, because computer accounts for domain
controllers are kept exclusively in the Domain Controllers OU.

Group Policy Object Editor


You use the Group Policy Object Editor to organize and manage the Group Policy settings in each GPO.
The Group Policy Object Editor for the Default Domain Policy GPO is shown in Figure 2.

Figure 2: Default Domain Policy Group Policy Object Editor

To open the MMC for the local GPO, complete the following steps:

1. Open the Microsoft Management Console (MMC).

2. On the MMC's menu bar, click File, and then click Add/Remove Snap-In.

3. In the Add/Remove Snap-In dialog box, in the Standalone tab, click Add.

4. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click
Add.

5. In the Select Group Policy Object dialog box, ensure that Local Computer appears in the
Group Policy Object box.

6. Click Finish, and then click Close in the Add Standalone Snap-In dialog box.

7. In the Add/Remove Snap-In dialog box, click OK.

The MMC for the local GPO is now available.

To open the Group Policy Object Editor from the Active Directory Sites And Services console,
complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

2. In the console tree, right-click the site you want to set Group Policy for, and then click
Properties.

3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an
existing GPO, and then click Edit. (Or, click New to create a new GPO, and then click Edit.)

The Group Policy Object Editor for the site GPO is now available.

To open the Group Policy Object Editor from the Active Directory Users And Computers
console, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And
Computers.

2. In the console tree, right-click the domain or OU you want to set Group Policy for, and then
click Properties.

3. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an
existing GPO, and then click Edit. (Or, click New to create a new GPO, and then click Edit.)

The Group Policy Object Editor for the domain or OU GPO is now available.

Group Policy Settings


Group Policy settings are contained in a GPO and determine the user's desktop environment. You can
view the Group Policy settings for a GPO in the Group Policy Object Editor. There are two types of Group
Policy settings: computer configuration settings and user configuration settings. They are contained in
the Computer Configuration and the User Configuration nodes in a GPO.

Computer and User Configuration Nodes


The Computer Configuration node contains the settings used to set group policies applied to computers,
regardless of who logs on to them. Computer configuration settings are applied when the operating
system initializes.

The User Configuration node contains the settings used to set group policies applied to users, regardless
of which computer the user logs on to. User configuration settings are applied when users log on to the
computer.

Both the Computer Configuration and the User Configuration nodes include settings for installing
software, settings for installing and accessing the Windows Server 2003 operating system, and registry
settings. These settings are contained in the Software Settings, Windows Settings, and Administrative
Templates nodes.

Software Settings Node


In both the Computer Configuration and the User Configuration nodes, the Software Settings node
contains only the Software Installation extension by default. The Software Installation extension helps
you specify how applications are installed and maintained within your organization. It also provides a
place for independent software vendors to add settings.

When you configure settings in the Software Installation extension, you can manage an application
within a GPO that, in turn, is associated with an Active Directory site, domain, or OU. Applications can be
managed in one of two modes: assigned or published. You assign an application to a computer when
you want computers or users managed by the GPO to have the application. You publish an application
when you want the application to be available to users managed by the GPO, should a user want the
application. You cannot publish an application to computers.

Windows Settings Node


In both the Computer Configuration and the User Configuration nodes, the Windows Settings node
contains the Scripts extension and the Security Settings node.

The Scripts extension allows you to specify two types of scripts: startup/shutdown (in the Computer
Configuration node) and logon/logoff (in the User Configuration node). Startup/shutdown scripts run at
computer startup or shutdown. Logon/logoff scripts run when a user logs on or off the computer. When
you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, Windows Server
2003 executes the scripts from top to bottom. You can determine the order of execution for multiple
scripts in the Properties dialog box. When a computer is shut down, Windows Server 2003 first
processes logoff scripts, followed by shutdown scripts. By default, the timeout value for processing
scripts is 10 minutes. If the logoff and shutdown scripts require more than 10 minutes to process, you
must adjust the timeout value with a software policy. You can use any ActiveX scripting language to
write scripts. Some possibilities include Microsoft Visual Basic Scripting Edition (VBScript), Microsoft
JScript, Perl, and MS-DOS style batch files (.bat and .cmd).

Administrative Templates Node


In both the Computer Configuration and the User Configuration nodes, the Administrative Templates
node contains registry-based Group Policy settings. There are more than 550 of these settings available
for configuring the user environment. As an administrator, you might spend a significant amount of time
manipulating these settings.

Figure 3: Contents of Administrative Templates node

To assist you with the settings, a description of each policy setting is available in three locations:

- In the Explain tab in the Properties dialog box for the setting. In addition, the Setting tab in the
Properties dialog box for the setting lists the required operating system for the setting.
- In Administrative Templates Help (a new feature of Windows Server 2003). The required
operating system for each setting is also listed.
- In the Extended tab (a new feature of Windows Server 2003, selected by default) in the Group
Policy Object Editor. The Extended tab provides a description of each selected setting in a
column between the console tree and the settings pane. The required operating system for each
setting is also listed.

Each of the settings in the Administrative Templates node can be:

- Not Configured: The registry is not modified.
- Enabled: The registry reflects that the policy setting is selected.
- Disabled: The registry reflects that the policy setting is not selected.
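To make Figure 1 and the three setting states concrete, here is an added example (not code from the chapter) that walks a set of GPOs through the processing order local GPO, site, domain, OU and records which GPO last wrote each registry-backed setting. It assumes GPO1 is linked to the site, GPO2 to the domain, GPO3 to OU1 and GPO4 to OU2 nested beneath OU1, which is consistent with the figure caption; the setting labels are constructed descriptions rather than real registry value names, and representing Enabled as 1 and Disabled as 0 is a simplification of what the registry actually holds.

```python
"""
Model of how the GPOs in Figure 1 combine, and of what the three states of an
Administrative Templates setting do to the registry. Processing order is the
local GPO, then site, domain and OU links, so a setting in a later GPO
overrides the same setting in an earlier one; a setting left Not Configured
leaves whatever an earlier GPO (or the local registry) established.
"""
from typing import Dict, List, Tuple

NOT_CONFIGURED = "Not Configured"
ENABLED = "Enabled"
DISABLED = "Disabled"

# A GPO is a name plus the states of the settings it carries. Only the settings
# an administrator touched appear; everything else is implicitly Not Configured.
GPO = Tuple[str, Dict[str, str]]

# Simplified registry representation (assumption of this model):
# Enabled writes 1, Disabled writes 0, Not Configured writes nothing.
STATE_TO_VALUE = {ENABLED: 1, DISABLED: 0}


def apply_gpo(registry: Dict[str, int], gpo: GPO, trace: List[str]) -> None:
    """Write one GPO's configured settings over the current registry state."""
    name, settings = gpo
    for setting, state in settings.items():
        if state == NOT_CONFIGURED:
            continue                       # registry untouched
        registry[setting] = STATE_TO_VALUE[state]
        trace.append(f"{name} set {setting} = {state}")


def resultant_policy(local_gpo: GPO, site_gpos: List[GPO], domain_gpos: List[GPO],
                     ou_chain: List[List[GPO]]) -> Tuple[Dict[str, int], List[str]]:
    """
    ou_chain lists the GPOs linked at each OU from the top-level OU down to the
    OU holding the user or computer. Returns (registry state, write trace).
    """
    registry: Dict[str, int] = {}
    trace: List[str] = []
    ordered = [local_gpo, *site_gpos, *domain_gpos, *[g for ou in ou_chain for g in ou]]
    for gpo in ordered:
        apply_gpo(registry, gpo, trace)
    return registry, trace


# Constructed GPOs for Figure 1 (link placement is an assumption consistent
# with the caption): GPO1 at the site, GPO2 at the domain, GPO3 at OU1,
# GPO4 at OU2, with OU2 nested beneath OU1.
RUN = "Remove Run from Start menu"            # the example setting in the text
REGEDIT = "Disable Registry editing tools"    # constructed label
CPL = "Prohibit access to Control Panel"      # constructed label

LOCAL = ("Local GPO", {REGEDIT: DISABLED, RUN: NOT_CONFIGURED})
GPO1 = ("GPO1 (site)", {REGEDIT: ENABLED})
GPO2 = ("GPO2 (domain)", {RUN: ENABLED, CPL: ENABLED})
GPO3 = ("GPO3 (OU1)", {RUN: NOT_CONFIGURED, CPL: DISABLED})
GPO4 = ("GPO4 (OU2)", {RUN: DISABLED})


def policy_for_ou1() -> Tuple[Dict[str, int], List[str]]:
    """A user in OU1 receives the local GPO, GPO1, GPO2 and GPO3."""
    return resultant_policy(LOCAL, [GPO1], [GPO2], [[GPO3]])


def policy_for_ou2() -> Tuple[Dict[str, int], List[str]]:
    """A user in OU2 receives all four GPOs; GPO4 is processed last and wins."""
    return resultant_policy(LOCAL, [GPO1], [GPO2], [[GPO3], [GPO4]])


if __name__ == "__main__":
    for label, (registry, trace) in (("OU1", policy_for_ou1()), ("OU2", policy_for_ou2())):
        print(f"--- {label}: {registry}")
        for line in trace:
            print("   ", line)
```

The trace is the useful part when troubleshooting: it answers "which GPO set this?" directly, and it shows that GPO3 leaving the Run setting Not Configured is what lets GPO2's Enabled state survive down to OU1 while GPO4's explicit Disabled reverses it for OU2.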
