
Implementing Group Policies in Windows Server 2003

• Group policies are collections of user and computer configuration settings that specify how programs, network resources, and the operating system work for users and computers in an organization.
• Group Policy can be set up for computers, sites, domains, and OUs.
• Example: Using group policies, you can determine the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.
• In general, Group Policy is a grouping of policy settings that are linked to computers, sites, domains, and OUs.
• Through Group Policy, administrators can take advantage of policy-based management to do the following:
  • Enable one-to-many management of users and computers throughout the enterprise.
  • Automate enforcement of IT policies.
  • Simplify administrative tasks, such as system updates and application installations.
  • Consistently implement security settings across the enterprise.
  • Efficiently implement standard computing environments for groups of users.
• Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings.
• These settings are specified through the Group Policy Object Editor tool and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers, such as sites, domains, or OUs.
[Diagram: GPO1, GPO2, GPO3 and GPO4 linked to a site, a domain, and the OUs OU1 and OU2]
• Registry-based Policy
• Security Settings
• Software Restrictions
• Software Distribution and Installation
• Computer and User Scripts
• Roaming User Profiles and Redirected Folders
• Offline Folders
• Internet Explorer Maintenance
• The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy.
• With the new Group Policy Management Console (GPMC) and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components.
• Example: an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.
• Registry-based policy edits the operating system's registry settings.
• Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO.
• Local computer, domain, and network security settings can be specified.
• For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, or publisher criteria.
• Administrators can make exceptions to this default security level by creating rules for specific software.
• To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies.
• Administrators can use policies to identify software running in a domain and control its ability to execute.
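The default security level and its rule-based exceptions can be modelled as below. This is an added example, not part of the original slides: the rule set, file names and publisher are constructed, and the precedence (publisher over path over zone, longest path wins) with plain prefix matching is a simplified model of how the rules are evaluated.

```python
import ntpath

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
# Simplified precedence model (an assumption of this example): a publisher rule
# outranks a path rule, which outranks a zone rule.
PRECEDENCE = {"publisher": 0, "path": 1, "zone": 2}

def _matches(rule, file):
    if rule["type"] in ("publisher", "zone"):
        return file.get(rule["type"]) == rule["value"]
    # Path rule: matches the exact file or any file below the folder.
    target = ntpath.normcase(file["path"])
    base = ntpath.normcase(rule["value"]).rstrip("\\")
    return target == base or target.startswith(base + "\\")

def evaluate(file, rules, default_level):
    """Return (security level, matching rule or None if the default applied)."""
    hits = [r for r in rules if _matches(r, file)]
    if not hits:
        return default_level, None
    # Best rule type first; among path rules the longest path is most specific.
    best = min(hits, key=lambda r: (PRECEDENCE[r["type"]], -len(r["value"])))
    return best["level"], best

# Constructed rule set: default level Disallowed, the rules are the exceptions.
RULES = [
    {"type": "path", "value": r"C:\Windows", "level": UNRESTRICTED},
    {"type": "path", "value": r"C:\Program Files", "level": UNRESTRICTED},
    {"type": "path", "value": r"C:\Windows\Temp", "level": DISALLOWED},
    {"type": "publisher", "value": "Example Corp IT", "level": UNRESTRICTED},
    {"type": "zone", "value": "Internet", "level": DISALLOWED},
]
# Constructed sample files (path plus optional publisher / zone attributes).
SAMPLE_FILES = [
    {"path": r"C:\Windows\System32\notepad.exe"},
    {"path": r"c:\windows\temp\setup.exe"},
    {"path": r"C:\Users\alice\Downloads\tool.msi", "zone": "Internet"},
    {"path": r"C:\Users\alice\Downloads\agent.msi",
     "publisher": "Example Corp IT", "zone": "Internet"},
    {"path": r"D:\Scratch\unknown.exe"},
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        level, rule = evaluate(f, RULES, DISALLOWED)
        why = f"{rule['type']} rule {rule['value']!r}" if rule else "default level"
        print(f"{f['path']}: {level} ({why})")
```

With the default level set to Disallowed the rules act as an allow-list; passing `UNRESTRICTED` as the default turns the same rules into a deny-list, so the unmatched file on `D:` would run.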
• Administrators can manage application installation, updates, and removal centrally with Group Policy.
• Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis.
• Software can be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optionally install software through Add/Remove Programs in the Control Panel).
• Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.
• Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff.
• Any language supported by Windows Scripting Host can be used, including the Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; Perl; and MS-DOS®-style batch files (.bat and .cmd).
• Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on.
• Through folder redirection, important user folders, such as My Documents and the Start menu, can be redirected to a server-based location.
• Folder redirection allows centralized management and the capability to easily back up and restore these folders.
• When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk.
• Users are assured access to critical information even when network connections are unstable or nonpermanent or when using a mobile computer.
• When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.
• Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy.
• The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer.
• Group Policy Operations are collections of Group Policy settings.
• To create a specific desktop configuration for users, you create Group Policy Operations.
• Each computer running Microsoft Windows Server 2003 has:
  • One Local GPO
  • Any number of Non-Local GPOs
• One local GPO is stored on each computer (regardless of whether it is on a network).
• A local GPO affects only the computer on which it is stored.
• The local GPO settings can be overridden by nonlocal GPOs in a networked environment and vice versa.
• Default store location: %Systemroot%\System32\GroupPolicy.
• Nonlocal GPOs are created in Active Directory and must be linked to a site, domain, or OU in order to be applied to either users or computers.
• By default, two nonlocal GPOs are created:
  • Default Domain Policy
  • Default Domain Controllers Policy
• Default Domain Policy
  • This GPO is linked to the domain.
  • It affects all users and computers in the domain.
• Default Domain Controllers Policy
  • This GPO is linked to the Domain Controllers OU.
  • It generally affects only domain controllers.
• You use the Group Policy Object Editor to organize and manage the Group Policy settings in each GPO.
• Group Policy settings are contained in a GPO and determine the user's desktop environment.
• You can view the Group Policy settings for a GPO in the Group Policy Object Editor.
• There are two types of Group Policy settings:
  • Computer Configuration Settings
  • User Configuration Settings
• They are contained in the Computer Configuration and the User Configuration nodes in a GPO.
• The Computer Configuration node contains the settings used to set group policies applied to computers, regardless of who logs on to them.
• Computer configuration settings are applied when the operating system initializes.
• The User Configuration node contains the settings used to set group policies applied to users, regardless of which computer the user logs on to.
• User configuration settings are applied when users log on to the computer.
• Both of these nodes include settings for installing software, settings for installing and accessing the Windows Server 2003 operating system, and registry settings.
• In both the Computer Configuration and the User Configuration nodes, the Software Settings node contains only the Software Installation extension by default.
• The Software Installation extension helps you specify how applications are installed and maintained within your organization.
• It also provides a place for independent software vendors to add settings.
• In both the Computer Configuration and the User Configuration nodes, the Windows Settings node contains the Scripts extension and the Security Settings node.
• The Scripts extension allows you to specify two types of scripts: startup/shutdown (in the Computer Configuration node) and logon/logoff (in the User Configuration node).
• In both the Computer Configuration and the User Configuration nodes, the Administrative Templates node contains registry-based Group Policy settings.
• There are more than 550 of these settings available for configuring the user environment.
• As an administrator, you might spend a significant amount of time manipulating these settings.
• Each of the settings in the Administrative Templates node can be:
  • Not Configured: The registry is not modified.
  • Enabled: The registry reflects that the policy setting is selected.
  • Disabled: The registry reflects that the policy setting is not selected.
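How the three Administrative Templates states combine when a local GPO and nonlocal GPOs configure the same setting can be worked through in code. This is an added example, not part of the original slides: it assumes the standard processing order (local, then site, domain and OU, with the later GPO winning), ignores link options such as enforcement, and uses constructed setting names and a hypothetical "Kiosk OU Policy".

```python
from enum import Enum

class State(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"

# Assumed processing order (standard Group Policy behaviour, not stated on the
# page): local GPO first, then GPOs linked to the site, the domain, the OU.
ORDER = ("local", "site", "domain", "ou")

def resultant_policy(gpos):
    """Return ({setting: (State, winning GPO)}, [(setting, loser, winner)])."""
    result, overrides = {}, []
    # sorted() is stable, so GPOs at the same level keep their listed order.
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g["link"])):
        for setting, state in gpo["settings"].items():
            if state is State.NOT_CONFIGURED:
                continue  # registry not modified: the earlier value survives
            if setting in result and result[setting][0] is not state:
                overrides.append((setting, result[setting][1], gpo["name"]))
            result[setting] = (state, gpo["name"])
    return result, overrides

# Constructed sample data: setting names and "Kiosk OU Policy" are hypothetical.
SAMPLE_GPOS = [
    {"name": "Kiosk OU Policy", "link": "ou", "settings": {
        "Remove Run from Start menu": State.NOT_CONFIGURED,
        "Hide Control Panel": State.ENABLED}},
    {"name": "Local GPO", "link": "local", "settings": {
        "Remove Run from Start menu": State.DISABLED,
        "Hide Control Panel": State.DISABLED}},
    {"name": "Default Domain Policy", "link": "domain", "settings": {
        "Remove Run from Start menu": State.ENABLED}},
]

if __name__ == "__main__":
    effective, overrides = resultant_policy(SAMPLE_GPOS)
    for setting, (state, source) in sorted(effective.items()):
        print(f"{setting}: {state.value} (from {source})")
    for setting, loser, winner in overrides:
        print(f"override: {setting}: {winner} replaced {loser}")
```

The override list is the part worth reviewing in an audit: it shows where a locally configured value was replaced by a domain or OU GPO, and a Not Configured entry never appears there because it leaves the earlier value in place.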
