GROUP POLICIES

Group Policies are used in Windows 2000 and Windows Server 2003 to define change and configuration management. They are used to define user and computer configurations for groups of users and computers. Configuration of Group Policy is done through the Group Policy Object Editor from within the Microsoft Management Console (MMC) snap-in. The Group Policy settings are contained in a Group Policy Object, which is associated with selected Active Directory objects such as sites, domains, and organizational units. There is also an option for local policy creation to assist in controlling specific computers.

Using Group Policy, an administrator is able to control the policy settings for the following:

– Registry-based policies Includes Group Policy for the Windows 2000 and 2003 operating systems and their components , as well as for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.
– Security options Includes local computer, domain, and network security settings.
– Software installation and maintenance options Affords centralized management of application installation, updates, and removal.
– Scripts options Includes scripts for computer startup and shutdown, as well as user logon and logoff .
– Folder redirection options Allows administrators to redirect users' special folders to network storage locations.

Implementing Windows Group Policies for Registry-based policies, security options, and folder redirection is essential in a well-managed on-demand access environment. Administrators should use Group Policy to ensure users have what they need to perform their jobs, but do not have the ability to corrupt or incorrectly configure their environment. Many common user lockdown settings are contained in the Windows Explorer component under the User Configuration section. A new Terminal Server configuration section is available in Windows Server 2003 Group Policy that did not exist in Windows 2000.

The new settings are contained in the Terminal Services component under Computer Configuration. The Terminal Services component of the Computer Configuration Group Policy provides a place to set several important configurations, including

– Setting keep- alive settings
– Setting the path for the Terminal Services roaming profile location
– Setting the path for the Terminal Services home directory
– Overriding Terminal Services Licensing Server autodiscovery and forcing servers to use the specified License Server

Machines that are a member of an Active Directory domain process Group Policies in a very systematic way. The processing order is as follows :

Local Group Policy Object
Site
Domain
Organizational unit (OU)

Exceptions to the default order are due to Group Policies being set to no override, disabled, block policy inheritance, or loopback processing. The key things to remember are the order in which policies are applied, and that a Domain setting will override a Site setting. Understanding this will help in troubleshooting problems with policy settings not being implemented. For example, if the same settings are applied at both the Site and OU levels, the OU policy will still be implemented unless special settings (such as no override) have been configured.

Tip

The default behaviors of Windows Server 2003 in and Active Directory environment can cause problems and inconsistent behavior with regard to Group Policies. By default, the source policy templates (*.adm files) are automatically updated during each edit of a Group Policy Object. This behavior can be disabled globally so that policy templates do not get overwritten by newer versions (particularly important if the Microsoft source template files are customized), and can be further controlled by removing redundant copies of the template files from the Active Directory SYSVOL container. See Microsoft support article number 816662 for more details.