Leveraging the Power of Group Policy


Group Policy functionality is used to deliver a standard set of security, controls, rules, and options to a user and workstation when authenticating to the domain. In addition, it can be used to configure everything from login scripts and folder redirection to enabling desktop features and preventing users from installing software on network workstations. With Windows Server 2003 and applications like Microsoft Office, Group Policy can be used to control the preferences and options available when configuring and customizing the application.

This section helps network administrators understand Group Policy and its functionality and characteristics when they manage the enforcement of policies.

Managing Group Policy

To manage Group Policy, administrators must understand that Group Policy applies only to Windows 2000 client systems, Windows XP client systems, Windows 2000 server systems, and Windows Server 2003 server systems.

To access and manage Windows Group Policy, administrators can use the Group Policy snap-in available in the Administrative Tools program group of the Windows domain controller. Another more powerful option for managing Group Policy with Windows Server 2003 is the use of the Group Policy Management Console (GPMC) tool, described in detail in Chapter 21, "Windows Server 2003 Group Policies."

With the basic Group Policy Management snap-in, administrators are provided with a standard management console through the built-in administrative tools of Windows server. Through the standard method of accessing Group Policy, administrators are provided a single interface to access, manage, and configure policies with the standard options and functionality available in the built-in Windows tools.

Using the Group Policy Management Console tool, administrators are provided with easier access and better management capabilities of Group Policy that extend beyond the standard options available with the Administrative Tools built-in Management snap-in. GPMC also provides enhanced functionality and options for planning and testing Group Policy implementations prior to deploying and enforcing them on the Windows domain.

Note

To manage Group Policy using the GPMC tool in a Windows 2000 domain, the GPMC must be installed on a Windows XP desktop on the domain being managed.


The GPMC must be installed on Windows Server 2003 or Windows XP. The GPMC.msi package can be downloaded from http://www.microsoft.com/Windowsserver2003/downloads/featurepacks. After it is installed, it can be found in the Start menu in the Administrative Tools program group by selecting the Group Policy Management option.

Caution

Because Group Policy can have a tremendous impact on users, any Group Policy implementation should be tested with the Resultant Set of Policies tool in Planning mode. See the "Working with Resultant Set of Policies" section to learn more about testing Group Policy and using the Group Policy Management tool in Simulation mode.


Understanding Policies and Preferences

When working with Group Policy, you have two methods for making changes on the local workstations: using preferences and using policies. With both preferences and policies, changes are applied and enforced using the local Registry of the machine where they are being applied.

With preferences, changes to options such as wallpaper or screensavers and software settings are applied locally. With policies, changes to the Registry are applied that affect security and Registry keys, which are protected by Access Control Lists (ACLs).

Although Group Policy overrides preference settings when working with applications, the policy does not overwrite the preference keys when preferences are set on the local system by the workstation users. This means that if a policy is created, configured, and applied and then the policy is removed, the preferences that were set by the local user before the policy was applied will return.

This makes policies a powerful tool when a network's administrator wants to control certain aspects of a client application or wants something the user accesses to remain static. Policies can be used to disable end users from changing the appearance, configuration, or functionality of the item to which the policy was applied.

Group Policy and Security Templates

One of the most important features for minimizing administration when working with Group Policy is leveraging security templates. Security templates are a powerful predefined set of security options available from Microsoft for applying Group Policy to a specific area or software component available to users on the network. Based on the type of users and environment needed, these templates can be a handy tool to create and enforce configuration settings on components already predefined in the template.

Available with the standard installation of Windows Server 2000 and Windows Server 2003, these templates can be downloaded and imported into Group Policy Objects (GPOs), where they can either be implemented as is or modified to meet the specific needs of the area in which the template applies. Either way, templates are a great starting point for network administrators to obtain a base-level configuration of a client workstation's software component or security settings.

Templates can also be used to configure settings such as account policies, event log settings, local policies, Registry permissions, file and folder permissions, and Exchange Server 2003 client settings.

Defining the Order of Application

When applying Group Policy, each policy object is applied in a specific order. Computers and users whose accounts are lower in the AD tree may inherit policies applied at different levels within the Active Directory. Policies should be applied to objects in the AD in the following order:

1. Local security policy

2. Site GPOs

3. Domain GPOs

4. OU GPOs

5. Nested OU GPOs and on down until the OU at which the computer or user is a member is reached

If multiple GPOs are applied to a specific AD object, such as a site or OU, they are applied in the reverse order from which they are listed. This means that the last GPO listed is applied first and if conflicts exist, settings in higher GPOs override those in lower ones.
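The ordering rules above can be traced with a small model. This is an added example, not from the book: the GPO names, settings, and OU names are constructed, and it models only the two rules stated in this section (container order, and bottom-up processing of the list on one container).

```python
# Constructed sample data: GPO names, settings and OU names are hypothetical.
GPOS = {
    "Local": {"screensaver_timeout": 1800, "wallpaper": "user-choice"},
    "Site-HQ": {"proxy": "proxy.hq.example"},
    "Domain-Baseline": {"screensaver_timeout": 900, "event_log_max_kb": 16384},
    "Domain-Legacy": {"event_log_max_kb": 512},
    "OU-Finance": {"screensaver_timeout": 300},
    "OU-Finance-Kiosks": {"wallpaper": "corporate"},
}
# GPOs linked to each container, in the order they are listed (top first).
LINKS = {
    "local": ["Local"],
    "site": ["Site-HQ"],
    "domain": ["Domain-Baseline", "Domain-Legacy"],
    "Finance": ["OU-Finance"],
    "Finance/Kiosks": ["OU-Finance-Kiosks"],
}
OU_PATH = ["Finance", "Finance/Kiosks"]  # top-level OU down to the object's OU


def processing_order(links, ou_path):
    """Return GPO names in the order they are applied to the object."""
    order = []
    for container in ["local", "site", "domain", *ou_path]:
        # Within one container the list is processed bottom-up, so the
        # GPO listed first is applied last and wins any conflict.
        order.extend(reversed(links.get(container, [])))
    return order


def resultant_settings(gpos, links, ou_path):
    """Return {setting: [(gpo, value), ...]}; the last entry is the winner."""
    history = {}
    for name in processing_order(links, ou_path):
        for setting, value in gpos[name].items():
            history.setdefault(setting, []).append((name, value))
    return history


def overridden(history):
    """Settings whose effective value differs from an earlier GPO's value."""
    return sorted(s for s, h in history.items()
                  if any(v != h[-1][1] for _, v in h[:-1]))


if __name__ == "__main__":
    hist = resultant_settings(GPOS, LINKS, OU_PATH)
    for setting, chain in sorted(hist.items()):
        print(setting, "=", chain[-1][1], "from", chain[-1][0], "| chain:", chain)
    print("overridden:", overridden(hist))
```

The `overridden` list is the part worth reviewing in practice: it shows where a lower-level GPO silently replaces a value set in a baseline higher in the tree.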

Group Policy Refresh Intervals

When Group Policy is applied, the policy is refreshed and enforced at regularly scheduled intervals after a computer has been booted and a user has logged on to the domain. By default, Group Policy is refreshed every 90 minutes on workstations and member servers within the domain.

When you need to better control the refresh interval of a group policy, the refresh interval can be configured for each group policy by changing its time in the policy configuration. Using the GPMC, refresh intervals can be configured by going to domain policy and selecting the following:

  • Computer Configuration, Administrative Templates, System, Group Policy (to change the interval for computer policies and domain controllers)

  • User Configuration, Administrative Templates, System, Group Policy (to change the interval for user policies)

Changes made to existing GPOs or new GPOs being created are enforced when the refresh cycle runs. However, with the following settings, policies are enforced only at login or when booting a workstation to the domain, depending on the GPO configuration settings:

  • Software installation configured in the Computer Policies

  • Software installation configured in the User Policies

    Note

    When working with application settings, refresh intervals can be configured and customized to fit the needs of the environment. You should leave the refresh interval at the default, however, unless requirements call for it to be modified.





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
