Section 6.1. An Introduction to Group Policy


6.1. An Introduction to Group Policy

GPs consist of five distinct components.


Administrative templates

Configure registry-based policies.


Folder redirection

Alters the target location of various elements in the UI, such as My Documents, to other places on the network.


Scripts

Execute when computers are first booted and shut down. They also can run during user logon and logoff.


Security settings

Configure permissions, rights, and restrictions for computers, domains, and users.


Software policies

Assign application packages to users and computers.

The data for each component is stored in a Group Policy Object (GPO). In domain-based GPs, GPOs are stored at various levels in Active Directory, but they're always associated with a domain. GPOs are affiliated with a variety of objects within Active Directory, including sites, domains, domain controllers, and OUs, and they can be linked to multiple sites, to the domains themselves, and to OUs. For nondomain-based (i.e., local) GPs, you simply configure those settings on individual servers.

GPOs store their contents in two parts: as files as part of a Group Policy Template (GPT), and as objects inside a specialized container in Active Directory called a Group Policy Container (GPC). GPTs are stored in the C:\WINDOWS\SYSVOL directory on each domain controller and contain settings related to software installation policies and deployments, scripts, and permissions information for each GPO. The GPTs usually contain subfolders called Adm, USER, and MACHINE, to separate the data to be applied to different portions of the computers' registriesthe USER portion is applied to keys in HKEY_CURRENT_USER, and the MACHINE portion is applied to keys in HKEY_LOCAL_MACHINE. The GPCs simply contain information, such as version, status, or extensions for the policy itself, regarding the GPO's link to Active Directory containers. Each GPC is referred to by a string called a globally unique identifier, or GUID. Data stored in the GPC rarely needs to be modified and is used to indicate whether a specific policy object is enabled as well as to control the proper version of the GPT to apply.

Local computer policies are stored in the %SystemRoot%\System32\GroupPolicy directory because they apply only to the computer on which they're stored and they need not be replicated. Local policies are also more limited in scope and ability, as you'll see later in this chapter.

When you first set up an Active Directory domain, two default GPOs are created: one that is linked to the domain itself, and therefore affects all users and computers within the domain; and one that is linked to the Domain Controllers OU, which affects all domain controllers within a domain.

6.1.1. A Comparison: Group Policies and System Policies

How do GPs compare to the old Windows NT 4.0 system policies? For one, with GPs, Active Directory handles pushing and synchronizing updates across domain controllers. With system policies, the file NTCONFIG.POL was pushed out, usually by the FRS, to all domain controllers from the NETLOGON share of the PDC. Sometimes, though, FRS simply would forget to actually replicatequite a bit of manual intervention was involved. With GP, Active Directory handles replication itself.

Second, domain-based GPs have a reversal feature: if you remove a policy's application to an object within the directory, any changes made by that policy are undone. System policies under Windows NT were permanent changes to the registry: once a policy was applied, there was no wayshort of manually changing back any modified keysto "de-apply" the policy. This was called tattooing.

Third, it's easier to control the timing of GP deployment than of system policies. With NT system policies, the setting changes were applied only twice: during computer boot and during a user logon. By contrast, GPs are applied at regular intervals. Workstations poll the domain every one to two hours to see if there are new policies, and if there are, the workstations simply apply the policies without protest. In addition, you don't have to deal with NT's peculiarities regarding policy application and domains. Unlike NT, machines can obtain policies from the domain they are in, and users can obtain policies from the domain they are in, and there's no confusion between the two; NT had a nasty habit of applying policies from only one domain (the one the machine was in), which might be different from the user's machine.

Fourth, the registry entries written to by NT system policies and Windows 2000 or Windows Server 2003 GPs are different. GPs are written to four different trees of the registry, the first two of which are the default location:

  • HKEY_LOCAL_MACHINE\Software\Policies

  • HKEY_CURRENT_USER\Software\Policies

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

If Windows runs into problems writing to the first two keys for whatever reason, it will attempt to apply information to the latter two keys instead.

NT system policies can write to any part of the registry, but GPs simply delete and rewrite the four trees of the registry when changes are made. The four areas of the registry are secure and written to only by the operating system, whereas other parts of the registry can be modified by users and applications.

That's not entirely the case, actually. You can indeed write to any part of the registry you want using GP with custom ADM templates, but that is beyond the scope of this book.


Additionally, it is very difficult to limit the scope of system policies. GP has the ability to granularly apply policies to objects.

Finally, one sour note: domain-based GPs work only with workstations and servers running Windows 2000 or later that are members of an Active Directory domain. Although you can apply local GP to nondomain machines, the functionality is more limited and replication of GPOs among nondomain machines is not automatic. If you have older machines running operating systems prior to Windows 2000, you'll need to stick with system policies until you migrate those systems to a later platform. You can, however, store NT and Windows 9x system policies on machines running Windows Server 2003.



    Learning Windows Server 2003
    Learning Windows Server 2003
    ISBN: 0596101236
    EAN: 2147483647
    Year: 2003
    Pages: 149

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net