Lesson 4: Understanding Group Policy


Group Policy can be set for a single computer with multiple users, for computers in workgroups, or for computers in domains. Group Policy provides a way for administrators to customize or standardize how users’ computers look and what can be accessed.

After this lesson, you will be able to

  • Explain the use of Group Policy locally, in workgroups, and in domains.

  • Identify the Group Policy settings in effect on a workstation.

  • Troubleshoot Group Policy settings.

Estimated lesson time: 25 minutes

Understanding Group Policy

Administrators use Group Policy settings to customize and standardize many things, including but not limited to the following:

  • Which programs can be accessed by users

  • What is shown on the desktop

  • What the Start menu and taskbar look like

  • Which screen saver or wallpaper is used

  • Where data is saved (which can be on a network server, not the local computer)

  • Which Control Panel tools can be accessed

To understand how Group Policy settings might affect an end user or cause an end user’s problem, you must understand what kinds of Group Policy settings can be used, how those settings will affect the end user, and how Group Policy is configured on the local computer.

Group Policy Settings in a Workgroup

In a workgroup, administrators can configure Group Policy for computers, users, or both. The options for each are listed under the Computer Configuration option and the User Configuration option, respectively, in the Group Policy console (which you can access by selecting Run on the Start menu, and then typing gpedit.msc in the Run dialog box). The Computer Configuration options, shown in Figure 9-11, include several policies covered earlier (account policies and local policies). There is also a Software Settings option and an Administrative Templates option.

Figure 9-11: Computer Configuration options and Group Policy.

To reinforce the power of configured Group Policy, consider this: A user reports that he cannot add or delete sites from the Security Zones when using Microsoft Internet Explorer. The user would like to add a website to the Trusted Sites zone. The reason he cannot is that Group Policy has been configured in the Computer Configuration option with a setting that disallows this. Policies for Internet Explorer and other components can be set under Computer Configuration, Administrative Templates. Some of these options are fairly complex, and you should work through each of them separately.

The User Configuration options are the ones that we will be most concerned with here, although you should familiarize yourself with all aspects of Group Policy. User configurations offer a myriad of customization and standardization options. To understand the ways in which Group Policy can be configured, open the Group Policy console on a local computer in a workgroup by following these steps:

  1. From the Start menu, choose Run, and type gpedit.msc. Click OK.

  2. Expand User Configuration (if necessary).

  3. Expand Administrative Templates.

  4. Notice that there are several options. Select Start Menu And Taskbar. Within the Start Menu And Taskbar options alone, there are 32 configurable options.

  5. To configure any option, double-click it. As an example, double-click Prevent Changes To Taskbar And Start Menu Settings. To enable this setting, in the Prevent Changes To Taskbar And Start Menu Settings dialog box, shown in Figure 9-12, select Enabled. Select the Explain tab to see an explanation of the setting.

  6. Click OK when finished, or click Previous Setting or Next Setting to make other changes.

    Figure 9-12: Enabling a Group Policy setting.

Click and explore each item in the Administrative Templates options, including all of the items in Windows Components, Desktop, Control Panel, Shared Folders, Network, and System. You must become familiar with what can and might be set on an end user’s computer so that you can successfully troubleshoot end-user issues.

Note

Some extremely strong restrictions can be placed on users of a computer by using Group Policy. Access to Control Panel can be disabled, Windows Messenger can be disabled, and items on the desktop or Start menu can be hidden.

Group Policy Settings in a Domain

If your end users are members of a domain, chances are good that domain Group Policy has been set. Domain Group Policy settings take precedence over any local Group Policy settings on a local computer. Users might ask why specific group or local policies that they configured sometimes work and sometimes do not work; the answer to that is simple. If the user is logged on to the workgroup, the local Group Policy settings are applied; when the user logs on to the domain, those local policy settings are overridden by domain Group Policy settings.

Troubleshooting Group Policy

You might suspect that a problem is related to Group Policy because both local Group Policy and domain Group Policy settings exist, because local Group Policy is configured and you are not sure which settings are applied, or because you can see that unusual restrictions are in place. In any of these cases, you can view the policy information set for the computer from the Help and Support Center by following these steps:

  1. From the Start menu, choose Help And Support.

  2. Below Pick A Task, select Use Tools To View Your Computer Information And Diagnose Problems.

  3. In the Tools pane on the left, select Advanced System Information.

  4. Click View Group Policy Settings Applied.

You can save, print, and e-mail the report for troubleshooting purposes. There are sections in the report for the last time Group Policy settings were applied, and a listing of all of the Group Policy and local policy configurations. This list can help you decide what, if any, Group Policy settings are causing the end user’s problem. The Help and Support Center will most likely give you some insight into the problem at hand, and as you work with Group Policy, you will begin to understand that Group Policy settings can have a huge impact on end users.

To help you understand the types of calls you will respond to that involve Group Policy settings, Table 9-4 lists some common reports from end users and the Group Policy settings associated with them.

Table 9-4: Common Group Policy Restrictions

| Report/Scenario | Associated Group Policy Setting |
| --- | --- |
| A user cannot enable AutoComplete for forms or passwords in Internet Explorer. | User Configuration, Administrative Templates, Windows Components, Internet Explorer, Disable AutoComplete For Forms |
| The user cannot access My Documents from the Start menu. | User Configuration, Administrative Templates, Windows Components, Start Menu And Taskbar, Remove My Documents Icon From Start Menu |
| A user cannot access Control Panel. | User Configuration, Administrative Templates, Windows Components, Control Panel, Prohibit Access To The Control Panel |
| When a user inserts a CD, AutoPlay never works and cannot be used. | Computer Configuration, Administrative Templates, System, Turn Off AutoPlay |
| A user does not want to be prompted to send a report each time an error occurs with a program. | Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication Settings, Turn Off Windows Error Reporting |
| A user does not have the Lock Computer option available when using Ctrl+Alt+Del. | User Configuration, Administrative Tools, Windows Components, System, Ctrl+Alt+Del Options, Remove Lock Computer |

Of course, hundreds of other configurations can be made by administrators. You should take the time to browse through the available configurations and see what is available.
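As a complement to the Help and Support Center report, the following added example (not part of the original lesson) reads the registry values that back several of the restrictions discussed in this lesson and reports which ones are active. The registry value names are assumptions based on how these Administrative Templates settings are commonly documented, and the script assumes Windows PowerShell is installed on the workstation.

```powershell
# Added example: report which policy-backed restrictions are active.
# Assumption: value names are those commonly documented for these templates;
# confirm them against the policy template files on the build you support.
$polRoot = 'Software\Microsoft\Windows\CurrentVersion\Policies'

$checks = @(
    @{ Hive='HKCU:'; Key="$polRoot\Explorer"; Name='NoControlPanel'
       Report='User cannot access Control Panel' },
    @{ Hive='HKCU:'; Key="$polRoot\Explorer"; Name='NoSMMyDocs'
       Report='My Documents missing from Start menu' },
    @{ Hive='HKCU:'; Key="$polRoot\Explorer"; Name='NoSetTaskbar'
       Report='Taskbar and Start menu settings cannot be changed' },
    @{ Hive='HKCU:'; Key="$polRoot\Explorer"; Name='NoPropertiesRecycleBin'
       Report='Properties missing from Recycle Bin shortcut menu' },
    @{ Hive='HKCU:'; Key="$polRoot\System"; Name='DisableLockWorkstation'
       Report='Lock Computer unavailable on Ctrl+Alt+Del' },
    # NoDriveTypeAutoRun is a bitmask of drive types; bit 0x20 covers CD-ROM drives.
    @{ Hive='HKLM:'; Key="$polRoot\Explorer"; Name='NoDriveTypeAutoRun'; Mask=0x20
       Report='AutoPlay never runs when a CD is inserted' }
)

function Get-PolicyRestriction {
    param([hashtable]$Check)

    $path = '{0}\{1}' -f $Check.Hive, $Check.Key
    $name = $Check.Name
    # A missing key or value means the setting is Not Configured in this scope.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $state = 'Not configured'; $raw = $null
    } else {
        $raw = $item.$name
        # Bitmask values are active only if the relevant bit is set;
        # plain on/off values are active when non-zero.
        if ($Check.Mask) { $active = ($raw -band $Check.Mask) -ne 0 }
        else             { $active = $raw -ne 0 }
        $state = if ($active) { 'RESTRICTED' } else { 'Present, not restricting' }
    }

    New-Object PSObject -Property @{
        State = $state; Report = $Check.Report; Path = $path; Name = $name; Value = $raw
    }
}

$checks | ForEach-Object { Get-PolicyRestriction $_ } |
    Select-Object State, Report, Name, Value, Path | Format-Table -AutoSize
```

Run it in the affected user's own session, because the HKCU: checks read that user's registry hive rather than the administrator's.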

Note

Administrators who configure and use Group Policy to manage computers on a domain can also use the software installation and maintenance feature of IntelliMirror to install applications on computers. This is done in conjunction with Active Directory directory service and Windows Installer. For more information on application deployment, visit Microsoft TechNet.

Practice: Configure Group Policy in a Workgroup

In this practice, you will configure Group Policy to prevent users in a workgroup from accessing the Properties option on the Recycle Bin’s shortcut menu.

  1. Log on to Windows XP using an account with administrator privileges.

  2. From the Start menu, select Run.

  3. In the Run dialog box, in the Open text box, type gpedit.msc and press Enter.

  4. In the Group Policy console, in the console tree, expand User Configuration, expand Administrative Templates, and select Desktop.

  5. In the right-hand pane, right-click Remove Properties From The Recycle Bin Context Menu, and click Properties.

  6. In the Remove Properties From The Recycle Bin Context Menu Properties dialog box, select Enabled and click OK.

  7. Close all open windows, and right-click the Recycle Bin. Note that Properties is no longer an option on the shortcut menu.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

  1. A Windows XP Professional user reports that she is unable to access the Add/Remove Programs icon in Control Panel. What is most likely the problem?

    1. The Windows XP installation is corrupt.

    2. A Group Policy setting is in place that prevents access.

    3. The antivirus program is restricting access.

    4. There are no programs to add or remove.

    5. The user is not logged on as an administrator.

  2. Select all of the ways in which the Group Policy console can be accessed.

    1. Type gpedit.msc at the Run line.

    2. Open the Group Policy console from Administrative Tools.

    3. Open Group Policy from Control Panel, using the Group Policy icon.

    4. Open Group Policy by choosing Start, pointing to All Programs, pointing to Accessories, pointing to System Tools, and selecting Group Policy.

Lesson Summary

  • Group Policy settings can restrict the user’s desktop, Start menu, and taskbar and what the user can access and change after logging on to the computer.

  • When multiple Group Policy configurations exist, domain policies always override local policies.




McDst Self-Paced Training Kit (Exam 70-272(c) Supporting Users and Troubleshooting Desktop Applications on a[... ]ystem)
Year: 2006
Pages: 237
