Group Policy Overview


Starting in Windows 2000, Microsoft introduced the IntelliMirror technology. Although not really a technology per se, IntelliMirror is more of a technology umbrella that encompasses the following technologies:

  • Remote Installation Services (RIS)

  • Folder Redirection

  • Software Installation

  • Group Policy

Group Policy allows you to define a standard collection of settings and apply them to some or all of the computers and/or users in your enterprise. Group Policy has the capability to provide centralized control of a variety of components of a Windows network, such as security, application deployment and management, communications, and the overall user experience.

Group Policy is applied by creating an object that contains the settings that control the users' and computers' access to network and machine resources. This Group Policy Object (GPO) is created from templates that are stored on the workstation or server.

These GPOs are linked to a container that holds Active Directory objects such as users, groups, workstations, servers, and printers. The settings in these GPOs will be applied to the objects in the container. The container can be an OU, a domain, or a site. GPOs can also be applied to a single computer through the use of Local Policy. You can apply multiple GPOs to a container. In this case, the settings will be merged. If there is a conflict in the settings between GPOs, the last setting applied wins.

Group Policy works by manipulating Registry and security settings on the workstation or server. Unlike the System Policies used in Windows NT, Group Policy does not permanently change ("tattoo") the Registry. After Group Policy is removed, the Registry settings return to their defaults.

Each Group Policy object has two separate sections: User and Computer configuration.

Group Policy for users includes settings for

  • Operating System Behavior

  • Desktop Settings

  • Security Settings

  • Application Settings

  • Application Installation

  • Folder Redirection Settings

  • Logon and Logoff Scripts

User settings are applied at user logon, and during the periodic Group Policy refresh cycle. When these settings are applied to a user, they apply to that user at whatever computer the user logs on to.

Group Policy for computers includes settings for

  • Operating System Behavior

  • Desktop Settings

  • Security Settings

  • Application Settings

  • Application Installation

  • Folder Redirection Settings

  • Computer Startup and Shutdown Scripts

You will probably notice that a lot of the same settings are available via both User and Computer settings. This allows you to specify settings that will apply to a particular user, or to all users who log on to a computer. When the settings between user and computer conflict, user settings generally take precedence.

Note: Loopback Processing

This behavior can be changed so that the computer policy settings take precedence, no matter what user logs on. Check the Windows Server 2003 online help for the section on loopback processing, or the Microsoft Knowledge Base article "Loopback Processing of Group Policy" at http://support.microsoft.com/?id=231287.


In addition, because the GPO is divided into two somewhat separate sections, you can specify that you want to disable one of the sections. For example, if you're planning to use a GPO only to configure settings for a user, you can disable the Computer section of the GPO. By disabling the section that is not being used, you can cut down on the time that it takes to process the GPO, because the system doesn't have to compare its settings against any other GPOs.

Figure 9.1 shows the Group Policy Object Editor MMC, which is used to configure Group Policy settings. If you look in the left pane of the MMC, you can see the various categories of settings that make up both the User and Computer configuration.

Figure 9.1. The Group Policy Editor MMC showing the various Group Policy setting categories.


The categories of note and their uses are the following:

  • Software Settings These settings are used to control the automated installation of software packages. They can be assigned to either users or computers.

  • Scripts This category controls the logon/logoff scripts for users, and the startup/shutdown scripts for computers.

  • Security Settings The category is used to configure the permissions, user rights, and restrictions.

  • Folder Redirection Used to redirect certain folders, such as My Documents, from the user's computer to a server.

  • Administrative Templates Used to configure Registry-based policies. These configurations are stored as .adm files on the server or workstation.

These components are stored in a Group Policy object. GPOs are stored in two parts: as a Group Policy Template (GPT) in the file system, and as objects inside a container in Active Directory called a Group Policy Container (GPC).

GPTs contain settings related to software installation policies and deployments, scripts, and security information for each GPO. They are stored in the %SystemRoot%\SYSVOL\domain\Policies directory on every domain controller. The GPTs usually contain subfolders called Adm, USER, and MACHINE (see Figure 9.2) to separate the data to be applied to different portions of the Registry.

Figure 9.2. There are separate policy folders for each branch of the Registry.


As you might guess, the USER portion is applied to keys in HKEY_CURRENT_USER, and the MACHINE portion is applied to keys in HKEY_LOCAL_MACHINE. The Adm portion can contain settings for either branch of the Registry.

GPCs contain information, such as version, status, or extensions for the policy itself, regarding the GPO's link to Active Directory containers. Each GPC is referred to by a 128-bit string called a globally unique identifier, or GUID. The GUID is used as the name of the GPO's folder under Policies, as shown in Figure 9.2. Data stored in the GPC is used to indicate whether a specific policy object is enabled, as well as to control the proper version of the GPT to apply.
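As an added example (not from the book), the following PowerShell script walks the GPCs under CN=Policies,CN=System in the current domain and checks each against its GPT in SYSVOL: the folder name must equal the GPC's GUID, and the version in GPT.INI must equal the GPC's versionNumber, since a mismatch means the client will not apply the policy as the administrator expects (stale replication, or a GPT edited outside the editor). It assumes a domain-joined host whose caller can read SYSVOL, and uses the standard GPC attributes gPCFileSysPath, versionNumber and flags.

```powershell
# Added example (not from the book): cross-check every GPC in Active Directory
# against its GPT in SYSVOL. Uses [ADSI] only, so no RSAT module is needed.
# Assumes a domain-joined host whose caller can read SYSVOL.
$rootDse  = [ADSI]"LDAP://RootDSE"
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"

foreach ($gpc in $policies.Children) {
    if ($gpc.objectClass -notcontains 'groupPolicyContainer') { continue }

    $guid       = $gpc.cn.Value                  # {GUID}, also the folder name under Policies
    $name       = $gpc.displayName.Value
    $gpcVersion = [int]$gpc.versionNumber.Value  # low 16 bits: computer, high 16 bits: user
    $flags      = [int]$gpc.flags.Value          # bit 0: user section disabled, bit 1: computer section disabled
    $gptPath    = $gpc.gPCFileSysPath.Value      # \\<domain>\SYSVOL\<domain>\Policies\{GUID}

    $problems = @()
    if ((Split-Path $gptPath -Leaf) -ne $guid) {
        $problems += "GPT folder name does not match GPC GUID"
    }

    # GPT.INI carries the same packed version number under [General]
    $gptIni     = Join-Path $gptPath 'GPT.INI'
    $gptVersion = $null
    if (Test-Path $gptIni) {
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) { $gptVersion = [int]$m.Matches[0].Groups[1].Value }
    }
    if ($null -eq $gptVersion) {
        $problems += "GPT.INI missing or unreadable at $gptIni"
    } elseif ($gptVersion -ne $gpcVersion) {
        $problems += "version mismatch: GPC=$gpcVersion GPT=$gptVersion"
    }

    $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Name             = $name
        Guid             = $guid
        ComputerVersion  = $gpcVersion -band 0xFFFF
        UserVersion      = ($gpcVersion -shr 16) -band 0xFFFF
        UserDisabled     = [bool]($flags -band 1)
        ComputerDisabled = [bool]($flags -band 2)
        Status           = $status
    }
}
```

Pipe the output to Where-Object { $_.Status -ne 'OK' } to list only the GPOs that need attention.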

GPOs can be used to control only Windows 2000 or later servers and workstations.

Refreshing Group Policy

Computer settings are applied at operating system initialization and user settings at logon. Both settings are refreshed during the periodic Group Policy refresh cycle of 90 minutes, plus or minus a stagger interval of 30 minutes. The stagger interval is in place so that all the computers on the network aren't trying to update their policies at the same time, possibly flooding the network with traffic. The default group policy refresh cycle of 90 minutes can be changed via Group Policy.
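Taking the loopback note above together with the refresh cycle described here, this added PowerShell example (not from the book) reports what this machine's policy Registry key currently sets for both. The value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\System are the ones Group Policy writes for these settings; when a value is absent, the defaults given in the text (90 minutes plus or minus 30, 5 minutes on domain controllers, no loopback) are in effect.

```powershell
# Added example (not from the book): show the effective Group Policy refresh
# window and loopback mode on this machine, falling back to the documented
# defaults when no policy value has been written.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# DomainRole 4 = backup domain controller, 5 = primary domain controller
$isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4

function Get-PolicyValue([string]$name, $default) {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { $default } else { $v }
}

if ($isDc) {
    $interval = Get-PolicyValue 'GroupPolicyRefreshTimeDC'       5
    $offset   = Get-PolicyValue 'GroupPolicyRefreshTimeOffsetDC' 0
} else {
    $interval = Get-PolicyValue 'GroupPolicyRefreshTime'       90
    $offset   = Get-PolicyValue 'GroupPolicyRefreshTimeOffset' 30
}
$loopback = Get-PolicyValue 'UserPolicyMode'         0   # 0 none, 1 merge, 2 replace
$bgOff    = Get-PolicyValue 'DisableBkGndGroupPolicy' 0   # 1 turns background refresh off

$low  = [math]::Max(0, $interval - $offset)
$high = $interval + $offset
$background = if ($bgOff -eq 1) { 'disabled (changes wait for next boot/logon)' } else { 'enabled' }

[pscustomobject]@{
    IsDomainController   = $isDc
    RefreshWindowMinutes = "$low to $high"
    BackgroundRefresh    = $background
    LoopbackMode         = @('none', 'merge', 'replace')[$loopback]
}
```

A loopback mode or disabled background refresh that nobody configured is worth tracing back to the GPO that set it, since both change which settings a user actually receives.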

Changes made to existing GPOs and new GPOs will be applied during the refresh cycle. The exceptions are the following:

  • Software installation settings will be updated only at reboot or logon.

  • Folder redirection settings will be updated only at reboot or logon.

  • Computer configuration changes will be refreshed every 16 hours whether they have been changed or not.

  • Domain controllers refresh Group Policy every 5 minutes, so that critical settings, such as security settings, are not delayed.

Changes can be implemented immediately using the gpupdate tool. Table 9.1 shows available command line options for the tool.

Table 9.1. Command-Line Options for Gpupdate

  Value                      Description

  /Target:{Computer | User}  Specifies that only user or only computer policy settings are refreshed. By default, both user and computer policy settings are refreshed.

  /Force                     Reapplies all policy settings. By default, only policy settings that have changed are reapplied.

  /Wait:{value}              Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value "0" means not to wait. The value "-1" means to wait indefinitely.

  /Logoff                    Causes a logoff after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy during a background refresh cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff.

  /Boot                      Causes the computer to restart after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy during a background refresh cycle but do process policy when the computer starts. Examples include computer-targeted Software Installation. This option has no effect if no extensions are called that require the computer to restart.

  /Sync                      Causes the next foreground policy application to be done synchronously. Foreground policy applications occur when the computer starts and when the user logs on. You can specify this for the user, computer, or both by using the /Target parameter. The /Force and /Wait parameters are ignored.


We use the gpupdate command in the upcoming exercises to force the immediate application of Group Policy.

Note: Local Only

Gpupdate can only be used to refresh policy on a local machine.

MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales