Starting with Windows 2000, Microsoft introduced IntelliMirror. Not really a single technology, IntelliMirror is more of an umbrella term that encompasses the following technologies:
Group Policy allows you to define a standard collection of settings and apply them to some or all of the computers and/or users in your enterprise. Group Policy can provide centralized control of a variety of components of a Windows network, such as security, application deployment and management, communications, and the overall user experience.

Group Policy is applied by creating an object that contains the settings that control users' and computers' access to network and machine resources. This Group Policy Object (GPO) is created from templates that are stored on the workstation or server. GPOs are linked to a container that holds Active Directory objects such as users, groups, workstations, servers, and printers, and the settings in the GPO are applied to the objects in that container. The container can be an OU, a domain, or a site. GPOs can also be applied to a single computer through Local Policy.

You can apply multiple GPOs to a container, in which case the settings are merged. If a setting conflicts between GPOs, the last setting applied wins.

Group Policy works by manipulating Registry and security settings on the workstation or server. Unlike the System Policies used in Windows NT, Group Policy does not permanently change (tattoo) the Registry: after Group Policy is removed, the Registry settings return to their defaults.

Each Group Policy Object has two separate sections: User Configuration and Computer Configuration. Group Policy for users includes settings for
User settings are applied at user logon and during the periodic Group Policy refresh cycle. When these settings are applied to a user, they follow that user to whatever computer the user logs on to. Group Policy for computers includes settings for
You will probably notice that a lot of the same settings are available via both User and Computer settings. This allows you to specify settings that will apply to a particular user, or to all users who log on to a computer. When user and computer settings conflict, user settings generally take precedence.

Note: Loopback Processing
This behavior can be changed so that the computer policy settings take precedence, no matter which user logs on. Check the Windows Server 2003 online help for the section on loopback processing, or the Microsoft Knowledge Base article "Loopback Processing of Group Policy" at http://support.microsoft.com/?id=231287.

In addition, because the GPO is divided into two somewhat separate sections, you can disable one of the sections. For example, if you're planning to use a GPO only to configure settings for users, you can disable the Computer section of the GPO. Disabling the section that is not being used cuts down on the time it takes to process the GPO, because the system doesn't have to compare that section's settings against any other GPOs.

Figure 9.1 shows the Group Policy Object Editor MMC, which is used to configure Group Policy settings. In the left pane of the MMC, you can see the various categories of settings that make up both the User and Computer configuration.

Figure 9.1. The Group Policy Editor MMC showing the various Group Policy setting categories.

The categories of note and their uses are the following:
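The merging and precedence rules just described, as an added Python model that is not from the book: GPOs linked to a container are applied in order with the last setting winning, a disabled section is skipped, user settings override computer settings, and loopback processing lets the computer's policy win no matter who logs on. The GPO names and settings are constructed, and loopback is modelled as applying the user sections of the computer's own GPOs last (loopback in merge mode), a detail the text above does not spell out.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    """One Group Policy Object with its two sections (simplified model)."""
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration section
    user: dict = field(default_factory=dict)      # User Configuration section
    computer_enabled: bool = True  # an unused section can be disabled
    user_enabled: bool = True

def merge_section(gpos, section):
    """Apply one section of each GPO in link order; the last setting applied wins."""
    result = {}
    for gpo in gpos:
        if section == "computer" and gpo.computer_enabled:
            result.update(gpo.computer)
        elif section == "user" and gpo.user_enabled:
            result.update(gpo.user)
    return result

def effective_policy(computer_gpos, user_gpos, loopback=False):
    """Resolve the settings in force for a user logging on to a computer.

    Normally user settings override conflicting computer settings; with
    loopback, the user sections of the computer's own GPOs are applied last,
    so the computer's policy wins no matter who logs on.
    """
    computer_settings = merge_section(computer_gpos, "computer")
    user_settings = merge_section(user_gpos, "user")
    if loopback:
        user_settings.update(merge_section(computer_gpos, "user"))
    return {**computer_settings, **user_settings}

# Constructed sample GPOs (names and settings are hypothetical).
DOMAIN = GPO("Default Domain Policy",
             computer={"MinimumPasswordLength": 8, "Wallpaper": "corp.bmp"},
             user={"Wallpaper": "corp.bmp"})
KIOSK = GPO("Kiosk Lockdown",  # linked to the OU holding kiosk computers
            computer={"Wallpaper": "kiosk.bmp"},
            user={"Wallpaper": "kiosk.bmp", "RemoveRunMenu": True})
FINANCE = GPO("Finance Users",  # linked to the OU holding finance users
              computer={"Wallpaper": "ignored.bmp"},  # disabled section: never applied
              user={"Wallpaper": "finance.bmp", "ScreenSaverTimeout": 600},
              computer_enabled=False)

def finance_user_on_kiosk(loopback=False):
    """A finance user logs on to a kiosk; both inherit the domain GPO first."""
    return effective_policy([DOMAIN, KIOSK], [DOMAIN, FINANCE], loopback)
```

Without loopback the user's own wallpaper setting wins; with loopback the kiosk lockdown (including RemoveRunMenu) is applied regardless of who logs on.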
These components are stored in a Group Policy Object. GPOs are stored in two parts: as a Group Policy Template (GPT) and as objects inside a container in Active Directory called a Group Policy Container (GPC).

GPTs contain settings related to software installation policies and deployments, scripts, and security information for each GPO. They are stored in the %SystemRoot%\SYSVOL\domain\Policies directory on every domain controller. The GPTs usually contain subfolders called Adm, USER, and MACHINE (see Figure 9.2) to separate the data to be applied to different portions of the Registry.

Figure 9.2. There are separate policy folders for each branch of the Registry.

As you might guess, the USER portion is applied to keys in HKEY_CURRENT_USER, and the MACHINE portion is applied to keys in HKEY_LOCAL_MACHINE. The Adm portion can contain settings for either branch of the Registry.

GPCs contain information regarding the GPO's link to Active Directory containers, such as the version, status, and extensions of the policy itself. Each GPC is referred to by a 128-bit string called a globally unique identifier, or GUID. The GUID is used as the name of the GPO's folder under Policies, as shown in the figure. Data stored in the GPC is used to indicate whether a specific policy object is enabled, as well as to control the proper version of the GPT to apply. GPOs can be used to control only Windows 2000 or later servers and workstations.

Refreshing Group Policy

Computer settings are applied at operating system initialization and user settings at logon. Both are refreshed during the periodic Group Policy refresh cycle of 90 minutes, plus or minus a stagger interval of 30 minutes. The stagger interval is in place so that all the computers on the network aren't trying to update their policies at the same time, possibly flooding the network with traffic. The default Group Policy refresh cycle of 90 minutes can be changed via Group Policy.
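As an added example (not the book's code), the following Python check walks a Policies directory laid out as described above and flags folders that are not GUID-named, GPTs missing their USER or MACHINE subfolder, and GPTs whose GPT.INI carries no Version value, which is a quick way to spot drift or damage in SYSVOL. It assumes GPT.INI with a [General] Version key, the file in which a GPT records the version the client checks against the GPC (not mentioned above), and builds a constructed sample tree with made-up GUIDs to run against.

```python
import configparser
import os
import re
import tempfile

# A GPT folder name must be the GPO's GUID in registry form: {8-4-4-4-12 hex digits}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def audit_policies_dir(policies_dir):
    """Return (entry, finding) pairs for anything under Policies that is not a sound GPT.
    A GPT should hold USER and MACHINE subfolders plus a GPT.INI whose [General]
    Version is what clients compare with the GPC to pick the GPT version to apply.
    """
    findings = []
    for entry in sorted(os.listdir(policies_dir)):
        path = os.path.join(policies_dir, entry)
        if not os.path.isdir(path) or not GUID_RE.match(entry):
            findings.append((entry, "not a GUID-named GPT folder"))
            continue
        for sub in ("USER", "MACHINE"):
            if not os.path.isdir(os.path.join(path, sub)):
                findings.append((entry, "missing %s subfolder" % sub))
        ini = os.path.join(path, "GPT.INI")
        if not os.path.isfile(ini):
            findings.append((entry, "missing GPT.INI"))
            continue
        cfg = configparser.ConfigParser()
        cfg.read(ini)
        if not cfg.has_option("General", "Version"):
            findings.append((entry, "GPT.INI has no [General] Version"))
    return findings

GOOD_GUID = "{11111111-2222-3333-4444-555555555555}"  # constructed, not a real GPO
BAD_GUID = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"   # constructed, not a real GPO

def build_sample_tree():
    """Build a constructed Policies tree: one sound GPT, one damaged GPT, one stray folder."""
    root = tempfile.mkdtemp(prefix="Policies_")
    for sub in ("Adm", "USER", "MACHINE"):
        os.makedirs(os.path.join(root, GOOD_GUID, sub))
    with open(os.path.join(root, GOOD_GUID, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=3\n")
    os.makedirs(os.path.join(root, BAD_GUID, "MACHINE"))  # no USER folder, no GPT.INI
    os.makedirs(os.path.join(root, "Backup"))             # not a GUID-named folder
    return root

if __name__ == "__main__":
    print(audit_policies_dir(build_sample_tree()))
```

Point audit_policies_dir at a domain controller's actual %SystemRoot%\SYSVOL\domain\Policies path to run the same check against real GPTs.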
Changes made to existing GPOs and new GPOs will be applied during the refresh cycle. The exceptions are the following:
Changes can be applied immediately using the gpupdate tool. Table 9.1 shows the available command-line options for the tool.
We use the gpupdate command in the upcoming exercises to force the immediate application of Group Policy.

Note: Local Only
Gpupdate can only be used to refresh policy on a local machine.