Group Policies are used in Windows 2000 and Windows Server 2003 to define change and configuration management. They are used to define user and computer configurations for groups of users and computers. Group Policy is configured through the Group Policy Object Editor, a Microsoft Management Console (MMC) snap-in. The Group Policy settings are contained in a Group Policy Object, which is associated with selected Active Directory objects such as sites, domains, and organizational units. There is also an option for local policy creation to assist in controlling specific computers.
Using Group Policy, an administrator is able to control the policy settings for the following:
Registry-based policies: This includes Group Policy for the Windows 2000 and 2003 operating systems and their components, as well as for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.
Security options: Local computer, domain, and network security settings.
Software installation and maintenance options: Centralized management of application installation, updates, and removal.
Scripts options: This includes scripts for computer startup and shutdown, as well as user logon and logoff.
Folder redirection options: This allows administrators to redirect users' special folders to network storage locations.
Implementing Windows Group Policies for registry-based policies, security options, and folder redirection is essential in a well-managed SBC environment. Administrators should use Group Policy to ensure users have what they need to perform their jobs, but do not have the ability to corrupt or incorrectly configure their environment. Many common user lockdown settings are contained in the Windows Explorer component under the User Configuration section. A new Terminal Server configuration section is available in Windows Server 2003 Group Policy that did not exist in Windows 2000. The new settings are contained in the Terminal Services component under Computer Configuration. The Terminal Services component of the Computer Configuration Group Policy provides a place to set several important configurations, including:
Setting keep-alive settings
Setting the path for the Terminal Services roaming profile location
Setting the path for the Terminal Services home directory
Machines that are members of an Active Directory domain process Group Policies in a very systematic way. The processing order is as follows:
1. Local Group Policy Object
2. Site
3. Domain
4. Organizational unit (OU)
Exceptions to the default order are due to Group Policies being set to no override, disabled, block policy inheritance, or loopback processing. The key things to remember are the order in which policies are applied, and that a Domain setting will override a Site setting. Understanding this will help in troubleshooting problems with policy settings not being implemented. For example, if the same settings are applied at both the Site and OU levels, the OU policy will still be implemented unless special settings (such as no override) have been configured.
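The precedence rules above can be checked with a small model. This is an added example, not code from the original text or from Microsoft: the link structure, GPO names, and setting names are constructed for illustration, only a single OU level is modeled, and loopback processing is not modeled.

```python
# Added illustration: simplified model of Group Policy precedence.
ORDER = ["local", "site", "domain", "ou"]  # processing order from the text

def effective_settings(links, block_inheritance_at=None):
    """Return {setting: (value, winning_gpo)} for one computer or user.

    links: dicts with 'level', 'name', 'settings' and optional
    'no_override' / 'disabled' flags (hypothetical structure).
    block_inheritance_at: 'domain' or 'ou' if that container blocks inheritance.
    """
    rank = {level: i for i, level in enumerate(ORDER)}
    active = [l for l in links if not l.get("disabled")]
    if block_inheritance_at:
        cutoff = rank[block_inheritance_at]
        # Blocking drops GPOs linked above the container, but never the
        # local GPO and never a link marked No Override.
        active = [l for l in active
                  if rank[l["level"]] >= cutoff
                  or l["level"] == "local"
                  or l.get("no_override")]
    active.sort(key=lambda l: rank[l["level"]])  # stable: keeps list order within a level
    normal = [l for l in active if not l.get("no_override")]
    enforced = [l for l in active if l.get("no_override")]
    result = {}
    # Normal links apply in processing order, so the last writer wins.
    # No Override links apply afterwards, lowest container first, so the
    # highest container in the hierarchy has the final say.
    for link in normal + enforced[::-1]:
        for setting, value in link["settings"].items():
            result[setting] = (value, link["name"])
    return result

# Constructed sample data: the same settings configured at several levels.
SAMPLE_LINKS = [
    {"level": "local", "name": "Local GPO", "settings": {"HideRunMenu": False}},
    {"level": "site", "name": "Site Baseline",
     "settings": {"HideRunMenu": True, "KeepAlive": 1}},
    {"level": "domain", "name": "Domain Policy", "settings": {"KeepAlive": 5}},
    {"level": "ou", "name": "SBC Lockdown", "settings": {"HideRunMenu": False}},
]

if __name__ == "__main__":
    for setting, (value, gpo) in effective_settings(SAMPLE_LINKS).items():
        print(f"{setting} = {value}  (from {gpo})")
```

When a setting does not take effect, comparing the winning GPO reported by a model like this against the GPO you expected shows whether a disabled link, No Override, or Block Policy Inheritance is responsible.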