Who is this Group Policy page for?
- Administrators who want an overview of Windows 2003 Group Policy
- Experienced network managers who want lockdown desktops
- Network Architects who need to turn a desktop vision into
reality
- Those upgrading desktops from Windows 9x or Windows 2000 to XP
The concept behind Group Policies is that administrators configure settings
once, and then the settings apply continuously to the users. Furthermore, Group
Policy can be applied to computers, so you can control the settings no
matter who logs on. The way Group Policy works is to alter settings in the registry.
The old saying "Prevention is better than cure" certainly applies to Group
Policies. A good Group Policy will give greater productivity for the users, and
save you time on routine administration. Think of all the damage
and time wasting caused by users experimenting with Control Panel settings.
I once saw a user set the screen refresh rate faster than the monitor hardware
could cope with; his screen literally went up in smoke! If only the administrator had
set a group policy, they could have disabled the Display tab and thus prevented
an expensive mistake.
One neglected aspect of group policy is that you can be pro-active and
configure settings to be kind to the users. In this case you could create a
policy that sets the refresh rate at 80, rather than the flickery default value
of 60.
Just wading through the hundreds of policies is a Herculean task. My
suggestion is to commission two opposite approaches. Get a 'techie' who understands Windows 2003
to go through the policy and select those settings that he thinks appropriate. Then
ask a manager to produce a vision or wish list of what the desktop should look like.
Finally, bring the two disparate mindsets together and weld them into your Group Policy.
Navigate to Active Directory Users and Computers. Right click
the Domain object, Properties, Group Policy (tab), now click the Edit (button)
and you will see the policy settings. A less risky method of easing your way
into Group Policies would be to create a test OU, and then make a brand new policy.
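The test-OU route described above, as an added example that is not from the original page: it creates the OU, creates a brand new GPO linked only to that OU, and writes one registry-backed setting (the Display applet removal mentioned earlier). It uses the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later, so newer than the Windows Server 2003 GPMC the page describes); the OU name, GPO name and domain are assumptions.

```powershell
# Added example (not from the original page): test OU + brand-new GPO + one registry value.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT, Server 2008 R2 or later).
# Domain DN, OU name and GPO name below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=local (assumed domain)
$ouName   = 'GP Test'                            # assumed test OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Test - Desktop Lockdown'            # assumed GPO name

# 1. A test OU, so nothing reaches production users until you are happy with the policy.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn `
    -SearchScope OneLevel -ErrorAction SilentlyContinue
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. A brand-new GPO, linked to the test OU only (not to the domain object).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lockdown settings under test in the GP Test OU'
}
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. Group Policy works by writing registry values. This is the value behind the
#    User Configuration policy that removes Display from Control Panel, i.e. the
#    setting that would have prevented the 'monitor up in smoke' mistake.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispCPL' -Type DWord -Value 1 | Out-Null

# 4. Read the GPO back so the change can be checked before any real user logs on.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' |
    Format-Table ValueName, Type, Value -AutoSize
```

Run it from an elevated PowerShell on a domain-joined management machine with RSAT installed; moving a test user account into the GP Test OU and logging on as that user is then the cheapest way to see the setting take effect without touching anyone else.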
Firstly, the GPMC is designed for Windows Server 2003 rather than W2K. Either
execute GPMC.msi from the \program files\ folder or download the GPMC add-on from Microsoft's site.
It is well worth the effort of installing it to gain the extra settings to manage
your Group Policies.
It seems that GPMC will not work on Windows 2000 machines (I have not got it
to run yet).
The Group Policy Management Console (GPMC) unifies Group Policy management
across your Active Directory forest. Before GPMC, administrators needed many tools in order
to manage Group Policy: Active Directory Users and Computers, the Delegation
Wizard, and the ACL Editor. Not only does the GPMC integrate the
existing Group Policy tools, but it also brings these exciting new capabilities:
- A user interface that makes it easier to use and manage Group Policy.
- New WMI filtering means that you can apply policies to particular machines,
or only if there is enough disk space.
- Backup, restore, import, and copy Group Policy Objects (GPOs).
- Simplified management of Group Policy-related security.
- Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
- Programmatic access to the above GPO operations. Note that it is not
possible to programmatically set individual policy settings within a GPO.
Guy Recommends: SolarWinds LANSurveyor
LANSurveyor will produce a neat diagram of your network topology. But that's
just the start;
LANSurveyor can
create an inventory of the hardware and software
of your machines and network devices. Other neat features include dynamic
update for when you add new devices to your network. I also love the ability to export
the diagrams
to Microsoft Visio.
Finally, Guy bets that if you take a free trial of LANSurveyor then you will
find a device on your network that you had forgotten about, or someone else
installed without you realizing!
Download a Free Trial of LANSurveyor
Microsoft provides a snap-in called RSoP for showing a given combination of
policy settings. I find that if you install the GPMC, then you do not
really need this RSoP. However if you do need it the RSoP is intuitive to
use and comes in two modes:
- Logging mode. In logging mode, the RSoP snap-in tracks the policies
that you apply. In this mode, the tool shows the actual policies for a given
user or computer.
- Planning mode. In planning mode, the snap-in indicates the set of
policies that would be applied if you deployed the policy. You can
perform what-if analyses on the user and computer; the domain, and
organizational unit.
I am so pleased that Windows 2000's Secedit is now obsolete; the syntax was
horrendous. Gpupdate completely replaces Secedit on Server 2003 and XP.
Mostly I just use Gpupdate as a simple command on its own, occasionally I tweak
it with the following switches:
- /target:computer or /target:user applies only the computer or user
section of your policy. Normally I would use plain Gpupdate without the
optional target switch.
- /logoff is useful for settings that do not apply until the user logs
on again.
- /boot is handy for configuration which needs the computer to restart.
- /force reapplies all settings.
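The Gpupdate switches above, together with RSoP logging mode from the earlier section, as an added example that is not from the original page. It wraps gpupdate.exe in a small script, checks the exit code, and then asks gpresult.exe (present on XP and Server 2003) and Get-GPResultantSetOfPolicy (GroupPolicy module, RSAT on Server 2008 R2 or later) which policies actually applied. The parameter names and the report path are assumptions.

```powershell
# Added example (not from the original page): refresh policy with gpupdate's switches,
# then confirm what applied (RSoP logging mode). Save as e.g. Refresh-Policy.ps1 (assumed name).
param(
    [ValidateSet('computer', 'user')]
    [string] $Target = 'computer',   # /target:computer or /target:user
    [switch] $Force,                 # /force  - reapply every setting, not only changed ones
    [switch] $Logoff,                # /logoff - log off if a user setting needs a fresh logon
    [switch] $Boot                   # /boot   - restart if a computer setting needs it
)

# Build the switch list. ($args is a PowerShell automatic variable, so use another name.)
$gpArgs = @("/target:$Target")
if ($Force)  { $gpArgs += '/force' }
if ($Logoff) { $gpArgs += '/logoff' }
if ($Boot)   { $gpArgs += '/boot' }

Write-Host "Running: gpupdate $($gpArgs -join ' ')"
& gpupdate.exe @gpArgs
if ($LASTEXITCODE -ne 0) {
    # On XP / 2003 the detail is in the Application log (source Userenv);
    # on Vista and later it is in the GroupPolicy operational log.
    throw "gpupdate returned exit code $LASTEXITCODE; check the event log for the reason."
}

# Logging mode in practice: which GPOs did this computer (or the current user) really receive?
& gpresult.exe /scope:$Target /r

# The same data as an HTML report via the GroupPolicy module, for this computer.
Import-Module GroupPolicy
$report = Join-Path $env:TEMP ("rsop-{0}-{1}.html" -f $Target, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Html -Path $report | Out-Null
Write-Host "RSoP report written to $report"
```

A plain `.\Refresh-Policy.ps1` matches the author's everyday use (computer scope, no extra switches); `.\Refresh-Policy.ps1 -Target user -Force -Logoff` is the combination you want when a freshly filtered user policy refuses to show up without a new logon.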
Block Inheritance
I think of Block Inheritance as the 'anarchists' setting'. This is
because OUs further down the chain can prevent settings at the domain from
taking effect. The knack of using Block Inheritance is to select the OU
container and not the individual policy.
Enforce Policy (No Override)
I think of Enforce Policy as 'Big Brother fights back'; this setting prevents
any 'anarchists' from changing a setting further down the OU chain. The
trick to enforcing is to right click the individual policy, not the OU.
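The two opposite settings just described, as an added example that is not from the original page: Block Inheritance is set on the OU container, Enforce is set on the individual GPO link, and the script then reads back what the OU will actually receive. It uses the GroupPolicy module (RSAT, Server 2008 R2 or later); the OU, the GPO name and the domain are assumptions.

```powershell
# Added example (not from the original page): Block Inheritance on an OU versus an
# Enforced link at the domain, with the GroupPolicy module instead of the GPMC GUI.
# Domain DN, OU DN and GPO name below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName   # assumed domain
$anarchOu   = "OU=Branch Office,$domainDn"       # assumed OU trying to escape domain policy
$bigBrother = 'Corporate Security Baseline'      # assumed GPO linked at the domain

# 'Anarchists': Block Inheritance belongs to the OU container, not to any policy.
Set-GPInheritance -Target $anarchOu -IsBlocked Yes | Out-Null

# 'Big Brother fights back': Enforced belongs to the individual link at the domain.
# An enforced link still reaches OUs that block inheritance and wins any conflict.
Set-GPLink -Name $bigBrother -Target $domainDn -Enforced Yes | Out-Null

# Check the result: what does the blocking OU still receive, and in what order?
$inh = Get-GPInheritance -Target $anarchOu
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
"GPOs applied to this OU, highest precedence first:"
$inh.InheritedGpoLinks | ForEach-Object {
    "  {0,-40} enforced={1} enabled={2}" -f $_.DisplayName, $_.Enforced, $_.Enabled
}

# Undo for the test OU when finished (both settings are easy to forget about later).
# Set-GPInheritance -Target $anarchOu -IsBlocked No | Out-Null
```

After the two calls, the only domain-level GPO left in the OU's InheritedGpoLinks list should be the enforced baseline; anything else from the domain disappears, which is exactly the behaviour an administrator needs to see in black and white before using Block Inheritance in production.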
Changing the security permissions on policies is one of the best kept secrets
of Group Policies. Microsoft call it 'filtering' the policy so it only applies
to certain users. The default setting gives 'Authenticated Users' the
Apply Group Policy permission. A question: is the
Administrator an 'Authenticated User'? Of course he is. This is how
enthusiastic policy setters lock themselves out by applying severe policies at the
Domain level and forgetting that they are an 'Authenticated User'. The secret is to
remove 'Authenticated Users' and add the groups you actually want the policy to affect.
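Security filtering as described above, as an added example that is not from the original page. It uses Set-GPPermission and Get-GPPermission from the GroupPolicy module (RSAT, Server 2008 R2 or later); the GPO and group names are assumptions. One caveat the page predates: since Microsoft's MS16-072 update (2016), user policy is fetched in the computer's security context, so the computer accounts must keep Read on the GPO. The script therefore lowers 'Authenticated Users' to Read rather than removing the entry altogether.

```powershell
# Added example (not from the original page): filter a GPO so only one group applies it.
# Requires the GroupPolicy module (RSAT, Server 2008 R2 or later).
# GPO name and group name below are assumptions.
Import-Module GroupPolicy

$gpoName     = 'Desktop Lockdown'      # assumed GPO carrying severe user settings
$targetGroup = 'Locked Down Users'     # assumed global group; administrators are not members

# Before: the default ACL. 'Authenticated Users' has GpoApply, so it hits administrators too.
"Before:"
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize

# 1. Lower Authenticated Users from Apply to Read only. -Replace is needed, otherwise
#    Set-GPPermission only ever raises a permission level. Keeping Read (instead of None)
#    is the MS16-072 requirement: computer accounts must still read user GPOs.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 2. Grant Read + Apply Group Policy to the one group that should actually get the policy.
Set-GPPermission -Name $gpoName -TargetName $targetGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# After: confirm nobody outside the target group can apply the policy.
"After:"
$acl = Get-GPPermission -Name $gpoName -All
$acl | Format-Table Trustee, Permission -AutoSize

$appliers = @($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })
if ($appliers.Count -ne 1 -or $appliers[0] -ne $targetGroup) {
    Write-Warning "Apply Group Policy is still granted to: $($appliers -join ', ')"
} else {
    "Only '$targetGroup' can apply '$gpoName'."
}
```

The final check is the part worth keeping in any change script: the lockout story in the text happens precisely because nobody looked at who still held Apply Group Policy after the edit.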
What's new with delegation of permissions is that there is a new built-in global
group called Group Policy Creator Owners. My own view is that I would
confine configuring Group Policies to a small select group of experts and not
allow delegation of Group Policies to people in OUs. My point is that
usually I am all for delegation: creating users - yes, reset passwords -
an excellent use of delegation, but delegate Group Policies - no.
If there is a business case for an application then create a policy and
deliver the package to the Start Menu. Techies like this approach because
they can then apply service packs and upgrades from one central place.
These policies operate from the Software Settings folder. If you want
everyone who logs on to use an application, then Assign it to a computer;
however if the user needs special software wherever they log on, Assign it in the
User Configuration folder.
If you want more information, my Active Directory eBook has much more
information on Group Policies, including screen shots of how and where to
configure policies.
Active Directory Training
As an MCT trainer, I can thoroughly recommend
TrainSignal because they provide practical hands-on
training. In particular, I like the way that TrainSignal cover all learning methods: instructor led, video and of course text material. You can either take one module, for example Active Directory, or go for
a combination of modules.
See more about Active Directory training