
Introduction to Group Policy in Windows Server 2003

Microsoft Corporation Published: April 2003

Abstract
This article introduces Microsoft Windows Server 2003 Group Policy, a key feature of the IntelliMirror management technologies. Administrators use Group Policy to define options for managing configuration of servers, desktops, and groups of users. This article is intended for IT administrators new to Group Policy and provides an overview of this technology and its new features in Windows Server 2003.

Microsoft Windows Server 2003 White Paper

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, IntelliMirror, Windows, Windows Server, and Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
IntelliMirror Management Technologies
    IntelliMirror Benefits and Technologies
Group Policy Overview
    Defining Group Policy
    Group Policy Capabilities
        Registry-based Policy
        Security Settings
        Software Restrictions
        Software Distribution and Installation
        Computer and User Scripts
        Roaming User Profiles and Redirected Folders
        Offline Folders
        Internet Explorer Maintenance
What's New in Windows Server 2003 Group Policy
    Unified Group Policy Management with the GPMC
        GPMC Features
    WMI Filters
    New Policy Settings
Using Group Policy
    Computer and User Configuration
    Administering Group Policy
        GPMC
        Group Policy Object Editor (Previously GPEdit)
        Group Policy Results and Modeling
    Applying Group Policy
        Group Policy Scope of Management
        Applying Security and WMI Filters to GPOs
    Developing Applications to Use Group Policy
Summary
Related Links

Introduction
The Group Policy management solution in Microsoft Windows Server 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows XP Professional, and Windows Server 2003.

Through this Active Directory infrastructure and Group Policy, administrators can take advantage of policy-based management to do the following:

- Enable one-to-many management of users and computers throughout the enterprise.
- Automate enforcement of IT policies.
- Simplify administrative tasks, such as system updates and application installations.
- Consistently implement security settings across the enterprise.
- Efficiently implement standard computing environments for groups of users.

Group Policy can be used to define user-related policies, as well as security, networking, and other policies applied at the machine level. In addition, Group Policy enables management of domain controllers and member servers, as well as desktop user machines.

The new Group Policy Management Console (GPMC) provides a unified graphical user interface for deploying and managing Group Policy implementations and enables script-based management of Group Policy operations. In addition, Windows Server 2003 adds even greater administrative control to Group Policy, including more than 200 new policy settings for the operating system. Additionally, support for Windows Management Instrumentation (WMI) filters provides a greater degree of control over how Group Policy is applied to users and computers.

Group Policy and Active Directory are key components of the IntelliMirror management technologies. Through these technologies, IT administrators can implement standard computing environments for groups of users and computers. As a result, IntelliMirror can significantly boost user productivity and satisfaction while increasing administrator efficiency and reducing IT costs.

This article is intended for IT administrators new to Group Policy. It provides an overview of IntelliMirror, introduces Group Policy, and describes new Group Policy features introduced with Windows Server 2003.


IntelliMirror Management Technologies

Administrators are tasked with helping to keep people productive as they use their computers for day-to-day work. IntelliMirror eases this task. IntelliMirror enables administrators to provide users with consistent access to their applications, application settings, and user data from any managed computer, even when users are disconnected from the network. Because users can maintain constant access to all their information and applications, they receive the assurance that their data is safely maintained and available from a server. For IT organizations, eliminating the need to manually configure user settings, install applications, and transfer user files reduces overhead.

IntelliMirror technologies combine the advantages of centralized computing with the performance and flexibility of distributed computing. Implemented as a set of Windows technologies, IntelliMirror allows administrators to create standard computing environments for groups of users and computers.

When fully deployed, IntelliMirror provides policy-based management of users' desktops and servers. Through centrally defined policies based on users' group memberships and location, machines running Windows-based server and client operating systems (Windows 2000 and later) are configured automatically to meet a specific user's requirements each time he or she logs on to a network.

The following table highlights the benefits to users when IntelliMirror is implemented and identifies the technologies that enable these features. IntelliMirror uses different features in both the server and client, and these features can be used either separately or together, depending on the requirements of the environment.

IntelliMirror Benefits and Technologies

Benefit: Consistent Environment
Description: Users can work with a consistent computing environment from any computer, such as when their desktop or laptop computer is unavailable. Users' profiles are stored on a server so that the profile is available from any machine. In cases where users are not assigned a specific computer, hardware and administration costs are reduced as well, because users can log on to any available IntelliMirror-managed computer and work in a familiar environment.
Technologies: Active Directory; Group Policy; Offline Folders; Roaming User Profiles; Redirected Folders; Enhancements to the Windows Shell; Group Policy Software Installation

Benefit: Uninterrupted Access
Description: Users can continue to work efficiently even when network connections are intermittent or even disconnected. Under these conditions, uninterrupted access to user and configuration data can be enabled. IntelliMirror eases the IT task of implementing centralized backup of user files while satisfying need for these files to remain available on users' computers.
Technologies: Active Directory; Group Policy; Offline Folders; Synchronization Manager; Enhancements to the Windows Shell; Redirected Folders; Disk Quotas

Benefit: Minimized Data Loss
Description: IT organizations can enable centralized backup of user data and configuration files. Centralized backups ease the IT workload and satisfy users' need for files to remain available on their computers.
Technologies: Active Directory; Group Policy; Roaming User Profiles; Redirected Folders; Offline Folders

Benefit: Minimized User Downtime
Description: Administrators can enable automated installation and repair of applications, reducing support costs by using Windows Installer to repair application installations automatically.
Technologies: Active Directory; Group Policy; Windows Installer Service; Add/Remove Programs in Control Panel; Group Policy Software Installation


Group Policy Overview

Administrators can manage computers centrally through Active Directory and Group Policy. Using Group Policy to deliver managed computing environments allows administrators to work more efficiently because of the centralized, one-to-many management it enables.

Measurements of total cost of ownership (TCO) associated with administering distributed personal computer networks reveal lost productivity for users as one of the major costs for corporations. Lost productivity is frequently attributed to user errors, such as modifying system configuration files and rendering a computer unworkable, or to complexity, such as the availability of nonessential applications and features on the desktop. Because Group Policy defines the settings and allowed actions for users and computers, it can create desktops that are tailored to users' job responsibilities and level of experience with computers.

Defining Group Policy

Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings. These settings are specified through the Group Policy Object Editor tool (formerly known as GPedit) and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers, such as sites, domains, or OUs, as Figure 1 shows. In this way, Group Policy settings are applied to the users and computers in those Active Directory containers. Administrators can configure the users' work environment once and rely on the system to enforce the policies as defined.

Figure 1. GPOs are applied to sites, domains, and the OUs beneath them. Here, OU1 is affected by GPO1, GPO2, and GPO3. OU2 is affected by all four GPOs.

Group Policy Capabilities


Through Group Policy, administrators define the policies that determine how applications and operating systems are configured and keep users and systems secure. The following sections describe the key features of Group Policy.

Registry-based Policy

The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy. With the new Group Policy Management Console (GPMC), described later in this paper, and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components. For example, an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.

Security Settings

Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO. Local computer, domain, and network security settings can be specified. For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, hash, or publisher criteria. Administrators can make exceptions to this default security level by creating rules for specific software.

Software Restrictions

To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies. Administrators can now use policies to identify software running in a domain and control its ability to execute.

Software Distribution and Installation

Administrators can manage application installation, updates, and removal centrally with Group Policy. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Software can be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optionally install software through Add/Remove Programs in the Control Panel). Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.

Administrators can use Group Policy to deploy approved packages. For example, in a highly managed desktop environment where users don't have permission to install applications, the Windows Installer service can perform an installation on the user's behalf. In addition, for highly managed workstations, Windows Installer integrates with the software restriction policies implemented through Group Policy to restrict new installations to a list of acceptable software.

Computer and User Scripts

Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff. Any language supported by Windows Scripting Host can be used, including the Microsoft Visual Basic development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS-style batch files (.bat and .cmd).

Roaming User Profiles and Redirected Folders

Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on. As a result, users experience a consistent environment no matter which computer they use.

Through folder redirection, important user folders, such as the My Documents and Start menu, can be redirected to a server-based location. Folder redirection allows centralized management of these folders and gives an IT group the capability to easily back up and restore these folders on behalf of users.

Enhancements in Windows Server 2003 provide more robust roaming capabilities and simplified folder redirection. Together, these features allow mobile users, or those not assigned to a particular computer, to see a familiar desktop when they log on and locate needed folders. Administrators also can take advantage of roaming user profiles to replace computers more easily. When a user logs on to a new computer for the first time, the server copy of the user's profile is copied to the new computer. In addition, administrators can redirect users' My Documents folder to their home directory, a new feature.

Offline Folders

When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk. Users are assured access to critical information even when network connections are unstable or nonpermanent, or when using a mobile computer. When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.

Internet Explorer Maintenance

Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy. The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer running Windows 2000 and later.


What's New in Windows Server 2003 Group Policy

In Windows Server 2003, enhancements to Group Policy significantly improve the ability to plan, stage, deploy, manage, troubleshoot, and report on Group Policy implementations. The sections below describe key new features in the Group Policy infrastructure.

Unified Group Policy Management with the GPMC

The new Group Policy Management Console (GPMC) makes Group Policy implementations much easier to manage. The GPMC provides a unified view of GPOs, sites, domains, and OUs across an enterprise and can be used to manage either Windows Server 2003 or Windows 2000 domains.

Before GPMC, administrators were required to use several tools to manage Group Policy. The GPMC integrates the existing Group Policy functionality exposed in these tools into a single console. Together with new features, such as backup, restore, copy, and scriptable operations, the GPMC simplifies Group Policy deployments.

GPMC Features
Feature: Integrated MMC Snap-In
Description: The Microsoft Management Console (MMC) provides a Group Policy-centric view of an enterprise, with administrative features integrated cleanly for increased ease of use. The MMC's user interface describes GPOs and associated links in a more intuitive manner and integrates with an updated Group Policy Object Editor.

Feature: GPMC Reporting
Description: A rich HTML-based reporting environment for GPOs and their policy settings is included in GPMC.

Feature: Group Policy Results and Modeling
Description: GPMC exposes Resultant Set of Policy (RSoP) data. First introduced in Windows XP, RSoP makes it easy for an administrator to determine the resulting set of policies for a given user or computer in both an actual and a what-if scenario. In GPMC, Group Policy Results displays the result of a query made directly against a computer/user. Group Policy Modeling enables what-if simulation of user/computer scenarios and can be an important tool when planning changes to a Group Policy implementation. Group Policy Modeling must be performed against a Windows Server 2003 domain controller.

Feature: Support for Backup, Staging, and Testing Group Policy Objects
Description: GPMC includes backup and restore options for GPOs. Using this feature, administrators can maintain GPO templates (versions of GPOs for different configurations, such as highly managed desktops, laptops, Terminal Services on Windows Server 2003, Exchange Servers, and so on). New support for backup, copying, and importing GPOs lets administrators deploy configurations rapidly throughout an organization as needed, including between test and production environments and across forests.

Feature: Enhanced User Interface in the Group Policy Object Editor
Description: Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking a policy displays text that explains its function and supported operating systems (the latter through a new Supported On tag).

Feature: Scriptable Interfaces
Description: Operations such as backup, restore, import, copy, and reporting of GPOs are fully scriptable, which lets administrators customize and automate management. Note that it is not possible to programmatically set individual policy settings within a GPO.

Feature: Support for Cross-forest Trusts
Description: Administrators can manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface with drag-and-drop support. And with cross-forest trust, administrators can manage Group Policy across multiple forests from the same console.

WMI Filters

Administrators can now specify, create, and edit a WMI-based query to filter the effect of a GPO. With WMI filters, administrators can determine the scope of GPOs dynamically based on attributes of a target computer. For example, a WMI filter can be defined to include all machines with more than 500 megabytes (MB) of free disk space. In addition, Group Policy Modeling in the GPMC includes a WMI option so that administrators can perform a what-if analysis based on WMI filtering properties.

New Policy Settings

Over 200 new policy settings in Windows Server 2003 extend functionality to include the Control Panel, error reporting, Terminal Services, Remote Assistance, networking and dial-up connections, network logon, Group Policy, roaming profiles, client DNS settings, and more. To manage these settings, the Administrative Templates node of the Group Policy snap-in is used.


Using Group Policy

Administrators use Group Policy and Active Directory together to define policy across sites, domains, and OUs according to the following rules:

- GPOs are stored on a per-domain basis.
- Multiple GPOs can be associated with a single site, domain, or OU.
- Multiple sites, domains, or OUs can use a single GPO.
- Any site, domain, or OU can be associated with any GPO, even across domains (although doing so slows performance).
- The effect of a GPO can be filtered to target particular groups of users or computers based on membership in a security group or through WMI filters.

To set Group Policy for a selected Active Directory object, an administrator must have read and write permission to access the system volume of domain controllers (Sysvol folder) and to modify rights to the currently selected directory object. The system volume folder is created automatically when you install a domain controller (or promote a server to domain controller).

Computer and User Configuration

Administrators can configure specific desktop environments and enforce policy settings on groups of computers and users on the network as follows:

- Computer Configuration. Computer-related policies specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the machine is rebooted and during a periodic refresh of Group Policy.
- User Configuration. User-related policies specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer and during the periodic refresh of Group Policy.

Administering Group Policy


To deploy and manage Group Policy, administrators use GPMC and the Group Policy Object Editor.

GPMC

The GPMC integrates the Group Policy functionality provided by the following tools into a single console:

- Active Directory Users and Computers
- Active Directory Sites and Services
- Resultant Set of Policy MMC snap-in
- ACL Editor
- Delegation Wizard

Administrators can perform core Group Policy tasks using GPMC without the use of these other tools. Figure 2 shows the GPMC interface for an OU called Engineering - Offsite.

Figure 2. "Common Managed Settings" is a GPO linked to the Engineering - Offsite OU. This view of GPMC shows the scope of the GPO.

GPMC consists of a new Microsoft Management Console (MMC) snap-in and a set of programmable interfaces for managing Group Policy. GPMC can be used to manage both Windows Server 2003 and Windows 2000 domains. In either case, the administrative computer on which the tool itself runs must be running one of the following:

- Windows Server 2003.
- Windows XP Professional with Service Pack 1 (SP1), plus an additional post-SP1 hotfix, and the Microsoft .NET Framework.

The GPMC is available as a free download to all Windows Server 2003 customers at the Microsoft Download Center.

Group Policy Object Editor (Previously GPEdit)

The Group Policy Object Editor is a tool that hosts MMC extension snap-ins used to manage policy settings. All functionality is provided by extension snap-ins. Administrators edit policy settings using the Group Policy Object Editor.

All policy settings created by the Group Policy Object Editor are stored in a GPO. The policy settings that an administrator provides with the Group Policy Object Editor do not take effect until the target system applies policy.

Group Policy Results and Modeling

The GPMC now integrates the planning and logging capabilities provided by the RSoP service with two new options:

- Group Policy Results. This option displays the resultant set of policy that was applied to a given user and computer, and works by directly communicating with the target machine to retrieve the appropriate RSoP data. In GPMC, administrators can read RSoP logging data for objects in a domain or organizational unit. Individual nodes represent different RSoP queries for a given user/computer combination. Group Policy Results data is supported only for computers running Windows XP or Windows Server 2003 and later.
- Group Policy Modeling. This option displays simulations of the policy deployment for any user and computer in a domain. GPMC provides access to simulated RSoP data by calling a service running on a Windows Server 2003 domain controller. Each Group Policy Modeling simulation is displayed as an individual node within the GPMC snap-in. The modeling option is available only for a forest that has the Windows Server 2003 schema for Active Directory.

Applying Group Policy


Group Policy is applied in an inherited and cumulative fashion and affects all computers and users in an Active Directory container. Policy is applied when the computer starts up and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user's profile, then applies user policy. Policy is reapplied on a periodic basis, which an administrator can set by using the Group Policy Object Editor, and can also be reapplied on demand.

When applying policy, the system queries the directory service for a list of GPOs to process. If a computer or user has been denied access to a GPO, the system does not apply the specified policy settings. If access is permitted, the system applies the policy settings specified by the GPO.

Note: Application deployment and startup and logon scripts occur only during startup or interactive user logon, not on a periodic basis. Folder redirection occurs only during interactive logon. This prevents undesirable results, such as uninstalling or upgrading an application that is in use. However, registry-based policy settings and security policy settings are applied periodically.

Group Policy Scope of Management

The scope of Group Policy can extend from a single computer (that is, the local GPO that all computers include) to Active Directory sites, domains, and OUs. Each of these different targeting options is called a scope of management (SOM). For example, a GPO might be linked to an Active Directory site to specify policy settings for proxy settings and network-related settings that are specific to that site. A GPO becomes useful only after it is linked to a SOM; the settings in the GPO are then applied according to the scope.

GPOs are processed in the order of local, site, domain, and then OU, as Figure 3 shows. As a result, a computer or user receives the policy settings of the last Active Directory container processed; that is, a policy applied later overwrites policy applied earlier.

Figure 3. Here, the Marketing OU inherits GPO1, GPO2, GPO3, and GPO4, while the Servers OU inherits GPO1, GPO2, GPO3, GPO5, and GPO6.

Applying Security and WMI Filters to GPOs

GPOs can be applied to Active Directory objects with greater precision through filtering. By default, a GPO affects all computers and users in a linked Active Directory container. However, administrators can filter Group Policy based on membership in security groups by setting discretionary access control list (DACL) permissions. They can also filter based on Windows Management Instrumentation (WMI) properties. With WMI, administrators can determine whether to apply a GPO to a specific computer or user based on its WMI properties. WMI filtering can be applied to either Windows Server 2003 or Windows XP Professional machines (Windows 2000 machines ignore a WMI filter and apply the GPO regardless).

The combination of targeting of GPOs through SOM and selective filtering through security groups and WMI filtering gives administrators significant flexibility. They can decide which users and computers receive and are affected by Group Policy.
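The processing order and the two filtering mechanisms described above can be modelled in a few lines of Python to see which GPO ends up supplying each setting. This is an added example, not Microsoft code: the GPO names, setting names and sample targets are constructed, and the WMI filter is represented as a plain predicate over computer properties rather than a real WMI query.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Processing order given in the paper: local, site, domain, then OU.
SCOPE_ORDER = ("local", "site", "domain", "ou")


@dataclass
class Gpo:
    name: str
    settings: dict
    # Security filtering: None means every user/computer in the linked container.
    apply_groups: Optional[frozenset] = None
    # WMI filter, modelled as a predicate over constructed computer properties.
    wmi_filter: Optional[Callable[[dict], bool]] = None


@dataclass
class Target:
    name: str
    os: str
    groups: frozenset
    properties: dict


def filter_decision(gpo: Gpo, target: Target) -> str:
    """Return 'apply' or the reason the GPO is skipped for this target."""
    if gpo.apply_groups is not None and not (gpo.apply_groups & target.groups):
        return "skipped: security filter"
    if gpo.wmi_filter is not None:
        if target.os == "Windows 2000":
            return "apply"  # Windows 2000 ignores WMI filters and applies the GPO
        if not gpo.wmi_filter(target.properties):
            return "skipped: WMI filter"
    return "apply"


def resultant_set(links, target):
    """links: iterable of (scope, Gpo).

    Returns ({setting: (value, winning GPO name)}, trace of decisions).
    """
    result, trace = {}, []
    # sorted() is stable, so GPOs linked at the same scope keep their listed order.
    for scope, gpo in sorted(links, key=lambda link: SCOPE_ORDER.index(link[0])):
        decision = filter_decision(gpo, target)
        trace.append((scope, gpo.name, decision))
        if decision == "apply":
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)  # policy applied later overwrites earlier
    return result, trace


# Constructed sample data; deliberately listed out of processing order.
LINKS = [
    ("ou", Gpo("Engineering Desktop", {"remove_run_command": False},
               apply_groups=frozenset({"Engineering"}))),
    ("ou", Gpo("Large Package", {"install_large_package": True},
               wmi_filter=lambda props: props["free_disk_mb"] > 500)),
    ("domain", Gpo("Domain Baseline",
                   {"remove_run_command": True, "min_password_length": 8})),
    ("site", Gpo("Site A Network", {"proxy": "proxy.site-a.example:8080"})),
    ("local", Gpo("Local GPO", {"remove_run_command": False, "proxy": "none"})),
]

XP_ENG = Target("xp-eng", "Windows XP Professional",
                frozenset({"Engineering"}), {"free_disk_mb": 300})
XP_SALES = Target("xp-sales", "Windows XP Professional",
                  frozenset({"Sales"}), {"free_disk_mb": 900})
W2K_ENG = Target("w2k-eng", "Windows 2000",
                 frozenset({"Engineering"}), {"free_disk_mb": 300})

if __name__ == "__main__":
    for target in (XP_ENG, XP_SALES, W2K_ENG):
        settings, trace = resultant_set(LINKS, target)
        print(target.name)
        for step in trace:
            print("   ", step)
        for key in sorted(settings):
            print("   ", key, "=", settings[key])
```

The Windows 2000 target is the case worth checking in a mixed estate: it receives the WMI-filtered GPO even though it fails the disk-space condition, so a WMI filter alone cannot be relied on to keep a setting off those machines.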


Developing Applications to Use Group Policy


Applications can be developed to take advantage of the most common type of policy setting, namely, registry-based policy. For example, a programmer can create a component that includes "available" and "unavailable" functionality based on registry-based policy. Administrators then have a well-defined and simple process: They can use the GPMC to turn functionality on or off for all affected users and computers. This type of policy is implemented using a built-in registry client-side extension on every Group Policy client to process the data and manage the appropriate registry keys. Registry-based policy settings are stored in one of four secure Group Policy keys, which cannot be modified without administrative rights on the machine. For more information, see the Implementing Registry-Based Group Policy article at http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.


Summary

Group Policy-based management simplifies such tasks as deploying system updates, installing applications, setting user profiles, and managing desktops and systems. As a key component of the IntelliMirror management set of technologies, Group Policy extends administrative control and reduces redundant management tasks. As a result, existing IT resources can be used more efficiently, so administrative costs can be reduced across organizations. By implementing Group Policy, both small and large organizations benefit from the following:

Greater leverage of an organization's Active Directory investment. Group Policy allows for centralized or decentralized management of policy options.

Flexible scope of management. Group Policy handles a wide range of management scenarios that can be applied in businesses from small to large. Support for scalable one-to-many management of users and computers across the enterprise can increase IT productivity and reduce IT costs. Yet Group Policy also offers flexible, granular control of management tasks, enabling quick responses to changing business needs.

An integrated tool for managing policy. GPMC integrates other Active Directory administrative tools, such as the Active Directory Users and Computers and Active Directory Site and Services Manager snap-ins. Administrators can also delegate control of GPOs.

Ease of use. With an updated, more straightforward interface, GPMC is easy to use, a benefit that both reduces the learning curve and increases productivity for administrators. New scriptable interfaces provide command-line management as well.

Reliability and security. Administrators can define and enforce IT policies, increasing the reliability and security of the IT environment. After Group Policy has been established for groups of users and computers, administrators can rely on the system to enforce those policy settings. New support for backup, staging, and testing GPOs makes Group Policy even more reliable.

Central control of IT configurations. By using Group Policy to standardize the user computing environments, support costs are reduced while user productivity and satisfaction are increased.

Together, these advantages make Group Policy much easier to use and help IT organizations manage an enterprise more cost-effectively.



For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.
