Section 8.7: Group Policy

Group Policy provides you with administrative control over users and computers in your network. You can use Group Policy to configure a user's desktop environment and let Windows Server 2003 enforce the Group Policy settings that you have configured. You can apply Group Policy settings across a network, or to a specific group of users and computers.

You can use Group Policy to:

• Centralize policies by applying the Group Policy for an entire organization at the site or domain level.

• Decentralize policies by applying the Group Policy for departments at the organizational unit level.

• Ensure that users have the desktop environment and software applications that they require. You can also prevent users from installing applications that they do not require.

• Control where users store their data folders.

• Control user and computer environments, to reduce the level of technical support that users might require.

• Enforce a company's policies, including business rules, goals, and security needs.

Note: Group Policy applies only to Windows 2000, Windows Server 2003 and Windows XP Professional; earlier versions of the Windows operating system do not process it.

The types of Group Policy settings that you can configure are:

• Administrative Templates, which allow you to configure registry settings. These allow you to configure application settings and user desktop environments, including operating system components and applications to which users can gain access, the degree of access to Control Panel options, and control of users' offline files.

• Security, which allows you to configure local computer, domain, and network security settings. These include controlling user access to the network, setting account and audit policies, and controlling user rights.

• Software Installation. This allows you to centralize the management of software installations, updates, and removals. You can install applications automatically on client computers, you can upgrade applications automatically, or you can automatically remove applications. You can also make applications available in Add/Remove Programs in Control Panel, which provides users with a central location to obtain applications for installation.

• Scripts, which allows you to specify when Windows Server 2003 runs specific scripts. You can specify scripts to run when a computer starts and shuts down, and when a user logs on and logs off. You can specify scripts to perform batch operations, control multiple scripts, and determine the order in which the scripts run.

• Remote Installation Services, which allows you to control which options of the Client Installation Wizard, used by Remote Installation Services (RIS), are available to users.

• Internet Explorer Maintenance, which allows you to administer and customize Microsoft Internet Explorer on Windows Server 2003 computers.

• Folder Redirection, which allows you to specify where specific user profile folders are stored on the network.

Windows Server 2003 applies the Group Policy settings that are contained in GPOs to user and computer objects. GPOs can be associated with sites, domains, or organizational units. The content of a GPO is stored in the Group Policy container and in the Group Policy template (GPT). The Group Policy container is an Active Directory object that contains GPO attributes and version information; client computers use it to locate the Group Policy template, and domain controllers use it to obtain version information. The Group Policy template is a folder in the SYSVOL directory on domain controllers; SYSVOL is a shared directory that stores the server copy of the domain's public files, and these files are replicated among all domain controllers in the domain. When you create a GPO, Windows Server 2003 automatically creates the corresponding Group Policy template folder.

8.7.1: Group Policy Settings for Computers and Users

You can create a Group Policy object that contains configuration settings for computers or for users and apply them to computers and users respectively. Group Policy settings for computers can specify operating system settings, desktop settings, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. Computer-related Group Policy is applied when the operating system initializes and during the periodic refresh cycle. In general, computer Group Policy takes precedence over conflicting user Group Policy. Group Policy settings for users can specify operating system settings, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and logon and logoff scripts. User-related Group Policy is applied when users log on to the computer and during the periodic refresh cycle.

When a Windows 2000, Windows XP Professional or Windows Server 2003 client computer starts, it retrieves the list of GPOs that contain computer configuration settings and determines the order in which they should be applied. The computer then connects to the SYSVOL folder on the authenticating domain controller and locates the Registry.pol files that apply to the client computer in the Machine folder in the GPT for each GPO. The client computer writes the registry settings to the appropriate registry subtree, continues to initialize the operating system, and enforces the registry settings. When the registry settings have been enforced, the Logon dialog box appears. After the user has initiated the logon process, the client computer retrieves the list of GPOs that contain user configuration settings and determines the order in which they should be applied. The client computer then connects to the SYSVOL folder on the authenticating domain controller and locates the Registry.pol files that contain Group Policy settings that apply to the user in the User folder in the GPT for each GPO. The client computer writes these settings to the appropriate registry subtree, continues the logon process, and enforces the registry settings. When the registry settings have been enforced, the client computer displays the user's desktop.
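The Registry.pol files described above have a simple documented layout: a "PReg" signature and version number, followed by one [key;value;type;size;data] record per registry value, with the brackets and semicolons written as UTF-16LE characters. The following Python decoder is an added example, not part of the original text; it builds a small Registry.pol in memory from constructed entries (the key path, value names and URL are made up) and parses it, which is the same check an administrator can run against a Machine or User folder in SYSVOL to see exactly which registry values a GPO pushes to clients.

```python
"""Decode a Registry.pol file from a Group Policy template (GPT).

Added example, not part of the original text. The sample entries below
are constructed for illustration.
"""
import struct

PREG_SIGNATURE = b"PReg"   # file starts with "PReg" followed by version 1
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4


def _utf16z(text):
    """UTF-16LE string with the terminating null that Registry.pol uses."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Encode (key, value_name, reg_type, raw_data) tuples as Registry.pol bytes.

    Each entry is stored as [key;value;type;size;data]; the delimiters are
    UTF-16LE characters, type and size are little-endian DWORDs.
    """
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, reg_type, data in entries:
        out += "[".encode("utf-16-le")
        out += _utf16z(key) + ";".encode("utf-16-le")
        out += _utf16z(value) + ";".encode("utf-16-le")
        out += struct.pack("<I", reg_type) + ";".encode("utf-16-le")
        out += struct.pack("<I", len(data)) + ";".encode("utf-16-le")
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def _read_utf16z(buf, pos):
    """Read a null-terminated UTF-16LE string starting at pos."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, char):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2


def _decode_data(reg_type, data):
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()   # other types: leave as hex for manual review


def parse_registry_pol(buf):
    """Return a list of dicts, one per registry value the file sets.

    Value names beginning with '**del.' are deletion markers rather than
    values to write; they are returned unchanged so a reviewer sees them.
    """
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file (bad signature)")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append({"key": key, "value": value, "type": reg_type,
                        "data": _decode_data(reg_type, data)})
    return entries


# Constructed sample: two values an imaginary "Example" policy might set.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Example\\Desktop", "LockTimeoutSeconds",
     REG_DWORD, struct.pack("<I", 900)),
    ("Software\\Policies\\Example\\Desktop", "HelpdeskUrl",
     REG_SZ, _utf16z("https://helpdesk.example.invalid")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for entry in parse_registry_pol(SAMPLE_POL):
        print("%s\\%s = %r" % (entry["key"], entry["value"], entry["data"]))
```

To inspect a real file, read it in binary mode and pass the bytes to parse_registry_pol; the parser refuses files with a bad signature or version and raises on truncated records rather than silently returning partial results.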

8.7.2: Linking Group Policy Objects

You apply a GPO by linking it to sites, domains, and organizational units. This allows you to set centralized policies that affect the entire organization and decentralized policies that are set by department. The linking of a GPO to a site, domain, or organizational unit causes the Group Policy settings to affect user and computer objects in that site, domain, or organizational unit.

• You can link one GPO to multiple sites, domains, or organizational units in your network. This allows you to configure Group Policy settings that apply to users and computers in different sites, domains, or organizational units.

• You can create several GPOs, each for a different type of Group Policy setting, and link all of them to one site, domain, or organizational unit. These GPOs can also be linked to other organizational units.

You can create a GPO for domains and organizational units by using Active Directory Users and Computers.

• Click on the START button

• Point to PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Click on ACTIVE DIRECTORY USERS AND COMPUTERS

• Right-click the domain or organizational unit for which you want to create a GPO

• Click PROPERTIES

• On the Group Policy tab that appears, click NEW

• Type a name for the new GPO

• Press ENTER

• The GPO that you created appears in the list of GPOs that are associated with the organizational unit or domain on the Group Policy tab.

You can create a GPO for a site by using Active Directory Sites and Services.

• Click on the START button

• Point to PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Open ACTIVE DIRECTORY SITES AND SERVICES

• Right-click the site for which you want to create a GPO

• Click PROPERTIES

• On the Group Policy tab that appears, click NEW

• Type a name for the new GPO

• Press ENTER

• The GPO that you created appears in the list of GPOs that are associated with the site on the Group Policy tab.

Note: You must be a member of the Enterprise Admins group to create GPOs that are linked to sites.

You can apply existing Group Policy settings to additional Active Directory containers by linking the GPO that contains the required settings to those containers.

Note: To link a GPO to a site, domain, or organizational unit, you must have Read and Write permissions on the gPLink and gPOptions attributes for that site, domain, or organizational unit.

8.7.3: Group Policy Inheritance

Group Policy inheritance refers to the order in which Windows Server 2003 applies GPOs. This order determines which settings ultimately affect users and computers.

You can modify Group Policy inheritance to control how Group Policy settings are applied to specific computers and users: you can block, force, or filter the inheritance of Group Policy settings. You can prevent a child container from inheriting any GPOs from parent containers by enabling Block Policy Inheritance on the child container. However, you cannot choose which GPOs are blocked, because Block Policy Inheritance affects all GPOs from all parent containers.

If a link is configured with the No Override setting, Block Policy Inheritance cannot stop the inheritance of the GPO linked to the parent container, because the No Override setting takes precedence over the Block Policy Inheritance setting. The No Override setting causes all Group Policy settings in that GPO to apply, even if they conflict with settings in a GPO that is linked to a child container.

You can also modify Group Policy inheritance by using filtering. This allows you to prevent a GPO and its settings from applying to specific computers, users, and security groups in a container. This method is preferred over Block Policy Inheritance and No Override. For Group Policy to apply to a user or computer account, the account must have Allow Read and Allow Apply Group Policy permissions for the GPO.

8.7.4: Order of Application

The order in which Windows Server 2003 applies GPOs is based on the Active Directory container to which the GPOs are linked. Windows Server 2003 applies GPOs that are linked to sites first, then GPOs that are linked to domains, and then GPOs that are linked to Organizational Units. Thus, the Group Policy settings of the organizational unit of which a user or computer is a member are the final Group Policy settings that are applied.

Note: Local policies are always applied first. They should not be used in a domain environment because they will be overwritten by the Group Policies applied at the site, domain, or organizational unit levels. The exception is a member server running unique services, such as Internet Information Services (IIS).

8.7.5: Controlling the Processing of Group Policy

You can control the processing of Group Policy by specifying the refresh interval and configuring the client-side extensions to process unchanged Group Policy settings.

Computers running Windows Server 2003 and Windows 2000 refresh, or reapply, Group Policy settings at established intervals. This ensures that the settings are applied to computers and users, even if users never restart their computers or log off. By default, domain controllers refresh every five minutes, so critical new Group Policy settings, such as security settings, are applied to them within five minutes. By default, Windows 2000 Professional or Windows XP Professional computers, and Windows Server 2003 and Windows 2000 member servers, refresh every 90 minutes plus a randomized offset, which ensures that multiple computers do not contact a domain controller at the same time. You can change the default refresh values by modifying the Administrative Template settings for the user or computer configuration. However, Group Policy cannot be scheduled to refresh at a specific time. Software installation and folder redirection settings in a GPO are processed only when a computer starts or when the user logs on, not during the periodic refresh.

8.7.6: Resolving Conflicts Between Group Policy Settings

Group Policy settings in all of the GPOs that affect a user or computer account are applied, unless two or more settings conflict. If settings from a parent container GPO conflict with settings from a child container GPO, the settings in the child container GPO are applied last and take effect. If settings from GPOs that are linked to the same container conflict, the settings in the GPO at the top of the list of GPOs on the Group Policy tab of the Properties dialog box for the container are applied last and take effect. When computer and user settings conflict, in most instances the computer setting overrides the user setting and applies, even though the user setting was processed last. This override is not enforced by the Group Policy infrastructure; it is a convention that is followed by the operating system and by applications that use Group Policy.
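The rules in 8.7.3, 8.7.4 and 8.7.6 combine into one resolution procedure, and it is easy to predict the wrong effective setting when Block Policy Inheritance, No Override, security filtering and link order all interact. The following Python model is an added example, not part of the original text: it applies those rules to a constructed site/domain/OU chain (the container, GPO, group and setting names are made up) and reports which GPOs apply, in what order, and the resulting settings. It goes slightly beyond the text in one place, noted in the code: when more than one No Override link applies, the model applies the one nearest the root last, which is how Windows breaks that tie.

```python
"""Model of the Group Policy application order: site, domain, OU; Block
Policy Inheritance; No Override; security filtering; conflict resolution.

Added example, not part of the original text. All names and settings are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                      # setting name -> value
    apply_groups: set = field(default_factory=set)  # groups with Allow Read + Allow Apply Group Policy


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False           # "No Override" set on this link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # order as on the Group Policy tab, top first
    block_inheritance: bool = False     # "Block Policy Inheritance" set on this container


def gpo_order(chain, groups):
    """GPOs that apply to an account, in processing order (the last one wins).

    chain:  containers from the site down to the account's own OU
    groups: security groups of the account being evaluated
    """
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Block Policy Inheritance drops everything inherited from parents;
        # it cannot be selective, and it cannot drop No Override links.
        if container.block_inheritance:
            normal = []
        # The GPO at the top of the tab is applied last, so walk bottom-up.
        for link in reversed(container.links):
            if not (link.gpo.apply_groups & groups):
                continue    # filtered out: no Allow Read + Allow Apply Group Policy
            (enforced if link.no_override else normal).append((depth, link.gpo))
    # No Override links are applied after every child container's GPOs. When
    # several are enforced, the one nearest the root is applied last (this
    # tie-break is Windows behaviour, not stated in the section above).
    enforced.sort(key=lambda item: -item[0])
    return [gpo for _, gpo in normal] + [gpo for _, gpo in enforced]


def effective_settings(local_settings, chain, groups):
    """Merge settings: local policy first, then each GPO from gpo_order()."""
    merged = dict(local_settings)
    for gpo in gpo_order(chain, groups):
        merged.update(gpo.settings)     # a later GPO overwrites conflicting values
    return merged


def resolve_conflicts(computer, user):
    """Where computer and user configuration set the same item, the computer
    value applies even though user policy is processed later (an operating
    system and application convention, not enforced by the Group Policy engine)."""
    result = dict(user)
    result.update(computer)
    return result


# Constructed scenario: a site baseline, an enforced domain security GPO, and
# a Sales OU that blocks inheritance and carries three links of its own.
AUTH = {"Authenticated Users"}
CHAIN = [
    Container("Site-HQ", [Link(GPO("Site-Baseline",
             {"screensaver_timeout": 600, "allow_usb": True}, AUTH))]),
    Container("DC=example", [Link(GPO("Domain-Security",
             {"min_password_len": 12, "allow_usb": False}, AUTH), no_override=True)]),
    Container("OU=Sales", [
        Link(GPO("Sales-Desktop", {"screensaver_timeout": 300, "allow_usb": True}, AUTH)),
        Link(GPO("Sales-Legacy", {"screensaver_timeout": 1200}, AUTH)),
        Link(GPO("Contractor-Lockdown", {"cmd_prompt": "disabled"}, {"Contractors"})),
    ], block_inheritance=True),
]
LOCAL = {"screensaver_timeout": 0}     # local policy, always applied first

if __name__ == "__main__":
    print([g.name for g in gpo_order(CHAIN, AUTH)])
    print(effective_settings(LOCAL, CHAIN, AUTH))
    print(effective_settings(LOCAL, CHAIN, AUTH | {"Contractors"}))
```

In the scenario, Block Policy Inheritance on the Sales OU discards Site-Baseline but not the enforced Domain-Security link, so allow_usb ends up False even though Sales-Desktop, the top link in the OU, sets it to True; Sales-Desktop still wins over Sales-Legacy for the screensaver timeout, and Contractor-Lockdown is filtered out for any account that is not in the Contractors group.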