Windows 2003 Server

Chapter 9

Implementing and Using Group Policy



At the end of this chapter you should be able to:

  • Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection

  • Manage and troubleshoot Group Policy inheritance

  • Deploy and manage software using Group Policy

Introduction to Group Policy

Group policies are very powerful in Windows Server 2003.  They allow you to centrally manage your users' and computers' configurations.  They can do the following:

  • Configure desktop settings using administrative templates.

  • Control security settings for users and computers.

  • Assign scripts to user logon and logoff, and to computer startup and shutdown.

  • Redirect folders to a server location.  For example, you can redirect My Documents to a user's home folder on a server.  When the user saves to My Documents it will be redirected to the server.

  • Automatically install and maintain software.

Group Policy settings are stored in a Group Policy Object (GPO) in Active Directory and assigned to other objects in Active Directory.  There are two built-in GPOs:

  • Default Domain Policy - Applied to the domain.  This is the only place you can set Account Policies.

  • Default Domain Controller Policy - Applied to the Domain Controllers OU.

Group Policies can only be applied to Windows Server 2003, and Windows 2000/XP.  You must use System Policies for earlier Microsoft operating systems.


Creating a Group Policy Object

You can create group policies multiple ways; one way is to use the Group Policy snap-in.


LAB ACTIVITY - Do the lab on page 339. (10 Minutes)


Once you have created a GPO you can assign it to sites, domains, and organizational units.


LAB ACTIVITY - Do the lab on page 340. (10 Minutes)

LAB ACTIVITY - Do the lab on page 341. (15 Minutes)


Editing a GPO

A GPO is broken down into two sections.  The first is the Computer Configuration, the second is the User Configuration.  Each section has three subsections:

  • Software Settings - This is where you install, upgrade, and manage software.

  • Windows Settings - This is where you set logon scripts, IE settings, folder redirection etc.

  • Administrative Templates - All other settings that control the user desktop are here.

Each policy in the GPO has an Explain tab that will tell you more about the policy.  When you have finished creating a GPO it is stored in two places.  The Group Policy Container (GPC) is stored in Active Directory Users and Computers under System\Policies and is used to verify version information between Domain Controllers.  The Group Policy Template (GPT) is stored in the SYSVOL share under domainname\policies\ and holds all the settings.  Each policy is in a subfolder that has its Globally Unique Identifier (GUID) as its name.  A GUID is a 128-bit number that is unique in a forest.


LAB ACTIVITY - Do the lab on page 344. (5 Minutes)


Application of Group Policy

Group Policy settings are split into two sections, Computer Configuration and User Configuration.  When a computer starts, the Computer Configuration settings from the GPOs assigned to the computer are applied, then it sits at the logon screen.  Once a user logs on, the User Configuration settings from the GPOs assigned to the user are applied.

NOTE: There is a special policy called "User Group Policy loopback processing mode" that allows you to apply the User Configuration to a user from a policy that is assigned to the computer.


Controlling User Desktop Settings

We will jump in and start to configure user desktop settings in the next lab.


LAB ACTIVITY - Do the lab on page 346. (15 Minutes)


Managing Security Settings with Group Policy

Below is a list of security settings you can apply in a GPO.  We already covered Account Policies in Chapter 3; those settings can only be applied at the domain level.  The ones listed below can be applied at the Domain or OU levels.  They are listed as they appear in the book.

  • Local Policies - Applies security settings to the local account database of the workstation or server; settings may be overwritten at the site, domain, or OU level but remain in effect if there are no other policies at those levels.

    • Audit Policy - Defines various successful or unsuccessful events that can be audited and recorded in the event logs.

    • User Rights Assignment - Controls local computer rights that may be assigned to users or groups. (e.g., the right to log on locally or shut down the computer.)

    • Security Options - Defines a wide variety of configuration settings that adjust the registry (e.g., logon banner configurations, restricted floppy or CD-ROM access, and removing the last logged-on user from the logon screen.)

  • Event Log - Defines configuration settings for event log size, retention period, and access restrictions.

  • Restricted Groups - Gives the administrator the ability to control who is a member of any security group; each time the policy is refreshed, any users that have been added to the group by any means other than the security template are removed automatically; can also control the other groups to which a security group belongs.

  • System Services - Allows an Administrator control over service startup mode, disabling of a service, permissions to edit the service mode, and auditing of the service.

  • Registry - Defines security and auditing access control list (ACL) settings for Registry keys and subkeys; allows an administrator to control who has the ability to change or overwrite various registry settings.

  • File System - Defines and maintains NTFS security permissions and auditing permissions for any folder or file listed in the policy; files or folders must reside on an NTFS partition.

  • Wireless Network (IEEE 802.11) Policies - Defines security settings for wireless networks, including which wireless networks a client can connect to, whether access points should be used, and the data encryption settings.

  • Public Key Policies - Defines configuration settings for different public key-based applications like the Encrypted File System (EFS), certificate auto-enrollment settings, and Certificate Authority (CA) trusts.

  • Software Restriction Policies - Defines security settings for the deployment of software, such as the ability to manually define which file extensions are considered executable, control security settings of software-related Registry paths, and override software settings from other GPOs.

  • IP Security Policies on Active Directory - Defines different IP settings based on the role of a server or workstation; three default policies exist, but none are applied by default.

LAB ACTIVITY - Do the lab on page 349. (10 Minutes)

LAB ACTIVITY - Do the lab on page 351. (15 Minutes)


Assigning Scripts

One of the features of group policies is the ability to assign scripts to users and computers.  Scripts assigned to a computer run when the computer starts up or shuts down.  Scripts assigned to a user run when the user logs on or off.


LAB ACTIVITY - Do the lab on page 353. (15 Minutes)


Redirecting Folders

Folder redirection allows the administrator to redirect certain folders from a user's profile to a shared folder.  One of the folders you can redirect is My Documents.  If this folder is redirected to the user's home folder, anything the user saves to My Documents automatically goes to the server.  There are five folders you can redirect.

  • Application Data

  • Desktop

  • My Documents

  • My Pictures

  • Start Menu

You can also redirect these folders to the same location for each user.  For example, if you want all users to have the same icons on the desktop you can redirect their desktop to a shared folder on the server that contains those icons.

Managing Group Policy Inheritance

Group policies are applied in the following order:

  • Local computer policy

  • Site

  • Domain

  • Parent OU

  • Child OU

You can apply multiple policies at each level.  Policies that are applied later overwrite earlier policies.  So if a setting in a policy at the domain level conflicts with a policy at an OU the policy in the OU will win.


LAB ACTIVITY - Do the lab on page 358. (10 Minutes)


Configuring Block Policy Inheritance, No Override, and Filtering

Policies are inherited from parent containers by default.  You can change this by blocking policy inheritance, using the No Override option, and filtering.


Blocking Group Policy Inheritance

You might have an OU with users in it and a policy applied that sets proxy settings.  There are a few users in that OU that need the proxy disabled to do their job.  You can create a child OU and move those users to that OU and enable the Block Policy Inheritance option.  This way they won't get any policies besides the ones applied to that child OU.


Configuring No Override

The No Override option can be set on a policy to force it to be the dominant policy.  No policies lower in the OU structure can change a setting in a No Override policy.  A policy that is set to No Override will even apply to an OU that has the Block Policy Inheritance option set.


Filtering User Permissions

You can set the security of a GPO to disallow processing on some computers or users.  You do this by denying the user or computer Read and Apply Group Policy permissions.
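The precedence rules from the inheritance, Block Policy Inheritance, No Override and filtering sections above, modelled in Python as an added example (not code from the course or from Microsoft).  The containers, GPO names and settings are constructed, and the model assumes that GPOs linked to one container are applied in the order listed.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                  # setting name -> value
    no_override: bool = False       # the No Override option
    local: bool = False             # True only for the local computer policy
    # Security filtering: the principal needs Read + Apply Group Policy
    # (Authenticated Users by default) and must not be explicitly denied.
    allowed: set = field(default_factory=lambda: {"Authenticated Users"})
    denied: set = field(default_factory=set)

    def applies_to(self, identities: set) -> bool:
        return bool(identities & self.allowed) and not (identities & self.denied)

@dataclass
class Container:                    # local, site, domain, parent OU or child OU
    name: str
    gpos: list = field(default_factory=list)   # assumed applied in list order
    block_inheritance: bool = False

def processing_order(chain: list) -> list:
    """GPOs in the order the client applies them (later overwrites earlier);
    chain runs from the local computer policy down to the lowest OU."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            # Drops inherited GPOs, but never the local policy or a No Override GPO
            normal = [g for g in normal if g.local]
        for gpo in container.gpos:
            (enforced if gpo.no_override else normal).append(gpo)
    # No Override GPOs go last, the highest level last of all, so nothing
    # lower in the OU structure can change their settings.
    return normal + list(reversed(enforced))

def resultant_settings(chain: list, identities: set) -> dict:
    """Resultant set of policy for a principal holding these identities."""
    result = {}
    for gpo in processing_order(chain):
        if gpo.applies_to(identities):
            result.update(gpo.settings)
    return result

# Constructed sample data: a domain proxy GPO, a No Override screen-lock GPO,
# a users OU GPO denied to Helpdesk, and a child OU that blocks inheritance.
DOMAIN = Container("example.local", [
    GPO("Domain Proxy", {"ProxyEnabled": True, "ProxyServer": "proxy:8080"}),
    GPO("Screen Lock", {"ScreenSaverTimeout": 600}, no_override=True)])
USERS_OU = Container("Users OU", [GPO("Desktop Lockdown", {"HideRunMenu": True}, denied={"Helpdesk"})])
NOPROXY_OU = Container("NoProxy OU", [GPO("No Proxy", {"ProxyEnabled": False})], block_inheritance=True)
```

Calling resultant_settings([DOMAIN, USERS_OU, NOPROXY_OU], {"alice", "Authenticated Users"}) shows the blocked child OU keeping only its own proxy setting plus the No Override screen-lock setting.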


LAB ACTIVITY - Do the lab on page 362. (20 Minutes)

LAB ACTIVITY - Do the lab on page 363. (10 Minutes)


Troubleshooting Group Policy Settings

Sometimes group policies don't work the way they are supposed to, and there are some tools you can use to troubleshoot them.  GPUPDATE forces the computer to get an updated policy from the server; by default, policies are refreshed automatically about every 90 minutes on workstations and every 5 minutes on Domain Controllers.  Two other tools, GPRESULT and Resultant Set of Policy (RSoP), show which policies have been applied and report any errors.  You can also disable a portion of a policy to reduce processing time on the client.


LAB ACTIVITY - Do the lab on page 366. (10 Minutes)

Deploying Software Using Group Policy

A group policy can also be used to install software on your client PCs.


Software Preparation

Software installation in a group policy is done with an MSI file.  This contains all the information needed to install an application.  Most new software packages come with a preconfigured MSI to use for deployment.  If you have an application that you want to deploy and you don't have an MSI, you can create one with WinINSTALL from Veritas.



There are two ways you can deploy software with group policies in Windows Server 2003.  You can assign it, or you can publish it.  The list below outlines the differences for each configuration section.

  • Assign
    • Computer - Application installs when the computer starts up.  Installation finishes before the logon screen is displayed.
    • User - Application appears in the Start menu.  When the user clicks on the application it is installed.
  • Publish
    • Computer - N/A
    • User - Application appears in the Add or Remove Programs control panel under the Add New Programs section.


LAB ACTIVITY - Do the lab on page 369. (15 Minutes)

LAB ACTIVITY - Do the lab on page 371. (10 Minutes)


Software Maintenance

You have three options to maintain the software that you deploy.  You can do a mandatory upgrade, an optional upgrade, or a redeployment.


Software Removal

You can do a forced removal or an optional removal.
