Windows 2003 Server
Implementing and Using Group Policy
At the end of this chapter you should be able to:
Introduction to Group Policy
Group policies are very powerful in Windows Server 2003. They allow you to centrally manage user and computer configurations. They can do the following:
Group policy settings are stored in a Group Policy Object (GPO) in Active Directory and assigned to other objects in Active Directory. There are two built-in GPOs:
Group Policy can only be applied to Windows 2000, Windows XP, and Windows Server 2003. You must use System Policies for earlier Microsoft operating systems.
Creating a Group Policy Object
You can create group policies multiple ways; one way is to use the Group Policy snap-in.
LAB ACTIVITY - Do the lab on page 339. (10 Minutes)
Once you have created a GPO you can assign it to sites, domains, and organizational units.
LAB ACTIVITY - Do the lab on page 340. (10 Minutes)
LAB ACTIVITY - Do the lab on page 341. (15 Minutes)
Editing a GPO
A GPO is broken down into two sections. The first is the Computer Configuration, the second is the User Configuration. Each section has three subsections:
Each policy in the GPO has an Explain tab that describes the setting in more detail. When you have finished creating a GPO it is stored in two places. The Group Policy Container (GPC) is stored in Active Directory (visible in Active Directory Users and Computers under System\Policies) and is used to verify version information between domain controllers. The Group Policy Template (GPT) is stored in the SYSVOL share under domainname\policies\ and holds all the settings. Each policy is in a subfolder named with its Globally Unique Identifier (GUID). A GUID is a 128-bit number that is unique within a forest.
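The GPT side of that split is plain files, so it can be inspected without any console. The following is an added example, not code from the course notes: it builds a constructed SYSVOL\domainname\Policies tree in a temporary directory (a real one is only reachable on a domain controller), walks the GUID-named folders, and decodes each GPT.INI. The domain name example.local, the display names and the version numbers are made up; the two folder GUIDs are the well-known GUIDs of the two built-in GPOs. The packed Version value in GPT.INI carries the Computer Configuration version in its low 16 bits and the User Configuration version in its high 16 bits, and the same number is held on the matching GPC object in Active Directory, which is what the version check between domain controllers compares.

```python
"""Decode GPT.INI version numbers from a SYSVOL-style Policies folder.

Added example, not code from the course notes. build_sample_sysvol()
creates a constructed SYSVOL\\domainname\\Policies tree in a temporary
directory; example.local, the display names and the versions are made up,
the two folder GUIDs are the well-known GUIDs of the two built-in GPOs.

GPT.INI holds one packed 32-bit Version value: the low 16 bits are the
Computer Configuration version, the high 16 bits the User Configuration
version. The same number is stored on the GPC object in Active Directory,
so a GPT/GPC mismatch is the first sign of a SYSVOL replication problem.
"""
from __future__ import annotations

import configparser
import re
import tempfile
from pathlib import Path

# A GPO folder is named after its GUID, braces included.
GUID_FOLDER = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample data: (display name, packed Version) per well-known GUID.
SAMPLE_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": ("Default Domain Policy", 65539),  # user 1, computer 3
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": ("Default Domain Controllers Policy", 2),  # user 0, computer 2
}


def split_version(version: int) -> tuple[int, int]:
    """Return (computer_version, user_version) from the packed GPT.INI Version."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def read_gpt_ini(gpo_folder: Path) -> dict:
    """Parse <gpo_folder>/GPT.INI and return its name and decoded versions."""
    ini_path = gpo_folder / "GPT.INI"
    if not ini_path.is_file():
        raise FileNotFoundError(f"{gpo_folder.name} has no GPT.INI")
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep 'displayName' exactly as written
    with ini_path.open(encoding="utf-8") as handle:
        parser.read_file(handle)
    version = int(parser["General"]["Version"])
    computer, user = split_version(version)
    return {
        "guid": gpo_folder.name,
        "display_name": parser["General"].get("displayName", ""),
        "version": version,
        "computer_version": computer,
        "user_version": user,
    }


def inventory_policies(policies_root: Path) -> list[dict]:
    """One record per GUID-named folder; anything else in the share is ignored."""
    return [
        read_gpt_ini(entry)
        for entry in sorted(policies_root.iterdir())
        if entry.is_dir() and GUID_FOLDER.match(entry.name)
    ]


def matches_gpc(gpt_record: dict, gpc_version_number: int) -> bool:
    """True when the SYSVOL copy and the AD versionNumber attribute agree."""
    return gpt_record["version"] == gpc_version_number


def build_sample_sysvol(root: Path) -> Path:
    """Create the constructed Policies tree and return its path."""
    policies = root / "SYSVOL" / "example.local" / "Policies"
    for guid, (name, version) in SAMPLE_GPOS.items():
        gpo_dir = policies / guid
        (gpo_dir / "Machine").mkdir(parents=True)
        (gpo_dir / "User").mkdir()
        (gpo_dir / "GPT.INI").write_text(
            f"[General]\nVersion={version}\ndisplayName={name}\n", encoding="utf-8"
        )
    (policies / "NotAPolicy").mkdir()  # stray folder the inventory must skip
    return policies


def demo() -> list[dict]:
    """Build the sample tree, inventory it, and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_policies(build_sample_sysvol(Path(tmp)))


if __name__ == "__main__":
    for record in demo():
        print(f"{record['guid']} {record['display_name']!r}: "
              f"computer v{record['computer_version']}, user v{record['user_version']}")
```

Pointing inventory_policies() at a real Policies folder and comparing each record with the versionNumber attribute of the corresponding GPC object shows at a glance which GPOs have not replicated consistently.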
LAB ACTIVITY - Do the lab on page 344. (5 Minutes)
Application of Group Policy
Group Policy settings are split into two sections, Computer Configuration and User Configuration. When a computer starts, the Computer Configuration settings from the GPOs assigned to the computer are applied, and the computer then waits at the logon screen. Once a user logs on, the User Configuration settings from the GPOs assigned to that user are applied.
NOTE: There is a special policy called "User Group Policy loopback processing mode" that allows you to apply the User Configuration to a user from a policy that is assigned to the computer.
Controlling User Desktop Settings
We will jump in and start to configure user desktop settings in the next lab.
LAB ACTIVITY - Do the lab on page 346. (15 Minutes)
Managing Security Settings with Group Policy
Below is a list of security settings you can apply in a GPO. We already covered Account Policies in Chapter 3; those settings can only be applied at the domain level. The ones listed below can be applied at the domain or OU level. They are listed as they appear in the book.
LAB ACTIVITY - Do the lab on page 349. (10 Minutes)
LAB ACTIVITY - Do the lab on page 351. (15 Minutes)
One of the features of group policies is the ability to assign scripts to users and computers. Scripts assigned to a computer run when the computer starts up or shuts down. Scripts assigned to a user run when the user logs on or off.
LAB ACTIVITY - Do the lab on page 353. (15 Minutes)
Folder redirection allows the administrator to redirect certain folders from a user's profile to a shared folder. One of the folders you can redirect is My Documents. If this folder is redirected to the user's home folder, anything the user saves to My Documents automatically goes to the server. There are five folders you can redirect.
You can also redirect these folders to the same location for each user. For example, if you want all users to have the same icons on the desktop you can redirect their desktop to a shared folder on the server that contains those icons.
Managing Group Policy Inheritance
Group policies are applied in the following order:
You can apply multiple policies at each level. Policies that are applied later overwrite earlier policies. So if a setting in a policy at the domain level conflicts with a policy at an OU level, the policy in the OU wins.
LAB ACTIVITY - Do the lab on page 358. (10 Minutes)
Configuring Block Policy Inheritance, No Override, and Filtering
Policies are inherited from parent containers by default. You can change this by blocking policy inheritance, by using the No Override option, and by filtering.
Blocking Group Policy Inheritance
You might have an OU with users in it and a policy applied that sets proxy settings. There are a few users in that OU that need the proxy disabled to do their job. You can create a child OU and move those users to that OU and enable the Block Policy Inheritance option. This way they won't get any policies besides the ones applied to that child OU.
Configuring No Override
The No Override option can be set on a policy to force it to be the dominant policy. No policies lower in the OU structure can change a setting in a No Override policy. A policy that is set to No Override will even apply to an OU that has the Block Policy Inheritance option set.
Filtering User Permissions
You can set the security of a GPO to disallow processing on some computers or users. You do this by denying the user or computer Read and Apply Group Policy permissions.
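The three mechanisms above interact, and the outcome is easiest to see by working it through. The following is an added example, not code from the course notes: it models the site, domain and OU chain, multiple GPOs per container applied in order with later ones overwriting earlier ones, Block Policy Inheritance, No Override, and filtering by a denied Apply Group Policy permission, then resolves the effective settings for a user. The GPO names, settings, OU names and the group Proxy-Exempt are constructed to mirror the proxy scenario described above; the Local Computer Policy is deliberately left out of the model, and settings are treated as a flat name-to-value map.

```python
"""Model how GPOs combine across Site, Domain and OU links when Block Policy
Inheritance, No Override and permission filtering are in play.

Added example, not code from the course notes. GPO names, settings, OU
names and the group Proxy-Exempt are constructed; the Local Computer
Policy is not modelled. Later-applied GPOs overwrite earlier ones.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LEVEL_ORDER = ("site", "domain", "ou")


@dataclass
class GPO:
    name: str
    settings: dict[str, str]
    no_override: bool = False
    # Groups explicitly denied Read and Apply Group Policy on this GPO.
    deny_apply: frozenset[str] = frozenset()


@dataclass
class Container:
    name: str
    level: str  # "site", "domain" or "ou"
    gpos: list[GPO] = field(default_factory=list)  # processing order; later wins
    block_inheritance: bool = False


def resolve(chain: list[Container], principal_groups: set[str]) -> tuple[dict[str, str], list[str]]:
    """Return (effective settings, GPO names in the order they were applied).

    chain runs from the site down to the OU holding the user or computer;
    principal_groups are the groups that user or computer belongs to.
    """
    last_rank = -1
    for container in chain:
        rank = LEVEL_ORDER.index(container.level)
        if rank < last_rank:
            raise ValueError(f"{container.name}: containers must run site -> domain -> OU")
        last_rank = rank

    normal: list[GPO] = []    # ordinary GPOs, top of the hierarchy first
    enforced: list[GPO] = []  # No Override GPOs, top of the hierarchy first
    for container in chain:
        if container.block_inheritance:
            normal.clear()  # drops inherited GPOs, but never No Override ones
        for gpo in container.gpos:
            if gpo.deny_apply & principal_groups:
                continue  # filtered out: Apply Group Policy denied
            (enforced if gpo.no_override else normal).append(gpo)

    effective: dict[str, str] = {}
    applied: list[str] = []
    # Ordinary GPOs apply top-down so the OU wins; No Override GPOs apply
    # afterwards, bottom-up, so the highest No Override link wins conflicts.
    for gpo in normal + list(reversed(enforced)):
        effective.update(gpo.settings)
        applied.append(gpo.name)
    return effective, applied


def build_sample_chains() -> dict[str, list[Container]]:
    """Constructed hierarchy mirroring the proxy scenario in the notes."""
    site = Container("HQ-Site", "site",
                     [GPO("Site Printers", {"default_printer": "HQ-Floor1"})])
    domain = Container("example.local", "domain", [
        GPO("Domain Desktop", {"wallpaper": "corp.bmp",
                               "proxy": "proxy.example.local:8080"}),
        GPO("Domain Security", {"screensaver_timeout": "600"}, no_override=True),
    ])
    sales = Container("Sales", "ou", [
        GPO("Sales Proxy", {"proxy": "salesproxy.example.local:8080"},
            deny_apply=frozenset({"Proxy-Exempt"})),
        GPO("Sales Lockdown", {"screensaver_timeout": "900"}, no_override=True),
    ])
    no_proxy = Container("Sales/NoProxy", "ou",
                         [GPO("No Proxy", {"proxy": "disabled"})],
                         block_inheritance=True)
    return {"sales": [site, domain, sales],
            "sales_noproxy": [site, domain, sales, no_proxy]}


if __name__ == "__main__":
    chains = build_sample_chains()
    for chain_name, groups in (("sales", set()), ("sales", {"Proxy-Exempt"}), ("sales_noproxy", set())):
        effective, applied = resolve(chains[chain_name], groups)
        print(chain_name, sorted(groups), applied, effective)
```

Three things are worth noticing in the output: a Sales user in Proxy-Exempt falls back to the domain proxy rather than to no proxy at all, because filtering removes one GPO without blocking the ones above it; the child OU with Block Policy Inheritance loses the wallpaper and printer settings but still receives the No Override screensaver timeout; and the domain's No Override value beats the OU's No Override value, the reverse of the usual OU-wins rule.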
LAB ACTIVITY - Do the lab on page 362. (20 Minutes)
LAB ACTIVITY - Do the lab on page 363. (10 Minutes)
Troubleshooting Group Policy Settings
Sometimes group policies don't work the way they are supposed to. There are some tools you can use to troubleshoot policies. GPUPDATE forces the computer to get an updated policy from the server; by default, policies are refreshed automatically about every 90 minutes on workstations and every 5 minutes on domain controllers. Two other tools, GPRESULT and Resultant Set of Policy (RSoP), show which policies have been applied and report any errors. You can also disable a portion of a policy to reduce processing time on the client.
LAB ACTIVITY - Do the lab on page 366. (10 Minutes)
Deploying Software Using Group Policy
A group policy can also be used to install software on your client PCs.
Software installation in a group policy is done with an MSI file, which contains all the information needed to install an application. Most new software packages come with a preconfigured MSI to use for deployment. If you have an application that you want to deploy and you don't have an MSI, you can create one with WinINSTALL from Veritas.
There are two ways you can deploy software with group policies in Windows Server 2003. You can assign it, or you can publish it. The table below outlines the differences.
LAB ACTIVITY - Do the lab on page 369. (15 Minutes)
LAB ACTIVITY - Do the lab on page 371. (10 Minutes)
You have three options to maintain the software that you deploy. You can do a mandatory upgrade, an optional upgrade, or a redeployment.
To remove deployed software, you can do a forced removal or an optional removal.