
Windows 2000 Group Policies

Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies which are applied to sites, domains, and organizational units (OUs). Group policy may be blocked or set so it cannot be overridden. The default is for subobjects to inherit the policy of their parents. There is a maximum of 1000 applicable group policies.

Group policies are linked to domains, organizational units, or sites in Active Directory. A policy must be linked to a container object in Active Directory to be effective. A GPO is stored in one domain but can be linked to containers in other domains to make it effective there also. The policy must be linked to the container (site, domain, or OU) that it is stored in to be effective in that container. One policy object can be linked to several containers, and several policy objects can be linked to one container.

Group Policy Settings

Group policy settings only work for Windows 2000 computers. Settings that do the following may be applied with group policy:

  • Manage user environments - Wallpaper and other settings.
  • Manage scripts - Logon/logoff and startup/shutdown scripts.
  • Manage security - Event log settings, account policies, and more.
  • Manage software deployment - Applications may be automatically installed when the client computer starts.
  • Redirect folders - Folders on a local computer may be redirected to a network share.

Group Policy Types

Group policy types and their order of application are:

  • Local Policy
  • Site Linked Policies
  • Domain Linked Policies
  • Organizational Unit Policies

Group policy may be set globally using Active Directory or locally using Local Group Policy on individual computers. The files are stored:

  • Locally - SystemRoot\System32\GroupPolicy\
  • Globally - SystemRoot\SYSVOL\sysvol\domainname\Policies\ on domain controllers. The global group policy is made of a Group Policy Object (GPO) which is an Active Directory object and the files in this directory.

The GPT.INI file contains information about the policy. Group policy templates are in the system volume\public directory.

Group Policy Priorities

Group policy is inherited by child objects from their parents: if a parent object has a group policy, its children have the same policy. Group policies are applied down from the higher level objects to the lower level objects. The policies are cumulative unless they conflict, in which case the lower level policy applies to the object.

  1. Local or Roaming Individual user profile is applied. Local policies cannot be blocked.
  2. Local Group Policy is applied. Conflicts with individual policy are overridden by local group policy.
  3. Group Policy is applied. Conflicts with individual policy or local group policy are overridden by group policy. The group policies are processed in the following order based on the object they are linked to:
    1. Sites
    2. Domains
    3. Organizational Units

The normal behavior of policies can be modified with the following settings:

  • No Override - Normally the local policies or lower level policies take precedence. If this setting is made on a higher level policy, the lower level policy cannot modify it, and the policy with this setting takes precedence.
  • Block Policy - Group Policy Objects (GPOs) are entirely blocked or applied. The No Override option takes priority over the Block Policy option.

Policy application steps:

  1. When the computer is turned on, all group policies that are applicable to the computer are applied.
  2. Any group policy startup scripts are run.
  3. At user logon, after the user profile is set, all group policies for that user are applied.
  4. Any group logon scripts are run, then any individual logon scripts are run.
  5. At user logoff, group logoff scripts are run.
  6. At system shutdown, any group policy shutdown scripts associated with the computer are run.

Group policy is updated by Active Directory on domain controllers every 5 minutes and on all Windows 2000 computers that are not domain controllers every 90 minutes. These updates are requested by the computer, and the intervals may be modified by administrators.

Setting Group Policy

The creator of a policy and administrators have Full Control permission for policies. To set Group Policy, the user must have permission to Log on Locally on a domain controller.

Group policies can be set from any domain controller, but the one that is the best to use is the PDC Emulator domain controller.

All group policy object containers have a default policy. Group policies can be managed using the Group Policy Editor. There are two default policy nodes:

  • Computer configuration - Settings are applied to the computer and the user on the computer does not affect the settings.
  • User configuration

Both nodes contain three sections for various settings which are:

  • Administrative templates - Additional configuration for computer and user settings.
  • Software settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
  • Windows settings - The behavior of the operating system may be customized here.

The Microsoft Management Console (MMC) Group Policy snap-in is used to set local group policy. To start it, select "Start", "Run", and type "gpedit.msc". It also allows configuration of local Security Policies that may be set using the "Local Security Policy" Administrative Tool. The Group Policy snap-in on a remote computer may be used to set local Group Policies also. The following Local Group Policy settings are possible:

  • Computer Configuration - Applies to specific computers
    • Software Settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
    • Windows Settings - Used to manage startup and shutdown scripts.
      • Scripts (Startup/Shutdown)
      • Security Settings
        • Account Policies - Password and account lockout policy.
          • Account lockout policy - Set the reset interval between logon attempts. Set the failed logon counter reset interval. Set the duration of the lockout.
          • Password policy - Number of passwords remembered that can't be repeated. Maximum password age (42 default). Minimum password length.
          • Kerberos policy - Set lifetime of service tickets.
        • Local Policies - Audit, User rights, security options.
          • Audit policy - These may include Logon and logoff, File and object access, Use of user rights, User and group management, Security policy changes, System shutdown and restart, and Process Tracking.
          • User rights - Determines actions that a user can perform such as shutting the system down, change time, use the computer locally, and others.
          • Security options - Must be enabled by an administrator. Restricted groups are used to help automate group management. A user can be added to a restricted group temporarily and that user will be removed during the next security audit.
        • Event Log - Application, Security, and System log settings.
        • Restricted Groups - Ensures that certain group memberships are not modified locally.
        • System Services - Set services to automatic, manual, or disabled.
        • Registry - Registry settings to be affected by this group policy. Permissions for registry keys may be set up here.
        • File system - Security settings for files and directories on several computers can be set along with file system extension associations with applications.
        • Public Key Policies - Encrypted Data Recovery Agents, Automatic Certificate Request Settings, Trusted Root Certificate Authorities, and Enterprise Trust.
      • IP Security Policies on Active Directory - Rules for secure servers, servers, and clients. These rules control whether information sent between clients and the server is encrypted or secure. These are the default policies:
        • Client policy - Most communication is not secure (encrypted) but the client may request and get a secure channel.
        • Secured server policy - Only secure communication is attempted.
        • Server policy - The server attempts to use a secure channel, but if the client does not respond through the secure channel, an unsecure channel will be used.
    • Administrative Templates - Can be used to manage a user's environment. More templates may be added for applications by creating a unicode file (usually provided by the application creator) with the ".adm" extension. The .adm file causes the HKEY_LOCAL_MACHINE registry key to be changed.
      • Windows Components - Can configure the user's ability to use specific Windows programs or certain functions in those programs. Those programs include Internet Explorer, Task Scheduler, Windows Installer, and NetMeeting.
      • System - Settings for:
        • Disk quotas - Levels of warnings and hard limits may be set.
        • DNS clients - The DNS suffix may be set.
        • Group policy
        • Logon - Scripts at startup or shutdown may be configured to run.
        • Windows file protection - System files may be scanned.
      • Network - Can configure access to offline files and limit the user's ability to configure connection sharing.
      • Printers - Policies may allow local printers to be published in Active Directory.
  • User Configuration - Applies to specific users.
    • Software Settings - Applications can be assigned to computers or users. The application can be run by the user or on the computer on which they are assigned. Either a stub for the application or the application is installed.
    • Windows Settings - Used to manage logon, and logoff scripts. It is best to manage these scripts here rather than by configuring user account properties.
      • Internet Explorer maintenance - Settings:
        • Browser user interface settings
        • Connection settings
        • URLs section
        • Security zones
        • Programs settings
      • Scripts - User configuration scripts are run during logon and/or logoff.
      • Security Settings - Public key policies.
      • Remote Installation Service
      • Folder Redirection - Determines where users can get specific types of files. It is based on user groups or specific folders.
    • Administrative Templates - Can be used to manage group policy options. More templates may be added for applications by creating a unicode file (usually provided by the application creator) with the ".adm" extension. The .adm file causes the HKEY_CURRENT_USER registry key to be changed.
    • Windows Components - Can configure the user's ability to use specific Windows programs or certain functions in those programs. Those programs include:
      • Internet Explorer
      • Task Scheduler
      • Windows Installer
      • NetMeeting
      • Windows Explorer - Menu items may be disabled or removed.
      • Microsoft Management Console.
    • System - The configuration may be set so the user cannot change their password or logoff. The group policy refresh interval is configured here.
      • Logon/logoff settings - Logon and logoff scripts may be hidden so the user is unaware that they are run. Part of the Task Manager or its entirety may be disabled.
      • Group policy settings
    • Network - Can configure access to offline files and limit the user's ability to configure connection sharing.
    • Start Menu and Taskbar - Can remove some options.
    • Desktop - Desktop icons may be hidden.
    • Control Panel - Configure the user's ability to use the control panel and specific features. Specific applets or the entire control panel may be hidden.

Creating Group Policy Objects

There are several tools used to create and manage group policy objects. The most appropriate tool to use depends on the level the group policy object is at. The tools are as follows:

  • Active Directory Sites and Services Administrative tool - Used to create and manage Group Policy Objects (GPOs) that are associated with a site.
  • Active Directory Users and Computers Administrative tool - Used to create Group Policy Objects (GPOs) that are associated with an OU or domain.
  • MMC Group Policy snap-in - This tool, also called the "Group Policy Console" can be used to manage GPOs at any level.

Setting Group Policy

The Microsoft Management Console (MMC) Group Policy snap-in can be used to create and manage Group Policy objects if the user has the correct permissions. The Enterprise Admins and Domain Admins groups and domain Administrators have the correct permissions.

Group Policy inheritance is configured on the Active Directory container the GPO is in and on the object itself.

  • There is a "Block Policy Inheritance" checkbox in the Group Policy Tab on the object container's properties dialog box.
  • There is a "No Override: prevents..." checkbox in the Group Policy Tab on the object's properties dialog box.

In the case of a conflict between the two above settings, the "No Override: prevents..." checkbox option prevails. If this option is set on a parent container, the child cannot override the inheritance.
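The precedence rules above (local policy first, then site, domain and OU, with "No Override" beating "Block Policy Inheritance") and the earlier Group Policy Priorities section both describe the same resolution algorithm. The following Python model is an added illustration, not code from the original page; the container names, GPO names and setting names are constructed sample data, and it tracks which GPO supplied each effective setting so the effect of a block or a No Override is visible.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> value (constructed samples)
    no_override: bool = False    # "No Override" set on this policy


@dataclass
class Container:
    name: str                    # site, domain or OU (constructed names)
    gpos: list = field(default_factory=list)   # linked GPOs, in link order
    block_inheritance: bool = False            # "Block Policy Inheritance"


def resolve(local, chain):
    """Apply the Local Group Policy first, then the AD containers in
    site -> domain -> OU order. Lower-level settings win conflicts unless a
    higher-level GPO is marked No Override. Returns (effective settings,
    name of the GPO that supplied each setting)."""
    effective = dict(local.settings)
    winner = {k: local.name for k in local.settings}
    locked = set()     # settings fixed by a higher-level No Override GPO

    for container in chain:
        if container.block_inheritance:
            # Block Policy Inheritance discards everything inherited from
            # parent containers, except settings from No Override GPOs,
            # which take priority over the block.
            kept = {k for k in effective if k in locked}
            effective = {**local.settings, **{k: effective[k] for k in kept}}
            winner = {**{k: local.name for k in local.settings},
                      **{k: winner[k] for k in kept}}
        for gpo in container.gpos:
            for key, value in gpo.settings.items():
                if key in locked:
                    continue       # conflict: the higher No Override wins
                effective[key] = value
                winner[key] = gpo.name
            if gpo.no_override:
                locked.update(gpo.settings)
    return effective, winner


def demo():
    """Constructed scenario: a domain security GPO marked No Override, and a
    Sales OU that blocks inheritance and tries to weaken the password rule."""
    local = GPO("LocalGPO", {"hide_run": True, "wallpaper": "local.bmp"})
    site = Container("Site-HQ", [GPO("SiteGPO", {"wallpaper": "site.bmp"})])
    domain = Container("example.local", [
        GPO("DomainSecurity", {"min_password_len": 8, "wallpaper": "corp.bmp"},
            no_override=True),
        GPO("DomainDesktop", {"hide_run": False}),
    ])
    sales = Container("OU=Sales",
                      [GPO("SalesGPO", {"min_password_len": 4,
                                        "logon_script": "sales.bat"})],
                      block_inheritance=True)
    return resolve(local, [site, domain, sales])


if __name__ == "__main__":
    effective, winner = demo()
    for key in sorted(effective):
        print(f"{key:17} = {effective[key]!s:10} (from {winner[key]})")
```

In the demo the block at the Sales OU throws away DomainDesktop's `hide_run` (so the local value returns), but the No Override `DomainSecurity` settings survive the block and the OU's weaker `min_password_len` is ignored.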

GPO Security

GPO security is used to specify the users and groups that can modify the GPO settings and to specify those to whom they apply as follows:

  • The Group Policy settings apply to users and groups that have the Active Directory read and apply group policy permissions to the GPO. Authenticated Users have these settings apply by default.
  • Users or groups that have the Active Directory read and write permissions to the GPO can modify the GPO settings.

The Object's or container's properties dialog box (Select "Action", "Properties") group policy tab, GPO's security tab is where the security settings are modified. This is done in the Administrative Tool "Active Directory Sites and Services" or "Active Directory Users and Computers". This allows policies to be set, or "filtered" so they only affect specific users or groups. When these permissions for the group policy objects are modified, the Discretionary Access Control List (DACL) for the policy object is modified. The DACL must permit the groups that the policy is for to have both "Read" and "Apply Group Policy" permission.
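To make the filtering rule concrete, here is an added Python model of how a GPO's DACL decides whether the policy applies to a given user; it is not code from the original page. The ACE entries, principal and group names are constructed samples. The rule that an explicit Deny removes a right even when another entry allows it is the standard Windows DACL evaluation, assumed here rather than stated on the page.

```python
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass(frozen=True)
class ACE:
    trustee: str        # user or group name (constructed)
    access: str         # "Allow" or "Deny"
    rights: frozenset   # subset of {READ, APPLY, "Write", ...}


def granted_rights(dacl, principal, groups):
    """Rights the DACL yields for a principal with the given group
    memberships. Any Deny ACE on a matching trustee wins over Allow."""
    trustees = {principal, *groups}
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.trustee not in trustees:
            continue
        (denied if ace.access == "Deny" else allowed).update(ace.rights)
    return allowed - denied


def gpo_applies_to(dacl, principal, groups):
    """The GPO applies only when both Read and Apply Group Policy are granted."""
    return {READ, APPLY} <= granted_rights(dacl, principal, groups)


# Default DACL: Authenticated Users have Read and Apply Group Policy.
DEFAULT_DACL = [ACE("Authenticated Users", "Allow", frozenset({READ, APPLY}))]

# Filtered DACL: Apply Group Policy removed from Authenticated Users so the
# policy reaches only Sales, and Managers are explicitly denied it.
FILTERED_DACL = [
    ACE("Authenticated Users", "Allow", frozenset({READ})),
    ACE("Sales", "Allow", frozenset({READ, APPLY})),
    ACE("Managers", "Deny", frozenset({APPLY})),
]

if __name__ == "__main__":
    for who, groups in [("alice", {"Authenticated Users", "Sales"}),
                        ("bob", {"Authenticated Users"}),
                        ("carol", {"Authenticated Users", "Sales", "Managers"})]:
        print(who, "default:", gpo_applies_to(DEFAULT_DACL, who, groups),
              "filtered:", gpo_applies_to(FILTERED_DACL, who, groups))
```

A useful check when a GPO unexpectedly does or does not apply is to walk the DACL this way for the affected user's groups: a missing "Apply Group Policy" right and a Deny inherited through a group membership are the two common causes.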

Linking GPOs

A GPO may be linked to another container. When this is done a new GPO, pointing to the original GPO, is created. The GPO settings of the original GPO apply to all objects it is linked to. At this point the new GPO may be modified and the new settings will apply only to the new GPO. If settings in the original GPO are modified, the settings in the linked GPOs will also be changed.

Group Policy Application Order

Groups are listed by priority in the System Policy Editor dialog box, Group Priority tab. When a user is in multiple groups, the highest priority group's policy applies. The groups may be moved up and down the list, which sets their relative priorities.

Using Group Policy for Software Deployment

Methods:

  • Assign the application to a computer - The application shortcut appears in the user start menu, and the application is installed the first time the user runs it.
  • Assign the application to a user - The application is installed the next time the computer is booted.
  • Publish the application to the user - The application is installed the first time the user opens a document that is associated with the application. Once installed, the start menu lists the application.

Installation steps:

  1. Prepare application for deployment if it is not in a Windows installer file (ending with .msi). Do one of:
    • Convert the file to a Windows installer file.
      1. Use WinINSTALL LE to repackage the application as a Windows installer file. This program is on the Windows 2000 Server CD in \VALUEADD\3RDPARTY\WINSTLE.
    • Create application installation instructions in a text file ending with ".zap". These applications can only be published. A .zap file has two sections:
      • [Application] - Give "FriendlyName = " and "SetupCommand =" on two separate lines followed by the appropriate information.
      • [Ext] - List extensions to be associated with the application on separate lines followed by "=".
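As an added example (not code from the original page), the following Python script parses and validates a .zap file of the shape just described: it requires the [Application] section with both FriendlyName and SetupCommand, and collects the extensions listed under [Ext]. The sample .zap text, including the server path, is constructed.

```python
import configparser

# Constructed sample .zap file; the UNC path and product name are made up.
SAMPLE_ZAP = r"""
[Application]
FriendlyName = Contoso Viewer 1.0
SetupCommand = \\fileserver\apps\viewer\setup.exe /quiet

[Ext]
CVW=
CVX=
"""


def parse_zap(text):
    """Return {"name", "setup", "extensions"} for a .zap file, or raise
    ValueError when a required section or key is missing."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str          # keep key case (FriendlyName, CVW)
    parser.read_string(text)

    if not parser.has_section("Application"):
        raise ValueError("missing [Application] section")
    app = parser["Application"]
    for key in ("FriendlyName", "SetupCommand"):
        if not app.get(key):
            raise ValueError(f"[Application] needs a non-empty {key}")

    # Each [Ext] line is "<extension>=" ; only the key carries information.
    extensions = []
    if parser.has_section("Ext"):
        extensions = [ext.lstrip(".").upper() for ext in parser["Ext"]]

    return {"name": app["FriendlyName"],
            "setup": app["SetupCommand"],
            "extensions": extensions}


if __name__ == "__main__":
    print(parse_zap(SAMPLE_ZAP))
```

Because a .zap package is just a command line run on the client, the SetupCommand path is worth reviewing before publishing: it should point at a share that only administrators can write to, since whatever setup program is at that path will run on every client that installs the application.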

Group policies can also be used to:

  • Deploy service packs
  • Create application categories
  • Maintain or upgrade software
  • Remove previously deployed applications.

Policy Refresh Intervals

The default refresh interval for policies is 90 minutes. The default refresh interval for domain controllers is 5 minutes. The refresh interval of a group policy object may be changed in the group policy object itself. The appropriate refresh interval depends on link speed: a slow network should have longer refresh intervals. A slow link is defined as one slower than 500 Kbps.