Group Policy Therapy
Get more work done. In this first of three parts, Harry Brelsford
explains the advantages of this jewel of Win2K technology.
This month, I begin a three-part installment on Group Policy, the jewel
of the Win2K Server crown. Before jumping into the details, let me provide
some historical context. When Win2K was introduced more than a year ago,
the focus was on Active Directory. As time passed, AD remained important,
but another feature caught the fancy of the MCSE community: Group Policy.
Microsoft and the reseller and consulting community were seeking the
"killer application" that would drive the sales of both Win2K Server and
Professional. Over time, it became apparent that AD alone wouldn't motivate
more buyers to purchase Win2K. Over the next three months, I'll show you
why Group Policy is the killer application and how it justifies the move
to Win2K Server (on the server side) and Professional (on the user desktop
Group Policy Definition
Group Policy is Microsoft's implementation of the centralized management
paradigm to computing that has truly come full circle from host-based
(read "mainframe") from a generation (or two) ago. Group Policy is also
the evolution of system policy in Windows NT to something bigger and better
in Win2K. From a business perspective, Group Policy holds the promise
of reduced Total Cost of Ownership (TCO). The idea is that, by implementing
Group Policy, you can reduce live visits to the user's desktop machine
to install software or perform configuration activity. This translates
into great savings in an environment (information technology) in which
some of the most significant expenses are professional services (your
salary or consulting fees).
|A prerequisite for Group Policy is a homogeneous Win2K
network. This fact is often overlooked by many MCSEs without Win2K
experience. Your server must be Win2K Server and your client
workstations must be Win2K Professional. This isn't to say that you
can't play a trick to get around this homogeneous requirement. For
example, you can use a Terminal Services session on a legacy (i.e.
Windows 9x) workstation to get around this requirement. Why? Because
the Terminal Services session is effectively Win2K Professional.
For more information on Terminal Services, see my February 2001
Note that Group Policy can be applied to an organizational unit (OU),
a domain or a site in AD. These terms, as well as a long and loud primer
on AD, can be found in my April 2000 column (which can still be found
on this site). It's been my experience that most people apply Group Policy
at the OU level to isolate the scope of the settings. When you apply Group
Policy at the domain level, it can get much more complex. The settings
are inherited by default by the lower-level object in the domain, such
as the OUs. Let's just say it can get crazy pretty darn fast!
In a nutshell, Group Policy is a collection of capabilities that greatly
assist in the configuration and management of both users and machines.
I've outlined these capabilities below.
Users and Computers
First and foremost, understand that Group Policy is "applied" to two objects
in AD: users and computers. Thus, you can apply settings to a user regardless
of which Win2K Professional machine they use, a computer regardless of
which user logs on or both the user and computer (a combination of the
two; see Figure 1).
|Figure 1. The Group Policy MMC displaying Computer
Configuration and User Configuration. Notice that all capabilities of
Group Policy are expanded and displayed. (Click image to view larger
One of the best features of Group Policy is its ability to install software
on client machines. A practical example of this is the installation of
new and upgraded applications on your fleet of desktop computers, circumventing
the need for live visits to each machine. This feature also allows for
a quick recovery from a desktop disaster. Imagine the following: An executive
in your organization travels with her laptop, which is lost by the airlines.
Upon her return to the office, you learn of this incident and requisition
a new laptop for the executive. The laptop quickly arrives; after configuring
the machine for Win2K networking, you log on as the executive. At that
point, Group Policy installs the baseline applications that the executive
used on the lost laptop.
One of the only tricky parts about the Group Policy software installation
capabilities is the requirement that you use Windows Installer package
(which is an *.msi) file. This is relatively easy to create and is often
provided by the independent software vendor (ISV) supporting the Win2K
application. Ironically, the software installation capability in Small
Business Server 2000 (via the Setup Computer Wizard) won't work with *.msi
files and the software installation capability in Group Policy will only
work with *.msi files. Hmmm... Is the left hand not working with the right
hand in Redmond?
The dialog box where you specify the *.msi file for the software installation
capability in Group Policy is shown in Figure 2.
|Figure 2. Be sure you've got your Windows
Installer package ready to go when using the software installation
capability in Group Policy. (Click image to view larger version.)
Group Policy is known for its ability to lock down the goods on a machine.
One place you can do this is with Windows Settings, seen in Figure 3.
Here you can specify a number of settings, specifically for security and
scripts. The Windows Settings area is a very rich part of Group Policy,
something you would find if you poked around and expanded some of the
|Figure 3. As an example, Windows Settings allows
you to enforce complex passwords for a machine or a user. (Click image
to view larger version.)
One of the smart things that Microsoft did to save time for MCSEs using
Group Policy was to create templates. Stepping back in time, this is akin
to the Security Configuration Editor templates that appeared as part of
Service Pack 4 late in the life of Windows NT Server. The concept of templates
is simple: provide some pre-configured settings for the most popular uses
of Group Policy in order to save administration time. So instead of conceptualizing
down to a very fine level of detail, you can simply trot around the Administrative
Templates, find the settings you like, such as "enabling" the Disable
changing proxy settings in Figure 4, and be home in time for dinner!
|Figure 4. The richest area of detail in Group Policy
is arguably the detailed settings you can configure under Administrative
Templates. (Click image to view larger version.)
In the next two months, I will dedicate columns to Windows Settings
and Administrative Templates.
Creating a Group Policy Object (GPO)
No Win2K Foundations column is worth its salt if there isn't a step-by-step,
hands-on exercise for you to complete, and this column won't depart from
that standard. As you've now been introduced to Group Policy, create a
Group Policy Object (GPO) for an OU (which you'll also create). In the
following two months, you will apply Group Policy settings in this sample
- Log on as an Administrator at the Win2K Server machine.
- Click Start | Programs | Administrative Tools | AD Users | Computers.
- In the left pane, the existing folders and OUs will be displayed.
Right-click directly below the last object in this pane and select New
| Organizational Unit from the secondary menu.
- Name the OU after a department in a business (for example, I'll assume
you name the OU as Marketing). Click OK.
- Right-click on the Marketing OU. Select Properties from the secondary
- Select Group Policy.
- Click Add and, while the text field of the new GPO has the focus (and
can be edited by typing), type One as the GPO name. The result should
look similar to Figure 5.
|Figure 5. Creating your first GPO in Win2K!
And there you have it! You've created your first GPO and are well on
your way to working with Group Policy. If you'd like to see the details
of your GPO, click Edit and your screen should look similar to some of
the screenshots shown earlier in this column.
This month's column provides the foundation to move forward in the detailed
study of Group Policy. I will start with software settings and security
next month. A couple of closing thoughts to consider:
Understand that the possibilities are darn near endless with Group Policy.
Not only are there hundreds of built-in settings, but you can create your
own policy settings to further extend the management paradigm of Group
When planning for Group Policy, be sure to take a few
minutes to consult references such as the online help
system and the Windows 2000 Server Resource Kit to learn
about inheritance. You need to think through which order
Group Policy should be applied from the site, domain and
|Figure 6. Group Policy settings
have a robust and informative explanation tab.
A wealth of information about each Group Policy setting
is displayed when you click the Explanation tab for any
settings. An example of this is shown in Figure 6. I've
found the Explanation tab to be one of the secrets to
learning about Group Policy.
Bainbridge Island, Washington author Harry Brelsford is the CEO of NetHealthMon.com, a Small Business Server consulting and networking monitoring firm. He publishes the "Small Business Best Practices" newsletter ([email protected]com), and is the author of several IT books, including MCSE Consulting Bible (Hungry Minds) and Small Business Server 2000 Best Practices (Hara Publishing).