Windows Foundation

Group Policy Therapy

Get more work done. In this first of three parts, Harry Brelsford explains the advantages of this jewel of Win2K technology.

This month, I begin a three-part installment on Group Policy, the jewel of the Win2K Server crown. Before jumping into the details, let me provide some historical context. When Win2K was introduced more than a year ago, the focus was on Active Directory. As time passed, AD remained important, but another feature caught the fancy of the MCSE community: Group Policy.

Microsoft and the reseller and consulting community were seeking the "killer application" that would drive the sales of both Win2K Server and Professional. Over time, it became apparent that AD alone wouldn't motivate more buyers to purchase Win2K. Over the next three months, I'll show you why Group Policy is the killer application and how it justifies the move to Win2K Server (on the server side) and Professional (on the user desktop side).

Group Policy Definition
Group Policy is Microsoft's implementation of the centralized management paradigm in computing, which has truly come full circle from the host-based (read "mainframe") model of a generation (or two) ago. Group Policy is also the evolution of system policy in Windows NT to something bigger and better in Win2K. From a business perspective, Group Policy holds the promise of reduced Total Cost of Ownership (TCO). The idea is that, by implementing Group Policy, you can reduce live visits to the user's desktop machine to install software or perform configuration activity. This translates into great savings in an environment (information technology) in which some of the most significant expenses are professional services (your salary or consulting fees).

A prerequisite for Group Policy is a homogeneous Win2K network. This fact is often overlooked by many MCSEs without Win2K experience. Your server must be Win2K Server and your client workstations must be Win2K Professional. This isn't to say that you can't play a trick to get around this homogeneous requirement. For example, you can use a Terminal Services session on a legacy (i.e. Windows 9x) workstation to get around this requirement. Why? Because the Terminal Services session is effectively Win2K Professional. For more information on Terminal Services, see my February 2001 column.

Note that Group Policy can be applied to an organizational unit (OU), a domain or a site in AD. These terms, as well as a long and loud primer on AD, can be found in my April 2000 column (which can still be found on this site). It's been my experience that most people apply Group Policy at the OU level to isolate the scope of the settings. When you apply Group Policy at the domain level, it can get much more complex. The settings are inherited by default by the lower-level objects in the domain, such as the OUs. Let's just say it can get crazy pretty darn fast!

In a nutshell, Group Policy is a collection of capabilities that greatly assist in the configuration and management of both users and machines. I've outlined these capabilities below.

Users and Computers
First and foremost, understand that Group Policy is "applied" to two objects in AD: users and computers. Thus, you can apply settings to a user regardless of which Win2K Professional machine they use, to a computer regardless of which user logs on, or to both the user and the computer (a combination of the two; see Figure 1).

Figure 1. The Group Policy MMC displaying Computer Configuration and User Configuration. Notice that all capabilities of Group Policy are expanded and displayed.

Software Installation
One of the best features of Group Policy is its ability to install software on client machines. A practical example of this is the installation of new and upgraded applications on your fleet of desktop computers, circumventing the need for live visits to each machine. This feature also allows for a quick recovery from a desktop disaster. Imagine the following: An executive in your organization travels with her laptop, which is lost by the airlines. Upon her return to the office, you learn of this incident and requisition a new laptop for the executive. The laptop quickly arrives; after configuring the machine for Win2K networking, you log on as the executive. At that point, Group Policy installs the baseline applications that the executive used on the lost laptop.

One of the only tricky parts about the Group Policy software installation capabilities is the requirement that you use a Windows Installer package (an *.msi file). This is relatively easy to create and is often provided by the independent software vendor (ISV) supporting the Win2K application. Ironically, the software installation capability in Small Business Server 2000 (via the Setup Computer Wizard) won't work with *.msi files and the software installation capability in Group Policy will only work with *.msi files. Hmmm... Is the left hand not working with the right hand in Redmond?

The dialog box where you specify the *.msi file for the software installation capability in Group Policy is shown in Figure 2.

Figure 2. Be sure you've got your Windows Installer package ready to go when using the software installation capability in Group Policy.

Windows Settings
Group Policy is known for its ability to lock down the goods on a machine. One place you can do this is with Windows Settings, seen in Figure 3. Here you can specify a number of settings, specifically for security and scripts. The Windows Settings area is a very rich part of Group Policy, something you would find if you poked around and expanded some of the listings.

Figure 3. As an example, Windows Settings allows you to enforce complex passwords for a machine or a user.

Administrative Templates
One of the smart things that Microsoft did to save time for MCSEs using Group Policy was to create templates. Stepping back in time, this is akin to the Security Configuration Editor templates that appeared as part of Service Pack 4 late in the life of Windows NT Server. The concept of templates is simple: provide some pre-configured settings for the most popular uses of Group Policy in order to save administration time. So instead of conceptualizing down to a very fine level of detail, you can simply trot around the Administrative Templates, find the settings you like, such as enabling the "Disable changing proxy settings" setting shown in Figure 4, and be home in time for dinner!

Figure 4. The richest area of detail in Group Policy is arguably the detailed settings you can configure under Administrative Templates.

In the next two months, I will dedicate columns to Windows Settings and Administrative Templates.

Creating a Group Policy Object (GPO)
No Win2K Foundations column is worth its salt if there isn't a step-by-step, hands-on exercise for you to complete, and this column won't depart from that standard. As you've now been introduced to Group Policy, create a Group Policy Object (GPO) for an OU (which you'll also create). In the following two months, you will apply Group Policy settings in this sample scenario.

  1. Log on as an Administrator at the Win2K Server machine.
  2. Click Start | Programs | Administrative Tools | AD Users and Computers.
  3. In the left pane, the existing folders and OUs will be displayed. Right-click directly below the last object in this pane and select New | Organizational Unit from the secondary menu.
  4. Name the OU after a department in a business (for example, I'll assume you name the OU as Marketing). Click OK.
  5. Right-click on the Marketing OU. Select Properties from the secondary menu.
  6. Select Group Policy.
  7. Click Add and, while the text field of the new GPO has the focus (and can be edited by typing), type One as the GPO name. The result should look similar to Figure 5.

Figure 5. Creating your first GPO in Win2K!

And there you have it! You've created your first GPO and are well on your way to working with Group Policy. If you'd like to see the details of your GPO, click Edit and your screen should look similar to some of the screenshots shown earlier in this column.

This month's column provides the foundation to move forward in the detailed study of Group Policy. I will start with software settings and security next month. A couple of closing thoughts to consider:

Understand that the possibilities are darn near endless with Group Policy. Not only are there hundreds of built-in settings, but you can create your own policy settings to further extend the management paradigm of Group Policy.

When planning for Group Policy, be sure to take a few minutes to consult references such as the online help system and the Windows 2000 Server Resource Kit to learn about inheritance. You need to think through which order Group Policy should be applied from the site, domain and OU levels.

Figure 6. Group Policy settings have a robust and informative explanation tab.

A wealth of information about each Group Policy setting is displayed when you click the Explanation tab for any setting. An example of this is shown in Figure 6. I've found the Explanation tab to be one of the secrets to learning about Group Policy.
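
The inheritance planning mentioned above (settings applied at the site, then the domain, then the OU, with lower levels inheriting by default) can be modeled in a few lines to see which GPO wins for each setting. This is an added example, not part of the original column: the site and domain names, every GPO other than One, the setting values and the `Link`, `Container` and `resultant_policy` names are constructed for illustration. It goes slightly beyond the column's text by also modeling the No Override and Block Policy inheritance options.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False        # "No Override" set on this link

@dataclass
class Container:
    name: str                        # site, domain or OU
    links: list = field(default_factory=list)   # in processing order
    block_inheritance: bool = False  # "Block Policy inheritance" on the container

def resultant_policy(chain):
    """chain is ordered site -> domain -> OU (parent OUs before child OUs).
    Returns {setting: (value, gpo_that_won)}. Local policy is left out."""
    normal, enforced = {}, {}
    for container in chain:
        if container.block_inheritance:
            normal = {}              # inherited settings dropped; No Override ones kept
        for link in container.links:
            for setting, value in link.settings.items():
                if link.no_override:
                    # the highest container that enforces a setting keeps it
                    enforced.setdefault(setting, (value, link.gpo))
                else:
                    normal[setting] = (value, link.gpo)   # last writer wins
    return {**normal, **enforced}

def sample_chain(block_at_ou=False):
    # Constructed sample data; only the Marketing OU and the GPO "One" are from the column.
    site = Container("Site: HQ", [Link("Site Baseline",
        {"Disable changing proxy settings": "Enabled"}, no_override=True)])
    domain = Container("Domain: example.com", [Link("Domain Desktop",
        {"Remove Run menu from Start Menu": "Enabled",
         "Hide Screen Saver tab": "Enabled"})])
    ou = Container("OU: Marketing", [Link("One",
        {"Remove Run menu from Start Menu": "Disabled",
         "Disable changing proxy settings": "Disabled"})],
        block_inheritance=block_at_ou)
    return [site, domain, ou]

if __name__ == "__main__":
    for block in (False, True):
        print("Block Policy inheritance on Marketing:", block)
        for setting, (value, gpo) in sorted(resultant_policy(sample_chain(block)).items()):
            print(f"  {setting}: {value} (from {gpo})")
```

With inheritance blocked at the Marketing OU, the domain's Screen Saver lockdown no longer reaches the OU, while the site's No Override proxy setting still applies.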

About the Author

Bainbridge Island, Washington author Harry Brelsford is the CEO of, a Small Business Server consulting and networking monitoring firm. He publishes the "Small Business Best Practices" newsletter ([email protected]), and is the author of several IT books, including MCSE Consulting Bible (Hungry Minds) and Small Business Server 2000 Best Practices (Hara Publishing).

