Group Policy Part 3
Group Policy is all about being
efficient. Here's how to get there by setting up users'
Windows Setting with Administrative Templates.
This month I conclude my three-part series
on Group Policy by looking at the Windows Settings,
Administrative Templates and couple of cool tools. Just
for the record, Group Policy allows you to -- in homogeneous
Windows 2000 networks (including Win2K Server and Professional)
-- to install software, set security and manage settings.
If you've stuck with me for the past few months, you
know Group Policy is powerful!
So let's dig in and launch the Group Policy
snap-in, similar to Figure 1. This is accomplished by
clicking Start | Programs | Administrative Tools | Active
Directory Users and Computers and right-clicking on
the domain or an organizational unit. Select Properties,
click the Group Policy tab, and click either New or
Edit a Group Policy Object (GPO).
|Figure 1. Both the Computer
Configuration and User Configuration objects display
the Windows Settings and Administrative Templates
Note: It's important to remember
that the Computer Configuration object configures the
machine. And as you'd expect, the User Configuration
object configures based on the user's logon name. While
this seems obvious, it's critical to understanding the
Under the Computer Configuration object, Windows
Settings has two objects:
- Scripts (Startup/Shutdown) --
This is where you can designate scripts, ranging from
simple to complex, to run at either the startup or
the shutdown of the machine. For more information
on scripting, be sure to read Chris Brooke's monthly
column, "Scripting for MCSEs,"
in MCP Magazine.
- Security Settings -- Now we
can have some fun. If you look at Figure 2, you'll
see that the Security Settings object is "rich." As
you can see in the right pane of Figure 2, this is
where you'd set the ability to audit logon activity
on machines that fall under the authority of this
|Figure 2. Take a moment to
appreciate the depth of the settings in Security
Settings object. (Click image to view larger version.)
Note: To audit logon activity on
the network and have it appear in the server's Event
Viewer in the Security Log, you need to set the Local
Security Policy snap-in that's accessed from Start |
Programs | Administrative Tools | Local Security Policy.
Under the User Configuration object, the
Windows Settings folder looks slightly different when
you expand it. As seen in Figure 3, there are three
selections in addition to what you saw above with the
Computer Configuration object.
- Internet Explorer Maintenance. This
is a group of settings you can use to enforce your
company's Internet policy. For example, you can impose
proxy server settings. You can also dictate what URLs
are listed under the Favorites folder for each user
and what the default home page is (such as the company
Web site) at startup.
- Remote Installation Services. On
a per-user basis, you can configure on-screen options
that relate to automatic and custom setups.
- Folder Redirection. When discussing
what can and can't be accomplished with Group Policy,
the area of folder redirection emerges as one of the
most popular. This is because both IT and business
management see great value in enforcing the storage
of data on a server upon which regular backups occur
and security can be imposed. You start this process
by configuring folder redirection so data is moved
to the server.
|Figure 3. Note that there are
three additional selections in the Windows Setting
folder under the User Configuration object that
aren't found under the Computer Configuration object.
(Click image to view larger version.)
Next up are the Administrative Templates. Here
you can set hundreds of settings using Group Policy.
In fact, this is many people's perception of what Group
Policy is -- detailed management via these configurations
at the computer and user levels.
The Administrative Templates under the
Computer Configuration object, seen in Figure 4, contains
the following folders. (Note that I'm making select
comments about the types of configurations possibilities
because there are far too many for individual discussion
in a column.)
Note: I've always felt a book should
be written about Group Policy, which is exactly what
MCP Magazine writer Jeremy Moskowitz has done.
His book, Windows 2000 System and Group Policies
(Sybex, ISBN 0782128815) will be out in mid-August
|Figure 4. The Administrative
Templates under the Computer Configuration object
contain folders that allow you to make changes to
a variety of settings. (Click image to view larger
- Windows Components. The Windows
Components folder contains sub-folders for NetMeeting,
Internet Explorer, Task Scheduler and Windows Installer.
For example, under NetMeeting, you can use Group Policy
to disable remote desktop sharing, a capability I
view as security-related. Under the Internet Explorer
folder, you may make proxy server settings on a per-machine
basis (unlike the per-machine basis I discussed a
few paragraphs above).
An administrator might disable
the ability to run tasks on an individual machine
via the Task Scheduler folder. Here's an interesting
example: On a per-machine basis, under the Windows
Installer folder, you can have applications installed
with elevated privileges so that the user who logs
on doesn't have to be a member of the Local Administrators
group for an application to automatically install
via Group Policy. This is helpful, as you often don't
want a "normal" user at a workstation to be a member
of the Local Administrators group.
- System. This includes sub-folders
for Logon, Disk Quotas, DNS Client, Group Policy and
Windows File Protection. Under Logon, you can have
Win2K advise the user when a slow network link is
detected. Under Disk Quotas you may enable and enforce
disk quotas on a per-machine basis. The DNS Client
folder allows you to make one policy configuration
to set the DNS suffix (note that make DNS-type settings
can be made with a DHCP IP address lease, not Group
Policy, so don't worry!).
The Group Policy folder allows
you to select the order in which policies are processed.
And, as a final example for the System folder, the
Windows File Protection folder allows you to, not
surprisingly, configure Windows File Protection (such
as hide the file scan progress window).
- Network. The Network folder
allows you to configure, among other things, the use
of Offline Folders (something that many people find
cool in Win2K and replaces the "Briefcase" application
from prior Windows operating systems).
- Printers. Printers allows the
publishing of printers to Active Directory and several
other printer-related settings.
The Administrative Templates under User
Configuration are similar to those listed immediately
above, except that the settings are applied on a per-user
basis (not per computer).
Note: There are minute (or detailed)
differences between computer and user, so I highly recommend
you take an afternoon off of work some day, take a Win2K
Server out to a local park, site in the sun and poke
around discovering what these differences are. There
are a couple of additional Administrative Template folders
under User Configuration that aren't found elsewhere.
These are shown in Figure 5.
Some of the sub-folders under Administrative Templates
under the User Configuration object aren't found
anywhere else. (Click image to view larger version.)
- Start Menu and Task Bar. One
setting you can invoke here (of many possibilities)
is to disable changes to the Taskbar and Start Menu
Settings. This translates into one less Help Desk
call from a user that "something changed."
- Desktop. This folder
primarily relates to the management of user interface
elements. One setting from the multitude of selections
is to enable Active Desktop (one-click functionality
and so on).
- Control Panel. This folder contains
several sub-folders, including Add/Remove Programs,
Display, Printers and Regional Options. While I don't
really care as much if users change their time zone
via Regional Settings (although I can block that behavior),
I'm very interested in the ability to disable Add/Remove
Programs so users can't install the latest TurboTax
upgrade on a company computer.
Something that many people don't realize
is that, if you right-click on any policy and select
Properties, then Explain, you'll get an eye full of
well-written text that discusses the specific policy.
An example of this is shown in Figure 6.
|Figure 6. You'll appreciate
the explanation provided for each policy in Group
Before I close out this series on Group
Policy, let me share with you two cools tools I found
at the Microsoft site dedicated to the Win2K Resource
where you will click on the "Free Downloads" link.
- Gptool.exe. This tool (Group
Policy Verification Tool) is, quite frankly, for large
enterprise accounts with multiple sites. It allows
administrators to check Group Policy object integrity
and monitor policy replication.
- GPresult.exe. This is my favorite
Group Policy tool, officially called Group Policy
Results. This displays information about the effect
that Group Policy has had on the current computer
and logged-on user.
Next month I'll revisit Active Directory
and dispute the myth in MCSE-land that it should be
renamed "Inactive Directory."
Bainbridge Island, Washington author Harry Brelsford is the CEO of NetHealthMon.com, a Small Business Server consulting and networking monitoring firm. He publishes the "Small Business Best Practices" newsletter (firstname.lastname@example.org), and is the author of several IT books, including MCSE Consulting Bible (Hungry Minds) and Small Business Server 2000 Best Practices (Hara Publishing).