Active Directory How-To

Group Policy Fundamentals in Active Directory

Here's a breakdown and explanation of the multiple types of Group Policy.

In an Active Directory environment, Group Policy is an easy way to configure computer and user settings on computers that are part of the domain.  An Active Directory environment means that you must have at least one server with the Active Directory Domain Services installed.  Group Policy allows you to centralize the management of computers on your network without having to physically go to and configure each computer individually.  If you need to manage computers in a large company, it is almost impossible without using Group Policy.  In order to use Group Policy editor in a domain environment, you must use an administrator account.  A standard domain user account is not in the local Administrators group and will not have the proper permissions to configure Group Policies.

To launch the Group Policy Management Tool, choose, Start, All Programs, Administrative Tools, Group Policy Management (see Figure 1).

[Click on image for larger view.]  Figure 1.

Once the Group Policy Editor has launched, you will see many different options (see Figure 2).

[Click on image for larger view.]  Figure 2.

You can apply Group Policy on a variety of Microsoft platforms to include Windows 2000, Windows 2003, Windows XP, Vista, Windows Server 2008, Windows 7, Windows 8 and Windows Server 2012. Granted, there will be some settings that are particular to that operating system, but those settings are kind of rare.  If a user is connecting via a slow link, which by default is 500KB or less, there are certain group policies that will not be applied.  By default, Disk Quotas, Folder Redirection, Internet Explorer settings, and Software Deployment are not applied over slow links. It is possible to change the definition of a slow link in the Group Policy Slow Link Detection setting.

Group Policy setting at any level automatically affects all levels beneath it. If needed, you can prevent inheritance. Some other default behavior to consider are that domains, OUs, and child OUs inherit settings from their parents, but duplicate settings in GPOs linked to child OUs have precedence over the same settings in GPOs linked to parent OUs. Any policy geared for a Domain Controller is refreshed within five minutes.

Examples of Group Policy
Drive Mappings: You can map drives via login scripts, but it can be done more reliably using Group Policy.  It is also possible to remove drive mappings for users.

Power Options: Using Group Policy, you can set things like hard disk sleep time, the amount of time before the monitor goes into stand-by mode, and what happens to laptops when you hit the power button or close the lid.  All aspects of power can be configured, but some of these are user preferences, which can be changed by the user.

Folder Redirection: Normally, users' folders for storing data are located on their local computers. If you want to redirect their data to another location, you can do this using Group Policy.  In a domain environment, it is common to backup server data, but not each individual computer.  By redirecting a user's My Documents to a server, you keep their data off the local computer. This redirect has several uses.  It allows the user data to be backup up in a central location and it also provides the user access to their data regardless of the computer they log onto.  The type of folders that can be redirected are:

  • Contacts
  • Start Menu
  • Desktop
  • Documents
  • Downloads
  • Favorites
  • Music
  • Videos
  • Pictures
  • Searches
  • Links
  • AppData (Roaming)

Internet Explorer Settings: There are almost 2,000 different items that you can configure in Internet Explorer using Group Policy.  Some of the more common items are:

  • Configure Delete Browsing History on exit
  • Configure Toolbar Buttons
  • Configure new tab page default behavior
  • Disable changing home page settings
  • Do not allow resetting Internet Explorer settings
  • Do not allow users to enable or disable add-ons
  • Pop-up allow list

Local Accounts and Passwords: The Default Domain Policy is created by default at the domain level.  This default policy encompasses three domain-wide security settings:

    • Password policy: You can use Group Policy to set the password length, complexity and longevity.
    • Account Lockout policy: A Group Policy can be set to define when an account is locked out and for how long.
    • Kerberos policy:  You can set the Kerberos ticket expiration time.

If the Password policy, Account Lockout policy, or Kerberos policy is set anywhere else in the domain, such as at the OU or site level, the settings will be ignored when users log onto the domain.

Printers: The Print Management snap-in with Group Policy can be used to automatically deploy printer connections to users or computers and install the appropriate printer drivers. If you choose to add the printer per-computer connections, Windows will add the printer connections when the user logs on. If per-user connections are chosen, Windows will add the printer connections during background policy refresh. If the printer connection settings are removed from the GPO, Windows will remove the corresponding printers from the client computer during the next background policy refresh or user logon.

You can reapply Group Policies without restarting your computer or logging off.  From a Run prompt, type GPupdate / force. This will cause the Group Policies to be reapplied.  After running this command, it is sometimes necessary to logoff for the change to take effect immediately. 

About the Author

Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administration in Department of Defense, writing technology articles, tutorials, and white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MSCE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride. Contact information is [email protected].

Featured

comments powered by Disqus

Subscribe on YouTube