Lesson 1: Understanding Group Policy

You can lower your network's total cost of ownership (TCO) by using Group Policy in Microsoft Windows 2000 to create a managed desktop environment that is tailored to the user's job responsibilities and experience level. TCO is the cost that is involved in administering distributed personal computer networks. Recent studies on TCO cite lost user productivity as one of the major costs to corporations. Lost productivity is often due to user error, such as modifying system configuration files and thereby rendering the computer unusable. Group Policy provides the network administrator with greater control over computer configurations, thus reducing the potential for lost user productivity.

Group Policy Settings

Group Policy in Windows 2000 allows an administrator to establish a requirement for a user or a computer once and have that requirement continually enforced. For example, the administrator can implement group policy settings that will run a startup script on all computers in an organizational unit (OU) or audit all failed logon attempts in a domain.

You use the Group Policy tool and its extensions in Microsoft Management Console (MMC) to define group policy settings for desktop configurations for computers and users. You can specify group policy settings with the following Group Policy extensions:

  • Administrative Templates (Computers) and Administrative Templates (Users). The Administrative Templates extensions allow you to control the registry-based group policy settings that configure the application settings and customize desktop appearances and behavior of system services.
  • Folder Redirection Editor. The Folder Redirection Editor extension allows you to redirect folders like My Documents to network locations, so that users' folders are stored on the network rather than on the user's local computer.
  • Internet Explorer Maintenance. The Internet Explorer Maintenance extension allows you to administer Internet Explorer settings.
  • Remote Installation Services. The Remote Installation Services extension allows you to predefine configuration options such as operating system selection and client computer naming conventions to provide better disaster recovery and easier operating system and application management.
  • Scripts (Logon/Logoff) and Scripts (Startup/Shutdown). The Scripts extensions allow you to configure scripts for when a computer starts and shuts down and when a user logs on and logs off.
  • Security Settings. The Security Settings extension extends the Group Policy snap-in and allows you to define security policies for computers in your domain.
  • Software Installation (Computers) and Software Installation (Users). The Software Installation extensions allow you to control the central management of software including installation, updates, and removal.

Group Policy Objects

In Windows 2000, you create a Group Policy Object (GPO) and then configure the settings for that specific GPO. The GPO is a virtual storage location for the group policy settings. The contents of the GPO are stored in two different locations, the Group Policy Container and the Group Policy Template.

Group Policy Container

The Group Policy Container (GPC) is an Active Directory object that contains GPO attributes and includes subcontainers for group policy information about computers and users. The GPC includes the following information:

  • Version information. Ensures that the information in the GPC synchronizes with the Group Policy Template information.
  • Status information. Indicates whether the GPO is enabled or disabled.
  • List of components (extensions). Lists any of the Group Policy extensions that are used in the GPO.

Group Policy Template

The Group Policy Template (GPT) is a folder hierarchy in the Sysvol folder on domain controllers. The GPT is the container for all group policy information on administrative templates, security, software installation, scripts, and folder redirection.

When you create a GPO, Windows 2000 creates the corresponding GPT folder hierarchy. The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created.

For example, if you associate a GPO with the domain domain.com, and the GPO is assigned a GUID of {A3A2C853-F033-11D1-9BE4-00C0DFE00C63}, the resulting GPT folder name would be systemroot\Sysvol\Sysvol\domain.com\Policies\{A3A2C853-F033-11D1-9BE4-00C0DFE00C63}.
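Because a GPO lives in two places, a GPC and GPT that disagree on version, or a GPT folder with no GPC, is worth flagging. The check below is an added example, not code from the book. It assumes details this lesson does not state: the GPT keeps its version in a gpt.ini file in the GUID folder, the GPC value is the versionNumber attribute (supplied here as a dictionary), and the number packs the user count in the high 16 bits and the computer count in the low 16 bits.

```python
import configparser
import tempfile
from pathlib import Path

def split_version(version):
    """High 16 bits: user-setting revisions; low 16 bits: computer-setting revisions."""
    return {"user": version >> 16, "computer": version & 0xFFFF}

def read_gpt_version(gpt_dir):
    """Return Version from <GPT folder>/gpt.ini, or None if it cannot be read."""
    parser = configparser.ConfigParser()
    # File name is case-insensitive on Windows; spelled in lower case here.
    if not parser.read(Path(gpt_dir) / "gpt.ini", encoding="utf-8-sig"):
        return None
    return parser.getint("General", "Version", fallback=None)

def compare_gpc_to_gpt(policies_dir, gpc_versions):
    """gpc_versions maps GPO GUID -> versionNumber exported from the GPC.
    Returns (guid, problem) pairs for every GPO whose two halves disagree."""
    policies_dir = Path(policies_dir)
    findings = []
    for guid, gpc_version in sorted(gpc_versions.items()):
        gpt_version = read_gpt_version(policies_dir / guid)
        if gpt_version is None:
            findings.append((guid, "GPT missing or unreadable"))
        elif gpt_version != gpc_version:
            findings.append((guid, f"GPC {split_version(gpc_version)} "
                                   f"!= GPT {split_version(gpt_version)}"))
    # GPT folders are named after the GPO GUID, braces included.
    for folder in sorted(policies_dir.glob("{*}")):
        if folder.is_dir() and folder.name not in gpc_versions:
            findings.append((folder.name, "GPT folder has no GPC object"))
    return findings

def demo():
    """Constructed sample: three GPT folders in a temporary Policies directory."""
    guid_ok = "{A3A2C853-F033-11D1-9BE4-00C0DFE00C63}"      # GUID from the lesson
    guid_stale = "{11111111-1111-1111-1111-111111111111}"   # constructed
    guid_orphan = "{22222222-2222-2222-2222-222222222222}"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        for guid, version in [(guid_ok, 0x00020005), (guid_stale, 3), (guid_orphan, 1)]:
            (Path(tmp) / guid).mkdir()
            (Path(tmp) / guid / "gpt.ini").write_text(f"[General]\nVersion={version}\n")
        return compare_gpc_to_gpt(tmp, {guid_ok: 0x00020005, guid_stale: 4})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```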

Group Policy Inheritance

When you create a GPO, you associate it with a selected Active Directory container, such as a site, domain, or organizational unit. Within the hierarchical structure of the Active Directory directory services, child containers inherit GPOs from parent containers. You must understand the processing order of GPOs to plan your group policy implementation. You can filter the scope of the GPO and delegate control of a GPO with permissions. The attributes of a GPO offer you other options for managing how you apply group policy settings.

Group policy settings are inherited, cumulative, and affect all computers and user accounts in the Active Directory container with which the GPO is associated. You can associate multiple Active Directory containers with the same GPO and multiple GPOs with a single Active Directory container.

Understanding Order of Inheritance

Windows 2000 evaluates GPOs starting with the Active Directory container furthest away (highest up the hierarchical structure) from the computer or user. The order of group policy inheritance is site, domain, and then organizational unit. With this order, the GPOs of the OU that the computer or user is a member of are the final group policy settings that Windows 2000 applies to the computer or user.

This default behavior allows a group policy setting in the Active Directory container closest to the computer or user to override a conflicting group policy setting in a container that is higher up in the Active Directory hierarchy.

When a group policy setting is configured for a parent OU, and the same group policy setting is not configured for a child OU, the objects in the child OU inherit the group policy setting from the parent OU. However, a group policy setting can be configured in the GPO for both the parent and child OU. In that case, the compatibility of the group policy settings determines the result.

When the parent OU and child OU both have a configured group policy setting and the settings are compatible, the settings from both OUs apply. If a group policy setting that is configured for a parent OU is incompatible with the same group policy setting that is configured for a child OU, the child OU does not inherit the group policy setting from the parent, but retains its own group policy setting.

NOTE
A GPO that is linked to a site affects all computers in that site, regardless of the domain to which the computers belong. The GPO, however, is only stored in one domain. Because a single site can include multiple domains, a GPO that is associated with a site can be inherited by computers in multiple domains. All computers in the site must contact a domain controller in the domain that contains the GPO. You should consider the network traffic implications when you create a site GPO.
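The default order of inheritance described above can be modelled to see which GPO supplies each effective setting and where a closer container has replaced a value set higher up. This is an added example, not code from the book; all container, GPO and setting names are constructed, it covers only the default behavior, and the order of several GPOs on one container is taken as given.

```python
# Added illustration of the site -> domain -> OU order described in this lesson.
# Every container, GPO and setting name below is constructed sample data.

def processing_order(site, domain, ou_path, links):
    """List (container, gpo) pairs from the container furthest from the object
    to the closest. links maps a container to the GPOs linked to it; the order
    of several GPOs on one container is taken as given (an assumption)."""
    containers = [f"site:{site}", f"domain:{domain}"]
    parts = ou_path.split("/")
    containers += ["ou:" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return [(c, gpo) for c in containers for gpo in links.get(c, [])]

def resolve(order, gpo_settings):
    """Apply GPOs in processing order. A setting missing from a GPO is 'not
    configured' there and is inherited; a later GPO that configures it wins."""
    effective = {}
    for container, gpo in order:
        for name, value in gpo_settings[gpo].items():
            prior = effective.get(name)
            overridden = list(prior["overridden"]) if prior else []
            if prior and prior["value"] != value:
                overridden.append(prior["source"])  # conflicting value replaced
            effective[name] = {"value": value, "source": f"{gpo} @ {container}",
                               "overridden": overridden}
    return effective

def overridden_settings(effective):
    """Settings where a closer container replaced a value set higher up."""
    return sorted(n for n, e in effective.items() if e["overridden"])

LINKS = {
    "site:HQ": ["Site-Baseline"],
    "domain:domain.com": ["Domain-Default"],
    "ou:Sales": ["Sales-Desktop"],
    "ou:Sales/Kiosks": ["Kiosk-Lockdown"],
}
GPO_SETTINGS = {
    "Site-Baseline": {"AuditFailedLogons": True},
    "Domain-Default": {"RemoveRunFromStartMenu": False, "ScreenSaverTimeoutSeconds": 900},
    "Sales-Desktop": {"RemoveRunFromStartMenu": True},
    "Kiosk-Lockdown": {"ScreenSaverTimeoutSeconds": 300},
}

def demo():
    """Resolve policy for an object in the constructed OU Sales/Kiosks."""
    order = processing_order("HQ", "domain.com", "Sales/Kiosks", LINKS)
    return resolve(order, GPO_SETTINGS)
```

Reviewing the output of `overridden_settings` shows which domain-level or site-level settings a child OU has quietly replaced.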

Order of Processing GPO Settings

The group policy settings in a GPO are processed in a specific order. Some group policy settings for users can also affect computers. For example, the permission to use the Run command on the Start menu can affect both computers and users. By understanding the order in which Windows 2000 processes group policy settings, you can avoid overwriting settings.

The group policy settings are processed in the following sequence:

  1. When the computer starts, group policy settings for computers process. This is done synchronously by default.
  2. Startup scripts run synchronously by default. This means that each script must complete or time out before the next one will start.
  3. When a user logs on, group policy settings for users process. This is also done synchronously by default.
  4. Logon scripts run. Logon scripts in GPOs run asynchronously by default. If you have scripts that are associated with a user object, they run last.

NOTE
You can modify the synchronous and asynchronous processing of both group policies and scripts with a group policy setting.

Windows 2000 periodically refreshes group policy settings throughout the network. This is done by default on client computers every 90 minutes with a randomized offset of plus or minus 30 minutes. For domain controllers, the default period is every 5 minutes. You can change the default values by modifying the settings in Administrative Templates. You cannot schedule the application of a GPO to the client computers.

NOTE
The processing of software installation and folder redirection settings in a GPO occurs only when a computer starts or when the user logs on, rather than on a periodic basis.

Lesson Summary

The Windows 2000 Group Policy tool allows an administrator to manage desktop environments throughout the network by applying configuration settings to computers and users within a site, domain, or organizational unit. Group policy settings are contained in Group Policy Objects. A GPO is a virtual storage location for the group policy settings whose contents are stored in two different locations, the Group Policy Container and the Group Policy Template.

You use the Group Policy tool and its extensions in MMC to define group policy settings for desktop configurations for computers and users. The extensions available for Group Policy include Administrative Templates (Computers), Administrative Templates (Users), Folder Redirection Editor, Internet Explorer Maintenance, Remote Installation Services, Scripts (Logon/Logoff), Scripts (Startup/Shutdown), Security Settings, Software Installation (Computers), and Software Installation (Users). These extensions allow you to specify additional group policy settings. The settings contained in the GPOs are applied in a specific order. When the computer is started, the group policy settings for computers process. Next, any startup scripts run. When a user logs on, the group policy settings for users process, and finally, if there are any logon scripts, they run.