Lesson 3: Configuring Group Policy

You configure the group policy settings within a GPO by using the Group Policy tool and its extensions in MMC. The extensions in Group Policy display the configurable settings for administrative templates, scripts, security, and folder redirection, in addition to software installation and Remote Installation Services (RIS).

NOTE
For information on the use of group policies for software installation, see Chapter 7, "Managing Software by Using Group Policy." For information on RIS, see Chapter 14, "Deploying Windows 2000."

Group Policy Console

You use Group Policy in MMC to specify group policy settings for a GPO. The group policy settings are separated under Computer Configuration and User Configuration.

You can open Group Policy in two ways:

  • On the Group Policy tab in the Properties dialog box for a site, domain, or OU, select the GPO that you want to view in Group Policy, and then click Edit.
  • Add the Group Policy tool and any desired extensions to an MMC console and select the GPO you want to configure.

When you open Group Policy by clicking the Edit button, the Group Policy console opens. Figure 6.5 shows a Group Policy window with the Group Policy extensions expanded. When you manually add the Group Policy tool to an MMC console, you can select which extensions to include in the console that you create.


Figure 6.5 Group Policy nodes and extensions

Computer Configuration

Group policy settings that customize the desktop environment or enforce security policies on computers on the network are contained under the Computer Configuration node in the Group Policy window. Computer configuration policies apply when the operating system initializes.

Computer configuration settings include all computer-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned applications options, and computer startup and shutdown scripts.

User Configuration

Group policy settings that customize the user's desktop environment or enforce lockdown policies on users on the network are contained under the User Configuration node in the Group Policy window.

User configuration settings include all user-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policies apply when users log on to the computer.

Settings Folders

The group policy settings in Computer Configuration and User Configuration are categorized into the following folders:

  • Software Settings
  • Windows Settings
  • Administrative Templates

The subfolders and individual policies within each folder differ according to the item that you select. For example, Folder Redirection settings are displayed in the Windows Settings folder under User Configuration but not under Computer Configuration because folder redirection applies only to users.

Administrative Template Settings

The Administrative Templates extension includes all registry-based group policy information. Group policy settings that are specific to a user are written to the registry under HKEY_CURRENT_USER, and computer-specific settings are written under HKEY_LOCAL_MACHINE.

In previous versions of Windows, group policy settings remained in the registry until they were removed, either through an additional group policy setting or by directly editing the registry. Windows 2000, however, automatically removes group policy settings from the registry when the GPO that implemented the group policy no longer applies. To modify group policy settings in the Administrative Templates folder, you would do the following:

  1. Open the GPO in Group Policy, expand Computer Configuration or User Configuration, and then expand the Administrative Templates folder.
  2. Expand the item that represents the particular policy that you want to modify. For example, if you wanted to modify the desktop settings for a user, you would expand User Configuration\Administrative Templates\Desktop.
  3. Once you have expanded the policy you want to modify, in the details pane, double-click the policy or right-click the policy, and then click Properties.
  4. You configure the group policy settings in the Administrative Templates folder by selecting the appropriate option:

    • If the Enabled option button on the Policy tab is selected, the setting is implemented. If this option was selected the last time that the user logged on, no changes are made (see Figure 6.6).
    • If the Disabled option button on the Policy tab is selected, the setting is not implemented. If the group policy settings were previously implemented, they are removed from the registry (see Figure 6.6).
    • If the Not Configured option button on the Policy tab is selected, Windows 2000 ignores the group policy setting and makes no changes to the computer (see Figure 6.6).


Figure 6.6 Modifying Administrative Template settings

You can move the Properties dialog box to one side so that you can see the group policy settings that are available and then use the Next Policy button and the Previous Policy button to move through the available group policies. In addition, the Properties dialog box has an Explain tab that provides detailed information regarding the purpose and use of individual group policy settings.

Script Settings

In previous versions of Windows NT, scripts were limited to logon scripts. In Windows 2000, the Group Policy tool allows you to assign scripts to both users and computers. For users, you can assign scripts that execute during the logon process, in addition to scripts that execute during the logoff process. For computers, you can assign scripts that execute during the startup process, in addition to scripts that execute during the shutdown process.

Windows 2000 Script Execution

Windows 2000 executes scripts according to the following rules:

  • When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, the scripts are executed from top to bottom as listed in the corresponding Properties dialog box.
  • When a computer shuts down, Windows 2000 first processes logoff scripts and then processes shutdown scripts.
  • By default, the time-out value for processing scripts is two minutes. If a script requires more than two minutes to process, you must adjust the time-out value by modifying the wait time in the following location: Computer Configuration\Administrative Templates\System\Logon\.

Group Policy Settings for Scripts

The Scripts extension allows you to configure startup and shutdown scripts for a computer and logon and logoff scripts for a user. To set group policy settings for scripts, you would do the following:

  1. Open the appropriate GPO in Group Policy.
  2. Under either Computer Configuration (for startup and shutdown scripts) or User Configuration (for logon and logoff scripts), expand the Windows Settings folder.
  3. Click Scripts.
  4. Right-click the appropriate script type (startup, shutdown, logon, or logoff) in the details pane, and then click Properties.
  5. In the Properties dialog box, click Add, click Browse, select the script file that you want to assign, and then click Open.
  6. Add any necessary script parameters, and then click OK. Then close the Properties dialog box.

NOTE
Windows 2000 still enables you to assign scripts to users in the Properties dialog box for user objects; however, using the Group Policy tool is the preferred method of assigning scripts.

Practice: Implementing Administrative Templates and Script Policies

In this practice you will implement administrative templates.

Exercise 1: Creating a GPO

In this exercise, you will create a GPO at the domain level. You will create a user account, ADAdmin. You will create a group, DCLogin, grant the group the right to log on to the domain controller, and add ADAdmin to the DCLogin group.

  • To create a GPO
    1. Log on as Administrator with a password of password.
    2. Open the Active Directory Users and Computers tool.
    3. If it is not already expanded, expand domain.com.
    4. Right-click Administration, and then click Properties.
    5. On the Group Policy tab, click New.
    6. Type Administration Admin Template Policy and then press Enter.
       Administration Admin Template Policy appears in the list of Group Policy Object Links.
    7. Close the Administration Properties dialog box.
    8. Leave the Active Directory Users And Computers window open.

  • To create a user account
    1. Right-click Users, point to New, and then click User.
       The New Object - User dialog box appears.
    2. Type ADAdmin in the First Name box.
    3. Type ADAdmin in the User Login Name box, and then click Next.
    4. Type password in the Password and Confirm Password boxes, and then click Next.
    5. Review the information, and then click Finish to create the user account.
    6. Leave the Active Directory Users And Computers window open.

  • To create a group and add a user account to the group
    1. Right-click Users, point to New, and then click Group.
       The New Object - Group dialog box appears.
    2. Type DCLogin in the Group Name box.
    3. Ensure that the default group scope, Global, is selected.

    NOTE
    Windows 2000 has three group scopes: Domain Local, Global, and Universal. The group scope determines the membership of the group. Domain Local groups can contain user accounts, universal groups, and global groups from any domain. Global groups can contain user accounts and global groups from the same domain. Global groups can be members of universal and domain local groups in any domain. Universal groups can contain user accounts, universal groups, and global groups from any domain. Universal groups are only available in native mode. By default, Windows 2000 is in mixed mode, indicating that there are other operating systems on the network.

    4. Ensure that the default group type, Security, is selected.

    NOTE
    Windows 2000 has two group types: Security and Distribution. The group type determines how you use the group. Both group types are stored in the database component of Active Directory directory services, so you can use them anywhere in your network. The Security group type is used for assigning permissions to gain access to resources, while the Distribution group type cannot be used for permissions and can only be used by e-mail applications, such as Microsoft Exchange.

    5. Click OK.
       Notice that the group DCLogin is now listed in the details pane.
    6. Right-click the group DCLogin, and then click Properties.
    7. In the Description box, type Grants the Log On Locally right.
    8. Click the Members tab, and click the Add button.
    9. Ensure that the Look In box says domain.com.
    10. Select ADAdmin from the list of names in the top Name box, and then click Add.
    11. Click OK to close the Select Users, Contacts, Computers, or Groups dialog box.
    12. Click OK to close the DCLogin Properties dialog box.
    13. Leave the Active Directory Users And Computers window open.

  • To allow the ADAdmin user to modify GPOs in the Administration OU
    1. On the View menu, click Advanced Features (or ensure that it is active).
    2. Right-click Administration, and then click Properties.
    3. On the Security tab, click Add.
    4. Select ADAdmin from the list of names in the top Name box, and then click Add.
    5. Click OK to close the Select Users, Computers, or Groups dialog box.
    6. In the Administration Properties dialog box, with ADAdmin selected, ensure that a check mark is in the check box in front of both the Read and Write permissions, and then click Apply.
    7. Click Advanced.
    8. Ensure that ADAdmin is selected, and then click View/Edit.
       The Permissions Entry For Administration dialog box appears.
    9. In the Apply Onto box, click This Object And All Child Objects, and then click OK.
    10. Click OK to close the Access Control Settings For Administration dialog box.
    11. Click OK to close the Administration Properties dialog box.
    12. Leave Active Directory Users And Computers open.

  • To attempt to log on to a domain controller
    1. Log off as Administrator.
    2. Log on as ADAdmin with a password of password.
       A Logon Message appears indicating that the local policy of this system does not permit you to log on interactively.

    NOTE
    Just as in earlier Windows products, authenticated users cannot log on to domain controllers, for security reasons.

  • To allow the members of a group to log on to the domain controller
    1. Log on as Administrator, and open the Active Directory Users And Computers window.
    2. Right-click Domain Controllers in the console pane, click Properties, and then click the Group Policy tab.
       The Domain Controllers Properties dialog box appears with the Default Domain Policy selected.
    3. Click Edit.
       The Group Policy window appears.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
       The rights appear listed in the details pane.
    5. In the details pane, right-click Log On Locally, and then click Security.
       The Security Policy Setting dialog box for Log On Locally appears. Notice that Define These Policy Settings is selected and that the groups and users listed have the right to Log On Locally to Domain Controllers.
    6. Click Add.
       The Add User Or Group dialog box appears.
    7. Click Browse.
       The Select Users Or Groups dialog box appears.
    8. Click DCLogin in the Name box, click Add, and then click OK.
       Notice that DOMAIN\DCLogin appears in the User And Group Names box.
    9. Click OK.
       Notice that DOMAIN\DCLogin appears in the list of users and groups that have the right to Log On Locally to the Domain Controllers.
    10. Click OK to close the Security Policy Setting dialog box.
    11. Close the Group Policy window.
    12. Click OK to close the Domain Controllers Properties dialog box.
    13. Close the Active Directory Users And Computers window.

  • To test the Log On Locally right
    1. Log off as Administrator.
    2. Log on as ADAdmin with a password of password.
       You are able to log on to the domain controller because you successfully assigned the Log On Locally right to the DCLogin group, of which ADAdmin is a member.

  • To modify OU policy inheritance
    1. Log on as Administrator with a password of password.
    2. Open the Active Directory Users and Computers tool.
    3. Right-click Production, and then click Properties.
    4. On the Group Policy tab, select the Block Policy Inheritance check box, and then click OK.
       This setting will block all policy from parent containers.
    5. Right-click Administration, and then click Properties.
    6. On the Group Policy tab, right-click Administration Admin Template Policy, and then click No Override.
    7. Click OK.
    8. Close the Active Directory Users And Computers window.

  • To create a custom administrative tool for the ADAdmin user
    1. Start the Mmc.exe command from the Run dialog box.
    2. On the Console menu, click Add/Remove Snap-In.
    3. In the Add/Remove Snap-In dialog box, click Add, click Active Directory Users And Computers, click Add, and then click Close.
    4. Click OK to close the Add/Remove Snap-In dialog box.
       Active Directory Users And Computers appears in the console pane below the console root.
    5. Maximize the Console1 window, expand Active Directory Users And Computers, and then expand domain.com.
    6. Right-click Administration, and then click New Window From Here.
       A new window appears with Administration as the root node.
    7. On the Console menu, click Options.
    8. On the Console tab, change the name of the window to ADAdmin, and then in the Console Mode list, select User Mode - Limited Access, Single Window.
    9. Click Do Not Save Changes To This Console, and then click OK.
       Notice that the name of the console is now ADAdmin.
    10. On the Console menu, click Save As, and then in the Save In list click the drive C icon. Browse to C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools in the list.
    11. Type ADAdmin in the File Name box, and then click Save.
       A Microsoft Management Console dialog box appears indicating that you have chosen to display a single window interface when the console opens in user mode. The user will only be able to view the currently active window.
    12. Click Yes.
    13. Close the ADAdmin console.

Exercise 2: Implementing Group Policy

In this exercise, you will implement Group Policy.

  • To set the required restrictions in Administrative Templates
    1. Open Active Directory Users And Computers.
    2. Open the Administration Properties dialog box.
    3. On the Group Policy tab, ensure that the Administration Admin Template Policy is selected, and then click Edit.
    4. If necessary, expand User Configuration, and then expand the Administrative Templates folder.
    5. Click Start Menu & Taskbar, and then double-click Remove Run Menu From Start Menu.
       The Remove Run Menu From Start Menu Properties dialog box appears.
    6. On the Policy tab, click the Enabled option button.
    7. Click OK.
       Notice that the value in the Setting column for this policy has changed to Enabled.
    8. Using the following table, enable the remainder of the required restrictions:

       Node                                   Policy
       Control Panel/Display                  Disable Display In Control Panel
       Desktop                                Hide My Network Places Icon On Desktop
       Windows Components\Windows Explorer    Remove The "Map Network Drive" And "Disconnect Network Drive" Options

    9. Close the Group Policy window, and then click OK to close the Administration Properties dialog box.
    10. Close the Active Directory Users and Computers tool and log off.
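
The inheritance settings from Exercise 1 (No Override on Administration Admin Template Policy, Block Policy Inheritance on Production) and the Enabled, Disabled and Not Configured rules from the Administrative Template Settings section combine as modelled below. This is an added Python model written for this page, not code from the book or from Windows; the Domain Desktop Policy, the Helpdesk Policy and the Helpdesk child OU are constructed for illustration.

```python
"""Resultant-policy model for the rules on this page (constructed example, not Microsoft's engine):
containers are processed domain -> OU -> child OU and a later GPO overrides an earlier one; Block
Policy Inheritance drops parent links; No Override links pass through a block and beat child-level
conflicts; a Not Configured setting changes nothing."""
from dataclasses import dataclass, field

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"


@dataclass
class GPO:
    name: str
    settings: dict                      # policy name -> ENABLED / DISABLED / NOT_CONFIGURED


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False           # the No Override flag set on the link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # top of the list = highest priority
    block_inheritance: bool = False


def ordered_links(chain):
    """Split the links on a top-down container chain into (normal, enforced) processing lists."""
    # Only the deepest Block Policy Inheritance matters: normal links on containers above it
    # are dropped, while the blocking container keeps its own links.
    deepest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # The highest-priority link is listed first but processed last, hence reversed().
        for link in reversed(container.links):
            if link.no_override:
                enforced.append(link)
            elif depth >= deepest_block:
                normal.append(link)
    return normal, enforced


def apply_settings(result, links):
    # Last writer wins; a Not Configured policy leaves the previous state untouched.
    for link in links:
        for policy, state in link.gpo.settings.items():
            if state != NOT_CONFIGURED:
                result[policy] = state
    return result


def resultant_policy(chain):
    """Effective state of every policy for an object in the last container of chain."""
    normal, enforced = ordered_links(chain)
    result = apply_settings({}, normal)
    # Enforced links are applied after everything else; reversing them makes the one
    # highest in the hierarchy the last writer, so it wins any conflict.
    return apply_settings(result, reversed(enforced))


# The four restrictions from the Exercise 2 table.
RESTRICTIONS = [
    "Remove Run Menu From Start Menu",
    "Disable Display In Control Panel",
    "Hide My Network Places Icon On Desktop",
    'Remove The "Map Network Drive" And "Disconnect Network Drive" Options',
]
admin_gpo = GPO("Administration Admin Template Policy", {p: ENABLED for p in RESTRICTIONS})
# Constructed GPOs and child OU for illustration; they are not part of the exercises.
domain_gpo = GPO("Domain Desktop Policy", {"Hide My Network Places Icon On Desktop": ENABLED})
helpdesk_gpo = GPO("Helpdesk Policy", {"Remove Run Menu From Start Menu": DISABLED})
domain = Container("domain.com", [Link(domain_gpo)])
administration = Container("Administration", [Link(admin_gpo, no_override=True)])
helpdesk = Container("Helpdesk", [Link(helpdesk_gpo)])          # child OU of Administration
production = Container("Production", block_inheritance=True)


def demo():
    """Resultant policy for a user in each part of the constructed hierarchy."""
    return {
        "ADAdmin (Administration OU)": resultant_policy([domain, administration]),
        "helpdesk user (Administration\\Helpdesk)": resultant_policy([domain, administration, helpdesk]),
        "production user (Block Policy Inheritance)": resultant_policy([domain, production]),
        "production user, domain GPO set to No Override": resultant_policy(
            [Container("domain.com", [Link(domain_gpo, no_override=True)]), production]),
    }
```

Running demo() shows the Administration restrictions surviving a child-OU GPO that disables one of them, and the Production OU receiving nothing from the domain unless the domain link is also set to No Override.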

Exercise 3: Testing Group Policy

In this exercise, you will first log on as the User1 user to test the group policy settings implemented in Exercise 2. Then you will log on as the ADAdmin user to test the group policy settings implemented in Exercise 2.

  • To test Group Policy
    1. Log on as User1 with a password of User1.
    2. Were the following restrictions enforced? Why or why not?

      No Run command on the Start menu.

      No access to Display icon in Control Panel.

      No My Network Places icon on the desktop.

      No Map Network Drive or Disconnect Network Drive on the Tools menu in Windows Explorer.

    3. Log off.
    4. Log on as ADAdmin with a password of password.
    5. Were the following restrictions enforced? Why or why not?

      No Run command on the Start menu.

      No access to Display icon in Control Panel.

      No My Network Places icon on the desktop.

      No Map Network Drive or Disconnect Network Drive on the Tools menu in Windows Explorer.

    6. Log off.


Exercise 4: Removing Group Policy

In this exercise, you will remove the GPOs you created in the previous exercises.

  • To remove the GPOs
    1. Log on as Administrator.
    2. Open the Active Directory Users and Computers tool.
    3. Open the Administration Properties dialog box for the Administration OU.
    4. On the Group Policy tab, ensure that the Administration Admin Template Policy is selected, and then click Delete.
       The Delete dialog box appears.
    5. Click Remove The Link And Delete The Group Policy Object Permanently, and then click OK.
    6. When prompted to confirm the deletion, click Yes.
    7. Click Close.
    8. Close Active Directory Users And Computers.

Exercise 5: Testing Group Policy

In this exercise, you will log on as the User1 user to test the group policy settings removed in Exercise 4.

  • To test Group Policy
    1. Log on as User1 with a password of User1.
    2. Were the following restrictions enforced? Why or why not?

      No Run command on the Start menu.

      No access to Display icon in Control Panel.

      No My Network Places icon on the desktop.

      No Map Network Drive or Disconnect Network Drive on the Tools menu in Windows Explorer.

    3. Log off.


Lesson Summary

You configure the group policy settings within a GPO by using the Group Policy snap-in and its extensions in MMC. The extensions in Group Policy display the configurable settings for administrative templates, scripts, security, and folder redirection, in addition to software installation and Remote Installation Services (RIS).

Group policy settings that customize the desktop environment or enforce security policies on computers on the network are contained under Computer Configuration in Group Policy. Computer configuration policies apply when the operating system initializes. Computer configuration settings include all computer-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned applications options, and computer startup and shutdown scripts.

Group policy settings that customize the user's desktop environment or enforce lockdown policies on users on the network are contained under User Configuration in Group Policy. User configuration settings include all user-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policies apply when users log on to the computer.

The way that you implement group policy depends on the structure of your organization and network. However, there are some general guidelines you should follow. Limit the use of the Block Policy Inheritance and No Override options. Also limit the use of GPOs linked across domains, and limit the number of GPOs that affect any given user or computer. Computer startup and user logon time are affected by the number of GPOs that must be processed. Make use of security groups to filter the effect of group policies, because this will reduce the number of GPOs to be processed. Also disable the unused portion of a GPO; this will speed up the processing of GPOs.