Foundation Network Companion Guide: Deploying Group Policy by Using Membership Groups
Microsoft Corporation
Published: August 2008
Author: Dave Bishop
Editor: Allyson Adley
Reviewers: Rob Greene, Ned Pyle, Brit Weston, James McIllece
Abstract
The Windows Server® 2008 Foundation Network Guide provides instructions for planning and deploying the core components that are required for a fully functioning network. It also explains how to set up a new Active Directory® domain in a new forest.
This companion guide to the Foundation Network Guide provides instructions for deploying Group Policy objects (GPOs) to domain-joined computers independently of the organizational unit (OU) hierarchy of the domain. Membership in a single membership group causes the correct GPO to be applied to the computer, with filters ensuring that a GPO for one version of Windows is not accidentally applied to another version.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Foundation Network Companion Guide: Deploying Group Policy by Using Membership Groups 1
Abstract 1
Contents 3
Foundation Network Companion Guide: Deploying Group Policy by Using Membership Groups 5
Technology overview of Group Policy 5
About this guide 6
Requirements 7
What this guide does not provide 7
Group Policy Deployment Overview 7
Group Policy deployment components 8
Domain controller: AD-DNS-01 8
Group Policy: GPO_Membership 8
WMI Filters 8
Membership group: GRP_Membership 8
Exception group: GRP_Exception 8
Group Policy deployment process 9
Group Policy Deployment Planning 10
Planning the membership and exception groups 10
Planning domain access 11
Group Policy Deployment 11
Create the Membership Groups 11
Create the Exception Groups 12
Create the Group Policy Objects for Each Version of Windows 12
Create the WMI Filters 13
Apply Security Group Filters and WMI Filters to the GPOs 15
Link the GPOs to the Domain 15
Add Computers to the Exception Groups 16
Add Test Computers to the Membership Groups 17
Add Production Computers to the Membership Groups 18
Additional Resources 19
Foundation Network Companion Guide: Deploying Group Policy by Using Membership Groups
This is a companion guide to the Windows Server® 2008 Foundation Network Guide, which is available for download in Microsoft Office Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory domain in a new forest.
This guide explains how to build on the foundation network by providing instructions for deploying Group Policy objects (GPOs) by using membership groups instead of the organizational units (OUs) that form the hierarchy of an Active Directory domain.
 Caution
We recommend that you use the methods documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match up well with the deployment needs of these GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO will apply.
In a large enterprise environment with hundreds or thousands of GPOs, the use of this method can result in user or computer accounts that are made members of an excessive number of groups; this can result in network connectivity problems when network protocol limits have been exceeded. For more information about the problems associated with excessive group membership, see the following articles in the Microsoft Knowledge Base:
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in GPOs, which are linked to sites, domains, or OUs within an Active Directory domain. The settings within GPOs are then evaluated and applied by the targeted computers and users. Group Policy is one of the top reasons to deploy Active Directory Domain Services (AD DS) because it allows you to manage user and computer objects.
Most administrators associate GPO deployment with the OU hierarchy of an Active Directory domain. You can link a GPO to an OU, and any computers or users in that OU or one of its descendants receive and apply the settings in the GPO. However, an Active Directory domain can contain only a single hierarchy of OUs, and computer and user accounts can be placed into only a single OU. For this reason, there are times when an OU hierarchy that is appropriate for solving one problem is inappropriate for another. For example, many organizations design the OU hierarchy to support delegated administration. Computer and user accounts are placed into OUs for which an IT team has been assigned responsibility. By granting the IT team administrative permissions on the OU container, they can manage the computers and users whose accounts are in the OU. This same hierarchy might be ineffective for deploying Group Policy settings that affect computers across the entire organization, for example, when deploying Internet Protocol security (IPsec) settings for server and domain isolation scenarios.
In addition, configuring one version of Windows might require you to use a GPO setting that is different from the setting used in another version of Windows. For example, IPsec rules in Windows Vista and later versions of Windows are managed by a different part of the GPO than the IPsec rules for Windows Server 2003 and earlier versions of Windows. This means that you might have five separate GPOs that all perform the same function, one each for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Group Policy is one of a group of management technologies, collectively known as IntelliMirror management technologies, that provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer—even when they are disconnected from the network. IntelliMirror is implemented through a set of Microsoft Windows features, including AD DS, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles.
This guide provides instructions for deploying Group Policy settings to a set of client computers or users by using membership groups rather than account location in the OU hierarchy of an Active Directory domain.
The method described in this guide shows you how to create a single membership group into which you can add the user or computer accounts that are to receive a configuration through the use of GPOs. Membership in the group, rather than the account location in the OU hierarchy, determines whether the computer receives one of the GPOs associated with the membership group. In addition, Windows Management Instrumentation (WMI) filters are used to ensure that only the GPO with the settings that correspond to the version of Windows running on the computer is applied.
There are two main benefits to using this method to deploy GPOs:
It is totally independent of the OU structure of your Active Directory domain. To apply a GPO to one computer no longer means moving computers to another OU or restructuring your OU hierarchy.
It is very easy to apply or stop applying the settings in a GPO. You simply remove the user or computer account from the membership group. This removes the user or computer from the scope of the GPO without affecting any other GPOs that apply to the user or computer.
This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including Active Directory Domain Services (AD DS), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, and Windows Internet Name Service (WINS) (optional).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements
Following are the requirements for using Group Policy:
To deploy Group Policy, you must have an Active Directory domain controller hosting a domain and computers that are joined to the domain.
To configure GPOs, create membership groups, and assign members to them, you must be logged on as a member of the Domain Admins group.
What this guide does not provide
This guide does not provide comprehensive instructions for designing and deploying a Group Policy infrastructure by using AD DS. It is recommended that you review AD DS and Group Policy documentation before you deploy the technologies in this guide. For more information, see Additional Resources .
Group Policy Deployment Overview
The following illustration shows the components that are required to deploy Group Policy by using a membership group.
| 