• Change and Configuration Management
  • Group Policy and Total Cost of Ownership
  • Group Policy Capabilities
  • Group Policy and the Active Directory
  • Group Policy and Security Groups
  • Group Policy Administrative Requirements
  • Computer Configuration and User Configuration
  • Snap-in Extensions to Group Policy
  • Management and Overview Papers
  • Operating System Introduction to Windows 2000 Group Policy




    Date: 24.03.2020


    This paper is part of a series that introduces Windows 2000 Change and Configuration Management services and technologies. This paper presents an introductory overview of one of these technologies, Group Policy.

    Change and Configuration Management


    As its name implies, Change and Configuration Management involves managing the ongoing change and configuration issues that arise as administrators try to ensure that people are productive as they use their computers to complete their day-to-day work.

    The following table highlights the Windows 2000 Change and Configuration Management features, benefits, and the technologies that enable these features.




    Change and Configuration Management

    IntelliMirror*

    Feature: User Data Management

    Benefits: My data and documents follow me! Users can access the data that they need to do their job, whether they are working online or offline, or when roaming from one computer to another on the network. Administrators centrally manage this feature by policy to minimize support costs.

    Technologies:

    • Active Directory™
    • Group Policy
    • Offline Folders
    • Synchronization Manager
    • Enhancements to the Windows Shell
    • Disk Quotas

    Feature: Software Installation and Maintenance

    Benefits: My software follows me! Users have the software they need to perform their job. Software is self-repairing, and both the software and features install ‘just-in-time.’ Administrators centrally manage this feature by policy to minimize support costs.

    Feature: User Settings Management

    Benefits: My preferences follow me! Users get the same experience from any desktop. Personal preferences and settings for desktops or software are available whenever the user logs on. Administrators centrally manage this feature by policy to minimize support costs.

    Technologies:

    • Active Directory
    • Group Policy
    • Offline Folders
    • Roaming User Profiles
    • Enhancements to the Windows Shell

    Feature: Remote OS Installation

    Benefits: Administrators can enable installation and configuration of the Windows 2000 operating system on new or replacement computers without staging or on-site technical support.

    Technologies:

    • Active Directory
    • Dynamic Host Configuration Protocol
    • Remote Installation Server



    IntelliMirror


    IntelliMirror management technologies are a set of powerful features native to Windows 2000 for desktop Change and Configuration Management that combines the advantages of centralized computing with the performance and flexibility of distributed computing. IntelliMirror uses different features in both the server and client, and enables the users' data, applications, and personal settings to follow them to any desktop on the network.

    All users have data and settings that are specific to each of them. IntelliMirror increases the availability of the user’s computer and computing environment by intelligently storing information, settings, and applications, based on policy definitions. IntelliMirror is able to recover, restore, or replace users' data, applications, and personal settings in a Windows 2000-based environment. Therefore, users have constant access to all their information and applications, whether or not they are connected to the network, with the assurance that their data is safely maintained and available from the server.

    At the core of IntelliMirror are three features:


    • User Data Management

    • Software Installation and Maintenance

    • User Settings Management

    Administrators can use these IntelliMirror features either separately or together, depending on the requirements of the environment. When fully deployed, IntelliMirror uses the Active Directory directory service in Windows 2000 Server and Group Policy to provide policy-based management of users’ desktops. Through centrally defined policies based on the users’ business roles, group memberships, and location, Windows 2000 Professional desktops automatically reconfigure to meet a specific user’s requirements each time that user logs onto the network.


    Group Policy


    In Windows 2000, you use Group Policies to define user and computer configurations for groups of users and computers. You create a specific desktop configuration for a particular group of users and computers by using the Group Policy Microsoft Management Console¹ (MMC) snap-in. The Group Policy settings that you create are contained in a Group Policy Object (GPO), which is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units (OUs).

    Group Policy and Total Cost of Ownership


    Recent studies on total cost of ownership (TCO), the costs involved in administering distributed personal computer networks, cite lost productivity at the desktop as one of the major costs for corporations. Lost productivity is frequently attributed to user errors, such as modifying system configuration files and rendering the computer unworkable, or to complexity, such as the availability of non-essential applications and features on the desktop.

    One way to address TCO is for administrators to use Group Policy to create managed desktop environments tailored to users’ job responsibilities and level of experience with computers. In Windows 2000, administrators can manage desktops centrally, using the Active Directory service and its Group Policy support.


    Group Policy Capabilities


    You use the Group Policy MMC snap-in and its extensions to define Group Policy options for managed desktop configurations for groups of computers and users. With the Group Policy snap-in you can specify policy settings for the following:

    • Registry-based policies—Includes Group Policy for the Windows 2000 operating system and its components, and for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.

    • Security options—Includes options for local computer, domain, and network security settings.

    • Software installation and maintenance options—Used to centrally manage application installation, updates, and removal.

    • Scripts options—Includes scripts for computer startup and shutdown, and user logon and logoff.

    • Folder redirection options—Allows administrators to redirect users’ special folders to the network.

    Using Group Policy, you can define the state of users’ work environment once and rely on the system to enforce the policies you define.

    Group Policy Benefits


    Group Policy provides the following advantages:

    • Capitalizes on the Windows 2000 Active Directory services

    Group Policy allows for centralized or decentralized management of policy options.

    • Offers flexibility and scalability

    Group Policy handles a wide range of implementation scenarios that can be applied to both small businesses and large corporations.

    The Group Policy MMC snap-in extends other Active Directory administrative tools, such as the Active Directory Users and Computers and Active Directory Site and Services Manager snap-ins.

    Administrators can delegate control of Group Policy Objects.



    • Has a clear interface and is easy to use

    Provides slow link detection and straightforward, unobtrusive feedback.

    • Provides reliability and security

    After you define Group Policy for groups of users and computers, you can rely on the system to enforce those policy settings.

    Group Policy and the Active Directory


    Group Policy extends and takes advantage of the Active Directory service. Group Policy settings are contained in Group Policy Objects that are in turn associated with the following Active Directory containers: sites, domains, or organizational units (OUs). For example, you can specify Group Policy for a site, domain, OU, or OUs within an OU.

    Group Policy and Security Groups


    You can filter Group Policy by using membership in Security Groups and setting Discretionary Access Control List (DACL) permissions. Doing so enables fast processing of Group Policy Objects and allows Group Policy to be applied to Security Groups. By using ACLs and Security Groups, you can modify the scope of Group Policy Objects. For example, when you use Security Groups to filter Group Policy, you can provide finer granularity of policy than just to OUs; that is, you can modify the application of policy for specific users within an OU.

    Group Policy Overview





    In Windows NT® 4.0, you used the System Policy Editor tool to configure user and computer configurations stored in the Windows NT registry database. Using System Policy Editor, you could create a system policy to control user work environment and actions and to enforce system configuration settings for all computers running Windows NT Workstation and Windows NT Server. System policies are registry settings that define the behavior of various components of the desktop environment.

    Windows 2000 introduces the Group Policy MMC snap-in, a tool that extends the functionality of System Policy Editor and provides enhanced capabilities for specifying user and computer configurations for groups of computers and users. The Group Policy snap-in is a Microsoft Management Console snap-in that includes native features for setting Group Policy. Group Policies define the various components of the user’s environment that system administrators need to manage, such as policy settings for registry-based policies, security options, software deployment options, scripts, and redirection of folders.


    Group Policy Administrative Requirements


    To set Group Policy for a selected Active Directory object, you must have a Windows 2000 domain controller installed, and you must have read and write permission to access the system volume of domain controllers (Sysvol folder) and modify rights to the currently selected directory object. The system volume folder is automatically created when you install a Windows 2000 domain controller (or promote a server to domain controller).

    By default, Group Policy affects all computers and users in a selected Active Directory container. However, you can filter the effects of Group Policy based on users’ or computers’ membership in a Windows 2000 Security Group. To filter Group Policy, you use the Security tab on a Group Policy Object’s Properties page to specify Discretionary Access Control List (DACL) permissions. To delegate the use of the Group Policy snap-in tool, you use DACL permissions.
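
    The DACL-based filtering and delegation described above can be audited from a current management host. The following is an added example, not part of the original paper: it assumes the GroupPolicy PowerShell module (a later tool than the Windows 2000 snap-in described here) and an account with read access to the domain's GPOs.

```powershell
# Added example: audit GPO security filtering and delegation.
# Assumption: GroupPolicy module (RSAT / Group Policy Management feature) is installed.
Import-Module GroupPolicy

# Flatten the DACL of every GPO in the current domain into one row per trustee.
$acl = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Trustee    = $ace.Trustee.Name
            Sid        = $ace.Trustee.Sid.Value
            Permission = [string]$ace.Permission
        }
    }
}

# 1. Security filtering: trustees that hold Read + Apply Group Policy.
#    A GPO that does not list Authenticated Users here is filtered to the
#    Security Groups that are listed.
$acl | Where-Object { $_.Permission -eq 'GpoApply' } |
    Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee -AutoSize

# 2. Delegation: trustees that can modify a GPO, other than the built-in
#    administrative principals. SYSTEM is S-1-5-18; Domain Admins and
#    Enterprise Admins are domain SIDs ending in RID 512 and 519.
$builtIn = '^S-1-5-18$|-512$|-519$'
$acl | Where-Object {
        $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
        $_.Sid -notmatch $builtIn
    } |
    Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, Permission -AutoSize
```

    Any trustee in the second table can change settings that the system then enforces on every computer and user in the GPO's scope, so each entry should correspond to a deliberate delegation.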



    The following graphic illustrates a Group Policy and Active Directory scenario:


    Computer Configuration and User Configuration


    At the root of the Group Policy snap-in namespace are two parent nodes: Computer Configuration and User Configuration. These are the parent folders you use to configure specific desktop environments and to enforce policy settings on groups of computers and users on the network.

    Computer Configuration


    This includes all computer-related policies that specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the operating system initializes.

    User Configuration


    This includes all user-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer.

    To set User Configuration per computer, in the Group Policy MMC console, select Computer Configuration, navigate to Administrative Templates, System, Group Policy, and set the option for Loopback Policy.


    Snap-in Extensions to Group Policy


    The Group Policy snap-in includes several snap-in extensions. A Group Policy snap-in extension may extend either or both of the User or Computer Configuration nodes in either the Windows Settings node or the Software Settings node. Most snap-ins extend both of these nodes, but frequently with different options. The following is a list and brief description of the Group Policy snap-in extensions that are included in Windows 2000:

    • Administrative Templates—Includes registry-based policy settings, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications. The Administrative Templates snap-in extension also includes functionality for managing Disk Quotas and Remote Installation options.

    • Security Settings—You use the Security Settings extension to define security configuration for computers within a GPO. You can define local computer, domain, and network security settings.

    • Software Installation—You use the Software Installation extension to centrally manage software distribution in your organization. You can install, assign, publish, update, repair, and remove software for groups of users and computers.

    • Scripts—You can use scripts to automate computer startup and shutdown, and user logon and logoff. For these purposes, you can use Windows Scripting Host² to include Visual Basic®, Scripting Edition (VBScript), and JScript® type scripts.

    • Folder Redirection—Allows you to redirect special folders to the network.

    For more detailed information on Group Policy, see the technical paper entitled Windows 2000 Group Policy, available at: http://www.microsoft.com/windows/server/Technical/management.

    For More Information





    For the latest information on Windows 2000, see the Web site at http://www.microsoft.com/ntserver/ and the Windows NT Server Forum on MSN™, The Microsoft Network online service (GO WORD: MSNTS).

    Management and Overview Papers


    The following table lists a series of papers that introduce Microsoft’s Windows management services and Change and Configuration Management. These papers are intended for managers and technical decision makers who need to understand the business requirements for, and the benefits of, management features, as well as Microsoft’s management architecture, tools, and solutions. We recommend that you read these in the order listed below.


    Title: Introduction to Windows Management Services
    Content: An overview of the management roles and disciplines, as well as the architecture for management solutions that will be available either as part of the operating system or as an add-on.
    URL: http://www.microsoft.com/windows/server/Technical/management.

    Title: Introduction to Change and Configuration Management
    Content: An overview of Change and Configuration Management and an introduction to how Microsoft’s products, such as Windows 2000 IntelliMirror, Remote OS Install and Systems Management Server, address this management discipline.
    URL: http://www.microsoft.com/windows/server/Technical/management.

    Title: IntelliMirror
    Content: An overview of the features of Windows 2000 IntelliMirror and scenarios for how organizations can benefit from IntelliMirror.
    URL: http://www.microsoft.com/windows/server/Technical/management.

    Title: Remote OS Installation
    Content: An overview of the features of Remote OS Installation and scenarios illustrating how organizations can benefit from IntelliMirror.
    URL: http://www.microsoft.com/windows/server/Technical/management.

    Title: Systems Management Server
    Content: An overview of the features of Systems Management Server and discussion of its benefits.
    URL: http://www.microsoft.com/ntserver/management/exec and http://www.microsoft.com/smsmgmt.



    Technical Papers


    The following table lists additional technical papers that are or will be available for administrators and Information Technology (IT) managers who are interested in understanding the details of Windows management services features and technologies.

    To learn about: Active Directory
    Check this URL: http://www.microsoft.com/windows/server/Technical/directory.

    To learn about: Group Policy
    Check this URL: http://www.microsoft.com/windows/server/Technical/management.

    To learn about: “Windows 2000 Group Policy Scenarios”
    Check this URL: http://www.microsoft.com/windows/server/Technical/management.

    To learn about: Microsoft Windows Installer Service
    Check this URL: http://www.microsoft.com/Windows/professional/technical/whitepapers/Installer.asp.

    To learn about: Software Installation and Maintenance
    Check this URL: http://www.microsoft.com/windows/server/Technical/management.

    To learn about: Remote OS Installation Service
    Check this URL: http://www.microsoft.com/windows/server/Technical/management.

    To learn about: User Documents and Settings
    Check this URL: http://www.microsoft.com/windows/server/Technical/management.

    To learn about: Windows Management Instrumentation (WMI)
    Check this URL: http://www.microsoft.com/ntserver/management/Techdetails.

    To learn about: “Implementing Profiles and Policies for Windows NT 4.0”
    Check this URL: http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp.




    ¹ The Microsoft Management Console (MMC) provides an open, extensible, common console framework for management applications. MMC provides a unified user interface for hosting administrative tools, including snap-ins to administer networks, computers, services, and other system components.

    ² Windows Scripting Host, like Internet Explorer, serves as a controller engine of ActiveX Scripting engines. Windows Scripting Host supports scripts written in VBScript and JScript.

