Contents
Introduction
IntelliMirror Management Technologies
IntelliMirror Benefits and Technologies
Group Policy Overview
Defining Group Policy
Group Policy Capabilities
Registry-based Policy
Security Settings
Software Restrictions
Software Distribution and Installation
Computer and User Scripts
Roaming User Profiles and Redirected Folders
Offline Folders
Internet Explorer Maintenance
What’s New in Windows Server 2003 Group Policy
Unified Group Policy Management with the GPMC
GPMC Features
WMI Filters
New Policy Settings
Using Group Policy
Computer and User Configuration
Administering Group Policy
GPMC
Group Policy Object Editor (Previously GPEdit)
Group Policy Results and Modeling
Applying Group Policy
Group Policy Scope of Management
Applying Security and WMI Filters to GPOs
Developing Applications to Use Group Policy
Summary
Related Links
Introduction
The Group Policy management solution in Microsoft® Windows Server™ 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory® directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows® XP Professional, and Windows Server 2003.
Through this Active Directory infrastructure and Group Policy, administrators can take advantage of policy-based management to do the following:
Enable one-to-many management of users and computers throughout the enterprise.
Automate enforcement of IT policies.
Simplify administrative tasks, such as system updates and application installations.
Consistently implement security settings across the enterprise.
Efficiently implement standard computing environments for groups of users.
Group Policy can be used to define user-related policies as well as security, networking, and other policies applied at the machine level. In addition, Group Policy enables management of domain controllers and member servers as well as desktop user machines.
The new Group Policy Management Console (GPMC) provides a unified, graphical user interface for deploying and managing Group Policy implementations and enables script-based management of Group Policy operations. In addition, Windows Server 2003 adds even greater administrative control to Group Policy, including more than 200 new policy settings for the operating system. Additionally, support for Windows Management Instrumentation (WMI) filters provides a greater degree of control over how Group Policy is applied to users and computers.
Group Policy and Active Directory are key components of the IntelliMirror® management technologies. Through these technologies, IT administrators can implement standard computing environments for groups of users and computers. As a result, IntelliMirror can significantly boost user productivity and satisfaction while increasing administrator efficiency and reducing IT costs.
This article is intended for IT administrators new to Group Policy. It provides an overview of IntelliMirror, introduces Group Policy, and describes new Group Policy features introduced with Windows Server 2003.
IntelliMirror Management Technologies
Administrators are tasked with helping to keep people productive as they use their computers for day-to-day work. IntelliMirror eases this task. IntelliMirror enables administrators to provide users with consistent access to their applications, application settings, and user data from any managed computer, even when users are disconnected from the network. Because users can maintain constant access to all their information and applications, they receive the assurance that their data is safely maintained and available from a server. For IT organizations, eliminating the need to manually configure user settings, install applications, and transfer user files reduces overhead.
IntelliMirror technologies combine the advantages of centralized computing with the performance and flexibility of distributed computing. Implemented as a set of Windows technologies, IntelliMirror allows administrators to create standard computing environments for groups of users and computers. When fully deployed, IntelliMirror provides policy-based management of users’ desktops and servers. Through centrally defined policies based on users’ group memberships and location, machines running Windows-based server and client operating systems (Windows 2000 and later) are configured automatically to meet a specific user’s requirements each time he or she logs on to a network.
The following table highlights the benefits to users when IntelliMirror is implemented and identifies the technologies that enable these features. IntelliMirror uses different features in both the server and client, and these features can be used either separately or together depending on the requirements of the environment.
IntelliMirror Benefits and Technologies
| Benefit | Description | Technologies |
|---|---|---|
| Consistent Environment | Users can work with a consistent computing environment from any computer, such as when their desktop or laptop computer is unavailable. User profiles are stored on a server so that the profile is available from any machine. In cases where users are not assigned a specific computer, hardware and administration costs are reduced as well, because users can log on to any available IntelliMirror-managed computer and work in a familiar environment. | |
| Uninterrupted Access | Users can continue to work efficiently even when network connections are intermittent or even disconnected. Under these conditions, uninterrupted access to user and configuration data can be enabled. IntelliMirror eases the IT task of implementing centralized backup of user files while satisfying the need for these files to remain available on users’ computers. | Active Directory, Group Policy, Offline Folders, Synchronization Manager, Enhancements to the Windows Shell, Redirected Folders, Disk Quotas |
| Minimized Data Loss | IT organizations can enable centralized backup of user data and configuration files. Centralized backups ease the IT workload and satisfy users’ need for files to remain available on their computers. | Active Directory, Group Policy, Roaming User Profiles, Redirected Folders, Offline Folders |
| Minimized User Downtime | Administrators can enable automated installation and repair of applications, reducing support costs by using Windows Installer to repair application installations automatically. | Active Directory, Group Policy, Windows Installer Service, Add/Remove Programs in Control Panel, Group Policy Software Installation |
Group Policy Overview
Administrators can manage computers centrally through Active Directory and Group Policy. Using Group Policy to deliver managed computing environments allows administrators to work more efficiently because of the centralized, one-to-many management it enables. Measurements of total cost of ownership (TCO) associated with administering distributed personal computer networks reveal lost productivity for users as one of the major costs for corporations. Lost productivity is frequently attributed to user errors, such as modifying system configuration files and rendering a computer unworkable, or to complexity, such as the availability of nonessential applications and features on the desktop. Because Group Policy defines the settings and allowed actions for users and computers, it can create desktops that are tailored to users’ job responsibilities and level of experience with computers.
Defining Group Policy
Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings. These settings are specified through the Group Policy Object Editor tool (formerly known as GPedit) and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers, such as sites, domains, or OUs, as Figure 1 shows. In this way, Group Policy settings are applied to the users and computers in those Active Directory containers. Administrators can configure the users’ work environment once and rely on the system to enforce the policies as defined.
Figure 1. GPOs are applied to sites, domains, and the OUs beneath them. Here, OU1 is affected by GPO1, GPO2, and GPO3. OU2 is affected by all four GPOs.
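The scope described in Figure 1, worked through as an added example (not code from this article or from Microsoft): it resolves which GPOs reach an OU and which GPO supplies each effective setting, which is the question an administrator asks when auditing what a security setting's real source is. The site, domain, link placement, and setting names are assumptions made up for illustration; the model covers only site, domain, and OU links and ignores local policy, security and WMI filtering, and link options.

```python
# Added example: constructed model of Figure 1, not data from a real directory.
# ASSUMPTION: the page does not say which GPO is linked where; these links
# and the site/domain names are made up so the figure's outcome is reproduced.
LINKS = {
    "site:HQ": ["GPO1"],
    "DC=example,DC=com": ["GPO2"],
    "OU=OU1,DC=example,DC=com": ["GPO3"],
    "OU=OU2,OU=OU1,DC=example,DC=com": ["GPO4"],
}
# Constructed settings; the setting names are hypothetical.
SETTINGS = {
    "GPO1": {"ScreenSaverTimeout": 900},
    "GPO2": {"ScreenSaverTimeout": 600, "MinPasswordLength": 8},
    "GPO3": {"HideControlPanel": True},
    "GPO4": {"ScreenSaverTimeout": 300},
}

def containers_for(dn, site):
    """Containers whose GPO links reach `dn`, outermost first."""
    # Naive split: does not handle escaped commas inside RDN values.
    parts = [p.strip() for p in dn.split(",")]
    # GPOs link to containers, so drop the leaf object (CN=...) itself.
    while parts and parts[0].upper().startswith("CN="):
        parts.pop(0)
    n_ou = sum(1 for p in parts if p.upper().startswith("OU="))
    # Suffixes from the domain (DC= parts only) down to the full OU path.
    chain = [",".join(parts[i:]) for i in range(n_ou, -1, -1)]
    return ["site:" + site] + chain

def applied_gpos(dn, site, links=LINKS):
    """GPOs in processing order: site, domain, then parent OU to child OU."""
    order = []
    for container in containers_for(dn, site):
        order.extend(links.get(container, []))
    return order

def effective_settings(dn, site, links=LINKS, settings=SETTINGS):
    """Merge settings in processing order; the last GPO to set a value wins."""
    result = {}
    for gpo in applied_gpos(dn, site, links):
        for name, value in settings.get(gpo, {}).items():
            result[name] = (value, gpo)  # remember which GPO supplied it
    return result

if __name__ == "__main__":
    for ou in ("OU=OU1,DC=example,DC=com", "OU=OU2,OU=OU1,DC=example,DC=com"):
        print(ou, applied_gpos(ou, "HQ"), effective_settings(ou, "HQ"))
```

Recording the source GPO next to each value shows at a glance when a setting defined at the domain is being overridden lower in the OU tree.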