• Software Distribution and Installation
  • Computer and User Scripts
  • Roaming User Profiles and Redirected Folders
  • Internet Explorer Maintenance
  • What’s New in Windows Server 2003 Group Policy
  • Unified Group Policy Management with the GPMC
  • Group Policy Capabilities




    Page 3/5
    Date: 26.12.2019
    Size: 0.64 Mb.

    Group Policy Capabilities


    Through Group Policy, administrators define the policies that determine how applications and operating systems are configured and keep users and systems secure. The following sections describe the key features of Group Policy.

    Registry-based Policy


    The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy. With the new Group Policy Management Console (GPMC), described later in this paper, and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components. For example, an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.

    Security Settings


    Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO. Local computer, domain, and network security settings can be specified. For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, hash, or publisher criteria. Administrators can make exceptions to this default security level by creating rules for specific software.

    Software Restrictions


    To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies. Administrators can now use policies to identify software running in a domain and control its ability to execute.

    Software Distribution and Installation


    Administrators can manage application installation, updates, and removal centrally with Group Policy. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Software can be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optionally install software through Add/Remove Programs in the Control Panel). Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.

    Administrators can use Group Policy to deploy approved packages. For example, in a highly managed desktop environment where users don’t have permission to install applications, the Windows Installer service can perform an installation on the user's behalf. In addition, for highly managed workstations, Windows Installer integrates with the software restriction policies implemented through Group Policy to restrict new installations to a list of acceptable software.


    Computer and User Scripts


    Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff. Any language supported by Windows Scripting Host can be used, including the Microsoft Visual Basic® development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS®-style batch files (.bat and .cmd).

    Roaming User Profiles and Redirected Folders


    Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on. As a result, users experience a consistent environment no matter which computer they use. Through folder redirection, important user folders, such as My Documents and the Start menu, can be redirected to a server-based location. Folder redirection allows centralized management of these folders and gives an IT group the capability to easily back up and restore these folders on behalf of users.

    Enhancements in Windows Server 2003 provide more robust roaming capabilities and simplified folder redirection. Together, these features allow mobile users or those not assigned to a particular computer to see a familiar desktop when they log on and to locate needed folders. Administrators also can take advantage of roaming user profiles to replace computers more easily. When a user logs on to a new computer for the first time, the server copy of the user's profile is copied to the new computer. In addition, administrators can redirect users’ My Documents folder to their home directory, a new feature.


    Offline Folders


    When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk. Users are assured access to critical information even when network connections are unstable or nonpermanent or when using a mobile computer. When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.

    Internet Explorer Maintenance


    Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy. The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer running Windows 2000 and later.

    What’s New in Windows Server 2003 Group Policy


    In Windows Server 2003, enhancements to Group Policy significantly improve the ability to plan, stage, deploy, manage, troubleshoot, and report on Group Policy implementations. The sections below describe key new features in the Group Policy infrastructure.

    Unified Group Policy Management with the GPMC


    The new Group Policy Management Console (GPMC) makes it much easier to manage Group Policy implementations. The GPMC provides a unified view of GPOs, sites, domains, and OUs across an enterprise and can be used to manage either Windows Server 2003 or Windows 2000 domains.

    Before GPMC, administrators were required to use several tools to manage Group Policy. The GPMC integrates the existing Group Policy functionality exposed in these tools into a single console. Together with new features such as backup, restore, copy, and scriptable operations, the GPMC simplifies Group Policy deployments.


    GPMC Features


    Feature

    Description

    Integrated MMC Snap-In

    The Microsoft Management Console (MMC) provides a Group Policy-centric view of an enterprise with administrative features integrated cleanly for increased ease of use. The MMC’s user interface describes GPOs and associated links in a more intuitive manner and integrates with an updated Group Policy Object Editor.

    GPMC Reporting

    A rich HTML-based reporting environment for GPOs and their policy settings is included in GPMC.

    Group Policy Results and Modeling

    GPMC exposes Resultant Set of Policy (RSoP) data. First introduced in Windows XP, RSoP makes it easy for an administrator to determine the resulting set of policies for a given user or computer in both an actual and a what-if scenario. In GPMC, Group Policy Results displays the result of a query made directly against a computer/user. Group Policy Modeling enables what-if simulation of user/computer scenarios and can be an important tool when planning changes to a Group Policy implementation. Group Policy Modeling must be performed against a Windows Server 2003 domain controller.

    Support for Backup, Staging, and Testing Group Policy Objects

    GPMC includes backup and restore options for GPOs. Using this feature, administrators can maintain GPO templates—versions of GPOs for different configurations, such as highly managed desktops, laptops, Terminal Services on Windows Server 2003, Exchange Servers, and so on. New support for backup, copying, and importing GPOs lets administrators deploy configurations rapidly throughout an organization as needed, including between test and production environments and across forests.

    Enhanced User Interface in the Group Policy Object Editor

    Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking a policy displays text that explains its function and supported operating systems (the latter through a new Supported On tag).

    Scriptable Interfaces

    Operations such as backup, restore, import, copy, and reporting of GPOs are fully scriptable, which lets administrators customize and automate management. Note that it is not possible to programmatically set individual policy settings within a GPO.

    Support for Cross-forest Trusts

    Administrators can manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface with drag-and-drop support. And with cross-forest trust, administrators can manage Group Policy across multiple forests from the same console.
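
    The scriptable backup and reporting operations listed in the table above can be combined into a dated snapshot that supports change review. This is an added example, not code from the paper: it uses the Backup-GPO, Get-GPO and Get-GPOReport cmdlets of the GroupPolicy PowerShell module that ships with later GPMC/RSAT releases rather than the Windows Server 2003 scripting interfaces, and the function name, domain and folder are hypothetical.

```powershell
# Added example: snapshot every GPO in a domain (backup + HTML report + inventory).
# Assumes the GroupPolicy module (GPMC/RSAT) is installed and the caller can read all GPOs.
Import-Module GroupPolicy -ErrorAction Stop

function Export-GpoSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Domain,    # placeholder, e.g. corp.example.test
        [Parameter(Mandatory)] [string] $RootPath   # hypothetical folder or share
    )
    # One folder per run so an earlier snapshot is never overwritten.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target  = Join-Path $RootPath $stamp
    $backups = Join-Path $target 'backup'
    $reports = Join-Path $target 'reports'
    New-Item -ItemType Directory -Path $backups, $reports -Force | Out-Null

    # Backup: restorable copies of all GPOs in the domain.
    Backup-GPO -All -Domain $Domain -Path $backups -Comment "Snapshot $stamp" |
        Out-Null

    # Reporting: one HTML settings report per GPO. Files are named by GUID
    # because display names may contain characters that are invalid in paths.
    $inventory = foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $file = Join-Path $reports ('{0}.html' -f $gpo.Id)
        Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html -Path $file
        [pscustomobject]@{
            Id              = $gpo.Id
            DisplayName     = $gpo.DisplayName
            Status          = $gpo.GpoStatus
            Modified        = $gpo.ModificationTime
            ComputerVersion = $gpo.Computer.DSVersion
            UserVersion     = $gpo.User.DSVersion
            WmiFilter       = $gpo.WmiFilter.Name   # empty when no filter is linked
        }
    }

    # The inventory lets two snapshots be diffed by version and modification time.
    $inventory | Sort-Object DisplayName |
        Export-Csv -Path (Join-Path $target 'inventory.csv') -NoTypeInformation
    return $target
}

# Example call with placeholder values:
# Export-GpoSnapshot -Domain 'corp.example.test' -RootPath 'D:\GpoSnapshots'
```

    Comparing the inventory.csv files of two runs shows which GPOs changed version between snapshots; the matching HTML reports show the settings in effect at each point.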


    WMI Filters


    Administrators can now specify, create, and edit a WMI-based query to filter the effect of a GPO. With WMI filters, administrators can determine the scope of GPOs dynamically based on attributes of a target computer. For example, a WMI filter can be defined to include all machines with more than 500 megabytes (MB) of free disk space. In addition, Group Policy Modeling in the GPMC includes a WMI option so that administrators can perform a what-if analysis based on WMI filtering properties.
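
    A WMI filter is a WQL query, and the filter is satisfied when the query returns at least one instance on the target computer. The following added example (not from the paper) expresses the 500 MB case as WQL and checks it on the local machine before the filter is linked to a GPO; the function name is hypothetical, and restricting the test to fixed local disks (DriveType = 3) is an assumption the paper does not state.

```powershell
# Added example: evaluate a candidate WMI filter query on the local computer.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    try {
        # @() forces an array so Count is correct for zero or one result.
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Matched   = ($hits.Count -gt 0)   # at least one instance satisfies the filter
            Instances = $hits
            Error     = $null
        }
    }
    catch {
        # A malformed query or missing namespace is reported as an error,
        # never as a match, so a typo cannot be mistaken for "in scope".
        [pscustomobject]@{
            Matched   = $false
            Instances = @()
            Error     = $_.Exception.Message
        }
    }
}

# "More than 500 MB of free disk space": FreeSpace is reported in bytes.
$minFree = 500MB    # PowerShell expands this to 524288000
$query   = "SELECT * FROM Win32_LogicalDisk " +
           "WHERE DriveType = 3 AND FreeSpace > $minFree"

$result = Test-WmiFilterQuery -Query $query
if ($result.Error) {
    Write-Warning "Query failed: $($result.Error)"
}
else {
    "Filter matched: $($result.Matched)"
    # Show which disks satisfied the condition, in MB.
    $result.Instances |
        Select-Object DeviceID, @{ n = 'FreeMB'; e = { [math]::Round($_.FreeSpace / 1MB) } }
}
```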

    New Policy Settings


    Over 200 new policy settings in Windows Server 2003 extend functionality to include the Control Panel, error reporting, Terminal Services, Remote Assistance, networking and dial-up connections, network logon, Group Policy, roaming profiles, client DNS settings, and more. To manage these settings, the Administrative Templates node of the Group Policy snap-in is used.

