  • Published: April 2003





    Figure 2. “Common Managed Settings” is a GPO linked to the Engineering – Offsite OU. This view of GPMC shows the scope of the GPO.

    GPMC consists of a new Microsoft® Management Console (MMC) snap-in and a set of programmable interfaces for managing Group Policy. GPMC can be used to manage both Windows Server 2003 and Windows 2000 domains. In either case, the administrative computer on which the tool itself runs must be running one of the following:



    • Windows Server 2003.

    • Windows XP Professional with Service Pack 1 (SP1), plus an additional post-SP1 hotfix, and the Microsoft .NET Framework.

    The GPMC is available as a free download to all Windows Server 2003 customers at the Microsoft Download Center.

    Group Policy Object Editor (Previously GPEdit)


    The Group Policy Object Editor is a tool that hosts MMC extension snap-ins used to manage policy settings. All functionality is provided by extension snap-ins. Administrators edit policy settings using the Group Policy Object Editor.

    All policy settings created by the Group Policy Object Editor are stored in a GPO. The policy settings that an administrator provides with the Group Policy Object Editor do not take effect until the target system applies policy.


    Group Policy Results and Modeling


    The GPMC now integrates the planning and logging capabilities provided by the RSoP service with two new options:

    • Group Policy Results. This option displays the resultant set of policy that was applied to a given user and computer and works by directly communicating with the target machine to retrieve the appropriate RSoP data. In GPMC, administrators can read RSoP logging data for objects in a domain or organizational unit. Individual nodes represent different RSoP queries for a given user/computer combination. Group Policy Results data is supported only for computers running Windows XP or Windows Server 2003 and later.

    • Group Policy Modeling. This option displays simulations of the policy deployment for any user and computer in a domain. GPMC provides access to simulated RSoP data by calling a service running on a Windows Server 2003 domain controller. Each Group Policy Modeling simulation is displayed as an individual node within the GPMC snap-in. The modeling option is available only for a forest that has the Windows Server 2003 schema for Active Directory.

    Applying Group Policy


    Group Policy is applied in an inherited and cumulative fashion and affects all computers and users in an Active Directory container. Policy is applied when the computer starts up and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user's profile, then applies user policy. Policy is reapplied on a periodic basis, which an administrator can set by using the Group Policy Object Editor, and can also be reapplied on demand.

    When applying policy, the system queries the directory service for a list of GPOs to process. If a computer or user has been denied access to a GPO, the system does not apply the specified policy settings. If access is permitted, the system applies the policy settings specified by the GPO.



    Note: Application deployment and startup and logon scripts occur only during startup or interactive user logon, not on a periodic basis. Folder redirection occurs only during interactive logon. This prevents undesirable results, such as uninstalling or upgrading an application that is in use. However, registry-based policy settings and security policy settings are applied periodically.

    Group Policy Scope of Management


    The scope of Group Policy can extend from a single computer—that is, the local GPO that all computers include—to Active Directory sites, domains, and OUs. Each of these different targeting options is called a scope of management (SOM). For example, a GPO might be linked to an Active Directory site to specify policy settings for proxy settings and network-related settings that are specific to that site. A GPO becomes useful only after it is linked to a SOM—the settings in the GPO are then applied according to the scope.

    GPOs are processed in the order of local, site, domain, and then OU as Figure 3 shows. As a result, a computer or user receives the policy settings of the last Active Directory container processed—that is, a policy applied later overwrites policy applied earlier.





    Figure 3. Here, the Marketing OU inherits GPO1, GPO2, GPO3, and GPO5, while the Servers OU inherits GPO1, GPO2, GPO3, GPO4, and GPO6.

    Applying Security and WMI Filters to GPOs


    GPOs can be applied to Active Directory objects with greater precision through filtering. By default, a GPO affects all computers and users in a linked Active Directory container. However, administrators can filter Group Policy based on membership in security groups by setting discretionary access control list (DACL) permissions. They can also filter based on Windows Management Instrumentation (WMI) properties. With WMI, administrators can determine whether to apply a GPO to a specific computer or user based on its WMI properties. WMI filtering can be applied to either Windows Server 2003 or Windows XP Professional machines (Windows 2000 machines ignore a WMI filter and apply the GPO regardless).

    The combination of targeting of GPOs through SOM and selective filtering through security groups and WMI filtering gives administrators significant flexibility. They can decide which users and computers receive and are affected by Group Policy.
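
    The processing order and the two filters described above can be checked with a small model. This is an added example, not Microsoft code: it is a simplified simulation in which security filtering is reduced to group membership, and every GPO name, setting and WMI property is constructed for illustration.

```python
from dataclasses import dataclass, field

SOM_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}  # processing order from the text

@dataclass
class GPO:
    name: str
    som: str            # scope of management the GPO is linked to
    settings: dict
    apply_groups: frozenset = frozenset({"Authenticated Users"})  # security filter (DACL)
    wmi_filter: object = None   # callable(wmi_props) -> bool, or None for no filter

@dataclass
class Target:
    os: str
    groups: frozenset
    wmi_props: dict = field(default_factory=dict)

def gpo_applies(gpo, target):
    # Security filtering: skip the GPO unless a group the target belongs to may apply it.
    if not (gpo.apply_groups & target.groups):
        return False
    # WMI filtering: Windows 2000 ignores the filter and applies the GPO regardless.
    if gpo.wmi_filter is not None and target.os != "Windows 2000":
        return bool(gpo.wmi_filter(target.wmi_props))
    return True

def resultant_policy(gpos, target):
    """Return ({setting: value}, {setting: name of the GPO that set it last})."""
    values, winners = {}, {}
    for gpo in sorted(gpos, key=lambda g: SOM_ORDER[g.som]):
        if gpo_applies(gpo, target):
            for key, val in gpo.settings.items():
                values[key], winners[key] = val, gpo.name   # later scope overwrites earlier
    return values, winners

# Constructed sample GPOs and targets (hypothetical names and settings).
GPOS = [
    GPO("Laptop Lockdown", "ou", {"RemovableStorage": "deny"},
        wmi_filter=lambda p: p.get("ChassisType") == "Laptop"),
    GPO("Contractor Restrictions", "domain", {"ControlPanel": "hidden"},
        apply_groups=frozenset({"Contractors"})),
    GPO("Domain Baseline", "domain", {"ScreenSaverTimeout": 900, "RemovableStorage": "allow"}),
    GPO("Site Proxy", "site", {"ProxyServer": "proxy.example.test:8080"}),
    GPO("Local GPO", "local", {"ScreenSaverTimeout": 1800}),
]
EVERYONE = frozenset({"Authenticated Users"})
XP_DESKTOP = Target("Windows XP Professional", EVERYONE, {"ChassisType": "Desktop"})
W2K_DESKTOP = Target("Windows 2000", EVERYONE, {"ChassisType": "Desktop"})

if __name__ == "__main__":
    for label, t in (("XP desktop", XP_DESKTOP), ("Windows 2000 desktop", W2K_DESKTOP)):
        print(label, resultant_policy(GPOS, t))
```

    The two desktops differ only in operating system, yet the Windows 2000 machine receives the laptop-only GPO because it ignores the WMI filter; a GPO that relies on WMI filtering alone therefore needs a security filter as well when Windows 2000 clients are in scope.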


    Developing Applications to Use Group Policy


    Applications can be developed to take advantage of the most common type of policy setting, namely registry-based policy. For example, a programmer can create a component that includes “available” and “unavailable” functionality based on registry-based policy. Administrators then have a well-defined and simple process: They can use the GPMC to turn functionality on or off for all affected users and computers. This type of policy is implemented using a built-in registry client-side extension on every Group Policy client to process the data and manage the appropriate registry keys. Registry-based policy settings are stored in one of four secure Group Policy keys, which cannot be modified without administrative rights on the machine.

    For more information, see the Implementing Registry-Based Group Policy article at http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.
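
    A policy-aware application reads the secure policy keys before any user-writable preference, so a user cannot override what an administrator has set. The sketch below is an added example, not code from the white paper: the four key paths are the standard Windows policy locations (the page does not list them), while the `Contoso\Viewer` subkey, the `PrintingEnabled` value and the machine-before-user lookup order are assumptions made for illustration.

```python
# The four Group Policy registry locations; writing to them requires administrative rights.
POLICY_ROOTS = [
    ("HKLM", r"Software\Policies"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies"),
    ("HKCU", r"Software\Policies"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies"),
]
APP_SUBKEY = r"Contoso\Viewer"                          # hypothetical application
PREFERENCE_KEY = ("HKCU", r"Software\Contoso\Viewer")   # user-writable, outside the policy keys

def winreg_reader(hive, key, name):
    """Read one value from the live registry (Windows only); None if absent."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, key) as handle:
            return winreg.QueryValueEx(handle, name)[0]
    except OSError:
        return None

def resolve_setting(name, default, read=winreg_reader):
    """Return (value, source). Policy beats preference; machine is checked before user."""
    for hive, root in POLICY_ROOTS:
        value = read(hive, root + "\\" + APP_SUBKEY, name)
        if value is not None:
            return value, f"policy:{hive}\\{root}"
    value = read(*PREFERENCE_KEY, name)
    if value is not None:
        return value, "preference"
    return default, "default"

def fake_registry(contents):
    """Dict-backed reader so the lookup order can be exercised off Windows."""
    return lambda hive, key, name: contents.get((hive, key, name))

# Constructed registry state: the user prefers printing on, machine policy turns it off.
SAMPLE = fake_registry({
    ("HKCU", r"Software\Contoso\Viewer", "PrintingEnabled"): 1,
    ("HKLM", r"Software\Policies\Contoso\Viewer", "PrintingEnabled"): 0,
})

if __name__ == "__main__":
    print(resolve_setting("PrintingEnabled", 1, read=SAMPLE))
```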


    Summary


    Group Policy-based management simplifies such tasks as deploying system updates, installing applications, setting user profiles, and managing desktops and systems. As a key component of the IntelliMirror management set of technologies, Group Policy extends administrative control and reduces redundant management tasks. As a result, existing IT resources can be used more efficiently, so administrative costs can be reduced across organizations.

    By implementing Group Policy, both small and large organizations benefit from the following:



    • Greater leverage of an organization’s Active Directory investment. Group Policy allows for centralized or decentralized management of policy options.

    • Flexible scope of management. Group Policy handles a wide range of management scenarios that can be applied in businesses from small to large. Support for scalable, one-to-many management of users and computers across the enterprise can increase IT productivity and reduce IT costs. Yet Group Policy also offers flexible, granular control of management tasks, enabling quick responses to changing business needs.

    • An integrated tool for managing policy. GPMC integrates other Active Directory administrative tools, such as the Active Directory Users and Computers and Active Directory Site and Services Manager snap-ins. Administrators can also delegate control of GPOs.

    • Ease of use. With an updated, more straightforward interface, GPMC is easy to use, a benefit that both reduces the learning curve and increases productivity for administrators. New scriptable interfaces provide command-line management as well.

    • Reliability and security. Administrators can define and enforce IT policies, increasing the reliability and security of the IT environment. After Group Policy has been established for groups of users and computers, administrators can rely on the system to enforce those policy settings. New support for backup, staging, and testing GPOs makes Group Policy even more reliable.

    • Central control of IT configurations. By using Group Policy to standardize the user computing environments, support costs are reduced while user productivity and satisfaction are increased.

    Together these advantages make Group Policy much easier to use and help IT organizations manage an enterprise more cost-effectively.

    Related Links


    See the following technical articles for more detail about Group Policy:

    • “Introduction to Windows 2000 Group Policy” at http://go.microsoft.com/fwlink/?LinkId=14958

    • “Enterprise Management with the Group Policy Management Console (GPMC)” at http://go.microsoft.com/fwlink/?LinkID=8630

    • “Administering Group Policy with GPMC” at http://go.microsoft.com/fwlink/?LinkId=14320

    • “Troubleshooting Group Policy” at http://go.microsoft.com/fwlink/?LinkId=14949

    • “Group Policy Infrastructure” at http://go.microsoft.com/fwlink/?LinkId=14950

    • “Migrating GPOs across Domains with GPMC” at http://go.microsoft.com/fwlink/?LinkId=14321

    • “Implementing Common Desktop Management Scenarios” at http://go.microsoft.com/fwlink/?LinkId=14951

    • “Implementing Registry-Based Group Policy” at http://go.microsoft.com/fwlink/?LinkId=15177

    See also the following resources for further information:

    • Group Policy Newsgroup at http://go.microsoft.com/fwlink/?LinkId=15390

    • Group Policy page on the TechNet Web site at http://www.microsoft.com/technet/grouppolicy

    • “Frequently Asked Questions about the Group Policy Management Console” page at http://go.microsoft.com/fwlink/?LinkId=14955

    • “Group Policy Settings Reference for Windows Server 2003” page with an Administrative Templates reference to download at http://go.microsoft.com/fwlink/?LinkId=15165

    For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.


