This article introduces Microsoft® Windows Server™ 2003 Group Policy, a key feature of the IntelliMirror™ management technologies. Administrators use Group Policy to define options for managing configuration of servers, desktops, and groups of users. This article is intended for IT administrators new to Group Policy and provides an overview of this technology and its new features in Windows Server 2003.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, Intellimirror, Windows, Windows Server, and Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
The Group Policy management solution in Microsoft® Windows Server™ 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory® directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows® XP Professional, and Windows Server 2003.
Through this Active Directory infrastructure and Group Policy, administrators can take advantage of policy-based management to do the following:
Enable one-to-many management of users and computers throughout the enterprise.
Automate enforcement of IT policies.
Simplify administrative tasks, such as system updates and application installations.
Consistently implement security settings across the enterprise.
Efficiently implement standard computing environments for groups of users.
Group Policy can be used to define user-related policies as well as security, networking, and other policies applied at the machine level. In addition, Group Policy enables management of domain controllers and member servers as well as desktop user machines.
The new Group Policy Management Console (GPMC) provides a unified, graphical user interface for deploying and managing Group Policy implementations and enables script-based management of Group Policy operations. In addition, Windows Server 2003 adds even greater administrative control to Group Policy, including more than 200 new policy settings for the operating system. Additionally, support for Windows Management Instrumentation (WMI) filters provides a greater degree of control over how Group Policy is applied to users and computers.
Group Policy and Active Directory are key components of the IntelliMirror® management technologies. Through these technologies, IT administrators can implement standard computing environments for groups of users and computers. As a result, IntelliMirror can significantly boost user productivity and satisfaction while increasing administrator efficiency and reducing IT costs.
This article is intended for IT administrators new to Group Policy. It provides an overview of Intellimirror, introduces Group Policy, and describes new Group Policy features introduced with Windows Server 2003.
Intellimirror Management Technologies
Administrators are tasked with helping to keep people productive as they use their computers for day-to-day work. Intellimirror eases this task. Intellimirror enables administrators to provide users with consistent access to their applications, application settings, and user data from any managed computer—even when users are disconnected from the network. Because users can maintain constant access to all their information and applications, they receive the assurance that their data is safely maintained and available from a server. For IT organizations, eliminating the need to manually configure user settings, install applications, and transfer user files reduces overhead.
IntelliMirror technologies combine the advantages of centralized computing with the performance and flexibility of distributed computing. Implemented as a set of Windows technologies, Intellimirror allows administrators to create standard computing environments for groups of users and computers. When fully deployed, IntelliMirror provides policy-based management of users’ desktops and servers. Through centrally defined policies based on users’ group memberships and location, machines running Windows–based server and client operating systems (Windows 2000 and later) are configured automatically to meet a specific user’s requirements each time he or she logs on to a network.
The following table highlights the benefits to users when Intellimirror is implemented and identifies the technologies that enable these features. IntelliMirror uses different features in both the server and client, and these features can be used either separately or together depending on the requirements of the environment.
Intellimirror Benefits and Technologies
Users can work with a consistent computing environment from any computer, such as when their desktop or laptop computer is unavailable. Users profiles are stored on a server so that the profile is available from any machine. In cases where users are not assigned a specific computer, hardware and administration costs are reduced as well, because users can log on to any available Intellimirror–managed computer and work in a familiar environment.
Roaming User Profiles
Enhancements to the Windows Shell
Group Policy Software Installation
Users can continue to work efficiently even when network connections are intermittent or even disconnected. Under these conditions, uninterrupted access to user and configuration data can be enabled. Intellimirror eases the IT task of implementing centralized backup of user files while satisfying need for these files to remain available on users’ computers.
Enhancements to the Windows Shell
Minimized Data Loss
IT organizations can enable centralized backup of user data and configuration files. Centralized backups ease the IT workload and satisfy users’ need for files to remain available on their computers.
Administrators can enable automated installation and repair of applications, reducing support costs by using Windows Installer to repair application installations automatically.
Windows Installer Service
Add/Remove Programs in Control Panel
Group Policy Software Installation
Group Policy Overview
Administrators can manage computers centrally through Active Directory and Group Policy. Using Group Policy to deliver managed computing environments allows administrators to work more efficiently because of the centralized, one-to-many management it enables. Measurements of total cost of ownership (TCO) associated with administering distributed personal computer networks reveal lost productivity for users as one of the major costs for corporations. Lost productivity is frequently attributed to user errors, such as modifying system configuration files and rendering a computer unworkable, or to complexity, such as the availability of nonessential applications and features on the desktop. Because Group Policy defines the settings and allowed actions for users and computers, it can create desktops that are tailored to users’ job responsibilities and level of experience with computers.
Defining Group Policy
Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings. These settings are specified through the Group Policy Object Editor tool (formally known as GPedit) and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers, such as sites, domains, or OUs as Figure 1 shows. In this way, Group Policy settings are applied to the users and computers in those Active Directory containers. Administrators can configure the users’ work environment once and rely on the system to enforce the policies as defined.
Figure 1. GPOs are applied to sites, domains, and the OUs beneath them. Here, OU1 is affected by GPO1, GPO2, and GPO3. OU2 is affected by all four GPOs.
Group Policy Capabilities
Through Group Policy, administrators define the policies that determine how applications and operating systems are configured and keep users and systems secure. The following sections describe the key features of Group Policy.
The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy. With the new Group Policy Management Console (GPMC), described later in this paper, and the Group Policy Object Editor, administrators can define registry-based policies for applications, the operating system, and its components. For example, an administrator can enable a policy setting that removes the Run command from the Start menu for all affected users.
Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO. Local computer, domain, and network security settings can be specified. For added protection, administrators can apply software restriction policies that prevent users from running files based on the path, URL zone, hash, or publisher criteria. Administrators can make exceptions to this default security level by creating rules for specific software.
To defend against viruses, unwanted applications, and attacks on computers running Windows XP and Windows Server 2003, Group Policy includes new software restriction policies. Administrators can now use policies to identify software running in a domain and control its ability to execute.
Software Distribution and Installation
Administrators can manage application installation, updates, and removal centrally with Group Policy. Because organizations can deploy and manage customized desktop configurations, they spend less money supporting users on an individual basis. Software an be either assigned to users or computers (mandatory software distribution) or published to users (allowing users to optional install software through Add/Remove Programs in the Control Panel). Users get the flexibility they need to do their jobs without having to spend time configuring their system on their own.
Administrators can use Group Policy to deploy approved packages. For example, in a highly managed desktop environment where users don’t have permission to install applications, the Windows Installer service can perform an installation on the user's behalf. In addition, for highly managed workstations, Windows Installer integrates with the software restriction policies implemented through Group Policy to restrict new installations to a list of acceptable software.
Computer and User Scripts
Roaming User Profiles and Redirected Folders
Roaming user profiles provide the ability to store user profiles centrally on a server and load them when a user logs on. As a result, users experience a consistent environment no matter which computer they use. Through folder redirection, important user folders, such as the My Documents and Start menu, can be redirected to a server-based location. Folder redirection allows centralized management of these folders and gives an IT group the capability to easily backup and restore these folders on behalf of users.
Enhancements in Windows Server 2003 provide more robust roaming capabilities and simplified folder redirection. Together, these features allow mobile users or those not assigned to a particular computer see a familiar desktop when they log on and locate needed folders. Administrators also can take advantage of roaming user profiles to replace computers more easily. When a user logs on to a new computer for the first time, the server copy of the user's profile is copied to the new computer. In addition, administrators can redirect users’ My Documents folder to their home directory, a new feature.
When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk. Users are assured access to critical information even when network connections are unstable or nonpermanent or when using a mobile computer. When users reconnect to their network, the client files and server files are synchronized, thereby keeping versions consistent and up-to-date.
Internet Explorer Maintenance
Administrators can manage and customize the configuration of Microsoft Internet Explorer on computers that support Group Policy. The Group Policy Object Editor includes the Internet Explorer Maintenance node, which administrators use to edit Internet Explorer security zones, privacy settings, and other parameters on a computer running Windows 2000 and later.
What’s New in Windows Server 2003 Group Policy
In Windows Server 2003, enhancements to Group Policy significantly improve the ability to plan, stage, deploy, manage, troubleshoot, and report on Group Policy implementations. The sections below describe key new features in the Group Policy infrastructure.
Unified Group Policy Management with the GPMC
The new Group Policy Management Console (GPMC) makes Group Policy much easier to manage Group Policy implementations. The GPMC provides a unified view of GPOs, sites, domains, and OUs across an enterprise and can be used to manage either Windows Server 2003 or Windows 2000 domains.
Before GPMC, administrators were required to use several tools to manage Group Policy. The GPMC integrates the existing Group Policy functionality exposed in these tools into a single console. Together with new features such as backup, restore, copy, and scriptable operations, the GPMC simplifies Group Policy deployments.
Integrated MMC Snap-In
The Microsoft Management Console (MMC) provides a Group Policy-centric view of an enterprise with administrative features integrated cleanly for increased ease of use. The MMC’s user interface describes GPOs and associated links in a more intuitive manner and integrates with an updated Group Policy Object Editor.
A rich HTML-based reporting environment for GPOs and their policy settings is included in GPMC.
Group Policy Results and Modeling
GPMC exposes Resultant Set of Policy (RSoP) data. First introduced in Windows XP, RSoP makes it easy for an administrator to determine the resulting set of policies for a given user or computer in both an actual and a what-if scenario. In GPMC, Group Policy Results displays the result of a query made directly against a computer/user. Group Policy Modeling enables what-if simulation of user/computer scenarios and can be an important tool when planning changes to a Group Policy implementation. Group Policy Modeling must be performed against a Windows Server 2003 domain controller.
Support for Backup, Staging, and Testing Group Policy Objects
GPMC includes backup and restore options for GPOs. Using this feature, administrators can maintain GPO templates—versions of GPOs for different configurations, such as highly managed desktops, laptops, Terminal Services on Windows Server 2003, Exchange Servers, and so on. New support for backup, copying, and importing GPOs lets administrators deploy configurations rapidly throughout an organization as needed, including between test and production environments and across forests..
Enhanced User Interface in the Group Policy Object Editor
Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking a policy displays text that explains its function and supported operating systems (the latter through a new Supported On tag).
Operations such as backup, restore, import, copy, and reporting of GPOs are fully scriptable, which lets administrators customize and automate management. Note that it is not possible to programmatically set individual policy settings within a GPO.
Support for Cross-forest Trusts
Administrators can manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface with drag-and-drop support. And with cross-forest trust, administrators can manage Group Policy across multiple forests from the same console.
Administrators can now specify, create, and edit a WMI-based query to filter the affect of a GPO. With WMI filters, administrator can determine the scope of GPOs dynamically based on attributes of a target computer. For example, a WMI filter can be defined to include all machines with more than 500 megabytes (MB) of free disk space. In addition, Group Policy Modeling in the GPMC includes a WMI option so that administrators can perform a what-if analysis based on WMI filtering properties.
New Policy Settings
Over 200 new policy settings in Windows Server 2003 extend functionality to include the Control Panel, error reporting, Terminal Services, Remote Assistance, networking and dial-up connections, network logon, Group Policy, roaming profiles, client DNS settings, and more. To manage these settings, the Administrative Templates node of the Group Policy snap-in is used.
Using Group Policy
Administrators use Group Policy and Active Directory together to define policy across sites, domains, and OUs according to the following rules:
GPOs are stored on a per-domain basis.
Multiple GPOs can be associated with a single site, domain, or OU.
Multiple sites, domains, or OUs can use a single GPO.
Any site, domain, or OU can be associated with any GPO, even across domains (although doing so slows performance).
The effect of a GPO can be filtered to target particular groups of users or computers based on membership in a security group or through WMI filters.
To set Group Policy for a selected Active Directory object, an administrator must have read and write permission to access the system volume of domain controllers (Sysvol folder) and to modify rights to the currently selected directory object. The system volume folder is created automatically when you install a domain controller (or promote a server to domain controller).
Administrators can configure specific desktop environments and enforce policy settings on groups of computers and users on the network as follows:
Computer Configuration. Computer-related policies specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the machine is rebooted and during a periodic refresh of Group Policy.
User Configuration. User-related policies specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer and during the periodic refresh of Group Policy.
Administering Group Policy
To deploy and manage Group Policy, administrators use GPMC and the Group Policy Object Editor.
The GPMC integrates the Group Policy functionality provided by the following tools into a single console:
Active Directory Users and Computers
Active Directory Sites and Services
Resultant Set of Policy MMC snap-in
Administrators can perform core Group Policy tasks using GPMC without the use of these other tools. Figure 2 shows the GPMC interface for an OU called Engineering – Offsite.
Figure 2. “Common Managed Settings” is a GPO linked to the Engineering – Offsite OU. This view of GPMC shows the scope of the GPO.
GPMC consists of a new Microsoft® Management Console (MMC) snap-in and a set of programmable interfaces for managing Group Policy. GPMC can be used to manage both Windows Server 2003 and Windows 2000 domains. In either case, the administrative computer on which the tool itself runs must be running one of the following:
Windows Server 2003.
Windows XP Professional with Service Pack 1 (SP1), plus an additional post-SP1 hotfix, and the Microsoft .NET Framework.
The GPMC is available as a free download to all Windows Server 2003 customers at the Microsoft Download Center.
Group Policy Object Editor (Previously GPEdit)
The Group Policy Object Editor is a tool that hosts MMC extension snap-ins used to manage policy settings. All functionality is provided by extension snap-ins. Administrators edit policy settings using the Group Policy Object Editor.
All policy settings created by the Group Policy Object Editor are stored in a GPO. The policy settings that an administrator provides with the Group Policy Object Editor do not take effect until the target system applies policy.
Group Policy Results and Modeling
The GPMC now integrates the planning and logging capabilities provided by the RSoP service with two new options:
Group Policy Results. This option displays the resultant set of policy that was applied to a given user and computer and works by directly communicating with the target machine to retrieve the appropriate RSoP data. In GPMC, administrators can read RSoP logging data for objects in a domain or organizational unit. Individual nodes represent different RSoP queries for a given user/computer combination. Group Policy Results data is supported only for computers running Windows XP or Windows Server 2003 and later.
Group Policy Modeling. This option displays simulations of the policy deployment for any user and computer in a domain. GPMC provides access to simulated RSoP data by calling a service running on a Windows Server 2003 domain controller. Each Group Policy Modeling simulation is displayed as an individual node within the GPMC snap-in. The modeling option is available only for a forest that has the Windows Server 2003 schema for Active Directory.
Applying Group Policy
Group Policy is applied in an inherited and cumulative fashion and affects all computers and users in an Active Directory container. Policy is applied when the computer starts up and when the user logs on. When a user turns on the computer, the system applies computer policy. When a user logs on interactively, the system loads the user's profile, then applies user policy. Policy is reapplied on a periodic basis, which an administrator can set by using the Group Policy Object Editor, and can also reapplied on demand.
When applying policy, the system queries the directory service for a list of GPOs to process. If a computer or user access has been denied access to a GPO, the system does not apply the specified policy settings. If access is permitted, the system applies the policy settings specified by the GPO.
Note: Application deployment and startup and logon scripts occur only during startup or interactive user logon, not on a periodic basis. Folder redirection occurs only during interactive logon. This prevents undesirable results, such as uninstalling or upgrading an application that is in use. However, registry-based policy settings and security policy settings are applied periodically.
Group Policy Scope of Management
The scope of Group Policy can extend from a single computer—that is, the local GPO that all computers include—to Active Directory sites, domains, and OUs. Each of these different targeting options is called a scope of management (SOM). For example, a GPO might be linked to an Active Directory site to specify policy settings for proxy settings and network-related settings that are specific to that site. A GPO becomes useful only after it is linked to a SOM—the settings in the GPO are then applied according to the scope.
GPOs are processed in the order of local, site, domain, and then OU as Figure 3 shows. As a result, a computer or user receives the policy settings of the last Active Directory container processed—that is, a policy applied later overwrites policy applied earlier.
Figure 3. Here, the Marketing OU inherits GPO1, GPO2, GO3, and GPO5, while the Servers OU inherits GPO1, GPO2, GPO3, GPO4, and GPO6.
Applying Security and WMI Filters to GPOs
GPOs can be applied to Active Directory objects with greater precision through filtering. By default, a GPO affects all computers and users in a linked Active Directory container. However, administrators can filter Group Policy based on membership in security groups by setting discretionary access control list (DACL) permissions. They can also filter based on Windows Management Instrumentation (WMI) properties. With WMI, administrators can determine whether to apply a GPO to a specific computer or user based on its WMI properties. WMI filtering can be applied to either Windows Servers 2003 or Windows XP Professional machines (Windows 2000 machines ignore a WMI filter and apply the GPO regardless).
The combination of targeting of GPOs through SOM and selective filtering through security groups and WMI filtering gives administrators significant flexibility. They can decide which users and computers receive and are affected by Group Policy.
Developing Applications to Use Group Policy
Applications can be developed to take advantage of the most common type of policy setting, namely registry-based policy. For example, a programmer can create a component that includes “available” and “unavailable” functionality based on registry-based policy. Administrators then have a well-defined and simple process: They can use the GPMC to turn functionality on or off by for all affected users and computers. This type of policy is implemented using a built in registry client-side extension on every Group Policy client to process the data and manage the appropriate registry keys. Registry-based policy settings are stored in one of four secure Group Policy keys, which cannot be modified without administrative rights on the machine.
For more information, see the Implementing Registry-Based Group Policy article at http://www.microsoft.com/windows2000/techinfo/howitworks/management/rbppaper.asp.
Group Policy-based management simplifies such tasks as deploying system updates, installing applications, setting user profiles, and managing desktops and systems. As a key component of the Intellimirror management set of technologies, Group Policy extends administrative control and reduces redundant management tasks. As a result, existing IT resources can be used more efficiently, so administrative costs can be reduced across organizations.
Greater leverage of an organization’s Active Directory investment. Group Policy allows for centralized or decentralized management of policy options.
Flexible scope of management. Group Policy handles a wide range of management scenarios that can be applied in businesses from small to large. Support for scalable, one-to-many management of users and computers across the enterprise can increase IT productivity and reduce IT costs. Yet Group Policy also offers flexible, granular control of management tasks, enabling quick responses to changing business needs.
An integrated tool for managing policy. GPMC integrates other Active Directory administrative tools, such as the Active Directory Users and Computers and Active Directory Site and Services Manager snap-ins. Administrators can also delegate control of GPOs.
Ease of use. With an updated, more straightforward interface, GPMC is easy to use, a benefit that both reduces the learning curve and increases productivity for administrators. New scriptable interfaces provide command-line management as well.
Reliability and security. Administrators can define and enforce IT policies, increasing the reliability and security of the IT environment. After Group Policy has been established for groups of users and computers, administrators can rely on the system to enforce those policy settings. New support for backup, staging, and testing GPOs makes Group Policy even more reliable.
Central control of IT configurations. By using Group Policy to standardize the user computing environments, support costs are reduced while user productivity and satisfaction are increased.
Together these advantages make Group Policy much easier to use and help IT organizations manage an enterprise more cost-effectively.
See the following technical articles for more detail about Group Policy:
“Introduction to Windows 2000 Group Policy” at http://go.microsoft.com/fwlink/?LinkId=14958
“Enterprise Management with the Group Policy Management Console (GPMC)” at http://go.microsoft.com/fwlink/?LinkID=8630
“Administering Group Policy with GPMC” at http://go.microsoft.com/fwlink/?LinkId=14320
“Troubleshooting Group Policy” at http://go.microsoft.com/fwlink/?LinkId=14949
“Group Policy Infrastructure” at http://go.microsoft.com/fwlink/?LinkId=14950
“Migrating GPOs across Domains with GPMC” at http://go.microsoft.com/fwlink/?LinkId=14321
“Implementing Common Desktop Management Scenarios” at http://go.microsoft.com/fwlink/?LinkId=14951
“Implementing Registry-Based Group Policy” at http://go.microsoft.com/fwlink/?LinkId=15177
See also the following resources for further information:
Group Policy Newsgroup at http://go.microsoft.com/fwlink/?LinkId=15390
Group Policy page on the TechNet Web site at http://www.microsoft.com/technet/grouppolicy
“Frequently Asked Questions about the Group Policy Management Console” page at http://go.microsoft.com/fwlink/?LinkId=14955
“Group Policy Settings Reference for Windows Server 2003” page with an Administrative Templates reference to download at http://go.microsoft.com/fwlink/?LinkId=15165
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.