This paper describes Group Policy, one of the key IntelliMirror® management technologies provided for change and configuration management in Microsoft® Windows® 2000 operating system. Administrators use Group Policy to specify options for managed configurations for groups of computers and users. Group Policy includes options for registry-based policy settings, security settings, software installation, scripts, folder redirection, Remote Installation Services, and Internet Explorer maintenance.
This paper is intended for information technology managers and system administrators who are interested in using Group Policy to manage users’ desktop environments.
© 2000 Microsoft Corporation. All rights reserved.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Microsoft, Windows, IntelliMirror, Jscript. Active Directory, Visual C++, MS-DOS, Visual Basic, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Microsoft Corporation • One Microsoft Way • Redmond, WA 98052-6399 • USA
0700
Introduction 1
Introduction 1
Administrative Requirements for Using Group Policy 1
What this Paper Contains 1
Overview of Group Policy Infrastructure and Mechanics 2
Overview of Group Policy Infrastructure and Mechanics 2
Linking Group Policy Objects to Active Directory Containers 3
Group Policy Hierarchy 4
Using Security Groups to Filter the Scope of the Group Policy Object 6
MMC Snap-in Extension Model 8
Group Policy Snap-in Namespace 8
Delegating Group Policy 13
Delegating Group Policy 13
Using Security Groups to Delegate Group Policy 14
Specifying Group Policy to Control the Behavior of MMC extensions 17
Group Policy Extension Snap-ins 20
Group Policy Extension Snap-ins 20
Administrative Templates 20
Security Settings 23
Software Installation 27
Scripts 27
Folder Redirection 31
Internet Explorer Maintenance 31
Remote Installation Services 33
Extending the Group Policy Functionality 35
Group Policy Processing 35
Group Policy Processing 35
Initial Processing of Group Policy 35
Background refresh of Group Policy 36
Slow Links and Remote Access Issues 38
Client-side Processing of Group Policy 40
Server Processing 43
Specifying a Domain Controller for Setting Group Policy 44
Specifying a Domain Controller for Setting Group Policy 44
Specifying a Domain Controller for Group Policy Editing by Using Preferences 44
Specifying a Domain Controller by Using Policy 45
Local Group Policy 48
Local Group Policy 48
Local Group Policy Object 48
Starting the Group Policy Snap-in on Windows 2000 Professional 49
Using the Group Policy Snap-in Focused on a Remote Computer 49
Local Group Policy Object Processing 50
Group Policy Loopback Support 51
Group Policy Loopback Support 51
Policy Settings for Group Policy 52
Policy Settings for Group Policy 52
Specifying Policy Settings for Group Policy 52
Group Policy and Active Directory Sites 57
Group Policy and Active Directory Sites 57
Setting up Group Policy on a Site 57
Design Considerations for Organizational Unit Structure and Use of Group Policy Objects 61
Design Considerations for Organizational Unit Structure and Use of Group Policy Objects 61
OU Structure 62
Design Principles 63
Design Examples 66
IntelliMirror Features without Active Directory 73
IntelliMirror Features without Active Directory 73
Roaming User Profiles and Logon Scripts 74
Folder Redirection 74
Internet Explorer Maintenance 74
Applying Administrative Templates (Registry-Based Policy) 74
Migrating Policy-Enabled Clients from Windows NT 4.0 to Windows 2000 78
Migrating Policy-Enabled Clients from Windows NT 4.0 to Windows 2000 78
Windows NT 4.0 and Windows 2000 Policy Comparison 78
Migrating to Windows 2000 80
Windows NT 4.0 Clients 83
Zero Administration Kit (ZAK) for Windows to Windows 2000 Upgrades 84
Appendix A: Security Settings and User Rights 88
Appendix A: Security Settings and User Rights 88
Security Settings in the Default Domain Controllers Policy 90
Help for Windows NT 4.0 Administrators 93
Frequently Asked Questions about Security Settings 94
Appendix B: Group Policy Settings for Internet Explorer 96
Appendix B: Group Policy Settings for Internet Explorer 96
Specifying Policy Settings for Internet Explorer Maintenance 96
Appendix C: Group Policy Storage 104
Appendix C: Group Policy Storage 104
Group Policy Container 104
Group Policy Template 104
Registry.pol Files 108
Appendix D: Windows NT 4.0, Zero Administration Kit, and Windows 2000 Namespace Comparison 111
Appendix D: Windows NT 4.0, Zero Administration Kit, and Windows 2000 Namespace Comparison 111
Appendix E: Frequently Asked questions 117
Appendix E: Frequently Asked questions 117
Infrastructure - Server side 117
Infrastructure - Client side 119
Group Policy Snap-in 121
General Issues 121
Glossary 123
Glossary 123
For More Information 130
For More Information 130
Management and Overview Papers 130
Technical Papers 132
