Group Policy Objects store information in two locations: a Group Policy Container and a Group Policy Template.
Group Policy Container
The Group Policy Container (GPC) is an Active Directory container that stores Group Policy Object properties; it includes sub-containers for computer and user Group Policy information. The Group Policy Container has the following properties:
Version information. A counter of the changes made to the GPO; it is compared with the version recorded in the Group Policy Template to ensure that the two are synchronized.
Status information. This indicates whether the Group Policy Object is enabled or disabled.
List of components (extensions) that have settings in the Group Policy Object.
File System path. The UNC path to the Sysvol folder.
Functionality version. This is the version of the tool that created the GPO. Currently, this is version 1.
For example, the Group Policy Container stores information used by the Software Installation snap-in to describe the state of the software available for installation. This data repository contains data for all applications, interfaces, and APIs that provide for application publishing and assigning.
Group Policy Template
Group Policy Objects also store Group Policy information in a folder structure called the Group Policy Template (GPT) that is located in the System Volume folder of domain controllers (Sysvol) in the \Policies sub-folder. The Group Policy Template is the container where Security Settings, Administrative Template-based policies, applications available for Software Installation, and script files are stored.
When you modify a GPO, the directory name given to the Group Policy Template is the GUID of the Group Policy Object that you modified. For example, assume that you modified a GPO associated with a domain called Seattle. The resulting GPT folder would be named as follows (the GUID is an example):
%systemroot%\sysvol\sysvol\Seattle.yourcompanyname.com\Policies\{47636445-af79-11d0-91fe-080036644603}
where the second sysvol folder is the one shared as SYSVOL. (By default, the Sysvol folder is created under %systemroot%.)
Gpt.ini File
At the root of each Group Policy Template folder is a file called Gpt.ini. For local Group Policy Objects, the Gpt.ini file stores information indicating the following:
Which client-side extensions of the Group Policy snap-in contain User or Computer data in the Group Policy object.
Whether the User or Computer portion is disabled.
Version number of the Group Policy snap-in extension that created the Group Policy Object.
For the local GPO, the Gpt.ini file contains the following entries:
[General]
gPCUserExtensionNames //A list of GUIDs that tells the client-side engine which client-side extensions have User data in the GPO.
The format is [{GUID of client-side extension}{GUID of MMC extension}{GUID of second MMC extension, if appropriate}], with one bracketed group per client-side extension.
gPCMachineExtensionNames //A list of GUIDs, in the same format, that tells the client-side engine which client-side extensions have Machine data in the GPO.
Options //GPO options, such as User portion disabled or Machine portion disabled.
gPCFunctionalityVersion //The version number of the Group Policy extension tool that created the Group Policy Object.
Gpt.ini for Active Directory GPOs
For Active Directory-based GPOs, the extension lists, options, and functionality version are stored in the Group Policy Container in Active Directory, and the Gpt.ini file contains only the following entries:
Version=0 //Version number of the Group Policy Object
DisplayName //Display name of the GPO
Local Group Policy Objects
A local Group Policy Object exists on every computer, and by default it contains only security policy (that is, other types of policy settings are not configured by default). The local GPO is stored in %systemroot%\System32\GroupPolicy, and it has the following ACL permissions:
Administrators: full control
Operating system (SYSTEM): full control
Users: read
Group Policy Template Subfolders
The Group Policy Template folder contains the following subfolders:
User. Includes a Registry.pol file that contains the registry settings to be applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and applied to the HKEY_CURRENT_USER portion of the registry.
The User folder may contain the following subfolders (depending on the GPO contents):
Applications. Contains the advertisement files (.aas files) used by the Windows installer. These are applied to users.
User Documents and Settings. Contains the Fdeploy.ini file, which includes status information about the Folder Redirection options for the current user’s special folders.
Microsoft\RemoteInstall. Contains the OSCfilter.ini file, which holds user options for operating system installation through Remote Installation Services.
Microsoft\IEAK. Contains settings for the Internet Explorer Maintenance snap-in.
Scripts\Logon. Contains all the user logon scripts and related files for this Group Policy object.
Scripts\Logoff. Contains all the user logoff scripts and related files for this Group Policy object.
Machine. Includes a Registry.pol file that contains the registry settings to be applied to computers. When a computer initializes, this Registry.pol file is downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry.
The Machine folder may contain the following subfolders (depending on the GPO):
Scripts\Startup. Contains the scripts that are to run when the computer starts up.
Scripts\Shutdown. Contains the scripts that are to run when the computer shuts down.
Applications. Contains the advertisement files (.aas files) used by the Windows installer. These are applied to computers.
Microsoft\Windows NT\Secedit. Contains the Gpttmpl.inf file, which includes the default security configuration settings for a Windows 2000 domain controller.
Adm. Contains all of the .adm files for this Group Policy object.
The User and Machine folders are created at install time, and the other folders are created as needed when policy is set.
Registry.pol Files
The Administrative Templates extension of the Group Policy snap-in saves its settings in the Group Policy Template as binary files called Registry.pol. These files contain the customized registry settings that you specify (by using the Group Policy snap-in) to be applied to the Machine (HKEY_LOCAL_MACHINE) or User (HKEY_CURRENT_USER) portion of the registry.
Two Registry.pol files are created and stored in the Group Policy Template: one for Computer Configuration, stored in the \Machine subdirectory, and one for User Configuration, stored in the \User subdirectory.
Note: The format of the Registry.pol files in the Group Policy Template differs from that of the policy files used by previous versions of Windows NT and Windows 95. Ntconfig.pol or Config.pol files created by Windows NT 4.0 and Windows 95 can be applied only to the operating system on which they were created.
The Windows 2000 Registry.pol file consists of a header and registry values.
The header contains version information and signature data, both DWORD values:
REGFILE_SIGNATURE 0x67655250
REGISTRY_FILE_VERSION 00000001 (increments each time the file format changes)
The registry values begin with an opening bracket ([) and end with a closing bracket (]):
[key;value;type;size;data]
where:
Key is the path to the registry key to use for the category. Do not include HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER in the registry path; the location of the file (\Machine or \User) determines which of these hives is used.
Value is the name of the registry value. The following names have special meaning in this field. Each is written as a value of the associated key, and the data field carries its argument:
**DeleteKeys—a semicolon-delimited list of subkeys to delete. For example, a value named **DeleteKeys with the data NoRun;NoFind.
**DeleteValues—a semicolon-delimited list of values to delete.
**Del.valuename—deletes the single value named valuename.
**DelVals—deletes all values in the key.
Type is a data type. The field can be any of the standard registry value types, for example:
REG_DWORD
REG_EXPAND_SZ
REG_SZ
Note that although the file format supports all the registry data types (such as REG_MULTI_SZ), the Administrative Templates node does not support these registry types: REG_BINARY, REG_MULTI_SZ.
Size is the size of the data field in bytes. For example, 4.
Data is the raw information. For example, 4 bytes of data 0x00000001.
It is possible that the valuename, type, data, and size could be missing or 0. In this case, only the key should be created.
This pattern of [] entries continues until the end of the file.
To summarize, the special value names used for deleting keys and values are:
**DeleteKeys // Semicolon-delimited list of keys to delete. For example: value **DeleteKeys, type REG_SZ, data NoRun;NoFind.
**DeleteValues // Semicolon-delimited list of values to delete. Used as a value of the designated key.
**Del.valuename // Deletes a single value name. Used as a value of the designated key.
**DelVals // Deletes all values in a key. Used as a value of the designated key.
The Registry.pol file contains data to be written to the registry based on the settings specified with the Group Policy snap-in, and the names of any scripts and their command lines (in the form of registry keys and values).
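The record layout described above, as a small Python reader and writer. This is an added example for this section, not code from the paper or from Microsoft. It builds a Registry.pol from a list of (key, value, type, data) records, parses one back while refusing any file whose signature or version is not the one documented above, and classifies each record the way the client-side engine treats it, including the **Delete names. The sample records at the bottom are constructed for the illustration; the Explorer key and the NoRun/NoFind names follow the paper's own example. One assumption not stated in the paper is marked in a comment: some writers emit **DelVals with a trailing dot, so the classifier matches on the prefix.

```python
# Build and parse Registry.pol files (the Administrative Templates store kept
# under \Machine and \User in a Group Policy Template). Added example; not code
# from the paper. Layout: DWORD signature 0x67655250 ("PReg" little-endian),
# DWORD version 1, then [key;value;type;size;data] records whose brackets,
# semicolons and strings are UTF-16LE and whose type and size are DWORDs.
import struct

REGFILE_SIGNATURE = 0x67655250      # b"PReg" read as a little-endian DWORD
REGISTRY_FILE_VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

def _w(s):
    """UTF-16LE without terminator: used for the [ ; ] delimiters."""
    return s.encode("utf-16-le")

def _wz(s):
    """UTF-16LE with the two-byte NUL terminator: used for key and value names."""
    return s.encode("utf-16-le") + b"\x00\x00"

def encode_data(rtype, data):
    """Encode a Python value as the record's raw data field."""
    if rtype == REG_DWORD:
        return struct.pack("<I", data)
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return _wz(data)
    if rtype == REG_MULTI_SZ:
        return b"".join(_wz(s) for s in data) + b"\x00\x00"
    return bytes(data)              # REG_BINARY, or a key-only record with no data

def decode_data(rtype, raw):
    """Inverse of encode_data; unknown types come back as raw bytes."""
    if rtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw

def build_pol(entries):
    """entries: iterable of (key, value_name, type, data) -> bytes of a Registry.pol file."""
    out = bytearray(struct.pack("<II", REGFILE_SIGNATURE, REGISTRY_FILE_VERSION))
    for key, value, rtype, data in entries:
        raw = encode_data(rtype, data)
        out += _w("[") + _wz(key) + _w(";") + _wz(value) + _w(";")
        out += struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(raw)) + _w(";")
        out += raw + _w("]")
    return bytes(out)

def _expect(blob, pos, ch):
    """Require the UTF-16LE delimiter ch at pos; return the position after it."""
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def _read_wz(blob, pos):
    """Read a NUL-terminated UTF-16LE string, scanning one code unit at a time."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    """Parse a Registry.pol file into (key, value_name, type, data) tuples."""
    if len(blob) < 8:
        raise ValueError("truncated header")
    sig, ver = struct.unpack_from("<II", blob, 0)
    if sig != REGFILE_SIGNATURE:
        raise ValueError("bad signature 0x%08x" % sig)
    if ver != REGISTRY_FILE_VERSION:
        raise ValueError("unsupported file version %d" % ver)
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wz(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wz(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype, = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        size, = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        raw = blob[pos:pos + size]
        if len(raw) != size:
            raise ValueError("data field runs past end of file")
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value, rtype, decode_data(rtype, raw)))
    return entries

def describe(entry):
    """Map one record to the operation the client-side engine performs for it."""
    key, value, rtype, data = entry
    if value == "**DeleteKeys":
        return ("delete_keys", key, data.split(";"))
    if value == "**DeleteValues":
        return ("delete_values", key, data.split(";"))
    if value.startswith("**Del."):
        return ("delete_value", key, value[len("**Del."):])
    if value.startswith("**DelVals"):      # assumption: some writers append a trailing dot
        return ("delete_all_values", key, None)
    if value == "" and rtype == 0:          # empty value, type, size, data: create the key only
        return ("create_key", key, None)
    return ("set_value", key, (value, rtype, data))

# Constructed sample, mirroring the paper's NoRun/NoFind example; not taken from a real GPO.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_ENTRIES = [
    (EXPLORER, "NoRun", REG_DWORD, 1),
    (EXPLORER, "**DeleteValues", REG_SZ, "NoFind;NoClose"),
    (r"Software\Policies\Example", "", 0, b""),
]
```

Running parse_pol over the Registry.pol under \Machine and \User of every GPT in SYSVOL lists exactly which registry values each GPO sets or deletes, which is where an unauthorized GPO change first becomes visible. The parser checks every delimiter and the declared size rather than guessing, so a truncated or hand-edited file fails loudly instead of yielding a partial record list.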
How Registry.pol Files Are Created
The following steps outline how Registry.pol files are formed:
When you start the Group Policy snap-in, a temporary registry tree is created that consists of two nodes: USER and MACHINE.
As you navigate the Administrative Templates node of the Group Policy snap-in, .adm file nodes are displayed. The .adm files within the Group Policy snap-in nodes are loaded dynamically when a particular node is selected, and the .adm file is then cached.
When a policy is selected in the details pane (the right side of the MMC console window), the temporary registry is queried to determine whether the selected policy already has registry values assigned to it; if it does, those values are displayed in the Policy dialog box.
If the selected policy does not have a registry value assigned to it, the default value from the .adm file or from the associated MMC snap-in extension is used.
After you modify a policy, the registry values that you specify are written to the appropriate portion of the temporary registry (either MACHINE or USER).
When you close the Group Policy snap-in, the temporary registry hives are exported to the Registry.pol files in the appropriate folders of the Group Policy Template.
The next time you start the Group Policy snap-in for the same Group Policy Object for which you have previously set Group Policy settings, the registry information from the corresponding Registry.pol files is imported into the temporary registry tree. Therefore, when you view the policies, they reflect the current state.
Appendix D: Windows NT 4.0, Zero Administration Kit, and Windows 2000 Namespace Comparison
The following tables list comparisons of the Windows NT 4.0, the Zero Administration Kit (ZAK), and the Windows 2000 policy-related namespace.
The following notation is used in the tables:
P = Policy
SYS = not in Administrative Templates (system configured)
N/A = not available
Default User

Policy option (Windows NT 4.0 and ZAK namespace) | Windows 2000 namespace | Type | Notes
Control Panel\Display\Restrict Display\ | User Configuration\Administrative Templates\Control Panel\Display | |
  Deny access to display icon | Prohibit user from running Display control panel | P |
  Hide Background Tab | Same | P |
  Hide Screen Saver Tab | Same | P |
  Hide Appearance Tab | Same | P |
  Hide Settings Tab | Same | P |
Desktop\Wallpaper | | |
  Wallpaper Name | N/A | |
  Tile Wallpaper | N/A | |
Desktop\Color Scheme | | |
  Scheme name | N/A | |
Shell\Restrictions | | |
  Remove Run command from Start menu | User Configuration\Administrative Templates\Start Menu & Task Bar | P |
  Remove folders from Settings on Start menu | User Configuration\Administrative Templates\Start Menu & Task Bar | P |
  Remove Taskbar from Settings on Start menu | User Configuration\Administrative Templates\Start Menu & Task Bar | P | Disable changes to Task Bar and Start menu settings.
  Remove Find command from Start menu | User Configuration\Administrative Templates\Start Menu & Task Bar | P | Remove Search menu from Start menu.
  Hide drives in My Computer | User Configuration\Administrative Templates\Windows Components\Explorer | P | Hide these specified drives in My Computer.
  Hide Network Neighborhood | User Configuration\Administrative Templates\Desktop | P | My Network Places.
  No Entire Network in Network Neighborhood | User Configuration\Administrative Templates\Windows Components\Explorer | P | My Network Places.
  No Workgroup contents in Network Neighborhood | User Configuration\Administrative Templates\Windows Components\Explorer | P | My Network Places.
  Hide all items on Desktop | User Configuration\Administrative Templates\Desktop | P |
  Disable Shut Down command | User Configuration\Administrative Templates\Start Menu & Task Bar; User Configuration\Administrative Templates\System\Logon/Logoff | P | Disable shutdown; Remove shutdown.
  Don't save settings at exit | User Configuration\Administrative Templates\Desktop | P |
System\Restrictions | User Configuration\Administrative Templates\System | |
  Disable Registry editing tools | Same | P |
  Run only allowed Windows applications | Same | P |
Windows NT Shell\Custom User Interface | | |
  Custom Shell | N/A | | Shell name.
Windows NT Shell\Custom Folders | | |
  Custom Programs Folder | N/A | |
  Custom Desktop Icons | User Configuration\Windows Settings\Folder Redirection\Desktop | SYS |
  Hide Start menu subfolders | N/A | |
  Custom Startup Folder | N/A | |
  Custom Network Neighborhood | N/A | | Called "My Network Places folder" in Windows 2000.
  Custom Start menu | User Configuration\Windows Settings\Folder Redirection\Start Menu | SYS |
Windows NT Shell\Restrictions | | |
  Only use approved Shell extensions | User Configuration\Administrative Templates\Windows Components\Windows Explorer | P |
  Remove File menu from Explorer | User Configuration\Administrative Templates\Windows Components\Windows Explorer | P | Disable File menu in Shell folders.
  Remove common program groups from Start menu | User Configuration\Administrative Templates\Start Menu & Task Bar | P | Hide versus Remove.
  Disable Context Menus for the Taskbar | User Configuration\Administrative Templates\Start Menu & Task Bar | P |
  Disable Explorer's default context menu | User Configuration\Administrative Templates\Windows Components\Explorer | P | Disable context menu in Shell folders.
  Remove the Map Network Drive and Disconnect Network Drive options | User Configuration\Administrative Templates\Windows Components\Explorer | P | Disable net connections/disconnections.
  Disable link file tracking | N/A; see User Configuration\Administrative Templates\Windows Components\Explorer | P | Do not involve the domain controller with distributed link tracking; Do not track shell shortcuts during roaming.
Windows NT System | User Configuration\Administrative Templates\System\Logon/Logoff | |
  Parse Autoexec.bat | N/A | |
  Run logon scripts synchronously | Computer Configuration\Administrative Templates\System\Logon | P | Many others added for Windows 2000.
  Disable Task Manager | Same | P |
  Show welcome tips at logon | N/A | |
ZAK Policies\Windows NT\User Profiles through System Policies | | |
  AppData Folder | User Configuration\Windows Settings\Folder Redirection | SYS | Custom Application Folder.
  Favorites Folder | N/A | |
  NetHood Folder | User Configuration\Windows Settings\Folder Redirection\ | |
  PrintHood Folder | N/A | |
  Recent Folder | N/A | |
  SendTo Folder | N/A | |
Internet Explorer Security\Active Content | Many new Internet Explorer policies in User Configuration\Administrative Templates\Windows Components\Internet Explorer | |
  Allow download of ActiveX content | N/A | |
  Enable ActiveX Controls and Plug-ins | N/A | |
  Run ActiveX scripts | N/A | |
  Enable Java Programs | N/A | |
Internet Explorer Security\Active Content Security Level | | |
  Select Security Level | N/A | |
Drives\Restrictions\Show only selected drives | | |
  Choose drives that will be shown | User Configuration\Administrative Templates\Windows Components\Windows Explorer | P | Hide these specified drives in My Computer.
ZAK Policies\Windows\Load | | |
  Enter Program to be Run on Startup | N/A | |

Default Computer

Policy option (Windows NT 4.0 and ZAK namespace) | Windows 2000 namespace | Type | Notes
Network\System policies update\Remote update | | |
  Update mode | N/A | |
  Path for manual update | N/A | |
  Display error messages | N/A | |
  Load balancing | N/A | |
System\SNMP | | |
  Communities | N/A | |
  Permitted managers | N/A | |
  Traps for Public community | N/A | |
System\RUN | | |
  Items to run at startup | N/A | |
Windows NT Network\Sharing | | |
  Create hidden drive shares (workstation) | N/A | |
  Create hidden drive shares (server) | N/A | |
Windows NT Printers | | |
  Disable browse thread on this computer | N/A | |
  Scheduler priority | N/A | |
  Beep for error enabled | N/A | |
Windows NT Remote Access | | |
  Max number of unsuccessful authentication retries | N/A | |
  Max time limit for authentication | N/A | |
  Wait interval for callback | N/A | |
  Auto Disconnect | N/A | |
Windows NT Shell\Custom shared folders | | |
  Custom shared Programs folder | N/A | |
  Custom shared desktop icons | N/A | |
  Custom shared Start menu | N/A | |
  Custom shared Startup folder | N/A | |
Windows NT System\Logon | | |
  Logon banner (Caption, Text) | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | SYS | Message text for users attempting to log on; Message title for users attempting to log on.
  Enable shutdown from Authentication dialog box | User Configuration\Administrative Templates\Start Menu & Task Bar | P | Disable/Remove the Shutdown Command.
  Do not display last logged on user name | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | SYS | Do not display last user name in logon screen.
  Run logon scripts synchronously | Computer Configuration\Administrative Templates\System\Logon\ | P |
Windows NT System\File System | | |
  Do not create 8.3 file names for long file names | N/A | |
  Allow extended characters in 8.3 file names | N/A | |
  Do not update last access time | N/A | |
Windows NT User Profiles | Computer Configuration\Administrative Templates\Logon\ | |
  Delete cached copies of roaming profiles | Same | P |
  Automatically detect slow network connections | Automatically detect slow network connections for user profiles | P |
  Slow network connection time-out | Same | P |
  Time-out for dialog boxes | Same | P |
Appendix E: Frequently Asked questions
This section presents frequently asked questions on Group Policy.
Infrastructure - Server side
Is it possible to set up individual computer or user policies?
You cannot set up any Group Policy directly on a computer or user object; a Group Policy object can only be associated with sites, domains, and organizational units. To apply a GPO to a subset of users or computers (or even a single user or computer) within a site, domain, or OU, you can use security filtering.
For information on filtering Group Policy, see the section in this document on Using Security Groups to Filter the Scope of the Group Policy Object.
What are the inheritance rules for Group Policy and the Active Directory?
Group Policy is processed in the following order: Local Group Policy object, site, domain, OU, and additional child OUs. This means that the local Group Policy object is processed first, and the OU to which the computer or user belongs (the one that it is a direct member of) is processed last. All of this is subject to the following exceptions:
Any domain-based Group Policy object (not local GPO) may be enforced by using the No Override option so that its policies cannot be overwritten. When more than one GPO has been marked as enforced, the GPO that is highest in the Active Directory hierarchy takes precedence.
At any site, domain, or OU, Group Policy inheritance may be selectively designated as Block Inheritance. However, blocking inheritance does not prevent policy from No Override GPOs from applying; this is because enforced GPOs are always applied, and cannot be blocked.
If you apply policies to an OU that contains only groups (of any kind) and no users, are the policies applied to the members of the group?
No, Group Policy Objects (GPOs) are applied only to the users and computers that are members of the organizational unit. A different mechanism is used to filter the effect of GPOs, based on membership in security groups. The preceding question addresses this issue.
Can you apply a GPO directly to a security group?
No, GPOs are applied only to the users and computers that are members of a site, domain, or organizational unit (SDOU). However, you can filter the scope of a GPO based on membership of those users in a security group, by adjusting the discretionary access control list (DACL) permissions for that group on the GPO. This design was chosen for performance reasons.
You can also filter the scope of a GPO on a site, domain, or OU by using the Security tab on the GPO Properties page to set DACL permissions and selecting an access control entry called Apply Group Policy.
For more information, see Using Security Groups to Filter the Scope of the Group Policy Object at the beginning of this document.
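The filtering rule in the two answers above, worked as a small access check. This is an added example, not code from the paper. It models a GPO DACL as a list of allow and deny entries, computes the rights a token's SIDs end up with, and treats the GPO as applying only when both Read and Apply Group Policy survive. The ACL model is deliberately simplified (explicit entries only; any matching Deny removes the right). filter_to_group removes only the Apply Group Policy grant for Authenticated Users and leaves their Read grant in place, which later Microsoft guidance (after the MS16-072 change in 2016) requires because the computer account must still be able to read user-side GPOs. The well-known SIDs are real; the two domain group SIDs are constructed for the illustration.

```python
# Security filtering of a GPO modelled as an access check. Added example, not
# code from the paper; simplified DACL semantics (explicit ACEs, Deny wins).
from collections import namedtuple

Ace = namedtuple("Ace", "kind sid rights")    # kind: "allow" | "deny"; rights: frozenset

READ, APPLY = "Read", "Apply Group Policy"
AUTHENTICATED_USERS = "S-1-5-11"              # well-known SID
ADMINISTRATORS = "S-1-5-32-544"               # well-known SID
SYSTEM = "S-1-5-18"                           # well-known SID
FULL = frozenset({READ, "Write", "Create All Child Objects", "Delete All Child Objects"})

def default_dacl():
    """The out-of-the-box GPO DACL: Authenticated Users hold Read and Apply Group Policy."""
    return [
        Ace("allow", AUTHENTICATED_USERS, frozenset({READ, APPLY})),
        Ace("allow", ADMINISTRATORS, FULL),
        Ace("allow", SYSTEM, FULL),
    ]

def effective_rights(dacl, token_sids):
    """Union of the Allow entries that match the token, minus anything a matching Deny removes."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.sid in token_sids:
            (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return allowed - denied

def gpo_applies(dacl, token_sids):
    """True when the GPO is processed for a principal whose token carries these SIDs."""
    return {READ, APPLY} <= effective_rights(dacl, token_sids)

def filter_to_group(dacl, group_sid):
    """Narrow the GPO to one group: drop Authenticated Users' Apply grant, keep their Read, grant the group both."""
    out = []
    for ace in dacl:
        if ace.kind == "allow" and ace.sid == AUTHENTICATED_USERS:
            ace = ace._replace(rights=ace.rights - {APPLY})
        out.append(ace)
    out.append(Ace("allow", group_sid, frozenset({READ, APPLY})))
    return out

def exempt_group(dacl, group_sid):
    """Exempt one group even if another entry grants it: a Deny for Apply Group Policy, evaluated first."""
    return [Ace("deny", group_sid, frozenset({APPLY}))] + list(dacl)

# Constructed domain group SIDs for the illustration.
SALES = "S-1-5-21-1000-2000-3000-1101"
SALES_MANAGERS = "S-1-5-21-1000-2000-3000-1102"
```

The two helper functions are the two filtering operations an administrator performs on the Security tab: narrowing a GPO to a group, and carving one group out with a Deny entry. Because a Deny beats any Allow, a manager who is also a member of Sales is exempted even though Sales is granted the GPO.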
Why can't I delete the default GPO (Default Domain Policy), no matter which administrative group I belong to?
By default, the Delete Access Control entry has not been allowed to the Administrators groups. Administrators do have all other rights. The reason for this is to prevent the accidental deletion of this GPO, which contains important and required settings for the domain. If it is truly required that the GPO be deleted because the settings have been set in other GPOs, the Delete access control entry must be given back to the appropriate group.
Why do I sometimes get the prompt "The Domain Controller for Group Policy operations is not available. You may cancel this operation for this session or retry using one of the following domain controller choices."?
The Group Policy snap-in uses the primary domain controller emulator Operations Master token when editing a GPO. For information, see Specifying a Domain Controller for Setting Group Policy, and Group Policy Snap-in and the Operations Master earlier in this paper.
What is the best method of copying or replicating policies between domains?
While no part of a GPO is replicated outside of a domain, it is possible to establish a link to a GPO in a domain other than your own. Use the Add button on the target site, domain, or OU Group Policy Properties page. Use the Look in list box to navigate to the domain in which the GPO exists; then browse to it, and select it. There are performance implications associated with linking GPOs across domains. All computers and users affected by the cross-domain linked GPO must access the other domain and pull the GPO information from it. It is, therefore, important to consider WAN issues before you establish such a link.
For a limited way to copy policies, see the section called Saving and Moving the Scenario GPOs to Another Domain in the “Using Group Policy Scenarios” white paper, which is found at http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicy.asp.
The ability to have enterprise-wide GPOs and the ability to copy GPOs will be considered for the next release of Windows 2000 Server.
Infrastructure - Client side
How can I get more information regarding the processing of Group Policy into the Event log of a client computer?
You can set the following registry key for this by using the Registry Editor tool (regedit.exe):
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
RunDiagnosticLoggingGroupPolicy REG_DWORD 1
Setting this key causes additional information to be logged to the event log when Group Policy is running.
In what order are policies processed during computer startup and user logon?
The policy processing sequence is the following:
The network starts—Remote Procedure Call System Service (RPCSS) and Multiple UNC (Universal Naming Convention) Provider (MUP) must be started.
Apply computer Group Policy—this is done synchronously by default.
Run startup scripts—these are run hidden and synchronously by default. This means that each script must complete or time out before the next one starts.
CTRL+ALT+DEL is pressed.
After the user is validated, the profile is loaded.
Apply user Group Policy—this is done synchronously by default. Policy is processed in the following order: Windows NT 4.0-style policy, local GPO, site, domain, OU, and so on. UI is displayed while policies are being processed.
Note: Windows NT 4.0 style policies process both computer and user settings, potentially overwriting the Active Directory-based Group Policy settings that were applied at computer startup.
Run logon scripts—Group Policy-based logon scripts are run hidden (unlike in Windows NT 4.0) and asynchronously by default. The user object script, which is run in a normal window (like Windows NT 4.0), is run last.
Start the shell.
Notes: Policy settings exist for reversing the synchronous or asynchronous defaults for running scripts and applying policy. For more details on policy options for scripts see the Scripts section of this paper.
By default, scripts time out after 600 seconds. A policy setting exists that lets you change this default.
Policy settings also exist for specifying whether scripts are run hidden, minimized, or in a normal window.
You can specify a Group Policy to disable Windows NT 4.0-style policies.
How often is Group Policy applied, and how do I change it?
For users and all computers (except domain controllers), policy is applied by default every 90 minutes with a variable offset of 30 minutes. For domain controllers, the default is every 5 minutes. You can change these defaults by setting a Group Policy within the Administrative Templates node of the Group Policy snap-in.
The application of Group Policy cannot be scheduled or pushed to clients. Exceptions to this include the Software Installation and Folder Redirection snap-ins. The Scripts extension runs during the background refresh, but the scripts are actually run by Winlogon at the appropriate time.
How long does it take to process Group Policies?
This depends on the number of GPOs being processed for a specified computer or user and on the number of policies set with each GPO.
A great deal of work on performance issues pertaining to Group Policy was done for the release of the product. This performance information has been published in a Microsoft Press book called "Building Enterprise Active Directory Services: Notes from the Field." Chapter Five, Active Directory Client Network Traffic, includes information pertaining to logon scripts, policy files, and the effects of Group Policy on logon traffic.
Which policies do I see when viewing the policies that are set when the Group Policy snap-in is run focused on a local computer?
This shows the information in the local Group Policy object, but not the cumulative effect of what has been applied to the computer or user. This feature will be investigated for the next release of the product. For Windows 2000, it shows the settings that a local administrator has set for that computer and all users of that computer. In the evaluation process, when the computer is joined to a domain, all the policy settings are subject to being overwritten by domain-based policy (any policy set in the site, domain, or OU).
Group Policy Snap-in
What happened to the policies such as Logon Banner or Disable CTRL+ALT+DEL that were available in Windows NT 4.0?
These and other policies that are security-related have been moved to the Security Settings node, under Local Policies\Security Options. This includes the following policies:
Disable CTRL+ALT+DEL.
Do not display last user name in logon screen.
Message text, caption, title for users logging on (legal notice).
Allow system to be shutdown without having to log on.
For more information, see Appendix D: Windows NT 4.0, Zero Administration Kit, and Windows 2000 Namespace Comparison.
General Issues
Can I transfer System Policies to Group Policy Objects?
You cannot migrate Windows NT 4.0 System Policies directly to Windows 2000. In Windows NT 4.0, System Policies were stored in one .pol file with group information embedded. One way to extract policy settings from Windows NT 4.0 .pol files is by using the Gpolmig.exe tool included in the Windows 2000 Server Resource Kit Tools. Gpolmig.exe is used to migrate settings from Windows NT policy files to the Windows 2000 Group Policy object structure.
Windows NT 4.0 clients on Windows 2000 Server and Windows 2000 Professional computers on Windows NT 4.0 server will continue to work as they did before, using the Netlogon share.
With Windows 2000 Server, when a Windows NT 4.0 client is upgraded to Windows 2000, it will get only Active Directory-based Group Policies and not Windows NT 4.0-style policies.
What is the plan for providing users with the ability to determine the resultant set of policies for a computer and user?
In the next release, we will provide an isolation layer that exposes all resultant Group Policy data by using a standard schema. The Windows Management Instrumentation (WMI) technology and schema will be used to implement this interface to the Group Policy Resultant Set of Policy (RSoP) data.
Using this approach provides a consistent data interface for developers to use when creating RSoP tools.
In addition, Microsoft will build a basic administrator's RSoP tool that uses the WMI-based infrastructure and provides the following capabilities:
Generates the actual RSoP for a given target, for example, a particular computer or user. This addresses the question of which policies were applied.
Views the potential state. This answers the question of which policies would be applied for a user, a computer, and a user on a specific computer, given a particular target.
Indicates the source GPOs for each of the resultant policies.
Do Group Policies override User Profile settings?
Yes.
Where is the System Policy Editor (Poledit.exe) located, and why would I need to use it?
The Windows NT 4.0 System Policy Editor, Poledit.exe, is located in the %systemroot% directory. The Windows NT 4.0-style .adm files are located in the %systemroot%\inf directory (the same location as in Windows NT 4.0). The System Policy Editor user interface is not exposed in Windows 2000 server. Administrators still have to use Poledit.exe to create registry-based policies for all clients running Windows NT 4.0, Windows 95, and Windows 98.
To create a properly formatted .pol file for Windows 95 or Windows 98, Poledit.exe must be run on a Windows 95 or Windows 98 client. For more details about this process and Windows NT 4.0 System Policy, see the white paper called “Implementing Profiles and Policies for Windows NT 4.0,” available at http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp.
For Windows NT 4.0 and Windows 2000, Poledit.exe may be run on either system. The resultant .pol file must then be copied to the domain controller's Netlogon share.
Is there a programmatic way to add, edit, or delete GPOs?
No process is available to script Group Policy Objects. However, you can programmatically add, edit, or delete GPOs by using the IGroupPolicyObject interface defined in the Gpedit.h file. For details on the Group Policy APIs, see the Microsoft Platform SDK at http://msdn.microsoft.com/developer/sdk/platform.htm.
Some of these functions can be performed with the Windows 2000 Server Resource Kit command line tool called GPOTool.exe. You can use GPOTool.exe to do the following:
Perform Group Policy object checks for consistency, including reading directory services properties (version, friendly name, extension, SYSVOL data (Gpt.ini), and GUIDs), comparing directory services and SYSVOL version numbers, and performing other consistency checks.
Check Group Policy object replication. The tool reads the Group Policy object instances from each domain controller and compares them (selected GPC properties and full recursive compare for GPT).
View Group Policy object information, including such properties as functionality version and extension GUIDs.
Browse Group Policy objects based on friendly name or GUID. A partial match is also supported for both name and GUID.
Set options for preferred domain controllers. By default, all available domain controllers in the domain are used; this can be overridden with a list of domain controllers supplied on the command line.
View policies in different domains by using a command-line option.
Run in verbose mode. A command-line option can turn on verbose information about the policies being processed.
For more information about the GPOTool.exe and other Windows 2000 Resource Kit software tools, see http://www.microsoft.com/windows2000/library/resources/reskit/tools/default.asp.
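The first two GPOTool.exe checks listed above (comparing the version stored on the directory-side Group Policy Container with the Version line in SYSVOL's Gpt.ini, and doing so on every domain controller so that replication lag shows up) can be illustrated without the tool itself. The following is an added example, not GPOTool's code and not part of the original paper. It assumes the real attribute names of the GPC object (cn, versionNumber, gPCFileSysPath) and the [General]/Version key of Gpt.ini, and that the packed version integer carries the computer-side change count in its low 16 bits and the user-side count in its high 16 bits; the GPC record and the Gpt.ini bodies are constructed sample input.

```python
"""Added example: a stand-in for the GPC/GPT consistency check that GPOTool.exe
performs.  Illustrative code only, not GPOTool or the Group Policy APIs.
Assumptions (not stated in the paper): GPC attribute names cn, versionNumber
and gPCFileSysPath; the Gpt.ini [General]/Version key; and the packed version
layout (low 16 bits = computer side, high 16 bits = user side).  All input
records below are constructed samples."""
import configparser
import re

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def split_version(version):
    """Split the packed versionNumber into (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Return the Version value from a Gpt.ini body; raises on a malformed file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def check_gpo(gpc, gpt_ini_by_dc):
    """Compare one GPC record (as read from the directory) with the Gpt.ini
    found in SYSVOL on each domain controller.  Returns a list of findings;
    an empty list means the GPO is consistent and fully replicated."""
    findings = []
    name = gpc["cn"]
    if not GUID_RE.match(name):
        findings.append(f"{name}: GPC name is not a GUID")
    # The GPT folder must be the GUID-named directory under \Policies.
    tail = "\\policies\\" + name.lower()
    if not gpc["gPCFileSysPath"].lower().endswith(tail):
        findings.append(f"{name}: gPCFileSysPath does not point at the GUID folder")
    ad_user, ad_comp = split_version(gpc["versionNumber"])
    for dc, ini in gpt_ini_by_dc.items():
        try:
            sysvol_version = parse_gpt_ini(ini)
        except (configparser.Error, KeyError, ValueError) as exc:
            findings.append(f"{name} on {dc}: unreadable Gpt.ini ({exc!r})")
            continue
        if sysvol_version != gpc["versionNumber"]:
            s_user, s_comp = split_version(sysvol_version)
            findings.append(
                f"{name} on {dc}: version mismatch, directory user={ad_user} "
                f"computer={ad_comp} vs SYSVOL user={s_user} computer={s_comp}")
    return findings


# Constructed sample: the GPC as it would be read from the directory ...
SAMPLE_GPC = {
    "cn": "{47636445-af79-11d0-91fe-080036644603}",
    "versionNumber": 65539,  # user=1, computer=3
    "gPCFileSysPath": r"\\Seattle.yourcompanyname.com\sysvol\Seattle.yourcompanyname.com"
                      r"\Policies\{47636445-af79-11d0-91fe-080036644603}",
}
# ... and the Gpt.ini body read from each domain controller's SYSVOL share.
SAMPLE_GPT_INI = {
    "DC1": "[General]\r\nVersion=65539\r\ndisplayName=Seattle policy\r\n",  # in sync
    "DC2": "[General]\r\nVersion=65538\r\ndisplayName=Seattle policy\r\n",  # one computer-side change behind
    "DC3": "[General]\r\ndisplayName=Seattle policy\r\n",                   # Version line missing
}


def run_sample():
    """Run the check over the constructed sample; two findings are expected."""
    return check_gpo(SAMPLE_GPC, SAMPLE_GPT_INI)


if __name__ == "__main__":
    for line in run_sample() or ["consistent"]:
        print(line)
```

A mismatch on one controller but not the others is what a replication delay looks like; the same mismatch on every controller (or a Gpt.ini that is present but unreadable) is worth treating as a change made outside the snap-in, since every edit through the Group Policy snap-in bumps both copies of the version together.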
Glossary
This section presents terminology used in this document.
Active Directory
The Windows 2000 directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and apply. With the Active Directory, users can gain access to resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure.
administrative templates (.adm files)
Template files that provide settings pertaining to Windows 2000, Windows NT version 4.0, and Windows 95 and Windows 98 operating system and registry structure. The .adm file specifies the registry settings that can be modified through the Group Policy snap-in user interface. The .adm file consists of a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy snap-in user interface. It also indicates the registry locations where changes should be made if a particular selection is made, specifies any options or restrictions (in values) that are associated with the selection, and in some cases, specifies a default value to use if a selection is activated.
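To make the structure described in this entry concrete, here is an added example of a small parser for the .adm syntax; it is not Microsoft's code and not part of the original paper. It handles the subset of keywords needed to show how a template maps a policy selection to a registry write (CLASS, nested CATEGORY, POLICY, KEYNAME, VALUENAME, VALUEON and VALUEOFF with NUMERIC, string or DELETE data). The template text, including its registry key and value names, is a constructed sample.

```python
"""Added example: a minimal parser for the .adm template format and the
registry writes a template implies.  Not Microsoft's code; the template and
its key/value names are constructed samples."""
import re

DELETE = "<delete>"          # marker for VALUEOFF/VALUEON DELETE
LINE_RE = re.compile(r"^\s*(\S+)\s*(.*?)\s*$")

# Constructed sample template (not a file shipped with Windows).
SAMPLE_ADM = r'''
; categories nest, and a KEYNAME given on a CATEGORY is inherited by its policies
CLASS MACHINE
CATEGORY "System"
  KEYNAME "Software\Policies\Sample\System"
  CATEGORY "Logon"
    POLICY "Run logon scripts synchronously"
      VALUENAME "RunLogonScriptSync"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
CLASS USER
CATEGORY "Desktop"
  POLICY "Hide all icons on desktop"
    KEYNAME "Software\Policies\Sample\Explorer"
    VALUENAME "NoDesktop"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Wallpaper name"
    KEYNAME "Software\Policies\Sample\Desktop"
    VALUENAME "Wallpaper"
    VALUEON "corp.bmp"
    VALUEOFF DELETE
  END POLICY
END CATEGORY
'''


def _data(arg):
    """Decode a VALUEON/VALUEOFF argument: NUMERIC n, DELETE, or a quoted string."""
    if arg.upper().startswith("NUMERIC"):
        return int(arg.split(None, 1)[1])
    if arg.upper() == "DELETE":
        return DELETE
    return arg.strip('"')


def parse_adm(text):
    """Return one record per POLICY: class, category path, registry key/value,
    and the data written when the policy is enabled (on) or disabled (off)."""
    policies, current_class, cat_stack, policy = [], None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # comments and #if/#endif directives
            continue
        if line.lower().startswith("[strings]"):
            break                              # string table: nothing to map
        kw, arg = LINE_RE.match(line).groups()
        kw = kw.upper()
        if kw == "CLASS":
            current_class = arg.upper()
        elif kw == "CATEGORY":
            cat_stack.append([arg.strip('"'), None])   # [name, KEYNAME or None]
        elif kw == "POLICY":
            policy = {"class": current_class,
                      "category": "/".join(c[0] for c in cat_stack),
                      "policy": arg.strip('"'),
                      "key": None, "value": None, "on": None, "off": None}
        elif kw == "KEYNAME":
            if policy is not None:
                policy["key"] = arg.strip('"')
            elif cat_stack:
                cat_stack[-1][1] = arg.strip('"')
        elif kw == "VALUENAME" and policy is not None:
            policy["value"] = arg.strip('"')
        elif kw in ("VALUEON", "VALUEOFF") and policy is not None:
            policy["on" if kw == "VALUEON" else "off"] = _data(arg)
        elif kw == "END":
            if arg.upper() == "POLICY" and policy is not None:
                if policy["key"] is None:      # inherit the nearest CATEGORY KEYNAME
                    policy["key"] = next((k for _, k in reversed(cat_stack) if k), None)
                if policy["key"] is None or policy["value"] is None:
                    raise ValueError(f"policy {policy['policy']!r} lacks KEYNAME or VALUENAME")
                policies.append(policy)
                policy = None
            elif arg.upper() == "CATEGORY" and cat_stack:
                cat_stack.pop()
    return policies


def registry_writes(policies, selections):
    """Map {policy name: True (Enabled) / False (Disabled) / None (Not Configured)}
    to the registry operations the snap-in would persist for the GPO."""
    writes = []
    for p in policies:
        choice = selections.get(p["policy"])
        if choice is None:
            continue                           # Not Configured: nothing is written
        data = p["on"] if choice else p["off"]
        if data == DELETE:
            writes.append(("delete", p["class"], p["key"], p["value"]))
        else:
            writes.append(("set", p["class"], p["key"], p["value"], data))
    return writes
```

Because the template only describes the user interface and the registry locations, the same value can be reached by any template that names the same key: reviewing which .adm files are loaded into a GPO, and which keys they can write, is part of reviewing what that GPO can change.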
Administrative Templates snap-in extension
A Group Policy snap-in extension that includes all registry-based Group Policy, which you use to define settings that control the behavior and appearance of the desktop, including the operating system and applications.
The Administrative Templates snap-in extension includes functionality for managing disk quotas.
application assignment
In Windows 2000, you can use the Software Installation snap-in extension of the Group Policy snap-in to assign applications to users so that the applications appear to be installed and available on the user's desktop whenever a user logs on.
You assign applications to a particular Group Policy Object (GPO), which is, in turn, associated with a selected directory container (site, domain, or organizational unit). When you assign applications, the application is advertised to every user managed by the GPO. This installs only enough information about the application to make application shortcuts appear on the Start menu and the necessary file associations appear in the registry. When users managed by the GPO log on to a computer running Windows 2000, the application appears on their Start menu. When users select the application from the Start menu for the first time, the application is installed. Advertised applications can also be installed by clicking on a document managed by the application (either by file extension or by COM-based activation).
application publishing
In Windows 2000, you can use the Software Installation snap-in extension of the Group Policy snap-in to publish applications to users. Published applications are those that the administrator makes available for on-demand use.
Published applications have no presence on the users' computers. That is, no shortcuts or Start menu references to the application are present on the desktop. A published application is advertised to the Active Directory. The advertised attributes are used to locate the application and all the information required for installing it. After the application is advertised in the Active Directory, users can activate it by document association, just as an assigned application. Users can also set up the program using the Add/Remove Programs Control Panel tool on their desktop.
.cab file
A .cab file contains one or more files, all of which are downloaded together in a single compressed cabinet file. Included in the cabinet is an .inf file that provides further installation information. The .inf file may refer to files in the .cab and to files at other uniform resource locators (URLs).
discretionary access control list (DACL)
A part of the security descriptor that specifies the groups or users that can access an object, as well as the types of access (permissions) granted to those groups or users. See also security descriptor.
disk quotas
Within the Administrative Templates node of the Group Policy snap-in are policy options for managing disk quotas, which administrators can use to monitor and limit disk space use on volumes formatted with NTFS version 5.0. After you enable disk quotas, you can set options for disk quota limits and warnings.
domain
A grouping of servers and other network objects under a single name. Domains provide the following benefits:
You can group objects into domains to help reflect your company’s organization in your computer network.
Each domain stores only the information about the objects located in that domain. By partitioning the directory information this way, the Active Directory scales up to as many objects as you need to store information about on your network.
domain trees
You can combine multiple domains into structures called domain trees. The first domain in a tree is called the root of the tree, and additional domains in the same tree are called child domains. A domain immediately above another domain in the same tree is referred to as the parent of the child domain.
All domains within a single domain tree share a hierarchical naming structure. Domains that share a common root share a contiguous namespace. Domains in a tree are joined together through two-way, transitive trust relationships; because the trusts are two-way and transitive, a domain joining a tree immediately has trust relationships established with every domain in the tree.
Folder Redirection snap-in extension
A Group Policy snap-in extension that you use to place the Windows 2000 special folders in network locations other than their default location (%systemroot%\Documents and Settings) on the local computer.
globally unique identifier (GUID)
A 128-bit integer that identifies a particular object class and interface. GUIDs are virtually guaranteed to be unique. A GUID can be generated using either the uuidgen.exe utility from the Platform Software Development Kit, or the guidgen tool included in the Microsoft Visual C++® development system. For more information about GUIDs, see the OLE Programmer’s Reference, Volume One; the Platform Software Development Kit documentation; and Inside OLE, 2d ed. by Kraig Brockschmidt, Redmond, Wash.: Microsoft Press, 1995.
Group Policy
A component used in Windows 2000 to define options for managed desktop configurations for groups of users and computers. To specify Group Policy options, you use the Group Policy MMC snap-in.
Group Policy engine
The part of Group Policy that runs in the Winlogon process.
Group Policy Object
The Group Policy settings that you create by using the Group Policy snap-in are contained in a Group Policy object (GPO), which is in turn associated with selected Active Directory containers: sites, domains, and organizational units (OUs).
Group Policy MMC snap-in
To create a specific desktop configuration for a particular group of users and computers, you use the Group Policy MMC snap-in.
You can specify Group Policy settings for the following:
Registry-based policies—Includes Group Policy for the Windows 2000 operating system and its components and for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.
Security settings—Includes options for local computer, domain, and network security settings.
Software Installation and Maintenance options—Used to centrally manage application installation, updates, and removal.
Script options—Includes scripts for computer startup and shutdown and user logon and logoff.
Folder Redirection options—Allows administrators to redirect users’ special folders to the network.
Internet Explorer Maintenance—Used to manage and customize Internet Explorer on Windows 2000-based computers.
Remote Installation Services—Used to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
Internet Explorer Maintenance extension snap-in
Administrators use Internet Explorer Maintenance to manage and customize Microsoft Internet Explorer on Windows 2000-based computers.
Microsoft Management Console (MMC)
A common console framework for system-management applications. The primary goal of the Microsoft Management Console is to support simplified administration and lower cost of ownership through tool integration, task orientation, support for task delegation, and overall interface simplification. The MMC console hosts the administrative tools (these are called MMC snap-ins); the console itself provides no management functionality.
MMC snap-in
Tools that extend the MMC console and provide administrative functionality. A snap-in functions independently from other snap-ins.
MMC extension snap-in
A tool that enhances the functionality of a parent snap-in. An extension depends on a parent snap-in for contextual data.
organizational unit (OU)
A type of directory object contained within domains. OUs are logical containers into which you can place users, groups, computers, and even other organizational units.
registry
A database in which Windows NT internal configuration information and computer- and user-specific settings are stored.
registry hive
A section of the registry that is saved as a file. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a beehive). A hive is a discrete body of keys, subkeys, and values.
Remote Installation Services
A new optional component included in Windows 2000 Server that administrators can use to remotely install a local copy of the Windows 2000 Professional operating system on supported computers throughout their organization. Administrators can deploy a new version of an operating system upgrade to large numbers of clients at one time from a centralized location.
Administrators can use Group Policy to specify the client installation options that groups of users can access. These options are determined by the specific Remote OS Installation Group Policy settings that administrators define for the site, domain, or OU to which the users belong, in conjunction with the specific security group or user account.
schema
The formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. The Active Directory includes a default schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and security policies. The Active Directory schema is dynamically extensible; this means that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either programmatically or with the Schema Manager snap-in tool included with Windows NT Server.
scripts
Batch files (.bat) or executable (.exe) files that run when a computer starts up or shuts down or when a user logs on or off at any type of workstation on the network. Windows 2000 supports Windows Scripting Host Visual Basic Scripting Edition (VBScript) and JScript, while continuing to support MS-DOS command scripts and executable files.
security descriptor
A set of access-control information attached to every container and object on the network. A security descriptor controls the type of access allowed to users and groups. Administrators assign security descriptors to objects stored in the Active Directory in order to control access to resources or objects on the network.
A security descriptor lists the users and groups that are granted access to an object (a file, printer, or service, for example), and the specific permissions assigned to those users and groups. See also discretionary access control list and system access control list.
Security Settings extension snap-in
A Group Policy extension snap-in that you use to define security configuration for computers within a Group Policy object. A security configuration consists of settings applied to each security area supported for Windows 2000 Professional or Windows 2000 Server. This configuration is included within a GPO.
site
In Windows 2000 you register your network’s physical topology by defining sites. A site is defined as one or more IP subnets. Windows 2000 uses site information to direct requests from one computer to be fulfilled by another computer at the same site. For example, when a workstation logs on, the Active Directory uses the TCP/IP address of the workstation, along with the site information you have entered, to locate a domain controller on the local site. This local controller is used to service the workstation’s requests.
Scripts extension snap-in
A Group Policy extension snap-in that you use to assign scripts to run at computer startup or shutdown or upon user logon or logoff.
Software Installation extension snap-in
A Group Policy extension snap-in that you use to centrally manage software distribution in your organization.
system access control list (SACL)
Part of a security descriptor that specifies which user accounts or groups to audit when accessing an object, the access events to be audited for each group or user, and a Success or Failure attribute for each access event, based on the permissions granted in the object’s DACL.
total cost of ownership (TCO)
Refers to the administrative costs associated with computer hardware and software purchases, deployment and configuration, hardware and software updates, training, maintenance, and technical support.
Windows Installer packages (.msi files)
Packages that contain all the information necessary to describe to the Windows Installer how to set up an application in every conceivable situation: various platforms, different sets of previously installed products, earlier versions of a product, and numerous default installation locations. The Software Installation extension snap-in to the Group Policy snap-in uses .msi packages.
Zero Administration Windows
Microsoft’s solution for lowering the total cost of ownership is an initiative called Zero Administration Windows. The broad goals for Zero Administration Windows are to significantly lower the cost of initial configuration from today’s levels and to decrease administrative overhead when the network is running in a steady state. After initial computer configuration, a combination of automatic application setup, scripting, and desktop policies significantly lowers the costs associated with managing workstations.
For More Information
For the latest information on Windows 2000 Server, Change and Configuration Management, and IntelliMirror, see the Windows 2000 Server Web site at http://www.microsoft.com/windows2000/guide/server/overview/default.asp.
The following table lists a series of papers that introduce the Microsoft Windows management services and change and configuration management. These papers are intended for managers and technical decision-makers who need to understand the business requirements for, and the benefits of, management features, as well as the Microsoft management architecture, tools, and solutions. We recommend that you read these in the order listed below.
Title: Introduction to Windows Management Services
Content: An overview of the management roles and disciplines, as well as the architecture for management solutions that will be available, either as part of the operating system or as an add-on.
Point your browser to: http://www.microsoft.com/windows2000/library/howitworks/management/manageintro.asp.

Title: Windows 2000 Desktop Management Overview
Content: An overview of change and configuration management and an introduction to how Microsoft products, such as Windows 2000 IntelliMirror, Remote OS Installation and Systems Management Server, address this management discipline.
Point your browser to: http://www.microsoft.com/windows2000/library/howitworks/management/ccmintro.asp.

Title: Introduction to IntelliMirror
Content: An overview of the features of Windows 2000 IntelliMirror and scenarios for how organizations can benefit from IntelliMirror.
Point your browser to: http://www.microsoft.com/windows2000/library/howitworks/management/intellimirror.asp.

Title: Remote Operating System Installation Overview
Content: An overview of the features of Remote Operating System Installation and scenarios illustrating how organizations can benefit from Remote Operating System Installation.
Point your browser to: http://www.microsoft.com/windows2000/library/howitworks/management/remoteover.asp.

Title: Systems Management Server: Executive Overview
Content: An overview of the features of Systems Management Server, and discussion of its benefits.
Point your browser to: http://www.microsoft.com/smsmgmt/exec/default.asp and http://www.microsoft.com/smsmgmt/default.asp.
Technical Papers
The following table lists additional technical papers that are or will be available for administrators and Information Technology (IT) managers who are interested in understanding the details of Windows management services features and technologies.
More information on each of the following topics is or will be available at the listed web site:

Active Directory: http://www.microsoft.com/windows2000/library/technologies/activedirectory/default.asp.
Step-by-Step Guide to Understanding the Group Policy Feature Set: http://www.microsoft.com/windows2000/library/planning/management/groupsteps.asp.
Using Group Policy Scenarios: http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicy.asp.
Microsoft Windows Installer Service: http://www.microsoft.com/windows2000/library/howitworks/management/installer.asp.
Software Installation and Maintenance: http://www.microsoft.com/windows2000/library/operations/management/siamwp.asp
Remote OS Installation Service: http://www.microsoft.com/windows2000/library/planning/management/remoteos.asp.
User Settings and User Data: http://www.microsoft.com/windows2000/library/operations/management/settings.asp
Windows Management Instrumentation (WMI): http://www.microsoft.com/windows2000/library/technologies/management.
Implementing Profiles and Policies for Windows NT 4.0: http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp.