





    This paper is part of a series that describes Windows 2000 Group Policy. The first paper, “Introduction to Windows 2000 Group Policy,” presented an overview of Group Policy. This paper provides more detailed technical information.

    Group Policy provides directory-based desktop configuration management. In Windows 2000, you use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory™ service system containers—sites, domains, and organizational units (OUs)—you can apply these settings to the users and computers in those Active Directory containers. To create GPOs, you use the Group Policy Microsoft Management Console (MMC) snap-in.


    Administrative Requirements for Using Group Policy


    To make use of all of its features, Group Policy requires Active Directory and Windows 2000 clients. To set Group Policy for a selected Active Directory container, you must have a Windows 2000 domain controller installed, and you must have read and write permission to access the system volume of domain controllers (Sysvol folder) and modify rights to the currently selected directory container. The system volume folder is automatically created when you install a Windows 2000 domain controller (or promote a server to domain controller).

    Note: Group Policy depends on Active Directory; therefore, it is crucial to understand Active Directory and its structure. It is highly recommended that you familiarize yourself with Active Directory concepts before implementing Group Policy.
    To learn about Active Directory directory services, see the Active Directory white papers at http://www.microsoft.com/windows2000/library/howitworks. Information on planning and implementing Active Directory is available in the Windows 2000 Server Resource Kit Deployment Planning Guide at http://www.microsoft.com/windows2000/library/resources/reskit/dpg/default.asp.

    What this Paper Contains


    This paper presents information on the following topics:

    • Overview of Group Policy Infrastructure and Mechanics

    • Delegating Group Policy

    • Group Policy Extension Snap-ins

    • Group Policy Processing

    • Specifying a Domain Controller for Setting Group Policy

    • Local Group Policy

    • Group Policy Loopback Support

    • Policy Settings for Group Policy

    • Group Policy and Active Directory Sites

    • Design Considerations for Organizational Unit Structure and Use of Group Policy Objects

    • IntelliMirror Features without Active Directory

    • Migrating Policy-Enabled Clients from Windows NT 4.0 to Windows 2000

    • Security Settings and User Rights

    • Group Policy Settings for Internet Explorer

    • Group Policy Storage

    • Windows NT 4.0, Zero Administration Kit, and Windows 2000 Namespace Comparison

    • Frequently Asked Questions

    Overview of Group Policy Infrastructure and Mechanics





    Group Policy uses a document-centric approach to creating, storing, and associating policy settings. Similar to the way in which Microsoft Word stores information in .doc files, Group Policy settings are contained in Group Policy objects (GPOs). By analogy, the Group Policy snap-in is to GPOs as Microsoft Word is to .doc files.

    GPOs are associated with the following Active Directory containers: sites, domains, or OUs. The settings within the GPOs are then evaluated by the affected clients, using the hierarchical nature of the Active Directory.

    To create Group Policy, you use the Group Policy MMC snap-in, either as a stand-alone tool or as an extension to an Active Directory-related snap-in (such as the Active Directory Users and Computers snap-in or the Active Directory Sites and Services snap-in). The preferred method is to use the Group Policy snap-in as an extension to an Active Directory snap-in. This allows you to browse the Active Directory for the correct Active Directory container, and then define Group Policy based on the selected scope. To access Group Policy from either the Active Directory Users and Computers snap-in console or the Active Directory Sites and Services snap-in console, select the Group Policy tab from the Properties page of a site, domain, or organizational unit.

    Linking Group Policy Objects to Active Directory Containers


    Any site, domain, or OU may be associated with any Group Policy Object. As shorthand, we will use the acronym SDOU to mean a site, domain, or OU.

    A given GPO can be associated (linked) to more than one site, domain, or OU. Conversely, a given site, domain, or OU can have multiple GPOs linked to it. In the case where multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order of precedence in which these GPOs are applied.

    By linking GPOs to Active Directory sites, domains, and OUs, you can implement Group Policy settings for as broad or as narrow a portion of the organization as you want:


    • A GPO linked to a site applies to all users and computers in the site.

    • A GPO applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in child OUs. Note that policy is not inherited across domains.

    • A GPO applied to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.

    GPOs are stored on a per-domain basis; however, you can link a site, domain, or OU to a GPO in another trusted domain, although this is not recommended in general for performance reasons.
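
    The scope rules above, worked through as an added example (not part of the original paper): given an object's distinguished name and site, it lists every GPO whose link covers the object, and answers the reverse question of which objects a change to one GPO reaches. All container, GPO, and object names are constructed, and the model covers only the link and inheritance rules stated in this section.

```python
# Added example: GPO link scope as described above. All names are constructed.
LINKS = {  # container -> GPOs linked to it, in the administrator's priority order
    "site:Seattle": ["Site-Proxy"],
    "DC=corp,DC=example,DC=com": ["Domain-Baseline"],
    "OU=Sales,DC=corp,DC=example,DC=com": ["Sales-Lockdown", "Sales-Apps"],
    "OU=Kiosks,OU=Sales,DC=corp,DC=example,DC=com": ["Kiosk-Shell"],
    "DC=emea,DC=corp,DC=example,DC=com": ["EMEA-Baseline"],
}
OBJECTS = {  # object DN -> site the object is in
    "CN=pc1,OU=Kiosks,OU=Sales,DC=corp,DC=example,DC=com": "Seattle",
    "CN=pc2,OU=Sales,DC=corp,DC=example,DC=com": "Seattle",
    "CN=pc3,OU=Sales,DC=emea,DC=corp,DC=example,DC=com": "Seattle",
}


def containers_for(dn):
    """Return (domain DN, OU DNs from outermost to innermost) for an object DN."""
    rdns = [r.strip() for r in dn.split(",")]  # sample DNs have no escaped commas
    first_dc = next(i for i, r in enumerate(rdns) if r.upper().startswith("DC="))
    # The object's own domain is the whole run of DC= components. A parent
    # domain's DN is a suffix of it, but policy is not inherited across domains,
    # so only this exact DN is used for the domain-level lookup.
    domain = ",".join(rdns[first_dc:])
    ous = [",".join(rdns[i:]) for i in range(first_dc - 1, 0, -1)
           if rdns[i].upper().startswith("OU=")]
    return domain, ous


def gpos_in_scope(dn, site, links=LINKS):
    """List (container, GPO) pairs whose link covers the object, directly or inherited."""
    domain, ous = containers_for(dn)
    return [(c, gpo) for c in ["site:" + site, domain] + ous
            for gpo in links.get(c, [])]


def objects_affected(gpo, objects=OBJECTS, links=LINKS):
    """Reverse lookup: which objects does a change to this GPO reach?"""
    return sorted(dn for dn, site in objects.items()
                  if gpo in [g for _, g in gpos_in_scope(dn, site, links)])


if __name__ == "__main__":
    for dn, site in OBJECTS.items():
        print(dn, "->", [g for _, g in gpos_in_scope(dn, site)])
```

    In the sample data, pc3 sits in the child domain emea and therefore picks up the site-linked GPO and its own domain's GPO, but not Domain-Baseline from the parent domain.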

    To link a GPO to a site, use the Active Directory Sites and Services snap-in. To link a GPO to a domain or OU, use the Active Directory Users and Computers snap-in. In either tool, right-click the site, domain, or OU to which you want to link the GPO, and select Properties. Then select the Group Policy tab, which you use to create, edit, and manage GPOs.



    The following illustration shows the Group Policy model of linking sites, domains, and OUs to Group Policy objects.

    Figure 1. Linking Active Directory containers to Group Policy Objects

