Group Policy Structures
by Michael Day
Group Policy implementation is a very important part of the Windows 2000 Active Directory. True, a Windows 2000 Domain can exist and run fairly smoothly without ever needing to look at applying Group Policies but they are available to make your life easier as a Network Administrator. This article will start to explain the structures of Group Policies and will be followed by a subsequent article providing examples of some group policies.Group Policy implementation is a very important part of the Windows 2000 Active Directory.
Note: Group Policies only apply to Windows 2000 Computers. If you have Windows 9x or NT you need to use the System Policy Editor, which I will discuss in a future article.
Using Group Policies you can restrict user access to files and programs they shouldn't need to access like most of the control panel (IE. the System Applet). You can also use them to distribute software and updates to all the users or computers that need to use them, which will lessen the amount of time you spend going to the individual desks. Also provided is the ability to configure Microsoft Internet Explorer settings like the default home page (which can be locked to standardize the browsers), custom toolbar images, default favorites (like suppliers websites), and many others.
Group Policy Inheritance
Group Policies are applied in the following order, the last one applied can overwrite policies from any level above.
The Default Order is:
Local System Policies (created on the individual machine)
First Organizational Unit (OU)
Second OU, and so on down to the OU the Computer or User is in.
Note upper level policies (Domain, First OU) can be blocked by lower level policies so that they won't get applied to some OU's. I am using policy blocking to prevent the default user policy to apply to members of the IS Department who need to be able to run all applications for diagnosing problems.
The more Group Policies that apply to a computer or user though the slower the bootup or logon will be. Microsoft recommends setting the domain policy to only those items that will be applied to everyone and creating OU policies for items that vary by departments or offices.
Group Policies are separated into two main areas, Computer and User.
The Computer policies are applied when the machine boots up and a specified intervals during operation. One part of the Computer policy is the startup and shutdown scripts which will run a normal script file whenever the computer is started or shutdown. This could be used to map network drives before the user signs on if there is a common set of drives mapped.
The User policies are applied when the user logs on and again at specified intervals during operations. Also the User policy allows you to define logon and logoff scripts which could be used to replace or augment the user based scripts that have been available since Windows NT.
The default interval for policy refreshing is 90 minutes give or take 30 minutes (60-120 minutes) but that is configurable within the policies themselves.
Important exceptions to standard policies
Here are some Important exceptions to the normal order of group policies.
First, certain policies can only be applied at the domain level yet are available to select at all levels. These are Account Policies/Password Policy and Account Policies/Account Lockout Policy. This means that you can't have special Account Policies for different Departments.
Second, higher level policies can be set with No Override which will force that policy to be applied regardless of what the lower level policies say.
Third, by default policies are applied to all users in the OU that they exist in but you can modify the security settings to just apply to specific users or groups. How to do this is explained in the article How to apply Group Policies to Groups instead of OU's.
How to create a new Policy
Creating a new group policy is a vary simple and straightforward process. First you need to have a Windows 2000 Domain Controller, this will not work in a Windows NT domain. Second you need to have Read and Write access to the Sysvol Share and Modify Access to the Active Directory Container Object.
Assuming you have filled those requirements, you need to start Active Directory Users and Computers. Then right click on the Domain or OU you want to create the policy for, select the Group Policy Tab and click on create (to create a brand new policy) or click on the existing policy and click on edit to modify it. If you are creating a brand new policy you need to give it a meaningful name. My policy for the Terminal Services in Edmonton is call EdmTermServer, Calgary's is called CalTermServer.
You have the option to only use the User part of the policy, the Computer part of the policy or both parts of the policy. If you are only going to edit one section you will find some performance improvement by removing the unused portion (User or Computer)
All that is left to do is define what areas of the policy are applied and what parts are ignored.
What happens when a policy is removed?
Unlike the System Policies in Windows NT or Windows 9x, if you decide that a part of your group policy is no longer desired all you need to do is go in and unselect that portion and it will no longer be applied. In the System Policies you needed to set it to the exact opposite of what is was to remove it.