ServerWatch > Tutorials

May 2, 2003
Examining Windows Server 2003 Group Policy Enhancements
By Marcin Policht

Even though the release of Windows 2003 will not bring revolutionary changes to the Windows operating system platform (especially compared to the transition from Windows NT 4.0 to Windows 2000), functionality, manageability, and scalability enhancements to the new operating system are significant. One of the areas where this is especially visible is Group Policy management. In this series of articles I will provide an overview of new Group Policy features.

I will start by covering the additional settings available in Group Policies (their number has increased by over 150). I will follow with a presentation of new tools that simplify Group Policy planning, management, and troubleshooting - WMI filters, Resultant Set of Policies, and Group Policy Management Console.

Group Policy has been the primary method of managing the Active Directory environment since the release of Windows 2000. Microsoft continues this approach in Windows 2003-based domains by increasing the scope of available options. The quickest way to get an overview is to launch the Group Policy Editor for one of the Active Directory containers (site, domain, or organizational unit). You can do this using one of the following three methods (the first two are identical on the Windows 2000 platform):

  • Launch Active Directory Users and Computers (or Active Directory Sites and Services) from the Administrative Tools menu, right-click the domain or organizational unit (or site) to which the GPO has been applied, select Properties from the context-sensitive menu, and click the Group Policy tab. From there, you can either edit an existing Group Policy Object or create a new one.
  • Launch an empty Microsoft Management Console (by running mmc.exe from the Start->Run box) and add the Group Policy Object Editor snap-in. This will trigger the Group Policy Wizard which will prompt you for the location of the Group Policy Object you want to edit.
  • With the advent of Windows 2003, there is a new, friendlier way of accessing Group Policy objects via Group Policy Management Console. One of its numerous benefits is the ability to view all Group Policy Objects from a single interface. Once you find the target GPO, right-clicking on it will provide you with an "Edit" menu option. Selecting it will launch Group Policy Editor with this GPO open. The RTM version of the Group Policy Management Console is provided as a separate download from the Microsoft Web site. It can be used to manage both Windows 2000 (SP2 or later) and Windows 2003 Active Directory Group Policy objects; however, it has to be installed on either a Windows 2003 Server or a Windows XP Professional SP1 system with the .NET Framework and post-SP1 hotfix XP QFE Q326469 (which updates gpedit.dll) installed. I will cover its functionality in detail in the next article in this series.

Note that in order to get a full overview of Group Policy settings, you should not use Group Policy Editor for the local computer, since certain settings (such as Folder Redirection) will not be available.

The following Group Policy settings are new in Windows 2003 server based domains:

  • Computer Configuration
    • Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies - control security (e.g. authentication and encryption methods) used in wireless networks.
    • Windows Settings\Security Settings\Software Restriction Policies - prevent or allow applications to be run on target computers, based on a number of configurable criteria, such as file paths, hashes, certificates, Internet zones they originated from, or registry keys they use. This can be extremely useful in preventing virus infections and unauthorized software use.
    • Administrative Templates\Windows Components\Application Compatibility - determine the ability to run applications that were designed for legacy operating systems (including preventing access to all 16-bit applications).
    • Administrative Templates\Windows Components\Internet Information Services - control the ability to install IIS.
    • Administrative Templates\Windows Components\Terminal Services - provide the ability to control practically every single aspect of Terminal Services functionality.
    • Administrative Templates\Windows Components\Windows Messenger - prevent or allow the use and automatic launch at startup of Windows Messenger.
    • Administrative Templates\Windows Components\Windows Media Digital Rights Management - control Digital Rights Management Internet access.
    • Administrative Templates\Windows Components\Windows Media Player - affect several aspects of Windows Media Player operations, such as automatic updates, desktop shortcut creation, etc.
    • Administrative Templates\Windows Components\Windows Update - critical from the management and security point of view; allow you to control the frequency, time, and source of Windows updates.
    • Administrative Templates\System\User Profiles - determine different aspects of local and roaming profile behavior, such as the impact of slow links, permissions, etc.
    • Administrative Templates\System\Scripts - previously contained (in Windows 2000 group policies) in the Administrative Templates\System\Logon folder; control the way machine startup and shutdown scripts are executed.
    • Administrative Templates\System\Net Logon - control Active Directory features that are intended to optimize the domain login process, such as site membership, DC Locator DNS records, or caching domain controller information on the client workstation.
    • Administrative Templates\System\Remote Assistance - affect solicited and offered Remote Assistance options and their security configuration, such as level of control, helper list, or maximum ticket time.
    • Administrative Templates\System\System Restore - allow you to disable user configuration of System Restore or turn it off altogether.
    • Administrative Templates\System\Error Reporting - used mainly for troubleshooting and monitoring; affect the level of error message notifications.
    • Administrative Templates\System\Remote Procedure Call - affect how RPC errors are handled.
    • Administrative Templates\System\Windows Time Service - allow configuration of NTP server and client settings.
    • Administrative Templates\Network\DNS Client - expanded well beyond what was available in Windows 2000 (in the Administrative Templates\System\DNS Client folder, which allowed only mandating the suffix used to identify the computer in DNS). With these settings you can control practically all DNS-related features, such as the client's DNS suffix search order, registration of PTR records, connection-specific DNS suffix, etc.
    • Administrative Templates\Network\QoS Packet Scheduler - affect Quality of Service parameters, such as maximum reservable bandwidth or timer resolution.
    • Administrative Templates\Network\SNMP - determine SNMP communities, permitted SNMP managers, and SNMP traps for public communities.
  • User Configuration
    • Administrative Templates\Windows Components\Application Compatibility - prevent or allow access to 16-bit applications.
    • Administrative Templates\Windows Components\Help and Support Center - used to eliminate annoying "Did you know" messages.
    • Administrative Templates\Windows Components\Terminal Services - user-specific Terminal Services settings, such as a program to be started once the RDP connection is established or the level of remote control allowed.
    • Administrative Templates\Windows Components\Windows Messenger - just like the equivalent settings on the computer level, these control whether Windows Messenger is allowed to run (or run at startup).
    • Administrative Templates\Windows Components\Windows Media Player - affect user-specific options of Windows Media Player functionality, such as user interface, playback options, and networking options (such as proxy settings).
    • Administrative Templates\Shared Folders - control publishing shared folders and DFS roots in Active Directory.
    • Administrative Templates\System\User Profiles - control profile size and directories excluded from the roaming profile (included in the Administrative Templates\System\Logon/Logoff folder in Windows 2000 Group Policy).
    • Administrative Templates\System\Scripts - control synchronous and visible execution of user login and logoff scripts (also included in the Administrative Templates\System\Logon/Logoff folder in Windows 2000 Group Policy).
    • Administrative Templates\System\Ctrl+Alt+Del Options - allow removing individual buttons in the Windows Security dialog box.
    • Administrative Templates\System\Logon - the settings grouped previously (in Windows 2000 Group Policy) in the Administrative Templates\System\Logon/Logoff folder; control the list of programs running at logon.
    • Administrative Templates\System\Power Management - determine whether the logged-on user is prompted for a password when the computer resumes from the hibernate or suspend state.
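
The Software Restriction Policies entry in the list above names the criteria a rule can match on. As an added example (not code from the original article or from Microsoft), the Python sketch below models how such a policy reaches a decision; it goes beyond the article by assuming the documented precedence in which a hash rule outranks a path rule, the most specific matching path rule wins, and the default security level applies when nothing matches. Only hash and path rules are modeled, and the rule set, paths, file contents and the choice of SHA-256 are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

@dataclass(frozen=True)
class Rule:
    kind: str   # "hash" or "path"
    value: str  # hex digest of the file, or a file/folder path
    level: str  # DISALLOWED or UNRESTRICTED

def strictest(rules):  # among equally ranked matches, the more restrictive level wins
    return DISALLOWED if any(r.level == DISALLOWED for r in rules) else UNRESTRICTED

def path_depth(rule_path, target):  # components in rule_path if it covers target, else -1
    rule, tgt = PureWindowsPath(rule_path), PureWindowsPath(target)  # case-insensitive
    return len(rule.parts) if rule == tgt or rule in tgt.parents else -1

def evaluate(path, content, rules, default_level):  # -> (level, reason), simplified model
    digest = hashlib.sha256(content).hexdigest()  # digest algorithm is this sketch's choice
    by_hash = [r for r in rules if r.kind == "hash" and r.value.lower() == digest]
    if by_hash:  # hash rules outrank path rules
        return strictest(by_hash), "hash rule"
    scored = [(path_depth(r.value, path), r) for r in rules if r.kind == "path"]
    best = max((d for d, _ in scored), default=-1)
    if best >= 0:  # the most specific matching path rule decides
        return strictest([r for d, r in scored if d == best]), "path rule"
    return default_level, "default level"

# Constructed sample policy: default-deny with two allowed folders and two blocks.
BLOCKED_BYTES = b"constructed sample of an unwanted installer"
POLICY = [
    Rule("path", r"C:\Windows", UNRESTRICTED),
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Windows\Temp", DISALLOWED),
    Rule("hash", hashlib.sha256(BLOCKED_BYTES).hexdigest(), DISALLOWED),
]

def demo():
    cases = [  # constructed (path, file content) pairs
        (r"C:\WINDOWS\system32\notepad.exe", b"notepad"),
        (r"C:\Windows\Temp\setup.exe", b"setup"),
        (r"C:\Program Files\Tool\tool.exe", BLOCKED_BYTES),
        (r"C:\Documents and Settings\alice\Desktop\game.exe", b"game"),
    ]
    return [evaluate(p, c, POLICY, DISALLOWED) for p, c in cases]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

With the default level set to Disallowed, anything outside the allowed folders is blocked without needing its own rule, and the hash rule still blocks the listed file inside an allowed folder.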

Besides the settings listed above, there are also interesting enhancements to the group policy settings that existed in Windows 2000. For example, it is possible to specify that user-assigned software is installed fully at logon (instead of being only advertised). This is done by checking the "Install this application at logon" checkbox on the Deployment tab of the user-assigned Software Program Properties. It resolves a problem common with portable computers, where a software program is advertised at logon but the user does not launch it until the computer is disconnected from the network. You can also provide a support URL for each software installation. This URL will appear in the Add or Remove Programs applet in the Control Panel, which might help reduce software deployment related support calls.

In the next article in this series I will cover other enhancements to Windows 2003 Group Policies, such as WMI Filtering, Resultant Set of Policies and the Group Policy Management Tool.

