Even though the release of Windows 2003 will not bring revolutionary changes to the Windows operating system platform (especially compared to the transition from Windows NT 4.0 to Windows 2000), functionality, manageability, and scalability enhancements to the new operating system are significant. One of the areas where this is especially visible is Group Policy management. In this series of articles I will provide an overview of new Group Policy features.
Windows 2003 might not be a radical departure from its predecessors, but it still brings some significant enhancements. Marcin Policht takes a look at what’s new in Group Policy Management.
I will start by covering additional settings available in Group Policies (their number has increased by over 150). I will follow with presentation of new tools simplifying Group Policy planning, management, and troubleshooting – WMI filters, Resultant Set of Policies, and Group Policy Management Console.
Group Policy has been the primary method of managing the Active Directory environment since the release of Windows 2000. Microsoft continues this approach in Windows 2003 based domains, by increasing the scope of available options. The quickest way to get an overview is to launch the Group Policy Editor for one of the Active Directory containers (site, domain, or organizational unit). You can do this using one of the following three methods (the first two are identical on the Windows 2000 platform):
- Launch Active Directory Users and Computers (or Active Directory Sites and Services) from the Administrative Tools menu, right-click on domain, Organizational Unit (or site) to which the GPO has been applied, select Properties from the context-sensitive menu, and click on the Group Policy tab. From there, you can either edit an existing Group Policy Object or create a new one.
- Launch an empty Microsoft Management Console (by running mmc.exe from the Start->Run box) and add the Group Policy Object Editor snap-in. This will trigger the Group Policy Wizard which will prompt you for the location of the Group Policy Object you want to edit.
- With the advent of Windows 2003, there is a new, more friendly way of accessing Group Policy objects via Group Policy Management Console. One of its numerous benefits is the ability to view all Group Policy Objects from a single interface. Once you find the target GPO, right-clicking on it will provide you with an “Edit” menu option. Selecting it will launch Group Policy Editor with this GPO open. The RTM version of the Group Policy Management Console is provided as a separate download from the Microsoft Web site. It can be used to manage both Windows 2000 (SP2 or later) and Windows 2003 Active Directory Group Policy objects, however it has to be installed on either Windows 2003 Server or Windows XP Professional SP1 system with the .NET Framework and post SP1 hotfix XP QFE Q326469 (which updates gpedit.dll) installed. I will cover its functionality in details in the next article in this series.
Note that in order to get a full overview of Group Policy settings, you should not use Group Policy Editor for the local computer, since certain settings (such as for example Folder Redirection) will not be available.
The following Group Policy settings are new in Windows 2003 server based domains:
- Computer Configuration
- Windows SettingsSecurity SettingsWireless Network (IEEE 802.11) Policies – control security (e.g. authentication and encryption methods used in wireless networks),
- Windows SettingsSecurity SettingsSoftware Restriction Policies – prevent or allow applications to be run on target computers, based on a number of configurable criteria, such as file paths, hashes, certificates, Internet zones they originated from, or registry keys they use. This can be extremely useful in preventing virus infections and unauthorized software use.
- Administrative TemplatesWindows ComponentsApplication Compatibility – determine the ability to run applications that were designed for legacy operating systems (including preventing access to all 16-bit applications),
- Administrative TemplatesWindows ComponentsInternet Information Services – control the ability to install IIS,
- Administrative TemplatesWindows ComponentsTerminal Services – provide the ability to control practically every single aspect of Terminal Services functionality,
- Administrative TemplatesWindows ComponentsWindows Messenger – prevent or allow the use and automatic launch at startup of Windows Messenger
- Administrative TemplatesWindows ComponentsWindows Media Digital Rights Management – control Digital Rights Management Internet Access
- Administrative TemplatesWindows ComponentsWindows Media Player – affect several aspects of Windows Media Player operations, such as automatic updates, desktop shortcut creation, etc.
- Administrative TemplatesWindows ComponentsWindows Update – critical from the management and security point of view, allow you to control frequency, time, and source of Windows updates
- Administrative TemplatesSystemUser Profiles – determine different aspects of local and roaming profiles behavior, such as impact of slow links, permissions, etc.
- Administrative TemplatesSystemScripts – contained previously (in Windows 2000 group policies) in Administrative TemplatesSystemLogon folder, controlling the way machine startup and shutdown scripts are executed
- Administrative TemplatesSystemNet Logon – control Active Directory features that are intended to optimize domain login process, such as site membership, DC Locator DNS records, or caching domain controller information on the client workstation.
- Administrative TemplatesSystemRemote Assistance – affect solicited and offered Remote Assistance options and their security configuration such as level of control, helper list, or maximum ticket time
- Administrative TemplatesSystemSystem Restore – allows you to disable user configuration of System Restore or turn it off altogether
- Administrative TemplatesSystemError Reporting – used mainly for troubleshooting and monitoring, affect level of error message notifications
- Administrative TemplatesSystemRemote Procedure Call – affect how RPC errors are handled
- Administrative TemplatesSystemWindows Time Service – allow configuration of NTP server and client settings
- Administrative TemplatesNetworkDNS Client – expanded well beyond what was available in Windows 2000 (in Administrative TemplatesSystemDNS Client folder which allowed only mandating the suffix used to identify the computer in DNS). With these settings you can control practically all DNS related features, such as client’s DNS suffix search order, registration of PTR records, connection-specific DNS suffix, etc.
- Administrative TemplatesNetworkQoS Packet Scheduler – affect Quality of Service parameters, such as maximum reservabe bandwidth or timer resolution.
- Administrative TemplatesNetworkSNMP – determine SNMP communities, permitted SNMP managers, and SNMP traps for public commmunities.
- User Configuration
- Administrative TemplatesWindows componentsApplication Compatibility – prevent or allow access to 16-bit applications
- Administrative TemplatesWindows ComponentsHelp and Support Center – used to eliminate annoying “Did you know” messages
- Administrative TemplatesWindows componentsTerminal Services – user specific Terminal Services settings, such as a program to be started once the RDP connection is established or level of remote control allowed
- Administrative TemplatesWindows componentsWindows Messenger – just as equivalent settings on the computer level, these control whether Windows Messenger is allowed to run (or run at startup)
- Administrative TemplatesWindows componentsWindows Media Player – affect user specific options of Windows Media Player functionality, such as user interface, playback options, and networking options (such as proxy settings)
- Administrative TemplatesShared Folders – control publishing shared folders and DFS roots in Active Directory.
- Administrative TemplatesSystemUser Profiles – control profile size and directories excluded from roaming profile (included in Administrative TemplatesSystemLogon/Logoff folder in Windows 2000 Group Policy)
- Administrative TemplatesSystemScripts – control synchronous and visible execution of user login and logoff scripts (also included in Administrative TemplatesSystemLogon/Logoff folder in Windows 2000 Group Policy)
- Administrative TemplatesSystemCtr+Alt+Del Options – allow removing individual buttons in the Windows Security dialog box
- Administrative TemplatesSystemLogon – the settings grouped previously (in Windows 2000 Group Policy) in Administrative TemplatesSystemLogon/Logoff folder, control list of programs running at logon
- Administrative TemplatesSystemPower Management – determines whether the logged-on user is prompted for passwords when computer resumes from hibernate or suspend state
Besides the settings listed above, there are also interesting enhancements to the group policy settings that existed in Windows 2000. For example, it is possible to specify that user-assigned software is installed fully at logon (instead of beeing only advertised). This resolves the problem common with portable computers, where a software program is advertised at logon but the user does not launch it until the computer is disconnected from the network (this is done by checking the “Install this application at logon” checkbox on Deployment tab of the user-assigned Software Program Properties). You can also provide an URL for support for each software installation. This URL will appear in the Add or Remove Programs applet in the control panel – which might help reduce software deployment related support calls.
In the next article in this series I will cover other enhancements to Windows 2003 Group Policies, such as WMI Filtering, Resultant Set of Policies and the Group Policy Management Tool.