by Michael Day
implementation is a very important part of the Windows 2000 Active
Directory. True, a Windows 2000 Domain can exist and run
fairly smoothly without ever needing to look at applying Group
Policies but they are available to make your life easier as a
Network Administrator. This article will start to explain the
structures of Group Policies and will be followed by a subsequent
article providing examples of some group policies.
Group Policy implementation is a very important part of the Windows 2000 Active Directory.
Note: Group Policies only
apply to Windows 2000 Computers. If you have Windows 9x or NT
you need to use the System Policy Editor, which I will discuss in a
Using Group Policies you can
restrict user access to files and programs they shouldn’t need to
access like most of the control panel (IE. the System Applet).
You can also use them to distribute software and updates to all the
users or computers that need to use them, which will lessen the
amount of time you spend going to the individual desks. Also
provided is the ability to configure Microsoft Internet Explorer
settings like the default home page (which can be locked to
standardize the browsers), custom toolbar images, default favorites
(like suppliers websites), and many others.
Group Policy Inheritance
Group Policies are applied in the
following order, the last one applied can overwrite policies
from any level above.
The Default Order
Local System Policies (created on the
Organizational Unit (OU)
Second OU, and so on down to the OU
the Computer or User is in.
Note upper level policies (Domain, First OU) can
be blocked by lower level policies so that they won’t get applied to
some OU’s. I am using policy blocking to prevent the default
user policy to apply to members of the IS Department who need to be
able to run all applications for diagnosing problems.
The more Group Policies that apply to a computer
or user though the slower the bootup or logon will be.
Microsoft recommends setting the domain policy to only those items
that will be applied to everyone and creating OU policies for items
that vary by departments or offices.
Group Policies are separated into
two main areas, Computer and User.
The Computer policies are
applied when the machine boots up and a specified intervals during
operation. One part of the Computer policy is the startup and
shutdown scripts which will run a normal script file whenever the
computer is started or shutdown. This could be used to map
network drives before the user signs on if there is a common set of
The User policies are applied
when the user logs on and again at specified intervals during
operations. Also the User policy allows you to define logon
and logoff scripts which could be used to replace or augment the
user based scripts that have been available since Windows NT.
The default interval for policy refreshing is 90
minutes give or take 30 minutes (60-120 minutes) but that is
configurable within the policies themselves.
Important exceptions to standard
Here are some Important exceptions to the normal
order of group policies.
First, certain policies can only be applied at
the domain level yet are available to select at all levels.
These are Account Policies/Password Policy and Account
Policies/Account Lockout Policy. This means that you can’t
have special Account Policies for different Departments.
Second, higher level policies can be set with No
Override which will force that policy to be applied regardless of
what the lower level policies say.
Third, by default policies are applied to all
users in the OU that they exist in but you can modify the security
settings to just apply to specific users or groups. How to do
this is explained in the article How to
apply Group Policies to Groups instead of OU’s.
How to create a new Policy
Creating a new group policy is a vary simple and
straightforward process. First you need to have a Windows 2000
Domain Controller, this will not work in a Windows NT domain.
Second you need to have Read and Write access to the Sysvol Share
and Modify Access to the Active Directory Container Object.
Assuming you have filled those requirements, you
need to start Active Directory Users and Computers. Then right
click on the Domain or OU you want to create the policy for, select
the Group Policy Tab and click on create (to create a brand new
policy) or click on the existing policy and click on edit to modify
it. If you are creating a brand new policy you need to give it
a meaningful name. My policy for the Terminal Services in
Edmonton is call EdmTermServer, Calgary’s is called
You have the option to only use the User part of
the policy, the Computer part of the policy or both parts of the
policy. If you are only going to edit one section you will
find some performance improvement by removing the unused portion
(User or Computer)
All that is left to do is define what areas of
the policy are applied and what parts are ignored.
What happens when a policy is
Unlike the System Policies in Windows NT or
Windows 9x, if you decide that a part of your group policy is no
longer desired all you need to do is go in and unselect that portion
and it will no longer be applied. In the System Policies you
needed to set it to the exact opposite of what is was to remove