Planning Distributed Security


Group Policy

A Group Policy object contains an extensive profile of security permissions that apply primarily to the security settings of a domain or a computer (rather than to users). A single Group Policy object can be applied to all of the computers in an organizational unit. Group Policy is applied when the individual computer starts up and is refreshed periodically afterward, so changes take effect without a restart.

How Group Policy Works

Group Policy objects are associated with domains and organizational units (folders) in the Active Directory Users and Computers snap-in to MMC. The permissions granted by the Group Policy are applied to the computers stored in that folder. Group Policy can also be applied to sites using the Active Directory Sites and Services snap-in.

Group Policy settings are inherited from parent folders to child folders, which might in turn have their own Group Policy objects. A single folder could have more than one Group Policy object assigned to it. For more information on Group Policy precedence and how conflicts are resolved among multiple policy objects, see Windows 2000 Help.

Group Policy is the complementary component to security groups. Group Policy lets you apply a single security profile to multiple computers. It enforces consistency and provides easy administration.

Group Policy objects contain permissions and parameters that implement multiple types of security strategies.

Prerequisites for Implementing Group Policy

Group Policy is a feature of the Windows 2000 Active Directory. Active Directory must be installed on a server before you can edit and apply Group Policy objects.

How to Implement Group Policy

To view a sample organizational unit and its associated Group Policy, open the Active Directory Users and Computers MMC snap-in and right-click the Domain Controllers OU. Open the property sheet and click the Group Policy tab. Select the Default Domain Controllers Policy and click Edit. This opens the Group Policy snap-in to MMC. In this module, navigate to the Security Settings container:

Group Policy object
 — Computer Configuration
 — Windows Settings
  — Security Settings

Under Security Settings there are nine subdirectories of security policy settings. These nine groups are briefly described later in this chapter.

Implementing Group Policy consists of creating a new Group Policy object (or modifying an existing one), enabling appropriate settings within the object, and then linking the Group Policy object to an organizational unit that contains computers in the domain.

Considerations About Group Policy

Create organizational units to contain computers with similar roles in the enterprise. Use one organizational unit for your domain controllers. Create another one for application servers. Another organizational unit could contain all your client computers. Apply a single Group Policy object to each of these groups to implement consistent security settings.

It is recommended that you minimize the number of Group Policy objects that apply to users and computers, for two reasons. First, each computer and user Group Policy object must be downloaded to a computer during startup and to user profiles at user logon time, so multiple Group Policy objects increase computer startup and user logon time. Second, applying multiple Group Policy objects can create policy conflicts that are difficult to troubleshoot.

In general, Group Policy is passed down from parent to child sites, domains, and organizational units. If you have assigned a specific Group Policy to a high-level parent, that Group Policy applies to all organizational units beneath the parent, including the user and computer objects in each container. For more information on inheritance of Group Policy settings, see "Defining Client Administration and Configuration Standards" in this book.
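The following script is an added example, not part of the Resource Kit text, that carries out the procedure from "How to Implement Group Policy" (create an organizational unit for one computer role, create a Group Policy object, link it to the organizational unit) and then lists every Group Policy object that reaches that organizational unit through inheritance. It assumes the GroupPolicy and ActiveDirectory PowerShell modules of Windows Server 2008 R2 or later, which did not exist on Windows 2000, and uses placeholder names for the organizational unit and the Group Policy object.

```powershell
# Added example: GroupPolicy / ActiveDirectory modules (Server 2008 R2+), not Windows 2000 tooling.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName              # e.g. DC=corp,DC=example,DC=com
$ouName   = 'Application Servers'                         # assumed OU name for one computer role
$gpoName  = 'Application Servers Security Policy'         # assumed GPO name

# 1. One organizational unit per computer role, as the considerations above recommend.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}

# 2. Create the Group Policy object, or reuse one that already exists with that name.
#    Its Security Settings (the nine groups under Computer Configuration\Windows Settings)
#    are still edited in the Group Policy snap-in or imported from a security template;
#    this script only creates and links the object.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline security settings for application servers'
}

# 3. Link the GPO to the OU so it applies to the computers stored there (skip if linked).
$som = Get-GPInheritance -Target $ou.DistinguishedName
if (-not ($som.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
    $som = Get-GPInheritance -Target $ou.DistinguishedName
}

# 4. Inheritance check: InheritedGpoLinks lists every GPO that reaches this OU, including
#    those linked at the domain (and site) level above it, in precedence order. Order 1 is
#    the GPO linked closest to the OU; for a conflicting setting it wins over a parent's
#    GPO unless that parent link is marked Enforced. A long list here is the startup-time
#    and troubleshooting cost the recommendation above warns about.
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

"{0} Group Policy object(s) apply to computers in '{1}'" -f $som.InheritedGpoLinks.Count, $ouName
```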

Security templates (described later in this chapter) could be useful to you as models of security settings appropriate to different types of Group Policy.

Your network security deployment plan needs to describe significant policy choices for each policy category and subcategory. You can include the following information in your security plan:

© 1985-2000 Microsoft Corporation. All rights reserved.