Defining Client Administration and Configuration Standards


Comparing Stand-Alone and Active Directory-Based Management Features

Table 23.4 summarizes the management features that are available by using Windows 2000 Professional with Active Directory versus Windows 2000 Professional without Active Directory.

Table 23.4 Comparison of Windows 2000 Professional and Active Directory–Based Management Features

Management Feature                                          Windows 2000   Windows 2000 Professional with
                                                            Professional   Windows 2000 Server, Active
                                                                           Directory, and Group Policy
---------------------------------------------------------------------------------------------------------
Administrative Templates (registry-based settings)          X              X
Security Settings                                           X              X
Software Installation and Maintenance (Assign and Publish)  --             X
Remote Installation                                         --             X
Unattended Install                                          X              X
Sysprep                                                     X              X
Scripts                                                     X              X
Folder Redirection                                          --             X
Internet Explorer Maintenance                               X              X
User Profiles                                               X              X
Roaming User Profiles                                       --             X

All of the Group Policy snap-ins that can be used on a local computer can also be used when Group Policy is focused on an Active Directory container.

However, the following activities require Windows 2000 Server, an Active Directory infrastructure, and a client running Windows 2000:

For more information about change and configuration options, see "Applying Change and Configuration Management" in this book.

If you use local Group Policy initially and then make the computer a member of a domain with Active Directory and Group Policy implemented, local Group Policy is processed first, and the domain-based Group Policy is processed next. If there is a conflict between the domain and local Group Policy, the domain policy prevails. However, if a computer subsequently leaves the domain, the local Group Policy is reapplied.

Critical Decision: If you upgrade clients to Windows 2000 Professional before you upgrade to Windows 2000 Server, and you expect to transition to a managed Active Directory environment later, you must plan your Group Policy strategy carefully so that users cannot alter their computers before more stringent controls are in place. For example, if you deploy Windows 2000 Professional in an unmanaged environment and later want to move these computers into a managed Active Directory domain, you might need to reinstall the operating system and applications to ensure that unauthorized changes have not been made to the system configuration.

Using Group Policy on Stand-alone Computers

Although it is not recommended, there might be instances when you need to deploy Group Policy on stand-alone computers.

On a stand-alone computer running Windows 2000 Professional, the local Group Policy object is located at %SystemRoot%\System32\GroupPolicy. You can use the following when the Group Policy snap-in is focused on a local computer:

The following are examples of business rules that you might enforce through local Group Policy:

To manage Group Policy on local computers, you need administrative rights to those computers. You can open the Group Policy snap-in, focused on the local computer, by using the following procedure:

To access Group Policy snap-ins

  1. From the Start menu, click Run, type MMC, and then click OK.
  2. In the Console menu of the MMC window, click Add/Remove Snap-in.
  3. On the Stand-alone tab, click Add.
  4. In the Add Snap-in dialog box, click Group Policy, and then click Add.
  5. When the Select Group Policy Object dialog box appears, click Local Computer to edit the local Group Policy object.
  6. Click Finish.
  7. Click Close.
  8. Click OK. The Group Policy snap-in opens with its focus on the local Group Policy object.

You can also use this procedure to open the Group Policy snap-in on a remote computer: at step 5, click Browse, and then choose the computer you want.


Note

Local Group Policy does not allow you to do security filtering or to have multiple sets of Group Policy objects (as Active Directory–based Group Policy objects do). You can, however, set Discretionary Access Control Lists (DACLs) on the folder %SystemRoot%\System32\GroupPolicy so that specified groups either will or will not be affected by the settings contained within the local Group Policy object. This option is useful if you need to control and administer computers that are not connected to a LAN, such as those in kiosk environments. Unlike Group Policy administered from Active Directory, this uses only the Read attribute, which makes it possible for the local Group Policy object to affect ordinary users but not local administrators. The local administrator first sets the policy settings they want, then sets the DACLs on the local Group Policy object directory so that administrators as a group no longer have Read access. To make subsequent changes to the local Group Policy object, the administrator first needs to take ownership of the directory to regain Read access, make the changes, and then remove Read access again.
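The following script is an added example and is not from the Resource Kit or from Microsoft. It covers the two things an administrator wants around the DACL technique in the note: listing which principals can read the local Group Policy folder, and removing the Administrators group's access to it in the way the note describes. It assumes a Windows version that has Windows PowerShell and the .NET file-system access-control classes (Windows 2000 itself shipped neither; there the same edit is made with cacls.exe or the folder's Security tab). The function names, the $LocalGpoFolder variable and the BUILTIN\Administrators group name are this example's own choices, not anything the page specifies.

```powershell
# Added example, not from the Windows 2000 Resource Kit. Assumes a Windows version with
# Windows PowerShell (Windows 2000 had none; there the same edit is made with cacls.exe
# or the folder's Security tab). Run from an elevated prompt on the stand-alone computer.

# The folder named in the note above; %SystemRoot% resolves at run time.
$LocalGpoFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Get-LocalGpoReadAccess {
    # Lists every ACE on the local GPO folder and whether it grants ReadData, so an
    # administrator can verify which groups the local policy will (and will not) reach.
    param([string]$Path = $LocalGpoFolder)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $readBit    = [System.Security.AccessControl.FileSystemRights]::ReadData
        $grantsRead = ($ace.FileSystemRights -band $readBit) -ne 0
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType     # Allow or Deny
            GrantsRead = $grantsRead
            Inherited  = $ace.IsInherited          # inherited from System32?
        }
    }
}

function Remove-LocalGpoAdministratorRead {
    # Applies the note's technique: after the administrator has finished editing the
    # local policy, remove the Administrators group's access to the folder so that the
    # local GPO is applied to ordinary users but not to administrators.
    param(
        [string]$Path  = $LocalGpoFolder,
        [string]$Group = 'BUILTIN\Administrators'   # assumed group name; adjust if needed
    )

    # Pass 1: the folder's ACEs are normally inherited from System32, and inherited ACEs
    # cannot be removed one by one. Stop inheritance, keeping copies as explicit ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: re-read the now-explicit DACL and drop every Allow ACE for the group.
    # RemoveAccessRuleAll matches on identity and Allow/Deny only, not on the rights listed.
    $acl = Get-Acl -Path $Path
    $match = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.RemoveAccessRuleAll($match)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: inspect first, then apply, then confirm that no Administrators ACE grants Read.
# Get-LocalGpoReadAccess | Format-Table -AutoSize
# Remove-LocalGpoAdministratorRead
# Get-LocalGpoReadAccess | Where-Object { $_.Identity -eq 'BUILTIN\Administrators' -and $_.GrantsRead }
```

Two points follow from the note rather than from the script. First, the two-pass shape is deliberate: a single Get-Acl/RemoveAccessRuleAll/Set-Acl sequence silently leaves inherited ACEs in place, so the inheritance break is committed before the removal. Second, once Administrators no longer have Read, the final confirmation call may itself be refused with access denied; that is the intended end state the note describes, and undoing it follows the note's own sequence of taking ownership of the directory, restoring Read, editing, and removing Read again.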

© 1985-2000 Microsoft Corporation. All rights reserved.