Group Policy
Group Policy allows you to stipulate users' environments only once, and to rely on the operating system to enforce them thereafter.
Group Policy objects are not profiles. A profile is a user environment setting that a user can change, such as desktop settings, registry settings in NTUser.dat files, the profiles directory, My Documents, or Favorites. You, as the administrator, manage and maintain Group Policy, an MMC-hosted administrative tool used to set policy on groups of users and computers.
By default, Group Policy is inherited from site, to domain, and finally to the organizational unit level. The order and level in which you apply Group Policy objects (by linking them to their targets) determine the Group Policy settings that a user or computer actually receives. Furthermore, policy can be blocked at the Active Directory site, domain, or organizational unit level, or policy can be enforced on a per-Group Policy object basis. Enforcement is done by linking the Group Policy object to its target and then setting the link to No Override.
By default, Group Policy affects all computers and users in the site, domain, or organizational unit, and does not affect any other objects in that site, domain, or organizational unit.
Note
In particular, Group Policy does not affect security groups.
Instead, you use security groups to filter Group Policy; that is, to alter its scope. This is done by adjusting the Apply Group Policy and the Read permissions on the Group Policy object for the relevant security groups, as explained later in this chapter.
Note
The location of a security group in Active Directory is irrelevant to Group Policy.
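The inheritance, blocking, No Override, and security-group filtering rules described above can be traced with a small model. This is an added example, not Microsoft code and not part of the original chapter; the GPO names, setting names, groups, and the `resultant_policy` function are constructed for illustration, and links inside one container are assumed to be listed in processing order.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                    # GPO name (constructed)
    settings: dict              # setting name -> value (constructed names)
    no_override: bool = False   # the link's No Override option
    # Security groups holding both Read and Apply Group Policy on the GPO.
    apply_groups: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Container:                # a site, domain, or organizational unit
    name: str
    links: list = field(default_factory=list)   # in processing order
    block_inheritance: bool = False

def resultant_policy(path, member_of):
    """Return {setting: (value, supplying GPO)} for path = [site, domain, OU...]."""
    # A block at a container drops links from every level above it,
    # except links set to No Override.
    blockers = [i for i, c in enumerate(path) if c.block_inheritance]
    first_unblocked = max(blockers, default=0)
    result, locked = {}, set()
    for depth, container in enumerate(path):
        for link in container.links:
            if depth < first_unblocked and not link.no_override:
                continue        # stopped by a block lower in the path
            if not (link.apply_groups & member_of):
                continue        # security filtering: GPO not applied to this account
            for key, value in link.settings.items():
                if key in locked:
                    continue    # already fixed by a No Override link higher up
                result[key] = (value, link.gpo)   # later (lower) levels win
                if link.no_override:
                    locked.add(key)
    return result

# Constructed sample hierarchy.
SITE = Container("Site-HQ", [Link("Site-Proxy", {"ProxyServer": "proxy.example.test"})])
DOMAIN = Container("example.test", [
    Link("Domain-Baseline", {"ScreenSaverTimeout": 900}),
    Link("Domain-Lockdown", {"DisableRegistryTools": 1}, no_override=True)])
LAB_OU = Container("Lab", [
    Link("Lab-Relaxed", {"ScreenSaverTimeout": 3600, "DisableRegistryTools": 0}),
    Link("Lab-Admins", {"HideControlPanel": 0}, apply_groups=frozenset({"Lab Admins"}))])

if __name__ == "__main__":
    for blocked in (False, True):
        LAB_OU.block_inheritance = blocked
        print(blocked, resultant_policy([SITE, DOMAIN, LAB_OU], {"Authenticated Users"}))
```

In both runs the domain's No Override link keeps `DisableRegistryTools` at 1, which is why a lockdown setting that must survive a blocking organizational unit is linked with No Override rather than left to default inheritance.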
Microsoft® Windows NT® 4.0 introduced the System Policy Editor (Poledit.exe), a tool that you use to specify user and computer configurations that it stores in the Windows NT registry. Using the System Policy Editor, you control the user work environment and enforce system configuration settings for all domain computers running Windows NT Workstation 4.0 or Windows NT Server 4.0. System Policy settings are registry settings that define the behavior of various components of the desktop environment.
In Windows 2000, you can create a specific desktop configuration for a particular group of users and computers by using the Group Policy
The System Policy settings you specify with the System Policy Editor (Poledit.exe):
Note
Windows NT 4.0 registry settings can be problematic when a user's security group membership changes. You might need to manually update or remove the registry settings.
The Group Policy
The policy settings you specify using Group Policy represent the primary method for enabling centralized change and configuration management in Windows 2000.
Group Policy settings:
Note
Windows NT 4.0 System Policy settings in the registry sometimes persisted past their useful life because these settings remained in effect until they were explicitly changed. Windows 2000 Group Policy settings do not persist past their useful life because Windows writes them to the following secure registry locations, and removes them when a Group Policy object no longer applies. The registry locations are \Software\Policies and \Software\Microsoft\Windows\CurrentVersion\Policies.
For a detailed comparison of Windows NT 4.0 System Policy and Windows 2000 Group Policy, see "Applying Change and Configuration Management" in the Microsoft® Windows® 2000 Server Resource Kit Deployment Planning Guide.