Group Policy
The root node of the Group Policy
<Group Policy object name> [<server name>] Policy
For example:
Default Domain Policy [MSMSRV01.Reskit.com] Policy
The next level of the namespace has two nodes: Computer Configuration and User Configuration. These are the parent folders that you use to configure specific desktop environments and to enforce Group Policy on groups of computers and users, respectively, on the network.
Computer configuration includes all computer-related policy settings that specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. Computer-related Group Policy is applied when the operating system initializes and during the periodic refresh cycle, explained later in this document. In general, computer policy takes precedence over conflicting user policy. Figure 22.1 shows the Group Policy Snap-in Console Computer Configuration.
Figure 22.1 The Group Policy Snap-in Console Computer Configuration
User configuration includes all user-related policy settings that specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts. User-related Group Policy is applied when users log on to the computer and during the periodic refresh cycle. Figure 22.2 shows the Group Policy Snap-in Console User Configuration.
Figure 22.2 The Group Policy Snap-in Console User Configuration
In certain strictly managed computing environments, it is useful to mandate a specific desktop configuration regardless of which user logs on to the computer. Schools, libraries, public kiosks, some laboratories, and reception areas are candidates for policy of this sort. You implement this by appending (or, more severely, replacing) the User Configuration settings for the user account with the User Configuration settings for the computer account. This process is called loopback and it is explained in "Group Policy Loopback Support" later in this chapter.
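The three outcomes described above (normal processing, loopback in append mode, and loopback in replace mode) are easy to confuse, so here is an added worked example that is not part of the Resource Kit text. It models how the User Configuration settings for a user account and for a computer account combine; the setting names, the kiosk scenario, and the rule that a later GPO in each list wins on conflict are constructed assumptions of this model, not the product's own precedence rules.

```python
# Added example, not from the Windows 2000 Resource Kit: a small model of how
# User Configuration settings are resolved without loopback, with loopback in
# merge ("append") mode, and with loopback in replace mode.
from typing import Dict, List

Settings = Dict[str, str]

LOOPBACK_MODES = ("none", "merge", "replace")


def resolve_user_settings(user_gpos: List[Settings],
                          computer_gpos: List[Settings],
                          mode: str = "none") -> Settings:
    """Return the resultant User Configuration settings.

    user_gpos:     User Configuration parts of the GPOs that apply to the
                   user account, lowest precedence first.
    computer_gpos: User Configuration parts of the GPOs that apply to the
                   computer account, lowest precedence first.
    mode:          "none"    - normal processing, only user_gpos count
                   "merge"   - user_gpos first, then computer_gpos appended,
                               so the computer's settings win on conflict
                   "replace" - only computer_gpos count

    Modelling assumption: a later GPO in each list overrides an earlier one
    on conflicting settings; the full precedence rules are not modelled.
    """
    if mode not in LOOPBACK_MODES:
        raise ValueError(f"unknown loopback mode: {mode!r}")
    result: Settings = {}
    if mode in ("none", "merge"):
        for gpo in user_gpos:
            result.update(gpo)
    if mode in ("merge", "replace"):
        for gpo in computer_gpos:
            result.update(gpo)
    return result


def kiosk_demo(mode: str) -> Settings:
    """Constructed data: a roaming user's own settings versus the settings a
    public kiosk computer mandates for anyone who logs on to it."""
    user_gpos = [
        {"Wallpaper": "corp.bmp", "RunMenu": "enabled"},
    ]
    kiosk_gpos = [
        {"RunMenu": "disabled", "ScreenSaverLock": "on"},
    ]
    return resolve_user_settings(user_gpos, kiosk_gpos, mode)


if __name__ == "__main__":
    for m in LOOPBACK_MODES:
        print(m, kiosk_demo(m))
```

Running the block prints the three resultant sets: in "none" mode the user keeps the Run menu, in "merge" mode the kiosk's Run-menu lockdown overrides the user's value while the wallpaper survives, and in "replace" mode only the kiosk's settings remain.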
There are several child nodes under the Computer Configuration and User Configuration parent nodes. These include:
A Group Policy
Administrative Templates These include registry-based Group Policy, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications. There are over 450 of these settings available for you to configure, and you can add more using .adm files. To avoid undesirably persistent registry settings, any additional registry settings should be placed in \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies. For more about undesirably persistent registry settings, see "Group Policy Overview" in this chapter.
Security Settings You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.
Software Installation You use the Software Installation
Scripts You can use scripts to automate computer startup and shutdown and user logon and logoff sessions. You can use any Windows Script Host–supported language you like. Your options include Microsoft® Visual Basic® Scripting Edition (VBScript), JavaScript, Perl, and
Remote Installation Services You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers. Group Policy requires a genuine Windows 2000 client, not merely a client of Active Directory running on a previous version of Windows.
Internet Explorer Maintenance You use Internet Explorer Maintenance to administer and customize Microsoft® Internet Explorer on Windows 2000–based computers.
Folder Redirection You use Folder Redirection to redirect Windows 2000 special folders from their default user profile location to an alternate location on the network, where you can centrally manage them. Windows 2000 special folders include My Documents, Application Data, Desktop, and Start Menu.
In Windows 2000, the Administrative Templates node of the Group Policy
Figure 22.3 Administrative Template Group Policy Settings
Note
The Windows NT 4.0 System Policy Editor uses files called administrative templates (.adm files) to determine which registry settings you can modify by presenting a namespace for those settings in the System Policy Editor. Windows 2000 .adm files have new features, such as Explain text. The Windows 2000 Resource Kit CD-ROM includes a searchable reference file, GP.chm, with details about the administrative templates settings included with Windows 2000 Server.
The Administrative Templates nodes of the Group Policy
The .adm file is a Unicode text file that specifies a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy
Note
See the Explain tab of each Group Policy setting's Properties page for more details on the policy settings within the .adm file.
The Administrative Templates nodes of the Group Policy
Windows NT 4.0 registry settings remain in effect until they are explicitly reversed. Windows 2000 registry settings, by contrast, are removed and rewritten each time policy changes. Be aware of this possibly undesirable behavior if you consider using Windows NT 4.0–type registry settings on Windows 2000–based computers.
For more information, see "Using Windows NT 4.0 Administrative Templates in the Windows 2000 Group Policy Console" later in this chapter.
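The advice under Administrative Templates (put added settings under \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies) and the warning just above about Windows NT 4.0-style settings describe the same failure mode from two sides. The following added example, which is not from the Resource Kit, models one refresh cycle to show it: values under the two policy keys are removed and rewritten from the GPOs in scope, while a value written anywhere else persists after its GPO is unlinked. The hive prefixes it strips, the Reskit key names, and the sample settings are constructed for the model.

```python
# Added example, not from the Windows 2000 Resource Kit: a model of how
# registry-based policy is cleaned up on refresh, plus a static check that
# flags settings a GPO would leave behind ("persistent" settings).
from typing import Dict, Iterable, List, Tuple

# The two locations the chapter names for registry-based policy.
POLICY_KEYS = (
    r"Software\Policies",
    r"Software\Microsoft\Windows\CurrentVersion\Policies",
)

# Hive prefixes accepted by this model (assumption: paths may start with one).
HIVE_PREFIXES = ("hkey_local_machine\\", "hkey_current_user\\", "hklm\\", "hkcu\\")

Registry = Dict[str, object]


def _relative(path: str) -> str:
    """Lower-case the path and drop a leading hive name, if present."""
    p = path.strip("\\").lower()
    for hive in HIVE_PREFIXES:
        if p.startswith(hive):
            return p[len(hive):]
    return p


def is_policy_key(path: str) -> bool:
    """True if the value lives under one of the policy-managed keys."""
    p = _relative(path)
    return any(p == k.lower() or p.startswith(k.lower() + "\\") for k in POLICY_KEYS)


def refresh(registry: Registry, in_scope_gpos: Iterable[Registry]) -> Registry:
    """Model one refresh cycle: values under the policy keys are removed and
    rewritten from the GPOs currently in scope; values anywhere else are left
    alone, so a value a GPO once wrote there persists after the GPO is gone."""
    state = {p: v for p, v in registry.items() if not is_policy_key(p)}
    for gpo in in_scope_gpos:
        state.update(gpo)
    return state


def persistent_settings(gpo: Registry) -> List[str]:
    """Static check: which of a GPO's registry settings would survive removal
    of the GPO because they sit outside the policy keys."""
    return sorted(p for p in gpo if not is_policy_key(p))


# Constructed GPO: two settings in the right place, one NT 4.0-style setting
# outside the policy keys.
LOCKDOWN_GPO: Registry = {
    r"HKCU\Software\Policies\Reskit\DisableRun": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Reskit\Banner": "Authorized use only",
    r"HKCU\Software\Reskit\Legacy\DisableRun": 1,
}


def demo() -> Tuple[Registry, Registry]:
    """Apply the GPO, then refresh again with no GPO in scope."""
    applied = refresh({}, [LOCKDOWN_GPO])
    unlinked = refresh(applied, [])
    return applied, unlinked


if __name__ == "__main__":
    applied, unlinked = demo()
    print("after apply:  ", applied)
    print("after unlink: ", unlinked)
    print("would persist:", persistent_settings(LOCKDOWN_GPO))
```

After the second refresh the two policy-key values are gone but the Legacy value is still set, which is exactly the behaviour the note above warns about; persistent_settings() gives the same answer without simulating anything, so it can be run over a GPO's registry settings before the GPO is deployed.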
Both Remote Installation Services (RIS) and Disk Quotas use the registry. RIS has a node in the Group Policy console, but no client-side extension; that is, no .dll on the client computer. This is not surprising, because the client typically won't have an operating system. Disk Quotas is an example of a component with a client-side extension (Dskquota.dll), but no node in the Group Policy console.
Remote Installation Services (RIS) is an optional component included in the Windows 2000 Server operating system. You can use the RIS extension of Group Policy to control which screen options (such as Automatic Setup, Custom Setup, and Restart Setup) are available to users during the client installation wizard.
When a client computer enabled with Preboot Execution Environment (PXE) remote-boot technology accesses the RIS server to install the operating system, the Remote Installation Services server checks for Group Policy pertaining to remote installation options defined for the user. The Boot Information Negotiation Layer (BINL) service running on the RIS server performs this work. It impersonates the user who logs on to the RIS client-side pre-boot user interface, and evaluates the Group Policy objects to calculate the resulting policy. Based on the resulting policy, it determines which screens are sent to the pre-boot RIS client code for display to the user.
RIS policies are stored in the Sysvol folder at the following location: Policies\{<GUID of GPO>}\User\Microsoft\RemoteInstall\oscfilter.ini. For detailed information about Remote Installation Services, see "Remote OS Installation" in this book.
You can define a security configuration within a Group Policy object. A security configuration consists of settings applied to one or more security areas supported on Windows 2000 Professional or Windows 2000 Server. The specified security configuration is then applied to computers as part of Group Policy enforcement.
The Security Settings extension of the Group Policy
The security areas that can be configured for computers include:
Account Policies These are computer security settings for password policy, lockout policy, and Kerberos policy in Windows 2000 domains.
Note
These settings are set only at the domain level. If they are set at the organizational unit level, they are ignored.
Local Policies These include security settings for audit policy (for example, auditing successful or failed logon attempts), user rights assignment (for example, who has network access to the computer), and security options (for example, whether the computer can be connected to anonymously).
Event Log This controls settings such as size and retention method for the Application, Security, and System event logs. You can access these logs using Event Viewer.
Restricted Groups Allows you to control who must, and who must not, belong to security-sensitive groups, as well as which other groups a security-sensitive group must belong to. This allows administrators to enforce a membership policy regarding sensitive groups, such as Enterprise Administrators or Payroll. For example, it might be decided that only two users should be members of the Enterprise Administrators group. You can define the Enterprise Administrators group as a restricted group that contains only those two members. If a third user is added to the group (for example, to accomplish some task in an emergency situation), that user is automatically removed from the Enterprise Administrators group the next time policy is enforced. This mechanism can also be used to enforce group memberships on workstations in the domain (that is, enforcing that certain administrators from the domain are in the local Administrators groups on workstations).
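The Enterprise Administrators scenario above, as an added worked example that is not from the Resource Kit: the function below computes what the next policy refresh would change for one restricted group, which also makes it usable as a drift check between the intended and the current membership. The case-insensitive name matching, the RESKIT account names and the workstation scenario are constructed assumptions of the model.

```python
# Added example, not from the Windows 2000 Resource Kit: a model of what a
# Restricted Groups policy changes on the next refresh for one group.
from typing import Dict, Iterable, List


def _norm(names: Iterable[str]) -> Dict[str, str]:
    """Map lower-cased name -> name as written (assumption: account and group
    names are matched case-insensitively, as Windows does)."""
    return {n.lower(): n for n in names}


def reconcile_restricted_group(current_members: Iterable[str],
                               policy_members: Iterable[str],
                               current_member_of: Iterable[str] = (),
                               policy_member_of: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return the changes enforcement would make to the restricted group:
      remove - current members that the policy does not list
      add    - listed members that are currently missing
      join   - groups the restricted group must belong to but does not yet
    The "Member Of" list only adds memberships; it never removes any.
    """
    cur, pol = _norm(current_members), _norm(policy_members)
    cur_of, pol_of = _norm(current_member_of), _norm(policy_member_of)
    return {
        "remove": sorted(cur[k] for k in cur.keys() - pol.keys()),
        "add": sorted(pol[k] for k in pol.keys() - cur.keys()),
        "join": sorted(pol_of[k] for k in pol_of.keys() - cur_of.keys()),
    }


def enterprise_admins_demo() -> Dict[str, List[str]]:
    """Constructed data: only two accounts may be Enterprise Administrators;
    a third was added during an emergency."""
    return reconcile_restricted_group(
        current_members=["RESKIT\\alice", "RESKIT\\bob", "RESKIT\\carol"],
        policy_members=["RESKIT\\Alice", "RESKIT\\bob"],
    )


def workstation_admins_demo() -> Dict[str, List[str]]:
    """Constructed data: the local Administrators group on a workstation must
    hold the built-in Administrator plus two domain groups, and nothing else."""
    return reconcile_restricted_group(
        current_members=["Administrator", "localtech"],
        policy_members=["Administrator", "RESKIT\\Domain Admins",
                        "RESKIT\\Workstation Support"],
    )


def support_group_demo() -> Dict[str, List[str]]:
    """Constructed data: the Member Of side, making a domain support group a
    member of two local groups it is not yet in everywhere."""
    return reconcile_restricted_group(
        current_members=[], policy_members=[],
        current_member_of=["Power Users"],
        policy_member_of=["Administrators", "Power Users"],
    )


if __name__ == "__main__":
    print("Enterprise Admins:", enterprise_admins_demo())
    print("Workstation Administrators:", workstation_admins_demo())
    print("Workstation Support member of:", support_group_demo())
```

For the first scenario the result is a single removal (carol), matching the text: the emergency addition is undone at the next enforcement. Run periodically against the live membership, a non-empty "remove" or "add" list is also a cheap signal that someone changed a sensitive group outside the policy.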
System Services These control startup mode and access permissions for system services, such as who is allowed to stop and start the fax service.
Registry This is used to configure security settings for registry keys, including access control, audit, and ownership.
File System This is used to configure security settings for file-system objects, including access control, audit, and ownership.
Windows 2000 includes several incremental security templates. By default, these templates are stored in
These security templates are to be applied to Windows 2000–based computers that are configured with the Windows 2000 default security settings. They modify the default security settings incrementally, not cumulatively.
Note
You should not apply these incremental templates to Windows 2000 systems that have been upgraded from Windows NT 4.0.
You should only apply these incremental templates onto Windows 2000 systems that have been clean-installed onto NTFS partitions. For NTFS computers that have been upgraded from Windows NT 4.0 or earlier, a Basic security template can be applied to configure the upgraded computer with the Windows 2000 default security settings. This is described in the following section. You cannot secure Windows 2000 systems that are installed on FAT file systems.