The concept behind Group Policies is that administrators configure settings once, and then those settings apply continuously to the users. Furthermore, Group Policy can be applied to computers, so you can control the settings no matter who logs on. The way Group Policies work is to alter settings in the registry.
The old saying "Prevention is better than cure" certainly applies to Group Policies. A good Group Policy will give greater productivity for the users, and save you time on routine administration. Think of all the damage and time wasting caused by users experimenting with Control Panel settings. I once saw a user set the screen refresh rate faster than the monitor hardware could cope with; his screen literally went up in smoke! If only the administrator had set a group policy, they could have disabled the Display tab and thus prevented an expensive mistake.
One neglected aspect of group policy is that you can be pro-active and configure settings to be kind to the users; in this case you could create a policy that sets the refresh rate at 80 rather than the flickery default value of 60.
Just wading through the hundreds of policies is a Herculean task. My suggestion is to commission two opposite approaches. Get a 'techie' who understands Windows 2003 to go through the policy and select those settings that he thinks appropriate. Then ask a manager to produce a vision or wish list of what the desktop should look like. Finally, bring the two disparate mind sets together and weld them into your Group Policy.
Navigate to Active Directory Users and Computers. Right-click the Domain object, then Properties, then the Group Policy tab; now click the Edit button and you will see the policy settings. A less risky method of easing your way into Group Policies would be to create a test OU and then make a brand new policy.
Firstly, the GPMC is designed for Windows Server 2003 and later rather than Windows 2000. Either execute GPMC.msi from the \program files\ folder or download the GPMC add-on from Microsoft's site. It is well worth the effort of installing it to gain the extra settings for managing your Group Policies.
The Group Policy Management Console (GPMC) unifies Group Policy management across your Active Directory forest. Before GPMC, administrators needed many tools in order to manage Group Policy: Active Directory Users and Computers, the Delegation Wizard, and the ACL Editor. Not only does the GPMC integrate the existing Group Policy tools, but it also brings these exciting new capabilities:
A user interface that makes it easier to use and manage Group Policy.
New WMI filtering means that you can apply policies to particular machines, or only if there is enough disk space.
Backup, restore, import, and copy Group Policy Objects (GPOs).
Simplified management of Group Policy-related security.
Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
Programmatic access to the above GPO operations. Note that it is not possible to programmatically set individual policy settings within a GPO.
Microsoft provides a snap-in called RSoP for showing a given combination of policy settings. I find that if you install the GPMC, then you do not really need this RSoP. However, if you do need it, the RSoP is intuitive to use and comes in two modes:
Logging mode. In logging mode, the RSoP snap-in tracks the policies that you apply. In this mode, the tool shows the actual policies for a given user or computer.
Planning mode. In planning mode, the snap-in indicates the set of policies that would be applied if you deployed the policy. You can perform what-if analyses on the user and computer, the domain, and the organizational unit.
I am so pleased that Windows 2000's Secedit is now obsolete; the syntax was horrendous. Gpupdate completely replaces Secedit on Server 2003 and XP. Mostly I just use Gpupdate as a simple command on its own; occasionally I tweak it with the following switches:
/target:computer or /target:user applies only the computer or user section of your policy. Normally I would use plain Gpupdate without the optional target switch.
/logoff Useful for settings that do not apply until the user logs on again.
/boot Handy for configuration which needs the computer to restart.
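As an added example (my own code, not part of the original article), here is a PowerShell wrapper around the Gpupdate switches above, followed by a function that reads back the registry keys Group Policy writes to, so you can see that the refresh actually landed rather than trusting the "completed successfully" message. It assumes a domain-joined machine with PowerShell 3.0 or later, an elevated prompt, and gpupdate.exe and gpresult.exe on the path; the function and parameter names are mine.

```powershell
function Invoke-PolicyRefresh {
    [CmdletBinding()]
    param(
        # Refresh only the computer half, only the user half, or both (default).
        [ValidateSet('Computer', 'User', 'Both')]
        [string]$Target = 'Both',
        # Reapply every setting, not only those changed since the last refresh.
        [switch]$Force,
        # Log the user off afterwards: for settings that need a fresh logon.
        [switch]$Logoff,
        # Restart afterwards: for settings that need a reboot.
        [switch]$Boot
    )

    $gpArgs = @()
    if ($Target -ne 'Both') { $gpArgs += "/target:$($Target.ToLower())" }
    if ($Force)  { $gpArgs += '/force' }
    if ($Logoff) { $gpArgs += '/logoff' }
    if ($Boot)   { $gpArgs += '/boot' }

    Write-Verbose "Running: gpupdate.exe $($gpArgs -join ' ')"
    $output = & gpupdate.exe @gpArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "gpupdate failed (exit code $LASTEXITCODE): $($output -join ' ')"
    }
    $output
}

function Get-PolicyRegistryValues {
    [CmdletBinding()]
    param(
        [ValidateSet('Computer', 'User', 'Both')]
        [string]$Target = 'Both'
    )
    # Group Policy writes "true" policies under these keys. This is the
    # mechanism the article refers to: policy is registry settings that
    # applications honour in preference to the user's own settings.
    $roots = @()
    if ($Target -in 'Computer', 'Both') { $roots += 'HKLM:\SOFTWARE\Policies' }
    if ($Target -in 'User', 'Both')     { $roots += 'HKCU:\Software\Policies' }

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($valueName in $key.GetValueNames()) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = $valueName
                        Data  = $key.GetValue($valueName)
                    }
                }
            }
    }
}

# Usage: refresh only computer settings, then show what policy has written.
Invoke-PolicyRefresh -Target Computer -Force -Verbose
Get-PolicyRegistryValues -Target Computer | Format-Table -AutoSize

# RSoP "logging mode" from the command line: which GPOs actually applied,
# and which were filtered out (gpresult.exe, Windows Vista or later syntax).
gpresult.exe /r /scope:computer
```

Run the registry function before and after a refresh and diff the two outputs when a setting seems not to have taken; if the value is under the Policies key but the application still misbehaves, the problem is the application, not Group Policy.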
I think of Block Inheritance as the 'anarchist's setting'. This is because OUs further down the chain can prevent settings at the domain from taking effect. The knack of using Block Inheritance is to select the OU container and not the individual policy.
Enforce Policy (No-override)
I think of Enforce Policy as 'Big Brother fights back': this setting prevents any 'anarchists' from changing a setting further down the OU chain. The trick to enforcing is to right-click the individual policy, not the OU.
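The two settings above live on different objects, which is as easy to get wrong from the command line as in the GUI. This added PowerShell example (mine, not the article's) blocks inheritance on an OU, enforces a GPO link at the domain, and then reads back the precedence that GPMC shows on the Group Policy Inheritance tab. It assumes the GroupPolicy module that ships with RSAT or with Windows Server 2008 R2 and later; the OU, domain and GPO names are placeholders.

```powershell
Import-Module GroupPolicy

function Set-OuPolicyPrecedence {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Distinguished name of the OU that should block inherited policy.
        [Parameter(Mandatory)][string]$OuDn,
        # Distinguished name of the container where the GPO is linked
        # (the domain itself, or an OU above $OuDn).
        [Parameter(Mandatory)][string]$ParentDn,
        # Display name of the GPO whose link must win despite the block.
        [Parameter(Mandatory)][string]$EnforcedGpoName
    )

    # Block Inheritance belongs to the container: the target is the OU.
    if ($PSCmdlet.ShouldProcess($OuDn, 'Block inheritance')) {
        Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null
    }

    # Enforce belongs to one link: the target is the GPO name plus the
    # container it is linked at, not the OU doing the blocking.
    if ($PSCmdlet.ShouldProcess("$EnforcedGpoName at $ParentDn", 'Enforce link')) {
        Set-GPLink -Name $EnforcedGpoName -Target $ParentDn -Enforced Yes | Out-Null
    }
}

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$OuDn)

    $inheritance = Get-GPInheritance -Target $OuDn
    $rank = 0
    # InheritedGpoLinks is the list GPMC shows on the Group Policy Inheritance
    # tab, in order of precedence: enforced links from above come first, so
    # they still reach a blocked OU while ordinary inherited links do not.
    foreach ($link in $inheritance.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence   = $rank
            Gpo          = $link.DisplayName
            LinkedAt     = $link.Target
            Enforced     = $link.Enforced
            OuIsBlocking = $inheritance.GpoInheritanceBlocked
        }
    }
}

# Usage (placeholder names): block the Sales OU, enforce the domain baseline.
Set-OuPolicyPrecedence -OuDn 'OU=Sales,DC=example,DC=com' `
    -ParentDn 'DC=example,DC=com' -EnforcedGpoName 'Domain Baseline' -Verbose
Get-EffectiveGpoOrder -OuDn 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Because the first function supports ShouldProcess, adding -WhatIf previews both changes without touching the directory; run the second function afterwards and confirm the enforced GPO sits at precedence 1 on the blocked OU.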
Changing the security permissions on policies is one of the best kept secrets of Group Policies. Microsoft call it 'filtering' the policy so it only applies to certain users. The default setting gives 'Authenticated Users' the Apply Group Policy permission. A question: is the Administrator an 'Authenticated User'? Of course he is. This is how enthusiastic policy setters lock themselves out, by applying severe policies at the Domain level and forgetting that they are an 'Authenticated User'. The secret is to remove 'Authenticated Users' and add the groups you actually want the policy to affect.
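Here is that filtering change as an added PowerShell example (my own code, not the article's), with the safety checks I would want before letting anyone run it: the intended group gets Apply before Authenticated Users loses it, the administrators' group is refused as a target, and an audit function reports who the GPO now applies to. It assumes the GroupPolicy module (RSAT, or Windows Server 2008 R2 and later) and a GPO you are allowed to edit; GPO and group names are placeholders. One caveat the 2003-era advice predates: since Microsoft's MS16-072 update (2016) user policy is retrieved in the computer's security context, so Authenticated Users must keep Read on the GPO even though it loses Apply, otherwise the policy silently stops applying to everyone.

```powershell
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Group(s) that should actually receive the policy.
        [Parameter(Mandatory)][string[]]$ApplyToGroup,
        # Group that must never end up with Apply on this GPO.
        [string]$ExemptGroup = 'Domain Admins'
    )

    if ($ApplyToGroup -contains $ExemptGroup) {
        throw "Refusing to apply '$GpoName' to '$ExemptGroup'."
    }

    # 1. Grant Apply to the intended groups first, so the GPO is never left
    #    with nobody able to apply it between the two steps.
    foreach ($group in $ApplyToGroup) {
        if ($PSCmdlet.ShouldProcess($GpoName, "Grant Apply to '$group'")) {
            Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
                -PermissionLevel GpoApply | Out-Null
        }
    }

    # 2. Downgrade Authenticated Users from Apply to Read (-Replace overwrites
    #    the existing level instead of adding to it). Read stays: after
    #    MS16-072 the computer account reads user GPOs, and with no Read at
    #    all the GPO stops applying to anyone.
    if ($PSCmdlet.ShouldProcess($GpoName, 'Downgrade Authenticated Users to Read')) {
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    }
}

function Test-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$ExemptGroup = 'Domain Admins'
    )
    $authenticatedUsersSid = 'S-1-5-11'   # well-known SID, locale independent

    $apply = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    [pscustomobject]@{
        Gpo               = $GpoName
        AppliesTo         = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
        AppliesToEveryone = [bool]($apply | Where-Object { $_.Trustee.Sid.Value -eq $authenticatedUsersSid })
        ExemptGroupHit    = [bool]($apply | Where-Object { $_.Trustee.Name -eq $ExemptGroup })
        NobodyGetsIt      = (@($apply).Count -eq 0)
    }
}

# Usage (placeholder names): restrict the kiosk policy to the Kiosk Users
# group, then audit it. Add -WhatIf to the first call to preview the changes.
Set-GpoSecurityFilter -GpoName 'Kiosk Lockdown' -ApplyToGroup 'Kiosk Users' -Verbose
Test-GpoSecurityFilter -GpoName 'Kiosk Lockdown'
```

The audit function is worth running across every GPO linked at the domain level: AppliesToEveryone true on a restrictive policy is exactly the self-lockout described above, and NobodyGetsIt true is the opposite failure, a policy that was filtered so hard it applies to no one.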
What's new with delegation of permissions is that there is a new built-in global group called Group Policy Creator Owners. My own view is that I would confine configuring Group Policies to a small select group of experts and not allow delegation of Group Policies to people in OUs. My point is that usually I am all for delegation: creating users - yes; resetting passwords - an excellent use of delegation; but delegating Group Policies - no.
Guy Recommends: Solarwinds' Log & Event Management Tool
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack. Yet perhaps the killer reason why people use LEM is for its compliance capability; with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches.
If there is a business case for an application then create a Policy and deliver the package to the Start Menu. Techies like this approach because they can then apply service packs and upgrades from one central place. These policies operate from the Software Settings folder. If you want everyone who logs on to use an application, then Assign it to a computer; however, if the user needs special software wherever they log on, Assign it in the User Configuration folder.
If you want more information, my Active Directory eBook has much more information on Group Policies, including screen shots of how and where to configure policies.
Windows 8 Group Policy Drive Maps
The modern group policy method of drive mapping does not require any scripting. In Windows Server 2008 you can launch the Group Policy Management Console and configure Drive Maps by clicking with a mouse.
See more on Windows 8 Group Policy Drive Maps.
Guy Recommends: Orion's NPM - Network Performance Monitor
Orion's performance monitor is designed for detecting network outages. NPM makes it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps. It also helps troubleshooting by indicating whether the root cause is faulty equipment, or resource overload.