Administrators who want to plan their Windows 2003 Group Policy.
Experienced network managers who wish to lockdown their users' Start menu.
Network Architects who need to turn a desktop vision into reality.
Those upgrading who want an overview of Windows Group Policies.
What Are Windows 2003 Group Policies?
If you desire, Group Policies can control every aspect of a computer desktop. Whilst the plan is to control the configuration of both the user and the computer settings, the technique is to define each setting once in an Active Directory Group Policy. For example, if you need to change everyone's proxy server, then add the IP addresses to a Group Policy rather than editing Internet Explorer manually on every machine.
Group Policy Overview
It may help to remember that Group Policies manipulate registry values, so if the item that you want to control is in the registry, then it can be set by a policy. Where registry keys do not have ready-made policies, it is possible to create your own policy templates. However, designing your own templates would be a specialist job for your developers.
Some say there are 700+ built-in policies for XP, while others tell me that there are over 850. Whatever the exact total, the point is that Group Policies are here to stay, and that each new version of Windows will bring yet more settings to organize the desktop. Here are the commonest policy categories for XP / Windows Server 2003. Incidentally, Windows Server 2003 SP1 added hundreds more Group Policies, particularly to the Inetres (Internet Explorer) section.
Desktop settings: which icons appear, and which features are hidden.
Software assigned to the user: which programs are available from the Start menu.
Folder redirection: where the 'My Documents' folders are stored.
Settings which dictate the operating system behaviour, for example, disabling unnecessary services such as IIS or telnet.
My mission is to bring each Group Policy category or folder to life. I want to save you time by concentrating on what I consider to be the best settings in each Group Policy folder.
Look out for 'Guy's top selections' on each page. Occasionally, I express an opinion that a policy is of limited use - no sitting on the fence! However, even if a policy is only needed for specialist configurations, I still point out its purpose, just in case it applies to your situation.
Before you begin evaluating policies, I urge you to decide on the security rating of your organization. It is important to have a reference point, otherwise it will be difficult to gain a perspective of what makes sense for your users. My advice is aimed at those who need medium security settings for their domains; therefore, if you are a high or low security company then make the necessary adjustments when assessing my selections.
Remember that the more security you enforce, the more work there will be for you. For instance, do not insist on 14-letter, complex passwords just because they are the highest settings. However, if there is a good business case for this level of security, then fair enough, but do take on extra help desk staff to cope with the resultant password lockouts.
If you have Active Directory then you will want to control Group Policy via GPMC on the domain controller. However, if you are responsible for Windows 7 in a Workgroup or HomeGroup then you will choose the local group policy editor - gpedit.msc.
Types of Group Policy Settings
There are broadly three reasons for changing group policy settings. Firstly, adding features present in Vista and XP, but absent in Windows 7. Secondly, using group policy to remove stuff that is inappropriate for that machine, for example, if you have no speakers: 'Remove volume control icon'. Thirdly, employing the traditional group policy role of restricting users, for example, 'Prevent users from changing the taskbar'.
See more on Windows 7 Group Policies.
Computer Group Policies
One half of Group Policies deals with settings which lock down the machine. As with all Computer Configuration Policies, Administrative Templates affect all users who log on - including the administrator.
Pre-requisites for creating policies
The advice and screen shots in this section are designed for Windows Server 2003; however, many of the settings are available in Windows 2000.
You have installed the GPMC (Group Policy Management Console).
You create a test OU. (Not essential, but safer than using the default domain policy.)
Right-click your OU, Properties, Group Policy. Click on Open.
Right-click on your OU, and select 'Create and Link a GPO Here...'
Right-click your policy, then edit.
Example Group Policy - Disable Server Shutdown Event Tracker
This example allows you to disable the annoying shutdown tracker found on Windows Server 2003.
Before you disable the Shutdown Dialog box, check out your group policy. Ask yourself, would this be a Computer policy or a User policy?
The answer is that Shutdown Event Tracker is a Computer policy. So launch the Group Policy editor and navigate thus:
a) You select the OU which contains the Windows 2003 server.
b) You navigate to the Computer, not the User, part of group policy.
Complete Group Policy path to disable Shutdown Event Tracker:
Local Computer Policy » Computer Configuration » Administrative Templates » System »
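Since Administrative Templates settings are registry values, a GPO stores them as key/value/type/data records in a Registry.pol file, and listing those records shows exactly what a policy will write. The parser below is an added example, not code from the original article. Assumptions: the sample bytes are constructed, the ExampleCorp key and HelpDeskUrl value are hypothetical, and Reliability\ShutdownReasonOn is the value commonly documented for the Shutdown Event Tracker policy rather than something stated on this page.

```python
import struct

REG_TYPES = {1: "REG_SZ", 4: "REG_DWORD"}  # standard Windows registry type codes
def u16(text):
    return text.encode("utf-16-le")

def build_record(key, value, reg_type, data):  # helper for the constructed sample
    return (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

def parse_registry_pol(blob):
    """Return [(key, value, type_name, data), ...] from Registry.pol bytes."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, settings = 8, []
    def take(char):  # consume one expected UTF-16LE delimiter
        nonlocal pos
        if blob[pos:pos + 2] != u16(char):
            raise ValueError("expected %r at offset %d" % (char, pos))
        pos += 2
    def read_string():  # NUL-terminated UTF-16LE string
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    while pos < len(blob):
        take("["); key = read_string()
        take(";"); value = read_string()
        take(";"); reg_type = struct.unpack_from("<I", blob, pos)[0]; pos += 4
        take(";"); size = struct.unpack_from("<I", blob, pos)[0]; pos += 4
        take(";"); raw = blob[pos:pos + size]; pos += size
        take("]")  # also fails when data is shorter than the declared size
        if reg_type == 4:
            raw = struct.unpack("<I", raw)[0]
        elif reg_type == 1:
            raw = raw.decode("utf-16-le").rstrip("\0")
        settings.append((key, value, REG_TYPES.get(reg_type, str(reg_type)), raw))
    return settings

# Constructed sample: the Shutdown Event Tracker value plus a hypothetical custom key.
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + build_record(r"Software\Policies\Microsoft\Windows NT\Reliability",
                         "ShutdownReasonOn", 4, struct.pack("<I", 0))
          + build_record(r"Software\Policies\ExampleCorp\Desktop", "HelpDeskUrl", 1,
                         u16("https://helpdesk.example.test\0")))

if __name__ == "__main__":
    print(*parse_registry_pol(SAMPLE), sep="\n")
```

Run against a copy of a GPO's Registry.pol read as bytes, it lets you review a policy's registry writes before linking the GPO to an OU.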
Next step
If you are itching to start configuring Group Policies, the best place to begin is here at User Configuration, Administrative Templates.