Who is this page for?
Far too many people get only a vague idea of what group policies can do before they charge off and apply them. Then disaster strikes. The settings either do not work, or worse, produce undesirable effects which they cannot reverse. So I am pleased that you are taking the time to understand the principles behind group policies.
Write down any policies you experiment with so that you can find them again!
The concept behind Group Policies is that administrators configure settings once, and then the settings apply continuously to the users. Furthermore, Group Policy can be applied to computers, so you can control the settings no matter who logs on. The way that Group Policies works is to alter settings in the registry.
The old saying "Prevention is better than cure", certainly applies to Group Policies. A good Group Policy will give greater productivity for the users, and save you time on routine administration. Think of all the damage and time wasting a user could spend trying out different control panel settings. The worst case that I have seen was a user who set the refresh rate too fast on a monitor; his screen literally went up in smoke!
Just wading through the 100’s of Policies is a Herculean task. My suggestion is to commission two opposite approaches. Get a ‘Techie’ who understands Windows 2000 to go through the policy and select those settings that he thinks appropriate. Then ask a manager to produce a vision or wish list of what the desktop should look like. Finally, bring the two disparate mind sets together weld them into your Group Policy.
Navigate to the Active Directory Users and Computers. right-click the Domain object, Properties, Group Policy (Tab) now ‘click’ the Edit (button) and you will see the policy settings. A less risky method of easing your way into Group Policies would be to create a test OU, and then make a brand new policy.
I think of Block Inheritance as the ‘anarchists setting’. This is because OU’s further down the chain can prevent settings at the domain from taking effect. You may be surprised to see that Block Inheritance affects all the Policies in the OU.
Changing the Security permissions on policies is one of the best kept secrets of Group Policies. Microsoft call it ‘filtering’ the policy so it only applies to certain users. The default setting is ‘Authenticated Users’ Apply Group Policy. A question: is the Administrator an ‘Authenticated User’? Of course he is. This is how enthusiastic policy setters lock themselves by applying severe policies at the Domain level and forgetting that they are an authenticated User’. The secret is to remove ‘Authenticated User’ and add the groups you actually want the policy to affect.
If there is a business case for an application then create a Policy and deliver the package to the Start Menu. Techies like this approach because they can then apply service packs and upgrades from one central place. These polices operate from the Software Settings folder. If you want everyone who logs on to use an application, then Assign it to a computer; however if the user needs special software wherever they logon, Assign it at the User Configuration folder.
If you want more information, my Active Directory eBook has much more information on Group Policies, including screen shots of how and where to configure policies.
See also Windows Server 2003 Group Policy – Big Section