Windows Server 2003 – Group Policy Overview

Who is This Group Policy Page For?

  • Administrators who want an overview of Windows 2003 Group Policy
  • Experienced network managers who want to lock down desktops
  • Network Architects who need to turn a desktop vision into reality


The Big Picture

The concept behind Group Policies is that administrators configure settings once, and then the settings apply continuously to the users.  Furthermore, Group Policy can be applied to computers, so you can control the settings no matter who logs on.  Group Policies work by altering settings in the registry.

The old saying "Prevention is better than cure" certainly applies to Group Policies.  A good Group Policy will give greater productivity for the users, and save you time on routine administration.  Think of all the damage and time wasting caused by users experimenting with Control Panel settings.  I once saw a user set the screen refresh rate faster than the monitor hardware could cope with; his screen literally went up in smoke!  If only the administrator had set a group policy, they could have disabled the Display Tab and thus prevented an expensive mistake.

One neglected aspect of group policy is that you can be pro-active and configure settings to be kind to the users; in this case you could create a policy that sets the refresh rate at 80, rather than the flickery default value of 60.

Getting Started

Just wading through the 100s of policies is a Herculean task.  My suggestion is to commission two opposite approaches.  Get a ‘Techie’ who understands Windows 2003 to go through the policy and select those settings that he thinks appropriate.  Then ask a manager to produce a vision or wish list of what the desktop should look like.  Finally, bring the two disparate mindsets together and weld them into your Group Policy.

Navigate to Active Directory Users and Computers.  Right-click the Domain object, select Properties, then the Group Policy tab; now click the Edit button and you will see the policy settings.  A less risky method of easing your way into Group Policies would be to create a test OU, and then make a brand new policy.

Group Policy Management Console (GPMC)

Firstly, the GPMC is designed for Windows Server 2003 and later rather than Windows 2000.  Either execute GPMC.msi from the \program files\folder or download the GPMC add-on from Microsoft’s site.  It is well worth the effort of installing it to gain the extra settings to manage your Group Policies.

The Group Policy Management Console (GPMC) unifies Group Policy management across your Active Directory forest. Before GPMC, administrators needed many tools in order to manage Group Policy: the Microsoft Active Directory Users and Computers, the Delegation Wizard, and the ACL Editor.  Not only does the GPMC integrate the existing Group Policy tools, but it also brings these exciting new capabilities:

  • A user interface that makes it easier to use and manage Group Policy.
  • New WMI filtering means that you can apply policies to particular machines, or only if there is enough disk space.
  • Backup, restore, import, and copy Group Policy Objects (GPOs).
  • Simplified management of Group Policy-related security.
  • Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
  • Programmatic access to the above GPO operations. Note that it is not possible to programmatically set individual policy settings within a GPO.
  • Windows 8 Group Policy Preferences.


RSoP Snap-in (Resultant Set of Policy)

Microsoft provides a snap-in called RSoP for showing a given combination of policy settings.  I find that if you install the GPMC, then you do not really need this RSoP snap-in.  However, if you do need it, RSoP is intuitive to use and comes in two modes:

  • Logging mode. In logging mode, the RSoP snap-in tracks the policies that you apply. In this mode, the tool shows the actual policies for a given user or computer.
  • Planning mode. In planning mode, the snap-in indicates the set of policies that would be applied if you deployed the policy. You can perform what-if analyses on the user and computer, the domain, and the organizational unit.

Gpupdate

I am so pleased that Windows 2000’s Secedit is now obsolete; the syntax was horrendous.  Gpupdate completely replaces Secedit on Server 2003 and XP.  Mostly I just use Gpupdate as a simple command on its own; occasionally I tweak it with the following switches:

/target:computer or /target:user   Applies only the computer or user section of your policy.  Normally I would use plain Gpupdate without the optional target switch.

/logoff   Useful for settings that do not apply until the user logs on again.

/boot   Handy for configurations which need the computer to restart.

/force   Reapplies all settings.

Modifying Policy Inheritance

Block Inheritance

I think of Block Inheritance as the ‘anarchist’s setting’.  This is because OUs further down the chain can prevent settings at the domain from taking effect.  The knack of using Block Inheritance is to select the OU container and not the individual policy.

Enforce Policy (No-override)

I think of Enforce Policy as ‘Big Brother fights back’; this setting prevents any ‘anarchists’ from changing a setting further down the OU chain.  The trick to enforcing is to right-click the individual policy, not the OU.

Fine tuning Policy Permissions – Filtering

Changing the Security permissions on policies is one of the best kept secrets of Group Policies. Microsoft calls it ‘filtering’ the policy so it only applies to certain users.  The default setting is ‘Authenticated Users’ with the Apply Group Policy permission.  A question:  is the Administrator an ‘Authenticated User’?   Of course he is.  This is how enthusiastic policy setters lock themselves out, by applying severe policies at the Domain level and forgetting that they are an ‘Authenticated User’.  The secret is to remove ‘Authenticated Users’ and add the groups you actually want the policy to affect.

What’s new with delegation of permissions is a new built-in global group called Group Policy Creator Owners.  My own view is that I would confine configuring Group Policies to a small select group of experts and not allow delegation of Group Policies to people in OUs.  My point is that usually I am all for delegation: creating users – yes; resetting passwords – excellent use of delegation; but delegating Group Policies – no.
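
The way Block Inheritance, Enforce and security filtering combine can be checked with a small model. The following is an added example, not code from the original page or from Microsoft: a simplified simulation that ignores local and site policies, WMI filters and loopback, with constructed domain, OU, group and policy names.

```python
from typing import NamedTuple

class Link(NamedTuple):
    gpo: str
    enforced: bool = False            # Enforce (No Override): set on the policy link

class Container(NamedTuple):
    name: str
    links: tuple = ()                 # lowest precedence first
    block_inheritance: bool = False   # set on the OU, not on a policy

def effective_gpos(path, apply_acl, member_of):
    """Return GPO names in the order applied (the last one wins on a conflict).

    path      -- containers from the domain down to the account's own OU
    apply_acl -- GPO name -> set of groups holding 'Apply Group Policy'
    member_of -- set of groups the account belongs to
    """
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []               # discards non-enforced GPOs from higher up
        # Security filtering: the account needs Apply Group Policy via a group
        here = [l for l in container.links if apply_acl[l.gpo] & member_of]
        normal += [l.gpo for l in here if not l.enforced]
        # Enforced links ignore blocking; the highest container's apply last
        enforced = [l.gpo for l in here if l.enforced] + enforced
    return normal + enforced

# Constructed sample data (hypothetical names, not from the original page)
DOMAIN = Container("example.local", (Link("Default Domain Policy"),
                                     Link("Desktop Lockdown", enforced=True)))
IT_OU = Container("IT", (Link("IT Tools"),), block_inheritance=True)
ADMIN_GROUPS = {"Authenticated Users", "Domain Admins"}
ACL_DEFAULT = {"Default Domain Policy": {"Authenticated Users"},
               "Desktop Lockdown": {"Authenticated Users"},
               "IT Tools": {"Authenticated Users"}}
# Filtered as the text advises: swap Authenticated Users for the target group
ACL_FILTERED = {**ACL_DEFAULT, "Desktop Lockdown": {"Sales Staff"}}

if __name__ == "__main__":
    # Default ACL: the enforced lockdown reaches the administrator despite the block
    print(effective_gpos((DOMAIN, IT_OU), ACL_DEFAULT, ADMIN_GROUPS))
    # Filtered ACL: the administrator is no longer in scope of the lockdown
    print(effective_gpos((DOMAIN, IT_OU), ACL_FILTERED, ADMIN_GROUPS))
```

With the default ACL the administrator in the blocked IT OU still receives the enforced lockdown policy; once the policy is filtered to the hypothetical Sales Staff group, it drops out of the administrator's list.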


Assigning Software

If there is a business case for an application then create a Policy and deliver the package to the Start Menu.  Techies like this approach because they can then apply service packs and upgrades from one central place.  These policies operate from the Software Settings folder.  If you want everyone who logs on to use an application, then Assign it to a computer; however if the user needs special software wherever they log on, Assign it at the User Configuration folder.

If you want more information, my Active Directory eBook has much more information on Group Policies, including screen shots of how and where to configure policies.

Windows 8 Group Policy Drive Maps

The modern group policy method of drive mapping does not require any scripting.  In Windows Server 2008 you can launch the Group Policy Management Console and configure Drive Maps by clicking with a mouse.  See more on Windows 8 Group Policy Drive Maps.

