Group Policy
Group Policy is part of Microsoft's IntelliMirror technology, which aims to reduce the overall cost of supporting users of Windows. Group Policy provides centralised management of computers and users in an Active Directory environment.
Group Policy can control a target object's (user or computer) registry settings (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER), registry and NTFS permissions, audit and security policy, software installation, startup/shutdown and logon/logoff scripts, folder redirection, and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs). Each GPO may be linked to multiple sites, domains or organizational units (OUs). In this way, potentially thousands of machines or users can be updated via a single change to a single GPO. This reduces the administrative burden and costs associated with managing these resources; it also means that write access to a widely linked GPO is equivalent to administrative control of every machine and user in its scope, so GPO edit rights deserve the same protection as domain administrator membership.
A user or computer object exists only once in Active Directory but often falls within the scope of several GPOs. The client applies every GPO in scope, in precedence order. Conflicts between GPOs are resolved per setting: the GPO applied last writes the value that takes effect, and a setting left "Not Configured" in a higher-precedence GPO does not override a value configured in a lower-precedence one.
Group Policy is also used as the basis for management of a group of technologies, referred to as IntelliMirror. These technologies relate to management of disconnected machines or roaming users and include Roaming User Profiles, Folder Redirection and Offline Folders.
Group Policy is processed and applied at startup for computers and at logon for users. Thereafter the client refreshes most settings in the background every 90 minutes plus a random offset of up to 30 minutes (domain controllers refresh every 5 minutes). Some categories, such as software installation and folder redirection, are only processed at startup or logon. A refresh can be forced from the client with gpupdate (gpupdate /force reapplies all settings rather than only changed ones).
Group Policy is supported on Windows 2000, Windows XP (Professional) and Windows Server 2003.
Group Policy Extensions
Group Policy supports the concept of a Client Side Extension (CSE). A CSE is a DLL on the client that processes one category of settings; CSEs are registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, each identified by a GUID, and a GPO's gPCMachineExtensionNames and gPCUserExtensionNames attributes record which CSEs need to process it. For the most part CSEs are transparent to the administrator, since GPMC and GPEdit merge them into a unified "namespace". The following extensions are supplied with the operating system:
- Administrative Templates extension - for the modification of registry keys
- Software installation extension - the centralized management of software
- Security extension - control of security policy
- Internet Explorer Maintenance - management of Internet Explorer
- Scripts extension - invocation of machine and user scripts.
Best Practices for Designing Group Policies
- Link policies as high in the hierarchy as practical (domain or top-level OU) so that one GPO covers as many objects as possible.
- Work with the e-Security team to define policy. Security policies are defined at the highest level.
- Define generic policies as high as possible.
- Policies apply to administrator accounts as well: the built-in Administrator account is not exempt, and account policies (password and lockout) set at domain level apply to every domain account. Exempt an administrative group only through explicit security filtering, and record why.
- Block inheritance at an OU if needed. A link at the parent level can be set to Enforced (No Override); enforced links cannot be blocked.
- Where several GPOs are linked to the same container, the one higher in the list (lower link-order number) is applied last and takes precedence, so the order in the list is important.
- Use security filtering (Deny on the Apply Group Policy permission) at group level to exempt the IT Management Team from a policy.
- Use a staging environment (a test OU or test domain) for Group Policies before rolling them out. Good idea!
- You can NOT link a policy at:
  - Built-in
  - Computers
  - Users
  - Groups
  (These are containers, not OUs, so objects in them receive only local, site and domain-level GPOs.)
- You CAN link policies at:
  - OU level (and at site and domain level, subject to the permissions below)
- Create an OU design that requires the fewest GPOs.
- Site-level GPOs require Enterprise Admins permissions (or rights delegated on the site).
- Domain-level GPOs require Domain Admins permissions.
- OU-level GPOs require appropriate delegated permissions (delegation of administration).
- GPOs are applied in the following order (LSDOU), later ones overriding earlier ones where settings conflict:
  - Local machine
  - Sites
  - Domain
  - OU (parent OU before child OU)
- Machine-based policy takes effect on reboot (or at the next background refresh).
- User-based policy takes effect on logon (or at the next background refresh).
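The precedence rules above (LSDOU order, link order within a container, Enforced links, Block Inheritance and security filtering), together with the per-setting conflict resolution described in the overview, are easier to verify in code than in prose. The following Python model is an added example, not code from this page or from Microsoft: the container and GPO names are hypothetical, and `application_order` and `resolve` are names chosen here. Given the scope chain for a user or computer it predicts which GPO wins each setting, much as a Resultant Set of Policy query would.

```python
"""Model of how a Group Policy client orders and applies the GPOs in scope
for one user or computer: LSDOU order, link order within a container,
Enforced (No Override) links, Block Inheritance and security filtering, with
conflicts resolved per setting (last writer wins). The hierarchy at the bottom
is constructed for illustration only."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                              # setting name -> value
    enforced: bool = False                      # Enforced / No Override on the link
    denied_groups: frozenset = frozenset()      # groups given Deny on "Apply Group Policy"


@dataclass
class Container:
    """A site, domain or OU. links[0] is link order 1, i.e. highest precedence."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(scopes, member_of=frozenset()):
    """Return the GPOs the client applies, lowest precedence first.
    `scopes` runs from the site, through the domain, down to the leaf OU."""
    # Block Inheritance on the deepest container that sets it drops every
    # non-enforced GPO linked above that container.
    block_at = max((i for i, c in enumerate(scopes) if c.block_inheritance), default=-1)

    def passes_filter(gpo):
        # Security filtering: Deny on Apply Group Policy removes the GPO entirely.
        return not (gpo.denied_groups & member_of)

    normal = []
    for depth, container in enumerate(scopes):
        if depth < block_at:
            continue
        # Within one container the link at the top of the list is applied last, so it wins.
        normal.extend(g for g in reversed(container.links)
                      if passes_filter(g) and not g.enforced)

    # Enforced links ignore Block Inheritance and are applied after all others;
    # an enforced link nearer the root beats one further down, so walk leaf-first.
    enforced = []
    for container in reversed(scopes):
        enforced.extend(g for g in reversed(container.links)
                        if passes_filter(g) and g.enforced)
    return normal + enforced


def resolve(local_settings, scopes, member_of=frozenset()):
    """Apply local policy first, then each GPO in order; per setting the last GPO
    to write a value wins. Returns (effective settings, winning GPO per setting)."""
    effective = dict(local_settings)
    winner = {key: "Local" for key in local_settings}
    for gpo in application_order(scopes, member_of):
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


# Constructed sample hierarchy (hypothetical names, not a real domain).
IT_TEAM = "IT Management Team"
SITE = Container("Site-London", [GPO("Site-Proxy", {"ProxyServer": "proxy.london:8080"})])
DOMAIN = Container("corp.example", [
    GPO("Default Domain Policy", {"MinPasswordLength": 14, "ScreenSaverTimeout": 900}, enforced=True),
    GPO("Domain-Wallpaper", {"Wallpaper": "corp.bmp"}, denied_groups=frozenset({IT_TEAM})),
])
OU_ENG = Container("OU=Engineering", [
    GPO("Eng-Base", {"ScreenSaverTimeout": 600, "Wallpaper": "eng.bmp"}),
], block_inheritance=True)
OU_DEV = Container("OU=Developers", [
    GPO("Dev-Tools", {"ScreenSaverTimeout": 1800, "AllowDevTools": True}),      # link order 1
    GPO("Dev-Lockdown", {"ScreenSaverTimeout": 300, "AllowDevTools": False}),   # link order 2
])
LOCAL = {"ScreenSaverTimeout": 300, "Wallpaper": "local.bmp", "AutoPlay": False}

if __name__ == "__main__":
    for who, scopes, groups in [("developer", [SITE, DOMAIN, OU_ENG, OU_DEV], frozenset()),
                                ("IT admin in domain root", [SITE, DOMAIN], frozenset({IT_TEAM}))]:
        effective, winner = resolve(LOCAL, scopes, groups)
        print(who, [g.name for g in application_order(scopes, groups)])
        for key in sorted(effective):
            print(f"  {key} = {effective[key]!r}  (from {winner[key]})")
```

Running it shows that the enforced Default Domain Policy still sets the screen-saver timeout inside the Engineering OU despite Block Inheritance, that Dev-Tools beats Dev-Lockdown purely because of link order, and that the IT team escapes Domain-Wallpaper only because of the explicit Deny. On a real machine the same answers come from gpresult /v; comparing the two is a quick way to catch a link order or filter that does not do what the design intended.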
The Three Phases of Using Group Policy
Group Policy can be considered in three distinct phases: creation of the GPO, targeting (linking) of the GPO, and application of the GPO on the client.
Creating and Editing GPOs
GPOs are created and edited through two tools: the Group Policy Object Editor (GPEdit, gpedit.msc) and the freely downloadable Group Policy Management Console (GPMC). GPEdit is used to create and edit single Group Policy Objects one at a time. Prior to GPMC, administrators wanting to document or inventory previously deployed GPOs had to use Active Directory Users and Computers (ADUC) to interrogate each organisational unit one right-click at a time. GPMC enhances GPO management by providing 'big picture' tools for Group Policy: GPO settings summarisation, a simplified security pane for group filtering, GPO backup, restoration and cloning, and Group Policy Modeling and Results (Resultant Set of Policy) reports, all within a GUI that mimics ADUC. Editing a GPO from within GPMC still launches GPEdit.
Targeting GPOs
After a GPO has been created it can be linked to an Active Directory site, domain or OU. It is most common for GPOs to be linked to OUs. Linking does not copy the GPO: the same GPO may be linked in several places, and an edit to it changes every link at once, which is why the scope of a GPO should be reviewed before it is modified.
GPO Application
The Group Policy client operates on a "pull" model. At startup or logon, and thereafter every 90 minutes plus a random offset of up to 30 minutes, it reads the gPLink attributes of the containers in its scope from a domain controller over LDAP, retrieves each GPO's settings from the Group Policy Container in the directory and the Group Policy Template in the SYSVOL share, and applies those GPOs in precedence order. The applied settings thereafter affect the behaviour of policy-enabled operating system components and applications. Two consequences of the pull model are worth noting: a client that cannot reach a domain controller keeps the settings it last applied, and anyone who can modify a GPO's files in SYSVOL can change what every linked machine will apply at its next refresh.
External links
- Microsoft Group Policy page
- The Group Policy Management Console (GPMC)
- Using Group Policy to Deploy Applications
- GPanswers.com: Community forum and training dedicated to Group Policy
- GPOGuy.com: Information and resource site related to Group Policy; home of the GPTalk listserv
- Best Practices for Designing Group Policy - Summarizes best practices for planning the implementation of Group Policy in an Active Directory environment.
- Optimizing Group Policy Performance