Group Policy

Group Policy Purpose Group Policy enables policy-based administration that uses Microsoft Active Directory. Group Policy uses directory services and security group membership to provide flexibility and support extensive configuration information. Policy settings are specified by an administrator; unlike profile settings, which are often specified by a user. Policy settings are created using the Microsoft Management Console (MMC) snap-in for Group Policy. Resultant Set of Policy (RSoP) is an enhanced Group Policy infrastructure that uses Windows Management Instrumentation (WMI) to allow administrators to easily determine the policy settings that apply to, or will apply to, a user or computer. Where Applicable All Windows-based applications can use the Group Policy infrastructure to configure their policy settings.

About Group Policy Centralized policy-based administration enables an administrator to control the following settings: •

Registry-based policy settings. Specify registry-based settings using the Administrative Templates node of the Group Policy Object Editor.

•

Security settings. Define security settings for the local computer, domain, and network.

•

Software installation. Deploy applications as either assigned (you mandate the installation) or published (you provide applications that users can choose to install). Update or remove applications.

•

Scripts. Specify scripts to run at computer startup and operating system shutdown, and when a user logs on or logs off.

•

Remote Installation Services. Control the behavior of the remote installation feature, as displayed to client computers.

•

Internet Explorer maintenance. Manage and customize Microsoft Internet Explorer on computers running Microsoft Windows 2000 and later, and export settings for clients running Windows 95/98/Me or Microsoft Windows NT 4.0.

•

Folder redirection. Redirect Shell special folders to the network.

The administrator can apply these settings to groups of computers or users using the infrastructure provided by the Microsoft Active Directory. The administrator can manage these settings from a single location, without physically touching the computers in the organization. Application developers should adhere to system-level policy settings. In addition, they can provide policy settings that are specific to their applications

Group Policy Objects A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. Group Policy settings are contained in GPOs. A GPO can represent policy settings in the file system and in the Active Directory. Settings within GPOs are evaluated by clients using the hierarchical nature of the Active Directory. The structure of a GPO can be represented as shown in the following illustration.

To create Group Policy, administrators can use the Group Policy Object Editor, which can be a stand-alone tool. However, it is recommended that you use the Group Policy Object Editor as an extension to an Active Directory-related MMC snap-in because this will allow you to browse the Active Directory for the correct Active Directory container and define Group Policy based on the selected scope of management (SOM). Examples of Active Directory-related snap-ins include the Active Directory Users and Computers snap-in and the Active Directory Sites and Services snap-in. Note that policy settings are divided into policy settings that affect a computer and policy settings that affect a user. Computer-related policies specify system behavior, application settings, security settings, assigned applications, and computer startup and shutdown scripts. User-related policies specify system behavior, application settings, security settings, assigned and published applications, user logon and logoff scripts, and folder redirection. The convention is that computer-related settings override user-related settings. Storage of Group Policy objects Each computer that runs Windows XP Professional, Windows XP 64-bit Edition (Itanium), or the Windows Server 2003 operating systems, has exactly one local Group Policy object (GPO). It is stored in systemroot\System32\GroupPolicy. Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.

Group Policy container The Group Policy container is a directory service object. It includes subcontainers for computer and user Group Policy information. The Group Policy container contains the following data:

• Version information--Used to verify that the information is synchronized with Group Policy template information. • Status information--Indicates whether the Group Policy object is enabled or disabled for this site, domain, or organizational unit. • List of components--Specifies which extensions to Group Policy have settings in the Group Policy object. The Group Policy container stores information for Group Policy Software Installation and for Folder Redirection, which are extensions of the Group Policy Object Editor. Group Policy template The Group Policy template is a folder of domain controllers for the storage domain of the Group Policy object. A typical Group Policy template folder might look like the following example: systemroot\Sysvol\SYSVOL\Streetmarket.com\Policies\ {34975054-fd77-df75-54fe-074936850457}

Subfolders of the Group Policy template The Group Policy template folder contains subfolders, including, but not limited to, the following: • Adm--Contains all the .adm files for this Group Policy template. • Scripts--Contains all the scripts and related files for this Group Policy template. • User--Includes a Registry.pol file that contains the registry settings that are to be applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and applied to the HKEY_CURRENT_USER portion of the registry. The User folder contains an Applications subfolder. • User\Applications--Contains the application advertisement script files (.aas) that are used by the operating system-based installation service. These files are applied to users. • Machine--Includes a Registry.pol file that contains the registry settings that are to be applied to computers. When a computer initializes, this Registry.pol file is downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry. The Machine folder contains an Applications subfolder.

• Machine\Applications--Contains the .aas files that are used by the operating system-based installation service. These files are applied to computers.