Previous Page
Next Page

6.1. An Introduction to Group Policy

Group policies consist of five distinct components:


Administrative templates

Configure registry-based policies. You'll see what this really entails in a bit.


Folder redirection

Alters the target location of various elements in the UI, such as My Documents, to other places on the network.


Scripts

Execute when computers are first booted and shut down. They also can run during user logon and logoff.


Security settings

Configure permissions, rights, and restrictions for computers, domains, and users.


Software policies

Assign application packages to users and computers.

The data for each component is stored in a Group Policy Object (GPO). In domain-based GPs, GPOs are stored at various levels in Active Directory, but they're always associated with a domain. GPOs are affiliated with a variety of objects within Active Directory, including sites, domains, domain controllers, and OUs, and they can be linked to multiple sites, to the domains themselves, and to OUs. For non-domain-based (i.e., local) GPs, you simply configure those settings on individual servers.

GPOs store their contents in two parts: as files as part of a Group Policy Template (GPT) , and as objects inside a specialized container in Active Directory called a Group Policy Container (GPC) . GPTs are stored in the C:\WINDOWS\SYSVOL directory on each domain controller and contain settings related to software installation policies and deployments, scripts, and security information for each GPO. The GPTs usually contain subfolders called Adm, USER, and MACHINE, to separate the data to be applied to different portions of the computers' registriesthe USER portion is applied to keys in HKEY_CURRENT_USER, and the MACHINE portion is applied to keys in HKEY_LOCAL_MACHINE, while the Adm portion specifies other properties of the template itself. The GPCs simply contain information, such as version, status, or extensions for the policy itself, regarding the GPO's link to Active Directory containers. Each GPC is referred to by a string called a globally unique identifier, or GUID. Data stored in the GPC rarely needs to be modified and is used to indicate whether a specific policy object is enabled, as well as to control the proper version of the GPT to apply.

Local computer policies are stored in the %SystemRoot%\System32\GroupPolicy directory because they apply only to the computer on which they're stored and they need not be replicated. Local policies are also more limited in scope and ability, as you'll see later in this chapter.

When you first set up an Active Directory domain, two default GPOs are created: one that is linked to the domain itself, and therefore affects all users and computers within the domain; and one that is linked to the Domain Controllers OU, which affects all domain controllers within a domain.

6.1.1. A Comparison: Group Policies and System Policies

How do GPs compare to the old Windows NT 4.0 system policies? For one, with GPs, Active Directory handles pushing and synchronizing updates across domain controllers. With system policies, the file NTCONFIG.POL was pushed out, usually by the FRS, to all domain controllers from the NETLOGON share of the PDC. Sometimes, though, FRS simply would forget to actually replicatequite a bit of manual intervention was involved. With GP, Active Directory handles replication itself.

Second, domain-based GPs have a reversal feature: if you remove a policy's application to an object within the directory, any changes made by that policy are undone. System policies under Windows NT were permanent changes to the registry: once a policy was applied, there was no wayshort of manually changing back any modified keysto "de-apply" the policy. This was called tattooing .

Third, it's easier to control the timing of GP deployment than of system policies. With NT system policies, the setting changes were applied only twice: during computer boot and during a user logon. By contrast, GPs are applied at regular intervals. Workstations poll the domain every one to two hours to see if there are new policies, and if there are, the workstations simply apply the policies without protest. In addition, you don't have to deal with NT's peculiarities regarding policy application and domains. Unlike NT, machines can obtain policies from the domain they are in, and users can obtain policies from the domain they are in, and there's no confusion between the two; NT had a nasty habit of applying policies from only one domain (the one the machine was in), which might be different from the user's machine.

Fourth, the registry entries written to by NT system policies and Windows 2000 or Windows Server 2003 GPs are different. GPs are written to four different trees of the registry, the first two of which are the default location:

  • HKEY_LOCAL_MACHINE\Software\Policies

  • HKEY_CURRENT_USER\Software\Policies

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

If Windows runs into problems writing to the first two keys, it will attempt to apply information to the latter two keys instead.

NT system policies can write to any part of the registry, but GPs simply delete and rewrite the four trees of the registry when changes are made. The four areas of the registry are secure and written to only by the operating system, whereas other parts of the registry can be modified by users and applications.

That's not entirely the case, actually. You can indeed write to any part of the registry you want using GP with custom ADM templates, but that is beyond the scope of this book.


Additionally, it is very difficult to limit the scope of NT system policies. GP has the ability to granularly apply policies to specific objects.

Finally, one sour note: domain-based GPs work only with workstations and servers running Windows 2000 or later that are members of an Active Directory domain. Although you can apply local GP to non-domain machines, the functionality is more limited and replication of GPOs among non-domain machines is not automatic. If you have older machines running operating systems prior to Windows 2000, you'll need to stick with system policies until you migrate those systems to a later platform. You can, however, store NT and Windows 9x system policies on machines running Windows Server 2003.


Previous Page
Next Page