Windows 2003 Group Policies allow the administrators to efficiently manage a group of people accessing a resource. Group policies can be used to control both the users and the computers.
They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.
Group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of the Run command from the start menu. This will ensure that the users will not find Run command on that computer.
Domain-based Group Policies allow the domain / enterprise administrators to manage all the users and the computers of a domain / forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains and OUs through group policies.
There are more than 2000 pre-created group policy settings available in Windows Server 2003 / Windows XP. A default group policy already exists. You only need to modify the values of different policy settings according to your specific requirements. You can create new group policies to meet your specific business requirements. Group policies allow you to implement:
Registry based settings: Allows you to create a policy to administer operating system components and applications.
Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria or URL zone.
Software restrictions: Allows you to create a policy that would restrict users running unwanted applications and protect computers against virus and hacking attacks.
Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy.
Roaming user profiles: Allows mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server.
Internet Explorer maintenance: Allows administrators to manage the IE settings of the users' computers in a domain by setting the security zones, privacy settings and other parameters centrally with the help of group policy.
Using Local Group Policy
Local Group Policies affect only the users who log in to the local machine but domain-based policies affect all the users of the domain. If you are creating domain-based policies then you can create policy at three levels: sites, domains and OUs. Besides, you have to make sure that each computer must belong to only one domain and only one site.
A Group Policy Object (GPO) is stored on a per domain basis. However, it can be associated with multiple domains, sites and OUs and a single domain, site or OU can have multiple GPOs. Besides this, any domain, site or OU can be associated with any GPO across domains.
When a GPO is defined it is inherited by all the objects under it and is applied in a cumulative fashion successively starting from local computer to site, domain and each nested OU. For example if a GPO is created at domain level then it will affect all the domain members and all the OUs beneath it.
After applying all the policies in hierarchy, the end result of the policy that takes effect on a user or a computer is called the Resultant Set of Policy (RSoP).
To use GPOs with greater precision, you can apply Windows Management Instrumentation (WMI) filters and Discretionary Access Control List (DACL) permissions. The WMI filters allow you to apply GPOs only to specific computers that meet a specific condition. For example, you can apply a GPO to all the computers that have more than 500 MB of free disk space. The DACL permissions allow you to apply GPOs based on the user's membership in security groups.
Windows Server 2003 provides a GPMC (Group Policy Management Console) that allows you to manage group policy implementations centrally. It provides a unified view of local computer, sites, domains and OUs (organizational units). You can have the following tools in a single console:
- Active Directory Users and Computers
- Active Directory Sites and Services
- Resultant Set of Policy MMC snap-in
- ACL Editor
- Delegation Wizard
The screenshot below shows four tools in a single console.
A group policy can be configured for computers or users or both, as shown here: