Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  

Implementing Group Policy
 

Over the past several weeks, I have provided an overview of Group Policy and explained how you can use it for everything from distributing software to securing your network environment. Microsoft has built a tremendous amount of capability into Group Policy, and it's a technology that requires a thorough understanding and a great deal of planning before you implement it. I could spend several weeks delving deeper into Group Policy without giving it the full coverage that it warrants. Because we don't have that time, I'll conclude the series this week by focusing on some of the planning and technical issues that you need to be aware of before you get started with Group Policy.

Setting Your Priorities
The Group Policy Editor (GPE) snap-in includes several settings that you can set within a Group Policy Object (GPO). In addition to the security and software distribution capabilities we discussed last week, you can control everything from clients' desktop appearances to what logon and logoff scripts run. With all the available options, deciding what to implement in your environment can be overwhelming.

A good approach is to develop your own top 10 lists. For example, what 10 issues generate the most support calls to your Help desk, are the highest priority security risks, or cause the most lost productivity for your users? After you develop your lists, identify those issues from your lists that a proper Group Policy implementation could eliminate or greatly reduce. You might decide to limit users' access to the Run command or remove access to the Control Panel Add/Remove Programs applet. If users need access to certain directories or shared resources, you might want to use logon or startup scripts to map drives. Or, perhaps you want to configure NetMeeting and Internet Explorer (IE) settings to specify controls or disable desktop sharing from a centralized location. By focusing on the most important issues for your environment, you can design an implementation that gives you the greatest Return on Investment (ROI). Implemented in this manner, Group Policy helps build the business case for moving to Windows 2000 and Active Directory (AD).

Designing AD with Group Policy in Mind
The Group Policy settings that you apply to a user or computer are based on the user's or computer's location within the AD structure. Group Policies process in the order of site, domain, and Organizational Unit (OU). So, if you apply a Group Policy that removes the Run command from the Start menu at the site level, adds it at the domain level, and then removes it at the OU level, the Run command will disappear from the Start menu when a user who is a member of the OU logs on, because the OU-level setting is the last one that the system applies. If you have a nested OU structure with Group Policies set at each OU level, the Group Policies process from parent to child, and the policy associated with the immediate parent OU that the user or computer object belongs to is the last one that the system applies.

By now, you should realize the importance of identifying your Group Policy objectives before you design your AD structure. If you implement your AD without considering Group Policy, you are likely to end up with a structure of unnecessary complexity that requires disruptive troubleshooting. Particularly, consider Group Policy when you design your OU structure. OUs are primarily beneficial from an administrative perspective, specifically in delegating administration and assigning Group Policy (because the Group Policy settings you apply at the OU level are, by default, the last ones that the system applies).

Group Policy and Groups
You might expect to use group membership to assign Group Policies, but in fact you don't assign Group Policies to groups; you assign them to sites, domains, and OUs. Groups do, however, let you filter Group Policy settings, which is important. Imagine that you want to prevent users from changing configuration settings, so you create a Group Policy that limits access to the Control Panel. Such a limitation is generally a good solution, unless a user who's logged on at the time is a member of the technical support group and needs to have access to the Control Panel to resolve a problem. To avoid this situation, you can set permissions in the GPO's properties to control who in the site, domain, or OU the settings apply to. For users or computers to receive the settings you apply, they must have Read and Apply Group Policy permissions to that GPO. The Authenticated Users group has these permissions by default, so to prevent a specific GPO from applying to users, you have to add their group and remove the Apply Group Policy permission from them.
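
The processing order and the permission filtering described in the two sections above, modelled as a small resultant-policy calculator. This is an added example, not code from the article or from Microsoft; the GPO names, setting keys, container names and groups are hypothetical, and the exclusion of the technical support group is modelled as a deny entry on Apply Group Policy, because its members also belong to Authenticated Users.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    # Groups holding both Read and Apply Group Policy (the default ACL).
    apply_allowed: set = field(default_factory=lambda: {"Authenticated Users"})
    # Groups filtered out of this GPO; modelled as a deny entry (assumption).
    apply_denied: set = field(default_factory=set)

    def applies_to(self, groups):
        allowed = bool(self.apply_allowed & groups)
        denied = bool(self.apply_denied & groups)
        return allowed and not denied


def effective_settings(links, groups):
    """Resolve settings for a user who belongs to `groups`.

    `links` is a list of (container, GPO) pairs already in processing
    order: site, domain, then OUs from parent to child.
    """
    result, winner = {}, {}
    for container, gpo in links:
        if not gpo.applies_to(groups):
            continue  # filtered out by the GPO's permissions
        for key, value in gpo.settings.items():
            result[key] = value  # a later link overwrites an earlier one
            winner[key] = f"{gpo.name} @ {container}"
    return result, winner


# Constructed hierarchy mirroring the article's two scenarios.
LINKS = [
    ("site:HQ", GPO("Site-Lockdown", {"HideRunCommand": True})),
    ("domain:example.local", GPO("Domain-Default", {"HideRunCommand": False})),
    ("ou:Staff", GPO("Staff-Desktop", {"HideRunCommand": True})),
    ("ou:Staff/Sales", GPO("No-ControlPanel", {"DisableControlPanel": True},
                           apply_denied={"Tech Support"})),
]
USER = {"Authenticated Users", "Domain Users"}
TECH = USER | {"Tech Support"}

if __name__ == "__main__":
    for label, groups in (("regular user", USER), ("tech support", TECH)):
        settings, winner = effective_settings(LINKS, groups)
        print(label)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]}  (from {winner[key]})")
```

The `winner` map records which link supplied each final value, which is the first thing to check when a setting does not match what an OU-level GPO was expected to enforce.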

Group Policy is a tremendously powerful feature of Win2K. Implemented correctly, it can provide compelling justifications for moving to Win2K and AD. But implementing it correctly requires a great deal of understanding and planning. For more information, see Microsoft's Group Policy white paper at the Microsoft Web site. If you have specific questions, submit them by clicking "Respond to this article" under Reader Feedback, and I'll respond within a day or two.







Reader Comments

Hi, thanks for the nice review... Anyway, here at school where I'm admin I'm having a problem implementing the Group Policy. When I go to the properties of the domain controller (vep.com) in the control base (got the Dutch version so not sure about the right terms...) and go to the tab group policy it can't find the domain controller. We also can't 'manage' the network-computers from the server, he can't find the network-pad. We're completely in despair because even Microsoft doesn't want to help (hehe that isn't new!) Anyway thanks a lot for your help...

David Williamson -November 30, 2000

Mr Macintosh, thanks for the information you have posted, it's articles like this that make the net a great tool. I would like to take you up on your offer of submitting a question. On 2k professional, can you not configure which users are to use a gpo? When you go to the gpo props, the security tab is not there. So this means that even the admin of the local domain is subject to the gpolicy, yes? Thanks for taking the time. jason in Little Rock

jason johnson -February 14, 2001

Hi Jason, It sounds like you may be looking at the local security policy. If you wanted to apply a particular set of Group Policy settings to a W2K Pro, or several W2K Pro machines, the place to start would be to create an Organizational Unit and place the Pro machines in it within your AD. If you create a new GPO and link it to this OU, you should be able to go to the properties of the OU, go to the Group Policy tab, highlight the GPO, choose properties and then you should have a security tab. Then you can use groups to filter who gets those GP settings applied. There is a walkthrough at http://www.microsoft.com/WINDOWS2000/library/planning/management/groupsteps.asp#heading6 that talks about this. If you are already doing this, and you still aren't seeing the permissions tab, post more info and we'll figure out what's going on. Hope that helps, Robert McIntosh

Robert McIntosh -February 19, 2001

Hello Mr. McIntosh, Great article. I have some confusion on GPOs I thought you may be able to help with if you have the time. I have gone to the Server and created an OU. I then created a user called "test" within that OU. I then went to the properties of the OU, Group Policies tab of the properties and created a GPO with some very simple configs for testing (disabled the "My Documents" folder on the desktop). When I go to a win2000 client machine and log on as user Test the GPO doesn't get applied. I have even used the gpresult tool and it looks like only the local policies are being applied. Do you know what might possibly have been missed? Thanks in advance for any help you might be able to provide.

Daren Kinser -March 11, 2001



Hello Robert, I upgraded to WIN2k on our school server and implemented a new GPO on an OU in which I created a Global Group in which I placed users and then created a Local Group and placed the global groups in them. My dummy account is not taking it, so I tried your suggestion and created an OU and moved all my computers from the computer folder in the AD to the new one and linked the GPO and then I set the security so that the local group would have the GPO applied to it but it still wouldn't take. My understanding is that I can set up a GPO from the AD or MMC? I did it from the AD.
I have tried No inheritance and no override and it still won't work. All the workstations are win2kpro.

Ray -August 29, 2001

Hi, My question is hopefully simple. My organization supports many remote field locations where there is no dedicated LAN access. Most users connect to a central LNotes server via DSL or modem, and a few sites have frame relay WAN access to critical applications. Current O/S is W9x. We are looking to upgrade to W2K (maybe XP). Are there Group (or local) policy features in W2K that can be established and enforced on these remote machines even if they are not connected to a network? I.e., when we initially image these machines with W2K can we configure a policy that will follow the machine? Our goal is to establish a standard image for remote users that will 'follow the machine' so to speak, preventing the user from installing undesirable/non-company approved software, hence lessening our help desk support costs. Please advise, thank you, we look forward to your reply!

Mark Tuscano -November 18, 2001

Sir/madam, First of all I would like to say thank you for sharing nice information. I already implemented Group Policy and found it very good. Now the question arises how to back up Group Policy settings. Suppose I would like to back up the Group Policy applied for a particular OU in some abc ADS and want to restore the Group Policy settings on some OU on DEF ADS. Then how should I do it? Awaiting your reply. Thanks for the nice information.

Ulkesh -August 24, 2002

Hello Friends, I want to know how to implement a Group Policy in 2000 server, so if anyone has full documentation on how to implement a Group Policy plz send it over to my mail address.

Thyagu -November 12, 2003

It gave me a bit of info but I am really looking to find out how to actually implement the GPOs and whether you have to log on and off the server with all the users to create the profile. That is if you have to use Roaming Profile. Please Help.

Ricky Hollis -November 19, 2003

Hi, I just set up a group policy on server2003 for a group in active directory. The only things I have set up are folder redirects but when I log on as a user in the group on my network the redirects don't work. Do I have to change any settings on the workstations on my network to make group policy or should it just pick up the settings when each user logs on? This is the first time I've used server2003. I'm not doing too bad apart from this problem. Would be very grateful if you could help or could recommend anywhere to find help. Thank you

Daniel Essex -December 03, 2003

I have Windows 2000 Advanced Server and 2000 Professional as clients. Now I want to put some restrictions on a particular group. Could u pls tell me how to configure the Group Policy Objects or Group Policy Editor step by step, from top to bottom? I tried a lot but it does not apply to the particular groups. If u give the solution I will be happy. Bye

Abu -December 22, 2003

Thanks for the articles on policies. They help me prepare for my 2000 server exam.

ken -March 18, 2004

Hi, I would like to add an additional admin in our domain to administer our web servers only. I created an OU and added the servers and that admin to that OU. How do I create the GPO to give that user admin privs on the webservers only in our domain? Any help would be appreciated, Scott

Scott Brousseau -March 29, 2004

Hi, I made a Group Policy for an OU BUT, yes they have a but, they don't publish! I add a computer and a user in the OU and no change, all is there. What do I do wrong?

Jonathan -April 08, 2004

Hello, I need to add proxy exceptions to a GPO. However, when I add the machine accounts it's not taking effect. I believe I must somehow link it to a group and add the users?

renault -May 11, 2004

How to implement a GPO to an OU where the user is local administrator and I want to restrict the user from changing desktop settings, IE home page settings and registry settings?

kathir -June 07, 2004

I have created a group policy to limit use of Internet Explorer but have encountered that when I import the current content ratings to a particular web site it only enables me to see the front page, disabling my ability to navigate around the particular web site. Please help

darren -July 08, 2004

test

Anonymous User -February 08, 2005

Clients DNS Set to Server.

Anonymous User -February 10, 2005

I face this problem and cannot solve it. Pls anyone help. I have gone to the Server and created an OU. I then created a user called "test" within that OU. I then went to the properties of the OU, Group Policies tab of the properties and created a GPO with some very simple configs for testing (disabled the "My Documents" folder on the desktop). When I go to a win2000 client machine and log on as user Test the GPO doesn't get applied. I have even used the gpresult tool and it looks like only the local policies are being applied. Do you know what might possibly have been missed? Thanks in advance for any help you might be able to provide. biplobk2000@yahoo.com

Anonymous User -April 12, 2005