Getting Started with Group Policy

So far we’ve discussed what group policy does, how it works, and how to use it, but we haven’t discussed the specific ways in which it can help you better manage your network.

Understanding Group Policy Settings and Options

First of all, Group Policy might not be what you think it is. If you are moving from Windows NT 4.0 environments to Windows Server 2003 environments, you should know right up front that Group Policy is not the same as Windows NT System Policy. Windows NT System Policy is very limited and quite frankly not even on the same playing field as Group Policy. If you have worked with Windows 2000 or later versions of the Windows operating system, you might have already seen some of what Group Policy can do and not realized it, or you might have heard someone incorrectly blame Group Policy for his woes.

The simple truth is that Group Policy does what you tell it to do. You manage Group Policy by configuring policy settings. A policy setting is an individual setting that you apply, such as restricting access to the Run dialog box. Most policy settings have three basic states:

  • Enabled. The policy setting is turned on, and its settings are active. You typically enable a policy setting to ensure that it is enforced. Once enabled, some policy settings allow you to configure additional options that fine-tune how the policy setting is applied.

  • Disabled. The policy setting is turned off, and its settings are not applied. Typically, you disable a policy setting to ensure that it is not enforced.

  • Not Configured. The policy setting is not being used. Its settings are neither active nor inactive, and no changes are made to the configuration settings targeted by the policy.

By themselves, these states are fairly straightforward. But some people think Group Policy is complex because these basic states can be affected by inheritance and blocking (which we touched on briefly and will discuss in detail in Chapter 3). Keep these two rules about inheritance and blocking in mind, and you’ll be well on your way to success with Group Policy:

  • If inherited policy settings are strictly enforced, you cannot override them—the inherited policy setting is applied regardless of the policy state set in the current GPO.

  • If inherited policy settings are blocked in the current GPO and not strictly enforced, the inherited policy setting is overridden—the inherited policy setting does not apply, and only the policy setting from the current GPO is applied.
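
The two rules above can be modeled as a small resolver. This is an added example, not code from the book or from Windows: a simplified Python model in which the container and GPO names are hypothetical, blocking is represented as a flag on the container, and the model goes slightly beyond the text by letting Not Configured pass inherited values through unchanged.

```python
from dataclasses import dataclass, field

ENABLED, DISABLED, NOT_CONFIGURED = "Enabled", "Disabled", "Not Configured"

@dataclass
class Gpo:
    name: str
    settings: dict          # policy setting name -> state
    enforced: bool = False  # strictly enforced: lower levels cannot override

@dataclass
class Container:            # a site, domain, or OU in the inheritance chain
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_state(chain, setting):
    """chain runs from the top level down to the current container.
    Returns (state, name of the GPO that decided it)."""
    # The lowest container that blocks inheritance cuts off everything above it.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.enforced:
                enforced.append(g)   # enforced GPOs ignore blocking
            elif i >= start:
                normal.append(g)
    result = (NOT_CONFIGURED, None)
    # Later entries win: non-enforced GPOs top-down, then enforced GPOs
    # bottom-up so that the highest-level enforced GPO has the last word.
    for g in normal + enforced[::-1]:
        state = g.settings.get(setting, NOT_CONFIGURED)
        if state != NOT_CONFIGURED:  # Not Configured changes nothing
            result = (state, g.name)
    return result

def scenario(enforce_domain, block_at_ou, ou_state):
    """Constructed sample: a domain baseline and one OU-level GPO."""
    setting = "Restrict access to the Run dialog box"
    domain = Container("Domain", [Gpo("Domain Baseline", {setting: ENABLED}, enforce_domain)])
    ou = Container("Workstations OU", [Gpo("OU Policy", {setting: ou_state})], block_at_ou)
    return effective_state([domain, ou], setting)
```

Calling scenario(True, True, DISABLED) shows the case that matters most for security baselines: an enforced domain setting still applies even though the OU both blocks inheritance and sets the opposite state.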

Using Group Policy for Administration

Now that you know exactly how to apply individual policy settings, let’s look at the administrative areas to which you can apply Group Policy. Whether you are talking about Local Group Policy or domain-based Group Policy, the areas of administration are similar, but you can do much more with domain-based Group Policy. As mentioned previously, however, you cannot use Local Group Policy to manage any features that require Active Directory; this restriction is the primary limiting factor in what you can and cannot do with Local Group Policy.

Using Group Policy, you can manage these key administrative areas:

  • Computer and user scripts. Configuring logon/logoff scripts for users and startup/shutdown scripts for computers.

  • Folder redirection. Moving critical data folders for users to network shares where they can be better managed and backed up regularly (domain-based Group Policy only).

  • General computer security. Establishing security settings for accounts, event logs, restricted groups, system services, the registry, and file systems. (With Local Group Policy, you can only manage general computer security for account policies.)

  • Local security policies. Setting policy for auditing, user rights assignment, and user privileges.

  • Internet Explorer maintenance. Configuring the browser interface, security, important URLs, default programs, proxies, and more.

  • IP security. Setting IP security policy for clients, servers, and secure servers.

  • Public key security. Setting public key policies for autoenrollment, the Encrypting File System (EFS), enterprise trusts, and more.

  • Software installation. Automated deployment of new software and software upgrades (domain-based Group Policy only).

  • Remote Installation Services. Setting the options available during client installation.

  • Wireless networking (IEEE 802.11). Setting wireless network policies for access points, clients, and preferred networks (domain-based Group Policy only).

  • Software restriction. Restricting the software that can be deployed and used. Local Group Policy does not support user-based software restriction policies, only computer-based software restriction policies.

Through a special set of policies called Administrative Templates, you can also manage just about every aspect of the Windows graphical user interface (GUI), from menus to the desktop, the taskbar, and more. The Administrative Template policy settings affect actual registry settings, so the available policies are nearly identical whether you are working with Local Group Policy or domain-based Group Policy. You can use Administrative Templates to manage:

  • Control Panel. Controlling access to and the options of Control Panel. You can also configure settings for Add Or Remove Programs, Display, Printers, and Regional And Language Options.

  • Desktop. Configuring the Windows desktop, the availability and configuration of Active Desktop, and Active Directory search options from the desktop.

  • Network. Configuring networking and network client options, including offline files, DNS clients, and network connections.

  • Printers. Configuring printer publishing, browsing, spooling, and directory options.

  • Shared folders. Allowing publishing of shared folders and Distributed File System (DFS) roots.

  • Start menu and taskbar. Configuring the Start menu and taskbar, primarily by removing or hiding items and options.

  • System. Configuring policies related to general system settings, disk quotas, user profiles, logon, power management, system restore, error reporting, and more.

  • Windows components. Configuring whether and how to use various Windows components, such as Event Viewer, Task Scheduler, and Windows Updates.
