Navigating Group Policy can be a nightmare. Heck, just trying to figure out where things are can be a challenge, not to mention trying to figure out why so and so's computer doesn't have a policy applied when everyone else's does. Often you have to work with several different tools to try to figure things out. All in all, it can be a very frustrating experience.

Enter Group Policy Management Console (GPMC), Microsoft's solution for making Group Policy management easier. GPMC does for Group Policy what the Computer Management console did for system, storage, and service management; namely, it gives you a central interface for working with Group Policy. The really good news is that GPMC can be used to manage Windows Server 2003–based as well as Windows 2000–based Group Policy implementations. This means you can use it even if you haven't fully upgraded to Windows Server 2003.

I don't know how many administrators and help desk staff I've heard ask, "How do I keep people from running certain programs?" The problem they're describing stems from the fact that sometimes users install things they shouldn't, such as music-sharing software and other tools that should never be used in business environments—not only because of what the tools allow people to do but because of what the tools do to the computers on which they are installed.

In Windows 2000, there aren't a lot of choices. But it's a different story with Windows XP and Windows Server 2003. You can now use software restriction policies to control which programs users can install. For example, you can specify that desktop users can install only Microsoft Office applications and the Palm Desktop. Then, if users attempt to install other applications, they will not be able to do so.

User profiles can be configured as local, mandatory, or roaming, each of which has its pluses and minuses, as you'll learn in Chapter 37. Unfortunately, there are some quirks about profiles that make them less than fun things to deal with. For example, if you are using EFS, you pretty much have to use a roaming profile (unless you copy your encryption certificate to every machine you use seriously). But roaming profiles can grow quite large (which slows you down), and they can break (which can ruin your day). So, sometimes when you are using a roaming profile, such as when you are on a slow connection, you'll want to be able to say, "Hey, don't use my roaming profile!"

In Windows Server 2003, you can configure Group Policy to handle this and other similar profile tasks for you. For starters, you can specify that only local user profiles should be used on a particular computer, which ensures roaming profiles are loaded only when you want them to be. You can also specify through policy that the system must prompt you before downloading a roaming profile when a slow link is detected (and you can configure policy that specifies exactly what a slow link is; i.e., whether it is a 56 kilobits per second [Kbps], 128 Kbps, or 512 Kbps connection). To make changes to Group Policy, you use the Group Policy Object Editor, which is discussed in Chapter 38.