Group Policy is a core part of Microsoft’s IntelliMirror technology. You can use Group Policy to manage all aspects of the Server environment for Windows Server, including Registry settings, software installation, scripts, security settings, and so on. The possibilities of what can be done with Group Policy are almost limitless. With VBScript or JScript, you can write entire applications to execute via Group Policy. You can install software automatically across the network and apply patches to applications.

When deciding on the Group Policies you plan to enforce on your network, keep in mind that the more policies are applied, the more network traffic is generated, and hence the longer it could take for users to log on to the network.

Group policies are stored in Active Directory as Group Policy Objects (GPOs). These objects are the instructions for the management task to perform. Group Policy is implemented in four ways:
Local Group Policy:
Local Group Policy is configured on the local computer itself. This is not very useful for managing computers on a network.
Site Group Policy:
Site Group Policy is when the Group Policy object is linked to the site. Site Group Policies can generate unwanted network traffic, so use these only when absolutely necessary.
Domain Group Policy:
Domain Group Policy is when the Group Policy object is linked to the domain. This will apply the Group Policy object to all computers and users within a domain. This is especially useful for enforcing company-wide settings. This is one of the two most commonly used applications of Group Policy.
Organizational Unit Group Policy:
Organizational unit Group Policy is when the Group Policy object is linked to the organizational unit (OU). Organizational unit Group Policy is especially useful for applying a Group Policy object to a logical grouping (organizational unit) of users or computers.
When a Windows Server machine logs on to a Windows AD, any legacy Windows 2000 Group Policies will be applied to and work on Windows Server. The new Windows Group Policy snap-in will work on a Windows 2000 AD as well as Windows 2003. You can use the Windows Group Policy snap-in to connect to any Group Policy object in the Active Directory. You can also create a new Group Policy object using this snap-in. When you connect to a GPO using this snap-in, the ADM files are automatically updated using the newer versions of these files found on Windows XP.
Windows has over 200 policies. These policies are reflected in the new ADM files that are updated on the domain. The Windows admin snap-in shows what policies work on which clients. Best practice in a mixed environment: Use the latest Windows Group Policy snap-in to administer Group Policy because it will display what policies are supported on what clients.
Group Policy Order
When Group Policies are applied in Windows Server, they are applied in a specific order. This is important to note because the order applied can affect the resulting policy. Group Policy is applied in the following order:
■ Windows NT 4 Policies (if any exist)
■ Windows 2000 Policies
■ Local Group Policies
■ Site Group Policies
■ Domain Group Policies
■ Organizational unit Group Policy Objects (going from the highest parent in the chain to the lowest)
Additionally, the result of all of the applied policies can be determined by using the Resultant Set of Policy (RSOP) snap-in. More information on this topic is covered later in the “Resultant Set of Policy (RSOP)” section. Figure A.1 shows how Group Policy is applied by different organizational units along with the domain Group Policy.
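An added example (not from the original text) that computes a simplified resultant set by applying GPOs in the order listed above, where a setting written later replaces one written earlier. The DNs, site name, GPO names and settings are constructed; NT 4 and Windows 2000 policies are left out, and link options that change inheritance are not modeled.

```python
# Constructed sample data: container -> GPOs linked there, in processing order.
# Setting names and values are illustrative, not real policy identifiers.
LINKS = {
    "local": [("Local Policy", {"ScreenSaverTimeout": 1800})],
    "HQ-Site": [("Site Proxy", {"ProxyServer": "proxy.hq.example:8080"})],
    "DC=corp,DC=example": [("Domain Baseline",
                            {"ScreenSaverTimeout": 900, "DisableRegistryTools": 1})],
    "OU=Sales,DC=corp,DC=example": [("Sales Desktop", {"ScreenSaverTimeout": 600})],
    "OU=Laptops,OU=Sales,DC=corp,DC=example": [("Laptop Lockdown",
                            {"ScreenSaverTimeout": 300, "RemovableStorageDeny": 1})],
}

def split_dn(dn):
    # Naive split: assumes no escaped commas inside the DN components.
    return [part.strip() for part in dn.split(",")]

def ou_chain(dn):
    """OU containers above an object, highest parent first."""
    parts = split_dn(dn)
    return [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)
            if parts[i].upper().startswith("OU=")]

def processing_order(dn, site):
    """Containers in the order the page lists: local, site, domain, then OUs."""
    domain = ",".join(p for p in split_dn(dn) if p.upper().startswith("DC="))
    return ([("local", "local"), ("site", site), ("domain", domain)]
            + [("ou", ou) for ou in ou_chain(dn)])

def resultant_set(dn, site, links):
    """Apply every linked GPO in order; a later GPO overwrites an earlier value."""
    result = {}
    for level, container in processing_order(dn, site):
        for gpo, settings in links.get(container, []):
            for name, value in settings.items():
                previous = result.get(name)
                overridden = previous["overridden"] + [previous["gpo"]] if previous else []
                result[name] = {"value": value, "gpo": gpo, "level": level,
                                "overridden": overridden}
    return result

if __name__ == "__main__":
    rsop = resultant_set("CN=WS01,OU=Laptops,OU=Sales,DC=corp,DC=example", "HQ-Site", LINKS)
    for name, info in sorted(rsop.items()):
        print(f"{name}={info['value']}  winner={info['gpo']} ({info['level']})"
              f"  overridden={info['overridden']}")
```

The `overridden` list shows which earlier GPOs set the same value and lost, which is the first thing to check when a baseline setting does not take effect on a machine in a nested OU.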