Group Policy is a powerful tool for network administrators to manage
domain controllers, member servers, member computers, and users. It allows administrators to
manage most aspects of computer and user environments centrally through Active Directory,
eliminating the need, in most cases, to visit individual computers or user desktops.
This chapter covers the architecture of group policies so that you understand what a Group Policy Object (GPO) is and how and where GPOs can be applied to your Active Directory structure. In addition, you learn about the myriad security settings and user and computer environment settings that can be configured through group policies. You also examine how to apply standard security settings throughout your network and audit computers that aren't in compliance with designated standards. Finally, you take a look at group policy preferences, a new feature in Windows Server 2008.
An administrator's solid understanding of how to get the most out of group policies can
relieve some of the burden of user and computer management. Even more important, proper
design and application of group policies result in a more secure network.
Group Policy Architecture
The processes of centrally maintaining lists of computer and user settings, replicating these settings to all domain controllers, and applying these settings to users and computers are complex. The architecture of group policy is equally complex, at least when you're trying to envision the architecture as a whole. When broken down into its constituent parts, as this section does, the architecture is easier to grasp. Group policy architecture and functioning involve the following components:
GPOs —A GPO is an object containing policy settings that affect user and computer operating environments and security. GPOs can be local (stored on individual computers) or Active Directory objects linked to sites, domains, and OUs.
Replication —Replication of Active Directory-based GPOs ensures that all domain controllers have a current copy of each GPO. Changes to GPOs can be made on any DC and are replicated to all other DCs.
Scope and inheritance —The scope of a group policy defines which users and computers are affected by its settings. The scope can be a single computer, in the case of a local GPO, or an OU, a domain, or a site. Like permissions, policy settings applied to users and computers are inherited from parent containers, and like permission inheritance, an administrator can override the default behavior of group policy inheritance.
Creating and linking —GPOs are created in the Group Policy Management Console and can then be linked to one or more Active Directory containers. Multiple GPOs can be linked to the same container.
Group Policy Objects (GPOs)
A GPO, the primary component of group policies, contains policy settings for managing many aspects of domain controllers, member servers, member computers, and users. There are two main types of GPOs: local GPOs and domain GPOs (discussed later in this section).
Local GPOs
Local GPOs are stored on local computers and can be edited by the Group Policy Object Editor snap-in (see Figure 7-1). To use this tool, you can add the Group Policy Editor snap-in to a custom MMC or simply type gpedit.msc in the Start Search text box, which opens a preconfigured MMC called Local Group Policy Editor. To edit policies in the Security Settings node of the local GPO, you can use the Local Security Policy MMC (accessed via Administrative Tools in Windows Vista or XP). Local GPOs on workgroup computers are edited manually with one of those tools. The policy settings on domain member computers can be affected by domain GPOs linked to the site, domain, or OU in Active Directory. Settings in local GPOs that are inherited from domain GPOs can't be changed on the local computer; only settings that are undefined or not configured by domain GPOs can be edited locally.