Group Policy Settings
GPOs make it easy to enforce standard behavior across multiple users or computers. For example, GPOs can easily set firewall settings on multiple computers, define consistent desktop layouts, run scripts when users log on and log off, and redirect folders to network folders. These are only a few of the uses for GPOs. TABLE 6-1 lists additional category settings using GPOs.
TABLE 6-1 Categories of Settings in GPOs |
|
|---|---|
| CATEGORY | DESCRIPTION |
| Password Policy | Sets requirements for password strength, age, history, and storage |
| Account Lockout Policy | Determines how Windows handles accounts locked after failed logon attempts |
| Kerberos Policy | Sets lifetime limits for Kerberos tickets and clock synchronization |
| Audit Policy | Defines events Windows should record in audit files |
| User Rights Assignment | Assigns individual user rights that define what general actions users can perform, such as “Access this computer from the network” or “Change the system time” |
| Security Options | Offers options granting rights that define what security-related actions users can perform, such as “Allowed to format and eject removable media” or “Require smart card” |
| Event Log | Defines maximum size, retention settings, and guest access settings for event logs |
| Restricted Groups | Lists users in security-sensitive groups and to what other groups the restricted group can belong |
| System Services | Defines startup mode and access permissions for system services |
| Registry | Defines access permissions and audit settings for Registry keys |
| File System | Defines access permissions on discretionary access control lists (DACLs) and audit settings for system access control lists (SACLs) |
© Jones & Bartlett Learning. |
|
Group Policy is a central method to customize computer and user settings (FIGURE 6-1). Most operating systems, including Windows, provide the ability to create boot and logon scripts that run when a computer boots or a user logs on. Group Policy extends this capability by maintaining the commands from a central location. You don’t have to make changes to scripts and copy them to each computer or user’s directory. Group Policy changes are automatically distributed to the right locations. Another benefit that bears a closer look is the periodic update feature of Group Policy. Boot and logon scripts take effect only when you reboot the computer or log off and log on again. Group Policy applies many settings to the current session. This feature causes changes to take effect faster than with using other configuration options.
FIGURE 6-1
Group Policy.
© Jones & Bartlett Learning.
GPO Linking
You can link GPOs to specific users to customize settings for groups of users or even individual users. Users who log on anywhere in the Active Directory domain will get GPOs linked to their user account. You can also link GPOs to organizational units (OUs). In fact, you must link GPOs to at least one computer, domain, or OU for the GPO to be active. GPOs that aren’t linked to a computer, domain, or OU are defined but inactive. You can define OUs to logically group computers into functional groups, such as “Accounting,” “Manufacturing,” and “Distribution.” Once you define one or more OUs, you can add computers to each OU to logically group them together. When you link GPOs to OUs, Windows will download and apply only the appropriate GPOs for the computer and the user logging on.