Group Policies

Group policy is built from several components. This section identifies the key components and how they fit together, enough for a basic understanding of group policy.

Group Policy Editor

The Group Policy Editor (GPE) is an MMC snap-in that lets you add, modify, and delete the settings of a Group Policy Object (GPO). Figure 9.1 shows the GPO that is discussed in this chapter.

Figure 9.1. MMC view of a sample GPO.


The GPE can be started by right-clicking an Active Directory container (a site, domain, or organizational unit), selecting Properties, selecting the Group Policy tab, and then selecting a GPO and choosing Edit. Alternatively, start the MMC, add the Group Policy snap-in, and select the specific GPO you want to edit.

GPO

A GPO is a collection of settings that are applied to computers and to users. Each setting lives in one of two halves, the Computer Configuration or the User Configuration, and that placement decides whether the setting follows the computer or follows the user. Figure 9.1, a GPE view of a GPO called Standard Software, illustrates this.

The Standard Software policy shows both halves. Under Computer Configuration you see Software Settings, Windows Settings, and Administrative Templates. The Software Settings under Computer Configuration govern how software is deployed to every computer that this GPO applies to; the Software Settings under User Configuration apply to every user that this GPO applies to. When is each used? Use the computer settings when an application belongs to a particular set of machines. In this example, the Finance department uses an invoicing application that may only run on specific machines on the third floor, where Finance is located. If a Finance staff member goes to another floor and logs on to a workstation there with their own user ID, the application is not available, because the computer-side software setting makes it available only on the third-floor machines.

With the same application deployed through the User Configuration software settings instead, the user could run it from whichever machine they log on to. Conversely, a non-Finance user who logs on to a workstation located in the Finance department would not have access to it.

Figure 9.1 also shows other configurable items that are part of a GPO, including the Windows Settings under Computer Configuration. One that can further control the desktop and a user's interaction with its configuration is Computer Configuration|Windows Settings|Scripts. This provides the capability to run custom scripts, written for Windows Script Host (WSH), to configure items or clean up a workstation, and you control whether a script runs at startup or at shutdown. (The matching User Configuration|Windows Settings|Scripts node holds logon and logoff scripts.) Note that startup and shutdown scripts run in the security context of the local system account rather than of any user, so whoever can change those scripts can run code as SYSTEM on every computer the GPO applies to.

Also, notice that under User Configuration|Software Settings|Software Installation, Microsoft Office 2000 Premium has been assigned. This GPO installs Office 2000 on demand for every user whose user object sits in, or beneath, a container to which the Standard Software policy is linked.

The administrator can either assign or publish software through a GPO. Assigning software to a computer installs it on that computer at the next startup, before anyone logs on. Assigning software to a user advertises it: the application's Start menu shortcut and file associations appear at logon, and the installation runs the first time the user opens the shortcut or a document of that type. Publishing software to a user makes it available for the user to install if they need it, through Add/Remove Programs in Control Panel, with nothing placed on the Start menu; software cannot be published to computers. Typically, software used by most users, such as Microsoft Office, is assigned to desktop computers, which are largely static. Software with a narrow audience, such as an application used only by the organization's financial analysts, is a candidate for publishing. The difference between assigning and publishing software to a user is subtle and comes down to how the installation is triggered: assigned software is installed by clicking its icon on the Start menu, published software by selecting it in Add/Remove Programs.

The GPO is the component that groups settings together for a particular purpose. As with many features of Windows 2000 and Active Directory, a good starting point is a few general GPOs rather than many granular ones. One approach is to migrate parallel functionality from your Windows NT 4.0 environment: rather than inventing a new approach from scratch, translate the system policy functionality you use under NT 4.0 into a simple group policy design.

Group Policy Container (GPC) and Group Policy Template (GPT)

As implemented, a GPO exists in two parts: the GPC and the GPT. The GPC holds information about the GPO: its status, its version number, and which components it contains. It is the directory side of the GPO and is stored in Active Directory, under CN=Policies,CN=System in the domain naming context, as an object named by the GPO's GUID. The GPT holds the settings themselves: the script files, security settings, and application installation information depicted in the view of the GPO in Figure 9.1.

You can find the GPT in the System Volume (SYSVOL). With a standard installation, this puts you at C:\WINNT\SYSVOL\sysvol\w2k.com\Policies\{29xxxx..xxx}, where w2k.com is the DNS name of the domain and {29xxxx..xxx} is the Globally Unique Identifier (GUID) of the GPO. Under that folder, User\Scripts contains Logon and Logoff subdirectories, which hold the logon and logoff scripts for the GPO; Machine\Scripts holds Startup and Shutdown in the same way. The folder also contains GPT.INI, whose Version value must match the version number recorded in the GPC in Active Directory; clients use that version to decide whether a GPO has changed since it was last applied. Because SYSVOL is replicated to every domain controller and read by every client, the NTFS permissions on these folders matter: anyone who can write to a script folder can run code on every computer, or as every user, that the GPO applies to, so review those permissions rather than assuming the defaults are in place.
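The two checks above, the GPC/GPT version comparison and the script-folder permissions, as an added PowerShell example that is not code from the book. It uses only built-in cmdlets and .NET classes (Windows PowerShell 3.0 or later, no RSAT); the version value 65538, the GPT.INI contents, and the trusted-principal list are constructed assumptions for the sample run, and the live section at the end only runs on a domain-joined machine.

```powershell
# Added example (not from the book): check that a GPO's GPC in Active Directory and its
# GPT in SYSVOL agree, and list who can write to the GPT script folders.
# Built-in cmdlets only (Windows PowerShell 3.0 or later); no RSAT required.

function Split-GpoVersion {
    # versionNumber (GPC) and Version (GPT.INI) pack two 16-bit counters:
    # computer settings in the low word, user settings in the high word.
    param([uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Test-GptVersion {
    # True when GPT.INI carries the same version as the GPC. A mismatch means SYSVOL
    # replication is behind, or one half was edited outside the Group Policy Editor.
    param([uint32]$GpcVersion, [string]$GptIniText)
    $m = [regex]::Match($GptIniText, '(?im)^\s*Version\s*=\s*(\d+)\s*$')
    if (-not $m.Success) { return $false }
    return ([uint32]$m.Groups[1].Value) -eq $GpcVersion
}

function Get-GptScriptWriters {
    # Allow ACEs on a GPT folder that grant any write-type right to a principal outside
    # the expected administrative set. Anyone listed can plant a startup or logon script.
    param(
        [string]$Path,
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',   # assumed trusted set
                               'CREATOR OWNER', 'Domain Admins', 'Enterprise Admins')
    )
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($Trusted | Where-Object { $id -like "*$_*" }) { continue }
        [pscustomobject]@{ Path = $Path; Identity = $id; Rights = $ace.FileSystemRights }
    }
}

# Constructed sample data: a GPC versionNumber of 65538 (0x00010002) and two GPT.INI
# texts, one that matches the GPC and one that was bumped out of band.
$gpcVersion = 65538
Split-GpoVersion -Version $gpcVersion
Test-GptVersion -GpcVersion $gpcVersion -GptIniText "[General]`r`nVersion=65538`r`n"
Test-GptVersion -GpcVersion $gpcVersion -GptIniText "[General]`r`nVersion=65539`r`n"

# Live use on a domain-joined machine: walk every GPC (objectClass=groupPolicyContainer,
# under CN=Policies,CN=System) and check its GPT through the domain's SYSVOL share.
if ($env:USERDNSDOMAIN) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher('(objectClass=groupPolicyContainer)')
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'gPCFileSysPath', 'versionNumber'))
    foreach ($r in $searcher.FindAll()) {
        $name = $r.Properties['displayname'][0]
        $gpt  = $r.Properties['gpcfilesyspath'][0]          # \\w2k.com\SysVol\w2k.com\Policies\{GUID}
        $ver  = [uint32](([int64]$r.Properties['versionnumber'][0]) -band 0xFFFFFFFF)
        $ok   = Test-GptVersion -GpcVersion $ver -GptIniText (Get-Content -Raw "$gpt\GPT.INI")
        "{0,-40} version {1,-8} GPT matches: {2}" -f $name, $ver, $ok
        foreach ($sub in 'Machine\Scripts\Startup', 'Machine\Scripts\Shutdown',
                         'User\Scripts\Logon', 'User\Scripts\Logoff') {
            if (Test-Path "$gpt\$sub") { Get-GptScriptWriters -Path "$gpt\$sub" }
        }
    }
}
```

In the sample run the first GPT.INI text matches the GPC and the second does not. Split-GpoVersion is there because the two halves are bumped independently: editing only computer settings raises the low word, and a client that has already applied a given version skips the GPO until one of the halves changes, which is also why a silently stale GPT on one domain controller goes unnoticed without a check like this.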

Group Policy Processing

Group policies can be applied at several levels: the Site, Domain, or Organizational Unit (SDOU) level. The order of application to a computer or user is site first, then domain, and finally OU. There can be multiple OU levels, and group policies are applied from the top-level OU down. Because each level is applied on top of the previous one, a setting configured at a later (lower) level wins when it conflicts with one configured earlier, unless the earlier link is marked No Override.

Using Figure 9.2 as an example of an SDOU structure, for users in the Dover OU, site-level group policies are applied first, then domain-level, and finally OU-level group policies. The OU policies are applied from the Europe OU, then the England OU, and finally the Dover OU. Therefore, if there were a user group policy at each level, five group policies would be applied to the user: from the site, then the domain, then the Europe OU, the England OU, and finally the Dover OU.

Figure 9.2. Sample SDOU structure.
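The walk described above, as an added PowerShell example that is not code from the book: it derives the site, domain, and top-down OU chain for any object from its distinguished name and returns the order in which linked GPOs are applied, with the last entry winning on conflicts. It goes beyond the figure by also handling disabled links, No Override (Enforced) links, and Block Policy Inheritance. The site name London, the GPO names, and the link table are constructed sample data, and the example assumes each level's links are supplied in link order (link order 1 first, which is applied last).

```powershell
# Added example (not from the book): GPO application order for an object, from its DN.
# The site, domain and links below are constructed sample data.

function Get-ContainerChain {
    # From a DN, return the domain DN followed by each OU DN from the top down,
    # which is the order group policy walks them. CN= containers cannot carry links.
    param([string]$DistinguishedName)
    $parts  = $DistinguishedName -split '(?<!\\),'
    $domain = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $ous    = @($parts | Where-Object { $_ -like 'OU=*' })
    $chain  = @($domain)
    # The last OU= component sits directly under the domain, so walk backwards.
    for ($i = $ous.Count - 1; $i -ge 0; $i--) {
        $chain += ($ous[$i..($ous.Count - 1)] -join ',') + ',' + $domain
    }
    return $chain
}

function Get-GpoApplicationOrder {
    param(
        [string]$DistinguishedName,
        [string]$SiteName,
        [hashtable]$Links,                  # scope -> links in link order (link order 1 first)
        [string[]]$BlockInheritance = @()   # OU scopes with Block Policy Inheritance set
    )
    $scopes          = @("site:$SiteName") + (Get-ContainerChain $DistinguishedName)
    $applied         = @()   # ordinary links, in the order they are applied
    $enforcedByLevel = @()   # one array per level, site first
    foreach ($scope in $scopes) {
        # Block Policy Inheritance discards ordinary links gathered from higher levels.
        if ($BlockInheritance -contains $scope) { $applied = @() }
        $levelLinks = @($Links[$scope] | Where-Object { $_ -and -not $_.Disabled })
        [array]::Reverse($levelLinks)     # link order 1 must be applied last
        $levelEnforced = @()
        foreach ($link in $levelLinks) {
            $entry = "$scope => $($link.Name)"
            if ($link.Enforced) { $levelEnforced += $entry } else { $applied += $entry }
        }
        $enforcedByLevel += ,$levelEnforced
    }
    # No Override links apply after everything else, lowest level first, so an
    # enforced site or domain link has the final say and survives Block Inheritance.
    for ($i = $enforcedByLevel.Count - 1; $i -ge 0; $i--) { $applied += $enforcedByLevel[$i] }
    return $applied
}

# Constructed sample matching the Figure 9.2 structure: domain w2k.com, OUs Europe > England > Dover.
$domainDn = 'DC=w2k,DC=com'
$links = @{
    'site:London'                             = @(@{ Name = 'Site Proxy Settings' })
    $domainDn                                 = @(@{ Name = 'Default Domain Policy'; Enforced = $true },
                                                  @{ Name = 'Standard Software' })
    "OU=Europe,$domainDn"                     = @(@{ Name = 'Europe Desktop Lockdown' })
    "OU=England,OU=Europe,$domainDn"          = @(@{ Name = 'England Logon Scripts'; Disabled = $true })
    "OU=Dover,OU=England,OU=Europe,$domainDn" = @(@{ Name = 'Dover Finance Apps' })
}
Get-GpoApplicationOrder -DistinguishedName "CN=Alice,OU=Dover,OU=England,OU=Europe,$domainDn" `
                        -SiteName 'London' -Links $links
```

For the sample user the result lists the site link, then Standard Software at the domain, then the Europe and Dover OU links (the England link is skipped because it is disabled), and Default Domain Policy last, because its No Override link is applied after every lower level. Passing the Dover OU's DN in -BlockInheritance would drop the site, domain, and Europe entries but keep Default Domain Policy, which is exactly the behaviour to check for before relying on an OU-level GPO to override a domain setting.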

