Group Policy, Profiles, and IntelliMirror for Windows2003, WindowsXP, and Windows 2000 (Mark Minasi Windows Administrator Library)
| ||
| ||
|
If you've got an Active Directory, you need Group Policy. Group Policy has one goal: to make your administrative life easier. Instead of running around from machine to machine tweaking a setting here or installing some software there, you'll have ultimate control from on high.
Turns out that you're not alone in wanting more power for your desktops and servers. Managing user desktops (via Group Policy) was the top-ranked benefit of migrating to Active Directory, according to 1000 members who responded to a poll with TechTarget.com. You can find the study at http://tinyurl.com/47wrg .
Like Zeus himself, controlling the many aspects of the mortal world below, you will have the ability, via Group Policy, to dictate specific settings about how you want your users and computers to operate . You'll be able to shape your network's destiny. You'll have the power. But you need to know exactly how to tap in to this power and exactly what can be powered and what can only appear to be powered.
In this introduction and throughout the first several chapters, I'll describe just what Group Policy is all about and give you an idea of its tremendous power.
Tip | To get the most out of this book, you'll likely want a Windows 2003 Server machine with at least one Windows XP client (preferably running SP2) and possibly a Windows 2000 Professional machine (running at least SP4.) If you don't have a copy of Windows 2003 Server, you can download a free evaluation copy from Microsoft ( http://tinyurl.com/pgqz ), or have them send you a CD. (You pay only for shipping.) |
Group Policy Defined
If we take a step back and try to analyze the term Group Policy , it's easy to become confused . When I first heard the term, I thought it was an NT 4 System Policy that applied to Active Directory groups. But, thankfully, the results are much more exciting. Microsoft's perspective is that the name "Group Policy" is derived from the fact that you are "grouping together policy settings." Group Policy is, in essence, rules that are applied and enforced at multiple levels of Active Directory. All policies you design are adhered to. This provides great power and efficiency when manipulating client systems.
When going though the examples in this book, you will play the parts of the end user, the OU administrator, the domain administrator, and the enterprise administrator. Your mission is to create and define Group Policy using Active Directory and witness it being automatically enforced. What you say goes! With Group Policy, you can set policies that dictate that users quit messing with their machines. You can dictate what software will be deployed. You can determine how much disk space users can use. You can do pretty much whatever you wantit is really up to you. With Group Policy, you hold all the power. That's the good news. The bad news is that this magical power only works on Windows 2000 or later machines. That includes Windows 2000, Windows XP, and Windows 2003 Server. That's right; there is no wayno matter what anyone tells youto create the magic that is known as Group Policy in a way that affects Windows 95, Windows 98, or Windows NT workstations or servers.
The application of Group Policy does not concern itself with the mode of the domain. Windows 2000 or Windows 2003 domains need not be in any special functional mode. Windows 2000 domains can be in Mixed or Native mode. Windows 2003 domains can be in domain mode: Mixed, Interim, or Functional.
If the range of control scares youdon't be afraid! It just means more power to hold over your environment. You'll quickly learn how to wisely use this newfound power to reign over your subjects, er, users.
Group Policy versus Group Policy Objects
Before we go headlong into Group Policy theory, let's get some terminology and vocabulary distinctions out of the way:
-
The term Group Policy is the concept that, from upon high, you can do all this "stuff" to your client machines.
-
A policy setting is just one individual setting that you can use to do some actual control.
-
A Group Policy Object (GPO) is the "nuts-and-bolts" contained within Active Directory Domain Controllers that contains anywhere from one to a zillion individual policy settings.
It's my goal that after you work through this book, you'll be able to jump up on your desk one day and declare: "Hey! Group Policy isn't applying to our client machines! Perhaps a policy setting is misconfigured. Or, maybe one of our Group Policy Objects has gone belly up! I'd better read what's going on in Chapter 3, 'Group Policy Processing Behavior."'
This terminology can be a little confusingconsidering that each term encompasses the word policy. In this text, however, I've tried especially hard to use the correct nomenclature for what I'm trying to describe.
Note | Note that there is never a time to use the phrase "Group Policies." Those two words together shouldn't exist. If you're talking about "multiple GPOs" or "multiple policy settings" these are the preferred phrases to use. |
Where Group Policy Applies
Group Policy can be applied to many machines at once, or it can be applied only to a specific machine. For the most part in this book, I'll focus on using Group Policy within either a Windows 2000 or Windows 2003 Active Directory environment where it affects the most machines.
A percentage of the settings explored and discussed in this book are available to member or stand-alone Windows 2000 Server, Windows 2000 Professional, Windows 2003, and Windows XP Professional machineswhich can either participate or not participate in an Active Directory environment. However, the Folder Redirection settings (discussed in Chapter 9) and the Software Distribution settings (discussed in Chapter 10) are not available to stand-alone machines (that is, computers that are not participating in an Active Directory domain). In some cases, I will pay particular attention to non-Active Directory environments. However, most of the book deals with the more common case; that is, we'll explore the implications of deploying Group Policy in an Active Directory environment.
Most of the book shows screens of Windows XP clients within Windows 2003 domains. However, most of the book is still applicable for Windows 2000 domains with Windows 2000 and Windows XP clients. Indeed, you should not be scared off even if you're stuck with 100% Windows 2000 Domain Controllers. Where appropriate, I've noted the differences between the operating environments.
| ||
| ||
|