
Kathleen Molosky, PTS

Group Policy

As I am out visiting our partner community, I receive many inquiries as to how to tailor the Windows client user experience to accommodate business and security requirements. One of the best ways is through deployment of Group Policy Objects (GPOs). In addition to addressing user experience, Group Policy can also help a business reduce costs, control configurations, and enforce security settings. This article provides a quick introduction to Group Policy management as well as links to resources to help you learn more about this topic.

Group Policy provides a way to reach out and configure computer and user settings on networks, most commonly those based on Active Directory Domain Services (AD DS). In this scenario, requirements include: 1) the network must have at least one server with the AD DS role installed, 2) devices that you want to manage must be joined to the domain, 3) users that you want to manage must use domain credentials to log on, and 4) the person creating, editing, or deploying GPOs must have permission to edit Group Policy in the domain.

Alternatively, you can configure Group Policy settings locally on each computer. This capability is great for one-off scenarios or workgroup computers, but using local Group Policy is not recommended for business networks based on AD DS.

Architecturally, GPOs are composed of three parts. The Group Policy Container (GPC) exists in Active Directory. The Group Policy Template (GPT) is where the actual content of your GPOs resides. The third component, the Client-Side Extensions (CSEs), is found on client devices, which need them to properly process the Group Policies assigned to them.

Policy settings for computer and user configurations are included in Administrative Template files delivered with each Windows OS. You can configure these policy settings when you edit GPOs. Spreadsheets listing these policy settings are available for download based on the client / server OS.

The Group Policy Management Console (GPMC) is most often used to create, edit, and manage GPOs. In the AD DS scenario, once a GPO is created, you link it to selected Active Directory sites, domains, or organizational units (OUs) to apply the policy settings to the users and computers in those AD objects. An OU is the lowest-level AD container to which you can assign Group Policy settings. There may be situations where all clients reside in the same OU but you wish to apply different group policies based on user profiles (e.g. different versions of the OS, different user roles, etc.). In such a scenario you can establish membership groups and apply Group Policy based on group membership instead of the account's location in the OU hierarchy of the domain.

Group Policy management tools are also included in the Remote Server Administration Tools pack, which provides a way for you to administer Group Policy settings from your desktop. The Local Group Policy Editor, available as an MMC snap-in, is used for administering local Group Policy. Another tool of interest is Microsoft Advanced Group Policy Management (AGPM), which extends the capabilities of the GPMC by providing comprehensive change control and enhanced management of GPOs. For more information about AGPM, see the Microsoft Desktop Optimization Pack (MDOP) Web site.

The gpupdate command refreshes AD-based and local Group Policy settings, including security settings, on the computer from which it is run. This is a great command to know when troubleshooting Group Policy, as it forces an update of GPOs recently deployed in the environment.
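The workflow described above (create a GPO, scope it by group membership rather than OU location, link it, then refresh and check on a client), as an added example that is not part of the original article. It assumes the GroupPolicy PowerShell module from the Remote Server Administration Tools and an account permitted to edit Group Policy in the domain; the GPO name, OU path, group name, and report path are hypothetical placeholders.

```powershell
# Added example: every name below is a placeholder, not a value from the article.
Import-Module GroupPolicy   # installed with RSAT / the GPMC feature

$GpoName  = 'Example - Screen Lock (Finance)'      # hypothetical GPO name
$TargetOu = 'OU=Staff,DC=corp,DC=example,DC=com'   # hypothetical OU holding the user accounts
$Group    = 'Finance-Users'                        # hypothetical security group
$PolKey   = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# 1. Create the GPO. It is not linked anywhere yet, so nothing applies.
New-GPO -Name $GpoName -Comment 'Lock idle sessions after 15 minutes' | Out-Null

# 2. Configure registry-based user policy: password-protected screen saver after 900 seconds.
foreach ($setting in @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName $setting.Key `
        -Type String -Value $setting.Value | Out-Null
}

# 3. Scope by group membership BEFORE linking, so the GPO never briefly applies to everyone.
#    Authenticated Users is lowered to Read (still required so the GPO can be read during
#    processing); only members of $Group receive Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO to the OU that contains the user accounts.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 5. Review who can read, apply, or edit the GPO, and save a report for change records.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\example-screen-lock-gpo.html"

# 6. On a client, signed in as a member of $Group, refresh policy and confirm the result:
#      gpupdate /target:user /force
#      gpresult /r /scope user
```

In the gpresult output, the GPO should be listed under applied Group Policy Objects for members of the group and under the filtered-out objects for everyone else in the OU.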

I hope the above has provided a short yet informative introduction to Group Policy. There are many tools and resources available. For those just beginning to explore the value of Group Policy management as a service offering you can extend to your customers, a great place to start is with the whitepaper entitled Group Policy for Beginners.