Group Policy Collection

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy Collection

Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory. Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.

Group Policy is one of a group of management technologies, collectively known as IntelliMirror management technologies, which provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer—even when they are disconnected from the network. IntelliMirror is implemented through a set of Microsoft Windows features, including Active Directory, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles.

This collection includes detailed information about each of the following areas of Group Policy:

  • Core Group Policy

  • Group Policy Components

  • Group Policy Administrative Tools

This page introduces Group Policy management concepts and architecture, summarizes the areas included in the Group Policy collection, and describes Group Policy scenarios.

Group Policy Management

Administrators face increasingly complex challenges in managing the IT infrastructure. You must deliver and maintain customized desktop configurations for more types of workers such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Security settings and updates must be delivered efficiently to all the computers and devices in the organization. New users need to be productive quickly without costly training. In the event of a computer breakdown or disaster, service must be restored with a minimum of data loss and interruption. All of these tasks, known collectively as Change and Configuration Management, must be achieved at the lowest possible cost. You need to be able to implement change quickly and affect large numbers of users and computers. Group Policy is the infrastructure that allows you to implement change on the object level in Active Directory.

You need to be able to define configurations once and rely on the operating system to enforce that state. With Active Directory, GPOs can be linked to sites, domains, and OUs, allowing Group Policy settings to be applied to users and computers. In addition, GPOs can be used to help manage server computers, through many server-specific operational and security settings. This infrastructure provides a high degree of flexibility, allowing you to customize configurations, such as delivering a specific piece of software to specialized users based on their membership in an OU. In addition, the Group Policy Management Console (GPMC) simplifies implementation and management of Group Policy.

Group Policy Architecture

Group Policy uses a document-centric approach to creating, storing, and associating Group Policy settings. Similar to the way in which Microsoft Word stores information in .doc files, Group Policy settings are contained in GPOs. A GPO is a virtual object; policy-setting information is stored in two locations: the Active Directory container to which the GPO is linked, and the Sysvol on the domain controller.

Group Policy is configured primarily through the use of two tools: Group Policy Object Editor, (previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit) and Group Policy Management Console (GPMC), available for download from the Microsoft Web site. Whereas Group Policy Object Editor is used to configure and modify settings within GPOs, GPMC is used to create, view, and manage GPOs. Group Policy architecture is shown in the following diagram, which shows how the primary components interact through read or write access. Components are described in the figure below.

Group Policy Architecture

Group Policy Components

Group Policy Components

Component Description

Server (Domain Controller)

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Active Directory

Active Directory, the Windows-based directory service, stores information about objects in a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domains, and OUs that include user and computer objects. In this way, Group Policy settings can be targeted to users and computers throughout the organization.

Group Policy object (GPO)

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). The GPC, which contains information on the properties of a GPO, is stored in Active Directory on each domain controller in the domain. The GPT contains the data in a GPO and is stored in the Sysvol in the /Policies sub-directory. GPOs affect users and computers that are contained in sites, domains, and OUs.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).

Local Group Policy object

The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, Windows XP Media Center Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.

Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.

Although you can configure local GPOs on individual computers, the full power of Group Policy can only be realized in a Windows Server network with Active Directory installed. In addition, some features and Group Policy settings require client computers running Windows XP.

Group Policy Object Editor

Group Policy Object Editor is a Microsoft Management Console (MMC) snap-in that is used to edit GPOs. It was previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit.

Server-Side Snap-Ins

The MMC snap-in is loaded, by default, in Group Policy Object Editor. Server-side snap-in extensions provide the user interface to allow you to configure various policy settings while client-side extensions implement the actual policy settings on target client computers.

Snap-in extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, Internet Explorer Maintenance, Disk Quotas, Wireless Network Policy, and QoS Packet Scheduler. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to Group Policy Object Editor to provide additional Group Policy settings.

Client-Side Extensions

Client-side extensions (CSEs) run within dynamic-link libraries (DLLs) and are responsible for implementing Group Policy at the client computer. The following CSEs are loaded, by default, in Windows Server 2003:

Administrative Templates, Wireless Network Policies, Folder Redirection, Disk Quotas, QoS Packet Scheduler, Scripts, Security, Internet Explorer Maintenance, EFS Recovery, Software Installation, and IP Security.

Group Policy Management Console (GPMC)

GPMC is a new tool designed to simplify implementation and management of Group Policy. It consists of a new MMC snap-in and a set of scriptable interfaces for managing Group Policy. The Group Policy Management Console provides:

  • A user interface based on how customers use and manage Group Policy, rather than on how the technology is built.

  • Import/Export, Copy/Paste, and searching of GPOs.

  • Simplified management of Group Policy-related security.

  • Reporting (printing, saving, read-only access to GPOs) for GPO and Resultant Set of Policy (RSoP) data.

  • Backup/Restore of GPOs.

  • Scripting of GPO operations that are exposed within this tool (but NOT scripting of settings within a GPO).

Resultant Set of Policy (RSoP) snap-in

The Resultant Set of Policy (RSoP) snap-in is an MMC snap-in that that simplifies Group Policy implementation and troubleshooting. RSoP uses Windows Management Instrumentation (WMI) to determine how Group Policy settings are applied to users and computers. For RSoP functionality, it is recommended to use the reporting features in GPMC.

Winlogon

A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.

Group Policy engine

The Group Policy engine is the framework that handles common functionalities across client-side extensions including scheduling of Group Policy application, obtaining GPOs from relevant configuration locations, and filtering and ordering of GPOs.

File System

The NTFS file system on client computers.

Registry

A database repository for information about a computer’s configuration, the registry contains information that Windows continually references during operation, such as:

  1. Profiles for each user.

  2. The programs installed on the computer and the types of documents that each can create.

  3. Property settings for folders and program icons.

  4. The hardware on the system.

  5. Which ports are being used.

The registry is organized hierarchically as a tree, and it is made up of keys and their subkeys, hives, and entries. The Group Policy engine has read and write access to the Registry.

Registry settings can be controlled via the Group Policy Administrative Templates extension.

Event Log

The Event log is a service, located in Event Viewer, which records events in the system, security, and application logs. The Group Policy engine has write access to the Event Log on client computers and domain controllers. The Help and Support Center on each computer has read access to the Event Log.

Help and Support Center

The Help and Support Center is a component on each computer that provides HTML reports on the Group Policy settings currently in effect on the computer.

Resultant Set of Policy (RSoP) infrastructure

All Group Policy processing information is collected and stored in a Common Information Model Object Management (CIMOM) database on the local computer. This information, such as the list, content and logging of processing details for each GPO, can then be accessed by tools using WMI.

In logging mode (Group Policy Results), RSoP queries the CIMOM database on the target computer, receives information about the policies and displays it in GPMC. In planning mode (Group Policy Modeling), RSoP simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a domain controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the domain controller. The results of this simulation are stored to a local CIMOM database on the domain controller before the information is passed back and displayed in GPMC.

WMI

WMI is a management infrastructure that supports monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter.

Core Group Policy

This subject explains Group Policy infrastructure including how the Group Policy engine controls policy processing, including retrieval of GPOs, invocation of individual extensions, and other infrastructure functionality.

Group Policy Components

The Group Policy Components subcollection describes the role of extensions including server-side snap-in extensions and client-side extensions. These extensions include: Administrative Templates, Software Installation, Security Settings, Scripts, Remote Installation Services, Internet Explorer Maintenance, Folder Redirection, QoS Packet Scheduler, Disk Quotas, and Wireless Network Policies.

Group Policy Administrative Tools

This subcollection explains administrative tools including the Group Policy Object Editor, Group Policy Management Console, and the Resultant Set of Policy (RSoP) snap-in.

Group Policy Scenarios

Group Policy is used to define configurations for groups of users and computers. With Group Policy, you can specify specific configurations for a wide range of areas including Administrative Templates (registry-based policies), security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. Group Policy settings are contained in a GPO. By associating a GPO with selected Active Directory system containers—sites, domains, and organizational units—the GPO's Group Policy settings are applied to the users and computers in those Active Directory containers. This section provides an overview of what you can do with Group Policy.

Managing Desktops, Applications, and Components with Registry-Based Policies

Administrative Templates (or .adm files) enable you to control registry settings using Group Policy, providing the means to configure the behavior and appearance of the desktop, including the operating system, components, and applications. Windows comes with a predefined set of Administrative template files, which are implemented as text files (with an .adm extension), that define the registry settings that can be configured in a GPO. These .adm files are stored in two locations by default: inside GPOs in the Sysvol folder and in the %windir%\inf directory on the local computer.

Managing Security

Group Policy is used to manage the following types of securityoptions for users, clients, servers, and domain controllers:

  • Security settings. These Group Policy settings are used to define values for various security-relevant operating system parameters, such as password policy, user rights assignment, audit policy, registry values, file and registry ACLs, and service startup modes.

  • IPSec policies. These Group Policy settings are used to configure IPSec services for authenticating or encrypting network traffic. An IPSec policy consists of a set of security rules, and each security rule consists of an IP filter with an action.

  • Software restriction policies. These Group Policy settings are used to help protect computers from code that is not trusted by identifying and specifying which applications are permitted to run.

  • Wireless network policies. These Group Policy settings are used to configure settings for the Wireless Configuration Service, a user-mode service that operates on each of the IEEE 802.11 wireless network adapters that are installed on a computer.

  • Public Key Policies. These Group Policy settings are used to:

    • Specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate.

    • Create and distribute a certificate trust list.

    • Establish common trusted root certification authorities.

    • Add encrypted data recovery agents and change the encrypted data recovery policy settings.

Implementing Group Policy–based Software Installation

The Software Installation snap-in is used to centrally manage software. Software can be assigned or published to users and assigned to computers. Group Policy-based software installation can be used to install software applications when a computer is started, when the user logs on, or on demand. Software installation Group Policy settings can be applied to users or computers in an Active Directory structure.

Group Policy-based software installation can also be used to upgrade deployed applications or remove earlier applications that are no longer required. Users can be restricted from installing any software from local media, such as a CD-ROM, or disk, or other unapproved applications.

Medium and large organizations may wish to consider using Systems Management Server (SMS). SMS provides advanced capabilities such as inventory-based targeting, status reporting, server- and client-side scheduling, multisite facilities, complex targeting, centralized hardware and software inventory, remote diagnostic tools, software metering, software distribution-point population and maintenance, support for Windows 95, Windows 98, Windows NT 4.0, Windows 2000, and Windows XP clients, and enhanced software deployment features. SMS does not require Active Directory.

Managing Remote Operating System Installations

Remote Installation Services (RIS) is used to control the behavior of the Remote Operating System Installation feature as displayed to client computers. Remote Installation enables administrators to perform a new installation of Windows on Preboot eXecution Environment (PXE) remote boot-enabled client computers throughout an organization. Using a customized, fully automated installation process from a remote source, an administrator does not have to visit the new computer to install a new operating system and core applications.

Managing with Scripts

Scripts are used to automate tasks at computer startup and shutdown, and at user logon and logoff. Scripts can be written in any language supported by Windows Script Host including the Microsoft Visual Basic development system, Scripting Edition (VBScript), JavaScript, PERL, and MS DOS-style batch files (.bat and .cmd).

Managing Internet Explorer

Internet Explorer Maintenance is used to manage and customize Internet Explorer on computers running Windows 2000 or later. You can set options for the Browser UI, connections, URLs, proxy settings, security zones, Favorites, and Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening). .

Managing Folder Redirection

You can use folder redirection to redirect special directories on Windows 2000 or Windows Server 2003 from their default user profile location to an alternate location on the network. These special folders include My Documents, Application Data, Desktop, and the Start menu.