Managing Group Policy on Windows Networks (Active Directory)
Last Updated: 29 May 2006 / Prior Update: 18 Oct 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One of the most powerful features of Windows 2000/2003 and
Active Directory is Group Policy. This functionality is a
quantum leap over what was offered in NT4, and it allows
administrators to completely manage the environment based
on Domain, OU, or Group membership, among other criteria.
The release of the Group Policy Management Console (GPMC)
has greatly improved the manageability of these features,
but it still requires a decent amount of planning to make
the best use of this functionality.
CREATING GROUP POLICY SNAP-INS:
• Windows 2000/XP/2003 (but not XP Home):
1. START --> RUN --> MMC
2. Press CTRL-M (to add a snap-in)
3. Press "Add"
4. Select "Group Policy"
5. Press "Add"
6. Enable the "Allow focus to be changed..." checkbox
7. Press "Browse"
8. Select the "Computers" tab
9. Select "Another Computer"
10. Press "Browse"
11. Enter computer name and press "Check Names"
12. Press "OK"
13. Press "OK"
14. Press "Finish"
15. Press "Close"
16. Press "OK"
17. Expand the console
NOTE: Microsoft now recommends that you leave the
default Domain & Domain Controller GPOs
as is, and always create new GPOs to enact your
policy changes. This has some benefits when it
comes to troubleshooting, especially if you are
not using the GPMC.
GROUP POLICY UTILITIES
• GPUPDATE ............... Native Utility -- XP/2003
• SECEDIT ................ Native Utility -- Win2K
• DCGPOFIX ............... Native Utility -- Server 2003 (Recovery Tool)
• GPMC ................... http://www.microsoft.com/windowsserver2003/gpmc/
• DCGPOFIX ............... http://support.microsoft.com/?KBID=833783
• RecreateDefpol ......... http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en
• GPMONITOR .............. Resource Kit -- Server 2003
• GPOTOOL ................ Resource Kit -- Server 2003
• WINPOLICIES ............ Resource Kit -- Server 2003
• Various Tools .......... http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gp_tools.asp
3RD PARTY GPO UTILITIES
• AutoProf ............... http://www.autoprof.com/
• Special Op Suite ....... http://www.specialoperationssuite.com/
RESTORING DEFAULT DOMAIN POLICIES
• http://technet2.microsoft.com/WindowsServer/en/Library/885ed84e-80da-4025-bd76-0ea4d05127f11033.mspx
• http://technet2.microsoft.com/WindowsServer/en/Library/48872034-1907-4149-b6aa-9788d38209d21033.mspx
• http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en
• http://www.winnetmag.com/Article/ArticleID/41878/41878.html
• http://www.jsiinc.com/SUBM/tip6400/rh6493.htm
• http://www.jsiinc.com/SUBP/tip7900/rh7962.htm
• http://support.microsoft.com/?kbid=833783
• http://support.microsoft.com/?kbid=830062
ASSIGNING LOGON SCRIPTS VIA GROUP POLICY
• http://www.serverwatch.com/tutorials/article.php/1474241
• http://technet2.microsoft.com/WindowsServer/en/Library/8a268d3a-2aa0-4469-8cd2-8f28d6a630801033.mspx
• http://technet2.microsoft.com/WindowsServer/f/?en/Library/22cf660f-c165-49e3-b768-2b8898a5684b1033.mspx
GROUP POLICY MANAGEMENT (GPMC) AUTOMATION
• http://technet2.microsoft.com/WindowsServer/en/Library/885ed84e-80da-4025-bd76-0ea4d05127f11033.mspx
DEPLOYING CLIENT SYSTEMS IN AN ACTIVE DIRECTORY DOMAIN
• http://support.microsoft.com/?KBID=816519
• http://support.microsoft.com/?KBID=314953
SOFTWARE RESTRICTION POLICIES
• http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
• http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=937&CatID=331
ADMINISTRATIVE TEMPLATES (ADM FILES)
• http://support.microsoft.com/?KBID=307900
• http://support.microsoft.com/?KBID=228460
• http://support.microsoft.com/?KBID=816662
• http://support.microsoft.com/?KBID=316977
GROUP POLICY SETTINGS REFERENCE
• http://www.ilstu.edu/win2000/tools/gpo_blank.xls
• http://msdn.microsoft.com/library/en-us/gp/615.asp
• http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&DisplayLang=en
XP-SP2 CHANGES TO GROUP POLICY
See the following for a full description of the issue:
• http://support.microsoft.com/?KBID=842933
The following hotfixes are needed to address this issue
on various versions of Windows...
• XP pre-SP2 ............. No link yet -- Contact Microsoft via KB842933
• Windows 2000 SP3/SP4 ... http://www.microsoft.com/downloads/details.aspx?FamilyID=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF
• SBS 2003 ............... http://www.microsoft.com/downloads/details.aspx?FamilyID=D70097C2-4317-40E0-B7DA-FEB52C6B6386
• Windows 2003 ........... http://www.microsoft.com/downloads/details.aspx?FamilyID=532A4CD0-F2CE-4FA7-92AB-AC336AD18409
• Windows XP/2003 -IA64 .. http://www.microsoft.com/downloads/details.aspx?FamilyID=568F75DE-F528-4925-BE8A-F7542555E5A7
WHITEPAPERS & TECH DOCUMENTS
• http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
• http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/
• http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
• http://www.microsoft.com/windows2000/server/evaluation/business/gpsimplifies.asp
• http://www.microsoft.com/windows2000/techinfo/planning/security/entsecsteps.asp
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicy.asp
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://msdn.microsoft.com/library/en-us/gp/615.asp
• http://support.microsoft.com/?KBID=833783
• http://support.microsoft.com/?KBID=245207
• http://support.microsoft.com/?KBID=279664
• http://support.microsoft.com/?KBID=266280
• http://support.microsoft.com/?KBID=245040
• http://support.microsoft.com/?KBID=816519
• http://labmice.techtarget.com/activedirectory/grpolicy.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADDITIONAL SEARCH OPTIONS (MS KB)
• http://msdn.microsoft.com/
• http://www.microsoft.com/technet/
• http://www.microsoft.com/
EXACT PHRASE ........... "Group Policy"
ALL WORDS .............. "Local Security Policy"
ALL WORDS .............. "Administrative Templates"
ALL WORDS .............. "lock down systems with group policy"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PERSONAL NOTES
• Oct 2004: There are several tools provided to restore
the Default Domain Group Policy Objects in 2000 & 2003
• Aug 2004: See KB842933 regarding changes to Group Policy
made by XP-SP2
• Under Win2K, the USER RIGHTS settings have been moved
to "Administrative Tools" --> "Local Security Policy"
under the MMC (%SystemRoot%\SYSTEM32\SECPOL.MSC)
• SECPOL will only address local security policy. It
does not appear possible to change the focus to a
remote system, as you could under NT4. You can still
use NTRIGHTS to make any necessary changes on single
machines, or use Group Policy at a domain or OU level.
• The downloadable Group Policy Management Console utility
makes it MUCH easier to manage Group Policies in a
domain or forest. It will only run on XP or 2003
systems, although it will work against 2000 or 2003
AD domains.
• Use the GPUPDATE command to force the processing of
user or computer policy changes in XP or 2003. In
Windows 2000, use the SECEDIT /REFRESHPOLICY command.