Managing Group Policy on Windows Networks (Active Directory)

Last Updated: 29 May 2006 / Prior Update: 18 Oct 2004
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***


One of the most powerful features of Windows 2000/2003 and
Active Directory is Group Policy.  This functionality is a
quantum leap over what was offered in NT4, and it allows
administrators to completely manage the environment based
on Domain, OU, or Group membership, among other criteria.

The release of the Group Policy Management Console (GPMC)
has greatly improved the manageability of these features,
but it still requires a decent amount of planning to make
the best use of this functionality.


CREATING GROUP POLICY SNAP-INS:

• Windows 2000/XP/2003 (but not XP Home):
	 1. START --> RUN --> MMC
	 2. Press CTRL-M (to add a snap-in)
	 3. Press "Add"
	 4. Select "Group Policy"
	 5. Press "Add"
	 6. Enable the "Allow focus to be changed..." checkbox
	 7. Press "Browse"
	 8. Select the "Computers" tab
	 9. Select "Another Computer"
	10. Press "Browse"
	11. Enter computer name and press "Check Names"
	12. Press "OK"
	13. Press "OK"
	14. Press "Finish"
	15. Press "Close"
	16. Press "OK"
	17. Expand the console


NOTE:  Microsoft now recommends that you leave the
       default Domain & Domain Controller GPOs as is,
       and always create new GPOs to enact your policy
       changes.  This has some benefits when it comes
       to troubleshooting, especially if you are not
       using the GPMC.


GROUP POLICY UTILITIES

• GPUPDATE ............... Native Utility -- XP/2003
• SECEDIT ................ Native Utility -- Win2K
• DCGPOFIX ............... Native Utility -- Server 2003 (Recovery Tool)

• GPMC ................... http://www.microsoft.com/windowsserver2003/gpmc/
• DCGPOFIX ............... http://support.microsoft.com/?KBID=833783
• RecreateDefpol ......... http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en

• GPMONITOR .............. Resource Kit -- Server 2003
• GPOTOOL ................ Resource Kit -- Server 2003
• WINPOLICIES ............ Resource Kit -- Server 2003

• Various Tools .......... http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gp_tools.asp


3RD PARTY GPO UTILITIES

• AutoProf ............... http://www.autoprof.com/
• Special Op Suite ....... http://www.specialoperationssuite.com/


RESTORING DEFAULT DOMAIN POLICIES

• http://technet2.microsoft.com/WindowsServer/en/Library/885ed84e-80da-4025-bd76-0ea4d05127f11033.mspx
• http://technet2.microsoft.com/WindowsServer/en/Library/48872034-1907-4149-b6aa-9788d38209d21033.mspx
• http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en
• http://www.winnetmag.com/Article/ArticleID/41878/41878.html
• http://www.jsiinc.com/SUBM/tip6400/rh6493.htm
• http://www.jsiinc.com/SUBP/tip7900/rh7962.htm
• http://support.microsoft.com/?kbid=833783
• http://support.microsoft.com/?kbid=830062


ASSIGNING LOGON SCRIPTS VIA GROUP POLICY

• http://www.serverwatch.com/tutorials/article.php/1474241
• http://technet2.microsoft.com/WindowsServer/en/Library/8a268d3a-2aa0-4469-8cd2-8f28d6a630801033.mspx
• http://technet2.microsoft.com/WindowsServer/f/?en/Library/22cf660f-c165-49e3-b768-2b8898a5684b1033.mspx


GROUP POLICY MANAGEMENT (GPMC) AUTOMATION

• http://technet2.microsoft.com/WindowsServer/en/Library/885ed84e-80da-4025-bd76-0ea4d05127f11033.mspx


DEPLOYING CLIENT SYSTEMS IN AN ACTIVE DIRECTORY DOMAIN

• http://support.microsoft.com/?KBID=816519
• http://support.microsoft.com/?KBID=314953


SOFTWARE RESTRICTION POLICIES

• http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
• http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=937&CatID=331


ADMINISTRATIVE TEMPLATES (ADM FILES)

• http://support.microsoft.com/?KBID=307900
• http://support.microsoft.com/?KBID=228460
• http://support.microsoft.com/?KBID=816662
• http://support.microsoft.com/?KBID=316977


GROUP POLICY SETTINGS REFERENCE

• http://www.ilstu.edu/win2000/tools/gpo_blank.xls
• http://msdn.microsoft.com/library/en-us/gp/615.asp
• http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&DisplayLang=en


XP-SP2 CHANGES TO GROUP POLICY

See the following for a full description of the issue:
• http://support.microsoft.com/?KBID=842933

The following hotfixes are needed to address this issue
on various versions of Windows...

• XP pre-SP2 ............. No link yet -- Contact Microsoft via KB842933
• Windows 2000 SP3/SP4 ... http://www.microsoft.com/downloads/details.aspx?FamilyID=BA478B46-3AF7-4EAF-9CE6-E34EA2C74FAF
• SBS 2003 ............... http://www.microsoft.com/downloads/details.aspx?FamilyID=D70097C2-4317-40E0-B7DA-FEB52C6B6386
• Windows 2003 ........... http://www.microsoft.com/downloads/details.aspx?FamilyID=532A4CD0-F2CE-4FA7-92AB-AC336AD18409
• Windows XP/2003 -IA64 .. http://www.microsoft.com/downloads/details.aspx?FamilyID=568F75DE-F528-4925-BE8A-F7542555E5A7


WHITEPAPERS & TECH DOCUMENTS

• http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx
• http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/
• http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
• http://www.microsoft.com/windows2000/server/evaluation/business/gpsimplifies.asp
• http://www.microsoft.com/windows2000/techinfo/planning/security/entsecsteps.asp
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp
• http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicy.asp
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://msdn.microsoft.com/library/en-us/gp/615.asp
• http://support.microsoft.com/?KBID=833783
• http://support.microsoft.com/?KBID=245207
• http://support.microsoft.com/?KBID=279664
• http://support.microsoft.com/?KBID=266280
• http://support.microsoft.com/?KBID=245040
• http://support.microsoft.com/?KBID=816519
• http://labmice.techtarget.com/activedirectory/grpolicy.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADDITIONAL SEARCH OPTIONS (MS KB)

• http://msdn.microsoft.com/
• http://www.microsoft.com/technet/
• http://www.microsoft.com/

  EXACT PHRASE ........... "Group Policy"
  ALL WORDS .............. "Local Security Policy"
  ALL WORDS .............. "Administrative Templates"
  ALL WORDS .............. "lock down systems with group policy"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


PERSONAL NOTES

• Oct 2004: There are several tools provided to restore
  the Default Domain Group Policy Objects in 2000 & 2003

• Aug 2004: See KB842933 regarding changes to Group Policy
  made by XP-SP2

• Under Win2K, the USER RIGHTS settings have been moved
  to "Administrative Tools" --> "Local Security Policy"
  under the MMC (%SystemRoot%\SYSTEM32\SECPOL.MSC)

• SECPOL will only address local security policy.  It
  does not appear possible to change the focus to a
  remote system, as you could under NT4.  You can still
  use NTRIGHTS to make any necessary changes on single
  machines, or use Group Policy at a domain or OU level.

• The downloadable Group Policy Management Console util
  makes it MUCH easier to manage Group policies in a
  domain or forest.  It will only run on XP or 2003
  systems, although it will work against 2000 or 2003
  AD domains.

• Use the GPUPDATE command to force the processing of
  user or computer policy changes in XP or 2003. In
  Windows 2000, use the SECEDIT /REFRESHPOLICY command.
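
  The refresh commands from the note above, combined into one
  batch file for a mixed 2000/XP/2003 environment.  This is an
  added example, not part of the original notes; using the
  presence of GPUPDATE.EXE to tell XP/2003 apart from Windows
  2000 is an assumption.

```batch
@echo off
rem Added example: force a Group Policy refresh with whichever
rem native tool this version of Windows ships.
rem Assumption: GPUPDATE.EXE exists only on XP / Server 2003.

if exist "%SystemRoot%\system32\gpupdate.exe" goto xp2003

rem --- Windows 2000: machine and user policy are refreshed separately.
rem /ENFORCE reapplies settings even if the GPOs have not changed.
secedit /refreshpolicy machine_policy /enforce
if errorlevel 1 goto failed
secedit /refreshpolicy user_policy /enforce
if errorlevel 1 goto failed
echo Refresh requested; Windows 2000 applies it in the background.
goto done

:xp2003
rem --- XP / Server 2003: /FORCE reapplies all settings, not only
rem the ones that changed.  GPUPDATE may prompt to log off or
rem restart when a setting only applies at logon or startup.
gpupdate /target:computer /force
if errorlevel 1 goto failed
gpupdate /target:user /force
if errorlevel 1 goto failed
rem GPRESULT lists the GPOs actually applied, to confirm the change.
gpresult
goto done

:failed
echo Policy refresh failed with errorlevel %errorlevel%.
exit /b 1

:done
exit /b 0
```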