More on Group Policies

Administrators can use Group Policy to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory directory service environment. The majority of available policy settings is provided through Administrative Template files (.adm files) and is designed to modify specific keys in the registry. This is known as registry-based policy. For many applications, the use of registry-based policy delivered by .adm files is the simplest and best way to support centralized management of policy settings.

True Policies vs. Preferences

Group Policy settings that administrators can fully manage are known as “true policies.” In contrast, settings that users configure or that reflect the default state of the operating system at installation time are known as “preferences.” Both true policies and preferences contain information that modifies the registry on users’ computers. True policy settings take precedence over preference settings.

Registry values for true policies are stored under the following approved registry locations. Users cannot change or disable these settings.

For Computer Policy Settings:

HKLM\Software\Policies (the preferred location) and also

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

For User Policy Settings:

HKCU\Software\Policies (the preferred location) and also

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

Preferences are set by the user or by the operating system at installation time. The registry values that store preferences are located outside the approved Group Policy keys listed above, in other areas of the registry. Users can typically change their preferences at any time. For example, users can decide to change the location of their local dictionary, or set their wallpaper to a different bitmap. Most users are familiar with setting preferences that are available to them through the operating system or application user interface.
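The following PowerShell script is an added example (not from the original post) that reads the four approved policy keys listed above to show which registry-based settings reach a machine as true policies, and checks whether one named setting is delivered as a true policy rather than a preference. The function names and the sample value name are constructed placeholders.

```powershell
# Added example: audit the "true policy" registry locations on this computer.
# Values under these four keys are delivered by Group Policy and cannot be
# changed by the user; anything an application stores elsewhere is a preference.
$policyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-TruePolicyValues {
    param([string[]]$Roots = $policyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Walk the root key and every subkey, emitting one object per value.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = if ($root -like 'HKLM:*') { 'Computer' } else { 'User' }
                    Key   = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Returns $true when the named value exists under either approved policy key
# for the chosen scope, i.e. it is a true policy and not merely a preference.
function Test-IsTruePolicy {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$ValueName,
        [ValidateSet('Computer', 'User')][string]$Scope = 'User'
    )
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    foreach ($root in @("$hive\Software\Policies", "$hive\Software\Microsoft\Windows\CurrentVersion\Policies")) {
        $path = Join-Path $root $SubKey
        if ((Test-Path $path) -and
            ($null -ne (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue))) {
            return $true
        }
    }
    return $false
}

Get-TruePolicyValues | Format-Table Scope, Key, Name, Value -AutoSize
# Placeholder subkey/value: substitute the key and value an .adm file maps the setting to.
Test-IsTruePolicy -SubKey 'Microsoft\Windows\System' -ValueName 'EXAMPLE_VALUE_PLACEHOLDER' -Scope User
```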

Link Order

Within each domain, site, and organizational unit, the link order controls when links are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. The link with the higher order (with 1 being the highest order) has the higher precedence for a given site, domain, or organizational unit. For example, if you add six GPO links and later decide that you want the last one that you added to have highest precedence, you can move the GPO link to the top of the list.


Blocking Group Policy inheritance

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied.


Enforcing GPO Links

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. A GPO link that is enforced cannot be blocked by a child container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "Enforced" was known as "No Override."
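As an added example (not from the original post), this PowerShell script uses the GroupPolicy and ActiveDirectory modules to show the resolved link precedence for one container, and to list every organizational unit where inheritance is blocked or a link is enforced, so an unexpected precedence override is easy to spot. The OU distinguished name and the function names are placeholders.

```powershell
# Added example: report GPO precedence (link order, block inheritance, enforced).
# Requires the RSAT GroupPolicy and ActiveDirectory modules on the admin workstation.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoPrecedenceReport {
    param([Parameter(Mandatory)][string]$TargetDN)

    $inh = Get-GPInheritance -Target $TargetDN
    [pscustomobject]@{
        Container          = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # Links on this container only; Order 1 is the highest precedence.
        LocalLinks         = $inh.GpoLinks | Sort-Object Order |
                             Select-Object Order, DisplayName, Enabled, Enforced
        # Resolved list of direct and inherited links in precedence order:
        # enforced parent links win, then local links, then non-enforced
        # inherited links (which a blocked container does not receive).
        EffectiveOrder     = $inh.InheritedGpoLinks | Sort-Object Order |
                             Select-Object Order, DisplayName, Enforced, Target
    }
}

function Find-PrecedenceOverrides {
    # Walk every OU and flag the two settings that change normal inheritance.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $inh.Path; Finding = 'Block inheritance'; Gpo = $null }
        }
        foreach ($link in ($inh.GpoLinks | Where-Object Enforced)) {
            [pscustomobject]@{ Container = $inh.Path; Finding = 'Enforced link'; Gpo = $link.DisplayName }
        }
    }
}

# Placeholder DN: replace with the organizational unit you want to inspect.
$report = Get-GpoPrecedenceReport -TargetDN 'OU=Workstations,DC=example,DC=com'
$report.EffectiveOrder | Format-Table -AutoSize
Find-PrecedenceOverrides | Format-Table -AutoSize
```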


Backup, Restore, Import, Copy and Migration Tables

With Group Policy Management Console (GPMC) you can back up, restore, import, or copy Group Policy objects (GPOs). When you copy or import a Group Policy object (GPO) from one domain to another, you can use a migration table to tell Group Policy Management Console (GPMC) how domain-specific data should be treated.

Policy State and Associated Behavior

Enabled – Turns on the behavior indicated by the policy name

Disabled – Turns off the behavior indicated by the policy name

Not Configured – Has no effect; the default behavior applies


“String Too Long...” Hotfix for Earlier Operating Systems and Service Packs

If you or other administrators in your organization are going to manage policy settings on computers running earlier operating systems or service packs (for example, Windows Server 2003 or Windows XP with SP1), you need to install a hotfix in order for policy settings to appear correctly in the Group Policy Object Editor.

These hotfixes are available for the following:

· Windows Server 2003

· Windows XP with SP1

· Windows 2000

To obtain these hotfixes, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkId=4441.

If you are going to manage policy settings from workstation computers running Windows XP with SP2 only, you will be able to manage policy settings without applying any hotfixes. For example, you will be able to run the Group Policy Object Editor and view all the new policy settings delivered with Windows XP SP2.

Important: Opening a GPO on a computer running Windows XP with SP2 causes all other administrative workstations to use the new .adm files (no changes need be made to the GPO for this to occur). This will generate error messages when earlier versions of gpedit are loaded. For more information about this issue, see article 842933, "'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000," in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkId=4441.

By installing the hotfix for Windows Server 2003, Windows XP with Service Pack 1, and Windows 2000, you ensure that the Windows XP SP2 .adm files load correctly on these platforms.

Enough on group policies for the day!


Stephanie B. Doakes