
Group Policies

I would have covered this topic under Active Directory, but that is already a large section, so Group Policy gets a section of its own. Either way, the Microsoft exams are likely to draw heavily on this material, because it is applied intensively in large organizations.

Group Policy is the technology that lets you define user desktop environments once, as user and computer settings, and then rely on Windows 2000 to enforce the Group Policy you defined continually throughout the network. Group Policy settings are stored in Group Policy Objects (GPOs), and a GPO can be linked to the following Active Directory containers: sites, domains and organizational units (OUs).

Group policies do NOT apply to pre-Windows 2000 computers.

For any policy setting in Windows 2000 you can leave it undefined (Not Configured), apply it (Enabled) or explicitly forbid it (Disabled). A Not Configured setting is simply not written, so whatever an earlier GPO or the local machine already set for it stays in effect; only Enabled and Disabled override earlier GPOs.


Group Policy Settings for Computers:

Group Policy settings for computers specify the operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. Computer-related Group Policy is applied when the operating system initializes and during the periodic refresh cycle. In general, computer Group Policy takes precedence over conflicting user Group Policy.

Group Policy Settings for Users:

Group Policy settings for users specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts. User-related Group Policy is applied when users log on to the computer and during the periodic refresh cycle.


When a new GPO is created or an existing one is edited, the operation is performed by default on the primary domain controller (PDC) Emulator, so that two administrators do not edit different replicas of the same GPO at the same time.

GPOs are applied in the order Local, Site, Domain, OU (and then child OUs, from parent to child), so a setting from a GPO applied later overrides the same setting from one applied earlier. GPOs linked to a domain are not inherited by its child domains; inheritance flows only down the OU hierarchy within a domain.

Group Policy is refreshed periodically: by default every 90 minutes (plus a random offset of up to 30 minutes) on Windows 2000 member computers and every 5 minutes on Windows 2000 domain controllers. A refresh re-applies only GPOs whose version number has changed; Security Settings are the exception and are re-applied every 16 hours even when nothing has changed.
This interval can be changed in:
-> Group Policy\Computer Configuration\Administrative Templates\System\Group Policy\Group Policy Refresh Interval For Computers, or
-> Group Policy\User Configuration\Administrative Templates\System\Group Policy\Group Policy Refresh Interval For Users.

Slow Link Processing

Windows 2000 can skip the processing of some Group Policy extensions over slow links (the default threshold is 500 Kbps; Software Installation and Folder Redirection are skipped by default). Registry-based settings (Administrative Templates) and Security Settings are always processed, however, and their slow-link processing cannot be disabled.

Resolving GPO Conflicts

When two GPOs configure the same setting differently, a conflict occurs. It is resolved by the processing order: the GPO applied last (the one linked closest to the user or computer object, i.e. OU over domain over site over local) wins, unless a link higher in the hierarchy is marked No Override, in which case that GPO's settings cannot be overridden by GPOs linked below it. Within a single container, the GPO at the top of the link list has the highest precedence. A setting that a GPO leaves Not Configured never conflicts with anything.


Managing Group Policy Inheritance

You can prevent a child container (a domain or an OU) from inheriting the Group Policy settings of its parents by enabling "Block Policy inheritance" on that child container (not on the client computer). This blocks all inherited GPO links, not a single Group Policy setting. To make critical policies survive such a block, mark their links on the parent container "No Override": a No Override link is always applied, and is applied after all other GPOs, so it can be neither blocked nor overridden by GPOs lower in the hierarchy.

The application of a GPO can be filtered by security group: a GPO applies only to principals that hold both Read and "Apply Group Policy" permission on it. Filtering is done either by explicitly denying "Apply Group Policy" to a group, or by not granting "Apply Group Policy" at all (for example by removing the default Authenticated Users entry and granting it only to the intended group). An explicit Deny takes precedence over an Allow obtained through any other group membership.
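The processing order, conflict resolution, Block Policy inheritance, No Override and security filtering rules above combine in ways that are easy to get wrong, so here is a small model of them as an added example (this is illustrative code written for this page, not code from the page or from Windows; the container and GPO names, setting names and group names are constructed). It applies the rules to a constructed hierarchy: a Local GPO, a site GPO linked with No Override, a domain GPO, and a Sales OU with two linked GPOs, one of which explicitly denies "Apply Group Policy" to the Sales Staff group.

```python
"""Added example: a model of Windows 2000 Group Policy precedence.
Implements Local -> Site -> Domain -> OU order, link order within a container,
Block Policy inheritance, No Override and security filtering on constructed
data. Illustrative only; it does not talk to Active Directory."""
from dataclasses import dataclass, field
from typing import Dict, List

ENABLED, DISABLED = "Enabled", "Disabled"   # a missing key means Not Configured


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]                  # setting name -> Enabled / Disabled
    # Security filtering: groups holding Allow Read + Apply Group Policy,
    # and groups holding an explicit Deny on Apply Group Policy.
    apply_allow: List[str] = field(default_factory=lambda: ["Authenticated Users"])
    apply_deny: List[str] = field(default_factory=list)

    def applies_to(self, groups: List[str]) -> bool:
        # An explicit Deny wins over any Allow; with no Allow at all the GPO is skipped.
        if any(g in self.apply_deny for g in groups):
            return False
        return any(g in self.apply_allow for g in groups)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:
    name: str                                 # Local, a site, a domain or an OU
    links: List[Link] = field(default_factory=list)   # index 0 = top of the link list
    block_inheritance: bool = False


def effective_gpo_order(path: List[Container], groups: List[str]) -> List[GPO]:
    """path is the object's hierarchy, top-down: [Local, Site, Domain, OU, sub-OU, ...].
    Returns the GPOs in application order; on a conflict the last one wins."""
    # The lowest container that blocks inheritance hides every non-No-Override
    # link of the containers above it (the local GPO is not a link and always stays).
    block_at = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal: List[GPO] = []
    no_override: List[GPO] = []
    for level, container in enumerate(path):
        # Within one container the top link has the highest precedence,
        # so the list is applied bottom-up.
        for link in reversed(container.links):
            if not link.gpo.applies_to(groups):
                continue                      # filtered out by the GPO's ACL
            if link.no_override and level > 0:
                no_override.append(link.gpo)
            elif level == 0 or level >= block_at:
                normal.append(link.gpo)
    # No Override links are applied after all others, and a parent's No Override
    # beats a child's, so they are appended in reverse hierarchy order.
    return normal + no_override[::-1]


def resolve(path: List[Container], groups: List[str]) -> Dict[str, str]:
    """Fold the ordered GPOs into the resulting settings."""
    result: Dict[str, str] = {}
    for gpo in effective_gpo_order(path, groups):
        result.update(gpo.settings)           # later GPO overrides; Not Configured leaves it alone
    return result


def build_path(block_on_sales_ou: bool) -> List[Container]:
    """Constructed hierarchy for the demonstration (hypothetical names)."""
    local = Container("Local", [Link(GPO("Local GPO", {"Remove Run": DISABLED}))])
    site = Container("Site-HQ", [Link(GPO("Site security", {"Screen saver password": ENABLED}),
                                      no_override=True)])
    domain = Container("corp.example", [Link(GPO("Domain default",
                                                  {"Remove Run": ENABLED, "Disable Task Manager": ENABLED}))])
    sales = Container("OU=Sales", [
        Link(GPO("Sales lockdown", {"Disable Task Manager": DISABLED})),
        Link(GPO("Sales admins", {"Screen saver password": DISABLED, "Remove Run": DISABLED},
                 apply_deny=["Sales Staff"])),
    ], block_inheritance=block_on_sales_ou)
    return [local, site, domain, sales]


if __name__ == "__main__":
    for block in (False, True):
        for groups in (["Authenticated Users", "Sales Staff"], ["Authenticated Users", "Sales Admins"]):
            order = [g.name for g in effective_gpo_order(build_path(block), groups)]
            print(f"block={block} {groups[1]}: {order} -> {resolve(build_path(block), groups)}")
```

Running it shows the three effects worth remembering: the Sales admins GPO never applies to a Sales Staff member because of the explicit Deny; enabling Block Policy inheritance on the Sales OU drops the domain GPO (so "Remove Run" falls back to the local GPO's Disabled) but not the site GPO, because its link is No Override; and the No Override site GPO wins the "Screen saver password" conflict even against the Sales admins GPO linked directly to the user's OU.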


Administrative Control of Group Policies

To enable a user to manage Group Policy links for a site, domain or OU: run the Delegation of Control Wizard on that container and delegate the "Manage Group Policy links" task, which grants Read and Write on the container's gPLink and gPOptions attributes (this allows linking GPOs, not editing them).

Enable a User or Group to Create GPOs: add the user or group to the Group Policy Creator Owners group. Members can create new GPOs in the domain and have full control of the GPOs they create, but not of GPOs created by others.

Enable a User to Edit GPOs: grant the user Read and Write permission on the GPO itself, on the Security tab of the GPO's properties.


Monitoring & Troubleshooting Group Policy

To enable diagnostic logging (Group Policy processing events written to the Application event log): set the REG_DWORD value RunDiagnosticLoggingGroupPolicy to 1 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics (create the key if it does not exist).

To enable verbose logging (a detailed Userenv.log in %SystemRoot%\Debug\UserMode): set the REG_DWORD value UserEnvDebugLevel to 0x10002 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Remove both values when finished; the logs grow quickly and reveal GPO names and paths to anyone who can read them.

The Windows 2000 Support Tools package on the Windows 2000 Server CD-ROM provides utilities such as Replmon.exe (Active Directory Replication Monitor, which can also show the version numbers of a GPO on each domain controller), ADSI Edit, Netdiag.exe and Dcdiag.exe.

The Windows 2000 Resource Kit includes Gpresult.exe (lists the GPOs that were applied to the current user and computer, and the security groups used for filtering) and Gpotool.exe (checks that each GPO's Active Directory and SYSVOL parts are consistent and replicated across domain controllers).

Features of Windows 2000 Group Policy



Using Group Policy to configure the user environment

The user environment can be configured using Administrative Template settings, script settings, folder redirection and security settings.

The settings can be applied to the computer (any user logging on to that computer gets them) or to the user (the user gets them on any computer they log on to). When user settings and computer settings conflict, the computer settings take priority.

The following are the types of Administrative Template settings, with the node each appears under (Computer Configuration, User Configuration, or both):

Windows Components  [Computer: yes | User: yes]
  Controls the parts of Windows 2000 and its tools and components to which users can gain access. This includes controlling user access to MMC.
System  [Computer: yes | User: yes]
  Controls logon and logoff procedures. With System settings you can manage Group Policy and refresh intervals, enable disk quotas, and implement loopback processing.
Network  [Computer: yes | User: yes]
  Controls the properties of network connections and dial-up connections, including shared network access.
Printers  [Computer: yes | User: no]
  Controls printer settings: printers can be forced to be published automatically in Active Directory, and Web-based printing can be disabled.
Start Menu and Taskbar  [Computer: no | User: yes]
  Controls which features users can access from the Start menu. For example, removing the Run command prevents users from running applications for which there is no icon or shortcut. You can also make the Start menu read-only and disable the user's ability to make changes.
Desktop  [Computer: no | User: yes]
  Controls the Active Desktop. You can control users' ability to gain access to the network and the Internet by hiding the appropriate desktop icons, and control what they can do with their My Documents folder.
Control Panel  [Computer: no | User: yes]
  Controls several applications in Control Panel, including restricting the use of Add/Remove Programs, Display, and Printers.

There are several Group Policy settings that you can use to customize a user's desktop environment. Securing the desktop involves setting up a computer so that it can perform only a limited number of functions that users cannot modify. For example, a computer in a public information kiosk can be configured to run only a Web browser.

The following table describes common Group Policy settings to configure when locking down user desktops, and examples of the possible effect of these configurations.

Hide all icons on desktop
  Location: User Configuration\Administrative Templates\Desktop
  Action: Hides all desktop items, including menus, folders and shortcuts. This gives users a simpler user interface.
Don't save settings at exit
  Location: User Configuration\Administrative Templates\Desktop
  Action: Disables the ability to save any configuration changes made during the logon session. The original settings are restored each time users log off and log back on.
Hide these specified drives in My Computer
  Location: User Configuration\Administrative Templates\Windows Components\Windows Explorer
  Action: Removes the icons for the selected drives from My Computer, Windows Explorer and My Network Places; the drive letters also do not appear in the Open dialog box of any application. Hiding drives helps limit users to running only the applications on the Start menu. Note that this setting only hides the drives; it does not deny access to them, so anyone who can type a path still reaches them.
Remove Run menu from Start menu
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Run command from the Start menu. However, users can still reach the same function through Task Manager (File > New Task).
Prohibit user from running Display in Control Panel
  Location: User Configuration\Administrative Templates\Control Panel\Display
  Action: Prevents users from changing display settings such as the wallpaper, screen saver or color scheme. This also reduces the support problems that arise when users change their desktop settings.
Disable and remove links to Windows Update
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Windows Update command from the Settings menu. However, the command is still available in Internet Explorer. Removing it helps prevent users from applying unauthorized updates or changes to their operating system.
Disable changes to Taskbar and Start Menu settings
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Taskbar & Start Menu command from the Settings menu. This helps prevent users from undoing changes you have made to their operating system.
Disable and remove the Shut Down command
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Prevents users from shutting down and restarting Windows 2000. This is useful on computers that must run continually, such as a computer in a public library.

You can restrict the network resources to which users can gain access. The following table provides types of Group Policy that contain settings to configure when locking down user access to network resources, and examples of the possible effect of these configurations.

Hide My Network Places icon on desktop
  Location: User Configuration\Administrative Templates\Desktop
  Action: Removes the My Network Places icon from the desktop. This affects only the icon: users can still reach shares by typing a UNC path, so combine it with the Run and Map Network Drive restrictions, and use logon scripts to map exactly the network drives users are meant to have.
Remove "Map Network Drive" and "Disconnect Network Drive"
  Location: User Configuration\Administrative Templates\Windows Components\Windows Explorer
  Action: Removes the Map Network Drive and Disconnect Network Drive options from Windows Explorer, and removes the Add Network Places wizard from My Network Places. However, users can still connect to computers with the Run command on the Start menu (or a UNC path in any Open dialog), so on its own this is a usability restriction, not a security boundary.
Tools menu: Disable Internet Options... menu option
  Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus
  Action: Removes the Internet Options command from Internet Explorer's Tools menu, which prevents users from modifying their Internet Explorer configuration through that dialog. Individual pages of the dialog can also be disabled with the settings under User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.

The following table provides the setting types that contain settings to configure when locking down user access to administrative tools and applications, and examples of the possible effects of these configurations.

Remove Search menu from Start menu
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Search menu from the Start menu. However, Search remains available in Windows Explorer and Internet Explorer. Removing the Search command helps prevent users from running bandwidth-intensive searches across the network.
Remove Run menu from Start menu
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Run command from the Start menu. This makes it harder for users to start unauthorized applications.
Disable Task Manager
  Location: User Configuration\Administrative Templates\System\Logon/Logoff
  Action: Prevents users from starting applications (or ending processes) by using Task Manager.
Run only allowed Windows applications
  Location: User Configuration\Administrative Templates\System
  Action: Prevents users from running applications other than those you list in this setting. The restriction is enforced by Windows Explorer only: it does not apply to programs started by Task Manager, a command prompt or another process, so treat it as a usability restriction rather than a security boundary.
Remove Documents menu from Start menu
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Documents command from the Start menu.
Disable changes to Taskbar and Start Menu settings
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the Taskbar & Start Menu command from the Settings menu. This helps prevent users from undoing changes you have made to the Start menu.
Remove common program groups from Start menu
  Location: User Configuration\Administrative Templates\Start Menu & Taskbar
  Action: Removes the common (All Users) program groups from the Start menu, so users see only the Start menu items in their own user profiles.


Loopback Processing Mode Setting in Group Policy

Loopback processing mode is a Group Policy setting (Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode) that applies the User Configuration settings of the GPOs that apply to the computer, instead of or on top of the User Configuration settings of the GPOs that apply to the user object. Normally Group Policy is applied to a user or computer based on where the user object or the computer object is located in Active Directory. For example, a user whose user object is in the Sales OU logs on to a computer whose computer object is in the Servers OU. The settings applied to the user come from the GPOs linked to the Sales OU and to its parent containers; the settings applied to the computer come from the GPOs linked to the Servers OU and to its parent containers. This default behavior may not be appropriate for certain computers, such as servers or computers dedicated to a single task: applications assigned to a user, for instance, should not automatically become available on a server. There are two possible modes for loopback processing:
-> Replace: the User Configuration settings of the computer's GPOs replace the user's own; the GPOs that apply to the user object are ignored entirely.
-> Merge: the user's own GPOs are applied first, then the User Configuration settings of the computer's GPOs, so on a conflict the computer's GPOs win, while settings the computer's GPOs leave Not Configured are kept from the user's GPOs.
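The difference between the two modes is easiest to see on a concrete conflict, so here is an added example (illustrative code written for this page, not from the page or from Windows; the GPO names, setting names and the kiosk scenario are constructed). Each list holds the User Configuration settings of the GPOs in one object's path, already in normal application order, and the function shows which settings a Sales user ends up with on a kiosk computer under normal processing, Merge and Replace.

```python
"""Added example: effect of loopback processing on User Configuration settings.
Constructed data; the lists stand for the GPOs of the user's and the computer's
Active Directory paths in their normal application order (Local, Site, Domain, OU)."""
from typing import Dict, List, Optional, Tuple

GPOList = List[Tuple[str, Dict[str, str]]]   # (GPO name, User Configuration settings)


def apply_user_settings(user_path: GPOList, computer_path: GPOList,
                        loopback: Optional[str] = None) -> Dict[str, str]:
    """loopback is None (normal processing), "merge" or "replace".
    Normal:  only the User Configuration of the GPOs that apply to the user object.
    Merge:   the user's GPOs first, then the User Configuration of the GPOs that
             apply to the computer, so the computer's GPOs win on a conflict.
    Replace: only the User Configuration of the GPOs that apply to the computer."""
    if loopback is None:
        order = user_path
    elif loopback == "merge":
        order = user_path + computer_path
    elif loopback == "replace":
        order = computer_path
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    result: Dict[str, str] = {}
    for _name, settings in order:
        result.update(settings)               # later GPO wins; Not Configured is absent
    return result


# Constructed scenario: a user from the Sales OU logs on to a kiosk computer
# whose computer object sits in an OU with a lockdown GPO.
SALES_USER: GPOList = [
    ("Domain default", {"Remove Run": "Enabled"}),
    ("Sales", {"Assign Sales app": "Enabled", "Disable Task Manager": "Disabled"}),
]
KIOSK_COMPUTER: GPOList = [
    ("Domain default", {"Remove Run": "Enabled"}),
    ("Kiosk lockdown", {"Disable Task Manager": "Enabled", "Hide all icons on desktop": "Enabled"}),
]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode or "normal", apply_user_settings(SALES_USER, KIOSK_COMPUTER, mode))
```

Under Merge the kiosk GPO wins the "Disable Task Manager" conflict, but the Sales GPO's assigned application still comes along because the kiosk GPOs leave it Not Configured; only Replace drops it, which is why Replace is the mode to use for dedicated machines where nothing from the user's own OU should take effect.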


Related Links:
GPO Processing Order - Windows Systems Group