Understanding Group Policy on Windows Server 2003 Michael J. Murphy TechNet Presenter

What we will cover: Group Policy Concepts Linking and Order of Precedence Group Policy Management Console New Features of Windows 2003 Group Policy

Prerequisite Knowledge Experience supporting Windows servers Experience supporting Microsoft networks Familiarity with the Windows server user interface Understanding of Active Directory concepts Level 200

Agenda Windows Server 2003 Group Policy Concepts Linking and Order of Precedence Group Policy Management Console New Features of Windows 2003 Group Policy

Group Policy Management Issues Problem: Group Policy is too hard Existing UI confusing and limited Core capabilities missing –Reporting of GPO settings –Backup/restore of GPOs –Import/export of GPOs Existing capabilities not scriptable

Windows Server 2003 Group Policy Group Policy Concepts Used to manage users and computers –Deploys Policy through Active Directory –Applied at site, domain, and OU levels Group Policy is highly flexible –Registry-based policy settings –Security settings –Software installation –User Environment control –Internet Explorer maintenance

Agenda Windows Server 2003 Group Policy Concepts Linking and Order of Precedence Group Policy Management Console New Features of Windows 2003 Group Policy

Windows Server 2003 Group Policy Group Policy Order of Precedence Local Security Policy Site Policy Domain Policy Parent OU Policy Child OU Policy

Windows Server 2003 Group Policy Group Policy Objects and Links GPOs contain policy settings Links define what objects the GPO will target –Scope of Management Sites, Domains, OU, OU, etc. Filtering can be based on links to Scope Of Management (SOM) Group Policy Management Console –Better illustrates the relationship between GPOs and Links

Agenda Windows Server 2003 Group Policy Concepts Linking and Order of Precedence Group Policy Management Console New Features of Windows 2003 Group Policy

Windows Server 2003 Group Policy Group Policy Management Console

Windows Server 2003 Group Policy Administrative Template Extension Used by Group Policy to configure settings in a Group Policy Object Server Side Snap-in –Loads in Group Policy Object Editor –ADM files Client-Side Extension –Writes policy settings that update registry keys on target client computers

Windows Server 2003 Group Policy ADM Files Enables configuration of policy settings –Do not actually contain policy settings –Policy settings are contained registry.pol Windows Server 2003 contains: –System.adm –Inetres.adm –Conf.adm –Wmplayer.adm –Wuau.adm Location of ADM files

Windows Server 2003 Group Policy ADM Files Enables configuration of policy settings –Do not actually contain policy settings –Policy settings are contained registry.pol Windows Server 2003 contains: –System.adm –Inetres.adm –Conf.adm –Wmplayer.adm –Wuau.adm Location of ADM files

Windows Server 2003 Group Policy ADM Files Walkthrough

Windows Server 2003 Group Policy Registry.pol Files Walkthrough

Windows Server 2003 Group Policy Group Policy Concepts and the GPMC Editing Group Policy Objects Creating and Managing Group Policies demonstration demonstration

Windows Server 2003 Group Policy Group Policy Capabilities Folder redirection Backup/Restore Software restriction WMI Filters

Group Policy Management Backup and Restore Backup / Export: –Transfers any live GPO to the file system –Backs up policy settings, ACLs, links to WMI filters Restore: –Puts things back exactly as before –GPO must be in the same domain Scenario: –Restore a policy to return to original settings

Software Restriction Policies Goals New feature of Group Policies Allow or restrict access to software –Set default to allow or disallow software –Create rules to bypass the default –Specify affected file extensions Prevent: –Viruses –Unapproved or non-standard applications –Any applications you wish to restrict

Software Restriction Policies Rules Certificate Rules –Verify digital certificate Hash Rules –Identifies software with unique hash Internet Zone Rules –Applies to Windows Installer packages Path Rules –Define specific path for software

Group Policy Management WMI Filters

Software Restriction Policies Software Restriction Policies Creating a Path Rule demonstration demonstration

Session Summary Group Policy allows you to manage and control your environment more easily Use the new GPMC to manage GPO’s and Security Policies Take Advantage of New Features of Windows Server 2003 Group Policy

For More Information… Visit TechNet at For additional information on books, courses and other community resources that support this session visit

For More Information… Windows 2003 Deployment Guide – WindowsServ/2003/all/deployguide/en- us/Default.asp?url=/resources/documentation/ WindowsServ/2003/all/deployguide/ Group Policy Common Scenarios – milyID=354b9f45-8aa c681a &displaylang=en

MS Press Inside information for IT Professionals To find the latest titles, visit

3rd Party Publications Supplementary publications for IT Pro’s These books can be found and purchased at all major book stores and online retailers

Become A Microsoft Certified Systems Engineer (MCSE) What is the MCSE certification? –Premier certification for IT pros who analyze the requirements, design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System How do I become an MCSE on Microsoft Windows Server 2003? –Pass 6 core exams –Pass 1 elective exams from a comprehensive list Where do I get more information?