1. Page 1 System and Group Policies Lecture 7 Hassan Shuja 11/02/2004

2. Page 2 System and Group Policies – Used to manage user and computer environments – Policies are set on the local computer while other policies are set at the domain, site, or OU level – Allows for central management – Policies offer more options than User profiles

3. Page 3 System and Group Policies System Policies – Policies created to manage non-Windows 2000 clients on a Windows 2000 network – Provide a consistent environment for a large number of users – User System Policy – Two type a ‘individual user policy’ or a ‘Default user policy’ – Individual applies to a single user – Default user policy needs to be created and will apply to users if they do not have an individual user policy – Group System Policy – Applies to all users members of a group that do not have individual user policies – If a user has multiple group policies, than they are applied from bottom to top – The group at the top has the highest priority

4. Page 4 System and Group Policies System Policies – Computer System Policy – A collection of settings that specifies a local computer’s configuration – Two types a ‘individual computer policy’ and a ‘Default computer policy’ – Individual applies to a single computer – Default computer policy needs to be created and will apply to computers if they do not have an individual computer policy – Creating a System Policy – Use a utility called the System Policy Editor (poledit.exe) – Save the file as ntconfig.pol for NT clients and as config.pol for non-NT clients – These files are saved under the NETLOGON share of the domain controller

5. Page 5 System and Group Policies Group Policies – Used to manage Windows 2000 clients – New feature in Windows 2000 – Central point of administration – Define users’ environments and system configuration from one central location – Can configure such things as the start menu, account policies, script assignments, security settings, and software distribution – Group Policies consist of two components – An Active directory object called a Group Policy Object (GPO) – A series of files and folders that are automatically when created when the GPO is created – GPO’s are associated with a specific AD container – GPO’s also use inheritance

6. Page 6 System and Group Policies Group Policies – Group Polices are applied based on user’s location in the Active Directory – For example – If a domain has a group policy, that is applied first and then if the OU that the user belongs to has a policy,that is applied second. – If there is no conflicting policies than the policies are added but when conflicting the OU policy takes precedence – Group Policies can be set on each individual computer using the computer without the use of AD – These policies support same as AD except software installation and folder redirection (gpedit.msc) – Within AD, you can define three types of GPOs; domain, OU, site – A Site is a collection of subnets on your network that high speed links connect – Group Policies on Active Directory are created through “Active Directory Users and Computers” or “Active Directory Sites and Services”

7. Page 7 System and Group Policies Group Policy – Multiple GPOs can apply to a user object – The GPO at the top has the highest priority and therefore processed last – Policy inheritance works in the following method – Local computer, Site Policy, Domain Policy, OU Policy – You can block inheritance and you can also prevent inheritance (‘No Override’ setting) from being blocked – If both of these settings are applied the No Override takes precedence over blocking inheritance – GPOs can be linked from one OU to another – This cuts down on administration time – A new AD object is created

8. Page 8 System and Group Policies Group Policy – Most settings in a GPO have three states – Unconfigured, enabled, disabled – By default all settings in a GPO are unconfigured – Members of the Enterprise Admins group, Domain Admins, or domain Administrators groups have the necessary permissions to create GPOs – GP files are saved in %Systemroot%\SYSVOL\sysvol\domain_name\Policies folder on the domain controller – This allows for accessibility from anywhere in the domain and for replication to other domain controllers – One challenge is to determine the right policy to apply to your users (Know what your users do and need before implementing)