
Group Policy Overview

Pages: 7      File type: pdf      Size: 33.51 KB

Content extracted from the document:
The System policies provide another instrument to help system administrators control user access to the network and manage desktop settings, including data sharing and configuring system settings. The system policy represents registry settings that are automatically loaded when the user logs on to the system. The main difference between system policies and user profiles is that the system policy is applicable to users, user groups, and individual computers. Administrators can specify, modify, and support registry settings for each of the components just listed. By combining system policies for individual users, specific computers from which the user logs on, and for user groups, to which the user may belong, the administrator can get complete control over the types of user environments and user rights and permissions. To define the system policy settings, the administrator simply creates system policy templates.

The System Policy Editor tool was first introduced in the Windows NT 4.0 operating system. It allowed administrators to specify configuration settings for users and computers, and store these settings in the Windows NT registry. Using this utility, administrators could manage user work environments and specify configuration settings for all Windows NT 4.0 computers (both Workstation and Server). Starting with Windows 2000, this tool was replaced by the Group Policy MMC snap-in, which extends the capabilities of the System Policy Editor (SPE) and provides many additional options for managing client computer configurations, including registry based policies, security settings, scripts, and folder redirection. Group policy settings specified by the administrator are stored in the Group Policy Object (GPO), which, in turn, is associated with one of the Active Directory objects (site, domain, or organizational unit).

Group Policy implemented in newer versions of Windows NT-based operating systems has many significant advantages over the Windows NT 4.0 system policy (not to mention Windows 95/98). These advantages include:

- The possibility of associating with Active Directory objects (sites, domains, or organizational units). The policy associated with the Active Directory container influences all other computers and all the users within that container (site, domain, or organizational unit).
- Extended configuration capabilities. Both users and computers may be joined into groups.
- Improved security in comparison to Windows NT 4.0. Windows NT 4.0 policies were stored in the user profiles (this was sometimes called tattooing the registry). The specified registry setting using the System Policy Editor retained its value until it was changed by the administrator for the given policy, or manually changed by the user who edited the registry directly. This situation represented a problem (for example, when you decided to change group membership). This problem has been solved with Windows 2000, because registry settings specified by the group policy are written to the protected registry keys (\Software\Policies and \Software\Microsoft\Windows\CurrentVersion\Policies). When the group policy object (GPO) is no longer applicable, these settings are cleared.

Administrative Templates

The System Policy Editor utility included with Windows NT 4.0 Server uses administrative templates (ADM files). These templates allow you to define which registry settings are available for editing using the System Policy Editor.

Windows 2000 ADM files also specify registry settings that can be modified using the UI provided by the MMC Group Policy snap-in. The policy settings related to the user who logs on are written to the registry under the HKEY_CURRENT_USER root key (HKCU). The policy settings that relate to the software installed on the computer, and to the computer itself are written to the registry under the HKEY_LOCAL_MACHINE root key (HKLM).

ADM files are text files containing the hierarchy of categories and subcategories. These categories and subcategories define fully qualified registry settings that can be modified using the Group Policy user interface. The term fully qualified registry setting means that these settings also specify registry paths to the settings that will be modified using the Group Policy snap-in when you select the appropriate option.

Security Settings

The Group Policy MMC snap-in allows you to specify the security configuration applicable to one or more security areas. The security configuration specified using Group Policy is then applied to all computers within the Active Directory container.

Group Policy, which allows administrators to specify security settings, extends the existing operating system functionality. For example, the following capabilities are provided:

- Account Policies. These are security settings related to passwords, the account lockout policy, and Kerberos-related policy (within Windows 2000 domains).
- Local Policies. This is a group of settings that specify the auditing policy, user permissions, and other security settings. The Local policies allow administrators to configure access to the computer both locally and through the network, and specify the events that should be audited.
- Event Log. These are security settings that control the security of the system event logs (Application, Security, and System), accessed using Event Viewer.
- Restricted Groups. These settings allow you to specify the users who belong to restricted groups. Thus, the administrator can enforce the security policy in relation to groups like Enterprise Administrators, for example. If another user is added to this restricted group (for example, when there's an emergency and it's necessary to perform an urgent ...
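
The ADM-to-registry mapping described under Administrative Templates, as an added example (not part of the original document and not Microsoft's parser): a minimal Python reader that resolves each POLICY in a constructed template to its fully qualified registry path and flags values written outside the two protected Policies branches, which are not cleared when the GPO stops applying. By assumption it handles only CLASS, CATEGORY, KEYNAME, POLICY and VALUENAME; PART blocks and [strings] sections are not interpreted, and the vendor and policy names are hypothetical.

```python
# Protected branches named in the text; values there are cleared with the GPO.
PROTECTED = ("software\\policies\\",
             "software\\microsoft\\windows\\currentversion\\policies\\")
ROOTS = {"USER": "HKCU", "MACHINE": "HKLM"}  # CLASS keyword -> root key
# Constructed sample template (hypothetical vendor and policy names).
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!ExampleApp
  KEYNAME "Software\Policies\ExampleCorp\App"
  POLICY !!DisableUpdates
    VALUENAME "NoUpdate"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!Desktop
  KEYNAME "Software\ExampleCorp\App\Settings"
  POLICY !!HideTray
    VALUENAME "HideTray"
  END POLICY
  POLICY !!NoRun
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
  END POLICY
END CATEGORY
'''

def parse_adm(text):
    """Return (policy, full registry path, persists_after_gpo_removal) tuples."""
    root, scopes, out = None, [], []          # scopes: [kind, name, keyname]
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith(";"):   # blank line or ADM comment
            continue
        kw, arg = parts[0].upper(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if kw == "CLASS":
            root = ROOTS.get(arg.upper())
        elif kw in ("CATEGORY", "POLICY"):
            scopes.append([kw, arg.lstrip("!"), None])
        elif kw == "KEYNAME" and scopes:
            scopes[-1][2] = arg.strip("\\")         # innermost scope wins
        elif kw == "END" and scopes and arg.upper() == scopes[-1][0]:
            scopes.pop()
        elif kw == "VALUENAME" and root and scopes and scopes[-1][0] == "POLICY":
            key = next((s[2] for s in reversed(scopes) if s[2]), None)
            if key:
                protected = (key.lower() + "\\").startswith(PROTECTED)
                out.append((scopes[-1][1], f"{root}\\{key}\\{arg}", not protected))
    return out

print(*parse_adm(SAMPLE_ADM), sep="\n")
```

In the sample, only HideTray is flagged: its KEYNAME sits outside both protected branches, so a value written there behaves like the Windows NT 4.0 settings the text describes.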
