Group Policy Tips and Info


This is not a reference or tutorial on Windows 2000 Group Policy. There are whole books written for that.  This document is meant to highlight some of the more important and maybe less known information about Group Policies. At the bottom of the page are links to more detailed information on Group Policies.


What are Group Policies?


Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies.
For Active Directory Users and Computers, it is the same process except you right click the Domain or an OU and choose Properties.


Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies.  The following table shows who can create/modify group policies:

Site Level Group Policies:
  Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies:
  Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies:
  Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Local Group Policies:
  The local Administrator user account or members of the local Administrators group.

Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.


How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Polices to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies.
Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies.
To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first, and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated, as a whole, and then applied to Sally the user. They are not applied Development OU first, and then Security OU (or vice versa).
The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied.  When users login, the User policies are applied.  When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive.  The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.


Disabling Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately.  There is no "saving" of GPOs.  To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under the Disable column, double click - a little check will appear.  Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO.  Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it.  You can also click the Options button on the Group Policy tab and select the Disabled check box.
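The precedence rules described on this page (LSDO container order, bottom-to-top application within one container's GPO list, the computer setting winning where computer and user policies overlap, and a disabled GPO being skipped) as a small Python model you can run offline. This is an added example, not a Microsoft tool and not code from the original page; every setting name, and every GPO name other than the page's three Human Resources GPOs, is constructed for the demonstration.

```python
"""Toy model of the Windows 2000 Group Policy precedence rules described on this page.
Added example only: not a Microsoft tool and not code from the page. All setting
names and every GPO name except the page's three Human Resources GPOs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    computer: Dict[str, str] = field(default_factory=dict)  # Computer Configuration node
    user: Dict[str, str] = field(default_factory=dict)      # User Configuration node
    disabled: bool = False                                   # Disable column checked


# A container (site, domain, OU) holds its GPOs in the order the Group Policy tab
# lists them: index 0 is the top of the list.
Container = Tuple[str, List[GPO]]


def resolve_node(chain: List[Container], node: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Evaluate one node ('computer' or 'user') over a container chain given in
    LSDO order. Returns (effective settings, winning GPO per setting).

    Later containers in the chain override earlier ones, and within a container the
    list is applied bottom to top, so the top entry is applied last and wins a
    conflict. Disabled GPOs are skipped entirely.
    """
    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for container_name, gpos in chain:
        for gpo in reversed(gpos):          # bottom of the displayed list first
            if gpo.disabled:
                continue
            for setting, value in getattr(gpo, node).items():
                effective[setting] = value  # last writer wins
                winner[setting] = f"{container_name}/{gpo.name}"
    return effective, winner


def resolve_effective(computer_chain: List[Container], user_chain: List[Container]) -> Dict[str, str]:
    """Merge the computer result and the user result for one logon session.
    The two chains may differ because the computer object and the user object can
    live in different OUs. Where a setting exists in both nodes, the computer wins."""
    computer, _ = resolve_node(computer_chain, "computer")
    user, _ = resolve_node(user_chain, "user")
    merged = dict(user)
    merged.update(computer)                  # computer values overwrite user values
    return merged


def build_sample() -> Tuple[List[Container], List[Container]]:
    """Constructed sample directory: a disabled site GPO, a domain GPO, the page's
    Human Resources OU (holding the user object) and a separate OU for the workstation."""
    site = ("Site", [GPO("Site Lockdown", computer={"AutoLogoff": "1"}, disabled=True)])
    domain = ("Domain", [GPO("Default Domain Policy",
                             computer={"MinPasswordLength": "8", "RunWindowsUpdate": "1"},
                             user={"RunWindowsUpdate": "1"})])
    hr_users = ("OU:Human Resources", [   # top of the Group Policy tab list first
        GPO("No ScreenSaver", user={"ScreenSaverActive": "0", "HideScreenSaverTab": "1"}),
        GPO("No Display Settings", user={"NoDispCPL": "1", "HideScreenSaverTab": "0"}),
        GPO("No Windows Update", user={"RunWindowsUpdate": "0"}),
    ])
    hr_pcs = ("OU:HR Workstations", [GPO("Workstation Baseline",
                                         computer={"RequireCtrlAltDel": "1"})])
    user_chain = [site, domain, hr_users]
    computer_chain = [site, domain, hr_pcs]
    return computer_chain, user_chain


if __name__ == "__main__":
    computer_chain, user_chain = build_sample()
    user_settings, user_winner = resolve_node(user_chain, "user")
    for setting in sorted(user_settings):
        print(f"user  {setting}={user_settings[setting]}  (from {user_winner[setting]})")
    for setting, value in sorted(resolve_effective(computer_chain, user_chain).items()):
        print(f"final {setting}={value}")
```

Running it shows the two conflicts the page describes being resolved: HideScreenSaverTab comes from No ScreenSaver because that GPO sits above No Display Settings in the list, and RunWindowsUpdate ends up as 1 because the domain's computer setting overrides the user setting from the Human Resources OU. The disabled site GPO contributes nothing, which is exactly why disabling a GPO while you configure it keeps a half-built GPO from reaching anyone.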


Scripts

Startup scripts are processed at computer bootup and before the user logs in.
Shutdown scripts are processed after a user logs off, but before the computer shuts down.

Login scripts are processed when the user logs in.
Logoff scripts are processed when the user logs off, but before the shutdown script runs.

==========================================================

Refreshing Policies

Group Policies can be applied when a computer boots up, and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

The following policies are not affected by background refresh. They are only applied at logon time:

Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins., with a +/- 30 min. interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins.
Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.

Using the command line to refresh policies

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer.  To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy  to refresh the user policies
secedit /refreshpolicy machine_policy  to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user  to refresh the user policies
gpupdate /target:computer  to refresh the computer (or machine) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies.  There is no separation of the two like there is with secedit.

==========================================================

Default Setting for Dial-up users

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.  Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Policies not applied over slow links:

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated, the computer policies are applied first, followed by the user policies.

If the user connects to the domain using "Network and Dial-up Connections", after they logon, the policies are applied using the standard refresh cycle.

==========================================================

Default Group Policies

There are two default group policy objects that are created when a domain is created.  The Default Domain policy and the Default Domain Controllers policy.

Default Domain Policy - this GPO can be found under the group policy tab for that domain.  It is the first policy listed.  The default domain policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - When set at the domain level, it affects the Domain Administrator account only.
Rename Guest Account - When set at the domain level, it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above.  If you want to create additional domain level policies, you should create additional domain level GPOs.
Do not delete the Default Domain Policy.  You can disable it, but it is not recommended.

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab.  This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers.  That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can logon locally and so on.


b/johnson:02