First of all, you need to be more than a creator of Group Policy. You also need to be a designer, or an architect. To accomplish this, you have to spend some time clicking through the different policy settings so you know what exists.
We are going to walk through some of the basics of policy possibilities, and ultimately we provide the steps for you to create two policies: one for securing password settings through greater complexity and another for hiding the Screen Saver tab in your Display Properties. These examples will help you get your feet wet with Group Policy settings and application.
Access Group Policy Settings
There are multiple ways to access Group Policy settings, some of which are more complicated than others. Let's start simply. If you select Start, Administrative Tools, Group Policy Management, you are taken to a one-stop-shop location for Group Policy settings, the Group Policy Management console, shown in Figure 1. In this console, you can see a hierarchy of the forest, including your domain(s), OUs, and sites.
Consider a few elements of your policy:
What exactly are you looking to configure?
Will you combine multiple items into a single GPO, or will you use multiple GPOs due to the nature of the settings and persons you are applying them to?
Where is the best place to apply a GPO once it is created?
To begin with, you might want to see where security settings for your domain are configured. They are configured in policies that are applied at the domain level. To see an existing policy, you can perform the following steps:
1. Expand your forest branch by clicking the plus sign.
2. Expand the domain by using the plus sign.
3. Select Default Domain Policy. Note the four tabs displayed in the console:
4. Right-click the policy and click Edit. The Group Policy Management Editor appears.
5. Make adjustments to the Default Domain Policy, including the security settings in the Settings tab.
The Group Policy Management Editor
The Group Policy Management Editor provides a very simple way of seeing what is happening in one particular GPO. Within a single GPO, however, you have the ability to make many configuration changes.
The Default Domain Policy, for example, is already configured with certain options, mainly related to security. You can see that there is a basic hierarchy of Computer Configuration and User Configuration. Beneath each of these, for both configuration sets, are Policies and Preferences sections.
Policies Versus Preferences
What is the difference between Group Policy Policies and Group Policy Preferences? Well, it may come down to enforcement. Users cannot change Group Policy settings. Preferences do not enforce settings over users and computers, but they apply settings, although in the same tattooing approach that we saw back in the days of Windows NT 4.0 with system policies.
Group Policy Preferences (GPP) arrived with Windows Server 2008 after Microsoft purchased a company called Desktop Standard and its PolicyMaker line of products. For clients other than Vista to process GPP settings, they have to install the GPP Client Side Extension (CSE), available from Microsoft. So, how do GPP and CSE differ?
Group Policy settings do not tattoo the registry, they supersede an application's configuration settings, and/or they are recognized by an application. Preferences settings, however, do tattoo and can overwrite an application's configuration setting, but they are not recognized by an application. With GPP settings, there are more than simply Apply or Don't Apply type options. Now you can choose to remove items that no longer apply and can also choose Apply Once and Do Not Reapply, which gives you greater flexibility.
Note
One aspect of Preferences settings that makes them as flexible as they are powerful is the ability to perform item-level targeting. Using the Targeting Editor tool, you can define where you want a policy applied (laptops, only certain OS versions, disk space, or RAM settings...it is truly item-level targeting).
While policies are the key element to Group Policy, let's consider one type of Preferences setting that may help you see the value in using a GP Preferences policy: the ability to create shortcuts in Internet Explorer that you can then use to implement intranet sites directly within your users' Favorites.
To create a policy of this sort, you perform the following steps:
Note
We assume that you are using the existing policy for the domain in this case. We will show how to create new policies in the next section.
1. In the Group Policy Manager, right-click the appropriate policy and choose Edit to open the policy with the Group Policy Management Editor.
2. Under User Configuration, expand Preferences. Then expand Windows Settings.
3. Right-click Shortcuts and select New Shortcut.
4. Notice in Figure 2 that you can specify the action, name, target type, and location. Give your shortcut a reasonable name, such as Company Intranet Site. (You can put your shortcut in a special folder if you like, one that exists or one that will be created, by making the name Folder\Name.)
5. Select Target Type and change it to URL.
6. Select Location and choose Explorer Favorites.
7. Indicate the target URL.
8. Click OK.
Because that policy is set for the domain (as mentioned earlier), users will have that shortcut in their Internet Explorer Favorites the next time they log in.
Note
While a user policy applies when the user logs out and back in again, you can force it to happen by opening a command prompt and typing gpupdate.
Policy Settings
Within either Computer Configuration or the User Configuration, you see three sets of folders: Software Settings, Windows Settings, and Administrative Templates (see Figure 3).
The settings in Computer Configuration and in User Configuration are not the same. If you open each of the folders, you see that some settings are connected to only one or the other. For example, establishing account policies is something you can only do from the Computer Configuration side of a policy.
As you click among the many different settings, you may begin to wonder what each one does and how it functions. With many of the policies, you can see an extended view showing the requirements for and description of the policy, as shown in Figure 4.
In addition, you can double-click to open any policy setting and see the Setting tab (where you can configure settings), the Explain tab (where you can see a very detailed explanation of the setting), and the Comment tab (where you can make comments and observations regarding that setting).
Change an Existing GPO
To alter an existing GPO, you begin by finding the GPO within the Group Policy Management console. If you look under the hierarchy for a folder called Group Policy Objects, you see that, by default, there are only two policies: Default Domain Controllers Policy and Default Domain Policy. You can add others, as discussed in the next section.
We mentioned a little earlier that we will walk through two different policy settings. The first is a security setting, which means it has to be set at the domain level. In this case, you are simply going to alter the Default Domain Policy.
To alter the Default Domain Policy to require, in this case, complexity of passwords, you perform the following steps:
1. In the Group Policy Management console, expand the hierarchy, and under Domains select the Group Policy Objects folder. (As noted earlier, you could also expand the domain name to find the Default Domain Policy.)
2. Right-click the policy and choose Edit.
3. From the Group Policy Management Editor tool, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and expand Account Policies.
4. Select Password Policy.
5. Note the option Password Must Meet Complexity Requirements; this option is most likely enabled by default, but make sure it is selected.
6. Double-click the policy setting. Note the Security Policy Setting and Explain tabs.
7. After you alter a policy setting, click OK, and the change becomes part of the GPO.
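
To confirm that the password setting edited above is actually in effect, the following added example (not part of the original text) reads the effective domain password policy and lists which GPOs linked at the domain root define it. It assumes the ActiveDirectory and GroupPolicy RSAT modules (Windows Server 2008 R2 or later) and PowerShell 3.0 or later; the function name and the minimum-length baseline are hypothetical.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and PowerShell 3.0 or later.
Import-Module ActiveDirectory, GroupPolicy

function Get-PasswordPolicyAudit {
    param(
        [int]$MinLength = 8   # assumed baseline; substitute your own standard
    )

    $domain    = Get-ADDomain
    $effective = Get-ADDefaultDomainPasswordPolicy

    # Enabled GPO links at the domain root; Order 1 has the highest precedence.
    $links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
        Where-Object { $_.Enabled } | Sort-Object Order

    # Find every domain-linked GPO whose report carries the complexity setting.
    $defining = @(foreach ($link in $links) {
        $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        if ($report -match 'PasswordComplexity') { $link.DisplayName }
    })

    $findings = @()
    if (-not $effective.ComplexityEnabled) {
        $findings += 'Password Must Meet Complexity Requirements is not in effect'
    }
    if ($effective.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum length $($effective.MinPasswordLength) is below $MinLength"
    }
    if ($effective.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled'
    }
    if ($defining.Count -gt 1) {
        $findings += "Several domain-linked GPOs set password policy: $($defining -join ', ')"
    }

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        Complexity    = $effective.ComplexityEnabled
        MinLength     = $effective.MinPasswordLength
        DefinedInGpos = $defining
        Findings      = $findings
    }
}

Get-PasswordPolicyAudit | Format-List
```

An empty Findings list means the complexity requirement is in effect and only one domain-linked GPO defines it.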
Create a New GPO
There are many ways to create a new GPO. One simple way is to create a policy without initially being concerned with its application. The policy can reside under the Group Policy Objects branch of the Domain section of the Group Policy Management console.
To create a new policy in the Group Policy Objects branch, perform the following steps:
1. In the Group Policy Management console, expand the hierarchy under Domains and select the Group Policy Objects folder.
2. Right-click the Group Policy Objects folder and choose New.
3. Give your new policy a name. In this case, call it No Screensaver Tab.
4. Select a Starter GPO if you have an existing GPO that you want to use as your base set of configuration settings, like a template. In this case, choose None and click OK. The No Screensaver Tab policy should show up under your Group Policy Objects folder.
5. Right-click the No Screensaver Tab policy and choose Edit.
6. Expand User Configuration, expand Policies, expand Administrative Templates, and expand Control Panel.
7. Select the Display folder and double-click the Hide Screen Saver setting to open it.
8. Select the Enabled radio button. Note the Explain and Comment tabs. Click OK.
9. Close the Group Policy Management Editor tool.
Now, when you have this new policy in the Group Policy Objects section of the Group Policy Management console, you can select it and see information about it. Figure 5 shows an at-a-glance view of the settings.
Even though you have the policy, unlike the default domain and domain controller policies, this one hasn't been applied to anything yet. You can apply it to the domain, the OU, or the site level. The choice is really up to you.
Apply a GPO
To apply policies, you need to know what a policy does and who it is supposed to affect. Because policies can be applied at the site, domain, and OU levels, you have to prepare policies with the appropriate application in mind.
To link an existing GPO to the domain, site, or OU level, perform the following steps:
1. In the Group Policy Management tool, right-click the domain, OU, or site to which you want to apply the policy and then click Link an Existing GPO.
2. From the Select GPO dialog, look in your domain (or other domains) for the GPO. When you locate the GPO name, click it. Click OK.
Now you can see that the GPO is linked because you can see it in the Linked Group Policy Objects tab when you select the domain, OU, or site.
Create and Apply a GPO
If you want to avoid taking multiple steps to create and apply a GPO (although that is the more organized method of GPO deployment), you can create and apply the GPO at the same time.
To create and apply a GPO at the same time, perform the following steps:
1. In the Group Policy Management tool, select the domain, OU, or site to which you want to apply the policy.
2. Right-click the domain, OU, or site and then click Create a GPO in This Domain and Link It Here.
3. In the New GPO dialog, provide a name and a Starter GPO.
Note
Remember that creating the GPO and having it applied is only half the process. You still have to edit the GPO and create the settings you want applied.
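
The create, edit, and link procedures from the last three sections can also be scripted. The following added example (not part of the original text) creates the No Screensaver Tab GPO, configures the setting, links it to a domain or OU, and reads the result back. It assumes the GroupPolicy RSAT module (Windows Server 2008 R2 or later) and PowerShell 3.0 or later. The function name and the sample target are hypothetical, and the registry value NoDispScrSavPage is the one commonly documented for the Hide Screen Saver setting, not something the text states.

```powershell
# Added example (not from the original text). Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Publish-NoScreensaverTabGpo {
    param(
        [string]$Name = 'No Screensaver Tab',
        # Distinguished name of a domain or OU, e.g. 'OU=Staff,DC=example,DC=com'
        # (constructed placeholder).
        [Parameter(Mandatory = $true)][string]$Target
    )
    $key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    # Create the GPO only if it does not exist, so the function can be re-run.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Hides the Screen Saver tab'
    }

    # Registry value behind the Hide Screen Saver setting (User Configuration).
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'NoDispScrSavPage' `
        -Type DWord -Value 1 | Out-Null

    # Link only when no link to this GPO exists on the target yet.
    $existing = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $existing) {
        New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
    }

    # Read back the setting and the link so the result can be checked.
    $value = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'NoDispScrSavPage'
    $link  = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    [pscustomobject]@{
        Gpo = $gpo.DisplayName; GpoId = $gpo.Id
        Setting = "$($value.ValueName)=$($value.Value)"
        LinkedTo = $Target; LinkEnabled = $link.Enabled
    }
}
```

Call it with the distinguished name of the domain or OU you want the policy applied to; affected users pick up the setting at next logon or after running gpupdate.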