Managing Browser Settings with Group Policy Tools
If you use Active Directory Domain Services (AD DS) to manage your network, you can use the comprehensive set of policy settings that Group Policy provides to manage Windows® Internet Explorer® 9 after you have deployed it to end users' computers. The following tools provide different ways to manages policies and settings.
Administrative Templates. You can use Administrative Template policy settings to manage registry-based policies for hundreds of Internet Explorer 9 options, including security options.
Internet Explorer Maintenance. You can use the Internet Explorer Maintenance (IEM) extension in Group Policy to preset and manage some Internet Explorer 9 settings (including user interface and connection settings) in your domain.
We recommend that you manage Internet Explorer 9 by using the Administrative Template settings in Group Policy whenever possible, because these settings are always written to secure Policy branches in the registry. Additionally, we recommend that you deploy standard user accounts instead of allowing users to log on to their computers as administrators, preventing users from making unwanted changes to their systems or overriding Group Policy settings.
By following these recommendations, users cannot change managed settings by using the Internet Explorer 9 user interface or by modifying the registry. Most of the extension settings in IEM and the browser settings that you can manage in the Internet Explorer Administration Kit 9 (IEAK 9) provide preferences that users can modify after they are applied.
If you do not use AD DS and Group Policy to manage users' computers, you can use the IEAK Profile Manager to configure and update some browser settings and preferences after deployment. For more information about the IEAK Profile Manager, see Managing Browser Settings Through IEAK 9 Profile Manager.
Group Policy overview
Most IT pros are familiar with Group Policy, which is based on AD DS and enables you to manage computer and user settings. You configure Group Policy settings in Group Policy objects (GPOs). To create and edit GPOs, you use the Group Policy Management Console (GPMC). By using the GPMC to link GPOs to selected Active Directory sites, domains, and organizational units (OUs), you apply the policy settings in the GPOs to the computers and users in those Active Directory containers. Group Policy objects include registry-based Administrative Template policy settings, security settings, software deployment, scripts, folder redirection, preferences, and IEM settings.
By using Group Policy to configure Internet Explorer 9, you can configure a setting one time and enforce that setting on many computers. In comparison to techniques like scripting, Group Policy can be the most efficient way to affect many computers with a low risk of human error. You can configure Internet Explorer 9 security settings in a GPO that you link to the domain, for example, and Group Policy can apply those settings to every computer in the domain. Users who do not log on to their computers as administrators cannot change those settings, so you can feel confident that Group Policy is enforcing your standard configuration.
Group Policy also provides flexible methods to target Group Policy settings at specific computers and users. The simplest way is to link GPOs to specific OUs, applying its settings only to the computers and users that the OU contains. Next, Group Policy supports security filtering. For example, you can configure a GPO so that it applies only to a specific security group within the organization. The most capable way to target a GPO is to use WMI filtering. For example, you can create a WMI filter that applies a GPO only to computers with a specific make and model; or that have a laptop chassis.
The complexity of Group Policy scales according to your requirements. Even small organizations can benefit from using Group Policy to manage their computers. In those scenarios, the implementation can be extremely simple, using only the most basic Group Policy features. Larger organizations with more complex requirements can use the advanced capabilities that Group Policy provides. For more information, see the Group Policy TechCenter on TechNet. The Group Policy TechCenter provides links to the latest technical documentation, videos, and downloads for Group Policy.
Group Policy management tools
Several tools are available to create, manage, view, and troubleshoot GPOs. The following sections describe many of these tools and provide links for learning more about them. These include:
Group Policy Management Console (GPMC)
Group Policy Management Editor (GPME)
Advanced Group Policy Management (AGPM)
Group Policy Management Console
The GPMC provides unified management of all aspects of Group Policy across multiple forests in an organization. By using the GPMC, you can manage all GPOs, Windows Management Instrumentation (WMI) filters, and Group Policy–related permissions on your network. The GPMC is your window into Group Policy, with all the Group Policy management tools available from the GPMC interface.
The GPMC provides a Microsoft Management Console (MMC)-based user interface and a set of scriptable interfaces for managing Group Policy. The 32-bit and 64-bit versions of the GPMC are included with Windows Server 2008 and Windows Server 2008 R2. Capabilities that the GPMC provide include:
Importing and exporting GPOs.
Copying and pasting GPOs.
Backing up and restoring GPOs.
Searching for existing GPOs.
Reporting capabilities, including Resultant Set of Policy (RSoP) data in HTML reports that you can save and print.
Group Policy Modeling, which allows you to simulate RSoP data for planning Group Policy deployments before implementing them in the production environment.
Group Policy Results, which allows you to obtain RSoP data for viewing GPO interaction and for troubleshooting Group Policy deployments.
Migration tables, which facilitate importing and copying of GPOs across domains and across forests. A migration table is a file that maps references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO.
Scriptable interfaces, which support all operations that are available within the GPMC. You cannot, however, use scripts to edit individual policy settings in a GPO.
For more information about the GPMC, see the article Group Policy Management Console on TechNet.
Group Policy Management Editor
When you open a GPO to edit it, the GPMC opens the GPME window. The GPME provides a user interface for editing settings within an individual GPO. Examples of the types of settings you can configure by using the GPME include:
Advanced Group Policy Management
Part of MDOP, AGPM is an add-on license for Software Assurance customers that extends Group Policy. It provides a robust delegation model and change control to help organizations optimize Group Policy management, reduce the risk of widespread failures, and quickly recover when problems do arise.
Three concepts are important to understanding AGPM.
Edit GPOs offline. First, you use AGPM to edit GPOs, outside of the production environment. AGPM stores GPOs in the AGPM archive. Only after editing, reviewing, and approving a GPO for deployment does AGPM move the GPO into production.
Three user roles. Second, you can delegate three roles to users:
Reviewer. Reviewers can view and compare GPOs in the AGPM archive, but they cannot edit or deploy GPOs.
Editor. Editors can view and compare GPOs in the AGPM archive. They can also check GPOs out of the archive, edit GPOs, check GPOs in to the archive, and request GPO deployment.
Approver. Approvers can approve GPO creation in the AGPM archive and GPO deployment to production. (When Approvers create or deploy a GPO, approval is automatic.)
You can delegate these roles to users and groups for all controlled GPOs within the domain (that is, domain delegation). You can also delegate these roles for individual controlled GPOs.
Advanced change-control features. Third, AGPM provides advanced change-control features that can help you manage the lifecycle of GPOs. Many of the AGPM change-control concepts will be familiar to administrators who have experience using common version-control tools, such as the version-control feature in Microsoft SharePoint® Server 2010.
To change and deploy a GPO:
Check out the GPO from the archive
Edit the GPO offline as necessary.
Check in the GPO to the archive.
Request GPO deployment to production.
AGPM keeps a history of changes for each GPO. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version, if necessary. AGPM can also compare different versions of a GPO, showing added, changed, and deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. A complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
For more information about AGPM, see the Advanced Group Policy Management Overview.
Windows PowerShell is a command-line shell and scripting language. With Windows PowerShell, you can automate Windows and application administration on a single computer locally or many computers remotely. To help you automate Group Policy administration, Group Policy offers more than 25 “cmdlets” for Windows PowerShell. Each is a simple, single-function command-line tool. You can use the Group Policy cmdlets to perform tasks for domain-based GPOs, such as:
Create, remove, back up, and import GPOs.
Create, update, and remove Group Policy links.
Set inheritance flags and permissions on organizational units (OU) and domains.
Configure registry-based policy settings and registry settings for Group Policy preferences.
Create and edit started GPOs.
For more information about Windows PowerShell, see the Scripting with Windows PowerShell on the Script Center TechCenter.
Group Policy logs event messages in the System log. You can view these messages by using the Event Viewer. The event source is Microsoft-Windows-GroupPolicy. For more information about using the event log to troubleshoot Group Policy, see Troubleshooting Group Policy Using Event Logs.