Working with Group Policies

from Chapter 4, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

Once you've selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. Techniques for working with this console are examined in this section.

Getting to Know the Group Policy Console

As Figure 4-3 shows, the Group Policy console has two main nodes:

  • Computer Configuration: Allows you to set policies that should be applied to computers, regardless of who logs on.

  • User Configuration: Allows you to set policies that should be applied to users, regardless of which computer they log on to.

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you're creating. Still, you'll usually find that both Computer Configuration and User Configuration have subnodes for

  • Software Settings: Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.

  • Windows Settings: Sets policies for folder redirection, scripts, and security.

  • Administrative Templates: Sets policies for the operating system, Windows components, and programs. Administrative templates are configured through template files. You can add or remove template files whenever you need to.

    Figure 4-3: The configuration of the Group Policy console depends on the type of policy you're creating and the add-ons installed.

Note: A complete discussion of all the available options is beyond the scope of this book. The sections that follow focus on using folder redirection and administrative templates. Scripts are discussed in the section entitled "User and Computer Script Management." Security is covered in Part II of this book, "Microsoft Windows 2000 Directory Services Administration."

Centrally Managing Special Folders

You can centrally manage special folders used by Windows 2000 through folder redirection. You do this by redirecting special folders to a central network location instead of using multiple default locations on each computer. The special folders you can centrally manage are

  • Application Data

  • Desktop

  • Start Menu

  • My Documents

  • My Pictures

You have two options for redirection. You can redirect a special folder to the same network location for all users or you can designate locations based on user membership in security groups. In either case, you should make sure that the network location you plan to use is available as a network share. See Chapter 13 for details on sharing data on the network.

Redirecting a Special Folder to a Single Location

You redirect a special folder to a single location by completing the following steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with as specified in the section of this chapter entitled "Creating and Editing Site, Domain, and Unit Policies."

  2. In the User Configuration node, you'll find Windows Settings. Expand this entry by double-clicking it, and then select Folder Redirection.

  3. Right-click the special folder you want to work with, such as Application Data, and then select Properties on the shortcut menu. This opens a properties dialog box similar to the one shown in Figure 4-4.

  4. In the Target tab, use the Setting selection list to choose Basic - Redirect Everyone's Folder To The Same Location.

  5. Enter the folder path to use in the Target Folder Location field. The folder you select is where all data for the special folder is stored. The folder path should be set to a shared folder that is available on the network through a Universal Naming Convention (UNC) path, such as \\Zeta\UserData. Click Browse to search for the folder in the Browse For Folder dialog box.

    Figure 4-4: Set options for the redirection using the Application Data Properties dialog box.

    Tip: Normally, user data isn't stored separately. To specify that user data should be placed in subfolders that are specific to the user, add %UserName% to the path. For example, instead of setting the folder path to \\Zeta\UserData, you would use \\Zeta\UserData\%UserName%.

  6. Click the Settings tab, and then configure additional options using the following fields:

    • Grant The User Exclusive Rights To ...: Gives users full rights to access their data in the special folder.

    • Move The Contents Of ... To The New Location: Moves the data in the special folders from the individual systems on the network to the central folder(s).

  7. Click OK to complete the process.

Redirecting a Special Folder Based on Group Membership

You redirect a special folder to different locations based on security group membership by completing the following steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with.

  2. In the User Configuration node, you'll find Windows Settings. Expand this entry by double-clicking it, and then select Folder Redirection.

  3. Right-click the special folder you want to work with, such as Application Data, and then select Properties on the shortcut menu.

  4. In the Target tab, use the Setting selection list to choose Advanced - Specify Locations For Various User Groups. As shown in Figure 4-5, a Security Group Membership panel is added to the properties dialog box.

  5. Click Add to display the Specify Group And Location dialog box. Or select an existing group entry and click Edit to modify its settings.

  6. In the Security Group Membership field, type the name of the security group for which you want to configure redirection. Click Browse to find a security group to add.

  7. In the Target Folder Location field, type the folder path to use. The folder you select is where the related data for the selected group is stored. The folder path should be set to a shared folder that is available on the network through a UNC path, such as \\Zeta\UserData. Click Browse to search for the folder in the Browse For Folder dialog box.

    Tip: Normally, user data isn't stored separately. To specify that user data should be placed in subfolders that are specific to the user, add %UserName% to the path. For example, instead of setting the folder path to \\Zeta\UserData, you would use \\Zeta\UserData\%UserName%.

    Figure 4-5: Configure advanced redirection using the Security Group Membership panel.

  8. Click OK. Then repeat steps 5-7 for other groups that you want to configure.

  9. When you're done creating group entries, click the Settings tab and then configure additional options using the following fields:

    • Grant The User Exclusive Rights To ...: Gives users full rights to access their data in the special folder.

    • Move The Contents Of ... To The New Location: Moves the data in the special folders from the individual systems on the network to the central folder(s).

Removing Redirection

Sometimes you may want to remove redirection from a particular special folder. You remove redirection by completing the following steps:

  1. Access the Folder Redirection subnode in the Group Policy console.

  2. Right-click the special folder you want to work with, and then select Properties on the shortcut menu.

  3. Select the Settings tab, and then make sure that an appropriate Policy Removal option is selected. Two options are available: Leave The Folder In The New Location When Policy Is Removed or Redirect The Folder Back To The Local Userprofile Location When Policy Is Removed. If you select the first option, files and folders remain in the redirected location even when redirection is removed. If you select the second option, files and folders are moved back to their local user profile location.

  4. If you changed the Policy Removal option, click Apply. Then select the Target tab. Otherwise just select the Target tab.

  5. To remove all redirection definitions for the special folder, use the Setting selection list to choose No Administrative Policy Specified.

  6. To remove redirection for a particular security group, select the security group in the Security Group Membership panel and then click Remove.

  7. Click OK.

Using Administrative Templates to Set Policies

Administrative templates provide easy access to registry-based policy settings that you may want to configure.

Viewing Administrative Templates and Policies

As Figure 4-6 shows, a default set of administrative templates is configured for users and computers in the Group Policy console. You can add or remove administrative templates as well. Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM) and user configurations are saved in HKEY_CURRENT_USER (HKCU).

Figure 4-6: Policies are set through administrative templates.

You can view the currently configured templates in the Group Policy console's Administrative Templates node. This node contains policies that can be configured for local systems, organizational units, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can manually add additional templates containing new policies in the Group Policy console and when you install new Windows components.

You set the user interface for the Administrative Templates node in .adm files. These files are formatted as ASCII text and can be edited or created using a standard text editor. When you set policies through the Administrative Templates node, the policy settings are saved in Registry.pol files. Separate Registry.pol files are used for HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU).

The best way to get to know what administrative template policies are available is to browse the Administrative Templates nodes in the Group Policy console. As you browse the templates, you'll find that policies are in one of three states:

  • Not Configured: The policy isn't used and no settings for it are saved in the registry.

  • Enabled: The policy is actively being enforced and its settings are saved in the registry.

  • Disabled: The policy is turned off and isn't enforced unless overridden. This setting is saved in the registry.

Enabling, Disabling, and Configuring Policies

You can enable, disable, and configure policies by completing the following steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with.

  2. Access the Administrative Templates folder in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set.

  3. In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.

  4. Double-click or right-click a policy and choose Properties to display its related properties dialog box.

  5. Click the Explain tab to see a description of the policy. The description is only available if one is defined in the related .adm file.

  6. To set the policy's state, click the Policy tab and then use the radio buttons provided to change the state of the policy:

    • Not Configured: The policy is not configured.

    • Enabled: The policy is enabled.

    • Disabled: The policy is disabled.

    Note: Computer policies have precedence in Windows 2000. So, if there is a conflict between a computer policy setting and a user policy setting, the computer policy is the one that is enforced.

  7. If you enabled the policy, set any additional parameters specified on the Policy tab, and then click Apply.

  8. Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.

  9. Click OK when you're finished managing policies.

Adding or Removing Templates

You can add or remove template folders in the Group Policy console. To do this, complete the following steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with.

  2. Right-click the Administrative Templates folder in the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove. This displays the Add/Remove Templates dialog box shown in Figure 4-7.

  3. To add new templates, click Add. Then, in the Policy Templates dialog box, click the template you want to add and click Open.

    Figure 4-7: You can use the Add/Remove Templates dialog box to add more templates or remove existing ones.

  4. To remove an existing template, select the template to remove, and then click Remove.

  5. When you're finished adding and removing templates, click Close.

User and Computer Script Management

With Windows 2000 you can configure four types of scripts:

  • Computer Startup: Executed during startup.

  • Computer Shutdown: Executed prior to shutdown.

  • User Logon: Executed when a user logs on.

  • User Logoff: Executed when a user logs off.

You can write scripts as command-shell batch scripts ending with the .BAT or .CMD extension or as scripts that use the Windows Script Host (WSH). WSH is a new feature of Windows 2000 that lets you use scripts written in a scripting language, such as VBScript, without the need to insert the script into a Web page. To provide a multipurpose scripting environment, WSH relies on scripting engines. A scripting engine is the component that defines the core syntax and structure of a particular scripting language. Windows 2000 ships with scripting engines for VBScript and JScript. Other scripting engines are also available.

Assigning Computer Startup and Shutdown Scripts

Computer startup and shutdown scripts are assigned as part of a group policy. In this way, all computers that are members of the site, domain, and/or organizational unit execute scripts automatically when they're booted or shut down.

Note: You can also assign computer startup scripts as scheduled tasks. You schedule tasks using the Task Scheduler Wizard. See the "Scheduling Tasks" section of this chapter for details.

To assign a computer startup or shutdown script, follow these steps:

  1. For easy management, copy the scripts you want to use to the Computer\Scripts\Startup or Computer\Scripts\Shutdown folder for the related policy. Policies are stored in the %SystemRoot%\SYSVOL\domain\policies folder on domain controllers.

  2. Access the Group Policy console for the site, domain, or organizational unit you want to work with.

  3. In the Computer Configuration node, double-click the Windows Settings folder. Then click Scripts.

  4. To work with startup scripts, right-click Startup and then select Properties. Or right-click Shutdown and then select Properties to work with Shutdown scripts. This opens a dialog box similar to the one shown in Figure 4-8.

  5. Click Show Files. If you copied the computer script to the correct location in the policies folder, you should see the script.

  6. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the Computer\Scripts\Startup or the Computer\Scripts\Shutdown folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.

    Figure 4-8: Add, edit, and remove computer scripts using the Shutdown Properties dialog box.

  7. During startup or shutdown, scripts are executed in the order in which they're listed in the properties dialog box. Use the Up or Down buttons to reposition scripts as necessary.

  8. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.

  9. To delete a script, select the script in the Script For list, and then click Remove.

Assigning User Logon and Logoff Scripts

User scripts can be assigned in one of three ways:

  • You can assign logon and logoff scripts as part of a group policy. In this way, all users that are members of the site, domain, and/or organizational unit execute scripts automatically when they log on or log off.

  • You can also assign logon scripts individually through Active Directory Users And Computers console. In this way, you can assign each user or group a separate logon script. See Chapter 9 for details.

  • You can also assign individual logon scripts as scheduled tasks. You schedule tasks using the Task Scheduler Wizard. See the "Scheduling Tasks" section of this chapter for details.

To assign a group policy user script, complete the following steps:

  1. For easy management, copy the scripts you want to use to the User\Scripts\Logon or the User\Scripts\Logoff folder for the related policy. Policies are stored in the %SystemRoot%\SYSVOL\domain\policies folder on domain controllers.

  2. Access the Group Policy console for the site, domain, or organizational unit you want to work with.

  3. Double-click the Windows Settings folder in the User Configuration node. Then click Scripts.

  4. To work with logon scripts, right-click Logon and then select Properties. Or right-click Logoff and then select Properties to work with Logoff scripts. This opens a dialog box similar to the one shown in Figure 4-9.

  5. Click Show Files. If you copied the user script to the correct location in the policies folder, you should see the script.

  6. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the User\Scripts\Logon or the User\Scripts\Logoff folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.

  7. During logon or logoff, scripts are executed in the order in which they're listed in the properties dialog box. Use the Up or Down buttons to reposition scripts as necessary.

    Figure 4-9: Add, edit, and remove user scripts using the Logon Properties dialog box.

  8. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.

  9. To delete a script, select the script in the Script For list, and then click Remove.

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.