What's New About Group Policy in Windows Server 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This section summarizes new features in Windows Server 2003 Group Policy. The biggest change for Group Policy in Windows Server 2003 is the introduction of GPMC, the new solution for Group Policy management that helps you manage an enterprise more cost-effectively. It consists of a new Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy. GPMC is available for download from the Microsoft GPMC Web site at http://www.microsoft.com/windowsserver2003/gpmc. This paper assumes you are using GPMC.
Group Policy Management Console
GPMC simplifies the management of Group Policy by providing a single place for managing core aspects of Group Policy. It addresses the top Group Policy deployment requirements by providing the following functionality:
A user interface that makes Group Policy much easier to use.
Backup/restore of GPOs.
Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
Simplified management of Group Policy–related security.
HTML reporting for GPO settings and Resultant Set of Policy (RSoP) data.
Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).
GPMC is used to create, view, and manage GPOs while the Group Policy Object Editor is used to edit GPOs.
More information about GPMC is contained throughout this paper. For additional information about GPMC including step-by-step instructions for completing tasks, see the following resources:
Group Policy Administration using the Group Policy Management Console. This white paper provides additional technical details of functionality in GPMC.
GPMC Help. Available when you install GPMC, this provides step-by-instructions for GPMC tasks and addresses key concepts in GPMC.
New policy settings
Windows Server 2003 includes more than 200 new policy settings. The new Windows Server 2003 policy settings allow administrators to control the behavior of:
System restore, error reporting, PC Health.
Networking such as SNMP, Quality of Service (QoS), personal firewall, and dialup connections.
DNS and net logon.
Roaming user profiles and Group Policy.
Windows Media® Player.
Software restriction policy.
Administrative Templates Changes
For Administrative Templates policy settings, Group Policy Object Editor provides explain text directly in the Web view of the console. You also can find this explain text by double-clicking the policy setting and then clicking the Explain text tab. In either case, this text shows operating system requirements, defines the policy setting, and includes any specific details about the effect of enabling or disabling the policy setting.
Because new Administrative Template policy settings have been added that only work on specific versions of the operating system such as Windows XP Professional or Windows Server 2003, you can view only the Administrative Template policy settings that might be applied in your users' work environment, based on the "supported" keyword in each Administrative Template (.adm) file. For example, you may want to edit only policy settings that could be applied on client computers running Windows 2000 Service Pack 3. In Group Policy Object Editor, you can specify these options in the Filtering dialog box, available by clicking a node in the Administrative Templates section, clicking the View menu, and then clicking Filtering. For more information, see the section "Using Administrative Templates" in this paper.
Command Line Refresh of Policy
Administrators can now refresh policy settings from the command line using Gpupdate, which replaces secedit /refreshpolicy in Windows 2000. Gpupdate gives administrators better control and flexibility in refreshing policy. For more information, see the section "Refreshing Policy from the Command Line" in this paper.
WMI makes a large amount of data, such as hardware and software inventory, settings, and configuration information, available for a target computer. WMI retrieves data from the registry, drivers, file system, Active Directory, SNMP, Windows Installer, SQL, networking, and Exchange. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter. This functionality lets you target Group Policy based on a significant number of different properties of the target. In most organizations only senior administrators would actually create WMI filters; other administrators would simply access the WMI filters that have been created for their domain. For more information, see the section "WMI Filtering" in this paper.
Tools for Best Practice Organizational Unit Design
Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify the organizational units into which all new user and computer accounts are placed at the time of creation. For more information, see the section "Redirecting the Users and Computers Containers in Windows Server 2003 Domains in this paper.
The Windows Server 2003 family introduces a new feature called Forest Trust that enables you to authenticate and authorize access to resources from separate, networked forests. With trusts established between forests, you can manage Group Policy throughout your enterprise, which provides greater flexibility especially in large organizations. For more information, see the section "Using Group Policy Features Across Forests" in this paper.
The ability to rename a domain provides you with the flexibility to make important changes to your forest structure and namespace as the needs of your organization change. Renaming domains can accommodate acquisitions, mergers, name changes, or reorganizations. Domain rename allows you to:
Change the DNS and NetBIOS names of any domain in the forest (including the forest root domain).
Restructure the position of any domain in the forest (except the forest root domain).
You can only rename domains in a forest where all of the domain controllers are running Windows Server 2003 and the forest functional level has been raised to Windows Server 2003. For more information, see Windows Server 2003 Domain Rename Tools at http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
Restore GPOs tool
This is a new command-line tool intended for failure recovery. The tool, dcgpofix.exe, restores the default GPOs to their original state (that is, the default state after initial installation). For more information, see "Troubleshooting Windows Server 2003 Group Policy" available from the Microsoft GPMC Web site at http://www.microsoft.com/windowsserver2003/gpmc/.
A new Wireless Network (IEEE 802.11) Policies Group Policy extension allows you to configure wireless network settings that are part of Group Policy for Computer Configuration. Wireless network settings include the list of preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings. These settings are downloaded to targeted domain members, making it much easier to deploy a specific configuration for secure wireless connections to wireless client computers.
Software Restriction Policy Settings
Software restriction policy settings address the need to regulate unknown or untrusted software. With the rise in the use of networks, the Internet, and e-mail for business computing, users find themselves exposed to new software in a variety of ways. Users must constantly make decisions about running unknown software. Viruses and Trojan horses often intentionally misrepresent themselves to trick users into running them. It is difficult for users to make safe choices about which software they should run.
With software restriction policy settings, you can protect your computing environment from untrusted software by identifying and specifying which software is allowed to run. You can define a default security level of unrestricted or disallowed for a GPO so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating rules for specific software. For example, if your default security level is set to disallowed, you can create rules that allow specific software to run. For more information, see the section "Software Restriction Policy Settings" in this paper.
Internet Explorer Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration, also known as Internet Explorer hardening, is enabled by default on computers running Windows Server 2003. It can be managed using Group Policy in an enterprise environment to ensure consistent trusted sites and security settings on targeted server computers or to disable the feature on specific servers. For example, you may wish to ensure that Internet Explorer Enhanced Security Configuration is reapplied on a specific computer if the local administrator on that computer turns it off using the Optional Component Manager in the Windows Components Wizard (available from Add or Remove Programs.) In addition, it's likely that you will want to manage computers or groups of computers in your organization by defining a set of trusted sites and/or a specific security level for sites in the Internet or Trusted sites zones. For more information, see "Using Group Policy and Internet Explorer Enhanced Security Configuration" later in this document and Managing Internet Explorer Enhanced Security Configuration, available from the Microsoft Group Policy Web site at http://www.microsoft.com/grouppolicy.