Training
Find Training
Manage My Learning
Training Options
Browse by Subject
Guide My Training
Certifications
Certification Overview
Browse by Subject
Browse by Name
Find an Exam
Prepare for an Exam
Register for an Exam
Books
Books Overview
New and Upcoming
Find Books
Where to Buy
Special Offers
What's New
Community
Learning Community
Member Sites
Worldwide Sites
Help and Support




 
Microsoft® Windows® XP Professional Administrator's Pocket Consultant
Author William R. Stanek
Pages 384
Disk N/A
Level All Levels
Published 09/26/2001
ISBN 9780735613812
ISBN-10 0-7356-1381-8
Price(USD) $29.99
To see this book's discounted price, select a reseller below.
 

More Information

About the Book
Table of Contents
Sample Chapter
Index
Related Series
Related Books
About the Author

Support: Book & CD

Rate this book
Barnes Noble Amazon Quantum Books

 

Chapter 8: Configuring User and Computer Policies continued

Group Policy Essentials

Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.

Understanding Policy Application

During logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.

When multiple policies are in place, they are applied in the following order:

  1. Microsoft Windows NT 4 policies (NTCONFIG.POL)

  2. Local group policies

  3. Site group policies

  4. Domain group policies

  5. Organizational unit (OU) group policies

  6. Child OU group policies

If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, overview, and disable policies.

The events that take place during startup and logon are as follows:

  1. The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.

  2. Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn't displayed to the user unless specified.

  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.

  4. Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.

  5. Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.

  6. Windows XP displays the start shell interface configured in Group Policy.

Accessing and Using Local Group Policies

Each computer running Windows XP has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.

  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).

  3. In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.

  4. Click the Stand-Alone tab, and then click Add.

  5. In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.

  6. Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.

  7. Click Finish, and then click Close.

  8. Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."

Accessing and Using Site, Domain, and Unit Policies

Each site, domain, and OU can have one or more group policies. Group policies higher in the Group Policy list have a higher precedence than policies lower in the list. Group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and OUs. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you'll find one subfolder for each policy you've defined on the domain controller. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use site, domain, and OU policies by completing the following steps:

  1. For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.

  2. For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.

  3. In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.

  4. In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.

  5. To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."

  6. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Using the Group Policy Console

Once you've selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. As Figure 8-1 shows, the Group Policy console has two main nodes:

  • Computer Configuration  Allows you to set policies that should be applied to computers, regardless of who logs on

  • User Configuration  Allows you to set policies that should be applied to users, regardless of which computer they log on to

    • NOTE

    Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.

    Click to view graphic
    Click to view graphic

Figure 8-1. Group Policy options depend on the type of policy you're creating and the add-ons installed.

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you're creating. You'll usually find that both nodes have subnodes for the following:

  • Software Settings  Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.

  • Windows Settings  Sets policies for folder redirection, scripts, and security.

  • Administrative Templates  Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.

Previous   |  Table of Contents   |   Next


Last Updated: September 22, 2001
Top of Page