Defining Group Policy Operational Procedures

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To facilitate future management of Group Policy, you should develop operational procedures to ensure that changes to GPOs are made in an authorized and controlled manner. In particular, make sure that all new GPOs and changes in existing GPOs are properly staged before deployment to your production environment. You should also create regular backups of your GPOs.

In some organizations, different teams might be responsible for managing different aspects of Group Policy. For example, a software deployment team is typically concerned with the Software Installation (Users) and Software Installation (Computers) sections of Group Policy. The remaining settings, relating to items such as scripts and Folder Redirection, are unlikely to be of interest to this team.

To reduce complexity and minimize the likelihood of introducing errors, consider creating separate GPOs for different groups of administrators.

Alternatively, you might restrict administrators to the parts of Group Policy they are authorized to change. You can use the Restricted/Permitted Snap-ins\Extension snap-ins policy setting to restrict the snap-ins that administrators can access. This setting is available in the Group Policy Object Editor snap-in under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console. The Restricted/Permitted Snap-ins\Extension snap-ins policy pertains to the UI that is accessible by using the Group Policy Object Editor snap-in. Remember that some teams may need access to more than one type of extension snap-in. To start the Group Policy Object Editor, right-click a GPO in GPMC and then click Edit.

Note

  • The MMC policy settings only affect the UI that is accessible by using MMC; if Group Policy is edited by using a programmatic means, any GPO settings can be edited, including important Sysvol aspects.

For more information about these and other Group Policy settings, double-click the setting in the details pane of the Group Policy Object Editor, and then click the Explain tab in the policy Properties dialog box. Note that this information is always available by simply clicking the setting if you have Extended View enabled, which is the default behavior.