Deployment Considerations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Administering a Mix of Windows 2000 and Windows Server 2003 Domains

GPMC exposes features that are available in the underlying operating system. Because new features have been added to Group Policy since Windows 2000, certain features will only be available in GPMC depending on the operating system that has been deployed on the domain controllers. This section describes these dependencies. In general, there are three key issues that determine whether a feature is available in GPMC:

  • Whether the forest supports the Windows Server 2003 schema for Active Directory. Certain features are only available once the schema is upgraded. This is the first step that must be taken before any Windows Server 2003 domain controller can be deployed in an existing Windows 2000 forest. The schema is a forest-wide configuration and is upgraded by running ADPrep /ForestPrep. ADPrep is a utility included on the Windows Server 2003 CD. Note that it is possible to have the Windows Server 2003 schema in a forest with all Windows 2000 domain controllers.

  • Whether there is at least one domain controller in the forest that is running Windows Server 2003. Group Policy Modeling must be performed on a domain controller running Windows Server 2003.

  • Whether a domain contains the Windows Server 2003 domain configuration. This is implemented once ADPrep /DomainPrep is run in that domain. This is the first step that must be taken before any Windows Server 2003 domain controller can be deployed in an existing Windows 2000 domain.

Note that there is no dependency from the Group Policy perspective on whether a domain is in native mode or mixed mode.

Delegation of Group Policy Results and Group Policy Modeling

In order to delegate either Group Policy Modeling or Group Policy Results, the Active Directory schema in the forest must be the Windows Server 2003 schema. Note that you can use Group Policy Results even without this schema, but only users with local administrative credentials on the target computer can remotely access Group Policy Results data. Thus, if the forest does not have the Windows Server 2003 schema, the delegation pages in GPMC for organizational units and domains will not show these permissions.

Group Policy Modeling

Group Policy Modeling is a simulation that is performed by a service that can only run on a domain controller running Windows Server 2003 or later. As long as there is at least one domain controller running Windows Server 2003 in the forest, you can use Group Policy Modeling. GPMC will only show the Group Policy Modeling node in the user interface if the Windows Server 2003 schema is present.

WMI Filtering

WMI filters are only available in domains that have the Windows Server 2003 configuration. Although none of the domain controllers need to be running Windows Server 2003, you must have run ADPrep /DomainPrep in this domain. Also note that WMI filters are only evaluated by clients running Windows XP, Windows Server 2003, or later. WMI filters associated with a GPO will be ignored by Windows 2000 clients and the GPO will always be applied on Windows 2000.

If ADPrep /DomainPrep has not been run in a given domain, the WMI Filters node will not be present, and the GPO scope tab will not have a WMI filters section.

Upgrading Windows 2000 Domains to Windows Server 2003 Domains and Interaction with Group Policy Modeling

Group Policy Modeling is a new feature of Windows Server 2003 that simulates the resultant set of policy for a given configuration. The simulation is performed by a service that runs on Windows Server 2003 domain controllers. In order to perform the simulation in cross-domain scenarios, the service must have read access to all GPOs in the forest.

In a Windows Server 2003 domain (whether it is upgraded from Windows 2000 or installed as new), the Enterprise Domain Controllers group is automatically given read access to all newly created GPOs. This ensures that the service can read all GPOs in the forest.

However, if the domain was upgraded from Windows 2000, any existing GPOs that were created before the upgrade do not have read access for the Enterprise Domain Controllers group. When you click a GPO, GPMC detects this situation and notifies the user that Enterprise Domain Controllers do not have read access to all GPOs in this domain. To solve this problem, you can use one of the sample scripts provided with GPMC, GrantPermissionOnAllGPOs.wsf. This script can update the permissions for all GPOs in the domain. To use this script:

1. Ensure that the person running this script is either a Domain Admin or has permission to modify security on all GPOs in the domain.

2. Open a command prompt and navigate to the %programfiles%\gpmc\scripts folder by typing:

   CD /D %programfiles%\gpmc\scripts

3. Type the following:

   Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:value

The value of the Domain parameter is the DNS name of the domain.
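As an added check that is not part of the original documentation or of the GPMC sample scripts, the following PowerShell audits which GPOs in an upgraded domain still lack read access for Enterprise Domain Controllers and, only when -Fix is given, grants the same Read level the .wsf script applies. It assumes the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 or later), so it runs from a management workstation against the domain rather than on the Windows Server 2003 domain controller itself.

```powershell
# Added example, not from the original page or GPMC. Assumes the GroupPolicy
# PowerShell module (RSAT / Windows Server 2008 R2 and later).
param(
    [Parameter(Mandatory = $true)][string]$Domain,   # DNS name of the domain
    [switch]$Fix                                       # audit only unless set
)
Import-Module GroupPolicy -ErrorAction Stop

$trustee = 'Enterprise Domain Controllers'
$missing = @()

foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # Get-GPPermission raises an error when the trustee has no entry on the GPO,
    # so treat an error (or an explicit Deny) as "no read access".
    $perm = Get-GPPermission -Guid $gpo.Id -DomainName $Domain `
        -TargetName $trustee -TargetType Group -ErrorAction SilentlyContinue
    $hasRead = ($null -ne $perm) -and (-not $perm.Denied) -and ($perm.Permission -ne 'None')
    if (-not $hasRead) { $missing += $gpo }
}

if ($missing.Count -eq 0) {
    Write-Output "All GPOs in $Domain grant read access to $trustee."
    return
}

Write-Output ("{0} GPO(s) lack read access for {1}:" -f $missing.Count, $trustee)
$missing | Select-Object DisplayName, Id | Format-Table -AutoSize

if ($Fix) {
    foreach ($gpo in $missing) {
        # GpoRead corresponds to the /Permission:Read level used by GrantPermissionOnAllGPOs.wsf.
        Set-GPPermission -Guid $gpo.Id -DomainName $Domain -TargetName $trustee `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Output "Granted GpoRead on '$($gpo.DisplayName)'"
    }
}
```

Run it without -Fix first to see the list of pre-upgrade GPOs that Group Policy Modeling cannot read; the GPMC warning described above should disappear once they are fixed.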

Using Group Policy Features Across Forests

The Windows Server 2003 family introduces a new feature called Forest Trust that enables you to authenticate and authorize access to resources from separate, networked forests. With trusts established between forests, you can manage Group Policy throughout your enterprise, which provides greater flexibility especially in large organizations. This section describes Group Policy behavior in an environment with forest trust enabled:

  • It is not possible to link a GPO to a domain in another forest.

  • With Forest trust, it is possible that a user in Forest B could log on to a computer in Forest A. In this case, when the computer starts up, it will process policy for the computer configuration from Forest A, as usual. When a user from Forest B logs on, where that user's policy settings come from depends on the value of the Allow Cross-Forest User Policy and Roaming Profiles policy setting.

    • When this setting is Not Configured, no user-based policy settings are applied from the user's forest. Instead, loopback Group Policy processing will be applied, using the GPOs scoped to the computer. Users will receive a local profile instead of their roaming profile.

    • When this setting is Enabled, the behavior is exactly the same as Windows 2000 Server: User policy is applied from the user's forest and a roaming user profile is allowed from the trusted forest.

    • When this setting is Disabled, the behavior is the same as Not Configured.

On Windows Server 2003, this setting is located at: Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming Profiles.

  • It is possible to deploy Group Policy settings to users and computers in the same forest, but have those settings reference servers in other trusted forests. For example, the file shares that host software distribution points, redirected folders, logon scripts, and roaming user profiles could be in another trusted forest.

  • Group Policy Modeling requires that both the user and the computer be in the same forest. If you want to simulate a user from Forest A logging on to a computer in Forest B, you must perform two separate Group Policy Modeling simulations: one for the user configuration and the other for the computer configuration.

  • Delegation across forests is supported for managing Group Policy. For example, you can delegate to someone in Forest B the ability to perform Group Policy Modeling simulations on objects in Forest A.

Group Policy and Active Directory Sites

GPOs that are linked to site containers affect all computers in a forest of domains. Site information is replicated and available between all the domain controllers within a domain and all the domains in a forest. Therefore, any GPO that is linked to a site container is applied to all computers in that site, regardless of the domain (in the forest) to which they belong. This has the following implications:

  • It allows multiple domains (within a forest) to get the same GPO (and included policy settings), although the GPO only lives on a single domain and must be read from that domain when the affected clients read their site policy.

  • If child domains are set up across wide area network (WAN) boundaries, the site setup should reflect this. If it does not, the computers in a child domain could be accessing a site GPO across a WAN link.

  • To manage site GPOs, you need to be either an Enterprise Admin or Domain Admin of the forest root domain.

  • You may want to consider using site-wide GPOs for specifying policy for proxy settings and network-related settings.

In general, it is recommended that you link GPOs to domains and organizational units rather than sites.

Using Group Policy and Internet Explorer Enhanced Security Configuration

Windows Server 2003 includes a new default security configuration for Internet Explorer, called Internet Explorer Enhanced Security Configuration, also known as Internet Explorer hardening.

You can manage Internet Explorer Enhanced Security Configuration by:

  • Enabling or disabling Internet Explorer Enhanced Security Configuration. This is commonly used in situations where you want to ensure that Internet Explorer Enhanced Security Configuration is always enabled. For example, Internet Explorer Enhanced Security Configuration might need to be reapplied on a specific computer if the local administrator on that computer disables it using the Optional Component Manager in the Windows Components Wizard (available from Add or Remove Programs.)

  • Restricting who can manage trusted sites and other Internet Explorer security settings on a server. This is commonly used when you want to ensure that all servers have the same Internet Explorer Enhanced Security Configuration settings. For example, you might want to configure Internet Explorer Enhanced Security Configuration so that machine-based security settings are applied to each server rather than user-based security settings.

  • Adding trusted Web sites and UNC paths to one of the trusted security zones. This is commonly used when you want to allow users access to specific Web sites and corporate resources, but still reduce the risk of users downloading or running malicious content.

Enhanced Security Configuration impacts the Security Zones and Privacy settings within the Internet Explorer Maintenance settings of a GPO. The Security Zones and Privacy settings can either be enabled with Enhanced Security Configuration or not.

When you edit settings for Security Zones and Privacy settings in a GPO from a computer where Enhanced Security Configuration is enabled, that GPO will contain Enhanced Security Configuration-enabled settings. When you look at the HTML report for that GPO, the Security Zones and Privacy heading will be appended with the text (Enhanced Security Configuration enabled).

When you edit settings for Security Zones and Privacy settings in a GPO from a computer where Enhanced Security Configuration is not enabled, that GPO will contain Enhanced Security Configuration-disabled settings. Enhanced Security Configuration (ESC) is not enabled on any computer running Windows 2000 or Windows XP, nor on computers running Windows Server 2003 where ESC has been explicitly disabled.

Enhanced Security Configuration settings deployed through Group Policy will only be processed on and applied by computers where Enhanced Security Configuration is enabled. Enhanced Security Configuration settings will be ignored on computers where Enhanced Security Configuration is not enabled (all computers running Windows 2000 and Windows XP, and Windows Server 2003 computers where Enhanced Security Configuration has been explicitly disabled). The converse is also true: a GPO that contains non-Enhanced Security Configuration settings will only be processed on and applied by computers where Enhanced Security Configuration is not enabled.

For more information, see Managing Internet Explorer Enhanced Security Configuration, available from the Microsoft Group Policy Web site at https://www.microsoft.com/grouppolicy.