What You Need Before Designing Your Group Policy Solution

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before designing your Group Policy implementation, you need to understand your current organizational environment, and you need to take preparatory steps in the following areas:

Active Directory   Ensure that the Active Directory OU design for all domains in the forest supports the application of Group Policy. For more information about Active Directory OU design, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.

Group Policy Management Console (GPMC)   Download and install the Group Policy Management Console, which consists of scripting interfaces and a Microsoft Management Console snap-in.

Networking   Make sure that your network meets the requirements for change and configuration management technologies. Because Group Policy works with fully qualified domain names, you must have DNS running in your forest in order to correctly process Group Policy; you cannot use NetBIOS only. Also, because client or destination computers must be able to contact your network’s domain controllers, do not turn off the ICMP protocol. If destination computers cannot ping the domain controllers, Group Policy processing will fail.

Security   Obtain a list of the security groups currently in use in your domain. Work closely with the security administrators as you delegate responsibility for organizational-unit administration and create designs that require security-group filtering. For more information about filtering GPOs, see "Applying GPOs to Selected Groups (Filtering)" in "Defining the Scope of Application of Group Policy" later in this chapter.

IT requirements   Obtain a list of the administrative owners and corporate administrative standards for the domains and OUs in your domain to develop a good delegation plan and to ensure that Group Policy is properly inherited.

Note

  • Turning off the ICMP protocol will cause Group Policy processing to fail. Turning off Read access on Active Directory containers that are in the hierarchy of a user or computer object will cause Group Policy processing for that object to fail.
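
The DNS and ICMP requirements in the Networking item and the Note above can be checked from a client before rollout. The PowerShell function below is an added example, not part of the original article; the name Test-GpoNetworkPrereq and the sample domain name are assumptions, and Resolve-DnsName requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not from the original article. Test-GpoNetworkPrereq is a
# hypothetical helper name. Requires Resolve-DnsName (DnsClient module,
# Windows 8 / Windows Server 2012 or later).
function Test-GpoNetworkPrereq {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainFqdn,      # e.g. corp.example.com (constructed sample name)
        [int]$PingCount = 2
    )

    # Domain controllers register this SRV record in DNS; clients use it to locate them.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })

    if ($srv.Count -eq 0) {
        # No SRV answer: DNS is not serving the domain, and NetBIOS alone is not enough.
        Write-Warning "No DNS SRV records found for $srvName"
        return
    }

    foreach ($target in ($srv | Select-Object -ExpandProperty NameTarget -Unique)) {
        # -DnsOnly keeps NetBIOS and LLMNR out of the answer, so a success here
        # means the domain controller's FQDN really resolves through DNS.
        $a = @(Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' })

        # ICMP echo to the domain controller; only attempted when the name resolves.
        $ping = $false
        if ($a.Count -gt 0) {
            $ping = [bool](Test-Connection -ComputerName $target -Count $PingCount -Quiet)
        }

        [pscustomobject]@{
            DomainController = $target
            DnsResolves      = ($a.Count -gt 0)
            Addresses        = ($a.IPAddress -join ', ')
            IcmpReachable    = $ping
        }
    }
}
```

Run it as `Test-GpoNetworkPrereq -DomainFqdn <your domain>`; any row where DnsResolves or IcmpReachable is False identifies a domain controller that destination computers cannot reach in the way this section requires.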

Administrative Requirements for Group Policy

To use Group Policy, your organization must be using Active Directory and the destination desktop and server computers must be running Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, or Windows Server 2003. You can manage server computers as well as client computers by using Group Policy; Group Policy offers many settings specific to server computers.

Using GPMC will greatly improve the manageability of your Group Policy deployment and enable you to take full advantage of the power of Group Policy by providing an enhanced and simplified Group Policy management interface.

By default, only domain administrators or enterprise administrators can create and link GPOs, but you can delegate this task to other users. For more information about administrative requirements for Group Policy, see "Delegating Administration of Group Policy" later in this chapter.