Introduction to Configuration and Management

Although it is not recommended in large organizations, there might be instances when you need to deploy Group Policy on computers that are not managed in a Windows 2000 Server Active Directory domain.

On a computer running Windows 2000 Professional, local Group Policy objects are located at %systemroot%\System32\GroupPolicy. You can use the following sets of Group Policy settings when the Group Policy snap-in is used on the local computer:

  • Security settings. Defines security settings only for the local computer, not for a domain or network.

  • Administrative Templates. These Group Policy settings allow you to set more than 450 operating system behaviors.

  • Scripts. Allows you to specify scripts to automate what happens at computer startup and shutdown and when the user logs on and off.

For more information about the Group Policy settings you can set in these categories, see the chapters in this book about the type of configuration setting in which you are interested. For example, to learn about Group Policy settings that affect desktop settings, see Customizing the Desktop in this book. For complete details about specific Group Policy settings, use the Explain tab on the Properties page of each Group Policy setting; or refer to Group Policy Reference on the Windows 2000 Resource Kit companion CD.

To manage Group Policy on local computers, you must have administrative rights on those computers. You can open the Group Policy snap-in by using one of the following procedures.

To gain access to the Group Policy snap-in on the local computer

  1. From the Start menu, click Run, and then type:
    MMC

  2. Click OK.

  3. In the Console menu of the MMC window, click Add/Remove Snap-in.

  4. On the Stand-alone tab, click Add.

  5. In the Add Snap-in dialog box, click Group Policy, and then click Add.

  6. When the Select Group Policy Object dialog box appears, click Local Computer to edit the local Group Policy object.

  7. Click Finish.

  8. Click Close, and then click OK. The Group Policy snap-in opens with its focus on the local Group Policy object.

If you want to open the Group Policy snap-in to set Group Policy on a remote computer, you must specify that computer either when the extension is added to an MMC console file or as a command line option.

Note

To use the Group Policy snap-in on a remote computer, you must have administrative rights on both computers and the remote computer must be part of the namespace.

To gain access to the Group Policy snap-in on remote computers

  1. On the Start menu, click Run, and type:
    MMC
    – Or –
    Open an existing saved console (such as Console1.mmc).

  2. In the Console menu of the MMC window, click Add/Remove Snap-in.

  3. On the Stand-alone tab of the Add/Remove Snap-in dialog box, click Add.

  4. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add. The Group Policy Object option in the Select Group Policy Object dialog box is, by default, set to Local Computer.

  5. Click Browse .

  6. On the Computers tab, select the Another computer option.

  7. Either type in the name of the remote computer, or click Browse to locate the remote computer. You can use the Look in drop-down list box to select the domains to which you have access.

Note

The Security Settings extension does not support remote management for local policy in Windows 2000.

Computer Name Formats

The supported computer name formats are as follows:

  • NetBIOS names, for example, %ComputerName%.

  • DNS-style, for example, %ComputerName.Microsoft.com%.

Starting the Group Policy Snap-in by Using Command Line Options

The Group Policy snap-in can be started with either of the following two command line switches.

Gpcomputer Command Line Switch

You can use the gpcomputer command line switch by using either the NetBIOS name or the DNS name of the destination computer.

The NetBIOS syntax is as follows:

gpedit.msc /gpcomputer:computername

The DNS syntax is as follows:

gpedit.msc /gpcomputer:computername.microsoft.com

Gpobject Command Line Switch

You can use the gpobject command line switch with an Active Directory Services Interface (ADSI) path. The syntax for this command line switch is as follows:

/gpobject:ADSI path

This is illustrated in the following example:

gpedit.msc /gpobject:LDAP://CN={GUID of the GPO},CN=Policies,CN=System,DC=microsoft,DC=com

For these command line options to work with a saved console file, you must select the check box titled Allow the focus of the Group Policy snap-ins to be changed when launching from the command line. This only applies if you save the console. The Gpedit.msc file is saved with this option on.

Security Considerations

Local Group Policy does not allow you to apply security filters or to have multiple sets of Group Policy objects, unlike Active Directory–based Group Policy objects. You can, however, set Discretionary Access Control Lists (DACLs) on the %systemroot%\System32\GroupPolicy folder so that specified groups are either affected or are not affected by the settings contained within the local Group Policy object. This option is useful if you have to control and administer computers that are used in situations such as kiosk environments, where the computer is not connected to a local area network (LAN). Unlike Group Policy administered from Active Directory, the local Group Policy object uses only the Read attribute, which makes it possible for the local Group Policy object to affect ordinary users but not local administrators. The local administrator can first set the policy settings he or she wants and then set the DACLs to the local Group Policy object directory so that administrators as a group no longer have Read access. For the administrator to make subsequent changes to the local Group Policy object, he or she must first take ownership of the directory to give him or herself Read access, make the changes, and then remove Read access.

Important

After you make changes to the Group Policy object, remember to remove Read access for the group in which you are a member. If you fail to remove Read access, it can be difficult, if not impossible, to gain access to the Group Policy object.
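As an added example (not from the Resource Kit), the following PowerShell script audits the DACL on the local GPO folder and carries out the procedure described above: it removes the Allow entries for a chosen group, previewing first which principals keep Read access so you can see whether you are about to lock yourself out. It assumes an elevated session on a current Windows version (Windows 2000 has no PowerShell); the function names are my own.

```powershell
# Added example, not from the Resource Kit: audit and change Read access on the
# local GPO folder so the local GPO stops applying to one group.  Assumes an
# elevated PowerShell session on a current Windows version (hypothetical names).
$LocalGpoPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$ReadRight    = [System.Security.AccessControl.FileSystemRights]::Read

# One record per ACE. CoversRead is true when the ACE's rights include the whole
# Read right (FullControl, Modify and ReadAndExecute all include it).
function Get-LocalGpoReadAccess {
    param([string]$Path = $LocalGpoPath)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType.ToString()   # Allow or Deny
            CoversRead = (($ace.FileSystemRights -band $ReadRight) -eq $ReadRight)
            Inherited  = $ace.IsInherited
        }
    }
}

# The procedure from the text: remove every Allow ACE for $Group. Inheritance from
# System32 is broken first (keeping copies of the inherited ACEs) because inherited
# ACEs cannot be removed directly. Without -Apply it only reports what would change.
function Remove-LocalGpoReadAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Group,   # e.g. 'BUILTIN\Administrators'
        [switch]$Apply,
        [string]$Path = $LocalGpoPath
    )
    $before = @(Get-LocalGpoReadAccess -Path $Path)
    $gone = @($before | Where-Object { $_.Identity -eq $Group -and $_.Type -eq 'Allow' })
    $keep = @($before | Where-Object { $_.Identity -ne $Group -and $_.Type -eq 'Allow' -and $_.CoversRead })
    Write-Output ("Removing {0} Allow ACE(s) for {1}; Read remains for: {2}" -f
        $gone.Count, $Group, (($keep.Identity | Select-Object -Unique) -join ', '))
    if (-not $Apply) { return }
    if ($keep.Count -eq 0) { throw "Refusing: no other principal would keep Read on $Path" }

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # protect the DACL, copy inherited ACEs
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                    # re-read: the copies are now explicit
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Group -and $ace.AccessControlType -eq 'Allow') {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $Path -AclObject $acl
    Get-LocalGpoReadAccess -Path $Path            # show the resulting DACL
}
```

Run `Remove-LocalGpoReadAccess -Group 'BUILTIN\Administrators'` without -Apply first to preview the change. Remove the Allow entries rather than adding a Deny entry: the SYSTEM account, which processes computer policy, carries the Administrators group SID in its token and would be blocked by a Deny.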

Setting Local Group Policy Settings

You can apply local Group Policy settings to the computer configuration or to the user configuration.

Computer Configuration    Includes all computer-related Group Policy settings that specify operating system behavior, desktop behavior, application settings, security settings, computer-assigned application options, and computer startup and shutdown scripts. Computer-related Group Policy settings are applied when the operating system initializes and during the periodic refresh cycle.

User Configuration    Includes all user-related Group Policy settings that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related Group Policy settings are applied when a user logs on to the computer and during the periodic refresh cycle.

By default, Group Policy settings are set to Not Configured. You can select either the Enabled or the Disabled option for each Group Policy setting.

Note

If you use local Group Policy settings initially and then make the computer a member of a domain that has Group Policy settings implemented, local Group Policy settings are processed first, and domain-based Group Policy settings are processed next. If there is a conflict between the settings, the domain Group Policy setting prevails. However, if a computer subsequently leaves the domain, local Group Policy settings reapply.

Important

If you deploy Windows 2000 Professional in an unmanaged environment and later want to move Windows 2000 Professional computers into a managed Active Directory domain, you might have to reinstall the operating system and applications to ensure that unauthorized changes have not been made to the system configuration.

If a local Group Policy setting is configured for Enabled or Disabled and the Active Directory Group Policy setting is set to Not Configured , the local Group Policy setting prevails on that computer.