Group Policy Snap-in Namespace

The root node of the Group Policy snap-in displays as the name of the Group Policy object and the domain in which it is stored, in the following format:

< Group Policy object name > [< server name >] Policy

For example:

Default Domain Policy [MSMSRV01.Reskit.com] Policy

The next level of the namespace has two nodes: Computer Configuration and User Configuration. These are the parent folders that you use to configure specific desktop environments and to enforce Group Policy on groups of computers and users, respectively, on the network.

Computer Configuration

Computer configuration includes all computer-related policy settings that specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings. Computer-related Group Policy is applied when the operating system initializes and during the periodic refresh cycle, explained later in this document. In general, computer policy takes precedence over conflicting user policy. Figure 22.1 shows the Group Policy Snap-in Console Computer Configuration.

Figure 22.1 The Group Policy Snap-in Console Computer Configuration

User Configuration

User configuration includes all user-related policy settings that specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts. User-related Group Policy is applied when users log on to the computer and during the periodic refresh cycle. Figure 22.2 shows the Group Policy Snap-in Console User Configuration.

Figure 22.2 The Group Policy Snap-in Console User Configuration

In certain strictly managed computing environments, it is useful to mandate a specific desktop configuration regardless of which user logs on to the computer. Schools, libraries, public kiosks, some laboratories, and reception areas are candidates for policy of this sort. You implement this by appending (or, more severely, replacing) the User Configuration settings for the user account with the User Configuration settings for the computer account. This process is called loopback and it is explained in "Group Policy Loopback Support" later in this chapter.

There are several child nodes under the Computer Configuration and User Configuration parent nodes. These include:

• Software Settings, which is a location for independent software vendors (ISVs) to add further extensions. If no nodes have been added by ISVs, then Software Settings contains just the Software Installation extension included with Windows 2000.

• Windows Settings, which holds extensions provided by Microsoft.

• Administrative Templates which shows namespace for registry-based policy settings. The Administrative Templates namespace is created by adding .adm files. You do this by right-clicking either of the Administrative Templates nodes, and then clicking "Add/Remove Templates."

Extensions to the Group Policy Snap-in

A Group Policy snap-in extension can extend the Group Policy namespace under the User Configuration or Computer Configuration nodes, or both. Most of the snap-in extensions extend both of these nodes, but frequently with different options. The Group Policy snap-in extensions included with Windows 2000 are listed below.

Administrative Templates    These include registry-based Group Policy, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications. There are over 450 of these settings available for you to configure, and you can add more using .adm files. To avoid undesirably persistent registry settings, any additional registry settings should be placed in \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies. See Group Policy Overview in this chapter about undesirably persistent registry settings.

Security Settings    You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.

Software Installation    You use the Software Installation snap-in to centrally manage software in your organization. You can assign and publish software to users, and assign (but not publish) software to computers. You use Software Installation to install applications. The target computer needs to have the Windows 2000 operating system in place, as well as the client-side extension for Software Installation, Appmgmts.dll. To install Windows 2000 on a remote computer, use Remote Installation Services.

Scripts    You can use scripts to automate computer startup and shutdown and user logon and logoff sessions. You can use any Windows Script Host–supported language you like. Your options include Microsoft® Visual Basic® Scripting Edition (VBScript), JavaScript, Perl, and MS-DOS®-style batch files (.bat and .cmd).

Remote Installation Services    You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers. Group Policy requires a genuine Windows 2000 client, not merely a client of Active Directory running on a previous version of Windows.

Internet Explorer Maintenance    You use Internet Explorer Maintenance to administer and customize Microsoft® Internet Explorer on Windows 2000–based computers.

Folder Redirection    You use Folder Redirection to redirect Windows 2000 special folders from their default user profile location to an alternate location on the network, where you can centrally manage them. Windows 2000 special folders include My Documents, Application Data, Desktop, and Start Menu.

Administrative Templates

In Windows 2000, the Administrative Templates node of the Group Policy snap-in uses an administrative template (.adm) file to specify the registry settings you can modify through the Group Policy snap-in user interface Policy Group Policy object. Figure 22.3 shows some Administrative Template Group Policy settings. The Policy pane lists some policy settings that make up the User Configuration part of the Default Domain Policy of the Group Policy object.

Figure 22.3 Administrative Template Group Policy Settings

Note

The Windows NT 4.0 System Policy Editor uses files called administrative templates (.adm files) to determine which registry settings you can modify by presenting a namespace for those settings in the System Policy Editor. Windows 2000 .adm files have new features, such as Explain text. The Windows 2000 Resource Kit CD-ROM includes a searchable reference file, GP.chm, with details about the administrative templates settings included with Windows 2000 Server.

The Administrative Templates nodes of the Group Policy snap-in present registry-based Group Policy settings to the administrator. Administrative Templates govern a variety of behaviors for the Windows 2000 operating system and its components and applications. These settings are written to the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE portion of the registry database, as appropriate.

The .adm file is a Unicode text file that specifies a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy snap-in user interface. Unicode support for .adm files is new in Windows 2000. It also indicates the registry locations where you need to make changes if a particular selection is made, specifies any options or restrictions in values that are associated with the selection, and in some cases, specifies a default value to use if a selection is activated. By default, three .adm files, System.adm, Inetres.adm, and Conf.adm, which together contain more than 450 settings appropriate to Windows 2000 operating system clients, are installed in the Group Policy console. Inetres.adm contains settings for Internet Explorer, and System.adm has a wide variety of settings. There is also a Conf.adm, containing Microsoft® NetMeeting® settings, which is not loaded by default.

Note

See the Explain tab of each Group Policy setting's Properties page for more details on the policy settings within the .adm file.

The Administrative Templates nodes of the Group Policy snap-in can be extended by using custom .adm files. For more information about creating .adm files, see Windows 2000 Help.

Undesirably Persistent Registry Settings

Windows NT 4.0 registry settings remain in effect until they are explicitly reversed. Windows 2000 registry settings, by contrast, are removed and rewritten each time policy changes. Be aware of this possibly undesirable behavior if you consider using Windows NT 4.0–type registry settings on Windows 2000–based computers.

For more information, see "Using Windows NT 4.0 Administrative Templates in the Windows 2000 Group Policy Console" later in this chapter.

Other Group Policy Extensions That Use the Registry

Both Remote Installation Services (RIS) and Disk Quotas use the registry. RIS has a node in the Group Policy console, but no client-side extension; that is, no .dll on the client computer. This is not surprising, because the client typically won't have an operating system. Disk Quotas is an example of a component with a client-side extension (Dskquota.dll), but no node in the Group Policy console.

Remote Installation Services

Remote Installation Services (RIS) is an optional component included in the Windows 2000 Server operating system. You can use the RIS extension of Group Policy to control which screen options (such as Automatic Setup, Custom Setup, and Restart Setup) are available to users during the client installation wizard.

When a client computer enabled with Preboot Execution Environment (PXE) remote-boot technology accesses the RIS server to install the operating system, the Remote Installation Services server checks for Group Policy pertaining to remote installation options defined for the user. The Boot Information Negotiation Layer (BINL) service running on the RIS server performs this work. It impersonates the user who logs on to the RIS client-side pre-boot user interface, and evaluates the Group Policy objects to calculate the resulting policy. Based on the resulting policy, it determines which screens are sent to the pre-boot RIS client code for display to the user.

RIS policies are stored in the Sysvol folder at the following location: Policies\{< GUID of GPO >}\User\Microsoft\RemoteInstall\oscfilter.ini. For detailed information about Remote Installation Services, see "Remote OS Installation" in this book.

Security Settings

You can define a security configuration within a Group Policy object. A security configuration consists of settings applied to one or more security areas supported on Windows 2000 Professional or Windows 2000 Server. The specified security configuration is then applied to computers as part of Group Policy enforcement.

The Security Settings extension of the Group Policy snap-in complements existing system security tools such as the Security tab on the Properties page (of an object, file, folder, and so on), and Local UsersandGroups in Computer Management . You can continue to use existing tools to change specific settings whenever necessary.

The security areas that can be configured for computers include:

Account Policies    These are computer security settings for password policy, lockout policy, and Kerberos policy in Windows 2000 domains.

Note

These settings are only set at the domain level. If they are set at the organizational unit level, they are ignored.

Local Policies    These include security settings for audit policy (Audit successful or failed logon attempts), user rights (who has network access to the computer) assignment, and security options (the ability to connect to a computer anonymously).

Event Log    This controls settings such as size and retention method for the Application, Security, and System event logs. You can access these logs using Event Viewer.

Restricted Groups    Allows you to control who needs to and who does not need to belong to security sensitive groups, as well as which other groups a security sensitive group needs to belong to. This allows administrators to enforce a membership policy regarding sensitive groups, such as Enterprise Administrators or Payroll. For example, it might be decided that only two users should be members of the Enterprise Administrators group. You can define the Enterprise Administrators group as a restricted group that contains only those two members. If a third user is added to the group (for example, to accomplish some task in an emergency situation), that user is automatically removed from the Enterprise Administrators group the next time policy is enforced. This mechanism can also be used to enforce group memberships on workstations in the domain (that is, enforcing that certain administrators from the domain are in the local Administrators groups on workstations).

System Services    These control startup mode and access permissions for system services, such as who is allowed to stop and start the fax service.

Registry    This is used to configure security settings for registry keys, including access control, audit, and ownership.

File System    This is used to configure security settings for file-system objects, including access control, audit, and ownership.

Incremental Security Templates

Windows 2000 includes several incremental security templates. By default, these templates are stored in %systemroot%\Security\Templates. These predefined templates can be customized using the Security Templates MMC snap-in and can be imported into the Security Settings extension of the Group Policy snap-in.

These security templates are to be applied to Windows 2000–based computers that are configured with the Windows 2000 default security settings. They modify the default security settings incrementally, not cumulatively.

Note

You should not apply these incremental templates to Windows 2000 systems that have been upgraded from Windows NT 4.0.

You should only apply these incremental templates onto Windows 2000 systems that have been clean-installed onto NTFS partitions. For NTFS computers that have been upgraded from Windows NT 4.0 or earlier, a Basic security template can be applied to configure the upgraded computer with the Windows 2000 default security settings. This is described in the following section. You cannot secure Windows 2000 systems that are installed on FAT file systems.