Glossary (Group Policy Infrastructure)
Updated: April 7, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This section presents terminology used in this document.
Active Directory
The Windows 2000 Server and Windows Server 2003 directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and apply. With Active Directory, users can gain access to resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure.
administrative templates (.adm files)
Template files that provide settings pertaining to Windows 2000, Windows NT 4.0, and Windows 95, Windows 98, and Windows Millennium Edition operating system and registry structure. The .adm file specifies the registry settings that can be modified through the Group Policy Object Editor user interface. The .adm file consists of a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy Object Editor user interface. It also indicates the registry locations where changes should be made if a particular selection is made, specifies any options or restrictions (in values) that are associated with the selection, and in some cases, specifies a default value to use if a selection is activated.
Administrative Templates snap-in extension
A Group Policy Object Editor extension that includes all registry-based Group Policy, which you use to define settings that control the behavior and appearance of the desktop, including the operating system and applications. The Administrative Templates snap-in extension includes functionality for managing disk quotas.
assigning applications
You can assign applications to either a user or a computer using Group Policy. When you assign applications to a computer, the application is automatically installed the next time the computer is started. When you assign applications to a user with Group Policy, the administrator can choose to either have the application installed on demand when the user selects the application or in full when the user next logs on:
On Demand. If the application is installed on demand, the user's computer is set up with a Start menu shortcut, and the appropriate file associations are created in the registry. To the user, it looks and feels as if the application is already present. However, the application is not fully installed until the user needs the application. When the user attempts to open the application or a file associated with that application, Windows Installer checks to make sure that all the files and parameters of the application are present for the application to properly execute. If they are not present, Windows Installer retrieves and installs them from a predetermined distribution point. Once in place, the application opens.
Full Install. The full-install option is useful for specific groups of users such as frequent travelers who might require all available applications to be fully installed before they travel. With full install, a user's applications are installed at logon.
publishing applications
In Windows 2000 and Windows Server 2003, you can use the Software Installation snap-in extension of the Group Policy Object Editor to publish applications to users. Published applications are those that the administrator makes available for on-demand use.
Published applications have no presence on the users' computers. That is, no shortcuts or Start menu references to the application are present on the desktop. A published application is advertised to Active Directory. The advertised attributes are used to locate the application and all the information required for installing it. After the application is advertised in Active Directory, users can activate it by document association, just as they can an assigned application. Users can also set up the program using the Add or Remove Programs Control Panel tool on their desktop.
cabinet files (.cab files)
A .cab file contains one or more files, all of which are downloaded together in a single compressed cabinet file. Included in the cabinet is an .inf file that provides further installation information. The .inf file may refer to files in the .cab and to files at other URLs.
discretionary access control list (DACL)
A part of the security descriptor that specifies the groups or users that can access an object, as well as the types of access (permissions) granted to those groups or users. See also security descriptor.
disk quotas
Within the Administrative Templates node of the Group Policy Object Editor are policy options for managing disk quotas, which administrators can use to monitor and limit disk space use on volumes formatted with NTFS version 5.0. After you enable disk quotas, you can set options for disk quota limits and warnings.
domain
A grouping of servers and other network objects under a single name. Domains provide the following benefits:
You can group objects into domains to help reflect your company's organization in your computer network.
Each domain stores only the information about the objects located in that domain. By partitioning the directory information this way, Active Directory scales up to as many objects as you need to store information about on your network.
The administrator of a domain has absolute rights to set policy settings within that domain only.
domain tree
You can combine multiple domains into structures called domain trees. The first domain in a tree is called the root of the tree, and additional domains in the same tree are called child domains. A domain immediately above another domain in the same tree is referred to as the parent of the child domain.
All domains within a single domain tree share a hierarchical naming structure. Domains that share a common root share a contiguous namespace. Domains in a tree are joined together through two-way, transitive trust relationships. Because these trust relationships are two-way and transitive, a domain joining a tree immediately has trust relationships established with every domain in the tree.
Folder Redirection snap-in extension
A Group Policy Object Editor extension that you use to place the Windows 2000 or Windows Server 2003 special folders in network locations other than their default location (%systemroot%\Documents and Settings\%userprofile%) on the local computer.
globally unique identifier (GUID)
A 128-bit integer that identifies a particular object class and interface. GUIDs are virtually guaranteed to be unique. A GUID can be generated using either the uuidgen.exe utility from the Platform Software Development Kit, or the GUIDgen tool included in the Microsoft Visual C++® development system. For more information about GUIDs, see the OLE Programmer's Reference, Volume One; the Platform Software Development Kit documentation; and Inside OLE, 2d ed. by Kraig Brockschmidt, Redmond, Wash.: Microsoft Press, 1995.
Group Policy
A component used in Windows 2000 and Windows Server 2003 to define options for managed desktop configurations for groups of users and computers. To specify Group Policy options, you use GPMC in conjunction with the Group Policy Object Editor.
Group Policy engine
The part of Group Policy that runs in the Winlogon process.
Group Policy Management Console (GPMC)
An MMC console used to view and edit Group Policy properties, generate reports, copy, import, back up, and restore GPOs, and to select GPOs for editing. GPMC lets administrators manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface with drag-and-drop support. Operations are fully scriptable, which lets administrators customize and automate management.
Group Policy object
The Group Policy settings that you create by using the Group Policy Object Editor are contained in a GPO, which is in turn associated with selected Active Directory containers: sites, domains, and organizational units (OUs).
Group Policy Object Editor
To edit a specific desktop configuration for a particular group of users and computers, you use the Group Policy Object Editor, also known previously as the Group Policy snap-in, Group Policy Object Editor, or GPedit.
You can specify Group Policy settings for the following:
Registry-based policy settings—Includes Group Policy for the Windows 2000 and Windows Server 2003 operating systems and their components and for applications. To manage these settings, use the Administrative Templates node of the Group Policy Object Editor.
Security settings—Includes options for local computer, domain, and network security settings.
Software Installation and Maintenance options—Used to centrally manage application installation, updates, and removal.
Script options—Includes scripts for computer startup and shutdown and user logon and logoff.
Folder Redirection options—Allows administrators to redirect users' special folders to the network.
Internet Explorer Maintenance—Used to manage and customize Internet Explorer on Windows 2000- and Windows Server 2003-based computers.
Remote Installation Services—Used to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
Group Policy Modeling
This is a simulation of what would happen under circumstances specified by an administrator. Group Policy Modeling requires that you have at least one domain controller running Windows Server 2003 because this simulation is performed by a service running on a domain controller that is running Windows Server 2003. With Group Policy Modeling, you can either simulate the RSoP data that would be applied for an existing configuration, or you can perform "what-if" analyses by simulating hypothetical changes to your directory environment and then calculating the RSoP for that hypothetical configuration. For example, you can simulate changes to security group membership, or changes to the location of the user or computer object in Active Directory. Outside of GPMC, Group Policy Modeling is referred to as RSoP - planning mode.
Group Policy Results
This represents the actual policy data that is applied to a given computer and user. It is obtained by querying the target computer and retrieving the RSoP data that was applied to that computer. The Group Policy Results capability is provided by the client operating system and requires Windows XP, Windows Server 2003, or later. Outside of GPMC, Group Policy Results is referred to as RSoP - logging mode.
IntelliMirror
IntelliMirror refers to the ability to provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer, even when they are disconnected from the network. IntelliMirror is delivered via a set of Windows features that enable IT administrators to implement standard computing environments for groups of users and computers.
IntelliMirror can significantly boost user productivity and satisfaction by doing the following:
Allowing users to continue working efficiently in intermittently connected or disconnected scenarios by enabling uninterrupted access to user and configuration data under these conditions.
Delivering a consistent computing environment to users from any computer when their desktop or laptop computer is unavailable or in scenarios where users are not assigned a specific computer.
Minimizing data loss by enabling centralized backup of user data and configuration files by the IT organization.
Minimizing user downtime by enabling automated installation and repair of applications.
Implementing IntelliMirror also boosts administrator efficiency and reduces IT costs by doing the following:
Eliminating the need to manually configure user settings, install applications, or transfer user files to provide users access to their computing environments on any computer.
Enabling scenarios where users don't have an assigned computer but log in to any available computer in a pool of computers. This helps reduce hardware and administration costs.
Easing the IT task of implementing centralized backup of user files while satisfying the need for these files to be available on the user's computer.
Reducing support costs by using Windows Installer to automatically repair broken application installations.
IntelliMirror is implemented by means of a set of Windows features, including Active Directory, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles.
Internet Explorer Maintenance
A Group Policy extension snap-in that includes policy settings to manage the following: Browser User Interface, Connection Settings, Custom URLs, Security, and Program Associations.
Microsoft Management Console (MMC)
A common console framework for system-management applications. The primary goal of the Microsoft Management Console is to support simplified administration and lower cost of ownership through tool integration, task orientation, support for task delegation, and overall interface simplification. The MMC console hosts the administrative tools (these are called MMC snap-ins); the console itself provides no management functionality.
migration table
A migration table is a file that maps references to users, groups, computers, and UNC paths in the source GPO to new values in the destination GPO. A migration table consists of one or more mapping entries. Each mapping entry consists of a type, source reference, and destination reference. If you specify a migration table when performing an import or copy, each reference to the source entry will be replaced with the destination entry when writing the settings into the destination GPO. Migration tables store the mapping information as XML, and have their own file name extension, .migtable. You can create migration tables using the Migration Table Editor (MTE). The MTE is a convenient tool for viewing and editing migration tables without having to work in, or be familiar with, XML. The MTE is associated with the .migtable extension so that when you double-click a migration table, it opens in the MTE. The MTE is installed with GPMC.
MMC snap-in
Tools that extend the MMC console and provide administrative functionality. A snap-in functions independently from other snap-ins.
MMC extension snap-in
A tool that enhances the functionality of a parent snap-in. An extension depends on a parent snap-in for contextual data.
organizational unit (OU)
A type of directory object contained within domains. Organizational units are logical containers into which you can place users, groups, computers, and even other organizational units.
registry
A database in which Windows NT internal configuration information and computer- and user-specific settings are stored.
registry hive
A section of the registry that is saved as a file. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a beehive). A hive is a discrete body of keys, subkeys, and values.
Remote Installation Services
A component that administrators can use to remotely install a local copy of Windows 2000 Professional or Windows XP Professional on supported computers throughout their organization. Administrators can deploy a new operating system version or upgrade to large numbers of clients at one time from a centralized location.
Administrators can use Group Policy to specify the client installation options that groups of users can access. These options are determined by the specific Remote Operating System Installation Group Policy settings that administrators define for the site, domain, or organizational unit to which the users belong, in conjunction with the specific security group or user account.
Resultant Set of Policy (RSoP)
RSoP allows administrators to see the effect of Group Policy on a targeted user or computer. RSoP is an infrastructure leveraged by GPMC to enable Group Policy Results and Group Policy Modeling. In Group Policy Results, administrators assess what has applied to a particular target. In Group Policy Modeling, administrators can see how policy settings would be applied to a target and then examine the results before deploying a change to Group Policy.
Roaming user profile
A copy of the local user profile stored on a server share. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy upon logoff. See also user profile.
schema
The formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. Active Directory includes a default schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and security policy settings. The Active Directory schema is dynamically extensible; this means that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either programmatically or with the Schema Manager snap-in tool included with Windows NT Server.
scripts
Batch files (.bat) or executable (.exe) files that run when a computer starts up or shuts down or when a user logs on or off at any type of workstation on the network. Windows 2000 and Windows Server 2003 support Windows Script Host scripts written in Visual Basic Scripting Edition (VBScript) and JScript, while continuing to support MS-DOS command scripts and executable files.
security descriptor
A set of access-control information attached to every container and object on the network. A security descriptor controls the type of access allowed to users and groups. Administrators assign security descriptors to objects stored in Active Directory in order to control access to resources or objects on the network.
A security descriptor lists the users and groups that are granted access to an object (a file, printer, or service, for example), and the specific permissions assigned to those users and groups. See also discretionary access control list and system access control list.
Security Settings extension snap-in
A Group Policy extension snap-in that you use to define security configuration for computers within a GPO. A security configuration consists of settings applied to each security area supported for Windows 2000 Professional or Windows XP Professional, and for Windows 2000 Server and Windows Server 2003. This configuration is included within a GPO.
site
In Windows 2000 and Windows Server 2003 you register your network's physical topology by defining sites. A site is defined as one or more IP subnets. Windows 2000 and Windows Server 2003 use site information to direct requests from one computer to be fulfilled by another computer at the same site. For example, when a workstation logs on, Active Directory uses the TCP/IP address of the workstation, along with the site information you have entered, to locate a domain controller on the local site. This local controller is used to service the workstation's requests.
Scripts extension snap-in
A Group Policy extension snap-in that you use to assign scripts to run at computer startup or shutdown or upon user logon or logoff.
Software Installation extension snap-in
A Group Policy extension snap-in that you use to centrally manage software distribution in your organization.
system access control list (SACL)
Part of a security descriptor that specifies which user accounts or groups to audit when accessing an object, the access events to be audited for each group or user, and a Success or Failure attribute for each access event, based on the permissions granted in the object's DACL.
tattooing
This refers to a registry setting that is set using Windows NT 4.0 System Policies; the setting persists until the specified policy is reversed or the user edits the registry.
total cost of ownership (TCO)
Refers to the administrative costs associated with computer hardware and software purchases, deployment and configuration, hardware and software updates, training, maintenance, and technical support.
user profile
A user profile describes the desktop computing configuration for a specific user, including the user's environment and preference settings. A profile is created the first time that a user logs on to a computer running Windows Server 2003, Windows XP, Windows 2000, or Windows NT Workstation. A user profile is a group of settings and files that defines the environment that the system loads when a user logs on. It includes all the user-specific configuration settings, such as program items, screen colors, network connections, printer connections, mouse settings, and window size and position. Profiles are not user policies, and the user has a profile even if you don't use Group Policy.
Windows Installer packages (.msi files)
Packages that contain all the information necessary to describe to the Windows Installer how to set up an application in every conceivable situation: various platforms, different sets of previously installed products, earlier versions of a product, and numerous default installation locations. The Software Installation extension snap-in to the Group Policy Object Editor uses .msi packages.
Windows Management Instrumentation (WMI)
A management infrastructure that supports monitoring and controlling system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter.