Extending the Scenarios

Applies To: Windows Server 2003 with SP1

You can use the common scenarios GPOs as a starting point for your own custom scenarios. For more information about the features and capabilities of Group Policy, see the Designing a Managed Environment book in the Windows Server 2003 Deployment Kit. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=18341).

Software Distribution through Group Policy

The scenarios do not implement any form of software distribution, although this is a feature of Group Policy. By creating .MSI packages and associating them with targeted GPOs, it is possible to manage applications using Group Policy, including support for initial deployment, transforms, and “self-healing” installations (detection and automatic repair of missing components such as DLLs). Group Policy enables you to automatically install and maintain software on target computers, or to make it available for users to install themselves.

Software Restriction Policies

Software restriction policies, new with Windows XP and Windows Server 2003, provide a policy-driven mechanism that enables you to identify the programs that are running on computers in your domain, and to control their ability to run. By using software restriction policies, you can:

  • Control what programs run on your system. For example, you can apply a rule that does not allow certain file types to run in the mail attachment directory of your e-mail program if you are concerned about users receiving viruses through e-mail.

  • Run only digitally signed scripts.

  • Allow users to run only specific files on multi-user computers. For example, if you have multiple users who use a single computer, you can set up software restriction policies and Access Control List settings so that users cannot make changes to the computer.

  • Decide who can add trusted publishers to a computer.

  • Control whether software restriction policies affect all users or only certain users who use a computer.

  • Prevent any files from running on a local computer. For example, if you are aware of a known virus, you can disallow a hash of that virus so that the computers in your domain cannot run that program.

Creating Default OUs for New Machine and User Accounts

By default, all new computer or user accounts are created in the Computers or Users containers, respectively. Because these are containers rather than OUs, you cannot link GPOs to them. However, using two new tools provided with Windows Server 2003, you can specify that all new accounts are created in OUs of your choice. You do this by first creating OUs for new user and computer accounts and then running Redirusr.exe (for user accounts) and/or Redircmp.exe (for computer accounts) once for each domain. From that point on, all new user and computer accounts are placed in the targeted OUs, so GPOs linked to those OUs apply to the accounts as soon as they are created. These tools are included on the Windows Server 2003 CD; you can run either of them or both.
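The procedure above, as an added batch example that is not part of the original article: it creates the two OUs with dsadd, runs Redirusr.exe and Redircmp.exe once against them, and then reads back the domain's wellKnownObjects attribute to confirm the redirection took effect. The domain DN and OU names are placeholders; the script assumes it is run from a command prompt on a domain controller by a domain administrator, in a domain at the Windows Server 2003 functional level (a prerequisite of both tools).

```batch
@echo off
rem Added example, not from the original article. Placeholder domain DN:
set DOMAIN_DN=DC=example,DC=com

rem 1. Create the OUs that will receive new user and computer accounts.
dsadd ou "OU=NewUsers,%DOMAIN_DN%" -desc "Default OU for new user accounts"
if errorlevel 1 goto fail
dsadd ou "OU=NewComputers,%DOMAIN_DN%" -desc "Default OU for new computer accounts"
if errorlevel 1 goto fail

rem 2. Redirect the default containers. Each tool is run once per domain.
redirusr "OU=NewUsers,%DOMAIN_DN%"
if errorlevel 1 goto fail
redircmp "OU=NewComputers,%DOMAIN_DN%"
if errorlevel 1 goto fail

rem 3. Check: the redirection is stored in the domain naming context's
rem    wellKnownObjects attribute; the two OU DNs should now appear there.
dsquery * "%DOMAIN_DN%" -scope base -attr wellKnownObjects

rem 4. Link your baseline GPOs to the new OUs (for example with the Group
rem    Policy Management Console) so they apply to every account created
rem    from this point on.
echo Redirection complete.
goto :eof

:fail
echo A step failed; see the error above. The domain must be at the Windows Server 2003 functional level.
exit /b 1
```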

For more details, see article 324949, “Redirecting the Users and Computers Containers in Windows Server 2003 Domains,” in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=4441).