CCM includes IntelliMirror features (user settings and data management, and software installation and management) and remote operating system installation. Group Policy Objects (GPOs), stored in Active Directory (AD), and the File Replication Service (FRS), which replicates Group Policy Templates (GPTs), provide the infrastructure for CCM. Group Policy Extensions to GPOs apply security settings, specify logon and other scripts, and configure automatic installation of Windows 2000-compatible application software.
If you hope to achieve any long-term economic benefit by upgrading to Windows 2000 from Windows NT, NetWare, or both, you must implement Group Policy. The consensus of industry analysts, such as GartnerGroup and Giga Information Group, is that a return on an upgrade investment depends entirely on your implementation of effective policy management.
Windows 2000 Server and its upscale derivatives, such as Advanced Server and Datacenter Server, have wizards to aid administrators in setting up new features, such as AD, Dynamic DNS, and Virtual Private Networks that run L2TP over IPSec. You won't find a "Group Policy Wizard" in Windows 2000 Server. Group Policy is one of the most complex and, in many respects, counterintuitive features of Windows 2000; if any component of Windows 2000 deserves a wizard, it's Group Policy. The absence of built-in assistance for establishing a logical and consistent set of CCM policies is one of the primary reasons for the existence of this book.
You can't escape Group Policy in a Windows 2000 domain. When you use Dcpromo.exe to create your first Windows 2000 Domain Controller (DC) during a clean installation or an upgrade of a Windows NT PDC, the AD promotion process establishes a Default Domain Policy that applies to all Windows 2000 computers and users in the domain. DCs in AD's Domain Controllers organizational unit (OU) receive the Default Domain Controllers Policy. The default policies represent only the starting point of the Group Policy journey. In particular, the basic domain and DC security policies are grossly inadequate for a production network. Default local security settings for workstations and member servers contribute to weak security. The first Group Policy management example in this chapter describes how to increase your domain security level.
Comparing Group Policy with Windows NT System Policy
The immediate ancestors of Group Policy are Windows NT and 9x system policy files, Ntconfig.pol and Config.pol, respectively, that you author with the Policy Editor (Poledit.exe). These files, which load from the PDC's or BDC's Netlogon share during the client logon process, alter settings in the client's HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU) Registry hives. If you've implemented (or tried to implement) system policy in a Windows NT 4.0 network, you'll appreciate Group Policy's substantial improvements to system policy's rudimentary CCM features. System policies are an element of the oxymoronic Zero Administration for Windows (ZAW) initiative that Microsoft announced in October 1996. The original ZAW press release (http://www.microsoft.com/presspass/press/1996/Oct96/ZAWinpr.asp) promised the following features:
Automatic system update and application installation: The operating system will update itself when the computer is booted, without user intervention, seeking the latest necessary code and drivers from a server, intranet, or the Internet, if available. The Automatic Desktop feature will provide users with all available applications, installing them automatically when invoked.
All state kept on server: Users' data can be automatically "reflected" to servers, ensuring high availability and allowing mobile users to have access to information whether connected to the network or not. Additionally, users will be able to roam between PCs while maintaining full access to their data, applications, and customized environments.
Central administration and system lockdown: All aspects of client systems will be controllable by a central administrator across the network. In a few simple steps, the system can be "locked down" to maintain controlled, consistent, and secure configurations across sets of users. The degree of flexibility can be altered on a per-user basis by the central administrator, without having to change hardware and software...