The Barnes & Noble Review
Whether you're upgrading your entire enterprise or simply buying new PCs on an ad hoc basis, Windows XP Professional is coming into your enterprise. If you're responsible for supporting or administering it, this handy pocket guide offers you more useful answers per ounce than any other book we've seen. It's especially strong on XP's new administrative features, and those really important tasks (like setting up desktop VPN connections) that you won't do often enough to memorize on your own.
The book's organized into four sections: essentials, core administration, networking, and optimization/recovery. In 350 pages, it manages to be remarkably complete. Want to use Windows XP's new Remote Assistance feature to resolve users' problems without leaving your computer? Prohibit users from setting up Internet Connection Sharing on your DNS domain? Set a new home page for all your users at once? Place custom content on each user's desktop? Use System Restore across a network? Lock the taskbar, so it can't be moved or lost? William B. Stanek walks you through all these tasks, and more.
We could go on. Setting disk quotas. Managing security zones. Using notebook power schemes. Rolling back troublesome driver versions. Checking the status of a LAN connection. Configuring the synchronization of offline files. If you need to do it as a manager or support professional, there's no faster way to find out how.
Bill Camarda is a consultant, writer, and web/multimedia content developer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.
Read an Excerpt
Chapter 8: Configuring User and Computer Policies
- Group Policy Essentials
- Understanding Policy Application
- Accessing and Using Local Group Policies
- Accessing and Using Site, Domain, and Unit Policies
- Using the Group Policy Console
- Configuring Policies
- Viewing Policies and Templates
- Enabling, Disabling, and Configuring Policies
- Adding or Removing Templates
- Working with File and Data Management Policies
- Configuring Disk Quota Policies
- Configuring System Restore Policies
- Configuring Offline File Policies
- Working with Access and Connectivity Policies
- Configuring Network Policies
- Configuring Remote Assistance Policies
- Working with Computer and User Script Policies
- Controlling Script Behavior Through Policy
- Assigning Computer Startup and Shutdown Scripts
- Assigning User Logon and Logoff Scripts
- Working with Logon and Startup Policies
- Hiding the Welcome Screen
- Using Classic Logon vs. Simple Logon
- Setting Policy-Based Startup Programs
- Disabling Run Lists Through Policy
Chapter 8 Configuring User and Computer Policies
Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory service.
In this chapter, you’ll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000 and Microsoft Windows XP. (In this book, "Windows XP" refers to Windows XP Professional unless otherwise indicated.) They will also apply to systems running the Windows .NET operating system.
Group Policy Essentials
Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.
Understanding Policy Application
During logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.
When multiple policies are in place, they are applied in the following order:
- Microsoft Windows NT 4 policies (NTCONFIG.POL)
- Local group policies
- Site group policies
- Domain group policies
- Organizational unit (OU) group policies
- Child OU group policies
If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, override, and disable policies.
The events that take place during startup and logon are as follows:
- The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
- Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn’t displayed to the user unless specified.
- A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.
- Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
- Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
- Windows XP displays the start shell interface configured in Group Policy.
Accessing and Using Local Group Policies
Each computer running Windows XP has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.
You access and use local policies on a computer by completing the following steps:
- Open the Run dialog box by clicking Start and then clicking Run.
- Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
- In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.
- Click the Stand-Alone tab, and then click Add.
- In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.
- Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.
- Click Finish, and then click Close.
- Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."
Accessing and Using Site, Domain, and Unit Policies
Each site, domain, and OU can have one or more group policies. Group policies higher in the Group Policy list have a higher precedence than policies lower in the list. Group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and OUs. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you’ll find one subfolder for each policy you’ve defined on the domain controller. You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.
You access and use site, domain, and OU policies by completing the following steps:
- For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.
- For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.
- In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
- In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.
- To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."
- To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.
Using the Group Policy Console
Once you’ve selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. As Figure 8-1 shows, the Group Policy console has two main nodes:
- Computer Configuration: Allows you to set policies that should be applied to computers, regardless of who logs on
- User Configuration: Allows you to set policies that should be applied to users, regardless of which computer they log on to
Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.
Figure 8-1. Group Policy options depend on the type of policy you’re creating and the add-ons installed. (Image Unavailable)
The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you’re creating. You’ll usually find that both nodes have subnodes for the following:
- Software Settings: Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
- Windows Settings: Sets policies for folder redirection, scripts, and security.
- Administrative Templates: Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.
When you want to manage users and computers, you’ll want to configure the administrative template policies. These policies provide easy access to registry-based policy settings that control the operating system, Windows components, and programs.
Viewing Policies and Templates
As shown in Figure 8-2, you can view the currently configured templates in the Group Policy console’s Administrative Templates node, which contains policies that can be configured for local systems, OUs, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add additional templates containing new policies manually in the Group Policy console and when you install new Windows components.
Figure 8-2. User and computer policies are set through administrative templates. (Image Unavailable)
Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE and user configurations are saved in HKEY_CURRENT_USER. The best way to get to know what administrative template policies are available is to browse the Administrative Templates node in the Group Policy console. As you browse the templates, you’ll find that policies are in one of three states:
- Not Configured: The policy isn’t used and no settings for it are saved in the registry.
- Enabled: The policy is actively being enforced and its settings are saved in the registry.
- Disabled: The policy is turned off and isn’t enforced unless overridden. This setting is saved in the registry.
Enabling, Disabling, and Configuring Policies
In the Group Policy console, you’ll find administrative templates in two nodes: Computer Configuration and User Configuration. In most cases, the policies in these areas don’t overlap or cause conflict. If there is a conflict, however, computer policies have precedence, which means that the computer policy is the one that is enforced. You’ll find details on commonly used policies and how you can employ them later in this chapter.
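The application order from "Understanding Policy Application," the three policy states, and the computer-over-user rule above can be modelled in a few lines. This is an added example, not code from the book or from Windows; the function names, layer labels and sample assignments are assumptions made for illustration, and the block, override and disable exceptions are not modelled.

```python
from enum import Enum

class State(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"

# Application order from "Understanding Policy Application"; later layers win.
ORDER = ["NT4 (NTCONFIG.POL)", "Local", "Site", "Domain", "OU", "Child OU"]

def effective(layers):
    """Map {layer: {policy: State}} to {policy: (State, winning layer)}.

    A later Enabled/Disabled overwrites an earlier one. Not Configured stores
    nothing, so it never overwrites. The block/override/disable exceptions
    the chapter mentions are not modelled here.
    """
    unknown = set(layers) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown policy layer(s): {sorted(unknown)}")
    result = {}
    for layer in ORDER:
        for policy, state in layers.get(layer, {}).items():
            if state is not State.NOT_CONFIGURED:
                result[policy] = (state, layer)
    return result

def resolve(computer_layers, user_layers):
    """Combine both nodes; on a conflict the computer policy is enforced."""
    merged = {p: ("User", s, l) for p, (s, l) in effective(user_layers).items()}
    for p, (s, l) in effective(computer_layers).items():
        merged[p] = ("Computer", s, l)
    return merged

# Constructed sample data: the assignments below are invented for illustration.
# "Run logon scripts synchronously" is a policy that appears under both nodes.
COMPUTER = {
    "Local": {"Enable Disk Quotas": State.DISABLED},
    "Domain": {"Enable Disk Quotas": State.ENABLED,
               "Enforce Disk Quota Limit": State.ENABLED,
               "Run logon scripts synchronously": State.ENABLED},
    "OU": {"Enable Disk Quotas": State.NOT_CONFIGURED,
           "Enforce Disk Quota Limit": State.DISABLED},
}
USER = {
    "Child OU": {"Run logon scripts synchronously": State.DISABLED},
}

if __name__ == "__main__":
    for policy, (node, state, layer) in sorted(resolve(COMPUTER, USER).items()):
        print(f"{policy}: {state.value} ({node} Configuration, set at {layer})")
```

When troubleshooting unexpected behavior, the winning layer in each result tells you which policy object to open first.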
You can enable, disable, and configure policies by completing the following steps:
- Access the Group Policy console for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
- In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.
- Double-click or right-click a policy and select Properties to display its related Properties dialog box.
- Click the Explain tab to see a description of the policy. A description is only available if one is defined in the related .adm file.
- To set the policy’s state, click the Policy tab and then use the following buttons to change the state of the policy:
  - Not Configured: The policy is not configured.
  - Enabled: The policy is enabled.
  - Disabled: The policy is disabled.
- If you enabled the policy, set any additional parameters specified in the Policy tab, and then click Apply.
- Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.
- Click OK when you’re finished managing policies.
Adding or Removing Templates
You can add or remove template folders in the Group Policy console. To do this, complete the following steps:
- Access the Group Policy console for the site, domain, or OU you want to work with.
- In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder. This displays the Add/Remove Templates dialog box shown in Figure 8-3.
Figure 8-3. Use the Add/Remove Templates dialog box to add more templates or remove existing ones. (Image Unavailable)
- To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
- To remove an existing template, select the template to remove, and then click Remove.
- When you’re finished adding and removing templates, click Close.
Working with File and Data Management Policies
Every system administrator should be familiar with file and data management policies, which affect the amount of data a user can store on systems, how offline files are used, and whether the System Restore feature is enabled.
Configuring Disk Quota Policies
Policies that control disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. The available policies are summarized in Table 8-1.
Table 8-1. Disk Quota Policies
| Policy | Description |
|---|---|
| Enable Disk Quotas | Turns disk quotas on or off for all NT file system (NTFS) volumes of the computer and prevents users from changing the setting. |
| Enforce Disk Quota Limit | Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume. |
| Default Quota Limit And Warning Level | Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users. |
| Log Event When Quota Limit Exceeded | Determines whether an event is logged when users reach their limit and prevents users from changing their logging options. |
| Log Event When Quota Warning Level Exceeded | Determines whether an event is logged when users reach the warning level. |
| Apply Policy To Removable Media | Determines whether quota policies apply to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives. |
Whenever you work with quota limits, you’ll want to use a standard set of policies on all systems. Typically, you won’t want to enable all of the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:
- Access Group Policy for the system you want to work with, such as a file server. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
- Double-click Enable Disk Quotas. In the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
- If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per-volume basis as discussed in Chapter 9, "Configuring Folder Options, Offline Files, and Quotas."
- Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box shown in Figure 8-4. Select Enabled....