Introduction to Windows 2000 Group Policy

Source: Internet
Author: User

More detailed control of the desktop configuration

Group Policy is one of my favorite new features in Windows 2000. It gives me something that Windows NT never provided: centralized, detailed control of users' computers. You can think of Group Policy as an improvement on system policy in NT 4.0. A Group Policy object (GPO) is an Active Directory (AD)-based object that lets you centrally configure Win2K desktops and servers, covering everything from NT 4.0-style desktop lockdown to security configuration and software installation.

This article focuses on what Group Policy does for the system, how it works internally, and how to use it in a Win2K environment. An understanding of how system policy works in NT 4.0 will help in understanding Group Policy.

What Is Group Policy?

A GPO is a physical policy that is associated with a domain, site, or organizational unit (OU). In an NT 4.0 system, a single system policy file (such as Ntconfig.pol) includes all the policy functions that can be performed, but it relies on registry settings on the user's computer. In Win2K, a GPO consists of both files and AD objects. Group Policy lets you specify registry-based settings using NT 4.0-format .adm template files, Win2K local computer and domain security settings, network software installation that uses Windows Installer, and folder redirection.

The Group Policy Editor (GPE) snap-in in Microsoft Management Console (MMC) is the equivalent of the System Policy Editor, Poledit.exe, in NT 4.0. Each functional node in the GPE (such as Software Settings, Windows Settings, and Administrative Templates) is an MMC extension, an optional management tool within an MMC snap-in. If you are an application developer, you can extend the functionality of the GPO through a custom extension to provide additional policy control for your application.

Only systems running Win2K can process Group Policy; clients running NT 4.0 and Windows 9x cannot recognize or run AD-based GPOs.

Group Policy and AD

To take full advantage of GPO functionality, you need an AD domain infrastructure, which lets you define centralized policy that all Win2K servers and workstations can use. However, every computer running Win2K also has a local GPO (a GPO that resides on the local computer's file system). Through the local GPO, you can specify policy for an individual workstation that is not part of an AD domain. For example, for security reasons you might choose not to put a public computer in the AD domain. With the local GPO, you can modify local policy to secure the machine and restrict desktop use without relying on AD domain-based GPOs. There are two ways to access the local GPO. First, on the computer whose GPO you want to modify, select Run on the Start menu, and then type:

Gpedit.msc

This action is the equivalent of running Poledit.exe in NT 4.0 and opening the local policy file. Second, you can edit the local GPO by adding the GPE snap-in to the MMC console and then selecting the local computer or a remote computer.

Local GPOs support all default extensions except software installation and folder redirection, so you cannot perform those tasks with local GPOs alone; you need AD support to take full advantage of GPO functionality.

Diversity and inheritance of GPOs

In AD, GPOs can be defined at three different levels: domain, organizational unit (OU), or site. An OU is a container in AD that can be assigned for managing objects such as users, groups, and computers. A site is a collection of subnets on the network, and sites form the replication boundaries of AD. The GPO namespace is divided into two major classes, Computer Configuration and User Configuration. Only users and computers can process GPOs; GPOs cannot be applied to objects such as printers or even to user groups.

There are several ways to edit a policy on a domain or OU. In the Active Directory Users and Computers MMC snap-in, right-click a domain or OU, select Properties from the menu, and then select the Group Policy tab. To edit a policy on a site, open the Active Directory Sites and Services snap-in, and then right-click the desired site to get to its GPO. Alternatively, you can choose Run from the Start menu, and then type:

Mmc.exe

This starts MMC. Select Console, then Add/Remove Snap-in, select the Group Policy snap-in, and choose Browse. The GPOs in the AD domain are displayed, and you can select one to edit.
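
AD records the domain, OU, and site links described above in each container's gPLink attribute, a detail this article does not cover. The following Python code is an added example, not part of the original article: it parses exported gPLink values to show which GPOs are linked at which level and whether each link is disabled or marked No Override. The sample DNs and GUIDs are constructed.

```python
import re

# gPLink is the AD attribute on a domain, OU or site object that lists its linked
# GPOs as "[LDAP://<GPO DN>;<options>]": bit 0 = link disabled, bit 1 = No Override.
LINK_RE = re.compile(r"\[LDAP://CN=(\{[0-9A-F-]{36}\})[^;\]]*;(\d+)\]", re.IGNORECASE)


def container_level(dn):
    """Classify a container DN as one of the three levels a GPO can be linked to."""
    upper = dn.upper()
    if ",CN=SITES,CN=CONFIGURATION," in upper:
        return "site"
    if upper.startswith("OU="):
        return "ou"
    if upper.startswith("DC="):
        return "domain"
    return "unknown"


def parse_gplink(container_dn, gplink):
    """Return one record per GPO link found in a container's gPLink value."""
    links = []
    for guid, options in LINK_RE.findall(gplink or ""):
        flags = int(options)
        links.append({
            "container": container_dn,
            "level": container_level(container_dn),
            "gpo_guid": guid.upper(),
            "disabled": bool(flags & 1),
            "no_override": bool(flags & 2),
        })
    return links


# Constructed sample export (container DN -> gPLink); not from a real directory.
POLICIES = ",CN=Policies,CN=System,DC=example,DC=test"
SAMPLE = {
    "DC=example,DC=test": "[LDAP://CN={11111111-1111-1111-1111-111111111111}" + POLICIES + ";2]",
    "OU=Kiosks,DC=example,DC=test":
        "[LDAP://cn={22222222-2222-2222-2222-222222222222}" + POLICIES + ";0]"
        "[LDAP://cn={33333333-3333-3333-3333-333333333333}" + POLICIES + ";1]",
    "CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test":
        "[LDAP://cn={22222222-2222-2222-2222-222222222222}" + POLICIES + ";0]",
}


if __name__ == "__main__":
    for dn, value in SAMPLE.items():
        print(parse_gplink(dn, value))
```

Run against a periodic export of gPLink values, the records can be compared between runs to notice GPO links that appear, disappear, or change their No Override flag.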
