
Chapter 2

Designing a Group Policy Infrastructure

Microsoft® Windows® Server 2003 Group Policy enables administrators to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings, software deployment, scripts, folder redirection, Remote Installation Services, and Microsoft® Internet Explorer maintenance. By using Group Policy, you can significantly reduce an organization’s total cost of ownership. Because of factors such as the large number of policy settings available, the interaction between multiple policies, and inheritance options, Group Policy design can be complex. By carefully planning, designing, and testing a solution based on your organization’s business requirements, you can provide the standardized functionality, security, and management control that your organization needs.

In This Chapter

Group Policy Overview...... 52

Planning Your Group Policy Design...... 58

Designing Your Group Policy Model...... 68

Deploying Group Policy...... 82

Maintaining Group Policy...... 115

Additional Resources...... 117

Related Information
  • For more information about the Active Directory® directory service, see the Directory Services Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
  • For more information about security in Windows Server 2003, see the Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at
  • For more information about managing Group Policy, see the Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at

Group Policy Overview

Group Policy enables Active Directory–based change and configuration management of user and computer settings on computers running a member of the Microsoft® Windows® Server 2003 or Microsoft® Windows® 2000 families of operating systems, or the Microsoft® Windows® XP Professional operating system. You use Group Policy to define configurations for groups of users and computers, including policy settings for registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. You can also use Group Policy to help manage server computers, by configuring many server-specific operational and security settings.

The Group Policy settings that you create are contained in a Group Policy object (GPO). To create a GPO, use the Group Policy Management Console (GPMC). To edit a new GPO, use the Group Policy Object Editor snap-in for the Microsoft Management Console (MMC), which you can start from GPMC. By using GPMC to link a GPO to selected Active Directory system containers — sites, domains, and organizational units (OUs) — you apply the policy settings in the GPO to the users and computers in those Active Directory containers.

To guide your Group Policy design decisions, you need a clear understanding of your organization’s business needs, service level agreements, and security, network, and IT requirements. By analyzing your current environment and users’ requirements, defining the business objectives you want to meet by using Group Policy, and following this chapter’s guidelines for designing a Group Policy infrastructure, you can establish the approach that best supports your organization’s needs.

To see example standard desktop configurations and the actual policy settings used for those configurations, see the Group Policy scenarios in the whitepaper at the Implementing Common Desktop Management Scenarios link on the Web Resources page at For a list of these sample configurations, see Table 2.3 later in this chapter.

IntelliMirror refers to the ability to provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer – even when they are disconnected from the network. IntelliMirror is delivered by means of a set of Windows features that enable IT administrators to implement standard computing environments for groups of users and computers.

IntelliMirror can significantly boost user productivity and satisfaction by doing the following:

  • Allowing users to continue working efficiently in intermittently connected or disconnected scenarios by enabling uninterrupted access to user and configuration data under these conditions.
  • Delivering a consistent computing environment to users from any computer when their desktop or laptop computer is unavailable or in scenarios where users are not assigned a specific computer.
  • Minimizing data loss by enabling centralized backup of user data and configuration files by the IT organization.
  • Minimizing user downtime by enabling automated installation and repair of applications.

Implementing IntelliMirror also boosts administrator efficiency and reduces IT costs by doing the following:

  • Eliminating the need to manually configure user settings, install applications, or transfer user files to provide users access to their computing environments on any computer.
  • Enabling scenarios where users do not have an assigned computer but log in to any available computer in a pool of computers. This helps reduce hardware and administration costs.
  • Easing the IT task of implementing centralized backup of user files while satisfying the need for these files to be available on the user’s computer.
  • Reducing support costs by using Windows Installer to automatically repair broken application installations.
  • Enabling rapid deployment of security settings to ensure resources on the network are secure.

Windows features that implement IntelliMirror include Active Directory, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles.

Process for Implementing a Group Policy Solution

The process for implementing a Group Policy solution entails planning, designing, deploying, and maintaining the solution. These steps are illustrated in Figure 2.1.

Figure 2.1 Implementing Group Policy

When you plan your Group Policy design, make sure that you design the OU structure to ease Group Policy manageability and to comply with service level agreements. Establish good operational procedures for working with GPOs, such as those defined in this chapter, make sure that you understand Group Policy interoperability issues, and determine whether or not you plan to use Group Policy for software deployment.

During the design phase, define the scope of application of Group Policy, determine the policy settings that are applicable to all corporate users, classify users and computers based on their roles and locations, and then plan desktop configurations based on the user and computer requirements.

The deployment phase begins by staging in a test environment. This includes creating standard desktop configurations, filtering the scope of application of GPOs, specifying exceptions to default inheritance of Group Policy, delegating administration of Group Policy, evaluating effective policy settings by using Group Policy Modeling (formerly known as Resultant Set of Policy planning mode), and evaluating the results by using Group Policy Results (formerly known as Resultant Set of Policy logging mode).

Staging is critical. Thoroughly test your Group Policy implementation in a test environment before deploying to your production environment. After you complete staging and testing, migrate your GPO to your production environment by using GPMC. Consider an iterative implementation of Group Policy: rather than deploying 100 new Group Policy settings, initially stage and then deploy only a few settings to validate that the Group Policy infrastructure is working well.

Finally, prepare to maintain Group Policy by establishing control procedures for working with and troubleshooting GPOs by using GPMC.

What You Need Before Designing Your Group Policy Solution

Before designing your Group Policy implementation, you need to understand your current organizational environment, and you need to take preparatory steps in the following areas:

Active Directory

Ensure that the Active Directory OU design for all domains in the forest supports the application of Group Policy. For more information about Active Directory OU design, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of this kit.

Group Policy Management Console (GPMC)

Download and install the Group Policy Management Console, which consists of scripting interfaces and a Microsoft Management Console snap-in.

Networking

Make sure that your network meets the requirements for change and configuration management technologies. Because Group Policy works with fully qualified domain names, you must have DNS running in your forest in order to correctly process Group Policy; you cannot use NetBIOS only. Also, because client or destination computers must be able to contact your network’s domain controllers, do not turn off the ICMP protocol. If destination computers cannot ping the domain controllers, Group Policy processing will fail.

Security

Obtain a list of the security groups currently in use in your domain. Work closely with the security administrators as you delegate responsibility for organizational-unit administration and create designs that require security-group filtering. For more information about filtering GPOs, see “Applying GPOs to Selected Groups (Filtering)” in “Defining the Scope of Application of Group Policy” later in this chapter.

IT requirements

Obtain a list of the administrative owners and corporate administrative standards for the domains and OUs in your domain to develop a good delegation plan and to ensure that Group Policy is properly inherited.

Note

Turning off the ICMP protocol will cause Group Policy processing to fail. Turning off Read access on Active Directory containers that are in the hierarchy of a user or computer object will cause Group Policy processing for that object to fail.
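The two network prerequisites named above (DNS for the forest and ICMP reachability of the domain controllers) can be checked from a client before you start designing. The following PowerShell is an added example, not part of the Resource Kit; it assumes Resolve-DnsName is available (Windows 8 / Windows Server 2012 or later) and the domain name is a placeholder.

```powershell
# Added example (not from the Resource Kit): verify that DNS resolves the
# domain's domain-controller SRV records and that each DC answers ICMP.
param([string] $DomainName = 'corp.example.com')   # placeholder domain

function Test-GroupPolicyReachability {
    param([string] $Domain)

    # Clients locate domain controllers through this SRV record. If it does
    # not resolve, DNS is not serving the forest and Group Policy cannot be
    # processed (NetBIOS-only name resolution is not sufficient).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    if (-not $dcs) { throw "No domain-controller SRV records found for $Domain" }

    foreach ($dc in $dcs) {
        # The chapter's rule: if the client cannot ping the DC, Group Policy
        # processing fails, so ICMP must not be blocked between them.
        $reachable = Test-Connection -ComputerName $dc -Count 2 -Quiet
        [pscustomobject]@{
            DomainController = $dc
            IcmpReachable    = $reachable
        }
    }
}

Test-GroupPolicyReachability -Domain $DomainName | Format-Table -AutoSize
```

A DC that resolves but reports IcmpReachable = False is the case the Note above warns about; fix the filtering before attributing a policy failure to the GPO design.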

Administrative Requirements for Group Policy

To use Group Policy, your organization must be using Active Directory and the destination desktop and server computers must be running Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, or Windows Server 2003. You can manage server computers as well as client computers by using Group Policy; Group Policy offers many settings specific to server computers.

Using GPMC will greatly improve the manageability of your Group Policy deployment and enable you to take full advantage of the power of Group Policy by providing an enhanced and simplified Group Policy management interface.

By default, only domain administrators or enterprise administrators can create and link GPOs, but you can delegate this task to other users. For more information about administrative requirements for Group Policy, see “Delegating Administration of Group Policy” later in this chapter.

New in Windows Server 2003: Group Policy Management

GPMC is a new tool that unifies management of all aspects of Group Policy across multiple forests in an enterprise. GPMC allows you to manage all GPOs, Windows Management Instrumentation (WMI) filters, and Group Policy-related permissions in your network. Think of GPMC as your primary access point to Group Policy, with all the Group Policy management tools available from the GPMC interface. The information presented in this book is based on using GPMC for Group Policy deployment and ongoing management.

GPMC consists of a set of scriptable interfaces for managing Group Policy and an MMC-based user interface (UI). The UI integrates all previous Group Policy tools into a unified Group Policy-management console. GPMC runs on 32-bit computers that are running a member of the Windows Server 2003 family operating system or Windows XP Professional with Service Pack 1 and the Microsoft® .NET Framework. This tool can manage both Windows Server 2003 and Windows 2000 Active Directory–based domains.

GPMC provides the following:

  • A new user interface that integrates existing Group Policy functionality currently accessible by using various tools such as the Active Directory Users and Computers snap-in, the Active Directory Sites and Services snap-in, the Delegation of Control Wizard, the RSoP snap-in, the Delegation Wizard, and the ACL editor. The UI also simplifies inheritance and enforcement of GPOs.
  • Access to the Group Policy Object Editor (previously known as the Group Policy MMC snap-in).
  • Importing and exporting GPOs.
  • Copying and pasting GPOs.
  • Backing up and restoring GPOs.
  • Searching for existing GPOs.
  • Integration of RSoP capabilities:
      • Group Policy Modeling. Allows you to simulate RSoP data for planning Group Policy deployments prior to implementing them in the production environment.
      • Group Policy Results. Allows you to get RSoP data for viewing GPO interaction and for troubleshooting Group Policy deployments.
  • Support for migration tables to facilitate cross-domain and cross-forest GPO import and copy operations.
  • Reporting GPO settings and RSoP data in HTML reports that you can save and print.
  • Scripting all operations that are available within the tool. You cannot, however, use scripts to edit individual policy settings in a GPO.

Note

To help you get started, the GPMC installation includes sample scripts that use COM interfaces. The sample scripts are installed in the folder \Program Files\GPMC\Scripts\.

GPMC deployment and troubleshooting operations are described throughout this chapter. For detailed, step-by-step information about using GPMC to deploy and manage your Group Policy infrastructure, see Help in GPMC. Full details of the scripting interfaces are documented in the Group Policy Management Console Software Development Kit (SDK), which is located at program files\gpmc\scripts\gpmc.chm on any computer where you install GPMC. The GPMC SDK is also available in the Microsoft® Platform SDK. For more information and to download SDKs, see the Microsoft Platform SDK link on the Web Resources page at
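The scripting interfaces described above are COM objects, so they can be driven from PowerShell as well as from the sample .wsf scripts. The following is an added example, not one of the GPMC sample scripts: it backs up every GPO in a domain and writes an HTML settings report beside each backup, using the GPMgmt.GPM object documented in the GPMC SDK. It assumes GPMC is installed on the machine and that the caller can read the GPOs; the domain name and backup directory are parameters you supply.

```powershell
# Added example (not a GPMC sample script): back up all GPOs in a domain and
# save an HTML report of each GPO's settings next to the backup.
param(
    [Parameter(Mandatory)] [string] $DomainName,   # e.g. corp.example.com (placeholder)
    [Parameter(Mandatory)] [string] $BackupDir     # created if it does not exist
)

$null = New-Item -ItemType Directory -Path $BackupDir -Force

$gpm       = New-Object -ComObject GPMgmt.GPM   # GPMC scripting entry point
$constants = $gpm.GetConstants()
# "" = no preferred domain controller; UseAnyDC lets GPMC choose one.
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)

# Empty search criteria match every GPO in the domain.
$criteria = $gpm.CreateSearchCriteria()
$gpos     = $domain.SearchGPOs($criteria)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$failed = 0
foreach ($gpo in $gpos) {
    try {
        # Backup() returns a GPMResult; OverallStatus() throws if any of its
        # status messages is an error, which the catch block below records.
        $result = $gpo.Backup($BackupDir, "Scheduled backup $stamp")
        $result.OverallStatus()

        # Report file name: sanitised display name plus the GPO GUID, so two
        # GPOs with the same display name cannot overwrite each other.
        $safe   = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $report = Join-Path $BackupDir ("{0} {1}.html" -f $safe, $gpo.ID)
        $gpo.GenerateReportToFile($constants.ReportHTML, $report).OverallStatus()

        Write-Host ("Backed up {0} {1} (last modified {2})" -f
                    $gpo.DisplayName, $gpo.ID, $gpo.ModificationTime)
    } catch {
        $failed++
        Write-Warning ("Backup of {0} failed: {1}" -f $gpo.DisplayName, $_.Exception.Message)
    }
}
Write-Host ("{0} GPOs processed, {1} failed" -f $gpos.Count, $failed)
```

The backups can later be restored or imported with GPMC; as the list above notes, the scripting interfaces cannot edit individual policy settings, so the report is for review only.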

Before you begin planning your Group Policy design, install GPMC. It is available as a download from the Microsoft Web site. See the Group Policy Management Console link on the Web Resources page at

Planning Your Group Policy Design

When you plan your Group Policy design, ensure that your Active Directory design supports the application of Group Policy. Then you need to clearly define your objectives for deploying Group Policy. Specifically, understand any service-level agreements and administrative issues that pertain to Group Policy and consider your business requirements and how Group Policy can help you achieve them. Finally, incorporate any operational, interoperability, and software installation considerations into your plan. Figure 2.2 illustrates the steps in the Group Policy planning process.

Figure 2.2 Group Policy Planning

Designing an OU Structure that Supports Group Policy

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or organizational units (OUs). Typically, most GPOs are assigned at the organizational unit level, so be sure your OU structure supports your Group Policy-based client-management strategy. You might also apply some Group Policy settings at the domain level, particularly those such as password policies, which only take effect if applied at the domain level. Very few policy settings are likely to be applied at the site level. A well-designed OU structure, reflecting the administrative structure of your organization and taking advantage of GPO inheritance, simplifies the application of Group Policy. For example, it can spare you from duplicating policies so that they apply to different parts of the organization, or from linking the same GPO to multiple Active Directory containers to achieve your objectives. If possible, create OUs to delegate administrative authority as well as to help implement Group Policy.

OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:

Delegating administrative authority

You can create OUs within a domain and delegate administrative control for specific OUs to particular users or groups. Your OU structure might be affected by requirements to delegate administrative authority. For more information about planning for delegation of Active Directory administrative authority, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of this kit.

Applying Group Policy

An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.

Think primarily about the objects you want to manage when you approach the design of an OU structure. You might want to create a structure that has OUs organized by workstations, servers, and users near the top level. Depending on your administrative model, you might consider geographically based OUs either as children or parents of the other OUs, and then duplicate the structure for each location to avoid replicating across different sites. Add OUs below these only if doing so makes the application of Group Policy clearer, or if you need to delegate administration below these levels.

By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object. This approach to OU design, illustrated in Figure 2.3, reduces complexity and improves the speed at which Group Policy is applied. Keep in mind that GPOs linked to the higher layers of the OU structure are inherited by default, which reduces the need to duplicate GPOs or to link a GPO to multiple containers.

Note that the default Users and Computers containers cannot have Group Policy applied to them until you use the new Redirusr.exe and Redircomp.exe tools. When designing your Active Directory structure, the most important considerations are ease of administration and delegation.

Figure 2.3 Example OU Structure
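With homogeneous OUs, the unused half of each linked GPO can be switched off, as the design above suggests. The following PowerShell is an added example, not from the Resource Kit: for an OU that holds only computer objects, it lists the GPOs linked there and, only when run with -Fix, disables the User Configuration section of those GPOs whose sole link is that OU. It uses the GPMC COM interfaces (GPMgmt.GPM) and assumes GPMC is installed; the domain name and OU distinguished name are placeholders.

```powershell
# Added example (not from the Resource Kit): report or disable the unused
# User Configuration section of GPOs linked to a computer-only OU.
param(
    [string] $DomainName = 'corp.example.com',                          # placeholder
    [string] $OuDn       = 'OU=Workstations,DC=corp,DC=example,DC=com', # placeholder
    [switch] $Fix                                                       # default: report only
)

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)
$som       = $domain.GetSOM($OuDn)    # scope of management: the OU itself

foreach ($link in $som.GetGPOLinks()) {
    $gpo = $domain.GetGPO($link.GPOID)

    # Disabling a section affects every link of the GPO, not just this OU,
    # so find the other domain/OU containers in this domain that link it.
    # (Site links and links from other domains are not covered by this search.)
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($constants.SearchPropertySOMLinks, $constants.SearchOpContains, $gpo)
    $otherLinks = @($domain.SearchSOMs($criteria) | Where-Object { $_.Path -ne $som.Path })

    if (-not $gpo.UserEnabled) {
        Write-Host ("{0}: user section already disabled" -f $gpo.DisplayName)
    } elseif ($otherLinks.Count -gt 0) {
        # A GPO shared with other containers may need its user section there.
        Write-Warning ("{0}: also linked at {1}; leaving user section enabled" -f
                       $gpo.DisplayName, ($otherLinks.Path -join ', '))
    } elseif ($Fix) {
        $gpo.UserEnabled = $false   # clients now process only the computer section
        Write-Host ("{0}: user section disabled" -f $gpo.DisplayName)
    } else {
        Write-Host ("{0}: user section enabled but unused (rerun with -Fix)" -f $gpo.DisplayName)
    }
}
```

Run it without -Fix first and review the warnings; GPOs that are also linked to a user OU are deliberately left untouched.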