May 01 2006

Policy Initiatives

Tap Windows Group Policy to boost uptime and security while cutting management costs.

While more than 80 percent of Windows users in North America have deployed Active Directory, according to market research firm IDC, Microsoft officials say only 50 to 60 percent are using its Group Policy technology. If you manage Windows computers, Group Policy can reduce IT costs, improve security and increase uptime by giving you centralized control of your client and server computers.

Though there are some limitations in its capabilities, here’s how to deploy and benefit from Group Policy. For administrators already using Group Policy, here’s an opportunity to review its capabilities and verify that you are getting the most out of your infrastructure.

Group Policy is a way to manage settings and software on multiple Windows computers. Some of the settings you can define include:

  • Configuration. Configure most important operating system settings, as well as settings for many built-in applications, including Internet Explorer, Windows Messenger and Windows Media Player.
  • Security. Define password policy, account lockout policy, user rights, audit settings and group memberships.
  • Permissions. Control which users can control services, edit registry settings, and view or modify selected files.
  • Wireless network policy. Allow or block wireless network connections.
  • Software restrictions. Define which applications users can run.
  • Software distribution. Install or upgrade an application on computers in your organization with just a few clicks. While Group Policy software distribution can be very useful, most organizations will also need a Windows Server Update Services (WSUS) infrastructure to distribute Microsoft updates. Larger organizations may need to add a Microsoft Systems Management Server infrastructure.

Additionally, administrators or software vendors can add custom Group Policy settings by using Administrative Templates. To familiarize yourself with Group Policy settings, browse the Group Policy settings on your local computer, or review the Group Policy Settings Reference.

An Active Directory Partner

All Windows computers have a local Group Policy object that defines settings for that computer. However, the real benefit of Group Policy is the ability to configure multiple computers. For that, you need an Active Directory domain. If you’re not familiar with Active Directory, it is a Microsoft directory service that requires Windows Server 2003. Active Directory can scale to any size enterprise and provides many other benefits besides Group Policy, including centralized user management, simplified DNS management and software distribution.

When deployed in an Active Directory environment, Group Policy gives you the flexibility to apply settings to computers in a way that mirrors your organization’s structure. Figure 1 shows a simple Group Policy organizational hierarchy. In this hierarchy, a Group Policy object applied at the Domain level would apply to every user and computer in the organization. However, you could overwrite some or all of those settings for the Marketing, IT or Accounting departments by applying Group Policy to those organizational units. For example, if developers need Visual Studio and local Administrator rights, no problem—just specify those settings in a Group Policy object and add the Group Policy object to the Developers organizational unit.

In addition to custom organizational units, you can assign Group Policy objects based on location (known as Sites in Active Directory), operating system and a variety of other factors. Ultimately, this gives you total control over how you configure the computers in your organization. You can even delegate management over parts of your organization, enabling regional and departmental IT groups to make their own decisions about the computers they are responsible for.
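
The domain-then-organizational-unit hierarchy described above, as an added example that is not from the article: a baseline GPO linked at the domain, a second GPO linked at a Developers OU that overrides one of its settings, and a check of what the OU ends up inheriting. It uses the GroupPolicy PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later, so it postdates this 2006 article); the domain DN, OU DN and GPO names are placeholders, the OU is assumed to exist and to contain the developers' user accounts (the setting used is a User Configuration policy), and the session must be allowed to create and link GPOs.

```powershell
# Added example, not from the article: build the domain-then-OU hierarchy the
# text describes with the GroupPolicy module (RSAT, Windows Server 2008 R2+).
# Domain DN, OU DN and GPO names below are placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'            # placeholder domain
$devOuDn  = "OU=Developers,OU=IT,$domainDn"   # placeholder OU (must already exist)

# 1. Baseline GPO linked at the domain level: every user in the domain gets it.
#    "Prevent access to registry editing tools" is a real User Configuration
#    policy backed by the registry value below (1 = registry editor blocked).
$baseline = New-GPO -Name 'Corp Baseline - Users' -Comment 'Domain-wide user lockdown'
Set-GPRegistryValue -Name $baseline.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $baseline.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

# 2. Override GPO linked at the Developers OU: the same value set back to 0.
#    Processing order is local, site, domain, then OU, and the last writer wins,
#    so for users in the Developers OU the OU-linked setting takes effect.
$devs = New-GPO -Name 'Developers - Allow Registry Tools' -Comment 'OU-level override'
Set-GPRegistryValue -Name $devs.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 0 | Out-Null
New-GPLink -Name $devs.DisplayName -Target $devOuDn -LinkEnabled Yes | Out-Null

# 3. Show what the OU receives: its own links first, then the inherited ones.
#    If a baseline setting must never be overridden lower in the tree, mark the
#    domain link Enforced instead (Set-GPLink -Name <gpo> -Target $domainDn
#    -Enforced Yes); an enforced link beats OU-level overrides.
$inh = Get-GPInheritance -Target $devOuDn
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# 4. Dump the OU GPO to an HTML report for review before rollout.
Get-GPOReport -Name $devs.DisplayName -ReportType Html -Path "$env:TEMP\devs-gpo.html"
```

The inheritance listing is the thing to check before linking anything new: it shows, in precedence order, every GPO that will touch objects in the OU, which is how you keep the hierarchy to the smallest number of GPOs that still expresses the exceptions you need.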

Tools of the Trade

There are several tools you can use to configure, apply, and audit Group Policy settings:

  • Security Templates. Use security templates to define Group Policy settings on Windows computers not in an Active Directory domain and to quickly audit a computer’s settings using the Security Configuration and Management console. Microsoft provides several pre-defined security templates that you can use to apply high-security settings to your computers.
  • Resultant Set of Policy (RSoP). Primarily a troubleshooting tool, use RSoP to audit security settings and to identify the source of a specific security setting in environments where multiple Group Policy objects apply to individual computers.
  • Group Policy Inventory. Collect Group Policy information from computers on your network to perform hardware and software inventories, audit configuration settings, find computers that need updates, or many other tasks.
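
Auditing the password and account lockout settings from the Security bullet earlier with the first two tools in this list, as an added example that is not from the article: the effective policy is exported with secedit (the engine behind security templates), compared against a baseline, and the GPOs the computer actually applied are read from gpresult (RSoP) so a failing setting can be traced to its source. It assumes an elevated PowerShell session on a Windows computer; the baseline values are constructed placeholders, not figures from the article.

```powershell
# Added example, not from the article: audit password/lockout policy with
# secedit (security templates) and gpresult (RSoP). Baseline values are
# constructed placeholders; run elevated.

function Get-LocalSecurityPolicy {
    # secedit exports the effective policy as an .inf file; its [System Access]
    # section carries the password and lockout settings Group Policy controls.
    $inf = Join-Path $env:TEMP 'effective-policy.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(-?\d+)\s*$') {
            $settings[$Matches[1]] = [int]$Matches[2]   # numeric entries only
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $settings
}

function Test-AccountPolicyBaseline {
    param([hashtable]$Policy = (Get-LocalSecurityPolicy))
    # Constructed baseline: minimum acceptable values for these three settings.
    $minimums = @{ MinimumPasswordLength = 12; PasswordHistorySize = 24; PasswordComplexity = 1 }
    foreach ($name in $minimums.Keys) {
        $actual = $Policy[$name]
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = ">= $($minimums[$name])"
            Pass     = ($null -ne $actual -and $actual -ge $minimums[$name])
        }
    }
    # LockoutBadCount is failures allowed before lockout; 0 means no lockout.
    $bad = $Policy['LockoutBadCount']
    [pscustomobject]@{
        Setting  = 'LockoutBadCount'
        Actual   = $bad
        Expected = '1..10'
        Pass     = ($null -ne $bad -and $bad -ge 1 -and $bad -le 10)
    }
}

function Get-AppliedComputerGpos {
    # RSoP: the GPOs the computer actually applied, in the order gpresult lists
    # them, so a failing check can be traced to the GPO that set the value.
    $lines   = gpresult.exe /scope computer /v
    $applied = @()
    $inList  = $false
    foreach ($line in $lines) {
        if ($line -match 'Applied Group Policy Objects') { $inList = $true; continue }
        if ($inList) {
            if ($line -match '^\s*-+\s*$') { continue }   # underline row
            if ($line.Trim() -eq '')      { break }       # blank line ends the list
            $applied += $line.Trim()
        }
    }
    return $applied
}

# Usage: failing rows first, then the GPOs to inspect for the winning setting.
Test-AccountPolicyBaseline | Sort-Object Pass | Format-Table -AutoSize
Get-AppliedComputerGpos
```

On a domain-joined computer the exported values are the result of every applied GPO, not just the local policy, which is why the RSoP list belongs next to the comparison: a setting that fails the baseline is fixed in the GPO that supplied it, not on the individual machine.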

Additional tools are available from both Microsoft and third-parties.

Nobody’s Perfect

Group Policy is a necessity for any organization managing more than a handful of Windows computers. It’s not perfect, however. First, Group Policy has only very limited abilities to manage non-Windows computers, so you may need to purchase third-party software such as the LANDesk Management Suite or Symantec’s LiveState Client Management if you manage UNIX, Linux or Apple clients or servers.

Second, it’s difficult to use Group Policy to manage computers not in an Active Directory domain. Consumer versions of Windows, including Windows XP Home Edition, Windows ME, and Windows 98, cannot join a domain. Therefore, you may need to upgrade some client computers to realize all the benefits of Group Policy.

Finally, the Group Policy and Active Directory infrastructure are included with Windows Server 2003, but that doesn’t mean it comes free. Depending on the size of your organization, you may need anywhere from two to dozens of Windows Server 2003 computers for the Active Directory infrastructure. You’ll also have to train your IT staff to use Group Policy and manage the deployment of your organization’s computers.

Group Policy will almost certainly save you time and money if you manage more than a handful of Windows computers. If you want to deploy Group Policy, start by deploying an Active Directory. Then, design a Group Policy hierarchy that will enable you to efficiently manage your environment with the fewest number of Group Policy objects possible. For information about how to design and deploy a Group Policy infrastructure, a good place to start is Chapters 1 through 4 of the Windows Server 2003 Deployment Kit: Designing a Managed Environment.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.