Group Policy Components
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Depending on the size and complexity of the organization, administrators must set, maintain, and manage various standard configurations for groups of users and computers. Users may require specialized software or have unique needs, such as the ability to always work remotely. Client computers must be set up for specific purposes with configurations for kiosks, labs, general office use, and other roles.
Group Policy is the infrastructure that enables you to deliver and apply these and other configurations to targeted users and computers within an Active Directory directory service environment.
The Group Policy infrastructure consists of a Group Policy engine and various individual components known as client-side extensions that “plug” into the infrastructure. These client-side extensions are used to configure Group Policy settings either by modifying the registry (through the Administrative Templates extension) or setting Group Policy settings for security settings, software installation, folder redirection, wireless network settings, and other areas. Group Policy settings are contained in Group Policy objects (GPOs) that are applied to users and computers.
Group Policy components provide you with the means of enforcing and maintaining a wide variety of configurations, thereby reducing the risk of disruption in your computing environment. In addition, the Group Policy infrastructure is designed to be flexible and extensible, allowing you to develop your own extensions, if desired.
You administer Group Policy components using two primary tools. The first tool is Group Policy Management Console (GPMC), which lets you create, view, and manage GPOs. The second tool is Group Policy Object Editor, which lets you configure and modify settings within GPOs.
Group Policy Component Architecture
Group Policy settings are implemented by a variety of components. There are two basic types of components:
Extensions that allow you to administer and configure Group Policy settings using Group Policy Object Editor. These are server-side snap-ins that are extensions to the Microsoft Management Console (MMC) snap-in.
Extensions that interpret Group Policy settings and apply them on the client computer. These are extensions to the logon process – Winlogon – and are known as client-side extensions.
Figure: Group Policy Component Architecture
Server Side MMC Snap-in Extensions
You configure Group Policy settings using Microsoft Management Console (MMC) snap-ins. The snap-in provides the basic organization of the Group Policy Object Editor and the top-level namespace (Software Settings, Windows Settings, and Administrative Templates). There are server-side snap-in extensions for most of the client-side extensions shown in the figure earlier. However, some client-side extensions, such as Disk Quotas, do not require separate server-side snap-ins. In many cases, client-side extensions only require registry settings to be transferred to the client system, and these can be configured using the Administrative Templates snap-in.
Server-side snap-in extensions include:
Administrative Templates.
Security Settings.
IP Security.
Scripts.
Software Installation.
Internet Explorer Maintenance.
All MMC snap-ins and extensions are registered under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\Nodetypes
Each extension may have further child extensions. In this way, Group Policy Object Editor consists of an extensible tree of administrative components. This allows components to be updated or new components to be added without affecting other components.
Client-Side Extensions
Client-side extensions (CSEs) are the components running on the client system that process and apply Group Policy settings to that system. A number of extensions are preinstalled in Windows Server 2003. Other Microsoft applications and third-party application vendors can also write and install additional extensions to implement Group Policy management of their applications. The default CSEs are listed in the following table.
Default Client-Side Extensions
| Client-Side Extension | Active Directory Component | Sysvol Component |
|---|---|---|
| Administrative Templates | | Registry.pol (+ .adm) |
| Software Installation | PackageRegistration objects | .aas files |
| Security Settings | | Gptmpl.inf |
| Folder Redirection | | fdeploy.ini |
| Scripts | | Scripts |
| IP Security | IPSec Policy objects | |
| Internet Explorer Maintenance | | .ins and branding .inf files |
| Disk Quotas | | Registry.pol |
| EFS Recovery | | Registry.pol |
| Remote Installation | | Oscfilter.ini |
| QoS Packet Scheduler | | Registry.pol and .adm files |
Client-side extensions are implemented within DLLs that are installed and registered on the client computer during operating system installation. To trigger Group Policy processing, the Group Policy engine running within Winlogon calls each CSE DLL using the CSE registration settings contained below the Winlogon key in the registry.
Each of the CSEs is registered under the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Group Policy Component Scenarios
Group Policy is used to define configurations for groups of users and computers. With Group Policy, administrators can specify Group Policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. Group Policy settings are contained in a GPO. By linking a GPO with selected Active Directory system containers—sites, domains, and organizational units—the GPO's Group Policy settings are applied to the users and computers in those Active Directory containers.
Administrative Templates
Administrative Templates enable administrators to control registry settings using Group Policy, providing the means to configure the behavior and appearance of the desktop, including the operating system, components, and applications. Windows comes with a predefined set of Administrative Template files, which are implemented as text files (with an .adm extension), that define the registry settings that can be configured in a GPO. These .adm files are stored in two locations by default: inside GPOs in the Sysvol folder and in the %windir%\inf directory on the local computer. Administrative Templates Group Policy settings are also referred to as .adm settings or registry-based settings.
As new versions of Windows are released, new Administrative Templates policy settings are added. In addition to supporting these new settings, each successive version of Windows supports all registry policy settings that were available in earlier versions of Windows. For example, the Windows Server 2003 family of operating systems supports all Administrative Templates policy settings available in Windows 2000 and Windows XP.
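The Registry.pol file listed in the table above is the Sysvol artifact that the Administrative Templates CSE (and, through it, Disk Quotas, EFS Recovery and QoS Packet Scheduler) reads on the client. Because a GPO's Registry.pol is what actually lands in client registries, defenders auditing Sysvol want to read it without a domain-joined machine. The following added example (not code from the page or from Microsoft) encodes and decodes the documented layout: a "PReg" signature and version DWORD, then a sequence of `[key;value;type;size;data]` records in UTF-16LE. The disk-quota key, value names and the `Software\Policies\Example` entry in the sample are constructed test data, not values taken from the page.

```python
"""Minimal Registry.pol reader and writer for auditing GPO registry settings.
Added example: layout follows the public Registry.pol format, sample data is constructed."""
import struct

SIGNATURE = b"PReg"          # file magic
VERSION = 1                  # only version ever defined
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4


def _wchar(ch):
    return ch.encode("utf-16-le")


def _wstr(text):
    """UTF-16LE string with the terminating NUL that Registry.pol stores."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Encode (key, value_name, reg_type, raw_data) tuples into a Registry.pol image."""
    body = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, name, rtype, data in entries:
        body += _wchar("[") + _wstr(key) + _wchar(";") + _wstr(name) + _wchar(";")
        body += struct.pack("<I", rtype) + _wchar(";")
        body += struct.pack("<I", len(data)) + _wchar(";") + data + _wchar("]")
    return bytes(body)


def _read_wstr(buf, pos):
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _wchar(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_data(rtype, data):
    """Turn raw value bytes into a Python value for the common registry types."""
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    return data                      # binary / multi-string left as bytes


def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, decoded_data), ...]; raises ValueError on malformed input."""
    if buf[:4] != SIGNATURE:
        raise ValueError("not a Registry.pol file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated value data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append((key, name, rtype, decode_data(rtype, data)))
    return entries


# Constructed sample: two disk-quota DWORDs and one expandable string (test data only).
QUOTA_KEY = r"Software\Policies\Microsoft\Windows NT\DiskQuota"
SAMPLE_ENTRIES = [
    (QUOTA_KEY, "Enable", REG_DWORD, struct.pack("<I", 1)),
    (QUOTA_KEY, "Limit", REG_DWORD, struct.pack("<I", 500)),
    (r"Software\Policies\Example", "LogPath", REG_EXPAND_SZ, _wstr(r"%SystemRoot%\Logs")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for key, name, rtype, value in parse_registry_pol(SAMPLE_POL):
        print("%s\\%s (type %d) = %r" % (key, name, rtype, value))
```

Point `parse_registry_pol` at the bytes of `\\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Registry.pol` to list every registry write a GPO will make; value names beginning with `**` (such as `**Del.`) are deletion and control records rather than settings, and a parse error on a file the domain controllers serve is itself worth investigating.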
Security Settings
You can define security settings that are enforced on any number of computers, by using the Security Settings extension of Group Policy. By specifying the security configuration of a Group Policy object (GPO), you can affect the computers in a site, domain, or organizational unit to which the GPO is linked.
You can configure the following types of security settings:
Account Policies. This includes settings for Password Policy, Account Lockout Policy, and Kerberos Policy.
Local Policies. This includes settings for Audit Policy, User Rights Assignment, and Security Options.
Event Log. This includes settings for application, system, and security Event Log settings.
Restricted Groups. This specifies policies for membership of security-sensitive groups.
System Services. This specifies policies for startup and permissions for system services.
Registry. This includes policies that specify permissions for registry keys.
File System. This includes policies that specify permissions for folders and files.
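The Security Settings CSE takes its input from the Gptmpl.inf file listed in the table above, an INI-style security template in Sysvol whose [System Access] section carries the Account Policies described here. The following added example (not code from the page or from Microsoft) parses such a template and checks the password and lockout settings against a baseline. The baseline thresholds and the sample template are assumptions constructed for the example; the section and key names are the standard ones used by security templates.

```python
"""Parse a Gptmpl.inf security template and audit [System Access] against a baseline.
Added example: baseline thresholds and the sample template are constructed assumptions."""


def load_template(data):
    """Decode template bytes; Sysvol copies are usually UTF-16 with a BOM, but accept UTF-8 too."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_inf(text):
    """Return {section: {key: value}}; keys keep their case, ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


# Assumed baseline (not from the page): rule and threshold per [System Access] key.
BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "PasswordComplexity":    ("eq", 1),
    "PasswordHistorySize":   ("min", 24),
    "LockoutBadCount":       ("min", 1),    # 0 means account lockout is disabled
    "MaximumPasswordAge":    ("max", 90),   # 0 or -1 means passwords never expire
}


def audit_system_access(sections, baseline=BASELINE):
    """Return (key, actual, expected) findings for settings missing or weaker than the baseline."""
    access = sections.get("System Access", {})
    findings = []
    for key, (rule, want) in baseline.items():
        raw = access.get(key)
        if raw is None:
            findings.append((key, None, "%s %d" % (rule, want)))
            continue
        try:
            actual = int(raw)
        except ValueError:
            findings.append((key, raw, "integer"))
            continue
        ok = {"min": actual >= want,
              "eq": actual == want,
              "max": 0 < actual <= want}[rule]   # non-positive age = never expires
        if not ok:
            findings.append((key, actual, "%s %d" % (rule, want)))
    return findings


# Constructed sample template with several weak Account Policy values (test data only).
SAMPLE_TEMPLATE = b"\xff\xfe" + """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
""".encode("utf-16-le")

if __name__ == "__main__":
    for key, actual, expected in audit_system_access(parse_inf(load_template(SAMPLE_TEMPLATE))):
        print("%-22s actual=%r expected=%s" % (key, actual, expected))
```

Run it over `\\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` for each GPO linked at the domain level, since Account Policies are only effective from GPOs linked there; the other sections ([Privilege Rights], [Registry Values], [Event Audit]) parse the same way and can be compared with the same pattern.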
IP Security Policy
Internet Protocol security (IPSec) is a framework of open standards designed to ensure private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection.
In an Active Directory environment, you can use Group Policy to centralize IPSec policy distribution and management. You can use the IP Security Policies snap-in to configure IPSec policies to meet the security requirements of a user, group, application, domain, site, or global organization. You can also specify IPSec policies on a local computer that is not a member of a domain.
Software Restriction Policies
The Windows Server 2003 family of operating systems and Windows XP include software restriction policies, a new policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are a part of Microsoft’s security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computer networks. You can specify software restriction policies in an Active Directory environment or on a local computer.
You can use Software Restriction Policies to:
Fight viruses.
Regulate which ActiveX controls can be downloaded.
Run only digitally signed scripts.
Enforce that only approved software is installed on system computers.
Highly restrict (lock down) a computer.
Wireless Network Policies
A new Wireless Network (IEEE 802.11) Policies Group Policy extension allows you to configure wireless network settings that are part of Group Policy for Computer Configuration. Wireless network settings include the list of preferred networks, Wired Equivalent Privacy (WEP) settings, and IEEE 802.1X settings. These settings are downloaded to targeted domain members, making it much easier to deploy a specific configuration for secure wireless connections to wireless client computers.
Public Key Policies
These Group Policy settings are used to:
Specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate.
Create and distribute a certificate trust list.
Establish common trusted root certification authorities.
Add encrypted data recovery agents and change the encrypted data recovery policy settings.
Software Installation
The Software Installation snap-in is used to centrally manage software. Software can be assigned or published to users and assigned to computers. Group Policy-based Software Installation can be used to install software applications when a computer is started, when the user logs on, or on demand. Software installation Group Policy settings can be applied to users or computers in an Active Directory structure.
Group Policy-based Software Installation can also be used to upgrade deployed applications or remove earlier applications that are no longer required. Users can be restricted from installing any software from local media, such as a CD-ROM, or disk, or other unapproved applications.
Medium and large organizations may wish to consider using Microsoft Systems Management Server (SMS). SMS provides advanced capabilities such as inventory-based targeting, status reporting, server- and client-side scheduling, multisite facilities, complex targeting, centralized hardware and software inventory, remote diagnostic tools, software metering, software distribution-point population and maintenance, support for Windows 95, Windows 98, Windows NT 4.0, Windows 2000, and Windows XP clients, and enhanced software deployment features. SMS does not require Active Directory.
Remote Installation Services
Remote Installation Services (RIS) is an optional component that is included in the Windows Server operating system and works with other Windows Server 2003 technologies to implement the Remote Operating System Installation feature. Administrators use Remote Operating System Installation to remotely install a copy of the Windows XP Professional operating system on supported computers. Administrators use the RIS extension of Group Policy to specify which options are presented to users by the Client Installation Wizard, for example, Automatic Setup, Custom Setup, and Restart Setup.
Scripts
Scripts are used to automate tasks at computer startup and shutdown, and at user logon and logoff. Scripts can be written in any language supported by Windows Script Host including the Microsoft Visual Basic development system, Scripting Edition (VBScript), JavaScript, PERL, and MS DOS-style batch files (.bat and .cmd).
Internet Explorer Maintenance
Internet Explorer Maintenance is used to manage and customize Internet Explorer on computers running Windows 2000 or later. Administrators can set options for the Browser UI, connections, URLs, proxy settings, security zones, Favorites, and Internet Explorer Enhanced Security Configuration component (also known as Microsoft Internet Explorer hardening).
Folder Redirection
Folder redirection is used to redirect special directories on Windows 2000 or Windows Server 2003 from their default user profile location to an alternate location on the network. These special folders include My Documents, Application Data, Desktop, and the Start menu.
Disk Quotas
Disk quotas provide a way to limit each user's utilization of disk space on a volume. Disk quotas are implemented as part of the NTFS file system. Disk quota settings are read from the registry at startup and during GPO processing. Disk Quotas are configured through the Administrative Templates snap-in and are stored in the Registry.pol GPO registry settings file – there is no GPO snap-in for disk quotas. The Disk Quota CSE retrieves the resultant setting from the client system’s registry and configures the disk quota parameters accordingly. Prioritization of multiple GPO settings is handled by the Administrative Templates CSE.
QoS Packet Scheduler
Quality of service (QoS) allows you to use your existing resources efficiently and guarantee that critical applications receive high-quality service, without having to expand as quickly or even over-provision your networks. Quality of Service parameters are configured as registry settings using the Administrative Templates snap-in. The QoS Packet Scheduler CSE reads these settings from the registry and configures the Packet Scheduler service on the client system with these parameters.