4. Policy Settings
Group Policy settings, also known simply as policies,
are contained in a GPO and are viewed and modified by using the GPME. This
section examines the categories of settings available in a
GPO.
Computer Configuration and User Configuration
There are two major divisions of policy settings: computer settings, contained in the
Computer Configuration node, and user settings, contained in the
User Configuration node.
The Computer Configuration node contains settings applied to
computers, regardless of who logs on to them. Computer settings are
applied when the operating system starts up and during background refresh every 90 to 120 minutes thereafter.
The User Configuration node contains settings that are applied when
a user logs on to the computer and during background refresh every
90 to 120 minutes thereafter.
Within the Computer Configuration and User Configuration nodes
are the Policies and Preferences nodes. Policies are settings that
are configured and behave similarly to the policy settings in
earlier versions of Windows. Preferences were introduced in Windows
Server 2008. The following sections examine these nodes.
Within the Policies nodes under Computer Configuration and
User Configuration is a hierarchy of folders containing policy
settings. Because there are thousands of settings, it is beyond the
scope of the exam and of this training kit to examine individual
settings. It is worthwhile, however, to define the broad categories
of settings in the folders. The first of these nodes is the
Software Settings node, which contains only the
Software Installation extension. The Software
Installation extension helps you specify how applications are
installed and maintained within your organization. It also provides
a place for independent software vendors to add settings.
In both the Computer Configuration and User Configuration
nodes, the Policies node contains a Windows Settings node that includes the Scripts, Security Settings, and Policy-Based QoS nodes.
The Scripts extension allows you to specify two types of
scripts: startup/shutdown (in the Computer Configuration node) and
logon/logoff (in the User Configuration node). Startup/shutdown
scripts run at computer startup or shutdown. Logon/logoff scripts
run when a user logs on or off the computer. When you assign
multiple logon/logoff or startup/shutdown scripts to a user or computer, the Scripts CSE
executes the scripts from top to bottom. You can determine the order
of execution for multiple scripts in the Properties dialog box. When
a computer is shut down, the CSE first processes logoff scripts,
followed by shutdown scripts. By default, the timeout value for processing scripts is 10 minutes. If
the logoff and shutdown scripts require more than 10 minutes to
process, you must adjust the timeout value with a policy setting. You can use any ActiveX scripting
language to write scripts. Some possibilities include Microsoft
Visual Basic Scripting Edition (VBScript), Microsoft JScript, Perl,
and MS-DOS-style batch files (.bat and .cmd). Logon
scripts on a shared network directory in another forest are
supported for network logon across forests.
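The script order described above can be reviewed outside the GPME, because the Scripts extension records assigned scripts in a scripts.ini file inside the GPO's folder in SYSVOL, as numbered CmdLine/Parameters pairs. The following PowerShell is an added example, not part of the original text; the function name Get-GpoScriptOrder, the domain corp.example, and the sample file contents are constructed for illustration.

```powershell
# Constructed sample: text of a GPO's Machine\Scripts\scripts.ini.
# Each script is a numbered <n>CmdLine / <n>Parameters pair; lower numbers run first.
$SampleIni = @'
[Startup]
0CmdLine=inventory.cmd
0Parameters=/quiet
1CmdLine=\\corp.example\NETLOGON\map-drives.vbs
1Parameters=
[Shutdown]
0CmdLine=\\fs01.partner.example\tools\cleanup.bat
0Parameters=
'@

function Get-GpoScriptOrder {
    param(
        [Parameter(Mandatory)][string]$IniText,
        [Parameter(Mandatory)][string]$DomainFqdn   # assumed value, e.g. corp.example
    )
    $section = $null
    $found = @{}                                    # "Section|index" -> entry object
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $index = [int]$Matches[1]; $field = $Matches[2]; $value = $Matches[3]
            $key = "$section|$index"
            if (-not $found.ContainsKey($key)) {
                $found[$key] = [pscustomobject]@{
                    Section = $section; Order = $index
                    CmdLine = ''; Parameters = ''; Location = ''
                }
            }
            $found[$key].$field = $value
        }
    }
    foreach ($entry in $found.Values) {
        # Classify where the script is loaded from, so off-domain shares stand out.
        if ($entry.CmdLine -match '^\\\\([^\\]+)\\') {
            $hostName = $Matches[1]
            $entry.Location = if ($hostName -ieq $DomainFqdn) { 'Domain share' }
                              else { "Other host: $hostName" }
        } else {
            $entry.Location = 'Local or GPO-relative path'
        }
    }
    $found.Values | Sort-Object Section, Order
}

Get-GpoScriptOrder -IniText $SampleIni -DomainFqdn 'corp.example' | Format-Table -AutoSize
```

Against a real GPO, pass the file's text with Get-Content -Raw. Entries labelled "Other host" run from shares whose permissions are managed outside the GPO, so check who can write to them.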
The Security Settings node allows a security administrator
to configure security by using GPOs. This can be done after, or
instead of, using a security template to set system security.
The Policy-Based QoS node defines policies that manage
network traffic. For example, you might want to ensure
that users in the Finance department have priority for running a
critical network application during the end-of-year financial
reporting period. Policy-Based QoS enables you to do that.
In the User Configuration node only, the Windows Settings folder contains the additional
Remote Installation Services, Folder Redirection, and Internet Explorer Maintenance nodes. Remote Installation Services (RIS) policies control
the behavior of a remote operating system installation, using RIS.
Folder Redirection allows you to redirect user data and settings
folders (AppData, Desktop, Documents, Pictures, Music, and
Favorites, for example) from their default user profile location to
an alternate location on the network, where they can be centrally
managed and accessed. Internet Explorer Maintenance lets you administer and
customize Microsoft Internet Explorer.
Administrative Templates Node
In both the Computer Configuration and User Configuration
nodes, the Administrative Templates node contains registry-based Group Policy settings. Thousands of
such settings are available for configuring the user and computer
environment. As an administrator, you might spend a significant
amount of time manipulating these settings. To assist you with the
settings, a description of each policy setting is available in two
locations:
- In the Help section of the Properties dialog box for the
  setting. In addition, the Supported On section lists the
  required operating system or software for the setting.
- On the Extended tab of the GPME. The Extended tab appears
  at the bottom of the right details pane and provides a
  description of each selected setting in a column between the
  console tree and the settings pane. The required operating
  system or software for each setting is also listed.
Underneath both Computer Configuration and User Configuration
is a Preferences node. Introduced in Windows Server 2008 and Windows
Vista, preferences provide more than 20 CSEs to help you manage an
incredible number of additional settings, including:
Preferences also helps you deploy the following:
- Files and folders
- Shortcuts
- Printers
- Scheduled tasks
- Network connections
Many enterprises also benefit from Preferences because the
options can be used to enable or disable hardware devices or classes
of devices. For example, you can use Preferences to prevent USB hard
drives, including personal media players, from being connected to
computers.
You must use the correct version of the GPME to configure
preferences. The correct version is part of the Remote Server
Administration Tools (RSAT) that can be installed on Windows Server
2008, Windows Vista, and later operating systems. You can download
RSAT from the Microsoft Download Center at http://www.microsoft.com/downloads.
To apply preferences, systems require the preferences CSEs,
which are included with Windows Server 2008, Windows Server 2008 R2,
and Windows 7. CSEs for Windows XP, Windows Server 2003, and Windows
Vista can be downloaded from the Microsoft Download Center.
The interface you use to configure many preferences looks
identical to the Windows user interface in which you would make the
change manually. Figure 4
shows a Folder Options (Windows Vista and later) preference
item—a collection of settings that are
processed by the preferences CSE. You can see the similarity to the
Folder Options application in Control Panel.