Five tips for working with Windows Server 2003 Group Policy Objects

Group Policy Objects (GPOs) can be a bit tricky when you first start tinkering with them in Windows Server 2003. They are worth consideration because of all the power they bring right to your desktop. Here are a few tips to remember when working with GPOs.

1. Avoid the Deny setting (unless you have a justified reason to use it)

In Windows, a Deny permission takes precedence over any Allow permissions that would otherwise apply. For example, if one administrator specifically denied my user ID access to the Word documents folder on the network, and another administrator added me to a group that has access to that same folder, I would still not have access to the folder because of the Deny permission. GPOs are no exception.

2. Remove GPO links rather than GPOs

When you remove a GPO, the directory deletes it. When a policy object is merely unlinked from its container object, the policy is still stored in Active Directory, but it is essentially turned off. Unlinking will save time if you need to apply the settings within that GPO later.

3. Define user and computer settings separately and document them well

When configuring GPOs, you can create settings that apply to user objects in Active Directory and settings that apply to computer objects in Active Directory. For example, if you are creating a GPO to display a custom logon message, you can configure it for users or computers. When configured for users, the users who belong to the container objects where the GPO links will see the message wherever they log on. When configured for a computer object, any user who logs on to a computer that has the GPO applied will see the message. It is perfectly all right to use either method, but you should evaluate the need for the setting and configure the GPO accordingly. Documentation will always help you retrace your steps in the future.

4. Disable unnecessary nodes to improve logon times

When setting up a GPO that contains user settings, you can improve the logon times of the affected users by disabling the computer node. The same is true for the user node when working with GPOs for computer settings. Logon improves because the disabled node is skipped when the GPO is processed for the objects where it is applied.
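One way to find candidates for this tip is a read-only audit like the one below. It is an added example, not part of the original article, and it assumes the GroupPolicy PowerShell module from GPMC/RSAT, which is newer than the Windows Server 2003 tooling the article describes. The function name Get-UnusedNodeRecommendation is hypothetical.

```powershell
# Added example: list GPOs whose never-edited node is still enabled.
# Assumption: the GroupPolicy module (GPMC / RSAT) is installed and the
# account running this can read every GPO in the current domain.
Import-Module GroupPolicy

function Get-UnusedNodeRecommendation {
    param(
        [int]$UserVersion,      # Active Directory version counter, user node
        [int]$ComputerVersion,  # Active Directory version counter, computer node
        [string]$Status         # current GpoStatus value as text
    )
    # A version counter of 0 means the node has never been edited.
    # A node that was edited and later emptied keeps a non-zero counter,
    # so this check only finds nodes that were never used at all.
    if ($UserVersion -gt 0 -and $ComputerVersion -eq 0 -and
        @('ComputerSettingsDisabled', 'AllSettingsDisabled') -notcontains $Status) {
        return 'ComputerSettingsDisabled'
    }
    if ($ComputerVersion -gt 0 -and $UserVersion -eq 0 -and
        @('UserSettingsDisabled', 'AllSettingsDisabled') -notcontains $Status) {
        return 'UserSettingsDisabled'
    }
    return $null   # both nodes used, both empty, or already disabled
}

Get-GPO -All | ForEach-Object {
    $recommended = Get-UnusedNodeRecommendation `
        -UserVersion $_.User.DSVersion `
        -ComputerVersion $_.Computer.DSVersion `
        -Status $_.GpoStatus.ToString()
    if ($recommended) {
        [pscustomobject]@{
            Name        = $_.DisplayName
            UserVer     = $_.User.DSVersion
            ComputerVer = $_.Computer.DSVersion
            Current     = $_.GpoStatus
            Recommended = $recommended
        }
    }
} | Sort-Object Name | Format-Table -AutoSize

# To apply a recommendation after review, set the status on one GPO:
#   (Get-GPO -Name '<GPO name>').GpoStatus = 'ComputerSettingsDisabled'
```

The script changes nothing on its own; record each status change you make afterwards, in line with the documentation advice in tip 3.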

5. Configure GPOs according to organizational need

Evaluate the management style of your organization's IT department. If your organization's IT department has an organizational unit (OU)-based method of delegation, you can configure group policy to allow second-level administrators to oversee their respective OUs. If your organization has a task-based approach to IT — where one administrator oversees applications and another oversees security — you can configure the GPOs to support this style of administration across the entire network, allowing each role to manage its respective GPO.

These five items will point you in the right direction with group policy. In future Windows Server 2003 tips, I will walk you through how to configure and modify group policy using the settings mentioned above and discuss what effect these changes will have on your environment.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.