Five tips for working with Windows Server 2003 Group Policy Objects

Group Policy Objects (GPOs) can be a bit tricky when you first start tinkering with them in Windows Server 2003. They are worth consideration because of all the power they bring right to your desktop. Here are a few tips to remember when working with GPOs:

1. Avoid the Deny setting (unless you have a justified reason to use it)

When you deny access to anything in Windows, the denied item takes precedence over other allowed permissions. For example, if an administrator specifically denied access to the Word documents folder on the network to my user ID and another administrator allowed me permission to a group having access to that same folder, I would not have access to the folder because of the deny permission. GPOs are no exception.

2. Remove GPO links rather than GPOs

When you remove a GPO, the directory deletes it outright. When a policy object is merely unlinked from its container, it is still stored in Active Directory but is effectively turned off, and it can be linked again later if you need its settings. This saves time compared with rebuilding the GPO from scratch.
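As an added example that is not from the article, the following PowerShell shows the unlink-versus-delete distinction using the GroupPolicy module, which ships with GPMC on Windows Server 2008 R2 and later RSAT rather than with Server 2003 itself; the GPO name and OU distinguished name are placeholders, and the `Get-UnlinkedGpo` function is a helper written for this example.

```powershell
# Added example, not from the original article. Requires the GroupPolicy
# module (GPMC on Windows Server 2008 R2+ / RSAT); names below are placeholders.
Import-Module GroupPolicy

$gpoName = 'Desktop Lockdown'               # placeholder GPO name
$ouPath  = 'OU=Sales,DC=example,DC=com'     # placeholder container DN

# Preferred: remove only the link. The GPO object and its SYSVOL folder stay
# in the directory, so the policy can be re-linked later with New-GPLink.
Remove-GPLink -Name $gpoName -Target $ouPath

# Alternative that keeps the link in place but stops it applying:
# Set-GPLink -Name $gpoName -Target $ouPath -LinkEnabled No

# Re-apply later by restoring the link:
# New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes

# Destructive: Remove-GPO deletes the object, its settings and its SYSVOL
# content. It can only be recovered from a GPMC backup (Backup-GPO / Restore-GPO).
# Remove-GPO -Name $gpoName

# Housekeeping helper (written for this example): list GPOs in the domain that
# currently have no links at all, so "turned off" policies stay visible
# instead of being forgotten. The XML report carries one <LinksTo> element
# per link; a GPO with none is unlinked.
function Get-UnlinkedGpo {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if (-not $report.GPO.LinksTo) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.Id
                Modified = $gpo.ModificationTime
            }
        }
    }
}

Get-UnlinkedGpo | Format-Table -AutoSize
```

The audit is scoped to the domain the module is connected to; a GPO that shows as unlinked here should be documented (who unlinked it and why) rather than quietly deleted, which is the point of the tip.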

3. Define user and computer settings separately and document them well

When configuring GPOs, you can create settings that apply to user objects in Active Directory and settings that apply to computer objects in Active Directory. For example, if you are creating a GPO to display a custom logon message, you can configure it for users or for computers. When configured for users, the users in the containers to which the GPO is linked will see the message wherever they log on. When configured for computers, any user who logs on to a computer that has the GPO applied will see the message. Either method is perfectly acceptable, but you should evaluate the need for the setting and configure the GPO accordingly. Documentation will always help you retrace your steps in the future.

4. Disable unnecessary nodes to improve logon times

When setting up a GPO that contains only user settings, you can improve the logon times of the affected users by disabling the computer node of that GPO. The same is true for the user node of a GPO that carries only computer settings. Logon is faster because the client skips a disabled node entirely instead of processing an empty set of settings for every object to which the GPO applies.
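As an added example (not the article's own steps), here is how the node disable looks in PowerShell with the GroupPolicy module (Windows Server 2008 R2 and later RSAT, not Server 2003), together with an audit helper written for this example that finds GPOs whose user or computer half has never been edited but is still enabled; the GPO name is a placeholder.

```powershell
# Added example, not from the original article. Requires the GroupPolicy
# module (GPMC on Windows Server 2008 R2+ / RSAT); the GPO name is a placeholder.
Import-Module GroupPolicy

# Turn off the computer half of a user-settings-only GPO. This is the same
# "GPO Status" shown on the GPO's Details tab in GPMC. Valid values:
# AllSettingsEnabled, UserSettingsDisabled, ComputerSettingsDisabled,
# AllSettingsDisabled.
$gpo = Get-GPO -Name 'User Desktop Settings'   # placeholder name
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Audit helper (written for this example): a node whose AD and SYSVOL version
# counters are both still 0 has never been edited. If that node is still
# enabled, every client processes an empty node at boot or logon.
function Get-GpoWithEmptyEnabledNode {
    foreach ($g in Get-GPO -All) {
        $userEmpty     = ($g.User.DSVersion -eq 0) -and ($g.User.SysvolVersion -eq 0)
        $computerEmpty = ($g.Computer.DSVersion -eq 0) -and ($g.Computer.SysvolVersion -eq 0)

        if ($userEmpty -and $g.User.Enabled) {
            [pscustomobject]@{ Name = $g.DisplayName; EmptyNode = 'User'; Status = $g.GpoStatus }
        }
        if ($computerEmpty -and $g.Computer.Enabled) {
            [pscustomobject]@{ Name = $g.DisplayName; EmptyNode = 'Computer'; Status = $g.GpoStatus }
        }
    }
}

Get-GpoWithEmptyEnabledNode | Format-Table -AutoSize
```

The version-counter check only catches nodes that were never touched; a node that was edited and later emptied keeps a nonzero counter, so review the GPO's settings report before disabling it.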

5. Configure GPOs according to organizational need

Evaluate the management style of your organization's IT department. If your organization's IT department has an organizational unit (OU)-based method of delegation, you can configure group policy to allow second-level administrators to oversee their respective OUs. If your organization has a task-based approach to IT -- where one administrator oversees applications and another oversees security -- you can configure the GPOs to support this style of administration across the entire network, allowing each role to manage its respective GPO.
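The following PowerShell is an added example, not part of the article, covering two of the tips above with the GroupPolicy module (Windows Server 2008 R2 and later RSAT, not Server 2003): for tip 1 it reports every Deny entry on every GPO so that exceptions are at least documented, and for tip 5 it delegates edit rights to an OU-level or task-level admin group. GPO names and group names are placeholders, and `Get-GpoDenyEntry` is a helper written for this example.

```powershell
# Added example, not from the original article. Requires the GroupPolicy
# module (GPMC on Windows Server 2008 R2+ / RSAT); GPO and group names are placeholders.
Import-Module GroupPolicy

# Tip 1: list every Deny entry on every GPO in the domain. A Deny ACE on a
# GPO (typically a denied "Apply group policy") overrides any Allow the
# trustee receives through other group memberships, so each one should be
# a deliberate, documented decision.
function Get-GpoDenyEntry {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Denied } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                    Inherited  = $_.Inherited
                }
            }
    }
}

Get-GpoDenyEntry | Format-Table -AutoSize

# Tip 5, OU-based delegation: let a second-level admin group edit the GPO
# for its OU. GpoEdit grants read/write on settings without delete or
# security-modify rights, so the group cannot remove the GPO or change its ACL.
Set-GPPermission -Name 'Sales Desktop' -TargetName 'Sales-GPO-Admins' `
    -TargetType Group -PermissionLevel GpoEdit

# Tip 5, task-based delegation: a security team edits every GPO whose name
# follows a naming convention, whichever OU each GPO is linked to.
Get-GPO -All | Where-Object { $_.DisplayName -like 'Security-*' } | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName 'Security-Admins' `
        -TargetType Group -PermissionLevel GpoEdit | Out-Null
}
```

Note that the right to link or unlink GPOs on the OU itself is an Active Directory permission on the OU (set through the GPMC Delegation tab on the OU or the Delegation of Control wizard), not something `Set-GPPermission` controls; that cmdlet only changes the ACL of the GPO object.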

These five items will point you in the right direction with group policy. In future Windows Server 2003 tips, I will walk you through how to configure and modify group policy using the settings mentioned above and discuss what effect these changes will have on your environment.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

7 comments
kalimlalwani

I make a Windows Server 2003 dna networking.

madanroyal

Hi, please suggest a security tool / security settings for my following requirement.

Using Windows 2003 Server (SP2), G: is a network drive shared for a student user, say 'Param'. I want the following security / rights for shared drive G::

1) Admin has full control. (Have done this.)
2) Param user must be able to modify files stored in 'G:' folders (file types .doc, .xls etc.).
4) Param will not have rights to move/delete/rename the file or folder from the client PC.
5) This security must be applicable to newly created files / folders automatically.

I have tried two different types of permissions, using special permissions.

1) I allowed the necessary rights to Param but did not deny rights like Delete Subfolders and Files, Delete. Result of the above rights on the client side:
a) Param can access and modify files.
b) Param can't delete files created on the server.
c) The above permissions only work fine for files / folders created on the server.
d) But Param is able to delete any folder or file created by Param on G: (shared drive) from the client side (I do not want this one).

2) I allowed the necessary rights to Param but also denied rights like Delete Subfolders and Files, Delete. It created 2 sets of permissions in special permissions. Now all required permissions are working fine, but it is creating .TMP files in the respective folder on G:. Please suggest how I can stop creation of these .tmp files.

My email: madanroyal@yahoo.com

dmanganiello

I wonder if it is possible to create a GPO on a SBS2003 server where the "my documents" redirection can be disabled for certain users? Thanks! -Dave

randall.cohen

It would be nice if MS provided a comments field in the GPO to store any documentation. Even better would be to provide a comments field for each GPO setting.

aaronjsmith21

First, you would have to make at least 2 Group Policies that handle the changing of My Documents: one that is enabled, with the paths to which the users' documents are to be changed, and the other which is disabled and set for the local computer. For example, call them "Remote Documents Policy" and "Local Documents Policy".

The next step would be to create separate OUs (organizational units; they look like folders in the Active Directory Users and Computers console) to place the users you want to have changed and the ones that don't. For example, under the Users OU, create an OU (folder) that's called LocalDocs and one that's called RemoteDocs. Under LocalDocs, place the users that need to have their documents stored on the computer, and then under RemoteDocs put the users that need their My Documents redirected to a file server or wherever you set them to.

Then, in the Group Policy Manager, link the appropriate GPOs to the OUs, remote with remote and local with local. You can even do some experimenting with this and have some users' documents stored in different locations just by creating more OUs under Remote, creating more GPOs and linking them to the OUs. Just make sure no GPO at a higher level has anything to do with My Documents redirection, or that the priority for the current GPOs in that OU is set to Enforced.

Well, I hope I answered your question. If you need more help, just drop me a line in here and I will try to get back to you as soon as possible!

dennis

Built-in generation of both detailed and summary reports of GPO settings, including scripts, would be a handy feature. The Group Policy Management Console (GPMC), an MMC upgrade to the GPEditor, is a big improvement, but it lacks some reporting capabilities.

dmanganiello

OK, I get your reasoning here. Thanks for the process. -Dave