Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


April 2004

Taking Control of Group Policy

Reduce the number of policies in your domain
From the April 2004 Edition
of Windows IT Pro
Kathy Ivens
Windows Admin 101
InstantDoc #41985
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Domains Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Managing any Windows environment can be a challenging task. Features such as Group Policy, which lets administrators control a domain's clients (i.e., computers and users), are both welcome and useful. But many administrators apply security policies only after events occur that signal the need for a policy. Such events might involve a user who wreaks havoc on a computer's configuration or who changes a setting that results in domainwide problems.

When an administrator applies policies on an as-needed basis, the result is often a hodgepodge of many policies. Having too many policies can increase the logon time for client machines, ultimately annoying users. Too many policies can also result in conflicting policies that prevent some users from performing needed tasks and let other users, who should be restricted, perform tasks that affect the domain. The quick cure to these types of problems is to set yet another policy to correct the error, which of course makes everything worse.

You can, however, set policies in a way that maintains order. By planning ahead and taking steps to reduce the number of policies you need, you can avoid many of the pitfalls that administrators typically encounter when applying policies.

Use Fewer Policies More Effectively
When a Windows Server 2003, Windows XP, or Windows 2000 computer that's a member of a domain starts, the system processes and applies both domain and local computer-based policies. Then, when a user logs on to the domain from that computer, the system processes and applies both domain and local user-based policies. Because each policy takes time to apply, users can experience a significant delay between the time the computer starts and the time they can begin working. This delay is directly proportional to the number of physical policies (aka Group Policy Objects—GPOs) associated with the domain, site, or organizational unit (OU) that the system must process. You can minimize this delay by applying one or more of the following principles:

  • Apply policies to OUs.
  • Filter policies according to security group memberships.
  • Disable unused GPO sections.
  • Process policies asynchronously.

Apply policies to OUs. If you add computers to OUs, you can apply policy settings more effectively and at a more granular level than domainwide policies afford. For example, you can apply specific GPOs to all members of a particular OU and use those GPOs as a condition of membership for joining that OU. An added benefit of applying GPOs to OUs is that you minimize the need to process unnecessary GPOs. To create a GPO for an OU, perform the following steps:

  1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
  2. Right-click the appropriate OU, then choose Properties from the context menu.
  3. Select the Group Policy tab, then click New.
  4. Enter a descriptive name for the GPO in the New Group Policy Object dialog box.
  5. Click Edit, then select the Enabled radio button to enable the policy, as Figure 1 shows.

Filter policies according to security group memberships.
Although many policies aren't relevant to particular security groups, an administrator can still allow or deny GPOs according to security group memberships. Many professionals in the field consider this alternative to the "apply policies to groups" paradigm to be the backdoor approach that they wish Microsoft had built into Active Directory (AD). To filter policies according to security group memberships, perform the following steps:

  1. Select the appropriate GPO from the Active Directory Users and Computers snap-in, then click Properties.
  2. In the Properties dialog box, select the Security tab, as Figure 2, page 70, shows.
  3. Select a group, then select the Allow option for the Apply Group Policy permission to include that group in the policy or the Deny option to exclude the group. Repeat these steps for any other groups that you want to filter for this particular policy.

For example, if you create a policy to expand user rights, you might want to select the Allow option for the Apply Group Policy permission only for administrative security groups. If you create a policy to restrict user rights, select the Deny option for administrative security groups (to preserve administrators' rights) and select Allow for all other users.

Disable unused GPO sections. All GPOs have a Computer Configuration section and a User Configuration section. If the policy that you want to apply affects only the computer profile or only the user profile, but not both, you can configure the GPO so that the system doesn't spend time processing the unused section. To disable an unused GPO section, perform the following steps:

  1. Right-click the appropriate GPO, then click Properties.
  2. From the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box, as Figure 3 shows, then click Apply.
  3. Click Yes when Windows asks you to confirm your action.
   Previous  [1]  2  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
VMware and the Future of Virtualization

What's next for virtualization and business IT? Windows IT Pro senior editor Jeff James speaks with VMware President and CEO Diane Greene on the future of virtualization technology. ...

WinInfo Short Takes: Week of September 8, 2008

An often irreverent look at some of the week's other news, including the long-awaited back to school season, Microsoft's first Seinfeld/Gates ad, some EU insights, another Netbook improvement, Opera silliness, and much, much more ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...
Windows OSs Whitepapers Why SaaS is the Right Solution for Log Management

Are You Satisfied?

A Preliminary Look at Deployment Plans for Microsoft Windows Vista
Related Events Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

IT Connections
Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Get SQL Server 2008 at WinConnections
Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.



Interested in Email Encryption?
Read about the advantages of identity-based encryption in this free report.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing