Tuesday, November 30, 2010

Best Practice in Group Policy Management

When using Group Policy Objects (GPO), what is the best practice? At many customers I find a large number of policies, and most of the time nobody knows what to do with them. The reason is that new settings keep being needed, and every time a new policy is created for them. When this process goes on for years, nobody remembers why all these policies exist anymore. So what is the best practice? I will explain that, and also talk about other products for managing policies!

Group policies have existed for a long time now. First there were local policies, then group policies became available. It became even better when the Group Policy Management Console (GPMC) arrived: from then on there was real management of all the policies. Today there is also an extension available. With Group Policy Preferences (GPP) there are new Windows and Control Panel settings to manage as well, so a login script is no longer necessary. And the good news is, it's free to use!

Best Practices of Group policies are:

- Don't create a new policy for every new setting you want to use (only for testing purposes)
- Minimize the number of policies, for faster logons (fewer files to process) and easier management
- Create a user policy and disable the computer part of it (screenshot)
- Create a computer policy and disable the user part of it (screenshot)
- For policies with an extra ADM file (imported into Administrative Templates), create a separate policy for easier management (screenshot)
- When applying user settings to computer objects, use loopback processing mode with the Merge or Replace option (screenshot)

How to disable the user or computer part of a policy (2 ways):
  1. Right-click the name of the GPO and click Properties. Tick Disable Computer Configuration settings or Disable User Configuration settings.
  2. Right-click the name of the GPO and click GPO Status. Choose Computer Configuration Settings Disabled or User Configuration Settings Disabled.

Import an ADM file into Administrative Templates:
  1. Right-click Administrative Templates in the GPO and choose Add/Remove Templates.
  2. Click Add and browse to the ADM file to import (the file is then copied to the Sysvol folder).

Usage of User Group Policy loopback processing mode:

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:
  • "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
  • "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
If you disable this setting or do not configure it, the user's Group Policy objects determine which user settings apply.
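As an added example (not part of the original post), the following PowerShell script turns the best-practice list, the "disable one half of the GPO" procedure and the loopback setting above into a domain-wide audit. It assumes the GroupPolicy module (Windows Server 2008 R2, or Windows 7 with RSAT), and that the registry value behind "User Group Policy loopback processing mode" is UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace).

```powershell
# Added example, not from the original post: audit every GPO in the domain against the
# best practices above. Flags a GPO half that is enabled but has never been edited and
# shows which GPOs configure loopback processing. Needs the GroupPolicy module and read rights on the GPOs.
Import-Module GroupPolicy

# Assumed registry value behind "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackName = 'UserPolicyMode'

function Get-GpoLoopbackMode ([Microsoft.GroupPolicy.Gpo] $Gpo) {
    try {
        $v = Get-GPRegistryValue -Guid $Gpo.Id -Key $LoopbackKey -ValueName $LoopbackName -ErrorAction Stop
        switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
    } catch { 'Not configured' }   # Get-GPRegistryValue throws when the value is not set
}

function Get-GpoHygieneReport {
    foreach ($gpo in Get-GPO -All) {
        # DSVersion 0 means that half of the GPO has never been edited. While it stays enabled,
        # clients still process it on every boot/logon, so disable it (GPO Status in GPMC).
        $userUnused     = $gpo.User.Enabled     -and ($gpo.User.DSVersion     -eq 0)
        $computerUnused = $gpo.Computer.Enabled -and ($gpo.Computer.DSVersion -eq 0)
        $loopback       = Get-GpoLoopbackMode $gpo

        if     ($userUnused -and $computerUnused) { $advice = 'Empty GPO: Backup-GPO, then delete' }
        elseif ($userUnused)                      { $advice = 'Disable User Configuration' }
        elseif ($computerUnused)                  { $advice = 'Disable Computer Configuration' }
        elseif ($loopback -ne 'Not configured' -and -not $gpo.User.Enabled) {
            # Loopback itself is a computer setting; the user settings it applies must come
            # from a GPO whose User Configuration is enabled and that is linked to the computers.
            $advice = 'Loopback set, but User Configuration is disabled in this GPO'
        }
        else                                      { $advice = 'OK' }

        New-Object PSObject -Property @{
            Name     = $gpo.DisplayName
            Status   = $gpo.GpoStatus
            Loopback = $loopback
            Advice   = $advice
        }
    }
}

# Applies the "disable the unused half" recommendation for one GPO; GpoStatus is writable.
function Disable-GpoUserSection ([string] $Name) {
    (Get-GPO -Name $Name).GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
}

Get-GpoHygieneReport | Sort-Object Advice | Format-Table Name, Status, Loopback, Advice -AutoSize
```

The version check is a heuristic: a section edited once and then emptied again keeps a non-zero version, so review the report before disabling anything.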


Download Group Policy Management Console (GPMC):

The Group Policy Management Console is the easiest way to manage Group Policies. Depending on the operating system, there are different ways to get it:

  1. For Windows Server 2003 (and Windows XP) you must download and install it from the following URL: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
  2. For Windows Server 2008 you need to add it manually using Server Manager: Add Features. After that, GPMC is installed and you can find it as usual in Administrative Tools.
  3. For Windows 7 you must download the Remote Server Administration Tools (RSAT) from the following URL and install them: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en
    After that, GPMC is installed and you can find it as usual in Administrative Tools.

Managing Group Policy Preferences (GPP) settings:

With this extension to Group Policy Objects (GPO), a logon script is much less often needed. Default settings like drive mappings, printers, Start Menu items and shortcuts can now be assigned with Preferences, which makes the environment as a whole easier to manage. Configuring Group Policy Preferences works as follows. When you open the Group Policy Management Console on a Windows 2008 server, not only the policies but also the preferences are shown.


Here you can configure all the new Windows and Control Panel settings that are available. With the Targeting Editor you can even control under which conditions the new Preferences become active. Many types of targeting are possible, for example: Computer Name, IP Address Range, Organizational Unit, Security Group or WMI Query.

The best practice here is to create new GPO's and put the Preferences settings in them. All you need is a Windows Server 2008 (R2), Windows 7 or Vista machine to manage the preferences. You don't need a Windows 2008 domain functional level for Preferences!

For more information about Preferences, download the following white paper: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790

Managing GPO's with Advanced Group Policy Management:

Microsoft Advanced Group Policy Management (AGPM) is a component of the Microsoft Desktop Optimization Pack (MDOP). AGPM increases the capabilities of the Group Policy Management Console (GPMC), providing:

- Standard roles for delegating permissions to manage GPO's to multiple Group Policy administrators.
- An archive to enable Group Policy administrators to create and modify GPO's offline before deploying them to a production environment.
- The ability to roll back to any previous version of a GPO.
- Check-in/check-out capability for GPO's to ensure that Group Policy administrators do not overwrite each other's work.

Some features include:
  • Offline editing of GPO's
  • Difference reporting and audit logging
  • Recovery of a deleted GPO (Recycle Bin) <- Nice feature!
  • Repair of live GPO's
  • Creation of GPO template libraries
  • Subscription to policy change e-mail notifications
  • Version tracking, history capture, and quick rollback of deployed changes
  • Role-based administration (Editor, Reviewer, Approver)
  • Change request approval

I hope you now have enough information about Group Policy Management! Check my blog regularly for more information about GPO's.

And remember: always create a backup before deleting GPO's! When you restore them, the settings and permissions are restored as well.

2 comments:

  1. Will loopback processing function properly if the User Configuration section of the GPO has been disabled?

    Replies
    1. I guess not, but this should be tested to know for sure!
