PLANNING AND DESIGNING GROUP POLICY, PART 1




84-02-06 DATA SECURITY MANAGEMENT

Melissa Yon

INSIDE
What Is Group Policy?; Software Settings; Windows Settings; Administrative Templates; Requirements for Group Policy; Group Policy Infrastructure; Accessing Group Policy; Group Policy Hierarchy; Delegating Group Policy; Group Policy Processing

INTRODUCTION

When Microsoft created Windows 2000, three of the goals were to:

1. lower the total cost of ownership
2. reduce the support administrators must provide
3. improve security features of the operating system

Windows 2000 meets all of these goals if Group Policy (GP) is designed and implemented correctly. This two-part series explains GP, how to implement it, and best practices. The present article explains:

- what GP is
- requirements of GP
- features of GP
- creating a GP
- applying a GP
- delegating control of a GP
- GP processing

The second article (84-02-07) discusses:

- migration of NT 4.0 System Policies to Group Policy
- using System Policies for downlevel clients
- Group Policy best practices

PAYOFF IDEA

For years, administrators have wanted the ability to lock down users' desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy can accomplish. Group Policy allows administrators to create a directory-based policy that can be enforced on all, some, or none of the client machines, users, and domain controllers. This article explains Group Policy, its requirements and features, creating a Group Policy, applying a Group Policy, delegating control of a Group Policy, and Group Policy processing. Part II (84-02-06), in the next issue of Data Security Management, discusses migration of NT 4.0 System Policies to Group Policy, using System Policies for down-level clients, and Group Policy best practices.

Auerbach Publications 2001 CRC Press LLC

WHAT IS GROUP POLICY?

For years, administrators have wanted the ability to lock down users' desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy (GP) can accomplish. GP allows administrators to create a directory-based policy that can be enforced on all, some, or none of the client machines, users, and domain controllers. In NT 4.0, system policies were used to implement some of these settings. System policies, however, were not directory based and did not have the granularity of Windows 2000 Group Policy.

Windows 2000 Group Policy configures computer and user settings to the administrator's preference. Group Policy contains major categories, which are subdivided into additional categories. The following sections discuss some of these major categories.

SOFTWARE SETTINGS

This category allows the administrator to specify software for a user or computer. The software can be assigned or published. When applications are assigned, the shortcut of the application appears on the Start menu and registry entries are added to the registry. When assigned to the computer, the application is installed during machine start-up. When assigned to the user, the shortcut is displayed on the Start menu; once the user selects the application, it is installed. If the administrator chooses to publish the software, the application is not advertised or shown on the Start menu. The software is available to the user; however, the user will need to go to Add/Remove Programs in the Control Panel to install the application. The Software Settings category in Group Policy can also be used to upgrade existing applications and to remove outdated ones.

WINDOWS SETTINGS

The Windows Settings category contains several different sub-categories. The computer and user categories differ slightly. The computer sub-categories are Scripts and Security. The user sub-categories are Internet Explorer Maintenance, Scripts, and Security.

Scripts

If configured under the computer settings, scripts automate certain tasks at start-up and shutdown. If configured under user settings, scripts execute at logon and logoff. Scripts can be written in Perl, Visual Basic, or VBScript, or as MS-DOS batch files.

Security Settings

The Security Settings can be defined for the computer or user. Security Settings configure different settings such as:

- Account Policies: Password and Account Lockout Policies
- Local Policies: configure Audit and User Rights Policies; configure detailed Security Options
- PKI Policies: Recovery Agents for certificates; Trusted Root Certificates; Certificate Requests
- IPSec Policies
- Event Log
- Restricted Groups
- System Services, Registry, File Systems

ADMINISTRATIVE TEMPLATES

The Administrative Templates category gives the administrator the means to lock down the user's desktop.

Windows Components

Under Windows Components, the administrator can:

- disable NetMeeting
- set Internet Explorer options and preferences under Internet Explorer
- set Windows Explorer options, such as Remove Map Network Drive, No Computers Near Me in My Network Places, Hide Hardware Tab, and others
- set the Microsoft Management Console (MMC) to prevent users from entering Author Mode
- with Task Scheduler: hide the Task Scheduler Property Pages, disable New Task Creation, disable Task Deletion
- configure the Windows Installer settings under Windows Components

Network Options

Under the Network Options category, an administrator can:

- configure Offline Folders for the users, so they will have access to the files saved to their network share
- prevent the use of Offline Folders
- configure the Network and Dial-up options
- give or deny access to users

It is so granular that some options may be available to users while others are not. The Network Options settings can be specified under the computer or user configuration.

System Settings

The Administrative Templates include System Settings under the computer and user configurations. Some of the configurable settings are found under Logon/Logoff. An administrator can:

- disable Lock Computer
- disable Change Password
- disable Logoff (along with several other settings)
- set Group Policy options such as Group Policy Refresh, Group Policy Slow Link, and Group Policy Domain Controller Selection
- configure Logon settings, such as how the logon script will run
- enable Disk Quotas
- configure a DNS suffix for a client

User Configuration: Start Menu and Taskbar Options

The Administrative Templates also include a Start Menu and Taskbar Options section under the user configuration. Some of those options are:

- remove Common Groups from Start menu
- remove Search menu from Start menu
- remove Help from Start menu
- remove Run from Start menu
- add Logoff to Start menu
- disable Logoff on Start menu

User Configuration: Desktop

Another user configuration category is the Desktop category, which allows an administrator to hide all icons from the desktop. The administrator can also configure the Active Desktop and Active Directory (AD) settings.

User Configuration: Control Panel

The Control Panel category found under User Configuration allows an administrator to hide the Control Panel. Other useful options include limiting access to Add/Remove Programs, the Display icon, the Printers icon, and Regional Options.

This is a brief overview of some of the settings found in Group Policy. Each category has many configurable settings. As an administrator, it is important to be aware of the Group Policy features and how to implement them.

REQUIREMENTS FOR GROUP POLICY

Group Policy is stored in Active Directory; therefore, certain requirements must be met before Group Policy can be implemented. Because it requires Active Directory, a Domain Controller must be installed. One must have read and access permissions to the system folder (the SYSVOL folder), and one must also have modify rights to the directory container where the Group Policy will be implemented.

If one does not have a Domain Controller installed, one can implement a Local Policy on a specific machine. However, this is not a good idea if one has many machines, because each machine will have to be configured separately, and one is limited in the settings one can configure. Because the total cost of ownership of implementing Local Policy is much greater than that of implementing Group Policy, Local Policy is not recommended.

GROUP POLICY INFRASTRUCTURE

Group Policy is stored in Active Directory (AD) as a Group Policy Object (GPO). Because one Group Policy may not meet all of one's needs, there might be multiple Group Policy Objects. The GPO is actually stored on the Domain Controllers in the domain in which the GPO was created. The GPO is then linked to a portion of AD. Once it is linked to a portion of AD, the users or computers in that portion of AD will process that Group Policy. It is not necessary to create multiple Group Policies for the same settings: the same Group Policy can be linked to different areas in AD. Also, the Group Policy will only be processed for the portion of AD to which it is linked.

ACCESSING GROUP POLICY

Exhibit 1 shows the actual MMC (Microsoft Management Console) screen where the Default Group Policy is loaded. One can access the MMC and the Default Group Policy snap-in by taking the following steps:

1. Click Start > Run.
2. Type mmc.
3. Press Enter.
4. Click Console > Add/Remove Snap-In.
5. Click Add.
6. Click Group Policy.
7. Click Browse.

EXHIBIT 1 Accessing the Default Group Policy

8. Click Default Domain Policy.
9. Click OK.
10. Click Finish.
11. Click Close.
12. Expand Group Policy.

Linking Group Policy

Group Policy differs from NT 4.0 System Policies in that one does not link a Group Policy to a Security Group. Group Policies can only be linked to sites, domains, and organizational units (OUs). The Group Policy can be applied to many users and computers or to few users and computers. A GPO linked to a site will apply to all users and computers in that site. A GPO linked to a domain will apply to all users and computers in that domain. Likewise, a GPO linked to an OU will apply to all users and computers in the OU.

To link a GPO to a site, one must start the MMC and open the AD Sites and Services Snap-In. The steps are as follows:

1. Click Start > Run.
2. Type mmc.
3. Press Enter.
4. Click Console > Add/Remove Snap-In.
5. Click Add.
6. Click AD Sites and Services.
7. Click OK.
8. Click Finish.
9. Click Close.
10. Expand the AD Sites and Services Snap-In.
11. Right-click the site to which the GPO is being linked.
12. Click Properties.
13. Click the Group Policy tab.
14. Click Add.
15. Click the GPO.
16. Click OK.

Exhibit 2 displays the Group Policy Properties screen. Notice that one can also select New to create a new GPO, Add to link a GPO, Edit to edit the selected GPO, or Delete to break the link of the GPO to the site, domain, or OU.

If it is necessary to link a GPO to the domain or OU, one must add another snap-in. The steps are as follows:

1. Click Start > Run.
2. Type mmc.
3. Press Enter.
4. Click Console > Add/Remove Snap-In.
5. Click Add.
6. Click AD Users and Computers.
7. Click OK.
8. Click Finish.
9. Click Close.
10. Expand the AD Users and Computers Snap-In.
11. Right-click the domain or OU to which the GPO is being linked.
12. Click Properties.
13. Click the Group Policy tab.
14. Click Add.

EXHIBIT 2 Group Policy Properties Screen

15. Click the GPO.
16. Click OK.

One notices that the Group Policy Properties screen is exactly the same as the site Group Policy Properties screen.

GROUP POLICY HIERARCHY

Group Policy is inherited and cumulative. This means that if User Group Policies are implemented and there are Policies linked to the site, domain, and OUs, all Group Policies apply. If two Group Policies have the same setting configured, then the setting in the last Group Policy that is processed overwrites the setting in the previous Group Policy. The Group Policy hierarchy is processed in the following order:

1. The Local Policy is applied.
2. The GPOs linked to the site are applied.
3. The GPOs linked to the domain (of which the user or computer is a member) are applied.
4. The GPOs linked to the OU are applied.
5. Finally, the GPOs linked to the child OUs are applied.

In addition, if there is more than one GPO linked at the site, domain, or OU level, the GPO at the top of the list has the highest priority. To look at it another way, the linked GPOs are processed from the bottom up in the Group Policy Properties screen.

No Override and Block Inheritance

Microsoft has provided a way for the administrator to override the way Group Policy is enforced. An administrator can use the No Override or the Block Inheritance feature. When the No Override option is enabled on a particular GPO, the settings of that GPO cannot be overwritten by a Group Policy setting processed later. For example, if the GPO linked to the domain is set to No Override, then the GPO linked to the OU cannot overwrite any settings set at the domain level.

The Block Inheritance feature allows the administrator to block settings applied at higher levels. If Block Inheritance is checked at the OU level, no GPO settings linked at the site or domain level will apply, provided No Override has not been selected at the site or domain level. One cannot use Block Inheritance to block a No Override GPO.

No Override is selected by clicking Options in the Group Policy Properties screen and selecting No Override. Block Inheritance is selected by clicking the Block Inheritance checkbox on the Group Policy Properties screen. Exhibits 3 and 4 show how Group Policy is applied.

EXHIBIT 3 Cumulative Group Policy with No Overrides at the Domain Level

Containers: na.train.com (Domain GP); Southeast OU (OU GP); Sales OU (OU GP).

NA Domain Policy:
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy:
1. Hide all icons on the Desktop
2. Disable Control Panel

Sales OU Group Policy:
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Enable Run on the Start Menu
2. Add Logoff to the Start Menu
3. Hide all icons on the Desktop
4. Disable Control Panel
5. Disable Command Prompt

Filtering the Group Policy Object

GPOs linked to sites, domains, and OUs are applied to all users and computers in the site, domain, or OU. This is a cause for concern because one might want to exclude some users and computers from the GPO. This can be done using Security Groups to filter the GPO.

In the GPO Properties screen, click Properties and click on the Security tab. (To get to the GPO Properties screen, right-click the site, domain, or OU, click Properties, and click on the Group Policy tab; see Exhibit 5.) Notice that Authenticated Users have Read and Apply Group Policy control. In other words, all authenticated users in the domain or OU, even administrators, will process and apply this Group Policy. To filter who or what receives this GPO, one must remove the Allow permission for Apply Group Policy from Authenticated Users. It is also a good idea to remove the Read access. If Apply Group Policy is removed but the Read access is still there, then all authenticated users will still process the Group Policy; however, they will not apply it. To increase performance, uncheck the Allow box for both Read and Apply Group Policy for Authenticated Users.

Once access for Authenticated Users has been removed, one can then add Security Groups, Users, or Computers and grant them Read and Apply Group Policy access. One must give Read access as well if one wants the Group Policy to apply. If one does not give Read and Apply Group Policy access to anyone, then the GPO will not be processed or applied. The following steps add a user, computer, or security group:

1. Click Add from the Security screen.
2. Click the user, computer, or security group.
3. Click OK.
4. Select the user, computer, or security group.
5. Click to check the Allow box for Read.
6. Click to check the Allow box for Apply Group Policy.
7. Click Apply.
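The processing order, No Override, Block Inheritance and Security Group filtering described in the hierarchy and filtering sections above, as an added Python simulator (example code, not part of the article or of any Microsoft tool). The GPO, setting and group names are constructed; the first case reproduces Exhibit 3, and the other two are constructed variants that add No Override, Block Inheritance and a filtered GPO.

```python
"""Simulator of how Group Policy settings accumulate (illustrative, not a Microsoft tool).
Order: Local Policy, then site, domain, OU and child OU links; at one level the GPO at
the top of the list wins. GPO, setting and group names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                      # setting name -> configured value
    no_override: bool = False           # "No Override" option on the link
    # Principals holding both Read and Apply Group Policy on the GPO's Security tab.
    # The default, Authenticated Users, includes administrators.
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Container:
    """A site, domain or OU; gpos is ordered top to bottom as on the Group Policy tab."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False     # "Block Policy inheritance" checkbox


def resolve(local_policy, chain, groups):
    """Return (resultant settings, GPO names in the order they were written).
    local_policy: the machine's Local Policy settings, processed first (it is not linked
                  in AD, so Block Inheritance does not remove it).
    chain:        containers from the site down to the user's or computer's own OU.
    groups:       security groups the user or computer belongs to."""
    groups = set(groups) | {"Authenticated Users"}
    # Block Inheritance discards every non-enforced GPO linked above the blocking
    # container; the lowest blocking container decides how far up the block reaches.
    blocks = [i for i, c in enumerate(chain) if c.block_inheritance]
    block_below = max(blocks) if blocks else -1
    applied, enforced_per_level = [], []
    for i, c in enumerate(chain):
        level_enforced = []
        for gpo in reversed(c.gpos):         # bottom of the list first, so the top wins
            if not (gpo.apply_to & groups):
                continue                     # filtered out: no Read + Apply Group Policy
            if gpo.no_override:
                level_enforced.append(gpo)   # can be neither blocked nor overwritten
            elif i >= block_below:
                applied.append(gpo)          # normal inheritance
            # else: dropped by Block Inheritance further down the chain
        enforced_per_level.append(level_enforced)
    # No Override GPOs are written last so nothing processed after them wins; a higher
    # level's No Override beats a lower level's, so the site's are written very last.
    for level in reversed(enforced_per_level):
        applied.extend(level)
    result = dict(local_policy)
    for gpo in applied:
        result.update(gpo.settings)
    return result, [g.name for g in applied]


# Exhibit 3: NA domain -> Southeast OU -> Sales OU, no No Override or Block Inheritance.
NA_DOMAIN = GPO("NA Domain Policy",
                {"Run on Start Menu": "removed", "Logoff on Start Menu": "added"})
SOUTHEAST = GPO("Southeast OU Policy",
                {"Desktop icons": "hidden", "Control Panel": "disabled"})
SALES = GPO("Sales OU Group Policy",
            {"Command Prompt": "disabled", "Run on Start Menu": "enabled"})


def exhibit3():
    chain = [Container("Americas site"), Container("na.train.com", [NA_DOMAIN]),
             Container("Southeast OU", [SOUTHEAST]), Container("Sales OU", [SALES])]
    return resolve({}, chain, {"Sales Staff"})


def exhibit3_with_overrides():
    """Constructed variant: domain GPO set to No Override, Southeast OU set to Block
    Inheritance, plus a site GPO that the block must discard."""
    site = GPO("Americas Site Policy", {"Search on Start Menu": "removed"})
    domain = GPO(NA_DOMAIN.name, NA_DOMAIN.settings, no_override=True)
    chain = [Container("Americas site", [site]), Container("na.train.com", [domain]),
             Container("Southeast OU", [SOUTHEAST], block_inheritance=True),
             Container("Sales OU", [SALES])]
    return resolve({}, chain, {"Sales Staff"})


def exhibit3_filtered():
    """Constructed variant: the Sales GPO grants Read + Apply Group Policy only to the
    Sales Staff group, so a Help Desk user in the same OU never applies it."""
    sales = GPO(SALES.name, SALES.settings, apply_to=frozenset({"Sales Staff"}))
    chain = [Container("na.train.com", [NA_DOMAIN]), Container("Southeast OU", [SOUTHEAST]),
             Container("Sales OU", [sales])]
    return resolve({}, chain, {"Help Desk"})
```

Each function returns the resultant settings and the order in which the GPOs were written, which is the order one would trace by hand on the Group Policy Properties screens.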

EXHIBIT 4 Cumulative Group Policy with Block Inheritance at the OU Level

Containers: Americas Site (Site GPO); sa.train.com and na.train.com domains (Domain GP); Southeast OU and Sales OU (OU GP).

Americas Site Policy:
1. Remove Search from the Start Menu
2. Remove "Map Network Drive" and "Disconnect Network Drive"

SA Domain Policy:
1. Enable Control Panel and set No Override
2. Disable Logoff to Start Menu and set to No Override

NA Domain Policy:
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy:
1. Hide all icons on the Desktop
2. Disable Control Panel
3. Enable "Map Network Drive" and "Disconnect Network Drive" and set Block Inheritance

Sales OU Group Policy:
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Remove Search from the Start Menu
2. Add "Map Network Drive" and "Disconnect Network Drive"
3. Enable Run on the Start Menu
4. Add Logoff to the Start Menu
5. Hide all icons on the Desktop
6. Disable Control Panel
7. Disable Command Prompt

The SA Domain Policy does not apply here since the user is in the NA domain.

DELEGATING GROUP POLICY

Many companies have a dispersed administration team. That is, they have one administrator for desktop security, one administrator for accounts, one administrator for network security, or the administration may be given to the respective departments for their OU. If this is the case, one can design AD so that an administrator can only link GPOs to certain sites, domains, or OUs, can only edit already-created GPOs, or can create GPOs but not edit GPOs already created by other administrators. This is called Delegating Group Policy. One can delegate the following:

- manage Group Policies for a site, domain, or OU
- edit Group Policy objects
- create Group Policy objects
- use Group Policy to control MMC consoles

EXHIBIT 5 The GPO Properties Screen

Administrators, by default, have all of these rights.

Allowing a Non-Administrator to Manage an OU

The following steps allow a user or group of users to link existing GPOs to the OU. In the MMC, using AD Users and Computers:

1. Right-click the OU.
2. Click Delegate Control.
3. Click Next.
4. Click Add.
5. Select the user(s) or groups.

6. Click Add.
7. Click OK.
8. Click Next.
9. Click Manage Group Policy Links.
10. Click Next.
11. Click Finish.

Editing Group Policy Objects

In the MMC, using the Group Policy Snap-In:

1. Choose the Group Policy that the user is allowed to edit.
2. Right-click the root of the Group Policy.
3. Click Properties.
4. Click the Security tab.
5. Click Add.
6. Select the user or group of users.
7. Click Add.
8. Click OK.
9. If the users should not have the GPO applied to them, make sure that Apply Group Policy is NOT allowed.
10. Check Read and Write.
11. Click OK.

Creating Group Policy Objects

The following steps allow a user to create a new GPO. In the MMC, using AD Users and Computers:

1. Double-click the user.
2. Click the Member Of tab.
3. Click Add.
4. Select Group Policy Creator Owners.
5. Click Add.
6. Click OK twice.

Controlling MMC Consoles

Controlling MMC consoles is implemented in several ways. The GPO itself is used to set and limit many of these rights. For example, many of these settings are found under User Configuration, Administrative Templates, Windows Components, Microsoft Management Console.

GROUP POLICY PROCESSING

As previously stated, Group Policy objects are processed in a hierarchical manner. The Local Policy is processed first, and the OU of which the computer and user are members processes its Group Policy last. Therefore, the order is as follows:

1. Local Policy
2. Site Policy
3. Domain Policy
4. OU Policy

Of course, if there are nested OUs, each OU applies its policy. If there are multiple Group Policies in any container (see Exhibit 6), the policies are applied from the bottom to the top of the list. The only time this order changes is if filtering is applied so that the policy is not applied for that user, if No Override has been enabled, or if Block Inheritance has been marked.

EXHIBIT 6 Cumulative Group Policy with Multiple GPOs

Containers: na.train.com (Domain GP); Southeast OU (OU GP); Sales OU (OU GP).

NA Domain Policy (NA GPO):
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy, Southeast GPO1 (appears at top of GPO list):
1. Hide all icons on the Desktop - Block Inheritance
2. Disable Control Panel

Sales OU Group Policy:
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Enable Run on the Start Menu
2. Add Logoff to the Start Menu
3. Enable Control Panel
4. Remove Favorites from the Start Menu
5. Hide all Icons on the Desktop
6. Disable Command Prompt

The Computer Configuration Policies are processed at computer startup. Once the computer starts up, it applies all the Computer Configuration Group Policies. The User Configuration Policies are applied once the user presses CTRL+ALT+DEL. By default, the desktop will not load until all User Policies are processed. The more policies one processes, the longer it takes for the desktop to appear.

Once the user is logged on, Group Policy, by default, refreshes every 90 minutes on client machines and every five minutes on domain controllers. These settings can be configured in Group Policy. The policy can also be forced from the command line on the client machine. One cannot, however, force a refresh on the client from the server. The command-line command for the client is:

    secedit /refreshpolicy {machine_policy | user_policy} [/enforce]

Some of the Group Policy settings are not refreshed. These include Software settings and Folder Redirection settings.

Another consideration for Group Policy processing is slow links. Group Policy detects a slow link by pinging the server and measuring the response time. If Group Policy determines that it is a slow link, the configuration set in Group Policy determines whether the policy is loaded.

By now one should be more familiar with Group Policies and how to create one. One should be able to create a Group Policy and link it to a site, domain, or OU. One should also be able to delegate control of an OU to a user or users. This is a very good starting point for implementing Group Policy. However, some issues still exist. For example, will one's NT 4.0 System Policies migrate to Windows 2000? How can one create System Policies for down-level clients? Finally, one may know how to create a Group Policy, but what are the best practices for creating Group Policy? All these issues are discussed in the next Group Policy article (84-02-07).

Melissa Yon, MCSE, MCT, MCP+I, CTT, is currently a technical trainer for Lucent Technologies Worldwide Services. She has nine years of experience in designing and implementing desktop, server, and enterprise solutions and conducting training. In the last two years, she has designed training materials and delivered training and solutions for Lucent Technologies.