Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
April 2004

Taking Control of Group Policy

Reduce the number of policies in your domain

Managing any Windows environment can be a challenging task. Features such as Group Policy, which lets administrators control a domain's clients (i.e., computers and users), are both welcome and useful. But many administrators apply security policies only after events occur that signal the need for a policy. Such events might involve a user who wreaks havoc on a computer's configuration or who changes a setting that results in domainwide problems.

When an administrator applies policies on an as-needed basis, the result is often a hodgepodge of many policies. Having too many policies can increase the logon time for client machines, ultimately annoying users. Too many policies can also result in conflicting policies that prevent some users from performing needed tasks and let other users, who should be restricted, perform tasks that affect the domain. The quick cure to these types of problems is to set yet another policy to correct the error, which of course makes everything worse.

You can, however, set policies in a way that maintains order. By planning ahead and taking steps to reduce the number of policies you need, you can avoid many of the pitfalls that administrators typically encounter when applying policies.

Use Fewer Policies More Effectively
When a Windows Server 2003, Windows XP, or Windows 2000 computer that's a member of a domain starts, the system processes and applies both domain and local computer-based policies. Then, when a user logs on to the domain from that computer, the system processes and applies both domain and local user-based policies. Because each policy takes time to apply, users can experience a significant delay between the time the computer starts and the time they can begin working. This delay is directly proportional to the number of physical policies (aka Group Policy Objects—GPOs) associated with the domain, site, or organizational unit (OU) that the system must process. You can minimize this delay by applying one or more of the following principles:

  • Apply policies to OUs.
  • Filter policies according to security group memberships.
  • Disable unused GPO sections.
  • Process policies asynchronously.

Apply policies to OUs. If you add computers to OUs, you can apply policy settings more effectively and at a more granular level than domainwide policies afford. For example, you can apply specific GPOs to all members of a particular OU and use those GPOs as a condition of membership for joining that OU. An added benefit of applying GPOs to OUs is that you minimize the need to process unnecessary GPOs. To create a GPO for an OU, perform the following steps:

  1. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
  2. Right-click the appropriate OU, then choose Properties from the context menu.
  3. Select the Group Policy tab, then click New.
  4. Enter a descriptive name for the GPO in the New Group Policy Object dialog box.
  5. Click Edit, then select the Enabled radio button to enable the policy, as Figure 1 shows.

Filter policies according to security group memberships. Although many policies aren't relevant to particular security groups, an administrator can still allow or deny GPOs according to security group memberships. Many professionals in the field consider this alternative to the "apply policies to groups" paradigm to be the backdoor approach that they wish Microsoft had built into Active Directory (AD). To filter policies according to security group memberships, perform the following steps:

  1. Select the appropriate GPO from the Active Directory Users and Computers snap-in, then click Properties.
  2. In the Properties dialog box, select the Security tab, as Figure 2, page 70, shows.
  3. Select a group, then select the Allow option for the Apply Group Policy permission to include that group in the policy or the Deny option to exclude the group. Repeat these steps for any other groups that you want to filter for this particular policy.

For example, if you create a policy to expand user rights, you might want to select the Allow option for the Apply Group Policy permission only for administrative security groups. If you create a policy to restrict user rights, select the Deny option for administrative security groups (to preserve administrators' rights) and select Allow for all other users.

Disable unused GPO sections. All GPOs have a Computer Configuration section and a User Configuration section. If the policy that you want to apply affects only the computer profile or only the user profile, but not both, you can configure the GPO so that the system doesn't spend time processing the unused section. To disable an unused GPO section, perform the following steps:

  1. Right-click the appropriate GPO, then click Properties.
  2. From the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box, as Figure 3 shows, then click Apply.
  3. Click Yes when Windows asks you to confirm your action.
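The three procedures above (link a GPO to an OU, security-filter it, disable its unused half), as an added example that is not from the article. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or RSAT), which postdates the Active Directory Users and Computers steps the article describes; the OU path, GPO name and group names are assumed values.

```powershell
# Added example (not the article's own steps). Assumed values: OU path,
# GPO name and the groups that should receive the policy.
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=example,DC=com'    # assumed OU
$gpoName = 'Workstations - Restrict User Rights'  # constructed name
$applyTo = @('Domain Users')                      # assumed target groups

# 1. Create the GPO (if missing) and link it to the OU, not the domain,
#    so computers outside the OU never process it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Example: user-rights policy' }
$linked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }

# 2. Security filtering. Set-GPPermission has no Deny option, so this uses
#    the allow-list form: drop Apply from Authenticated Users (keep Read, since
#    MS16-072 requires computer accounts to read user GPOs), then grant Apply
#    only to the intended groups. The article's Deny-for-administrators
#    variant is set on the GPO's Security tab instead.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
foreach ($g in $applyTo) {
    Set-GPPermission -Name $gpoName -TargetName $g -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 3. This GPO carries only user settings, so switch off the computer half
#    to skip it at startup. Other values: UserSettingsDisabled,
#    AllSettingsEnabled, AllSettingsDisabled.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Check: list every GPO linked to the OU with its enabled halves and the
# trustees that actually hold Apply, so stray or over-broad GPOs stand out.
foreach ($link in (Get-GPInheritance -Target $ou).GpoLinks) {
    $g = Get-GPO -Guid $link.GpoId
    $apply = (Get-GPPermission -Name $g.DisplayName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }).Trustee.Name -join ', '
    '{0,-40} {1,-26} applies to: {2}' -f $g.DisplayName, $g.GpoStatus, $apply
}
```

Run the check loop alone against each OU to find GPOs that still apply to Authenticated Users or that process both halves when only one is populated.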

Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc.