Microsoft Certifications

Windows Server 2003 Group Policy and Security – 70-290

Managing the User Environment Using Group Policy

In this section you will learn:

  • Configure Group Policy settings
  • Assign scripts with Group Policy
  • Configure folder redirection
  • Determine applied GPOs

Throughout these tutorials you will be shown examples of Group Policy Objects you can configure to achieve your goals. Understanding how Group Policy works is a strong foundation for your career as a systems administrator and for the MCSE exam 70-290.

Configuring Group Policy Settings

Group Policy settings are easy to edit and implement. A Group Policy Object (GPO) is a collection of Group Policy settings. Each computer has a local GPO, which is stored on the computer. In addition, an administrator can create any number of Active Directory-based (also called nonlocal) GPOs.

To create a new Group Policy Object and create a collection of Group Policy settings:

  1. Start Group Policy Management.
  2. Right-click on the Domain, OU, or Site you want to create a Group Policy for and select Create and Link a GPO Here. If you want to define a Group Policy Object which can be used in multiple areas, you can also right-click on Group Policy Objects and select New.
  3. Name your Group Policy Object. Click OK.
  4. Your new GPO will appear to the right. Right-click on the GPO and select Edit.
  5. Group Policy Object Editor will open. You can now begin editing the Group Policy settings you want to have applied.
  6. In this example, we are going to disallow Microsoft Windows Messenger from running. Navigate to User Configuration: Administrative Templates: Windows Components: Windows Messenger.
  7. You will see two Group Policy settings in this category. Double-click on the first policy setting, Do not allow Windows Messenger to be run.
  8. You have three options available: Not Configured, Enabled, and Disabled. Not Configured allows for other GPOs to take precedence or just allows the default action (in this case, Not Configured would allow the user to run Windows Messenger). Enabled turns the policy on. In this example, by enabling the policy, you are actually not allowing Windows Messenger to be run. Disabled specifically allows the user to run Windows Messenger.
  9. Click on the Explain tab.
  10. The explanation provided describes what will happen with each selection.
  11. Click OK.
  12. Continue throughout the Group Policy making any changes you require. Once you have completed your configuration, close the Group Policy Object Editor MMC console. You will return to Group Policy Management.
  13. You can assign a GPO to an OU, Site, or Domain by right-clicking the container and choosing Link an Existing GPO.
  14. Select the GPO you want to apply and click OK.

Assigning Scripts with Group Policy

Group Policy also allows you to assign startup and shutdown scripts within a Group Policy Object. This is a convenient way to control specific scripts for specific OUs or domains.

  1. Edit the Group Policy Object you would like to add a script to. This opens the Group Policy Object Editor MMC.
  2. Navigate to Computer Configuration: Windows Settings: Scripts (Startup/Shutdown).
  3. Choose to add a Startup or a Shutdown script. Double-click on your choice.
  4. Click Add to add a script.
  5. Click Browse to find the script.
  6. Select the script you want to add. Click Open.
  7. Add any required parameters for the script. Click OK to close the Add a Script window.
  8. The script is now part of your Group Policy Object. Click OK to close the Startup Properties.

You can also add Logon/Logoff scripts in the User Configuration section.
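Startup and shutdown scripts run under the Local System account, so it matters where each assigned script is stored and who can modify it. The following is an added example, not part of the original tutorial: it parses the scripts.ini file a GPO keeps for its assigned scripts and lists entries stored outside SYSVOL or the GPO's own folder. The sample content, server name and paths are constructed, and the rule that a relative name refers to the GPO's own script folder is an assumption of this sketch.

```python
import re
from configparser import ConfigParser

# Constructed sample of a GPO's Machine\Scripts\scripts.ini; names and paths are invented.
SAMPLE_INI = r"""
[Startup]
0CmdLine=map_printers.bat
0Parameters=
1CmdLine=\\fileserver01\public\tools\inventory.vbs
1Parameters=/quiet
[Shutdown]
0CmdLine=C:\Temp\cleanup.cmd
0Parameters=
"""

def parse_scripts(ini_text):
    """Return (event, order, cmdline, parameters) for every script entry."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: '0CmdLine', not '0cmdline'
    cp.read_string(ini_text)
    entries = []
    for event in cp.sections():  # Startup/Shutdown, or Logon/Logoff for user scripts
        for key, value in cp.items(event):
            m = re.fullmatch(r"(\d+)CmdLine", key)
            if m:
                params = cp.get(event, m.group(1) + "Parameters", fallback="")
                entries.append((event, int(m.group(1)), value, params))
    return sorted(entries)

def classify(cmdline):
    """Say where a script lives, which decides who can change what it runs."""
    if re.match(r"^\\\\[^\\]+\\(sysvol|netlogon)\\", cmdline, re.I):
        return "sysvol"          # replicated share hosted on domain controllers
    if cmdline.startswith("\\\\"):
        return "external-share"  # review share and NTFS write permissions
    if re.match(r"^[A-Za-z]:\\", cmdline):
        return "local-path"      # must exist, and be protected, on every target
    return "gpo-folder"          # relative name: assumed stored inside the GPO

def audit(ini_text):
    """List entries whose script is stored outside SYSVOL or the GPO folder."""
    return [(event, cmd, classify(cmd))
            for event, _, cmd, _ in parse_scripts(ini_text)
            if classify(cmd) in ("external-share", "local-path")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

Real scripts.ini files are typically UTF-16 encoded, so decode them accordingly before passing the text to `parse_scripts`.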

Configuring Folder Redirection

Group Policy also allows you to redirect certain folders to a specified location. For example, if your company does not want users to store documents in their local profiles, you can redirect the “My Documents” pointer to another location, such as the user’s home drive.

There are four folders you can redirect: Application Data, Desktop, My Documents, and Start Menu.

  1. Open Group Policy Object Editor.
  2. Navigate to User Configuration: Windows Settings: Folder Redirection.
  3. Right-click the folder you want to change and select Properties.
  4. Each folder has its own customizable settings. In this example, we chose to change the My Documents folder. There are three available settings:
    • Not Configured – no setting configured
    • Basic – Redirect everyone’s folder to the same location – you can specify a location on the computer to redirect the folder to, redirect to a user’s home directory, or redirect to the local user profile location.
    • Advanced – Specify locations for various user groups – you can customize the setting based on what group a user is a member of.
  5. Click on the Settings tab.
  6. Select any options you may require.
  7. Click OK to save the settings.

Determining Applied GPOs

The Group Policy Results Wizard allows you to target a specific user or computer and determine what the effective Group Policy settings are for that user.

  1. Open Group Policy Management.
  2. Right-click on Group Policy Results and select Group Policy Results Wizard.
  3. Click Next.
  4. You can select the current computer or another computer. Click Next.
  5. Select the user you want to display policy settings for. Click Next.
  6. Click Next to continue.
  7. Click Finish to close the wizard.
  8. The report will display under Group Policy Results.
  9. You can click show in the report to see specific sections of interest.
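The Group Policy Results report names a winning GPO for each setting. The sketch below is an added example, not part of the original tutorial: it shows how that winner follows from the Not Configured / Enabled / Disabled states described for the Windows Messenger policy. It goes beyond the tutorial by assuming the standard processing order (local, site, domain, OU) and the Enforced link option; the GPO names are constructed.

```python
from dataclasses import dataclass

# Processing order: local GPO first, then site, domain and OU; later GPOs win.
LEVELS = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class LinkedGpo:
    name: str
    level: str               # "local", "site", "domain" or "ou"
    state: str               # "Enabled", "Disabled" or "Not Configured"
    enforced: bool = False   # the link is marked Enforced

# Constructed sample: three GPOs that all carry the Windows Messenger setting.
SAMPLE = [
    LinkedGpo("Local GPO", "local", "Not Configured"),
    LinkedGpo("Domain Baseline", "domain", "Enabled"),
    LinkedGpo("Helpdesk OU", "ou", "Disabled"),
]

def effective(gpos):
    """Return (state, winning GPO name) for one policy setting."""
    normal = sorted((g for g in gpos if not g.enforced),
                    key=lambda g: LEVELS[g.level])
    # Enforced links apply last; among them the highest container wins.
    enforced = sorted((g for g in gpos if g.enforced),
                      key=lambda g: -LEVELS[g.level])
    state, winner = "Not Configured", None
    for gpo in normal + enforced:
        if gpo.state != "Not Configured":  # Not Configured never overrides
            state, winner = gpo.state, gpo.name
    return state, winner

def messenger_allowed(gpos):
    """'Do not allow Windows Messenger to be run': only Enabled blocks it."""
    return effective(gpos)[0] != "Enabled"

if __name__ == "__main__":
    print(effective(SAMPLE), messenger_allowed(SAMPLE))
```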