Types of Group Policy in Windows Server 2008
Group Policy has power over just about every process, application, or service on a Windows network. Both servers and workstations are powered by GP (Group Policy), so unless you deploy Windows Vista or Windows XP, or Windows Server 200X, GP is not pervasive throughout the enterprise. Windows 9x and NT 4.0 workstations are not powered to the same extent as Windows 2000/XP/Vista clients, because client-side extensions that pull down and read policy are not present in these legacy desktop operating systems.
A network consisting of many different versions of Windows (in some cases, as many as five), therefore, is also going to be less secure or at least not as manageable. Obviously, a hard-to-manage or hard-to-control network is going to be a lot more expensive to maintain in the long run. The initial cost of upgrading to Windows Server 2008 throughout the enterprise pays off in the long run. In terms of security, such as the capability to stave off a hacker thanks to encryption or the capability to save critical data thanks to folder redirection, not only can you save a bundle by going ‘‘native,’’ but you may even save the company as well. The more versions that you eliminate, the more secure and more manageable life is going to be for you.
You can have many different types of Group Policy ‘‘collections.’’ (The term policy collection is not a Microsoft term as far as we know, but it is useful for describing the policy types.) The following list describes the ‘‘intent’’ of these collections:
1) Application deployment: These policies are used to administer user access to applications. Application deployment or installation is controlled or managed in the following ways:
   a) Assignment: GP installs or upgrades applications and software on the client computers. The assignment can also be used to publish an icon or shortcut to an application and to ensure that the user cannot delete the icon.
   b) Application publication: Applications can be published in Active Directory. These applications are then advertised in the list of components that appears whenever a user clicks the Add/Remove icon in the Control Panel.
2) File deployment: These policies allow you to place files in certain folders on your user’s computer. For example, you can take aim at the user’s My Documents folder and provide the user with files that the user needs to complete a project.
3) Scripting: These policies allow you to select scripts to run at predetermined times. They are especially useful for ensuring that scripts are processed during startup and shutdown or whenever a user logs off a machine and a new user logs on to the same machine. Windows Server 2008 can process VBScript, JScript, and other scripts written for the Windows Script Host.
4) Software: These policies allow you to configure software on user workstations on a global or targeted scale. This is achieved by configuring settings in user profiles, such as the desktop settings, Start menu structure, and the other application menus.
5) Security: Perhaps no other collection in Windows Server 2008 is as important as the security policies, given that the next hacker who wipes out the assets could be the kid next door.
In addition to eventually reducing the total cost of ownership (through lowering the cost of administration), you should consider that Group Policy has other roles. It exists not to create problems for users and administrators, but to secure the environment and enhance the work and user environment.
In your endeavours to secure the environment, you no doubt come across conflicts that violate the principle to maintain a ‘‘user-friendly’’ environment. Going wild on password length is a good example. If you set password length too long to increase security, users not only get peeved, but they also start sticking the passwords on their monitors because they are so hard to remember. That is not security. If you must have tight security, your best option may be to take the security need to management and suggest smart cards or biometrics. Remember that locking down an environment should not lock out the user at the same time.
The environment can be enhanced in many different ways. If users need access to new software, you need to determine which of the following three methods of delivery is more pleasing or enhancing to the user from the user’s perspective:
1) Waiting hours or days for the administrator to show up at your desk with the new software
2) Being asked to log on to a network distribution point and install the software yourself
3) Taking a break while the software mysteriously installs itself onto your machine with seemingly no human intervention
Enhancing the users’ environment also means helping them to locate applications easily, intelligently redirecting folders or mapping their folders to resources, and automating processes during the twilight times of the workstation, namely at logoff and logon.
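
For the scripting policies in item 3, the following is an added example (not part of the original post) that audits which scripts a GPO runs at startup, shutdown, logon and logoff by parsing the scripts.ini file Group Policy keeps in the GPO's Scripts folder. The sample file contents, host name and script names are constructed; scripts referenced by an absolute or UNC path are flagged because they live outside the GPO, and startup/shutdown scripts run as Local System.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample in the scripts.ini layout found under a GPO's
# Machine\Scripts or User\Scripts folder (real files are UTF-16; decode first).
SAMPLE_SCRIPTS_INI = r"""
[Startup]
0CmdLine=map_printers.vbs
0Parameters=
1CmdLine=\\fileserver01\tools\inventory.js
1Parameters=/quiet
[Shutdown]
0CmdLine=C:\Temp\cleanup.bat
0Parameters=
[Logon]
0CmdLine=welcome.vbs
0Parameters=%USERNAME%
"""

MACHINE_EVENTS = {"Startup", "Shutdown"}  # run as Local System, not as the user

def parse_scripts_ini(text):
    """Return one dict per configured script, ordered by event and index."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %VAR% literal
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    entries = []
    for event in cp.sections():
        for key, value in cp[event].items():
            m = re.fullmatch(r"(\d+)CmdLine", key)
            if m:
                idx = m.group(1)
                entries.append({"event": event, "order": int(idx),
                                "cmdline": value,
                                "parameters": cp[event].get(idx + "Parameters", "")})
    return sorted(entries, key=lambda e: (e["event"], e["order"]))

def review(entries):
    """Flag scripts stored outside the GPO; machine events rate higher."""
    findings = []
    for e in entries:
        if not PureWindowsPath(e["cmdline"]).is_absolute():
            continue  # relative name: the file sits in the GPO's own folder
        where = "UNC share" if e["cmdline"].startswith("\\\\") else "local path"
        level = "high" if e["event"] in MACHINE_EVENTS else "medium"
        findings.append((level, e["event"], e["cmdline"], where))
    return findings

if __name__ == "__main__":
    for finding in review(parse_scripts_ini(SAMPLE_SCRIPTS_INI)):
        print(finding)
```

For each finding, check who can write to the referenced location, since anyone who can modify that file controls what runs on every machine or user the GPO applies to.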

