Group Policies
By Ed Duncan, Consultant, SBSC, MCSE, MCSA
Hello, this month's topic is centered on Group Policies. Group Policies are common on enterprise networks but are not used too often on small business networks. If standardization, security, or compliancy is a concern for your business, then it is something you should consider implementing.
So what are Group Policies? Let me explain by using a simple team sport analogy. The players on a team compete to achieve a certain objective, which is usually to score more points than their opponent. Every sport has rules and an authority figure, usually a referee or umpire that oversees gameplay and makes sure that the rules are followed. Group Policies perform a similar function in a Windows networking environment. They are rules defined for the computers on your network, and a Group Policy Manager (the operating system) acts as the referee to ensure that the rules are followed.
What type of rules are we talking about? Practically any behavior you want the users or computers on your network to observe can be set as a policy. For example, let's say you want everyone's Internet browser to have their home page set to your company's website. You can create an Internet Explorer policy that sets the home page to mycompany.com. When the policy is active on the domain, every computer on the domain will receive the policy and have its home page changed to mycompany.com. If someone tries to change their home page to a different site, the computer will change it back when it refreshes and receive a policy update. In other words the Group Policy won't permit the employee to break the rule.
Let's take another example and say you don't want your employees playing Solitaire at work, you can create a policy that blocks the executable program from running. If your company keeps a lot of sensitive information, you may not want to allow employees to use flash drives. You can create a policy that disables the USB ports on computers rendering flash drives useless. There are literally hundreds of different policy settings you can apply. There are even applications that will allow you to set policies as well like Microsoft Office. You can create a policy that forces all Word files to be saved to a specific location, for example. Group Policies can even be used to install applications on computers on the network. This comes in handy when setting up a new computer, and you have a set of standard applications that you want installed. When the new computer receives the policy update, the applications install automatically.
What is required to run Group Policies? You need Group Policy template files (most come with the operating system), Group Policy Management Console (included in Windows Server 2008 and Windows Vista), and Active Directory. The domain administrator uses the Group Policy Management Console to create the policies.
What if you don't want the policies to apply to everyone in the office? Is it possible to enforce policies on specific users or computers? The answer is yes. You can set policies that are enforced on just certain groups of people or computers. The way objects are structured and placed in Active Directory is the key to making this work successfully. For example, you may want to restrict regular employees from having access to make changes to settings in the Control Panel, but you want to allow IT staff and Executives to have access. Active Directory would have to structured so that the IT staff and Executives are placed in containers where the policy is blocked.
Now if your company is not using Active Directory you can also create and use policies. In this case you would create what are called Local Policies, which will only apply to the local computer itself. More management is required when using Local Policies, because you will have to create them individually on every computer that you want to have policies. Also the policy will apply to the local administrator account as well, so you want to be very careful when using them, or else you may run the risk of preventing administrators from performing tasks that they should be able to do. There are steps you can take to prevent policies from applying to the local administrator account, but we won't go into the details in this article.
If your company or organization want tighter control over the actions your users are allowed to perform, Group Policies is a powerful feature worth evaluating.