Configuring Group Policy settings enables you to customize the configuration of user’s desktop, environment, and security settings. The actual settings are divided into two subcategories: Computer configuration and User Configurations. The subcategories are referred to as Group Policy nodes. A node is simply a parent structure that holds all related settings. In this case, the node is specific to computer configurations and user configurations.
Group Policy nodes provide a way to organize the settings according to where they are applied. Defined settings can be applied to client computers, users, or member servers and domain controllers. The application of settings depends on the container to which the GPO is linked. By default, all objects within the container with which the GPO is associated are affected by the GPO’s settings.
Configuring Group Policy Settings
The Computer configuration and the User configuration nodes contain three subnodes, or extensions, that further organize the available Group Policy settings.
Within the Computer Configuration and User Configuration nodes, the subnodes are as follows:
- Software Settings: The Software Settings folder located under the Computer Configuration node contains settings that apply to all users who log on from that specific computer. Settings modified here are computer specific, meaning that these settings are applied before any user is allowed to log on to the desktop. Rather than being computer specific, the Software Settings folder located under the User Configuration node contain settings that are applied to user designated by the Group Policy, regardless of the computer from which they log on to Active Directory.
- Windows Settings: The Windows Settings folder located under the computer Configuration node in the Group Policy Management Editor contains security settings and scripts that apply to all users who log on to Active Directory from that specific computer. This means that the settings are computer specific. The Windows Settings folder located under the User Configuration node contains settings related to folder redirection, security settings, and scripts that are applied to associated users. The computer from which a user logs on does not affect these policy settings. Rather, the policies are applied regardless of the User’s log on location.
- Administrative Templates: Windows Server 2008 includes thousands of Administrative Templates policies, which domain all registry-based policy settings. Administrative Templates are files with the .admx extension. They are used to generate the user interface for the Group Policy settings that you can set using the Group Policy Management Editor. The Windows Server 2008 .admx files are based on the eXtensible Markup Language (XML), unlike the Windows Server 2003 .adm files, which are Unicode-based text files. ADMX files can be stored in a single location called the Central Store in the SYSVOL directory.
Because Administrative Templates is an area of Group Policy where many commonly used administrative settings reside it is important to be familiar with how you can determine the purpose of each settings. In the Group Policy Management Editor, you can view description of policy settings using the Explain tab. This comprehensive help feature describes the function of the policy setting. Additionally, the Group Policy Management Editor console itself includes a Requirements section for each setting that indicated the minimum operating system revision that will support it.
To work with Administrative Template settings, you need to understand the three different states of each setting. First, a setting can be not configured, which means that no modification to the registry from its default state occurs. Not Configured is the default setting for the majority of GPO settings. When a GPO with a Not Configured setting is processed, the registry key affected by the setting is not modified or overwritten. Next, a setting can be Enabled, which means the registry key is modified by this setting. Last, a setting can be disabled, which means the policy setting is not selected. A disabled setting will undo a change made by a prior Enabled setting.
One new feature of Group Policy management in Windows Server 2008 is the ability to search for a particular GPO setting under the Administrative Templates folder based on elements such as keywords or the minimum operating system level. This is a convenience to administrators, because literally hundreds of settings are available under any number of nodes and subnodes within the Administrative Templates folder.
In addition, each Administrative Templates setting now includes a comment tab that allows you to enter free-form text to describe the entry. You can search against the text in these comments fields using the filter options window. Finally, you will also see the All Settings node below Administrative Templates node for User Configuration and Computer Configuration, which allows you to browse and sort all available policies alphabetically or by state.