Windows Server 2003 Setup Guide

What is Group Policy?

Group Policy is a component of Active Directory that allows you to configure mandatory settings for all members of a certain group of your domain. For example, if I wanted to make all members of the “Sales” group automatically have the program “Quicken” installed, I could do that with Group Policy. Alternatively, if I wanted to disallow certain software from being installed, I could also do that with Group Policy. Software installation, however, is not the only area that Group Policy touches on. Group Policy can be utilized to configure almost every aspect of the end-user experience and can make administration infinitely easier for the systems administrator.

GPMC

Before we begin to play around with Group Policy, however, we will download a free tool from Microsoft that makes Group Policy management much easier. Microsoft’s Group Policy Management Console (GPMC) can be found at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx and is required for this introduction to Group Policy. GPMC is not strictly required to configure Group Policy, but it makes managing that configuration much easier.

After you have downloaded and installed GPMC, go to Start -> Administrative Tools -> Group Policy Management. Select your domain (under the Domains folder) and expand it. You will notice that there is a shortcut to “Default Domain Policy.” Right click that and press “Edit.” The Group Policy Editor will open. Here you will see the policy that applies to all members of the domain by default, including the built-in groups, the domain controller, and all users. On the left side are all of the possible settings that can be configured, organized by two main categories: Computer Configuration and User Configuration. These two large categories share some settings but represent fundamentally different styles of Group Policy management. Computer settings apply to a computer in a specified group, regardless of which user is logged on. User Configuration is applied only when a specific user (specified in the group for which the policy is written) logs on. Under these two categories lie many settings, including Software, Windows, and Administrative Template settings. Under each of these lie specialized settings for more specific categories.

While entire books have been devoted to group policy management, I feel that much of it is very self-explanatory, so I will cover a few common tasks that can be achieved through group policy so that you will know how to not only perform these tasks but understand the logic behind the steps so that you can extend that logic to perform other actions and configurations.

The First Task: Assigning Norton Antivirus to All Users

(Note: Do not fret if you do not have Norton Antivirus. This tutorial applies to all software that you may wish to publish.)

Before we begin, we need to make sure that NAVCLIENT is in a place that is available to the users that we wish to deploy it to; that is, we must ensure that NAVCLIENT is in a shared folder. I like to create a shared folder called “ClientApps” that has all client applications in it, but you can do as you prefer. Make sure that the Users group has access to the share by setting Read access in the Security tab and Read access under the Permissions button on the Sharing tab.

Start by closing the Group Policy Object Editor for Default Domain Policy. Although we can use the Default Domain Policy object to configure this, it would be more prudent to create a new GPO (group policy object) and configure it specifically for this setting; doing so ensures an easy policy removal process (in other words, rather than trying to manually fish out and find each policy you no longer wish to maintain, you can just delete the policy object). To create this policy, select the Group Policy Objects folder and press Action -> New. You will be prompted for a name, so give it one. The new object will be created as will a shortcut under your domain. We begin by selecting the shortcut. On the right-hand side of the screen, you will see that the policy applies only to “Authenticated Users,” which is exactly what we were trying to accomplish to begin with, so we can go ahead and edit the policy. Right-click your new policy and press “Edit.”

When the GPO Editor opens, expand “Software Settings” under “User configuration” and select “Software installation.” Next, go to Action -> New -> Package. A dialogue will appear asking you to locate the msi package that you wish to install, so select it and press “Open.” (To utilize Group Policy installation services, you must have an MSI package for the program that you wish to install. Creating such packages is out of the scope of this tutorial.) Finally, it will ask you whether you wish to “Publish” or “Assign” it. Since you wish to make the installation of NAVCLIENT mandatory, you should assign it. Norton Antivirus should show up in the list of packages. We’re not done yet, though! Exit the GPO Editor and drag the policy that you just edited from the “Group Policy Objects” folder to the domain icon. You will be asked if you wish to link the GPO to the domain. Obviously you do, so click Yes. (Note: Sometimes Windows automatically links new GPO’s to the domain, so don’t be surprised if it says: “This group policy is already linked to the domain.”) Now, right-click on the link you just created (it bears the same name as the GPO but has a shortcut icon next to it) and select “Enforced.”

The Second Task: Configuring Home Folders

Users sometimes change PCs. Whether multiple users log on to one PC, one user logs on to multiple PCs, or multiple users log on to multiple PCs, it invariably leads to files being spread across many PCs and therefore difficult to retrieve. Through Group Policy, you can configure a user to access his/her “My Documents” folder exclusively through the network. In other words, you can alias a user’s “My Documents” folder to redirect to a network location. Such an ability is invaluable to many systems administrators. In Group Policy, this is known as “folder redirection” and is very easy to configure.

To begin, however, we must first create a shared folder that all Users can access. (After all, they need to be able to reach their folders!) I usually create a folder “C:/Home” and share it, but you can do as you wish. More importantly, make sure that the permissions are configured as follows (these are straight from Microsoft):

Table 12 NTFS Permissions for Folder Redirection Root Folder

| User Account | Minimum permissions required |
| --- | --- |
| Creator/Owner | Full Control, Subfolders And Files Only |
| Administrator | None |
| Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data – This Folder Only |
| Everyone | No Permissions |
| Local System | Full Control, This Folder, Subfolders And Files |

Table 13 Share level (SMB) Permissions for Folder Redirection Share

| User Account | Default Permissions | Minimum permissions required |
| --- | --- | --- |
| Everyone | Full Control | No Permissions |
| Security group of users needing to put data on share | N/A | Full Control |

Note: If the above confuses you, it’s not as hard as it looks. First, go to the “Security” tab and manually set permissions per user. For example, I am using the folder C:\Home, so I would right-click the folder, press “Properties,” press “Security,” and look at the existing permissions. If they are correct, I would not modify them, but if they do not match Microsoft’s recommendations (requirements) I would change them by clicking on the boxes in the bottom half of the screen. If permissions are needed for an account that is not already on the list, such as the group “Users” in our case (as our group policy needs to apply to this group), I would press “Add” and type in “Users,” press OK, and move on (note that the Users permissions are automatically set to Microsoft’s requirements). For the second half (Table 13 Share Level Permissions), I would go to the “Sharing” tab, click “Permissions” and add the “Users” account, giving “Users” full control access.
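To confirm that the Security tab ended up matching Table 12, the following added example (not part of the original tutorial) reads the NTFS ACL of the redirection root and reports every deviation; it does not cover the share-level permissions in Table 13. It assumes Windows PowerShell is installed on the server (a separate download on Windows Server 2003), and the root C:\Home and group BUILTIN\Users are assumed defaults to change as needed.

```powershell
# Added example, not from the original tutorial: audit the folder-redirection
# root against Table 12. The $Root and $UserGroup defaults are assumptions.
param(
    [string]$Root      = 'C:\Home',
    [string]$UserGroup = 'BUILTIN\Users'
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = (New-Object System.Security.Principal.NTAccount($UserGroup)).Translate($sidType).Value

# Well-known SIDs, so the check does not depend on localized account names.
$Everyone = 'S-1-1-0'; $CreatorOwner = 'S-1-3-0'; $LocalSystem = 'S-1-5-18'

# Access-mask bits (FileSystemRights values).
$ListCreate  = 0x1 -bor 0x4      # List Folder/Read Data, Create Folders/Append Data
$FullControl = 0x1F01FF
$GenericAll  = 0x10000000        # inherit-only CREATOR OWNER entries are often stored this way
# Create Files, Delete Subfolders And Files, Delete, Change Permissions, Take Ownership
$Excess      = 0x2 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Test-FullControl([int]$Mask) {
    (($Mask -band $FullControl) -eq $FullControl) -or (($Mask -band $GenericAll) -ne 0)
}

$findings  = @()
$seen      = @{}
$groupMask = 0                   # rights the user group holds on the root folder itself
foreach ($ace in (Get-Acl -Path $Root).GetAccessRules($true, $true, $sidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid         = $ace.IdentityReference.Value
    $mask        = [int]$ace.FileSystemRights
    $inherit     = [int]$ace.InheritanceFlags                  # 0 = this folder only, 3 = subfolders and files
    $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0  # set = entry skips the folder itself
    $full        = Test-FullControl $mask

    if ($sid -eq $Everyone) {
        $findings += "Everyone has an Allow entry ($($ace.FileSystemRights)); Table 12 gives it no permissions"
    } elseif ($sid -eq $groupSid) {
        $seen['group'] = $true
        if ($inherit -ne 0) {
            $findings += "${UserGroup}: an entry is inherited by subfolders/files; Table 12 says This Folder Only"
        }
        if (-not $inheritOnly) {
            if ($full) { $mask = $mask -bor $FullControl }
            $groupMask = $groupMask -bor $mask
        }
    } elseif ($sid -eq $CreatorOwner -and $full -and $inherit -eq 3 -and $inheritOnly) {
        $seen['owner'] = $true
    } elseif ($sid -eq $LocalSystem -and $full -and $inherit -eq 3 -and -not $inheritOnly) {
        $seen['system'] = $true
    }
}
if (-not $seen['group']) { $findings += "${UserGroup}: no Allow entry on $Root" }
elseif (($groupMask -band $ListCreate) -ne $ListCreate) { $findings += "${UserGroup}: lacks List Folder/Read Data or Create Folders/Append Data" }
if (($groupMask -band $Excess) -ne 0) { $findings += "${UserGroup}: holds more than Table 12's minimum on the root folder" }
if (-not $seen['owner'])  { $findings += 'CREATOR OWNER: no Full Control entry for Subfolders And Files Only' }
if (-not $seen['system']) { $findings += 'Local System: no Full Control entry for This Folder, Subfolders And Files' }

if ($findings.Count -eq 0) { "OK: $Root matches Table 12" } else { $findings }
```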

Now, go to GPMC and create a new policy object that is applied to Authenticated Users (basically, just create a new policy object and name it as you like). Open the policy object by Right-click -> Edit and go to User Configuration -> Windows Settings -> Folder Redirection -> My Documents and click Action -> Properties. When the dialogue window opens, the setting will be set at “Not Configured.” Change that to “Basic” and some new options should appear underneath. Choose “Create a folder for each user under the root path” and set the root path to be the UNC path to the shared folder that you created – in my case, “\\FOXSOX\Home” – and press “OK.” Link the GPO to the domain as you did in the First Task and enforce it.

Now, by default, when an Authenticated User logs in, a folder will be created for that user under the location C:/Home/$USERNAME and the permissions will be automatically set such that only that user can access his particular folder (and subfolders/files). To test this out, log in to the domain from a client PC and watch as a “Documents” folder for that particular user is automatically created.


Comments

  1. mohamed shafi says:

    I really want to know more about Windows Server 2003.

  2. John Amakali says:

    After I set up my Windows Server 2003, I am failing to log on with the domain server that I have just created. Can somebody tell me how to link other computers (with Win XP and Vista) to my server?

  3. Deck Hazen says:

    Hi folks,

    I appreciate the effort, but the title is “Windows Server 2003 Setup Guide” and I was hoping for some setup information – not a buyers guide.

    Thanks ,

    — Deck

  4. Brian Souder says:

    This was not a bad beginner’s article. In fact, it is the first one that explained the domain name in AD setup. I was really confused by this initially. There was nothing saying you could have yourcompanydomain.com or yourcompany.local and what the differences were. It REALLY pissed me off when the books would all say (Use Appropriate Server Info) for that section. How was I supposed to know what was appropriate on my first install. You might want to even expand that a little. You should do a follow on or expansion for the DHCP, DNS, and WINS as well. This can be confusing as well, and in an XP or Vista environment, you would be using them.

    To John’s comment – You need to add the workstation to the Domain. I am assuming you got into the server just fine. On one of the workstations, go to My Computer and right click, and then select Properties. Now click on the Computer Name tab. Near the bottom right of the window select change. At the top will be the computer name, and at the bottom will be Workgroup and Domain. Change the radio button to Domain, and then enter the name of the domain you created. If you picked YourCompany.local in the setup, enter YourCompany, and select OK. You will be prompted for the domain administrator credentials. Administrator and whatever you set the server administrator password to. You will get a series of dialogue boxes you hit OK to. After the last one, you will need to restart the workstation. When it restarts, you can use Administrator, the domain administrator password, and there will be a new drop down box. It will probably say “This Computer”. Change it to the domain you picked, and then login. You are now on the domain. If you followed the tutorial and setup user accounts, you need to add those domain users to the workstation to login as the user. The user effectively has no right at the moment to the workstation. If you setup a user named “userone”, we add them to the workstation as follows. Right click My Computer and select Manage. Select Local User and Groups. The Users folder is “LOCAL” user accounts – meaning only on that workstation. So you want to select GROUPS. You can select the level of user rights and add them to that group. Generally you do not want your users above Power User, but this is dictated by the software you use, and the level of control you want the user to have. There are tons of articles on this stuff. So let’s click Power Users.
In the new window, select Add, and in the white open space, start typing “userone” (this is just an example name – you might use first initial and last name such as jsmith – or – john.smith – etc – again – there are tons of articles on naming schemes for users and workstations). So in our example, we start typing “userone” – we can actually type “user” and then use the check name button to the right, and it should either find the user or give you a list. For example if we had userone, usertwo, userthree – it would find all three in the list because they all start with user. It would be waiting for you to pick which one. So pick the user, and it should appear in the white window where you were typing. Be careful if you have a local user account with the same name, it can get confused. You see people using things like John for user names. They have no place on a domain – so don’t do it. It also gives you the chance to migrate the user’s profile to their new domain account profile you are going to create the first time you login as the user. So once you have the user in, hit OK until your boxes are gone, and then logoff as the Domain Administrator. Now change the user name to the user you picked. In our example it was userone. Login with the password. The first login will take a while as it sets up the profile. You are now on the domain as a user you setup.

    Deck Hazen – dude – you have to click the next button at the bottom of the article. In his defense – I did not see it at first either. You guys need to put space between the buttons. Keep up the good work though.

  5. Brian Souder says:

    Oops – made a typo in there when I was changing a few things around. WINS for a mixed NT, 98 with XP and Vista.

  6. Beginner question: what is the difference between Windows Server 2003 and R2?
    After I installed Windows Server 2003, what should I do next?
    Thanks

  7. I thought this tutorial for an entry level tutorial was laid out quite well. I pass this tutorial to others who are curious or have questions on a base level how a domain is set up. In my opinion this tutorial is 5\5 stars. For those who commented about the website’s format and layout; I agree about the previous-Next Page link. Whoever href’d that was in a hurry and it probably was not at focus, but it makes up for such a nit picky code eye pain by the one of a kind Windows Server 2003 tutorial. This gentleman really took his time of the day to paint the bigger picture in a “for Dummies” level tutorial. If you have been working as a desktop technician pushing images to workstations, building batch scripts and been using AD users and Computers snap in with limited rights to AD and always wanted to grasp the true understanding of how your job’s network operates this tutorial teaches you how you would set it up. The rest of the gaps were clearly stated “Out Of Scope”, thus issues that go to mind such as security policy settings, and all the ins and outs of security options one could do would have taken way too long. A great job here was done, and if anyone has written a tutorial you know the temptation to want to deviate and go on tangents explaining things more in depth while at the same time getting further off track of the focus of the tutorial’s direction. He kept great control here with that, and this tutorial literally brought it together for me. My mind goes crazy on what I want to do at work with this information in mind. Most of us who work desktop support jobs have what it takes to engineer a domain, and could code in share point scripts to write credentials to apps, and so forth, but because we’re not MCSE certified we don’t get to touch the DCs. “In my case that is”.
I recently took a job where “I” am the “ADMIN” over the domain for a very small business, and with freedom to do as I wish on the domain I created with only but 60 machines and users I am advancing a lot. We use a Cisco router here and a business line broadband modem since I am the sole systems engineer per se I am also responsible for it. So I play with subnetting and so forth in my free time, and every day is not a boring day all because of this tutorial which helped me get the job! Every day I am setting policies, locking down users’ machines. The boss\Owner who didn’t have a domain setup and each phone agent was just taking calls, and had an independent machine with full admin rights didn’t know any better. I made suggestions and told him we were going to need to domain this work environment and sold him on letting me go to Dell’s website, bought a server with a packaged license deal. Then I setup 3 other child servers, one as a file server, printer server, and using newer workstations with the w2k3 OS for the roles. I build scripts in C++ to do profile backups etc… my days flyyyyyyy it’s almost not even a job to me, but a do something I love and get paid type of work. This tutorial being primarily text based versus YouTube videos really put the confidence in me enough to present the benefits to the owner to make him buy a $3k server package. It was all worth it to him once I setup policies that allowed him to stealthily RDC into his employee’s workstations and see what they are doing when he wanted. I am doing research on Magic Jack type phone setups to save the token phone setup he is paying out the nose for on a monthly basis. My ideal is to have a very cost efficient call system in which phone calls can be recorded and monitored and even be remotely monitored real time to kind of do some call quality.
All of these measures are being coerced by the knowledge I have and how it can save money and make business operations more efficient ALL THANKS TO GOOD LAID OUT TUTORIALS LIKE THIS ONE!!! It’s only until now that I wrote a comment on this tutorial I should have done so when I first read it.

  8. I can’t see the link for the next page of the tutorial. Where is it?

  9. Guide is excellent however please correct the images. They are currently broken due to a script error.

  10. Any chance you could fix the images and also expand on roaming profiles?

    Thanks

  11. Spanishgirl says:

    Can’t say much for this posting, it’s of little or no use to anyone setting up Server 2003. Like my dad used to tell me, if you don’t know what you’re talking about just shut up and listen to someone that’s done it instead of wasting everyone’s time. Good intentions are like ass holes, everyone’s got one.

  12. Bla Bla Bla why don’t you suck my dick???
