figuring out group policies

From: Mike Downey (mike_at_ProphetTechnologies.nospamxxx.com)
Date: 02/26/04 

Date: Thu, 26 Feb 2004 08:25:21 -0600

Does anyone know of a document that will get me started on figuring out how
Group Policies work? I'm kind of lost with all the GPs that SBS 2003
creates by default. For example, both the Default Domain Controllers Policy
and the Small Business Server Domain Password Policy define the Enforce
password history, Minimum passowrd length and other criteria. I'd like to
know how they're applied to the various OUs, users, machines, etc.

My first inclination is to create a GP that applies to the SBS Users OU so
that it doesn't affect administrators on any computers.

Also, it seems like most of the policies allow or prevent users from
changing things, but it seems to me that it would be more useful to set
properties for them automatically. For example, I can prevent users from
changing their wallpaper, but I'd prefer if there was a setting where I
could set it to (None) and prevent them from changing it. Also, I can
prevent them from using the Add/Remove programs applet, but how do I just
prevent them from installing or removing any programs instead?

And finally, I'm not sure about the three values of Enabled, Disabled and
<undefined> and how they apply. Let's assume that I'm created a Policy that
applies to all users. My understanding is that if a value is not set, it
doesn't affect any of the users. That part is easy. Now, if I set it to
Enabled, the next time the user logs on, I believe that value affects a
change in their profile on the computer they just logged onto. If I change
it to Disabled, the next time they log onto any computer, that setting is
removed from their profile on that computer. If I then change it to
<undefined>, does GP just stop controlling that setting? That is, if I'm
experimenting as described above and the user logged onto two separate
computers, one while setting was Enabled and one while setting was Disabled,
are their profiles different on those two computers now?

Any guidance to help me get started on this would be appreciated.

Thanks,
Mike

Relevant Pages

  • Re: Assigning user profiles based on OU
    ... the computers via Group Policy. ... > to user student workstations and pull the student profile. ... create OU's for specific client machine sets and apply ... If the policy settings are specific to the ...
    (microsoft.public.win2000.group_policy)
  • Re: Assigning user profiles based on OU
    ... Consider designing GPO/s that include settings for the users that are common ... policy in the computer configuration. ... > users but have mutiple computers with differ applications. ... > can be based on OU or mapping a profile to a drive letter which is mapped ...
    (microsoft.public.win2000.group_policy)
  • Re: Assigning user profiles based on OU
    ... > Consider designing GPO/s that include settings for the users that are common ... > policy in the computer configuration. ... >> users but have mutiple computers with differ applications. ... >> can be based on OU or mapping a profile to a drive letter which is mapped ...
    (microsoft.public.win2000.group_policy)
  • RE: roaming profiles conflicts
    ... My suggestion is to get rid of the global setting in AD Users and Computers ... that defines where a user's TS profile is. ... policy is only getting applied to users who logon to the specific computers, ... When these same users attempt to login to a terminal server ...
    (microsoft.public.windows.terminal_services)
  • Re: Reinstall everytime assigned applications through GPO on start
    ... Software installation extension has been called for background policy refresh ... Stations - R&D Software (EMEA computers). ... Stations - R&D Software (EMEA computers) is set for installation because it ... The assignment of application Remote Administrator v2.1 from policy Software ...
    (microsoft.public.windows.group_policy)