6.7 Group Policy Objects
Group Policy provides you with administrative control over users and computers in your network. You can
use Group Policy to configure a user’s desktop environment and let Windows Server 2003 enforce the
Group Policy settings that you have configured. You can apply Group Policy settings across a network, or to
a specific group of users and computers.
You can use Group Policy to:
• Centralize policies by applying the Group Policy for an entire organization at the site or domain level
• Decentralize policies by applying the Group Policy for departments at the organizational unit level.
• Ensure that users have the desktop environment and software applications that they require. You can also
prevent users from installing applications that they do not require.
• Control where users store their data folders.
• Control user and computer environments, to reduce the level of technical support that users might
• Enforce a company’s policies, including business rules, goals, and security needs.
Note: Group Policy applies only to Windows 2000, Windows Server 2003
and Windows XP Professional, but not to earlier versions of the Windows
The types of Group Policy settings that you can configure are:
• Administrative Templates, which allow you to configure registry settings. These allow you to
configure application settings and user desktop environments, including operating system components
and applications to which users can gain access, the degree of access to Control Panel options, and
control of users’ offline files.
• Security, which allows you to configure local computer, domain, and network security settings. These
include controlling user access to the network, setting account and audit policies, and controlling user
• Software Installation. This allows you to centralize the management of software installations, updates,
and removals. You can install applications automatically on client computers, you can upgrade
applications automatically, or you can automatically remove applications. You can also make
applications available in Add/Remove Programs in Control Panel, which provides users with a central
location to obtain applications for installation.
• Scripts, which allows you to specify when Windows Server 2003 runs specific scripts. You can specify
scripts to run when a computer starts and shuts down, and when a user logs on and logs off. You can
specify scripts to perform batch operations, control multiple scripts, and determine the order in which the
• Remote Installation Services, which allows you to control the options when running the Client
Installation Wizard used by Remote Installation Services (RIS), available to users.
• Internet Explorer Maintenance, which allows you to administer and customize Microsoft Internet
Explorer on Windows Server 2003 computers.
• Folder Redirection, which allows you to specify where specific user profile folders are stored on the
Windows Server 2003 applies the Group Policy settings that are contained in the GPO user and computer
objects. GPOs can be associated with sites, domains, or organizational units. The content of a GPO is
stored the Group Policy container and in the Group Policy template (GPT). The Group Policy container is
an Active Directory object that contains GPO attributes and version information. This allows computers to
access the Group Policy templates, and domain controllers to access it to obtain version information. The
Group Policy template is a folder in the SYSVOL directory, which is a shared directory that stores the
server copy of the domain's public files, on domain controllers. These files are replicated among all domain
controllers in the domain. When you create a GPO, Windows Server 2003 automatically creates the
corresponding Group Policy template folder.