Recently, I created a video for Citrix's Tech Videos website covering best practices for group policies, user profiles, and folder redirection. In the video, I talk a bit about how to use each feature to your advantage on a high level - things that would work for pretty much any environment.
In this three-part article series, we're going to take a look at Group Policies, Folder Redirection, and Profiles in their own articles. I'm sure to stir up some conversation, so I want to make it clear right away that these aren't for everybody, but are high level enough to work for most. There are as many different environments as there are people reading this article, so pick and choose the solutions you use wisely, and if you have any suggestions, feel free to comment. Also, there is no mention of any third-party products here (except for Flex profiles, which will be covered in the Profiles article). This is meant to cover what you can do out-of-the-box. If you use third party utilities to make your Group Policy life easier, please post them in the comments.
Today, we'll talk about Group Policies and and some ways to build a good group policy foundation. We'll also take a quick look at Microsoft's new Group Policy Preferences feature that will be included in Windows Server 2008 and Vista SP1.
By now you are familiar with Group Policies, but there are a few things to get out of the way. First, if you don't have the Group Policy Management Console yet, get it. It'll make your life a lot easier from an administration, documentation, and auditing standpoint.
Next, let's go over the nomenclature that is used. Group Policies are actually broken down into a few different types of items. We have Group Policy Objects (GPO's), Group Polcies and Linked Policy Objects. These terms are used interchangeably quite often, which is fine, but when it comes down to the nitty-gritty of GP administration, it's good to know the difference:
Group Policy Objects are containers for Group Policies. A GPO is basically a group of settings, the "settings" being the individual Group Policies. Group Policy Objects are created in the domain, and are referenced at the container level by linking to the GPO--this is a Linked Policy Object. It's essentially just a shortcut to the actual GPO object in the domain.
There are many schools of thought when dealing with Group Policies. Many people are afraid to create too many policies for fear of affecting performance. In reality, the quantity of policies doesn't affect performance as much as what you're doing with those policies. If you're using policies to configure the user's environment (like the Start Menu, Control Panel, or Office settings), you can generally have as many policies as you need. However, if you're installing software with your policies, you can expect logon times to be affected as the system checks for existing software and/or installs new software. Sometimes this in unavoidable, but its important to know where the problems lie.
My favorite method of using Group Policies is to start by creating a standard default user policy object for your Terminal or Presentation servers. This policy object should have every setting that every user needs. This can be forcing the classic start menu or the default save location for Word -- anything that everyone should have configured. Inevitably, you'll run into exceptions - the secretary that has her documents stored elsewhere on the file server and wants her default save-to location to be different, for instance. In these situations, you can break that policy out of the default object and into its own policy object. The process would look something like this:
- Using the GPMC, create and link a GPO to the same container as the default policy.
- In your new policy object, configure the save-to location policy the exact same way as it is in the default policy object.
- In your default GPO, change the save-to location setting to Not Configured
At this point, nothing has changed from the users' standpoint. The only backend change is that there are now two GPO's being applied to them at logon instead of one. Now we need to exclude the secretary from having that policy applied to her.
- I usually create a group in Active Directory PE_. The "PE" stands for "Policy Exempt." In this case, I would create a group called PE_SaveLocation.
- Add the secretary and other users for which you'd like to exempt from the policy to the group you just created.
- In the GPMC, select the new linked policy object that you created a minute ago, and select the Delegation tab on the right side of the GPMC window.
- Click the Advanced button, and add the PE_SaveLocation group to the ACL.
- Select the PE_SaveLocation group, and in the bottom portion of the window, choose to DENY access to the Apply privilege.
Now, when the exempted user logs in, he or she will have the default policy applied to them, but when it's time to apply the save location policy, their access will be denied and they will be able to change the location on their own.
What typically ends up happening is you'll start with a large default policy object and no other GPO's. As time goes by and you need to exempt people from certain settings, you'll break those settings out into their own objects (with their own security). Hopefully you can identify some trends and group some of the exempted policies together, but this is not that important. It's not uncommon to end up with ten or twenty GPO's that cover all of your users.
Group Policy Preferences
The final item to talk about for this part is the new feature called Group Policy Preferences. This feature comes from Microsoft's acquisition of a company called Desktop Standard in late 2006.
Group Policy Preferences will be released with Vista SP1 and Windows Server 2008 (in RTM as of this writing). GP Preferences will essentially allow administrators to configure the same settings as you can with group policies using the GPMC. In fact, GP Preferences are deployed as part of a Group Policy Object. The difference is that GP Preferences are simply default settings that aren't necessarily enforced.
For instance, if you used a group policy to configure the default IE home page for your users, they would not be able to change the home page. They would be locked out of the interface to do so. With GP Preferences, you'll be able to configure the default home page, but the interface to change the home page will remain available to the user, and the user will be able to change it. As the admin, you'll be able to configure whether this change is static between logoffs or is reset each time the user logs back on.
GP Preferences will be included with Windows Server 2008. Admins will also be able to configure and deploy GP Preferences in a Windows Server 2003 environment by installing the Remote Server Administration Tools on a Windows Vista SP1 system (Vista SP1 is supposedly coming any day now).
GP Preferences can be supported on computers running Windows XP with SP2, Windows Vista, and Windows Server 2003 w/ SP1 by installing GP Preferences client side extensions. These allow the clients to interpret the new types of settings coming to them. Client side extensions will be available for download on Microsoft's website upon release of the Vista SP1 and/or Server 2008. The client side extension is already built in to Windows Server 2008.
GP Preferences is pretty exciting for me, as I'm always open to ways to make terminal server environments less rigid, while still maintaining control. We don't have to wait much longer to get our hands on it, though. If anyone's used the Desktop Standard product and has anything to share, feel free to leave a comment below.
Next time, we'll be taking a look at Folder Redirection and some things to consider as you configure it for your environment.