How To: Setting Up Active Directory Group Policies
March 10, 2006
The policy settings framework is extensible through configuration files known as ADM templates. If an application in your organization ships with an ADM template, for example, you can control that application's settings using Group Policy. Unfortunately, there are few third-party ADM templates, though more are being developed.
To apply policy settings to users and computers in your AD environment, you must first configure a Group Policy Object (GPO), which resides in a special folder called "Group Policy Objects" within the AD domain. A GPO is a named collection of configured policy settings. As a best practice, configure in a GPO only those settings necessary to accomplish an administrative task. If your corporate security policy requires Windows Firewall to be enabled on each computer, for example, you could create a GPO titled "Default Windows Firewall Settings" and configure the policy settings to match the desired firewall behavior on the target workstations, just as you would in the Windows control panel. Note that if the targeted operating system doesn't understand a setting, it will ignore it.
The policy settings in the GPO don't get enforced until you link the GPO to an Active Directory site, domain or organizational unit (OU). Once the GPO is associated with a site, domain or OU, the policy settings take effect for the users and computers defined within the scope of that container. If we link our firewall GPO at the domain level, for example, the policy settings apply to all XP workstations and 2003 servers in the domain. If we instead link the GPO to the Product Management Group (PMG) OU, the firewall settings only apply to computers inside that OU. GPOs can be linked in multiple places such as two different OUs, and a site, domain or OU can even have multiple GPOs linked to it.
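The create, configure and link steps described above, followed by a check for GPOs that are configured but linked nowhere (and therefore enforce nothing). This is an added example, not part of the original article; it uses the GroupPolicy PowerShell module from RSAT, and the domain `example.com` and the OU distinguished name are assumed placeholders.

```powershell
# Added example. Assumed placeholders: the example.com domain and the DN of the PMG OU.
Import-Module GroupPolicy

$gpoName = 'Default Windows Firewall Settings'
$pmgOu   = 'OU=PMG,DC=example,DC=com'   # assumed DN for the Product Management Group OU

# 1. Create the GPO if it does not exist yet. At this point it sits in the
#    "Group Policy Objects" container and applies to nothing.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Require Windows Firewall on domain computers'
}

# 2. Configure only the one setting this GPO exists for: firewall on (domain profile).
#    This is the registry value behind the Windows Firewall administrative template.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# 3. Link it to the OU so it takes effect for computers in that container only.
#    Skip the link if it is already present, so the script can be re-run safely.
$existing = (Get-GPInheritance -Target $pmgOu).GpoLinks
if ($existing.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $pmgOu -LinkEnabled Yes | Out-Null
}

# 4. Audit every GPO in the domain: where is it linked, and is any link enabled?
#    A GPO with zero enabled links is configured but not enforced anywhere.
Get-GPO -All | ForEach-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    $enabled = @($report.GPO.LinksTo |
                 Where-Object { $_ -and $_.Enabled -eq 'true' } |
                 ForEach-Object { $_.SOMPath })
    [pscustomobject]@{
        Gpo          = $_.DisplayName
        EnabledLinks = $enabled.Count
        LinkedTo     = $enabled -join '; '
        Enforced     = $enabled.Count -gt 0
    }
} | Sort-Object EnabledLinks | Format-Table -AutoSize
```

Rows with `Enforced` set to `False` are the ones to review: either the GPO is still being staged, or a security setting someone believes is deployed is not reaching any computer.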