Chapter 7. Profiles and Group Policy Primer

Profiles and group policies are large topics, and they are worth treating properly so that you get the most from them in your environment. The goal of policy-based administration is for an administrator to define the environment for users and computers once, then rely on the system to enforce that state. Under Windows NT, this could be very challenging, but with Active Directory group policies, this capability is much more readily available. This chapter is the introduction to the subject, and Chapter 10 builds on it to show how policies work in Active Directory, how to design an OU structure to incorporate them effectively, and how to manage them with the Group Policy Management Console, a new MMC snap-in available for Windows Server 2003 Active Directory.

In Windows NT, system policies had a number of limitations. System policies:

  • Were set at the domain level

  • Were not secure

  • Could only apply to users, groups of users, or computers

  • Tended to set values until another policy specifically unset them

  • Were limited to desktop lockdown

The scope and functionality of Active Directory group policies are much greater than those of system policies. Group policies:

  • Can be applied to individual clients, sites, domains, and Organizational Units

  • Are highly secure

  • Can apply to users, computers, or groups of either

  • Can set values and automatically unset them in specified situations

  • Can do far more than just a desktop lockdown

With group policies, an administrator can define ...
