Domain-based GPs offer a much more flexible and configurable set of standards and settings for your organization than local GPs. In this section, I’ll discuss the four most common methods of managing your IT assets centrally using domain GP: configuring a security standard, installing software using the IntelliMirror technology found in Windows Server 2003, redirecting folders present in the user interface to network locations, and writing and launching scripts triggered by events, such as logons and logoffs.
As discussed earlier, one of the most useful aspects of GP is its ability to control security settings and configuration from a central location across the organization. Security policy comprises three key components: restricted groups, registry settings, and filesystem settings. In this section, I’ll take a look at each of them.
The restricted groups option allows you to
modify the current group configuration and membership on your client
computers. When this policy is applied to workstations and servers,
their individual group configurations are modified to match that
configured inside the policy. The policy contains
lists that overwrite any configuration on the target computers. For example, if you were to add the Administrator group to the policy but not add any users to the members of this group list, and then you applied the policy, Windows would remove any users currently in those groups ...