Chapter 6. Group Policy

Introduction

Active Directory Group Policy Objects (GPOs) can customize virtually any aspect of a computer, user’s desktop, or server. They can also be used to install applications, secure a computer, run logon/logoff or startup/shutdown scripts, and much more.

Group Policy is one of the most important security tools in your toolbox. The level of granular control you have over your users is almost unfathomable. You can do things that protect users from their own mistakes, such as disabling access to Control Panel or disallowing the installation of ActiveX controls through Internet Explorer. You can also make highly restrictive desktop configurations to stop unauthorized access, such as restricting which applications a user can run and preventing them from installing or running any other application. The security benefits should be readily apparent: controlling user behavior and privileges reduces the likelihood of accidental or intentional compromise of a system. There are also business benefits, such as reducing the total cost of ownership (TCO) through centralized management and reducing help desk calls by restricting user actions.

There are over 1,600 built-in Group Policy settings in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Group Policy is extensible by both Windows and third-party software, so more policies may appear every time Microsoft updates the operating system or whenever you install a Group Policy-aware ...
