Applying Windows XP Group Policy in a Windows 2000 Domain (Part 1)
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
Introduction to GPOs
What is a GPO? A GPO stands for Group Policy Object and before we get into what those objects are, let's cover what the policy is and why it's important to understand in the world of Windows Networking and Security. Polices are nothing new. Poledit was an old utility used on Windows 9x systems to apply a set of configuration settings to the PC that would restrict users from doing things or seeing things. Because this was so effective, once Microsoft moved to a Active Directory, it would allow for users to log into the Domain and receive these same types of configuration settings en masse. In other words, you could say that everyone in the Finance Group should receive a Minimum Password length of no less than 8 characters, everyone who was part of that group and logged on would have that policy enforced on them. GPO's are the objects created that house all these settings. It makes for much easier change management.
Change Management is nothing more than the system in place that safely manages the efforts of constant change in the information technology world. (Example: policy deployment, service packs deployments and so on).
So, in sum - Group Policy is what is used to define configurations for users and computers. The Policies are called Objects (GPOs) because once created in the Active Directory, they are objects that can be assigned to other objects, such as sites, domains, or organizational units (OUs). The operation is simple; apply the GPO to an OU and every object in that OU will have that GPOs policies filtered down to the objects in that OU. This allows for very easy management of change. It also allows added security. Why? If you need to make a security change on every user in an OU and you have 500 users in that OU, then you may make an error or miss something while applying the GPO filters down to the entire OU without missing anything and if an error occurs, you will be altered of it.
Introduction to GPOs with XP
Windows XP introduces new options with Group Policy use that weren't included in the 2000 version so this article covers how to utilize XP with 2000 and Group Policy. What this means is that Windows 2000 Domain Controllers will push policies to Windows XP if configured correctly. This means that if you want to use Windows 2000 and update XP systems with it, you must edit the GPO on a Windows XP system. The question does come up, what if I make a GPO on an XP machine and a GPO on a 2000 machine... how will it affect a container with mixed systems? That means an OU with mixed XP and 2000 clients, how would that work? Well, if you make the GPO on XP and apply it, the 2000 clients will ignore any of the XP-specific settings.
Setting up your MMC with Group Policy
Now that we have covered Group Policy and what is important about it in relation to XP, let's look at how to set it up so that you can utilize the GPO. In this article we cover the GPO and how to configure your system to use a GPO.
1. Run the Microsoft Management Console (mmc.exe)
2. Select File => Add/Remove Snap-in
3. Once you select to add and remove snap-ins, you will see the Add/Remove Snap-in dialog box appear
4. Click Add
5. Select Group Policy from the Add Standalone Snap-in dialog box
6. Click Add
7. Once you select Add, you will be presented with the Select Group Policy Object dialog box. You can either select the local Computer, or you can browse to another machine in the Domain. For purposes of this exercise, you can select Local Computer, but we will continue to show you the steps in locating a remote computer.
8. To change and edit another GPO, click the Browse button. When you do you will be presented to browse for a GPO.
9. Now, you can either Browse for a remote or you can stay Local. If you stay Local than click Ok, Close and then Ok.
That's it, that's all you need to do to is look at the Console Root of the MMC you have open and you will be able to view your GPO.
Viewing the GPO
Now that you have the GPO open, you can see its contents. Just like we mentioned earlier, you have a computer policy and settings specific to that policy ready to apply to any computers that it is assigned too. The end of this article has some links to Microsoft's website to find more information, but for the purpose of this article set, you have enough fundamental knowledge to follow into the next article which covers XP directly.
Security Settings Extension
When you open the MMC (Microsoft Management Console) that houses your access to Group Policy, you can see within it the 'Security Settings' which will allow you to set a very granular security policy which when utilized properly, will allow for very specific security settings to be applied to desktops from a central location.
This is just one of the areas, but this is the one we will concentrate on since this is a Windows Security based site. You can configure Account Policies which basically cover security related items like account policies which will allow you to keep passwords at a minimum or maximum password age, or minimum password length. You can also set the account lockout features as well. Local Policies are also configurable which allow you to configure specific things to the system itself, such as configuring auditing, or setting who can do specific things like 'add workstations to the domain' for instance. PKI (Public Key Infrastructure) polices are also configurable as well as IPSec polices to help encrypt transmissions from this system as well as setting software restriction polices. As you can see there is a lot you can configure in the GPO.
In this article we covered the basics of the GPO. For those of you who are Microsoft Guru's, I hope this article served as a refresher for you, but if you already know all this, make sure to read the next article in this series which applies directly to GPO's and Windows XP. You will need this basic information in this article to proceed to the next one. Stay tuned!
Links and Reference Material
Also, see the Microsoft article on "Upgrading Windows 2000 Group Policy for Windows XP" at: http://support.microsoft.com/support/kb/articles/Q307/9/00.asp
GPO Information for Windows 2000 and XP I
GPO Information for Windows 2000 and XP II
GPO Information for Windows 2000 and XP III