Group Policy basics

By Jason Rush, Technical Writer, Microsoft Corp.

There are some simple methods for making the most of the Group Policy functions within Windows 2000:

  1. Disable unused parts of a Group Policy object.
    If, under the User Configuration or Computer Configuration node of the console, a Group Policy object only has settings that are Not Configured, then you can avoid processing those settings by disabling the node. This expedites startup and the logon session for those users and computers subject to the Group Policy object.
    Disabling both parts of a Group Policy object makes it behave as if it is not linked to any site, domain, or organizational unit, even though the links still exist.
  2. Use the Block Policy Inheritance and No Override features sparingly.
    Routine use of these features makes it difficult to troubleshoot policy.
  3. Minimize the number of Group Policy objects associated with users in domains or organizational units.
    Each additional Group Policy object applied to a user extends logon time.
  4. Filter policy based on security group membership.
    A Group Policy object will not apply to a user if the Read or Apply Group Policy access control entries (ACEs) are not set to Allow on security groups of which the user is a member. This is the mechanism that prevents a policy from applying to users (or computers) who would otherwise be subject to it either by links or by inheritance.
  5. Override user-based Group Policy with computer-based Group Policy only when necessary.
    Do this only if you need the desktop configuration to be the same regardless of which user logs on.
  6. Avoid cross-domain Group Policy object assignments.
    The processing of Group Policy objects slows the logon session and startup if Group Policy is obtained from another domain.
  7. Don't confuse policy and security.
    Since IPSEC policy settings are set late in the processing of Group Policy, the data Group Policy sends across the network is not and cannot be encrypted.
  8. Don't refresh Group Policy too often if you are using a laptop computer.
    Each refresh resets the hibernate timer, so too short an interval causes the computer never to hibernate. Laptop computers need to be frugal with power consumption.
  9. Use Loopback only in pure Windows 2000 environments.
    Loopback is a setting for certain tightly managed environments like kiosks. The client computer must run Windows 2000 Server or Windows 2000 Professional. Windows 2000 domain controllers must handle both the computer account and the user account.

This was first published in January 2001.
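Tip 1 can be checked across a whole domain instead of one object at a time. The PowerShell below is an added example, not part of the original article: it assumes a management host with the GroupPolicy module (installed with the Group Policy Management Console on Windows versions later than the Windows 2000 systems discussed here) and read access to the domain's Group Policy objects. The function name `Get-UnusedGpoNode` is hypothetical.

```powershell
# Added example: list Group Policy objects whose Computer or User node is
# still enabled even though it holds no configured settings (tip 1).
# Assumption: the GroupPolicy module is available on this host.
Import-Module GroupPolicy

function Get-UnusedGpoNode {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries an <ExtensionData> element under <Computer>
        # or <User> only when that node has at least one configured setting.
        [xml]$report  = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $computerUsed = $null -ne $report.GPO.Computer.ExtensionData
        $userUsed     = $null -ne $report.GPO.User.ExtensionData

        # Which nodes does the current status still process?
        $status          = "$($gpo.GpoStatus)"
        $computerEnabled = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'
        $userEnabled     = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'

        $computerWasted = $computerEnabled -and -not $computerUsed
        $userWasted     = $userEnabled -and -not $userUsed
        if (-not ($computerWasted -or $userWasted)) { continue }

        # Keep a node only if it is enabled now AND has settings; a node an
        # administrator disabled on purpose is never suggested for re-enabling.
        $keepComputer = $computerEnabled -and $computerUsed
        $keepUser     = $userEnabled -and $userUsed
        $suggested = if ($keepComputer -and $keepUser) { 'AllSettingsEnabled' }
                     elseif ($keepComputer)            { 'UserSettingsDisabled' }
                     elseif ($keepUser)                { 'ComputerSettingsDisabled' }
                     else                              { 'AllSettingsDisabled' }

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            CurrentStatus   = $status
            EmptyComputer   = $computerWasted
            EmptyUser       = $userWasted
            SuggestedStatus = $suggested
        }
    }
}

Get-UnusedGpoNode | Sort-Object Name | Format-Table -AutoSize
```

A suggested status of `AllSettingsDisabled` marks an object with no settings in either node; as tip 1 notes, such an object behaves as if it were unlinked even though its links still exist, so review those links before changing anything.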
