Group Policy basics
By Jason Rush, Technical Writer, Microsoft Corp.
There are some simple methods for making the most of the Group policy functions within Windows 2000:
- Disable unused parts of a Group Policy object.
If, under the User Configuration or Computer Configuration node of the console, a Group Policy object only has settings that are Not Configured, then you can avoid processing those settings by disabling the node. This expedites startup and the logon session for those users and computers subject to the Group Policy object.
Disabling both parts of a Group Policy object makes it behave as if it is not linked to any site, domain, or organizational unit, even though the links still exist.
- Use the Block Policy Inheritance and No Override features sparingly.
Routine use of these features makes it difficult to troubleshoot policy.
- Minimize the number of Group Policy objects associated with users in domains or organizational units. Each additional Group Policy object applied to a user extends log-on time. 4. Filter policy based on security group membership. A Group Policy object will not apply to a user if the Read or Apply Group Policy access control entries (ACEs) are not set to Allow on security groups of which the user is a member. This is the mechanism that prevents policies applying to users (or computers) who would otherwise be subject to it either by links or by inheritance.
5. Override user-based Group Policy with computer-based Group Policy only when necessary.
Do this only if you need the desktop configuration to be the same regardless of which user logs on.
6. Avoid cross-domain Group Policy object assignments.
The processing of Group Policy objects slows the logon session and startup if Group Policy is obtained from another domain.
7. Don't confuse policy and security.
Since IPSEC policy settings are set late in the processing of Group Policy, the data Group Policy sends across the network is not and cannot be encrypted.
8. Don't refresh Group Policy too often if you are using a laptop computer.
Each refresh resets the hibernate timer, so too short an interval causes the computer never to hibernate. Laptop computers need to be frugal with power consumption.
9. Use Loopback only in pure Windows 2000 environments.
Loopback is a setting for certain tightly managed environments like kiosks. The client computer must run Windows 2000 Server or Windows 2000 Professional. Windows 2000 domain controllers must handle both the computer account and the user account.
This was first published in January 2001