
Group Policy may ease Active Directory pain

Setting up Microsoft's Active Directory can be a pain, but a few of the features in Active Directory Group Policy for Windows Server 2003 may help lessen some of those pain points.

Few IT administrators have fond memories of setting up their Microsoft Active Directory, but some of the features in Active Directory Group Policy for Windows Server 2003 may help lessen the pain.

One expert cited several additions to the Group Policy Management Console that make administration of domains and sites within forests easier to manage. There are time-saving tricks in Group Policy that many IT administrators are unaware of, said Howard Marks, principal of Networks Are Our Lives, a Hoboken, N.J., consulting firm.

Here are three of his favorites.

Folder redirection. There are two Group Policy objects in folder redirection -- "My Documents" and the desktop. Most end users save files in their default location, which also happens to be the local hard drive. It's a bad place to save data because it's insecure and not backed up, Marks said.

Saving documents to the desktop is also bad because the desktop is part of the user profile. If your shop uses roaming profiles, then every time the user logs on or off, all the contents are copied from the workstation to the server or vice versa. This can bog down the process of logging on and off.

If you set a Group Policy that redirects a user's desktop to the home server, then the next time that Group Policy is applied, it will automatically move data from the desktop to the server. The data will then also be accessed on the server, which should speed up the login and log-off processes. At the same time, the user's data will be backed up.

The next step is to manage what gets copied and what gets profiled. For this, there is a Group Policy object called Exclude Directories in Roaming Profile Properties. This lets IT administrators list the directories they don't want to be copied from the server at login and log-off.

Restrictions. IT managers can hide Control Panel applets to prevent users from accessing them.

For example, you might want to prevent users from changing their network settings or remove "Run" from the start menu so they can't run programs you don't want them to run, such as the games "Doom" and "Quake," Marks said. This is a good feature for organizations that have users with a restricted set of tasks or users with a penchant for curiosity.

Event logs. The default event log size for servers is small, but it can be increased. "This one is a pet peeve," Marks said. The default installation leaves the size of event logs at 512 KB, and then it starts to overwrite data.

"Clients call and say something went wrong," he said. "When I look at the event logs, all the information is gone."

This is what happens: One problem creates hundreds of entries in the event log, and the one you are interested in is the first one, which has been overwritten. The system policy object in Windows lets you change the size of an event log to 10 MB. You can also change the overwrite setting so that it will not overwrite errors more than three days old.
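
To see whether a server is still running with the small default, the following added example (not from the article or from Marks) reports the configured size and overwrite behaviour of the classic event logs and how far back each log actually reaches. It assumes Windows PowerShell 5.1, and `Test-EventLogSizing` is a hypothetical helper name.

```powershell
# Added example: audit classic event logs against the values quoted in the article.
# Assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 7).
# Test-EventLogSizing is a hypothetical helper name.
function Test-EventLogSizing {
    param(
        [string[]]$LogName = @('Application', 'System', 'Security'),
        [int]$MinimumKB = 10240,   # 10 MB, the size mentioned in the article
        [int]$RetentionDays = 3    # overwrite threshold mentioned in the article
    )

    Get-EventLog -List | Where-Object { $LogName -contains $_.Log } | ForEach-Object {
        # The oldest surviving record shows how far back the log really reaches.
        # Reading the Security log needs an elevated session; without one,
        # CoverageDays stays empty for that log.
        $oldest = Get-WinEvent -LogName $_.Log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $coverage = if ($oldest) {
            [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
        } else { $null }

        [pscustomobject]@{
            Log            = $_.Log
            MaximumKB      = $_.MaximumKilobytes
            SizeOK         = $_.MaximumKilobytes -ge $MinimumKB
            OverflowAction = $_.OverflowAction
            RetentionDays  = $_.MinimumRetentionDays
            # With OverwriteOlder, a log that fills up inside the retention
            # window stops recording new events, so size and retention
            # have to be judged together.
            RetentionOK    = ($_.OverflowAction -eq 'OverwriteOlder' -and
                              $_.MinimumRetentionDays -ge $RetentionDays)
            CoverageDays   = $coverage
        }
    }
}

Test-EventLogSizing | Format-Table -AutoSize
```

A small CoverageDays value on a log that fails SizeOK means earlier entries have already been overwritten. On a single machine, `Limit-EventLog -LogName Application -MaximumSize 10MB -OverflowAction OverwriteOlder -RetentionDays 3` applies the same values locally.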

