Chapter 8. Group Policy: AD's Gauntlet > Modifying Group Policy Default Behavio... - Pg. 370

by the Knowledge Consistency Checker and the Intersite Topology Generator), and SYSVOL is controlled by the File Replication Service or Distributed File Replication Service.

GPOs Undo Themselves When Removed

All the administrative template GPO settings write their information to certain parts of the registry and clean up after themselves when the policy setting is removed or the GPO is deleted. This fixes the dreaded "tattooing" issue that has plagued "policy management" since it was first introduced. For example, suppose you had created an NT 4-type system policy that set everyone's background color to some nauseating hue and also set up a policy that kept them from changing the color. Those changes got written into the system's registry. If you then deleted the policy, the entries in the registry would not be removed, and therefore the ugly background would remain intact on the system. You'd actually have to write a second policy to undo the registry effects. With GPOs, that's not necessary. Just removing the policy will undo its effects.

You Needn't Log On to Apply GPO Settings

The true glory of Group Policy is related to the "background refresh." Since all domain-based computers check in to see whether there are any changes every 90 minutes or so, policy settings are constantly being applied. This means that a setting that you make at 6 a.m. on a Monday morning to control some security setting on each desktop won't require that the computers be up and running. Rather, the background refresh will apply to the computer before the user arrives at 8 a.m. On Windows 2000 and later with Active Directory, machines get their policy settings from the domain they have membership within when they power up (recall that machines log on also), and users get policies from their domain when they log on.
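To make the tattooing distinction under "GPOs Undo Themselves When Removed" concrete, the following PowerShell sketch (an added example, not code from the book) classifies registry-backed settings by whether they sit in a registry area that Group Policy cleans up. The text says only "certain parts of the registry"; the example assumes these are the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies subtrees of HKLM and HKCU. The function name Test-PolicyManagedKey and the sample settings list are constructed for illustration.

```powershell
# Added example: will a registry-backed setting be undone when its policy is removed?
# Assumption: Group Policy cleans up only these subtrees (under HKLM and HKCU).
$ManagedSubtrees = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyManagedKey {
    param([Parameter(Mandatory)][string]$Key)

    # Strip the hive prefix in its common spellings: HKLM\, HKCU:\, HKEY_CURRENT_USER\ ...
    $relative = $Key -replace '^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER):?\\', ''
    if ($relative -eq $Key) { return $false }   # unrecognized hive: not a policy area

    foreach ($subtree in $ManagedSubtrees) {
        # Match the subtree itself or a child key, never a look-alike sibling
        # such as "Software\PoliciesOld".
        if ($relative -ieq $subtree -or
            $relative.StartsWith("$subtree\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Constructed sample input: two administrative-template style settings and one
# old-style system policy write, echoing the background-color example in the text.
$settings = @(
    [pscustomobject]@{ Source = 'Administrative template'
                       Key    = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
                       Value  = 'ScreenSaveActive' }
    [pscustomobject]@{ Source = 'Administrative template'
                       Key    = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
                       Value  = 'Wallpaper' }
    [pscustomobject]@{ Source = 'NT 4-type system policy'
                       Key    = 'HKCU:\Control Panel\Colors'
                       Value  = 'Background' }
)

# Report what happens to each value once the policy that set it is deleted.
$settings | Select-Object Source, Key, Value, @{
    Name       = 'AfterPolicyRemoved'
    Expression = { if (Test-PolicyManagedKey $_.Key) { 'removed' } else { 'persists (tattoo)' } }
} | Format-List
```

The third entry is reported as persisting, which is why any security-relevant setting delivered outside the policy subtrees needs an explicit reversal rather than reliance on GPO removal.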
Group Policies Work Only on Windows 2000 and Later Machines

Group Policy was created as part of Windows 2000 and won't work on earlier operating systems. Also, to take advantage of domain-based GPOs, you must be running Active Directory, although it is possible to apply a more limited set of "local policies" without AD. Windows 9x and Windows NT Workstation 4 use the same old tools as before--Windows 9x profiles, Windows NT 4 profiles, and system policies. Because there aren't many "ancient" OSs still in use, it's unlikely that you'll have to worry about one set of policies and profiles for the Windows 9x machines, another for the NT 4 machines, and a third set of GPOs for the 2000, XP, and Vista machines. If you're unlucky enough to be working in such an environment, you can store all of these things on Windows Server 2008--you don't have to keep an old NT 4 server around to hold the 9x/NT profiles. That's something of a consolation.

Modifying Group Policy Default Behavior

Group Policy is fantastic all by itself, but there are some behaviors that you might want to tweak or control. It might seem cyclical, but there are GPO settings to control the behavior of Group Policy and some of its settings. You will find that many of these settings don't need to be configured, but in the instances where you need to make some minor adjustments, they will come in handy.