Group Policy Simplifies Administration

Posted: Thursday, November 04, 1999

Contents
Introduction
Provide Varying Levels of Access to Resources
Sharing Computers: The Strength of Group Policy
Group Policy Scenarios
Conclusion

Introduction

Group Policy is a key component of IntelliMirror™ management technologies in the Windows® 2000 operating systems. Group Policy helps administrators control user access to desktop settings and applications by group rather than by individual user and computer. Group Policy allows Windows 2000 network administrators to define and control the amount of access users have to data and applications and to their organizations’ networks. As a result, administrators spend less time on everyday tasks such as fixing problems caused by novice users. Using Group Policy, Windows 2000 administrators can tailor users’ access to the following:

Registry-based settings for the operating system and its components. The Windows 2000-based network administrator controls the appearance and behavior of all users’ desktops. For example, the administrator can restrict access to the Control Panel so that users cannot alter any computer settings, including desktop appearance, system settings, or printer settings.
Security settings. The administrator defines security configurations for all users at three levels—local, domain, and network.
Software installation and maintenance options. The administrator manages software centrally and can assign and publish software on a per-group basis.
Scripts. The administrator can use scripts to automate logon and logoff to the network, as well as startup and shutdown procedures for all users and groups.
Remote Installation Services. Administrators use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
Internet Explorer Maintenance. Administrators use Internet Explorer Maintenance to manage and customize Microsoft Internet Explorer on Windows 2000-based computers.
Folder redirection. For protection of corporate information, users’ data files can be redirected to network servers where administrators can centrally manage them.

Provide Varying Levels of Access to Resources

Sandra, the Windows 2000 network administrator for a large city hospital, needs to set up several desktop computers to help volunteers at the hospital’s information desk provide basic information to visitors. In order to provide this information, the volunteers need to have access to the hospital’s staff list and the patient roster.

Sandra creates a group called Info Volunteers on the network. She installs Windows 2000 on the desktops that the volunteers share, and she assigns the appropriate policies, applications, data, and settings to the group. In this example, the group’s access to the information on the hospital’s Windows 2000-based network will be relatively limited. Because the Info Volunteers group’s computers are in a very public area of the hospital, and because the group is composed of novice computer users who only need access to a few applications in order to provide the information that visitors request, Sandra locks down the computers as much as possible. Users will not be able to change desktop settings, access the Control Panel, or use any applications or databases other than those that Sandra assigned to the group.

Not only is Sandra able to use Group Policy to set up the new group from her desktop, she will also be able to update the group’s policies whenever she needs to do so, from any computer on the hospital’s Windows 2000 network. For example, if the hospital administration decides to provide volunteers with additional applications in the future—perhaps an application that allows volunteers to print a map of the hospital, complete with large-print directions for visitors with limited eyesight—Sandra can update the Info Volunteers group policies, data, applications, and settings.

Sharing Computers: The Strength of Group Policy

Sandra, the hospital’s network administrator, uses Group Policy to make the nursing station computer available to different groups with different needs. The employee team that uses the computer includes not just nurses, but doctors, residents, interns, physician assistants, and administrative personnel. The team uses various core applications--the software that controls the database of patient records, the prescription-writing application, the software that controls the database of health insurance information, the hospital’s online catalog for the medical library, the staff scheduling application, and the hospital’s e-mail application. However, not every team member needs access to all applications. All the groups need access to patient records and scheduling information, but doctors, interns, and nurses also need to be able to access and update patients’ records. Doctors also use the prescription-writing software, which feeds information into the health insurance database. Doctors don’t need access to the health insurance information database, but administrative staff members do. All team members use the hospital’s online medical library catalog for research, and everyone uses e-mail.

Group Policy allows Sandra to control each group’s access to the applications on the hospital’s Windows 2000-based network. She sets up groups according to members’ responsibilities and the applications they need. Each Windows 2000 user is assigned policies, settings, applications, and data as a member of a particular group. When a team member—for example, a nurse—logs on to the nursing station computer, he has access to the applications assigned to his group. He updates a patient’s information and logs off. An intern logs on immediately after the nurse leaves the computer station. He checks a patient’s record; uses the medical library catalog to check the symptoms of an unfamiliar disease he noticed in the patient’s history; answers e-mail from a colleague; and logs off. Later that day, Sandra updates the computer to reflect several organizational changes—two interns have left the team, three more have joined, and two nurses have become nurse practitioners, which means that they can now write prescriptions.

Group Policy’s value in this scenario lies in its flexibility as well as its control. It’s easy for Sandra to change the policies that apply to each group, regardless of the group’s size, as well as the policies that apply to individual team members. Group Policy makes her job easier, and it helps the hospital’s IT department get the most out of its budget by helping Sandra spend more time managing users and desktops and less time fixing them.

Group Policy Scenarios

In Windows 2000, administrators use Group Policy, a key component of IntelliMirror, to provide managed desktop configurations for groups of users and computers. With Group Policy, administrators can specify settings for registry-based policy, security settings, software installation and maintenance, scripts (for computer startup and shutdown, and for user logon and logoff), folder redirection, Internet Explorer Maintenance, and Remote Installation Services. The policy settings are contained in Group Policy objects (GPOs), which are associated with Active Directory sites, domains, or organizational units.

Previously, Microsoft introduced the Zero Administration Kit (ZAK) for Windows, a set of predefined system policies and profiles for the Windows NT® 4.0 family of operating systems. To help customers reduce the total cost of ownership of Windows-based computing, ZAK provided two standard desktop configuration modes, TaskStation and AppStation. TaskStation is configured to hide areas of the Windows-based user interface, preventing users from accessing any applications or data other than those they require to perform their jobs. AppStation is configured to provide three or four business applications for those knowledge workers who don’t have the experience or the need to access system configurations, or to install additional applications.

For Windows 2000, Microsoft has created six end-user classifications and determined a set of Group Policy settings for each, based on the users' typical job requirements. A Group Policy object was created for each scenario, and administrators can install them by using a batch file. System administrators can use these scenarios as a starting point from which to develop policy settings customized for their particular business requirements.

The following scenarios are included:

Low TCO Desktop. Use for power users or developers who require a lot of control over their computer. You can also use this scenario in an organization where tightly managed desktops are not acceptable to users or where desktop management is highly delegated.
Laptop. Use on mobile computers.
Public Computing Environment. Use in a university lab or library where users can save some customizations, such as desktop wallpaper and color scheme preferences, but are not allowed to change hardware or connection settings.
AppStation. Use in marketing or finance departments where users require a small number of applications (up to five) to do their job.
TaskStation. Use on a manufacturing floor or as an entry terminal for orders.
Kiosk. Use in a public area, such as in an airport where passengers check in and view their flight information.

A Microsoft installer package (.msi file) is provided that includes a white paper entitled "Using Group Policy Scenarios" and reference Excel spreadsheet files. It also installs representative GPOs on the local computer. A batch file is included that populates a domain with these GPOs. Administrators can then test these GPOs and link them to their site, domain, or OUs.

Conclusion

Group Policy is a key component of the IntelliMirror feature of Windows 2000 operating systems. Group Policy helps administrators control users’ access to desktop settings and applications for a group rather than for an individual user or computer. Group Policy allows Windows 2000 network administrators to define and control the amount of access users have to data and applications and to the organizations’ networks.

As described in this overview, network administrators can tailor the data and applications that different groups may access. The appearance of the desktop, printer settings, system settings, and so on, can be preset. Security settings can be configured for user groups at the local, domain, and network levels.

Further, files from users’ computers can be automatically redirected to a server specified by an administrator. And, if users are working offline, or if the connection to the network breaks, offline files can be set to be saved in the cache store. Then, when users log back on to the network, the Synchronization Manager automatically synchronizes offline files with those on the server.

Related Links

Introduction to Windows 2000 Group Policy
Step-by-Step Guide to Understanding the Group Policy Feature Set
Using Group Policy Scenarios
Exploring Management Services


Last Updated: Wednesday, April 19, 2000
© 2000 Microsoft Corporation. All rights reserved.