Group Policy Simplifies
Administration
Group Policy is a key component of
IntelliMirror™ management technologies in the
Windows® 2000 operating systems. Group Policy helps
administrators control user access to desktop settings and
applications by group rather than by individual user and
computer. Group Policy allows Windows 2000 network
administrators to define and control the amount of access users
have to data and applications and to their organizations'
networks. As a result, administrators spend less time on
everyday tasks such as fixing problems caused by novice users.
Using Group Policy, Windows 2000 administrators can tailor
users' access to the following:
- Registry-based settings for the operating system and its
  components. The Windows 2000-based network administrator
  controls the appearance and behavior of all users' desktops.
  For example, the administrator can restrict access to the
  Control Panel so that users cannot alter any computer
  settings, including desktop appearance, system settings, or
  printer settings.
- Security settings. The administrator defines security
  configurations for all users at three levels: local, domain,
  and network.
- Software installation and maintenance options. The
  administrator manages software centrally and can assign and
  publish software on a per-group basis.
- Scripts. The administrator can use scripts to automate logon
  and logoff to the network, as well as startup and shutdown
  procedures for all users and groups.
- Folder redirection. For protection of corporate information,
  users' data files can be redirected to network servers where
  administrators can centrally manage them.
- Offline Folders and synchronization. The Offline Folders
  feature complements the folder redirection feature. When
  users need to work offline, or when they lose their network
  connection, they will continue to work with data stored in
  Offline Folders until the network connection is restored. At
  that point Synchronization Manager will ensure that the most
  recent version of each file is synchronized between the
  networked and offline store.
Provide Varying Levels of Access to
Resources
Sandra, the Windows 2000 network administrator
for a large city hospital, needs to set up several desktop
computers to help volunteers at the hospital's information
desk provide basic information to visitors. In order to provide
this information, the volunteers need to have access to the
hospital's staff list and the patient roster.
Sandra creates a group called Info Volunteers
on the network. She installs Windows 2000 on the desktops that
the volunteers share, and she assigns the appropriate policies,
applications, data, and settings to the group. In this example,
the group's access to the information on the hospital's
Windows 2000-based network will be relatively limited. Because
the Info Volunteers group's computers are in a very public
area of the hospital, and because the group is composed of
novice computer users who only need access to a few applications
in order to provide the information that visitors request,
Sandra locks down the computers as much as possible. Users will
not be able to change desktop settings, access the Control
Panel, or use any applications or databases other than those
that Sandra assigned to the group.
Not only is Sandra able to use Group Policy to
set up the new group from her desktop, she will also be able to
update the group's policies whenever she needs to do so, from
any computer on the hospital's Windows 2000 network. For
example, if the hospital administration decides to provide
volunteers with additional applications in the future (perhaps
an application that allows volunteers to print a map of the
hospital, complete with large-print directions for visitors with
limited eyesight), Sandra can update the Info Volunteers group
policies, data, applications, and settings.
Sharing Computers: The Strength of
Group Policy
Sandra, the hospital's network
administrator, uses Group Policy to make the nursing station
computer available to different groups with different needs. The
employee team that uses the computer includes not just nurses,
but doctors, residents, interns, physician assistants, and
administrative personnel. The team uses various core
applications: the software that controls the database of patient
records, the prescription-writing application, the software that
controls the database of health insurance information, the
hospital's online catalog for the medical library, the staff
scheduling application, and the hospital's e-mail application.
However, not every team member needs access to all applications.
All the groups need access to patient records and scheduling
information, but doctors, interns, and nurses also need to be
able to access and update patients' records. Doctors also use
the prescription-writing software, which feeds information into
the health insurance database. Doctors don't need access to
the health insurance information database, but administrative
staff members do. All team members use the hospital's online
medical library catalog for research, and everyone uses e-mail.
Group Policy allows Sandra to control each
group's access to the applications on the hospital's Windows
2000-based network. She sets up groups according to members'
responsibilities and the applications they need. Each Windows
2000 user's policies, settings, applications, and data are
assigned according to the user's membership in a particular
group. When a team member (for example, a nurse) logs on to the
nursing station computer, he has access to the applications
assigned to his group. He updates a patient's information and
logs off. An intern logs on immediately after the nurse leaves
the computer station. He checks a patient's record; uses the
medical library catalog to check the symptoms of an unfamiliar
disease he noticed in the patient's history; answers e-mail from
a colleague; and logs off. Later that day, Sandra updates the
computer to reflect several organizational changes: two interns
have left the team, three more have joined, and two nurses have
become nurse practitioners, which means that they can now write
prescriptions.
Group Policy's value in this scenario lies
in its flexibility as well as its control. It's easy for
Sandra to change the policies that apply to each group,
regardless of the group's size, as well as the policies that
apply to individual team members. Group Policy makes her job
easier, and it helps the hospital's IT department get the most
out of its budget by helping Sandra spend more time managing
users and desktops and less time fixing them.
In order to understand what is particularly
useful about Windows 2000 and Group Policy from an
administrator's point of view, it helps to look at the Zero
Administration Kit, or ZAK. ZAK is a standard set of predefined
policies and profiles in the Windows NT® 4.0 family of
operating systems. Microsoft delivered ZAK to help customers
reduce the total cost of ownership of Windows-based computing.
This was done by creating two standard lockdown scenarios:
TaskStation and AppStation. TaskStation mode completely locks
down the desktop. It hides areas of the Windows-based user
interface, preventing users from accessing any applications or
data other than those they need to work. AppStation mode is
appropriate for organizations with knowledge workers who
typically run three or four business applications but don't
have the experience or the need to access system configurations
or to install additional applications.
Group Policy is a component of IntelliMirror
that goes several steps further than ZAK. In addition to
simplifying and centralizing the administration of policy,
network administrators can use Group Policy to choose how much
freedom to allow each user on the network. Group Policy allows
administrators to set these policies according to the resources
needed by users in different business roles and locations. When
an administrator sets up appropriate Group Policies for an
organization, the policies that apply to each user will be
applied each time a user logs on to the network. Data,
applications, and settings follow the user on the network to any
computer.
Group Policy is a key component of the
IntelliMirror feature of Windows 2000 operating systems. Group
Policy helps administrators control users' access to desktop
settings and applications for a group rather than for
an individual user or computer. Group Policy allows Windows 2000
network administrators to define and control the amount of
access users have to data and applications and to the
organizations' networks.
As described in this overview, network
administrators can tailor the data and applications that
different groups may access. The appearance of the desktop,
printer settings, system settings, and so on, can be preset.
Security settings can be configured for user groups at the
local, domain, and network levels.
Further, files from users' computers can be
automatically redirected to a server specified by an
administrator. And, if users are working offline, or if the
connection to the network breaks, offline files can be set to be
saved in the cache store. Then, when users log back on to the
network, the Synchronization Manager automatically synchronizes
offline files with those on the server.