Group Policy is one of the best features of Microsoft Active Directory. Introduced in Windows 2000, Group Policy provides a way for administrators to apply consistent configurations to groups of users and computers. Group policies can help you enforce your organization's written policies. For example, your company's security manual might require that all computers in the research department display a message when users log on, informing them of increased security monitoring in that department. Group Policy allows you to centrally configure, implement, and manage such a warning message, and apply it to the necessary computers.
One of the greatest security-related features of Group Policy is the ability to deploy security templates across an enterprise. Security templates, which I'll discuss throughout this chapter, make it possible to bundle an entire security configuration into a single file (the template). For example, you might create a security template for client computers in your organization and then use Group Policy to deploy the security template to the client computers. In this manner, you can centrally configure computers to have a consistent security configuration. You're assured that the configuration will be enforced, thus protecting your computers. Because templates can be centrally managed, you can update, revise, and improve your security configuration over time as required by your organization.
Group Policy has many other important benefits. These include its ability to configure logon and logoff scripts for users and computers, which allows you to run code on target computers that can perform any management or configuration operations you desire. Also, Group Policy has a useful though somewhat limited software distribution feature. While not nearly as robust as Microsoft's Systems Management Server (SMS), this feature can prove useful in deploying necessary software to your end users and servers.
In this chapter, I'll introduce you to Group Policy and show you how Group Policy can be used to enhance the security in your organization. I'll also introduce you to security templates and to the tools Windows Server 2003 provides to create and manage security templates. Keep in mind that Group Policy offers much broader functionality than just security, which is what I focus on in this chapter. If you'd like to learn more about Group Policy and its many other uses, refer to Group Policy, Profiles, and IntelliMirror from Sybex.