New Group Policies

Windows Server 2003 introduces more than 160 new group policies. Because there are so many new ones, we will assume familiarity with existing policies and just concentrate on the new ones, particularly the new categories of policies. Some of the new policies are more appropriately covered in other chapters and are referenced there. In typical Microsoft fashion, not only are there a ton of new policies, but a lot of existing policies have been renamed, moved to other sections, or otherwise reorganized.

For example, the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options section has been completely rearranged and all the policies have been renamed. Each policy name now starts with a general category description, such as Accounts or Network Access. Similarly, the Shut Down the Computer when the Security Audit Log Is Full policy has been moved from the Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs section to the Security Options section mentioned previously and is now called Audit: Shut Down System Immediately if Unable to Log Security Audits.


Group Policy is no longer refreshed using secedit /refreshpolicy. This function is now performed by the new command-line utility gpupdate.

This reorganization, although initially confusing, is helpful going forward in that it lets you more easily determine the scope of the policy setting. However, it is confusing coming from Windows 2000 because it makes finding the policies with which you might already be familiar more difficult.

New Computer Configuration Policy Sections

The following are whole new sections in the computer configuration section of group policies.

Windows Settings\Security Settings

This broad category is for configuring general Windows security settings. The new security-related categories are:

  • Wireless Network (IEEE 802.11) Policies: This new section is used to configure a wireless policy for your network. You can configure such things as the type of network devices to access (access point preferred, ad hoc, or infrastructure). Additional settings are for configuring the network name (SSID), Wireless Encryption Protocol (WEP) encryption, as well as the 802.11x configuration specifications (transmit parameters, authentication, and so on).

  • Software Restriction Policies: This is a new section for controlling which applications are allowed to run on the machines in the scope of the Group Policy. It provides essentially the same functionality as the previous Windows 2000 user configuration policy settings Run Only Allowed Windows Applications and Don't Run Specified Windows Applications, but it is more flexible and can be applied as a computer configuration policy.

    Software Restriction Policies are implemented by first specifying a default security level, either Unrestricted (anything is allowed to run; this is the default) or Disallowed (nothing can run), and then creating Additional Rules that act as exceptions to the default level, allowing or denying (depending on the default) specific programs.
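The following is an added example, not code from the book, that models how the default security level and Additional Rules described above combine to decide whether a program may run. It models path rules only (real Software Restriction Policies also have hash, certificate and zone rules, which are not shown here), and it uses the rule that the most specific matching path wins, which is how Windows resolves overlapping path rules. The two numeric level values are the ones Windows stores in the policy's DefaultLevel registry value; the sample policies and program paths are constructed for the example.

```python
"""Model of Software Restriction Policy (SRP) path-rule evaluation.

Added example, not code from the book. It models the default security
level (Unrestricted or Disallowed) plus Additional Rules that override it
for specific paths. Only path rules are modelled; real SRP also has hash,
certificate and zone rules. The level values are the DWORDs Windows stores
in the SRP DefaultLevel registry value.
"""
from dataclasses import dataclass
from enum import IntEnum
import ntpath


class Level(IntEnum):
    DISALLOWED = 0x00000    # nothing runs unless a rule allows it
    UNRESTRICTED = 0x40000  # everything runs unless a rule denies it


@dataclass(frozen=True)
class PathRule:
    path: str      # a file or a directory; a directory covers its subtree
    level: Level   # the level applied to programs matched by this rule


def _norm(path: str) -> str:
    # ntpath is used explicitly so the example also runs on non-Windows hosts
    return ntpath.normcase(ntpath.normpath(path))


def _matches(rule_path: str, program: str) -> bool:
    rule, prog = _norm(rule_path), _norm(program)
    if prog == rule:
        return True
    # directory rule: the program must sit below it, not merely share a prefix
    return prog.startswith(rule.rstrip("\\") + "\\")


def evaluate(program: str, default: Level, rules: list[PathRule]) -> Level:
    """Return the level SRP applies to *program*.

    Among matching path rules the most specific (longest) path wins; with
    no matching rule the default level applies.
    """
    matching = [r for r in rules if _matches(r.path, program)]
    if not matching:
        return default
    return max(matching, key=lambda r: len(_norm(r.path))).level


def allowed(program: str, default: Level, rules: list[PathRule]) -> bool:
    return evaluate(program, default, rules) == Level.UNRESTRICTED


# Constructed policy 1: default Disallowed, with the OS and program
# directories allowed and a user-writable directory inside the allowed
# tree denied again by a more specific rule.
DENY_BY_DEFAULT = [
    PathRule(r"C:\Windows", Level.UNRESTRICTED),
    PathRule(r"C:\Program Files", Level.UNRESTRICTED),
    PathRule(r"C:\Windows\Temp", Level.DISALLOWED),
]

# Constructed policy 2: the out-of-the-box default (Unrestricted) with a
# single deny exception.
ALLOW_BY_DEFAULT = [
    PathRule(r"D:\Downloads", Level.DISALLOWED),
]


if __name__ == "__main__":
    for prog in (r"C:\Windows\notepad.exe",
                 r"C:\Windows\Temp\installer.exe",
                 r"C:\Users\alice\tool.exe"):
        level = evaluate(prog, Level.DISALLOWED, DENY_BY_DEFAULT)
        print(f"{prog} -> {level.name}")
```

The deny-by-default policy shows the configuration the text calls the more flexible one: everything outside the two allowed trees is blocked, and the specific rule for C:\Windows\Temp wins over the broader rule for C:\Windows because it is the longer match.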

Administrative Templates\Windows Components

Administrative templates are just that: templates for configuring H-Key Local Machine (HKLM) and H-Key Current User (HKCU) Registry key settings. Because this is the Computer Configuration section, these settings manipulate HKLM Registry keys. The Windows Components section is used for configuring settings for built-in Windows applications:

  • Application Compatibility: This section is for configuring the new Application Compatibility features of Windows XP and Windows Server 2003. Application Compatibility enables you to configure an operating environment that allows applications that wouldn't ordinarily run on XP or .NET to run. It essentially lies to the application so it thinks it is running under Windows 95, 98, NT 4, and so on. This section enables you to turn application compatibility on or off globally. You can also specify whether to allow 16-bit applications to run.

  • Terminal Services: Terminal Services enables you to remotely connect to Windows Server 2003 via a graphical console as if you were physically at the box.

    • For more information on Terminal Services Policies, see "New Administration," p. 186.

  • Windows Messenger: Windows Messenger is Microsoft's Instant Messaging client. These Group Policy settings can be used to determine whether to allow Windows Messenger to run and whether it should be launched at startup.

  • Windows Update: Windows Update allows you to configure the Automatic Updates feature. If enabled, you can specify the amount of user interaction you want with the download and installation process: notify before downloading updates and again before installing, notify after downloading but before installing, or download and install on a particular schedule without notifying. Additionally, you can specify whether to redirect Windows Update to a URL of your choice. This affects all occurrences of Windows Update: in Internet Explorer, off the Start menu, in updating printer drivers, and so on. Redirecting the URL enables you to use your own Windows Catalog for dispensing updates, presumably after you've tested them, rather than downloading directly from Microsoft. This gives you, the administrator, more control over what gets updated.
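The following is an added example, not code from the book, that audits the Windows Update policy settings described above as they appear in a registry export. The key and value names (WUServer, UseWUServer, NoAutoUpdate, AUOptions under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) are the ones Windows uses for these policies and are not taken from the chapter; the two .reg exports and the server name are constructed, and the .reg parser handles only string and dword values. The check treats an internal update server reached over plain http:// as the weak setting and https:// as the corrected one, because clients fetch and install code from that URL.

```python
"""Audit of Windows Update (Automatic Updates) policy settings.

Added example, not code from the book. It parses a simplified .reg export
of the policy keys and reports settings a defender would want to review.
Key and value names are the real ones Group Policy writes; the export
text and server name are constructed for the example.
"""
import re

# Meaning of the AUOptions policy value (the user-interaction choices the
# text describes).
AU_OPTIONS = {
    2: "notify before download and before install",
    3: "auto download, notify before install",
    4: "auto download and schedule install",
    5: "allow local admin to choose",
}

WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = WU + r"\AU"


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Parse [KEY] sections containing "name"="string" and "name"=dword:hex."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes in strings; undo that
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
    return keys


def audit(keys: dict[str, dict[str, object]]) -> list[str]:
    """Return human-readable findings for the Windows Update policy keys."""
    findings: list[str] = []
    wu = keys.get(WU, {})
    au = keys.get(AU, {})
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates disabled (NoAutoUpdate=1)")
    opt = au.get("AUOptions")
    if opt is not None and opt not in AU_OPTIONS:
        findings.append(f"unknown AUOptions value {opt}")
    elif opt == 2:
        findings.append("updates only downloaded after user notification (AUOptions=2)")
    if au.get("UseWUServer") == 1:
        server = str(wu.get("WUServer", ""))
        if not server:
            findings.append("UseWUServer=1 but no WUServer configured")
        elif server.lower().startswith("http://"):
            findings.append(f"internal update server {server} is not TLS-protected; use https://")
    return findings


# Constructed export: redirected to an internal server over plain HTTP,
# with users merely notified before download.
WEAK_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://updates.corp.example"
"WUStatusServer"="http://updates.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000002
'''

# Constructed export: same redirection over HTTPS with scheduled installs.
HARDENED_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="https://updates.corp.example"
"WUStatusServer"="https://updates.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
'''

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(parse_reg(export)) or ["no findings"])
```

On a real machine the same keys can be exported with reg export from the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key and fed to parse_reg; the audit deliberately reports the server URL so the reviewer can confirm it is the catalog server the organisation intended.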

Administrative Templates\System

The following new categories contain settings for defining the behavior of various Windows system components:

  • User Profiles: This section contains a number of settings concerning profiles, from whether to detect slow WAN links to what to do with roaming profiles if a slow WAN link is detected. Other settings include whether to allow changes to be saved back to the server (thus making them mandatory read-only profiles), whether to cache roaming profiles locally, whether to use only local profiles, and so on.

  • Scripts: These are settings for configuring the behavior of some scripts, such as whether logon scripts should run synchronously (one after the other) and whether startup scripts should run asynchronously (all at the same time). If logon scripts run synchronously (the default), they all must complete before the desktop is available. If, on the other hand, startup scripts run asynchronously (the default), they all run at the same time before the logon screen is displayed. Other options are how long to wait for startup, logon, logoff, and shutdown scripts to process before killing them and whether to show startup and shutdown scripts.

  • Net Logon: This section determines various settings for domain logon, such as whether domain controllers dynamically register their DNS SRV records and how frequently those records should be refreshed. It also includes compatibility settings for the SYSVOL and NETLOGON shares, that is, whether to allow exclusive locks. Other settings configure discovery options, such as how frequently computers attempt to discover domain controllers, and other maintenance tasks. One particularly beneficial setting is the designation of the site name. By specifying the site name, the computer does not attempt to determine it from Active Directory; thus, you can use Group Policy to specify which site a computer believes it is in, regardless of its actual IP address. In addition, a subcategory of this section, DC Locator DNS Records, enables configuration of the behavior of DNS service records for Active Directory. Among the settings you can configure are whether to dynamically register the records and whether records should be automatically created to cover all sites.

  • Remote Assistance: Allows the configuration of the new Remote Assistance feature in Windows XP. The two settings are Solicited Remote Assistance and Offer Remote Assistance. Solicited Remote Assistance allows users to open a Remote Assistance session and send a request to support personnel (called helpers). These helpers can then remote control (using the RDP protocol, like Remote Desktop) into the Remote Assistance session and help the user. The Group Policy settings can be configured to enable Solicited Remote Assistance and, if enabled, to specify which helpers are allowed to connect to the machine. You can also control whether helpers can only view the desktop or interact with it. The other setting is for configuring Offer Remote Assistance, which is essentially the same, but if it's configured, it allows helpers to initiate Remote Assistance sessions. Remote Assistance is a potentially powerful new feature, particularly for remote help desk support. It is similar to Remote Desktop (Terminal Services), but the user can see what the support person is doing and disconnect at any time.

  • System Restore: System Restore is a new feature in Windows XP that performs automatic backups of critical system files under certain conditions, such as right before installing an application. The Group Policy settings in this section allow administrators to enable or disable the System Restore feature. They also can be used to determine whether users are allowed to configure the System Restore settings.

  • Error Reporting: A new feature of Windows XP and Windows Server 2003 is Error Reporting. If this setting is enabled (which it is by default), whenever an application crashes, it prompts to send information to Microsoft. This policy can be configured to turn reporting off altogether or only for certain programs. This section also has a subcategory called Advanced Error Reporting. The settings in the Advanced Error Reporting subfolder enable configuration of error reporting for specific applications. Additionally, you can use them to specify whether to report operating system errors and whether to report unplanned shutdown events.

  • Remote Procedure Call: Includes various configuration settings for troubleshooting RPC connections, such as whether to maintain state information, whether to generate extended error information, and whether to ignore delegation failure. Another setting specifies the timeout values for RPC over HTTP.

  • Windows Time Service: Used to configure a Network Time Protocol (NTP) time service (client and server) to control automatic time synchronization across your network. This section contains a subcategory called Time Providers, which enables configuration of the NTP service. This allows you to configure whether time is synchronized via the domain hierarchy (the default) or via other NTP servers you specify.

Administrative Templates\Network

These new sections contain settings for configuring various network-level properties:

  • DNS Client: This category was formerly under the Net Logon section and contained only a setting for Primary DNS Suffix. Now several settings exist for configuring the DNS client. These settings allow configuration of DNS client properties over and above what can be set using DHCP, for example, DNS suffix search order, whether to dynamically register DNS records, what to do if a conflict occurs when registering DNS records, whether to register PTR (reverse lookup) records, how long the records should be registered (Time To Live [TTL]), and the like.

  • Network Connections: This section was formerly called Network and Dial-up Connections and now contains additional settings for controlling network connections over and above the previous setting of whether to allow Internet Connection Sharing (ICS). You can specify whether to allow Internet Connection Firewall (ICF) and network bridging, which are new features in Windows XP. ICF enables clients to block ports on their machines. Because most corporate networks have their own firewalls, ICF on individual machines is usually redundant and serves only to cause support headaches, so having a global way to shut it off can be an advantage.

  • QoS Packet Scheduler: Just as its name implies, this section is used for configuring the Quality of Service features of Windows XP and Windows Server 2003. Included are settings for specifying limits on the amount of bandwidth to reserve for QoS as well as settings for manipulating layer 2 and layer 3 priority values.

  • SNMP: This section enables administrators to easily configure SNMP community strings and trap servers, which is beneficial for network management applications. A lot of management infrastructures use SNMP for gathering information. Previously these settings had to be configured manually in the SNMP service properties of each machine, which made changing them difficult. Now they can be set once and applied globally.

New User Configuration Policies Sections

The following are new sections in the user configuration section of group policies.

Administrative Templates\Windows Components

The user configuration Administrative Templates section configures H-Key Current User (HKCU) Registry settings. Like its counterpart in the Computer Configuration section, the Windows Components section is used to configure built-in Windows applications. The following are the new categories in this section:

  • Application Compatibility: The only setting in this category is to prevent access to 16-bit applications, which disables the MS-DOS subsystem (ntvdm.exe). It is used more for disabling unnecessary application compatibility features than for making applications compatible. If all your applications are 32-bit, there is no need for the MS-DOS subsystem, and disabling it with this setting frees up system resources.

  • Help and Support Center: The only setting in this section is Do Not Allow "Did you know" Content to Appear. The new Help and Support Center in Windows XP and Windows Server 2003 replaces Windows Help. The "Did you know" section on the Help and Support Center home screen is dynamically updated from the Internet to provide tips and hints. Currently, it displays as "Top Issues," not "Do you know," and is in the bottom-right portion of the screen.

  • Terminal Services, Windows Messenger: These new User Configuration Policies sections contain configuration settings similar to those discussed previously in the "New Computer Configuration Policy Sections" section. The settings are used for the same functions, but they apply based on user accounts instead of computer accounts. Additionally, because they are user configuration settings, they are usually applied after any computer configuration settings.

  • Windows Update: The setting in this category is Remove Access to Use All Windows Update Features, which effectively disables the entire Windows Update Service. It is no longer available from the Start menu, in Internet Explorer, or when updating printer drivers.

  • Windows Media Player: These settings are for configuring Windows Media Player. They include such options as proxy settings (HTTP or MMS), protocols to use for streaming media (multicast, UDP including which ports, TCP, or HTTP), and whether to prevent users from changing these settings by hiding the network tab. You can even configure the look and feel of Media Player by specifying skins.

Administrative Templates\Shared Folders

This section determines whether to allow shared folders and DFS roots to be published in Active Directory.

  • For more information on shared folders and DFS, see Chapter 8, "Network Services," p. 125.

Administrative Templates\System

Similar to its counterpart in the Computer Configuration section, the System section is used to configure the behavior of Windows system components. The following are the new categories in this section:

  • User Profiles: These user profile configuration settings differ from those in the computer configuration section. These settings are user specific and allow specification of the home directory as the root path for folder redirection. This helps ease the transition from environments currently using home folders because you can transition to using Group Policy to do the same thing as the Home Folder user property setting. Other settings enable administrators to place restrictions on the user's profile by specifying a maximum profile size and which directories to include in roaming profiles to improve performance.

  • Scripts: Similar to the computer configuration section on scripts, the user configuration section enables configuration of script behavior. The settings configured here are whether to display legacy logon scripts (the scripts configured in the user's properties page, not Group Policy) and whether they should run synchronously. Additional settings are for whether to display logon and logoff scripts.

  • Ctrl+Alt+Del: This section can be used to configure which options appear when Ctrl+Alt+Del is pressed (Task Manager, Lock Computer, Change Password, Logoff).

    Disabling the Shutdown button on the Ctrl+Alt+Del security screen is still configured via a Start Menu and Taskbar setting, only now it is called Remove and Prevent Access to the Shut Down Command.

  • Power Management: The setting in this section is Prompt for Password When Resume from Hibernate/Suspend. This essentially locks the computer when it goes into a low power state, requiring the user (or an administrator) to reenter the password when coming out of sleep or hibernation. Presumably, because this is a section unto itself, additional policies will eventually be added for managing power settings.

Windows Server 2003 extends the Group Policy infrastructure introduced in Windows 2000 and includes several changes to make Group Policy administration and troubleshooting easier. All these improvements enhance the usefulness of Group Policy as a management tool. They also give administrators more control over their networks, yet at the same time provide additional flexibility to customize to end user needs. Can it be that Windows desktop management has finally come of age?