While more than 80 percent of Windows users in North America have deployed Active Directory, according to market research firm IDC, Microsoft officials say only 50 to 60 percent are using its Group Policy technology. If you manage Windows computers, Group Policy can reduce IT costs, improve security and increase uptime by giving you centralized control of your client and server computers.
Though there are some limitations in its capabilities, here’s how to deploy and benefit from Group Policy. For administrators already using Group Policy, here’s an opportunity to review its capabilities and verify that you are getting the most out of your infrastructure.
Group Policy is a way to manage settings and software on multiple Windows computers. Some of the settings you can define include:
Additionally, administrators or software vendors can add custom Group Policy settings by using Administrative Templates [5]. To familiarize yourself with Group Policy settings, follow these steps [6] to browse Group Policy settings on your local computer, or review the Group Policy Settings Reference [7].
All Windows computers have a local Group Policy object that defines settings for that computer. However, the real benefit of Group Policy is the ability to configure multiple computers. For that, you need an Active Directory domain. If you’re not familiar with Active Directory [8], it is a Microsoft directory service that requires Windows Server 2003 [9]. Active Directory can scale to any size enterprise and provides many other benefits besides Group Policy, including centralized user management, simplified DNS management and software distribution.
When deployed in an Active Directory environment, Group Policy gives you the flexibility to apply settings to computers in a way that mirrors your organization’s structure. Figure 1 shows a simple Group Policy organizational hierarchy. In this hierarchy, a Group Policy object applied at the Domain level would apply to every user and computer in the organization. However, you could override some or all of those settings for the Marketing, IT or Accounting departments by applying Group Policy objects to those organizational units. For example, if developers need Visual Studio and local Administrator rights, no problem: just specify those settings in a Group Policy object and link that object to the Developers organizational unit.
In addition to custom organizational units, you can assign Group Policy objects based on location (known as Sites in Active Directory), operating system and a variety of other factors. Ultimately, this gives you total control over how you configure the computers in your organization. You can even delegate management over parts of your organization, enabling regional and departmental IT groups to make their own decisions about the computers they are responsible for.
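The precedence described above (local policy, then site, domain and organizational units, with the object closest to the computer winning) can be modelled in a few lines. This is an added example, not code from the article or from Microsoft: the GPO names and setting names are hypothetical labels, the data is constructed, and the Enforced link option goes beyond what the article covers.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False  # the "Enforced" link option (not covered in the article)

# Constructed sample data. Containers appear in processing order:
# local policy, site, domain, then organizational units from parent to child.
CHAIN = [
    ("Local", [GPO("Local Policy", {"ScreenSaverTimeout": 1800})]),
    ("Site: HQ", [GPO("HQ Proxy", {"ProxyServer": "proxy.hq.example"})]),
    ("Domain", [
        GPO("Baseline", {"LocalAdmin": False, "ScreenSaverTimeout": 600}),
        GPO("Firewall Lockdown", {"FirewallEnabled": True}, enforced=True),
    ]),
    ("OU: IT", [GPO("IT Tools", {"RemoteDesktop": True})]),
    ("OU: Developers", [GPO("Developer Workstations", {
        "LocalAdmin": True, "InstallVisualStudio": True, "FirewallEnabled": False})]),
]

def resultant_policy(chain):
    """Return {setting: (value, winning GPO name, [names of GPOs that lost])}."""
    # Normal links are applied from the top of the hierarchy to the bottom, so
    # the GPO closest to the computer is written last. Enforced links are then
    # applied from the bottom up, so the highest enforced link wins.
    normal = [g for _, gpos in chain for g in gpos if not g.enforced]
    enforced = [g for _, gpos in reversed(chain) for g in gpos if g.enforced]
    result = {}
    for gpo in normal + enforced:
        for key, value in gpo.settings.items():
            losers = []
            if key in result:
                _, prev_winner, prev_losers = result[key]
                losers = prev_losers + [prev_winner]
            result[key] = (value, gpo.name, losers)
    return result

def conflicts(chain):
    """Settings defined by more than one GPO: the ones worth reviewing."""
    return {k: v for k, v in resultant_policy(chain).items() if v[2]}

if __name__ == "__main__":
    for setting, (value, winner, losers) in sorted(resultant_policy(CHAIN).items()):
        note = f" (overrides {', '.join(losers)})" if losers else ""
        print(f"{setting:20} = {value!s:18} from {winner}{note}")
```

The `conflicts` output is the part to review: it shows where an organizational unit relaxed the domain baseline (local Administrator rights for developers) and where an enforced domain object blocked a lower-level change (the firewall setting).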
There are several tools you can use to configure, apply, and audit Group Policy settings:
Figure 2 [12]: The GPMC is a requirement for all administrators managing Group Policy objects in an Active Directory domain.
Additional tools are available from both Microsoft [17] and third parties [18].
Group Policy is a necessity for any organization managing more than a handful of Windows computers. It’s not perfect, however. First, Group Policy has only very limited abilities to manage non-Windows computers, so you may need to purchase third-party software such as the LANDesk Management Suite or Symantec’s LiveState Client Management if you manage UNIX, Linux or Apple clients or servers.
Second, it’s difficult to use Group Policy to manage computers not in an Active Directory domain. Consumer versions of Windows, including Windows XP Home Edition, Windows ME, and Windows 98, cannot join a domain. Therefore, you may need to upgrade some client computers to realize all the benefits of Group Policy.
Finally, the Group Policy and Active Directory infrastructure is included with Windows Server 2003, but that doesn’t mean it comes free. Depending on the size of your organization, you may need anywhere from two to dozens of Windows Server 2003 computers for the Active Directory infrastructure. You’ll also have to train your IT staff to use Group Policy and manage the deployment of your organization’s computers.
Group Policy will almost certainly save you time and money if you manage more than a handful of Windows computers. If you want to deploy Group Policy, start by deploying Active Directory. Then, design a Group Policy hierarchy that will enable you to efficiently manage your environment with the fewest Group Policy objects possible. For information about how to design and deploy a Group Policy infrastructure, a good place to start is Chapters 1 through 4 of the Windows Server 2003 Deployment Kit: Designing a Managed Environment [19].
Links:
[1] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1f52744d-02d1-421d-bc85-af90cc0ddb26.mspx
[2] http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
[3] http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
[4] http://www.microsoft.com/smserver/default.mspx
[5] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/8f0daf74-1eac-4d47-ac8a-bcbe23c67352.mspx
[6] http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&sd=tech
[7] http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
[8] http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
[9] http://www.microsoft.com/windowsserver2003/default.mspx
[10] http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
[11] http://www.microsoft.com/downloads/details.aspx?FamilyID=c06516f2-86fd-48ba-8502-970f2dec0c5a&DisplayLang=en
[12] http://www.biztechmagazine.com/sites/default/files/legacy/items/2006/v2n2/images/wx1_f2.jpg
[13] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5b388f78-b2a0-4ae6-898e-e06a91020899.mspx
[14] http://support.microsoft.com/default.aspx?scid=kb;en-us;816585
[15] http://support.microsoft.com/default.aspx?scid=kb;en-us;323276
[16] http://www.microsoft.com/downloads/details.aspx?FamilyID=1D24563D-CAC9-4017-AF14-8DD686A96540&displaylang=en
[17] http://www.microsoft.com/downloads/results.aspx?freetext=group%20policy&productID=&categoryId=12&period=&sortCriteria=popularity&nr=50&DisplayLang=en&type=a
[18] http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/gptools.mspx
[19] http://www.microsoft.com/downloads/details.aspx?FamilyID=b671967b-ef65-4ccf-9d00-89d6ae428edc&DisplayLang=en