Profiles and group policies are large topics, and they are worth treating properly so that you get the most from them in your environment. The goal of policy-based administration is for an administrator to define the environment for users and computers once by defining policies, and then rely on the system to enforce those policies. Under Windows NT, this could be very challenging, but with Active Directory group policies, the capability is much more readily available. This chapter is the introduction to the subject of user profiles and group policies. Chapter 10 then shows how policies work in Active Directory, how to design an OU structure to incorporate them effectively, and how to manage them with the Group Policy Management Console, a new MMC snap-in available for Windows XP and Windows Server 2003 computers.
In Windows NT, system policies had a number of limitations:
They were set at the domain level.
They were not secure.
They could apply only to users, groups of users, or computers.
They tended to set values until another policy specifically unset them.
They were limited to desktop lockdown.
The scope and functionality of Active Directory group policies is much greater than system policies:
They can be applied to individual clients, sites, domains, and Organizational Units.
They are highly secure.
They can apply to users, computers, or groups of either.
They can set values and automatically unset them in specified situations.
They can do far ...