Profiles and group policies are large topics, and they are worth treating properly so that you get the most from them in your environment. The goal of policy-based administration is for an administrator to define the environment for users and computers once, then rely on the system to enforce that state. Under Windows NT, this could be very challenging, but with Active Directory group policies, this capability is much more readily available. This chapter is the introduction to the subject, and Chapter 10 builds on it to show how policies work in Active Directory, how to design an OU structure to incorporate them effectively, and how to manage them with the Group Policy Management Console, a new MMC snap-in available for Windows Server 2003 Active Directory.
In Windows NT, system policies had a number of limitations. System policies:
Were set at the domain level
Were not secure
Could only apply to users, groups of users, or computers
Tended to set values until another policy specifically unset them
Were limited to desktop lockdown
The scope and functionality of Active Directory group policies are much greater than those of system policies. Group policies:
Can be applied to individual clients, sites, domains, and Organizational Units
Are highly secure
Can apply to users, computers, or groups of either
Can set values and automatically unset them in specified situations
Can do far more than just a desktop lockdown
With group policies, an administrator can define ...