December 23, 2004
Group Policy Objects 101
Group Policy Objects in Active Directory are a fabulously beneficial feature that can sometimes be ferociously frustrating as well. With great power comes great responsibility (someone please slap me for that), so before you plunge headlong into working with GPOs, you should probably have a basic understanding of how GPOs work. The remainder of this entry is adapted from material I contributed to MCSE Exam 70-294 Study Guide and DVD Training System: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure in Chapter 9, Working with Group Policy in an Active Directory Environment.
First, policies can be assigned in a number of locations. Specifically:
- the local computer
- the entire site
- a domain
- an Organizational Unit (OU)
In an SBS installation, only the last two really apply. SBS creates GPOs that apply at the domain and OU levels. Note that GPOs cannot apply to Active Directory Containers, only domains and OUs. When you open up Active Directory Users and Computers on your network, you'll see "folders" for Users and Computers underneath the domain. These are containers and not OUs.
Second, each policy object contains two parts: computer configuration and user configuration. Computer configuration settings apply to all users who log on to a computer, and user configuration settings apply to a user no matter which computer they log in on. The types of settings that can be applied also differ in these two sections. For example, both configurations have Scripts settings under the Windows Settings section. But under the Computer Configuration, the scripts that can be set are startup and shutdown scripts, whereas the User Configuration scripts are logon and logoff.
Third, you can create any number of GPOs, but until they are linked to an object in AD, they will never get applied. There are a couple of documents floating around the 'net that provide detailed steps to creating a GPO, but never make the point that once the GPO is created it must be linked to an AD object. This may seem like redundant information to those who wrote these docs, but someone who is working with GPOs for the first time can get confused without this being noted specifically.
With this information, you may be able to understand why the SBS wizards put user and computer objects into different locations in AD. When using the wizards, computer accounts are placed in the My Business -> Computers -> SBSComputers OU. User accounts are similarly placed in the My Business -> Users -> SBSUsers OU. This was done so that GPOs could be created and applied to these OUs for specialized settings. While this hasn't been used yet with a default install, it's created the framework for system administrators to get in and easily create and apply GPOs for specific purposes in the domain.
Group Policy management has become even easier with the introduction of the Group Policy Management Console (gpmc.msc) with Server 2003. With the GPMC, you can visually see which GPOs have been applied to a particular domain or OU object. Additionally, the GPMC has graphical interfaces for Group Policy Modeling and Group Policy Results that allow you to drill down into the actual settings that will be or have been applied and see which GPO enabled those settings. Perhaps a more detailed discussion on troubleshooting group policy issues using these tools will appear in a future entry.
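The linking rule and the GPMC view of which GPOs apply where can also be checked from a script. The following is an added example, not part of the original entry: it assumes the GroupPolicy PowerShell module, which arrived with later Windows Server releases than the Server 2003 tools described here, and a domain-joined session with read access to the domain's GPOs.

```powershell
# Added example: list every GPO in the current domain with the site, domain
# or OU it is linked to, and flag GPOs that exist but are linked nowhere
# (and therefore are never applied).
Import-Module GroupPolicy

$rows = foreach ($gpo in Get-GPO -All) {
    # The XML report carries one <LinksTo> element per link.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Filter out $null so an unlinked GPO yields an empty array.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    if ($links.Count -eq 0) {
        [pscustomobject]@{
            GPO         = $gpo.DisplayName
            # GpoStatus shows whether the computer and/or user half is enabled.
            Status      = $gpo.GpoStatus
            LinkedTo    = '(not linked)'
            LinkEnabled = $null
            Enforced    = $null
        }
    }
    else {
        foreach ($link in $links) {
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Status      = $gpo.GpoStatus
                LinkedTo    = $link.SOMPath      # path of the domain or OU
                LinkEnabled = $link.Enabled      # 'true' / 'false'
                Enforced    = $link.NoOverride   # 'true' if the link is enforced
            }
        }
    }
}

# Unlinked GPOs sort together under '(not linked)'.
$rows | Sort-Object LinkedTo, GPO | Format-Table -AutoSize
```

A GPO that shows up as "(not linked)" has been created but will not be applied anywhere until it is linked to a site, domain or OU.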
Bottom line, there is a lot of power in Group Policy. When used correctly, it can ease the management of the network. When used incorrectly, it can bring your network to its knees very, very quickly. Do yourself and your clients a favor and do some research on group policy before you go out and start implementing changes on the live network. You'll save yourself, and your customers, headaches in the short and long run.
Posted by Q at December 23, 2004 09:31 PM