Group Policy Gurus Needed

Status
Not open for further replies.

star_topology

I purchased a nice resource book last week (Using Windows XP, Platinum Edition) for pretty much the sole purpose of learning more about Group Policy, and this book had the most text available on the topic.

I'm off to a good start, and I can assign local policy, but what the book doesn't tell me (or at least it doesn't come right out and tell me directly) is how to assign local policy to a security template so that I can distribute the policy across Active Directory. It skips right to Security Templates and says "Policy can be applied in these templates." Per the book's instructions, I've dabbled in gpedit.msc and mmc and have yet to see anything that looks correct.

An excerpt: "Computer Configuration applies policy locally. User Configuration applies policy to ALL users on Active Directory."

Hence, I realize I can go to each computer and edit Computer Configuration individually, but how can I utilize Active Directory (Windows Server 2003) to make policy apply to a specific group? I see no option tabs in the group for which I wish to apply the policy.

Thanks in advance.
 
I'm actually learning this Group Policy thing myself. Have another thread where the guys have been really helpful, especially Inaris.

Maybe I need to get my hands on one of those books.
 
Ok, I figured out how to apply policy through Active Directory groups.

DomainObject/Properties/GroupPolicy/Properties/Security
Apply Group Policy for desired groups/users.

Hooray for me. So scratch half of my first post, now I just have to make sure the policy I'm creating on the server can be exported to templates and installed on my clients. Help!

Edit: And if there's an easy way to run a logon script to make a window pop up and say something along the lines of "we are watching you" (but not in that exact wording of course) that would be great! :p
 
The best resource I have on the topic of GPOs is in the Windows 2003 Deployment Kit. It's a set of 7 books that cover this stuff very well.
The best thing you can use is called a logon banner. It's seen after you press Ctrl+Alt+Del and requires you to click OK to clear it. It gives you the ability to fill in the details on what they can and can't do if you want...
Here is the policy area you want...
Computer config, Windows settings, Local Policies, Security options:
Interactive Logon: Message text for users attempting to log on.
and
Interactive Logon: Message title for users attempting to log on.

That should do it for you.
Good luck
 
Thanks, Inaris! I found the Interactive Logon and applied the settings and it works properly. However, is there a way to have that popup come up AFTER logging in?

Edit: You know what? Scratch that. I think I'm going to leave that message there and post the School District's Computer Policy, that way the kids will have that message right there.

Also, it appears I'm having issues applying the Group Policy to certain groups/members on the domain. Although I changed the Policy's settings to "Apply Group Policy" to said members, it still appears that it is applying to everyone in the AD. Odd.
 
*bumping, not finished yet*

Inaris, that policy is Computer Configuration so that means it's local, right? How can I get a local policy across the domain, as if it were a User Configuration?
 
It's applied to the workstations, not the users, so it's in effect for everyone...
 
Isn't that the other way around? I'd have to apply it to every workstation, instead of having the policy distributed through Active Directory, right?

So my next question would be, how do I put policy (user and computer policy) into a template and export it to the other computers? I messed around with the export option, but none of it seems to work.
 
In AD, users and computers are just seen as the same with different container template types. The template for the computers applies settings to the workstation. The settings for the users apply to the users. Workstation-based policy affects all users that log on to workstations with that policy. So if a user logs onto a machine that doesn't have the initial logon message applied to it, it won't be on that machine. You have to apply machine policies to the container with the machines in it.
User policy affects those users with that policy on any machine they go to.
Does that make sense?
 
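Added example, not part of the original thread: one way to script what the replies describe (a domain GPO carrying the logon banner, linked to the container holding the workstations, then filtered to one group) using the GroupPolicy PowerShell module from RSAT on Windows Server 2012 or later, not the Server 2003 tools used in the thread. The GPO name, OU path, group name and banner text are hypothetical placeholders.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module GroupPolicy

$GpoName   = 'Lab Logon Banner'                             # hypothetical GPO name
$TargetOu  = 'OU=Student Workstations,DC=example,DC=local'  # hypothetical OU holding the COMPUTER accounts
$Group     = 'Lab-Computers'                                # hypothetical security group of computer accounts
$PolicyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Create the GPO in the domain, so nothing is edited per machine.
New-GPO -Name $GpoName -Comment 'Interactive logon banner' | Out-Null

# 2. Computer Configuration: the registry values behind
#    "Interactive logon: Message title / Message text for users attempting to log on".
#    Written this way they appear as registry settings in the GPO report,
#    not under Security Options, but the client reads the same values.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'LegalNoticeCaption' `
    -Type String -Value 'Computer Use Policy' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'LegalNoticeText' `
    -Type String -Value 'Use of this computer is subject to the district policy.' | Out-Null

# 3. Link the GPO to the OU that contains the workstations. Computer settings
#    follow the computer object, so every user who logs on there sees the banner.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 4. Security filtering. A new GPO grants "Apply Group Policy" to
#    Authenticated Users, so adding a group alone does not narrow the scope.
#    Grant Apply to the group, then reduce Authenticated Users to Read
#    (-Replace removes the existing higher permission first).
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Verify the resulting scope, then write a settings report to review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP 'logon-banner-gpo.html')
```

On a target workstation, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied or filtered out.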