Group Policy In An Organization Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Group policy is a popular security tool that is used in many big organizations. It is important to make sure it is properly implemented and setup. Employers do not want their employees to roam around free on their servers without any restrictions. A tool that can be used to monitor an organization is Group Policy. However, in order to have a good group policy implemented, a technician needs to understand what group policy is and what is incorporated with it. An interview with Jeremy Moskiwitz, a very famous technician who wrote multiple books on Group Policy, was conducted in order to provided an expert opinion on the importance of Group Policy. There are security templates and hundreds of different security configurations that have unique purposes.

The importance of Group Policy in an Organization

Business owners cannot have a huge organization with thousands of computers and not have security. Just like how places have video cameras, sensors, and security guards, computers need to have some type of security also. In an industry that is run mainly by computers, there will be different users and groups that need certain privileges or need certain restrictions. Everybody in a business cannot have administrative privileges and be allowed to roam free on a computer system to do what they want when they want. Most companies will assign certain users and groups with rights and privileges, depending on what that person or group needs to do to complete their job. There are certain tools on a computer that are used to assign these users the rights they need to a computer. The main tool used to assign rights on a computer is called group policy. Group policy is a very important security tool used to manage privileges on a single person, a computer, a group of users, or a group of computers at once. First, in order to implement good group policy security, there has to be an understanding of what group policy can do, an understanding of active directory in a organization, and how does active directory tie in with group policy. It is good to understand a tool that will be used as security in an organization (Active directory: An Overview, 2008, p.5).

What is Group Policy?

Group policy is a security tool that is implemented in order to manage the rights of users and computers. Through this tool, administrators are able to monitor what the users and computers have access to. The group policy tool can be found on Windows XP Professional, Windows Server 2000, and Windows Server 2003 operating systems. Not only can Group Policy defined configurations for groups of users but also help manage server computers (Group Policy Policies, 2003, p.63). This is done by configuring server-specific operational and security settings. Group Policy settings that are created containing what computer technicians call Group Policy Objects (GPO). To create and edit a GPO, use the Group Policy Management Console (GPMC). GPOs are created for Active Directory Sites, domains, and organizational Units (OUs). In order to successfully set up a GPO, technicians need to have a clear understanding of what the organization’s business needs are, service level agreements, and requirements for security, and network. The group policy tool has hundreds of different configurations that can be enabled or disabled based on what the administrators want the technicians to have on their computers or accounts. There are three main configuration groups in group policy (Group Policy Collection, 2003, p.77). The first one is software installation. Software installation is used to publish or assign programs and applications to multiple computers at once. This method of distribution is a lot faster than going from one computer to the next, especially with a business that has over 200 computers. The second of the three configuration groups is windows settings. This security group allows the domain administrator to add startup or shutdown scripts or security settings. The third of the three groups is administrative templates. Things such as windows components, system, network, and printers can be configured. There are multiple ways to access group policy. On a computer running Windows XP Professional, a network administrator can access the group policy tool by selecting the run box on the start bar and typing in GPedit.msc (Group Policy Collection, 2003, p.78). This will bring up a window called group policy. The tool, Group Policy, can also be accessed by using Microsoft Management Consol (MMC); there is a snap-in called Group Policy. This will open a window that has the same items as when group policy was accessed through GPedit.msc. There are different types of securities policies that are utilized and configured in group policy (Active directory architecture 2008, p.6)

What are the two different types of policies?

Group policy consists of two different policies sets that are utilized in order to configure security for users or computers. The first of the two types of security policies is computer policy. Things such as windows update, windows explorer, windows installer, and disk quotas are the things that have be monitored on a computer. These options are found in the computer configurations. This policy is configured when an organization wants a group of computers to be used for a specific purpose. The different options that a tech can configure are software settings, windows settings, and administrative templates. These configuration settings are combined in different ways in order to give one or a group of computers the permissions they need. The second of the two security configurations is user configuration. Users often have certain tools or applications that are removed from their account (Group Policy Processing, 2003, p.137). They may be things that the administrator does not want the employees to mess with in order to prevent anything from happening to the computer. The different options that a tech can configure are active desktop, control panel, and shared folders. These settings are mainly for personalizing a user’s account. Computer policy configuration is applied every time a computer boots up (Wilkins, 2001, p1). Things such as application and updates are applied automatically, or applied network settings take effect at start up. User configurations are applied when a user logs on to a computer or a domain. For a user, things such as startup scripts (if presented) are executed in synchronous mode or files are deployed to client at logon (Wilkins, 2001, p.7).

Multiple configurations at once

Windows XP Professional has a feature called Fast Logon Optimization. This feature is set for both domain and workgroup members. This result is that the asynchronous application of policies is started up when the computer starts and when the user logs on (Wilkins, 2001, p.6). This application of policies is similar to a background refresh process and can reduce the length of time it takes for the Logon dialog box to display and the length of time it takes for the display to be available to the user. An administrator can change the default by using the Group Policy Object Editor. It would be a pain if there were a large amount of computers and users that had to have their policies configured one by one. Thankfully, policies for massive amounts of computers and users can all be configured at once. Computers and users are organized into groups based on what their purpose is. The main three different types of groups are orgazational units (OUs), domain, and sites. Different site levels take priority over other levels in an organization. OUs take priority over domains. Domains take priority over local level (Wilkins, 2001, p.7). There are other tools that are needed for organization for massive configuration for large organization. By priority, that means the configurations override the other configurations if they are different. If a user has access to command prompt at the site level and does not have access to command prompt at the domain level, the user will not have access to command prompt (Zacker, 2004, p.198).

Active Directory?

Active Directory stores information about all objects on the computer network and makes this information easy for administrators and users to find. Both administrators and users have ability to gain access to resources anywhere on the network with a single logon. .Active directory is deployed for the setup of users and computer systems (Wilkins, 2001, p.6). Active directory is the tool that is used to add computers and users to a domain. The computers and users are also organizing into their groups in active directory. When computers are added to a domain, active directory keeps a list of all the computers that have been added to the domain (Optimizing Group Policy Performance, 2003, p.47). When a computer is removed from a building or office, the computer names are also removed from the domain using active directory. Computers can be moved from one group to another group through active directory. User accounts that are needed to logon into a domain are created in active directory. After the users are created, they are moved to the groups they need to be in. In order to have good security, group policy and active directory have to be combined to work together (Active directory collection, 2003, p.45).

How Group Policy and Active Directory Works Together

You can combine multiple domains into structures called domain trees. The first domain in a tree is called the root of the tree, and additional domains in the same tree are called child domains. A domain immediately above another domain in the same tree is referred to as the parent of the child domain. All domains within a single domain tree share a hierarchical naming structure. Domains that share a common root share a contiguous namespace. Domains in a tree are joined together through two-way, transitive trust relationships. These trust relationships are two-way and transitive, therefore, a domain joining a tree immediately has trust relationships established with every domain in the tree. Group Policy is applied in the background on a periodic basis, and can also be triggered on demand from the command line. During a background refresh, a client side extension will by default only reapply the settings if it detects that a change was made on the server in any of its GPOs or its list of GPOs.Not all Group Policy extensions are processed during a background refresh. Software Installation and Folder Redirection processing occurs only during computer startup or when the user logs on. Processing periodically could cause undesirable results. For example, for Software Installation, if an application is no longer assigned, it is removed. If a user is using the application while Group Policy tries to uninstall it or if an assigned application upgrade takes place while someone is using it, errors would occur (What is Group Policy Object Editor? 2003, p.73). Users are organized in domain based responsibilities. Computers may be placed in groups based on what they are used for. Group policy settings are contained in group policy containers. The Group Policy container is an Active Directory container that stores GPO properties; it includes sub-containers for computer and user Group Policy information. The containers have properties such as Version information, status information, list of components, file system path and functionality version. For instance, there are computers that are used just for backing up data for the entire business. In a business for art there may be specific graphical computers that have to have certain programs installed on them. For a gaming company, they may need the latest updates and news for their next greatest hit, so they are required to get certain files from their superiors every morning. With the help of group policy, programs or applications can be published or assigned to multiple users or computers at once (What is Group Policy Object Editor? 2003, p.76). Users are placed into their groups based on their responsibilities. On a server, their groups are already created, such as remote desktop users, administrators, backup operators, and power users. After all the users and computers are placed in the groups they need to be in, then the security is set up. In order to edit the policies of the groups, a technician has to access the properties of the group he or she is trying to configure. Next, the technician must click on the group policy tab, and then select either edit an existing group policy or create a new policy from scratch. Some of the things that would be configured for a computer are their network settings and their windows components. User configuration is having things configured, such as desktop, control panel, or start bar and task manager. Some of the different configuration settings are the same for both of the two policies. For instance, both policies have software installation, security settings, and scripts (Beaver, 2005, p.78).

Group Policy has great importance in an organization. It is ability to manage security for multiple computers and users is a huge aspect. It can perform tasks that would take weeks in a matter of minutes. If there was no Group Policy implemented then a technician would have to use the sneaker net method, which is physically walking from one computer to another.