Chapter 11
Change Control and Policy and Workspace Management

This chapter discusses workplace management and change control services.
What Is Change Control?
During the writing of this chapter, one of our clients almost
lost a small fortune in business due to the lack of change
control. Our client is a small (only five people) insurance
broker. One of the brokers, Dave, writes marine insurance,
and on a fine cool January day in Florida, he got the break
the company was waiting for . . . an order for a policy to
insure a $10 million yacht . . . the premium would be a killer.
He returned from the marina shaking and shivering, realizing
that he was about to write the policy of his career. The commission
would be staggering, and from this many more deals
would flow. You get a name for writing big policies like this.
Nothing would stand in his way . . . nothing but his faithful
workstation.
Dave likes to fiddle with his computer. When he is not looking
for insurance business, he likes playing around with his desktop
settings, fonts, resolution, and more. Dave lives in Control Panel
more than his apartment. We had maintained a “loose” change
management policy in this company. In other words, we maintained
minimal desktop control because Dave was the only wild
card and was considered an advanced user. The company had
been our client for several years, and we had never had an issue
with users changing anything that could cause a problem.
In This Chapter
✦ Group Policy Overview
✦ Creating Policy and Change Management Plans
✦ Applying Group Policy
4667-8 ch11.f.qc 5/15/00 2:01 PM Page 373
374
Part III ✦ Active Directory Services
On the day that Dave needed to write up his policy, his desktop went berserk. He
logged into his workstation as usual, but when he opened the insurance application,
the application began to tremble and then the session froze. If you know insurance,
you know that if you cannot write the policy, the client will make another call. Dave
was getting ready to jump off the jetty with an anchor around his neck.
We jumped in and disabled Dave’s account. And because we were deploying the
Windows Desktop and agency software applications through terminal services, we
were able to get Dave back to his policy writing in record time. He admitted that he
had changed his font again and some other “things” that he could not remember.
The client learned a lesson and advised that no employee (all four of them) was
allowed to tamper with the applications or desktop sessions. But we learned a
bigger lesson. Change control is as important for our small clients as it is for the
big ones. It cannot be ignored anywhere.
Change control on Windows NT and other server environments has been lacking
since the invention of client/server. Policy and profile maintenance is possible on
Windows NT and Windows 9x desktops, but it is not secure, and users can override
settings with little effort. A Windows NT workstation/server environment is more
secure. But change control empowerment is still lacking.
Windows 2000 and Active Directory change all this with the introduction of Group
Policy. Group Policy governs change control policy on many facets of the operating
system. These include the following:
✦ Hardware configuration and administration
✦ Client administration and configuration (desktop settings, logon, connection,
and more)
✦ Operating system options and policy, such as IntelliMirror and remote OS
installation
✦ Application options and policy (such as regional settings, language and
accessibility, deployment, and more)
✦ Security options and policy
✦ Network access
We are not going to take you through every detail of creating and managing Group
Policy objects because the Windows 2000 Help system adequately handles that.
But we will show you how to take control of the change control issue, apply
security policy, and more. But before we get to that, let’s discuss the science
and philosophy of change control and management.
Understanding Change Management
In our highly complex worlds of information technology and information systems,
the only constant is change. The more complex and integrated our IS systems
become, the more important it is to have change control. Managing change has
thus become one of the most important MIS functions in many organizations. If
you do not manage change, the unexpected results of an unmanaged change could
render you extinct.

Processes, routines, functions, algorithms, and the like do not exist in vacuums
or some form of digital isolation from the rest of the universe. Just as in life, all
processes depend on or are depended on by other routines or processes. When you
change the way a process behaves, you alter its “event course.” In other words, you
alter its destiny. Altering the event course of a process is in itself not the problem.
Problems arise when processes dependent on a particular course of events are no
longer afforded the opportunities they were expecting.
Think about how you feel and are inconvenienced when a person you were going to
meet does not turn up or cancels the engagement unexpectedly. In software and
computer systems, such events can have catastrophic results. They in turn fail, and
their event courses are also altered. When processes begin to crash, an unstoppable
domino effect takes place, leading to systems failure and disaster from one
end of the system to the other.
Besides the first example when Dave’s job was almost toasted, here are other
examples:
✦ The FTP service on a server is turned off. AS/400 connections expecting to
find the connection up are not able to transfer route information to a network
share. A process that was expecting the information to be in the FTP folder
cannot calculate the daily routes for orders that need to go out. The trucks do
not arrive, and the orders do not get established. The orders are not shipped.
Clients place more than $10 million in business elsewhere.
✦ A software engineer makes a change in source code that reintroduces the
Millennium bug into the process pool. Programs begin to collapse because
the receiving data function does not know how to deal with data that appears
to be more than a hundred years old.
✦ A user downloads new software from the Internet onto his company’s notebook
computer. The new software contains a backdoor virus that silently attacks
the notebook’s anti-virus suite. It inserts a replacement file into the anti-virus
software and causes the software to reload the old inoculation data file, which
is akin to taking an antibiotic that has expired. When the user connects back to
the corporate network, the hostile code moves to the network servers and does
the same thing. Once on the servers, the virus shuts down the company
systems, and the company almost goes insolvent as a result.
These examples sound far-fetched, but they are not. We have seen all three of them
on our networks. Such is the need for change control. In fact, the unit of time in
which no change takes place is too small to be studied by humans.
So, we have to control change; we have to manage it in such a way that the effects
of change are planned for and that all dependencies are informed and allowed to
compensate when change comes. In a nutshell, no change can be allowed to take
place without a) the proposed change being put to a board of change management
for consideration, and b) the consequences of the change being fully investigated
and the change being deemed necessary. Because change is always inevitable, another
factor comes into change control: contingency planning, of which disaster
recovery is a part.
In the past, problems caused by unmanaged change affected standalone systems.
Because computers were once islands and isolated, the effects of the change were
local and confined. When we started to network, change control problems began
to affect the global corporate or organizational environment. But the effect was,
and still is to a large extent, confined to the corporate or enterprise information
network.
However, in the world of e-commerce, change control has become critical because
any change that causes an unplanned-for new course of events will affect the external
environment where systems crashes can have catastrophic results and cause untold
damages and liability. In the world of Internet banking, for example, a change control
disaster can affect many people who have no relationship with the bank . . . besides
its innocent account holders.
In various parts of this book, we have also discussed service level and quality of
support. As you know, more and more people are signing service level agreements
that guarantee availability of systems all the time. These agreements have to be
covered with effective change control management.
The change control or change management board reviews all changes and, based on
the board’s research, consultation, and findings, a change request is either approved
or denied. (In the companies we consult for, all change management approvals have
to be signed off by the officer in charge.)
But the problems arise when you have a fully functional board and compliant team
leaders, but no means of enforcing change control policy at all levels of the enterprise.
To figure out how this all comes together, let’s look at change control conceptually.
The respective parts of change control or change management systems resemble the
justice system, or at least the enforcement parts of it. They include the items listed in
Table 11-1.
Table 11-1
Change Control

Change Control Board: A group of people in an organization responsible for
reviewing change requests, determining validity, deciding change of course or
procedure, and so forth. This board also determines regulation and enforcement
protocol and deploys change management resources.

Change Management: Functions to manage signed-off or approved change or
contingency. Change management may include lab tests, sandpit projects, pilot
projects, phased implementation, incremental change, performance monitoring,
disaster recovery, backup/restore, and so on.

Change Control Policy: Rules, and the formulation thereof, governing change
control and management.

Change Control Rules and Enforcement: The enforcement of policy and the methods
or techniques of such enforcement.

Change Control Tools: On Windows 2000 networks, this includes local security
policy to protect machines, Group Policy to enforce change policy throughout the
forest, security policy throughout, auditing, and so on.

Change Control Stack: The change control “stack,” which comprises the various
layers that are covered by change control.
To better understand where in the information systems environment change
control needs to be enforced, consider the change control stack in Figure 11-1.
At the bottom of the change control stack (CCS) is the hardware (physical) area.
Objects in this layer that you place under change control enforcement are all
hardware, computer components, and hardware requirements. The following list
provides an idea of what is covered by change control at the hardware or physical
layer:
✦ Hardware compliance with the existing infrastructure
✦ Hardware acquisition and determination of hardware needs
✦ Technology deemed necessary or not
✦ Protection and security of storage, and access to media (such as FDDs and
CD-ROMs)
✦ Protection of network interface cards
✦ Access to memory and system components
✦ Availability and stability of hardware device drivers
✦ Hardware problem abandonment point (when do you give up trying to
fix a part or computer and buy a new one)
✦ Parts replacement (such as procedure for replacing media, and so on)
✦ Hardware availability (such as RAID, clustering, load balancing, and so on)

Figure 11-1: The change control stack
Next up is the network layer, which encompasses change control on the data link,
network, transport, and session layers of the OSI model.
Note: According to Newton’s Telecom Dictionary, the Open Systems Interconnect (OSI)
model of the International Standards Organization (www.iso.ch) is the only
accepted framework of standards for interconnection for communication between
different systems made by different vendors. The OSI model organizes the
communications process into a system of layers. OSI has become the foundation
model for many frameworks in both software and computer hardware
engineering. The OSI model is also referred to as the OSI stack.

Figure 11-1 layers (bottom to top): Hardware Layer, Network, OS and Applications.
The following list includes areas that are targets of change control at the network
layer of the CCS:
✦ Security needs (encryption, IPSec, access to routers, circuits, hubs, and so on)
✦ Quality of service
✦ Network bandwidth
✦ Topology
✦ Transport technology (Ethernet, SNA, Token Ring)
✦ Routing, bridging, switching
As we get higher up the CCS, the number of variables begins to increase (there are
more opportunities for change and thus change control, because we are getting into
the area where the user lives). The following list includes areas that are targets of
change control at the operating systems and applications layer of the CCS:

✦ Logon/user authentication
✦ Network services
✦ File systems and storage
✦ Network protocols
✦ Device driver installation and version control
✦ Device operation
✦ Application services
✦ Disaster recovery services
✦ Internet/intranet services
✦ Media services and telephony
✦ File transfer
✦ Sharing and access control
✦ Virus protection
✦ Directory services
✦ User levels/access to resources
✦ Communications
✦ Desktop configuration (menus, shortcuts, icons, access to folders, and so on)
✦ Access to information (such as access to the Internet)
✦ Cultural and regional options
✦ Accessibility
✦ Access to software/applications
✦ Access to data
Not only are there more factors or “opportunities” for change control in this top layer,
but also it is the most vulnerable of the layers. While certain parts of the operating
system and the lower layers provide a barrier to entry due to their complexity, this
does not mean that change control should be any more lax or less important. The
more obscure the service, regardless of the layer it resides in, the higher the risk of
a skilled attacker doing undetectable and lasting damage. However, it goes without
saying that the biggest threat to the stability or health of IT/IS systems comes from
users. Most of the time, it is just a case of “curiosity killed his computer” (remember
Dave). But users also generate security threats, introduce viruses, download hostile
applications (most of the time unwittingly), and so on.
The User
First, the term user rarely refers to a single biological unit. This is why we have
security groups, as discussed in Chapter 10. As soon as you define or categorize
the levels of user groups that you need to support in your organization, you will
be able to apply change management procedures that can be enforced on those
groups.
If you are involved in client management, you should make an effort to become
a member of the change control team. You should also get to know your users,
the type of software and applications they need, and how they work with, treat,
and interact with their computers.
There are two main types of user or worker, as discussed in the following list:
✦ Knowledge workers: Your knowledge workers are usually the workers who are
applying a particular skill set or knowledge base in their job. These people are
your engineers, technical support people, accountants, lawyers, designers, and
so on. Knowledge workers usually have a permanent office. These people use
their computers for most of the day. Their machines are constantly in use,
and losing them would be costly for the company. They can be considered
advanced users.
✦ Task-oriented workers: These workers are data entry personnel, receptionists,
office assistants (to varying degrees), order takers, and so on. Most of these
users would not need more than a terminal and a terminal service account to
perform their duties. These users can be considered your basic users.

The two main types of user are further broken down into the following categories
(by computer resource used):
✦ Stationary (office) workstation user: This user (usually a knowledge worker)
does not need a notebook computer because he or she only needs the machine
at work. This machine is usually a small-footprint workstation running Windows
9x, Windows NT Workstation, or Windows 2000 Professional.
✦ Remote workstation user: This worker connects to the network from home or
a remote office, over a WAN connection or modem. The user still uses a fixed
desktop computer because he or she does not move around.
✦ Notebook/docking station user: This user uses his or her computer at work
and at home. The user is usually accommodated with a docking station at
home and at the office, which makes it easier to connect and disconnect from
the network.
✦ Multi-user workstation: This computer does not belong to any specific user.
Users making use of this resource are usually guests, users that move around
from location to location, temp staff, shift staff (such as call center or
customer service representatives), and so on.
✦ Mobile computer: This is usually a notebook or laptop computer, sans docking
station, that spends most of its life in a carrying case stuffed inside the cubby
of a jetliner. Mobile users can either connect to the office from the road (such
as a hotel or conference center) or from branch locations where they will be
able to connect to the corporate network.
In each of these cases, you will need to establish workstation and user management
policy with respect to each user and computer. Also note that it often makes more
sense to further tag your user as being advanced or basic in the literacy level of
computer usage. We have had knowledge workers who cause endless problems for
the administrators, and basic workers who should be writing software instead of
using it.
Create a list or database of these categories and in each category list a computer
name and a user name (pay close attention to these lists because we will return to
them later). For example:
Mobile Computers
✦ Mobile Computer Accounts
1. MCPD98
2. MCPD99
3. MCPD100
4. MCPD101
✦ Mobile Computer Users
1. Henry R. James
2. Catherine H. Anderson
3. Jill J. Smith
4. Michael F. Wolf
User Applications
You now need to create another list underneath each user that determines what each
requires in terms of software and hardware to perform his or her functions. You will
create two lists. The first is for basic users who need no more than the standard
applications adopted by the enterprise. For example, if your company has adopted
Microsoft Exchange 2000, then Outlook 2000 will be on that list, as will MS Word,
Excel, and other applications . . . if the company has standardized on Microsoft
Office components, which is very common.
A second list next to the first one will be an advanced user choice list. The user (if
policy allows) will be able to choose a specialized list of software for which he or she
must justify deployment. This justification, by the way, is presented to change control
or management for review. A good example is a software engineer who is hired to
create a certain application. He or she will then request that a development tool or
component be installed or made available to complete the task.
Managing software is a daunting task for anyone. In a small organization, one person
can typically be saddled with the job of managing anywhere in the region of 10 to 20
applications. In large companies, the number of software components can run into
the thousands. Defining and enforcing policy regarding installation and configuration
of applications is thus critical. Why do you have to do this? Consider the following if
you allow users to install their own applications:
✦ The application may be unstable and could damage existing systems. For
example: During the early beta testing of Windows 2000 Professional, a
technical support engineer at one of our clients installed the Release
Candidate 3 code on his workstation to check it out. The code corrupted
the databases belonging to help desk and shut down the call center for
three days.
✦ Applications may not be legally obtained. If you do not enforce change control
policy, your enterprise may be risking lawsuits and criminal charges. You cannot
claim ignorance of users using illegal or pirated software. Your boss goes away
for 20 years or more if your users steal software.
✦ The act of installing the software can introduce viruses and security risks to
the network. If the user installs from a source on the Internet, there is the
risk that the download may bring with it hostile applications. We have seen
backdoor viruses pop out of downloaded zip files and kill a machine in under
a minute.
✦ Increased cost of support. Users are likely to run into problems and will come
to you for help with an application you likely know nothing about. It is amazing
how the network or server administrator is expected to know everything about
every application that has ever been invented.
Application Management
Another category in addition to applications is application management and
configuration. This involves determining and managing the deployment process,
local and remote installation, configuring the software, user education, user
support, and so on. Windows 2000 provides nifty services to manage deployment
and configuration.
Information for Workstation Lockdown
You now have a lot of information with which to determine how best to lock down
workstations. Let’s recap what you know, or should know, before you learn about
Group Policy:
1. You should know what type of user you support.
2. You should know the category of workstation the user uses.
3. You should also know what applications are required and how they are used
(usage level). For example: Is the user advanced or basic?
4. You should know the list of applications your classes of users need.
In addition to this list, it is imperative to understand the following information
before you can begin to determine how best to lock down a workstation.
1. Have users logged onto their computers as the local administrator? This is
common practice on NT workstations because it is not possible to log on as a
domain user in an offline state, or if a domain controller cannot be found. If
users have access to the local account and registry, they may circumvent
change management policy. Decide which users fall into this category and
which may be candidates to obtain a Windows 2000 desktop or session.
2. Do your users install their own unauthorized software on their computers? If
you do not have policy to control this malady in an enterprise, you need to
formulate this policy as soon as possible.
3. Do your users store data on their own workstations? If they do, you need to
plan or devise a strategy to have them move the data to network share points
or folder resources published in Active Directory folders. Understand that
the data is at risk in such practice, because workstations do not typically get
backed up, which means data can be lost when a computer crashes or is
stolen. In Windows 2000, we talk about folder redirection, which is a way of
making sure that a user’s documents or data folders reside on the server
where the data is backed up. More about this later.
4. How often do users call with “broken” workstations or desktop configurations?
A broken configuration is usually the outcome of a user trying to
install his or her software or hardware on the machine. Another form of
broken configuration results from users tampering with the operating
systems, fiddling with registry settings, Control Panel applets, and so on.
The problem stems from users who have a false sense of security because
they have a home computer they have mastered. They then eschew policy
that strips them of that power at work. However, only your administrators,
and only a few at that, or power users who are testing software as part of
change management board activity, should have such rights over the
enterprise or corporate computer property. The risk of a change causing
damage to the workstation or network services is just too high to be up
for discussion with users who consider themselves king of computers.
Windows 2000 Group Policy
The change control tool on Windows 2000 is the Group Policy Editor (GPE). As illustrated
in Figure 11-2, this application is an MMC snap-in from which policy can be
applied to the security principals (computers, users, and groups) of a Windows
2000 network. And as discussed earlier, Group Policy can be applied to items such
as security management and hardware configuration as well.
Figure 11-2: The Group Policy Editor snap-in
Group Policy is applied by creating an object that contains the properties that extend
control of the computer and user’s access to network and machine resources. This
object is known as the Group Policy Object or GPO. When a security principal is a
member of a container that is associated (linked) to the GPO, that security principal
falls under the influence of that GPO. When a container is linked to multiple GPOs,
the result is that the effects of all GPOs on the linked container are merged. This is
illustrated in Figure 11-3.
Figure 11-3: Multiple Group Policy Object policies merge to affect the container.
Sophisticated object-oriented engineering is at work in the GPO application
process. The Group Policy architecture is complex, spans hundreds of pages, and is
beyond the scope of this book. It is, however, well worth studying if you are an
engineer at heart, because such advanced knowledge can only make you a better
server or network administrator. You can search for the GPO architecture papers
on the Microsoft Web site.
Group Policy is not applied directly to an individual security principal (although you
can attain such granular control by creating specific OUs), but rather it is applied to
collections of security principals. As you are aware, there are three places where
security principals gather under one roof on a Windows 2000 Network: the site, the
domain, and the organization unit. As GP applies to all three types of containers, you
can refer to this as a GP hierarchy.
Note: Windows 2000 Group Policy is vast and extremely powerful. It will take some getting
used to, and you will need to spend a lot of time trying different things, as you
will later see. In large companies, the role of managing GP should be assigned to
individuals, possibly members of the Change Management Board. Managing GP can
easily become a full-time occupation for an administrator. GP will become your main
technology with which to manage change, user configuration and desktop settings,
workstation lockdown security, software installation, and so on.
GPOs have more than 100 security-related settings and more than 450 registry-based
settings, and the GP technology can also be extended or enhanced with
certain APIs. Specifically, GP technology provides you with the following
functionality:
✦ The GPO is configured and stored in Active Directory, or it can be defined as a
local policy object. Standalone computers are secured or locked down with local
GPOs. GP, however, depends on Active Directory.
✦ You apply GPOs to users and computers in AD containers (domains, sites,
and OUs).
✦ The GPO is secure. You can lock down a GPO just like any other object in
Windows 2000 (by now, you should be familiar with the Security tab on the
property page of any object).
✦ The GPO can be filtered or controlled by membership in security groups.
This, in fact, speeds up application of policy on the membership of the
security group.
✦ The GPO is where the concentration of security power is located on Windows
2000 networks.
✦ The GPO is used to maintain Microsoft Internet Explorer.
✦ The GPO is used to apply logon, logoff, and startup scripts.
✦ The GPO is used to maintain software and software installation.
✦ The GPO is used to redirect folders (such as My Documents).
✦ The GPO does not expose the user profile to tampering when policy is
changed, as was the case with Windows NT 4.0.
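As an added example (not code from the book or from Microsoft), the following Python model shows how GPOs linked at the site, domain, and OU levels merge into a resultant set of policy for one principal, and how security-group filtering keeps a GPO from applying to principals outside the group. It assumes the standard application order of site, then domain, then OUs from the domain root down, with a later-applied GPO overriding an earlier one on a conflicting setting; the site, domain, OU, GPO, setting, and user names are all constructed.

```python
"""Resultant set of policy for a principal from GPOs linked at site, domain and OU.

Added example, not the book's or Microsoft's code. Assumed model: GPOs apply in
the order site, domain, then OUs from the domain root down to the principal's
OU; GPOs linked to one container apply in the order listed; when two GPOs set
the same setting, the one applied later wins. A GPO with a non-empty
apply_groups set is filtered by security group and only applies to principals
in at least one of those groups. All names and settings below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                   # setting name -> value
    apply_groups: set = field(default_factory=set)   # empty: applies to everyone


@dataclass
class Container:
    name: str
    kind: str                                        # "site", "domain" or "ou"
    gpos: list                                       # linked GPOs in application order


@dataclass
class Principal:
    name: str
    groups: set                                      # security groups the principal is in
    site: Container
    domain: Container
    ou_path: list                                    # OUs from domain root to the principal's OU


def gpo_applies(gpo: GPO, principal: Principal) -> bool:
    """Security-group filtering: an unfiltered GPO applies to every principal in
    scope; a filtered GPO applies only if the principal is in a listed group."""
    return not gpo.apply_groups or bool(gpo.apply_groups & principal.groups)


def resultant_policy(principal: Principal):
    """Merge every in-scope GPO in application order. Returns (settings, trace),
    where trace records which GPO, linked where, supplied each final value."""
    ordered = [principal.site, principal.domain, *principal.ou_path]
    settings, trace = {}, {}
    for container in ordered:
        for gpo in container.gpos:
            if not gpo_applies(gpo, principal):
                continue
            for key, value in gpo.settings.items():
                settings[key] = value                # later GPO overrides earlier one
                trace[key] = f"{gpo.name} (linked at {container.kind} {container.name})"
    return settings, trace


def build_example():
    """Constructed sample hierarchy: one site, one domain, one OU of brokers."""
    site = Container("Miami", "site", [
        GPO("Site Baseline", {"ProhibitControlPanel": False,
                              "ScreenSaverTimeoutSec": 900}),
    ])
    domain = Container("corp.example", "domain", [
        GPO("Default Domain Policy", {"ScreenSaverTimeoutSec": 600,
                                      "RedirectMyDocuments": True}),
    ])
    brokers = Container("Brokers", "ou", [
        # Locks the desktop down for everyone in the OU (the Dave problem).
        GPO("Broker Lockdown", {"ProhibitControlPanel": True,
                                "AllowUserSoftwareInstall": False}),
        # Filtered: only members of the Developers group get this relaxation.
        GPO("Developer Tools", {"AllowUserSoftwareInstall": True},
            apply_groups={"Developers"}),
    ])
    dave = Principal("Dave", {"Domain Users"}, site, domain, [brokers])
    jill = Principal("Jill", {"Domain Users", "Developers"}, site, domain, [brokers])
    return dave, jill


if __name__ == "__main__":
    for who in build_example():
        settings, trace = resultant_policy(who)
        print(f"Resultant policy for {who.name}:")
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  <- {trace[key]}")
```

Running it shows Dave locked out of Control Panel by the OU-level GPO even though the site baseline allowed it, while Jill additionally receives the group-filtered developer setting.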
Types of Group Policy
Group Policy has influence over just about every process, application, or service on
a Windows 2000 network. Both servers and workstations are influenced by GP, but
unless you deploy Windows 2000 Professional on the desktop, GP will not be pervasive
throughout the enterprise. Windows 9x and NT 4.0 Workstations are not influenced
to the same extent as Windows 2000 clients because client-side extensions are not
present in these legacy desktop operating systems.
This means that a network consisting of many different versions of Windows (in
some cases, as many as five versions) is also going to be less secure, or at least
not as manageable. Obviously, a hard-to-manage or control network is going to be
a lot more expensive to maintain in the long run. The initial cost of upgrading to
Windows 2000 throughout the enterprise will pay off in the long run. In terms of
security, such as being able to stave off a hacker thanks to encryption or being
able to save critical data thanks to folder redirection — and there are many more
examples — you can not only save a bundle going “native,” you may even save the
company. The more versions you eliminate, the more secure and more manageable
life is going to be for you.
There are many different types of Group Policy “collections.” The following list
describes the “intent” of these collections (the term “policy collection” is not a
Microsoft term as far as we know, but it is useful for describing the policy types).
✦ Application deployment: These policies are used to govern user access to
applications. Application deployment or installation is controlled or managed
in the following ways:
• Assignment: GP installs or upgrades applications and software on the client
computers. The assignment can also be used to publish an icon or shortcut
to an application and to ensure that the user cannot delete the icon.
• Application publication: Applications can be published in Active
Directory. These applications are then “advertised” in the list of
components that appears when a user clicks the Add/Remove icon
in Control Panel.
✦ File deployment: These policies let you place files in certain folders on your users'
computers. You can, for example, take aim at a user's My Documents folder and
provide him or her with the files needed to complete a project.
✦ Scripting: These policies let you select scripts to run at predetermined
times. They are especially useful for ensuring that scripts are processed during
startup and shutdown, or when a user logs off a machine and a new user logs
on to the same machine (refer to the earlier discussion in this chapter on the
different types of users). Windows 2000 can run VBScript and JScript files, any
other scripting language with a Windows Script Host engine, and conventional
batch files.
✦ Software: These policies allow you to configure software on user workstations
on a global or targeted scale. This is achieved by configuring settings in user
profiles, such as the desktop settings, Start menu structure, and the other
application menus.
✦ Security: Perhaps no other collection in Windows 2000 is as important as the
security policies, given that in current times, the next hacker who wipes out
the assets could be the kid next door.
Besides eventually reducing the total cost of ownership (by lowering the cost of
administration), Group Policy comes with a piece of advice you should consider.
It exists not to create problems for users and administrators, but to secure the
environment and to enhance the work and user environment. You thus need to be
sure that you have the wherewithal to balance the two needs, or you could end up
with cold pizza instead of rare sirloin for dinner.
In your endeavors to secure the environment, you will no doubt come across con-
flicts that violate the tenet to maintain a "user friendly" environment. Going wild on
password length is a good example. If you set the minimum password length too high
to increase security, users will not only get peeved, they will also start sticking the
passwords on their monitors because they are hard to remember. That is not security.
If you must have tight security, your choice in such a matter might be to take the
security need to management and suggest smart cards or biometrics, or to demand
the long passwords only of the few accounts that really warrant them. Remember
that locking down an environment should not lock out the user at the same time.
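The following is an added example and is not code from the book. It audits the domain's default password policy against a baseline, counts the accounts that already log on with a smart card (for which password length is moot), and shows how to put a long password requirement on a privileged group only, through a fine-grained password policy, instead of on every user. It requires the ActiveDirectory module (RSAT) in a domain-joined session with rights to read, and optionally write, the policy; the thresholds, the group name and the PSO name are assumptions.

```powershell
# Added example, not code from the book. Audit the default domain password
# policy, then (optionally) attach a stricter fine-grained policy to a
# privileged group rather than to everybody. Requires the ActiveDirectory
# module; thresholds, group and PSO names below are assumptions.
Import-Module ActiveDirectory

$WantedMinLength = 12             # assumed baseline for ordinary users
$WantedLockout   = 10             # assumed: lock after at most this many bad tries
$PrivilegedGroup = 'Domain Admins'
$psoName         = 'PSO-PrivilegedAccounts'
$Apply           = $false         # flip to $true to actually create the PSO

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if ($policy.MinPasswordLength -lt $WantedMinLength) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength), wanted at least $WantedMinLength"
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'ComplexityEnabled is off'
}
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $WantedLockout) {
    $findings += "LockoutThreshold is $($policy.LockoutThreshold), wanted 1..$WantedLockout"
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += 'ReversibleEncryptionEnabled is on (passwords are recoverable in clear)'
}

if ($findings.Count -eq 0) {
    Write-Host 'Default domain password policy meets the baseline.'
} else {
    Write-Host 'Default domain password policy findings:'
    $findings | ForEach-Object { Write-Host "  - $_" }
}

# Accounts that already require a smart card for interactive logon: for these,
# the password-length argument does not arise at all.
$scUsers = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Properties SmartcardLogonRequired
Write-Host ('Accounts with smart card required for interactive logon: {0}' -f @($scUsers).Count)

# Put a 20-character minimum on the privileged group only, via a fine-grained
# password policy (PSO). The lowest Precedence wins if several PSOs apply.
if ($Apply) {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
            -MinPasswordLength 20 -ComplexityEnabled $true `
            -LockoutThreshold 5 -LockoutDuration '0.00:30:00' `
            -LockoutObservationWindow '0.00:30:00' `
            -MaxPasswordAge '90.00:00:00' -PasswordHistoryCount 24 `
            -ReversibleEncryptionEnabled $false
        Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $PrivilegedGroup
    }
    Write-Host "Applied $psoName to $PrivilegedGroup."
} else {
    Write-Host "Dry run: set `$Apply = `$true to create $psoName for $PrivilegedGroup."
}
```

Run it first as a dry run from an account that can read the domain policy; the findings list is what you would take to management. Fine-grained password policies need a domain functional level of Windows Server 2008 or later, so they are not available on the Windows 2000 domains this chapter describes, where the only option is the one policy in the Default Domain Policy GPO.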
The environment can be enhanced in many different ways. When users need access
to new software, which of the following three methods of delivery is more pleasing
or enhancing to the user, from the user's perspective?
1. Waiting hours or days for the administrator to show up at your desk with the
new software.
2. Being asked to log on to a network distribution point and install the software
yourself.
3. Taking a break while the software mysteriously installs itself onto your
machine with seemingly no human intervention.
Enhancing the users’ environment also means helping them easily locate applications,
intelligently redirecting folders or mapping their folders to resources, and automating
processes during the twilight times of the workstation, logoff and logon.
Before you study how Group Policy works, you should at least take some time to
get familiar with the technology.
The Elements of Group Policy
A programmatic discussion of the elements is beyond the scope of this book. However,
it helps to understand the various elements with which you interact. Several compo-
nents make up GP from the administrator’s perspective. These components include
the following:
✦ The Group Policy Object
✦ Active Directory containers
✦ Group Policy links
✦ The Policy or Group Policy
✦ Explain text
✦ The Group Policy Editor
✦ Computer Configuration and User Configuration nodes
✦ GP Containers and GP Templates
✦ The gpt.ini file
The Group Policy Object
The Group Policy Object or GPO is the object that contains Group Policy properties.
The GPO is really a container, at the highest level, in which properties or attributes
are stored. Policy is conveyed by association with a GPO . . . that is, its properties
"rub off" on the user and computer objects contained inside a GP target. GPOs have
to be created, named, and linked to a particular container (a site, domain, or
organizational unit) before their policies take effect on anything.
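The following is an added example and is not code from the book. It walks through the life of a GPO as just described: create the object, put one setting in it, link it to an organizational unit so that the setting rubs off on the users inside, and then check that the two halves of the GPO, the GP container in Active Directory and the GP template in SYSVOL with its gpt.ini file, agree on the version number. It requires the GroupPolicy module (RSAT) in a domain-joined session with rights to create and link GPOs; the GPO name and the OU distinguished name are assumptions.

```powershell
# Added example, not code from the book. Create, populate, link and verify a
# GPO. Requires the GroupPolicy module; the GPO name and OU are assumptions.
Import-Module GroupPolicy

$GpoName  = 'Brokers - Desktop Lockdown'
$TargetOU = 'OU=Brokers,DC=example,DC=com'

# 1. The GPO is only a container of settings; nothing applies until it is linked.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Keeps Control Panel out of reach of power users'
}

# 2. One user-side setting: "Prohibit access to Control Panel", which is stored
#    as NoControlPanel = 1 under the Policies\Explorer key.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 3. Linking is what makes the setting rub off on the users in the OU.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Version check. The GP container (AD) and the GP template (SYSVOL) each
#    carry a version number; gpt.ini packs both into one value with the user
#    version in the high 16 bits and the computer version in the low 16 bits.
$gpo    = Get-GPO -Name $GpoName
$gptIni = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\gpt.ini"

$raw = [int64]0
foreach ($line in Get-Content -Path $gptIni) {
    if ($line -match '^Version=(\d+)\s*$') { $raw = [int64]$Matches[1]; break }
}
$iniUser     = $raw -shr 16
$iniComputer = $raw -band 0xFFFF

'{0,-10} {1,10} {2,14} {3,10}' -f 'Side', 'DSVersion', 'SysvolVersion', 'gpt.ini'
'{0,-10} {1,10} {2,14} {3,10}' -f 'Computer', $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion, $iniComputer
'{0,-10} {1,10} {2,14} {3,10}' -f 'User',     $gpo.User.DSVersion,     $gpo.User.SysvolVersion,     $iniUser

if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
    $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
    Write-Warning "AD and SYSVOL versions differ for '$GpoName': replication lag, or a stale or altered SYSVOL copy."
}
```

A version mismatch that persists after replication has had time to settle is worth investigating, because clients apply the SYSVOL copy of the template, and an altered template is one way a GPO can deliver something other than what the directory says it contains. On a Windows 2000 domain the same check can be made by hand by comparing the versionNumber attribute of the policy object in Active Directory with the Version line in the corresponding gpt.ini.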