Playing Well in Groups

My vote for the Windows 2000 feature that will be the most popular with domain administrators goes to Group Policy. It’s an undeniably cool idea, and it’s also tremendously useful.

The basic notion is straightforward: An administrator can centrally specify and apply policies that should be applied to groups of users and computers -- such as where a user’s My Documents folder is stored, how long passwords must be, what commands are available on the desktop, what the wallpaper on a user’s screen looks like, and many, many more -- through the Windows 2000 Group Policy mechanism. To do this, the administrator creates one or more group policy objects (GPOs), each containing some set of policies. Each GPO can then be associated with an entire Windows 2000 domain or with some subset of that domain. Once this is done, all users and computers in that domain or subset will have those policies applied.

One of the most useful aspects of Group Policy is the ability to centrally configure which applications are visible to individual users. Rather than manually installing relevant applications on each desktop, an administrator can make an application visible via GPOs. If a particular application is "assigned" to a group of users or computers, it will appear as if it’s already installed. In fact, the application is located via Active Directory and is automatically installed the first time it’s accessed. A "published" application, on the other hand, must be installed explicitly by users through the Add/Remove Programs tool. But like assigned applications, published applications are located via Active Directory -- there’s no need to manually insert a disk containing the app on each desktop machine.

Group Policy is a good example of the kinds of things a centralized directory service makes possible. We’ve waited a long time for Microsoft to ship a directory -- and of course, we’re still waiting -- but once Windows 2000 is released, I expect plenty of software will ship that exploits Active Directory, from Microsoft and other vendors. Group Policy is also a big part of what Microsoft used to refer to as Zero Admin Windows, or ZAW. That term is now deprecated, but the goal of making Windows desktops easier to administer remains. Microsoft’s apparent commitment to doing this is just about the only good thing to come out of the short-lived enthusiasm for Java-based network computers (NCs). While NCs seem to have died a quick death, they did scare Microsoft enough to motivate the creation of things like Group Policy.

As always, there are some potential negatives. For example, Group Policy only works with systems running Windows 2000. Getting its full benefit will require upgrading all of your desktops and servers, something that’s just not feasible in the short term for many organizations. Also, I expect to see some resistance from end users who will no longer have complete control over their desktops. Group Policy allows the kind of Stalinist approach that warms the hearts of administrators, but tends to leave some users angry.

Finally, as with most powerful technologies, Group Policy can be remarkably complex. It’s possible, and even useful, to create many GPOs and assign them to different, nested parts of a domain. By default, policies are inherited from higher in a domain’s hierarchy, which provides a straightforward way to exert centralized control. Inheritance can be blocked for parts of the hierarchy, however, so figuring out exactly which policies apply to a given user or computer can be difficult.

One of the designers of GPOs pointed out to me that this level of flexibility -- and complexity -- was exactly what large customers were requesting. A year from now, when you’ve spent an entire day trying to debug some anomaly in your newly deployed Group Policy configuration, keep this point in mind. Remember, you asked for this. -- David Chappell is principal of Chappell & Associates (Minneapolis), an education and consulting firm. Contact him at

Must Read Articles