An important difference between Windows NT system policies and Windows Server 2003 group policies is the ability that users had to, in effect, change or bypass system policies, limiting their security and in many ways their effectiveness. Users could open the Registry Editor and change registry settings defined by the system policy, negating the effect of the system policy (or at least the portion of the policy that related to the modified registry setting). Windows NT system policies also caused problems when a user’s group membership changes, because elements of the system policy may have conflicted with the user’s new needs and responsibilities. Overcoming the problem required directly modifying the user’s registry or applying a different system policy through the user’s profile, both of which required manual intervention either by the user or by an administrator.

Windows Server 2003 group policies can be applied based on site, domain, and organizational unit, and they can be further controlled through security group membership. This means that Windows Server 2003 group policies apply automatically and follow the user automatically. If the user moves to a different security group or other container in the AD, the group policies that apply to that group or container automatically apply to the user at the next logon. Restrictions and other policy settings defined by the user’s old group membership are replaced automatically by the new policies.

Given the exceptional degree of control as well as ease and flexibility for administration that Windows Server 2003 group policies provide, upgrading to Windows Server 2003 has become much more attractive and cost effective.