2. Creating and managing Group Policy Objects
GPOs are created using the Group Policy Management console in Server Manager. To create a new GPO, perform the following tasks:
- Log on to a DC and open Server Manager.
- Expand the nodes Features | Group Policy Management | <your forest name> | Domains | <your domain name>.
- Right-click an OU where you want to create a new GPO and select the option Create a GPO in this domain and link it here. Optionally, you could right-click on the Domain itself if you wanted to assign the GPO to the entire domain.
- Enter a name that describes the use of this policy, for example, HR Computer Policy. The new policy will appear under the OU you selected to apply it to (see Figure 2).
- Right-click on the newly created policy and select Edit.
- The GPO management editor window will open. Here, you can configure specific settings for users and computers. In our example, we will configure the HR GPO to turn on BranchCache, as seen in Figure 3. After editing the setting, close the GPO management editor window.
- The new GPO will now apply to all computers in the HR OU, as seen in Figure 4.
We will now assume that we have a VPs OU whose members must not receive the new settings. To prevent the GPO from being applied to them, we need to block inheritance. Blocking inheritance tells the OU not to apply any GPOs linked at its parents (unless those links are enforced). To block inheritance on the VPs child OU, right-click the OU and select the option Block Inheritance. You should now notice that a blue exclamation mark appears over the OU, as seen in Figure 5.
3. Troubleshooting Group Policy
Group Policy can be one of the toughest technologies to troubleshoot in an AD deployment. Luckily, Microsoft has provided some good tools to assist with troubleshooting issues.
GPUPDATE and GPRESULT
GPUPDATE and GPRESULT are two command-line utilities you can run from a machine to perform a Group Policy update or display the results of the currently applied GPOs.
- GPUPDATE can be used to update the current computer's Group Policy settings. By issuing the /force parameter, GPUPDATE will force a fresh push of all policies down to the specific user and computer, not just the ones that have changed.
- GPRESULT can be used to display currently applied GPOs and those that have been filtered out due to security settings or other configurations. If you do not see changes taking effect after creating a new GPO, run GPRESULT on the machine, or as the user, the policy is applied to. If the GPO does not show up as applied, then you need to troubleshoot possible security misconfigurations on the GPO.
Resultant Set of Policies and modeling tools
The Resultant Set of Policy (RSoP) can be used to help iron out GPO conflicts. RSoP takes a specific user and computer and provides a report of which policies will be applied if the selected user logs on to the selected computer. RSoP can be very powerful in verifying your GPO configuration as well as in troubleshooting issues.
The Modeling tool is helpful when you are still planning your GPOs. It allows you to walk through "what-if" scenarios for deploying Group Policy before anything is linked, and is especially useful for predicting the effect of blocking inheritance and enforcing GPOs.
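The same procedure from section 2 (create the HR GPO, link it, enable BranchCache, block inheritance on the VPs OU) followed by the verification steps from section 3, as an added PowerShell example that is not part of the original text. It uses the GroupPolicy module cmdlets; the domain name, OU paths, computer and user names are assumed, and the registry value is assumed to be the one the "Turn on BranchCache" template writes.

```powershell
# Added example: GroupPolicy module equivalent of the GUI steps above.
# Run in an elevated PowerShell session on a DC (or a box with RSAT).
Import-Module GroupPolicy

# Assumed names; replace with your own domain and OU structure.
$Domain  = "corp.example.com"
$HrOu    = "OU=HR,DC=corp,DC=example,DC=com"
$VpsOu   = "OU=VPs,OU=HR,DC=corp,DC=example,DC=com"   # child OU of HR
$GpoName = "HR Computer Policy"

# 1. Create the GPO (idempotent) and link it to the HR OU
#    (GUI: "Create a GPO in this domain, and Link it here").
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment "Turns on BranchCache for HR computers"
}
$linked = (Get-GPInheritance -Target $HrOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $HrOu -Domain $Domain -LinkEnabled Yes | Out-Null
}

# 2. Configure the setting (GUI: Edit the GPO, enable "Turn on BranchCache").
#    Assumption: this is the registry value that administrative template sets.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service" `
    -ValueName "Enable" -Type DWord -Value 1 | Out-Null

# 3. Block inheritance on the VPs OU so GPOs linked at HR (or the domain)
#    are no longer applied there, unless a link is marked Enforced.
Set-GPInheritance -Target $VpsOu -IsBlocked Yes | Out-Null

# 4. Verify what each OU now inherits (the view behind Figures 4 and 5).
foreach ($ou in $HrOu, $VpsOu) {
    $inh   = Get-GPInheritance -Target $ou
    $names = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ", "
    "{0}: inheritance blocked={1}; effective GPOs: {2}" -f $ou, $inh.GpoInheritanceBlocked, $names
}

# 5. Troubleshooting from section 3. On the HR client itself run:
#      gpupdate /force          (refresh all policy, not only changed settings)
#      gpresult /r /scope computer   (list applied and filtered GPOs)
#    Or pull an RSoP logging-mode report for a given computer/user from here:
Get-GPResultantSetOfPolicy -Computer "HR-PC01" -User "corp\jdoe" `
    -ReportType Html -Path "$env:TEMP\rsop-hr.html"
```

If the GPO is listed under the HR OU but missing from the client's gpresult output, check the GPO's Security Filtering and WMI filters before touching the link itself.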