Implementing a GPO
The tasks for implementing a GPO are:
1. Creating a GPO
2. Creating an MMC for the GPO
3. Delegating administrative control of the GPO
4. Configuring Group Policy settings for the GPO
5. Disabling unused Group Policy settings
6. Indicating any GPO processing exceptions
7. Filtering the scope of the GPO with security groups
8. Linking the GPO to a site, domain, or OU
Creating a GPO
The first step in implementing a Group Policy is to create a GPO. Recall that a GPO is a collection of Group Policy settings.
To create a GPO, complete the following steps:
1. Determine whether the GPO you’re creating will be linked to a site, domain, or OU. If the policy will be linked to a site, open Active Directory Sites And Services. If the policy will be linked to a domain or OU, open Active Directory Users And Computers.
2. Right-click the site, domain, or OU for which you want to create a GPO, and then click Properties.
3. In the Properties dialog box for the object, click the Group Policy tab. In the Group Policy tab, shown in Figure 1, click New, and then type the name you would like to use for this GPO. By default, the new GPO is linked to the site, domain, or OU in which it was created, and its settings will therefore apply to that site, domain, or OU.
4. Click Close.
Creating an MMC for a GPO
After you create a GPO, you can create an MMC to manage it. When you create an MMC for a GPO, you can open it whenever necessary from the Administrative Tools menu.
To create an MMC for a GPO, complete the following steps:
1. Click Start, and then click Run.
2. In the Run dialog box, type mmc in the Open box and then click OK.
3. In the new MMC, on the File menu, click Add/Remove Snap-In.
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-In dialog box, select Group Policy Object Editor and then click Add.
6. In the Select Group Policy Object page, click Browse to find the GPO for which you want to create an MMC.
7. In the Browse For A Group Policy Object dialog box, click the All tab, click the GPO name, and then click OK.
8. In the Select Group Policy Object page, click Finish, and then in the Add Standalone Snap-In dialog box, click Close.
9. In the Add/Remove Snap-In dialog box, click OK.
10. In the MMC, on the File menu, click Save As.
11. In the Save As dialog box, type the GPO name in the File Name box and click Save. The GPO is now available on the Administrative Tools menu.
Note: Windows Server 2003 has two Administrative Tools menus: one on the Start menu and one on the Start\All Programs menu. Where you save a newly created console will determine whether the console will appear in the Administrative Tools menus. If you save a console in the Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools folder, the console will be available on the Start\All Programs\Administrative Tools menu. If you save a console in the Documents and Settings\All Users\Start Menu\Programs\Administrative Tools folder, the console will be available on both the Start\Administrative Tools menu and the Start\All Programs\Administrative Tools menu.
Delegating Control of a GPO
After you create a GPO, it is important to determine which groups of administrators have access permissions to the GPO. The default permissions on GPOs are shown in Table 1.

Table 1. Default GPO Permissions

Security group | Default settings
---|---
Authenticated Users | Read, Apply Group Policy, Special Permissions
Group Policy Creator Owners (also shown as CREATOR OWNER) | Special Permissions
Domain Admins | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Admins | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
ENTERPRISE DOMAIN CONTROLLERS | Read, Special Permissions
SYSTEM | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
By default, only the Domain Admins, Enterprise Admins, and Group Policy Creator Owners groups and the operating system can create new GPOs. Nonadministrative users or groups can be given the ability to create GPOs by adding the users or groups to the Group Policy Creator Owners security group. Membership in the Group Policy Creator Owners group gives a user full control of only the GPOs created by the user or explicitly delegated to the user. It does not give a nonadministrative user rights over any other GPOs. If an administrator creates a GPO, the Domain Admins group becomes the Creator Owner of the GPO.
By default, the Default Domain Policy GPO cannot be deleted by any administrator. This prevents the accidental deletion of this GPO, which contains important required settings for the domain.
The GPO-related tasks for which you can delegate control are:
1. GPO editing
2. GPO creation
3. GPO linking
Note: The Delegation Of Control Wizard is not available for automating and simplifying the process of setting administrative permissions directly for a GPO.
To delegate control of GPO editing, complete the following steps:
1. Access the Group Policy Object Editor for the GPO.
2. Right-click the root node of the GPO, and then click Properties.
3. In the Properties dialog box for the GPO, click the Security tab. In the Security tab, shown in Figure 2, click the security group for which you want to allow or deny administrative access to the GPO. If you need to change the list of security groups for which you want to allow or deny administrative access to the GPO, you can add or remove security groups using Add and Remove.
4. To provide administrative control of all aspects of the GPO, set both the Read permission and the Write permission to Allow.
   Important: A user or administrator who has Read permission for a GPO but does not have Write permission cannot use the Group Policy Object Editor to see the settings that it contains. Write access is required to open a GPO.
5. Click OK.
To delegate control of GPO creation, complete the following steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.
2. In the console tree, click Users.
3. In the Name column in the details pane, double-click Group Policy Creator Owners.
4. In the Group Policy Creator Owners Properties dialog box, click the Members tab.
5. In the Members tab, click Add, and then type the name of each user or security group to whom you want to delegate creation rights in the Enter The Object Names To Select box. Click OK.
6. In the Group Policy Creator Owners Properties dialog box, click OK.
7. Execute the procedure for delegating control of GPO linking (shown next). By default, nonadministrators cannot manage links, and unless you execute the procedure for delegating GPO linking, they cannot use the Active Directory Users And Computers console to create a GPO.
To delegate control of GPO linking, complete the following steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.
2. Right-click the OU to which you want to delegate the right to link GPOs, and then click Delegate Control.
3. On the Welcome To The Delegation Of Control Wizard page, click Next.
4. On the Users Or Groups page, click Add.
5. In the Select Users, Computers, Or Groups dialog box, type the user or group for which you want to delegate administration in the Enter The Object Names To Select box and then click OK. Click Next on the Users Or Groups page.
6. On the Tasks To Delegate page, click Delegate The Following Common Tasks, select the Manage Group Policy Links check box, and then click Next.
7. On the Completing The Delegation Of Control Wizard page, review your selections. Click Finish.
Important: Delegated control is inherited by all child containers below the container to which control is delegated.
Note: Delegation across forests is supported for managing GPO links. Other tasks—such as creating, deleting, or modifying GPOs across forests—are not supported. This is a new feature of the Windows Server 2003 family.
Configuring Group Policy Settings
After you create a GPO and determine the administrators who have access permissions to the GPO, you can configure the Group Policy settings.
To configure Group Policy settings for a GPO, complete the following steps:
1. Open the Group Policy Object Editor for the GPO, as shown in Figure 3.
2. In the console tree, expand the node that represents the policy setting you want to configure. For example, in Figure 3, the User Configuration, Administrative Templates, and Start Menu And Taskbar nodes are expanded.
3. In the details pane, right-click the setting that you want to configure and then click Properties.
4. In the Properties dialog box for the Group Policy setting (an example is shown in Figure 4), click Enabled to apply the setting to users or computers that are subject to this GPO and then click OK. Not Configured indicates that no change will be made to the setting. Disabled means that the registry will indicate that the setting does not apply to users or computers that are subject to this GPO.
Disabling Unused Group Policy Settings
If the Computer Configuration or User Configuration node for a GPO has only settings that are Not Configured, you can prevent the processing of those settings by disabling the node. Disabling unused Group Policy settings is recommended because it expedites startup and logging on for those users and computers subject to the GPO.
To disable the computer configuration or user configuration settings for a GPO, complete the following steps:
1. Access the Group Policy Object Editor for the GPO.
2. Right-click the root node, and then click Properties.
3. In the General tab in the Properties dialog box for the GPO, do one of the following:
   - To disable the computer configuration settings, select the Disable Computer Configuration Settings check box.
   - To disable the user configuration settings, select the Disable User Configuration Settings check box.
4. Click OK.

Exam Tip: Remember that disabling unused User Configuration or Computer Configuration nodes of GPOs will improve startup and logon times because the computer will not process disabled nodes.
Indicating GPO Processing Exceptions
GPOs are applied according to the Active Directory hierarchy: local GPO, site GPOs, domain GPOs, and OU GPOs. However, the default order of processing Group Policy settings can be changed by modifying the order of GPO links for an object, specifying the Block Policy Inheritance option, specifying the No Override option, or by enabling the Loopback setting. This section provides procedures for accomplishing these tasks.
To modify the order of GPO links for an object, complete the following steps:
1. Open the Active Directory Users And Computers console to set the order of GPOs for a domain or OU, or open the Active Directory Sites And Services console to set the order of GPOs for a site.
2. In the console, right-click the site, domain, or OU for which you want to modify the GPO order, click Properties, and then click the Group Policy tab.
3. In the Properties dialog box for the object, in the Group Policy tab, shown in Figure 5, select the GPO for which you want to modify the order in the Group Policy Object Links list. Click the Up button or the Down button to change the priority for the GPO for this site, domain, or OU. Windows Server 2003 operating systems process GPOs from the bottom of the list to the top of the list, with the topmost GPO having the final authority.
4. Click Close.
To specify the Block Policy Inheritance option, complete the following steps:
1. Open the Active Directory Users And Computers console to specify the Block Policy Inheritance option for a domain or OU, or open the Active Directory Sites And Services console to specify the Block Policy Inheritance option for a site.
2. In the console, right-click the site, domain, or OU for which you want to specify the Block Policy Inheritance option, click Properties, and then click the Group Policy tab.
3. In the Properties dialog box for the object, in the Group Policy tab, select the Block Policy Inheritance check box. By checking this box, you specify that all GPOs linked to higher level sites, domains, or OUs should be blocked from being inherited by this site, domain, or OU. You cannot block GPOs that use the No Override option.
4. Click Close.
To specify the No Override option, complete the following steps:
1. Open the Active Directory Users And Computers console to specify the No Override option for a domain or OU, or open the Active Directory Sites And Services console to specify the No Override option for a site.
2. In the console, right-click the site, domain, or OU to which the GPO is linked, click Properties, and then click the Group Policy tab.
3. In the Properties dialog box for the object, in the Group Policy tab, select the GPO and then click Options.
4. In the Options dialog box for the GPO, shown in Figure 6, select the No Override check box to specify that other GPOs should be prevented from overriding settings in this GPO and then click OK.
5. In the Properties dialog box for the site, domain, or OU, click OK.
To enable the Loopback setting, complete the following steps:
1. Access the Group Policy Object Editor for the GPO.
2. In the console tree, expand Computer Configuration, Administrative Templates, System, and Group Policy.
3. In the Setting pane, double-click User Group Policy Loopback Processing Mode.
4. In the User Group Policy Loopback Processing Mode Properties dialog box, click Enabled.
5. Select one of the following modes in the Mode list:
   - Replace, to replace the user settings normally applied to the user with the user settings defined in the computer’s GPOs.
   - Merge, to combine the user settings defined in the computer’s GPOs with the user settings normally applied to the user. If the settings conflict, the user settings in the computer’s GPOs take precedence over the user’s normal settings.
6. Click OK.
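The precedence rules this section describes (site, domain, OU order; link order within a container; Block Policy Inheritance; No Override), as an added Python model that is not part of the original lesson. The hierarchy, GPO names and settings are constructed for illustration, the local GPO is left out, and the model also applies the rule that when several levels use No Override the higher level wins.

```python
from dataclasses import dataclass
# Constructed model of GPO precedence. Containers run from the top of the
# hierarchy (site) down to the OU holding the computer or user; no local GPO.

@dataclass
class Gpo:
    name: str
    settings: dict              # setting name -> value

@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False   # the No Override check box on this link

@dataclass
class Container:
    name: str                   # site, domain, or OU
    links: list                 # Group Policy tab order: index 0 is the topmost link
    block_inheritance: bool = False

def effective_settings(chain):
    """Settings received by a user or computer in the last container of chain."""
    normal = []                 # GPOs applied in order; later entries win
    enforced_per_level = []     # No Override GPOs, one list per container
    for container in chain:
        if container.block_inheritance:
            # Block Policy Inheritance drops every non-enforced GPO linked at a
            # higher level; GPOs that use No Override cannot be blocked.
            normal = []
        level_enforced = []
        # Links are processed from the bottom of the list to the top, so the
        # topmost link has the final authority within a container.
        for link in reversed(container.links):
            (level_enforced if link.no_override else normal).append(link.gpo)
        enforced_per_level.append(level_enforced)
    result = {}
    for gpo in normal:
        result.update(gpo.settings)
    # No Override GPOs are applied last so that nothing below can override
    # them; if several levels enforce, the higher level wins (applied last).
    for level_enforced in reversed(enforced_per_level):
        for gpo in level_enforced:
            result.update(gpo.settings)
    return result

# Constructed sample hierarchy: a site, a domain, and a Sales OU that blocks inheritance.
SITE = Container("HQ-Site", [Link(Gpo("SiteProxy", {"proxy": "hq-proxy", "wallpaper": "site"}))])
DOMAIN = Container("corp.example", [
    Link(Gpo("DomainSecurity", {"min_pwd_len": 8, "wallpaper": "corp"}), no_override=True),
    Link(Gpo("DomainDesktop", {"screensaver": "locked-10min"})),
])
SALES_OU = Container("Sales", [
    Link(Gpo("SalesTop", {"wallpaper": "sales-top"})),
    Link(Gpo("SalesBottom", {"wallpaper": "sales-bottom", "home_page": "intranet"})),
], block_inheritance=True)

if __name__ == "__main__":
    print(effective_settings([SITE, DOMAIN, SALES_OU]))
```

With the Sales OU blocking inheritance, only the enforced DomainSecurity GPO survives from above it, so the wallpaper set by SalesTop is still overridden.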
Filtering GPO Scope with Security Groups
The policies in a GPO apply only to users who have the Read and Apply Group Policy permissions for the GPO set to Allow. However, by default, the Authenticated Users group has Allow Read and Allow Apply Group Policy permissions. This means that by default, all users and computers are affected by the GPOs set for their domain, site, or OU regardless of the other groups in which they might be members. Therefore, there are two ways of filtering GPO scope:
1. Clear the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group, but do not set this permission to Deny. Then determine the groups to which the GPO should be applied and set the Read and Apply Group Policy permissions for these groups to Allow.
2. Determine the groups to which the GPO should not be applied, and set the Apply Group Policy permission for these groups to Deny.

Note: If you deny permission to an object, the user will not have that permission, even if you allow the permission for a group of which the user is a member.
To filter the scope of a GPO, complete the following steps:
1. Access the Group Policy Object Editor for the GPO.
2. Right-click the root node, and then click Properties.
3. In the Properties dialog box for the GPO, click the Security tab, previously shown in Figure 2, and then click the security group through which to filter this GPO. If you need to change the list of security groups through which to filter this GPO, you can add or remove security groups using Add and Remove.
4. Set the permissions as shown in Table 2, and then click OK.
Table 2. Permissions for GPO Scopes

GPO scope | Set these permissions | Result
---|---|---
Members of this security group should have this GPO applied to them. | Set Apply Group Policy to Allow. Set Read to Allow. | This GPO applies to members of this security group unless they are members of at least one other security group that has Apply Group Policy set to Deny, or Read set to Deny, or both.
Members of this security group are exempt from this GPO. | Set Apply Group Policy to Deny. Set Read to Deny. Note: Because denied permissions take precedence over all other permissions, you should use Deny sparingly. | This GPO never applies to members of this security group regardless of the permissions those members have in other security groups.
Membership in this security group is irrelevant to whether the GPO should be applied. | Set Apply Group Policy to neither Allow nor Deny. Set Read to neither Allow nor Deny. | This GPO applies to members of this security group if and only if they have both Apply Group Policy and Read set to Allow as members of at least one other security group. They also must not have Apply Group Policy or Read set to Deny as members of any other security group.
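The scope-filtering rules from the two methods above and from Table 2, as an added Python model that is not part of the original lesson. The group names and ACL entries are constructed; only the Read and Apply Group Policy permissions are modelled, since those are the two that decide whether a GPO applies.

```python
# Constructed model of GPO security filtering: the ACEs on a GPO's Security tab,
# reduced to the two permissions that decide scope.
APPLY = "Apply Group Policy"
READ = "Read"


def gpo_applies(acl, groups):
    """True if the GPO applies to a principal that is a member of `groups`.

    acl: {group_name: {permission: "Allow" | "Deny"}}. A permission set to
    neither Allow nor Deny is simply absent from the group's entry.
    """
    allowed = set()
    for group in groups:
        entry = acl.get(group, {})
        for perm in (READ, APPLY):
            # A Deny from any group the principal belongs to wins outright,
            # whatever the other memberships allow.
            if entry.get(perm) == "Deny":
                return False
            if entry.get(perm) == "Allow":
                allowed.add(perm)
    # Both Read and Apply Group Policy must be allowed through some membership.
    return allowed == {READ, APPLY}


# Default ACEs on a new GPO (Table 1), reduced to Read and Apply Group Policy.
DEFAULT_ACL = {
    "Authenticated Users": {READ: "Allow", APPLY: "Allow"},
    "Domain Admins": {READ: "Allow"},
    "Enterprise Admins": {READ: "Allow"},
}


def filter_to_group(acl, target_group):
    """First method: clear Apply Group Policy for Authenticated Users (do not
    set it to Deny) and allow Read + Apply Group Policy for the target group."""
    new_acl = {g: dict(p) for g, p in acl.items()}
    new_acl["Authenticated Users"].pop(APPLY, None)
    new_acl.setdefault(target_group, {}).update({READ: "Allow", APPLY: "Allow"})
    return new_acl


def exempt_group(acl, group):
    """Second method: Deny Apply Group Policy for a group that must never
    receive the GPO. Table 2 also denies Read; either Deny is decisive because
    denied permissions take precedence over every Allow."""
    new_acl = {g: dict(p) for g, p in acl.items()}
    new_acl.setdefault(group, {})[APPLY] = "Deny"
    return new_acl
```

Clearing (rather than denying) Apply Group Policy on Authenticated Users is what lets a member of the target group still obtain Read through Authenticated Users while Apply Group Policy comes from the target group.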
Linking a GPO
By default, a new GPO is linked to the site, domain, or OU in which it was created, as described earlier in this lesson in the procedure “Creating a GPO.” Therefore, its settings apply to that site, domain, or OU. However, if you want to link a GPO to additional sites, domains, or OUs, you must use the Group Policy tab in the Properties dialog box for the site, domain, or OU.
To link a GPO to a site, domain, or OU, complete the following steps:
1. Open the Active Directory Users And Computers console to link a GPO to a domain or OU, or open the Active Directory Sites And Services console to link a GPO to a site.
2. In the console, right-click the site, domain, or OU to which the GPO should be linked. Click Properties, and then click the Group Policy tab.
3. In the Properties dialog box for the object, in the Group Policy tab, click Add.
4. In the Add A Group Policy Object Link dialog box, shown in Figure 7, click the All tab, click the desired GPO, and then click OK.
5. In the Properties dialog box for the site, domain, or OU, click OK.