
Windows Server 2003 : Implementing a GPO (part 2) - Modifying a GPO

5/24/2011 4:10:10 PM

Modifying a GPO

The tasks for modifying a GPO are

  • Removing a GPO link

  • Deleting a GPO

  • Editing a GPO and GPO settings

  • Refreshing a GPO

Removing a GPO Link

Removing a GPO link simply unlinks the GPO from the specified site, domain, or OU. The GPO remains in Active Directory until it is deleted.

To remove a GPO link, complete the following steps:

1.
Open the Active Directory Users And Computers console to unlink a GPO from a domain or OU, or open the Active Directory Sites And Services console to unlink a GPO from a site.

2.
In the console, right-click the site, domain, or OU from which the GPO should be unlinked. Click Properties, and then click the Group Policy tab.

3.
In the Properties dialog box for the object, in the Group Policy tab, select the GPO that you want to unlink and then click Delete.

4.
In the Delete dialog box, shown in Figure 8, click Remove The Link From The List and then click OK. The GPO remains in Active Directory but is no longer linked.

Figure 8. Delete dialog box when removing a GPO link


Deleting a GPO

If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs to which it is linked are no longer affected by it. You might want to take the less drastic step of removing the GPO link, which disassociates the GPO from its OU but leaves the GPO intact in Active Directory.

To delete a GPO, complete the following steps:

1.
Open the Active Directory Users And Computers console to delete a GPO from a domain or OU, or open the Active Directory Sites And Services console to delete a GPO from a site.

2.
In the console, right-click the site, domain, or OU from which the GPO should be deleted. Click Properties, and then click the Group Policy tab.

3.
In the Properties dialog box for the object, in the Group Policy tab, select the GPO that you want to delete, and then click Delete.

4.
In the Delete dialog box, click Remove The Link And Delete The Group Policy Object Permanently and then click OK. The GPO is removed from Active Directory.

Editing a GPO and GPO Settings

To edit a GPO or its settings, follow the procedures outlined earlier in this lesson for creating a GPO and for specifying Group Policy settings.

Refreshing a GPO

Each GPO is refreshed when you restart your computer. When you modify the settings in a GPO, they are refreshed every 90 minutes on a workstation or server and every five minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. In Windows Server 2003 operating systems, you can refresh policy immediately by using the Gpupdate.exe command-line tool. Gpupdate replaces the Secedit.exe /refreshpolicy command used for refreshing GPOs in Windows 2000.

To refresh GPOs immediately, complete the following steps:

1.
Click Start, and then click Run.

2.
In the Run dialog box, type gpupdate in the Open box and then click OK. You briefly see the message “Refreshing Policy” on the command line while the policy is being refreshed.

Gpupdate also permits certain options to be specified on the command line. You can learn more about these options by searching for “gpupdate” in Help and Support Center.

Group Policy Best Practices

The following are the best practices for implementing Group Policy:

  • Disable unused parts of a GPO. If a GPO has, under the User Configuration or Computer Configuration node of the console, only settings that are Not Configured, disable the node to expedite startup and logging on.

  • Use the Block Policy Inheritance and No Override features sparingly. Routine use of these features makes it difficult to troubleshoot Group Policy.

  • Do not use the same name for different GPOs. Although using the same GPO name doesn’t affect GPO function, it can be confusing to administer.

  • Filter policy based on security group membership. Users who do not have permissions directing that a particular GPO be applied to them can avoid the associated logon delay, because the GPO is not applied for those users.

  • Use loopback only when necessary. Use loopback only if you need the desktop configuration to be the same regardless of who logs on.

  • Override Group Policy rather than System Policy. Use System Policy only to manage computers on an operating system earlier than Windows 2000 or if you need to manage desktops for multiple users on a stand-alone computer.

  • Avoid cross-domain GPO assignments. The processing of GPOs delays logging on and startup if Group Policy is obtained from another domain.

  • Do not link a GPO to the same OU more than once. When more than one link for the same OU is applied to a single object, the links might be interpreted differently and produce an unexpected RSoP.

Practice: Implementing and Testing a GPO

In this practice, you implement a GPO for contoso.com.

Exercise 1: Implementing a GPO

In this exercise, you implement a GPO for the West OU. You create a GPO, create an MMC for a GPO, specify Group Policy settings for the GPO, indicate a GPO processing exception, delegate administrative control of the GPO, filter the scope of the GPO, and link the GPO to an additional OU. Use the procedures provided earlier in this lesson to complete each step in the exercise.

1.
Log on to Server01 as Administrator.

2.
On Server01, create a GPO in the West OU. Name the GPO Lockdown Desktop.

3.
Create an MMC for the Lockdown Desktop GPO. Name the console Lockdown Desktop GPO.

4.
Specify the following Group Policy settings for the Lockdown Desktop GPO:

  • In the User Configuration node, in the Administrative Templates node, in the Start Menu And Taskbar node, configure the Remove Search Menu From Start Menu setting to Enabled. Then configure the Remove Run Menu From Start Menu setting (still under User Configuration) to Enabled.

  • In the User Configuration node, in the Administrative Templates node, in the System node, in the CTRL+ALT+DEL Options node, configure the Remove Lock Computer setting to Enabled.

5.
For the Lockdown Desktop GPO link, set the No Override option in the Group Policy tab in the Properties dialog box for the West OU to prevent other GPOs from overriding the policies set in the Lockdown Desktop GPO.

6.
Create a new Marketing domain local security group in the Seattle OU. Make Lorrin Smith-Bates and Danielle Tiedt members of the Marketing group.

7.
For the Lockdown Desktop GPO, clear the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group. Do not set this permission to Deny.

8.
In the Lockdown Desktop GPO, add the Marketing domain local security group to the list of security groups.

9.
Ensure that the Lockdown Desktop GPO applies to the Marketing group by setting the group’s Apply Group Policy permission for the GPO to Allow.

10.
By default the Lockdown Desktop GPO is linked to the West OU, and its settings apply to the West OU and its child OUs, Seattle and Phoenix. Link the Lockdown Desktop GPO to the New York OU.

Exercise 2: Testing a GPO

In this exercise, you view the effects of the GPO you implemented in Exercise 1.

1.
Log on as Danielle Tiedt, a member of the Marketing security group.

2.
Q1: Press CTRL+ALT+DEL. The Windows Security dialog box appears. Are you able to lock the workstation? Why?
A1: No, the Lock Computer option is not available. Danielle Tiedt is unable to lock the workstation because the Lockdown Desktop GPO applies to the Marketing security group, of which Danielle Tiedt is a member.

3.
Click Cancel, and then click Start.

Q1: Does the Search command appear on the Start menu?
A1: No.
Q2: Does the Run command appear on the Start menu?
A2: No.

4.
Log off as Danielle Tiedt, and then log on as Administrator.

5.
Remove Danielle Tiedt from the Marketing security group.

6.
Log off as Administrator, and then log on as Danielle Tiedt.

7.
Q1: Press CTRL+ALT+DEL. Are you able to lock the workstation? Why?
A1: Yes, the Lock Computer option is available. Danielle Tiedt is able to lock the workstation because the Lockdown Desktop GPO applies only to members of the Marketing security group, of which Danielle Tiedt is no longer a member.

8.
Log off as Danielle Tiedt, and then log on as Pat Coleman.

9.
Press CTRL+ALT+DEL.

Q1: Are you able to lock the workstation? Why or why not?
A1: Yes, the Lock Computer option is available. Pat Coleman is able to lock the workstation because the Lockdown Desktop GPO applies only to the Marketing security group, of which Pat Coleman is not a member. This is true even though the Lockdown Desktop GPO is linked to the New York OU, in which Pat Coleman is contained.

10.
Log off as Pat Coleman, and then log on as Administrator.

11.
Make Pat Coleman a member of the Marketing security group.

12.
Log off as Administrator, and then log on as Pat Coleman.

13.
Press CTRL+ALT+DEL.

Q1: Are you able to lock the workstation? Why or why not?
A1: No, the Lock Computer option is not available. Pat Coleman is unable to lock the workstation because the Lockdown Desktop GPO is linked to the New York OU and applies only to the Marketing security group, of which Pat Coleman is now a member.

14.
Log off as Pat Coleman, and then log on as Administrator.

15.
Create a new GPO in the Seattle OU. Name the GPO Lockdown Control Panel. Create an MMC for the Lockdown Control Panel GPO. Name the console Lockdown Control Panel GPO.

16.
In the User Configuration node, in the Administrative Templates node, in the Control Panel node, configure the Prohibit Access To The Control Panel setting to Enabled.

17.
Set the Block Policy Inheritance option in the Group Policy tab in the Properties dialog box for the Seattle OU to block GPOs set in parent objects from applying to the Seattle OU.

18.
In the Lockdown Control Panel GPO, add the Marketing domain local security group to the list of security groups.

19.
Set the Apply Group Policy permission for the Marketing group to Allow. Clear the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group. Do not set this permission to Deny.

20.
Q1: Log off as Administrator, and then log on as Lorrin Smith-Bates. Which GPO applies and why?
A1: The Lockdown Desktop and Lockdown Control Panel GPOs both apply to Lorrin Smith-Bates because the Lockdown Desktop GPO has the No Override option set. The No Override option ensures that none of a GPO’s settings can be overridden by any other GPO during the processing of group policies. Even though the Block Policy Inheritance option is set for the Seattle OU, the No Override option set for the Lockdown Desktop GPO link overrides the Seattle OU’s Block Inheritance setting. Therefore, both GPOs apply to Lorrin Smith-Bates.

21.
Q1: Log off as Lorrin Smith-Bates, and then log on as Pat Coleman. Which GPO applies and why?
A1: Only the Lockdown Desktop GPO applies to Pat Coleman. Because the Lockdown Control Panel GPO has not been linked to the New York OU (in which Pat Coleman is contained) or the East OU (parent OU of the New York OU), the Lockdown Control Panel GPO does not apply to Pat Coleman.
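The questions in Exercise 2 all come down to the same resolution rules: GPOs are processed from the domain down through the OU chain, a Block Policy Inheritance setting on an OU drops the ordinary links of its parent containers, a No Override link cannot be blocked and is applied last, and the Apply Group Policy permission decides whether a given user sees a GPO at all. The following Python model of those rules is an added example written for this article, not code from the lesson or from Windows; the contoso.com layout mirrors the practice exercise (West with Seattle and Phoenix, East with New York, the two GPOs and their filtering), while the OU that holds each user account (Lorrin Smith-Bates and Danielle Tiedt in Seattle, Pat Coleman in New York) is an assumption. It also covers one case the lesson only warns about, an explicit Deny on Apply Group Policy, which wins over any Allow.

```python
"""Model of Group Policy link resolution: top-down processing, No Override links,
Block Policy Inheritance and security-group filtering. Added example, not code
from the original lesson; the OU holding each user account is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    apply_allow: Set[str] = field(default_factory=set)  # Apply Group Policy = Allow
    apply_deny: Set[str] = field(default_factory=set)   # Apply Group Policy = Deny

    def applies_to(self, principals: Set[str]) -> bool:
        # An explicit Deny on any of the user's groups wins; otherwise one Allow is needed.
        if self.apply_deny & principals:
            return False
        return bool(self.apply_allow & principals)


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    block_inheritance: bool = False
    links: List[Tuple[GPO, bool]] = field(default_factory=list)  # (gpo, no_override)


def resolve(container: Container, groups: Set[str]) -> List[str]:
    """Names of the GPOs that apply to a user in `container`, lowest precedence first."""
    principals = set(groups) | {"Authenticated Users"}  # every logged-on user is one
    chain: List[Container] = []
    c: Optional[Container] = container
    while c is not None:
        chain.append(c)
        c = c.parent
    chain.reverse()  # domain first, then each OU level down to the user's own OU
    normal: List[GPO] = []    # ordinary links; links on closer containers win conflicts
    enforced: List[GPO] = []  # No Override links, collected top-down
    for c in chain:
        if c.block_inheritance:
            normal = []  # Block Policy Inheritance discards ordinary links from above
        for gpo, no_override in c.links:
            if not gpo.applies_to(principals):
                continue  # filtered out: Apply Group Policy not granted to this user
            (enforced if no_override else normal).append(gpo)
    # No Override links are applied after everything else, and among them the link
    # on the higher container has the final word, so the top-down list is reversed.
    return [g.name for g in normal + list(reversed(enforced))]


def build_contoso() -> Dict[str, Container]:
    """The practice-exercise layout as constructed sample data."""
    domain = Container("contoso.com")
    west = Container("West", domain)
    seattle = Container("Seattle", west, block_inheritance=True)  # step 17
    phoenix = Container("Phoenix", west)
    east = Container("East", domain)
    new_york = Container("New York", east)
    lockdown_desktop = GPO("Lockdown Desktop", apply_allow={"Marketing"})       # steps 7-9
    lockdown_control = GPO("Lockdown Control Panel", apply_allow={"Marketing"})  # step 19
    west.links.append((lockdown_desktop, True))       # No Override set on the West link (step 5)
    new_york.links.append((lockdown_desktop, False))  # plain additional link (step 10)
    seattle.links.append((lockdown_control, False))   # step 15
    return {"Seattle": seattle, "Phoenix": phoenix, "New York": new_york}


def applied_gpos(ou_name: str, groups: Set[str]) -> List[str]:
    return resolve(build_contoso()[ou_name], groups)


if __name__ == "__main__":
    print("Lorrin (Seattle, Marketing):", applied_gpos("Seattle", {"Marketing"}))
    print("Pat (New York, Marketing):  ", applied_gpos("New York", {"Marketing"}))
    print("Pat (New York, no group):   ", applied_gpos("New York", set()))
```

The returned list is ordered so that the last entry has the highest precedence: for Lorrin Smith-Bates it is the Lockdown Desktop GPO, which is why its No Override link still reaches an OU that blocks inheritance, and for Pat Coleman the Lockdown Control Panel GPO never appears because nothing on the East or New York path links it.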