Modifying a GPO
The tasks for modifying a GPO are
Removing a GPO Link
Removing a GPO link
simply unlinks the GPO from the specified site, domain, or OU. The GPO
remains in Active Directory until it is deleted.
To remove a GPO link, complete the following steps:
1. | Open
the Active Directory Users And Computers console to unlink a GPO from a
domain or OU, or open the Active Directory Sites And Services console
to unlink a GPO from a site.
| 2. | In
the console, right-click the site, domain, or OU from which the GPO
should be unlinked. Click Properties, and then click the Group Policy
tab.
| 3. | In
the Properties dialog box for the object, in the Group Policy tab,
select the GPO that you want to unlink and then click Delete.
| 4. | In the Delete dialog box, shown in Figure 8, click Remove The Link From The List and then click OK. The GPO remains in Active Directory but is no longer linked.
|
Deleting a GPO
If you delete a GPO, it is
removed from Active Directory, and any sites, domains, or OUs to which
it is linked are no longer affected by it. You might want to take the
less drastic step of removing the GPO link, which disassociates the GPO
from its OU but leaves the GPO intact in Active Directory.
To delete a GPO, complete the following steps:
1. | Open
the Active Directory Users And Computers console to delete a GPO from a
domain or OU, or open the Active Directory Sites And Services console
to delete a GPO from a site.
| 2. | In
the console, right-click the site, domain, or OU from which the GPO
should be deleted. Click Properties, and then click the Group Policy
tab.
| 3. | In
the Properties dialog box for the object, in the Group Policy tab,
select the GPO that you want to delete, and then click Delete.
| 4. | In
the Delete dialog box, click Remove The Link And Delete The Group
Policy Object Permanently and then click OK. The GPO is removed from
Active Directory.
|
Editing a GPO and GPO Settings
To
edit a GPO or its settings, follow the procedures outlined earlier in
this lesson for creating a GPO and for specifying Group Policy settings.
Refreshing a GPO
Each GPO is refreshed
when you restart your computer. When you modify the settings in a GPO,
they are refreshed every 90 minutes on a workstation or server and every
five minutes on a domain controller. The settings are also refreshed
every 16 hours, whether or not there are any changes. In Windows Server
2003 operating systems, you can refresh policy immediately by using the
Gpupdate.exe command-line tool. Gpupdate replaces the Secedit.exe
/refreshpolicy command used for refreshing GPOs in Windows 2000.
To refresh GPOs immediately, complete the following steps:
1. | Click Start, and then click Run.
| 2. | In the Run dialog box, type gpupdate
in the Open box and then click OK. You briefly see the message
“Refreshing Policy” on the command line while the policy is being
refreshed.
|
Gpupdate also
permits certain options to be specified on the command line. You can
learn more about these options by searching for “gpupdate” in Help and
Support Center.
Group Policy Best Practices
The following are the best practices for implementing Group Policy:
Disable unused parts of a GPO.
If a GPO has, under the User Configuration or Computer Configuration
node of the console, only settings that are Not Configured, disable the
node to expedite startup and logging on. Use the Block Policy Inheritance and No Override features sparingly. Routine use of these feature makes it difficult to troubleshoot Group Policy. Do not use the same name for different GPOs. Although using the same GPO name doesn’t affect GPO function, it can be confusing to administer. Filter policy based on security group membership.
Users who do not have permissions directing that a particular GPO be
applied to them can avoid the associated logon delay, because the GPO is
not applied for those users. Use loopback only when necessary. Use loopback only if you need the desktop configuration to be the same regardless of who logs on. Override Group Policy rather than System Policy. Use
System Policy only to manage computers on an operating system earlier
than Windows 2000 or if you need to manage desktops for multiple users
on a stand-alone computer. Avoid cross-domain GPO assignments. The processing of GPOs delays logging on and startup if Group Policy is obtained from another domain. Do not link a GPO to the same OU more than once.
When more than one link for the same OU is applied to a single object,
the links might be interpreted differently and produce an unexpected
RSoP.
Practice: Implementing and Testing a GPO
In this practice, you implement a GPO for contoso.com.
Exercise 1: Implementing a GPO
In this exercise, you
implement a GPO for the West OU. You create a GPO, create an MMC for a
GPO, specify Group Policy settings for the GPO, indicate a GPO
processing exception, delegate administrative control of the GPO, filter
the scope of the GPO, and link the GPO to an additional OU. Use the
procedures provided earlier in this lesson to complete each step in the
exercise.
1. | Log on to Server01 as Administrator.
| 2. | On Server01, create a GPO in the West OU. Name the GPO Lockdown Desktop.
| 3. | Create an MMC for the Lockdown Desktop GPO. Name the console Lockdown Desktop GPO.
| 4. | Specify the following Group Policy settings for the Lockdown Desktop GPO:
In the User
Configuration node, in the Administrative Templates node, in the Start
Menu And Taskbar node, configure the Remove Search Menu From Start Menu
setting to Enabled. Then configure the Remove Run Menu From Start Menu
setting (still under User Configuration) to Enabled. In
the User Configuration node, in the Administrative Templates node, in
the System node, in the CTRL+ALT+DEL Options node, configure the Remove
Lock Computer setting to Enabled.
| 5. | For
the Lockdown Desktop GPO link, set the No Override option in the Group
Policy tab in the Properties dialog box for the West OU to prevent other
GPOs from overriding the policies set in the Lockdown Desktop GPO.
| 6. | Create
a new Marketing domain local security group in the Seattle OU. Make
Lorrin Smith-Bates and Danielle Tiedt members of the Marketing group.
| 7. | For
the Lockdown Desktop GPO, clear the Apply Group Policy permission
(currently set to Allow) for the Authenticated Users group. Do not set
this permission to Deny.
| 8. | In the Lockdown Desktop GPO, add the Marketing domain local security group to the list of security groups.
| 9. | Ensure
that the Lockdown Desktop GPO applies to the Marketing group by setting
the group’s Apply Group Policy permission for the GPO to Allow.
| 10. | By
default the Lockdown Desktop GPO is linked to the West OU, and its
settings apply to the West OU and its child OUs, Seattle and Phoenix.
Link the Lockdown Desktop GPO to the New York OU.
|
Exercise 2: Testing a GPO
In this exercise, you view the effects of the GPO you implemented in Exercise 1.
1. | Log on as Danielle Tiedt, a member of the Marketing security group.
| 2. |
| Q1: | Press CTRL+ALT+DEL. The Windows Security dialog box appears. Are you able to lock the workstation? Why? | |
A1:
| No, the Lock
Computer option is not available. Danielle Tiedt is unable to lock the
workstation because the Lockdown Desktop GPO applies to the Marketing
security group, of which Danielle Tiedt is a member. |
| 3. | Click Cancel, and then click Start.
| Q1: | Does the Search command appear on the Start menu?
| |
A1:
| No. | | Q2: | No. Does the Run command appear on the Start menu?
| |
A2:
| No. |
| 4. | Log off as Danielle Tiedt, and then log on as Administrator.
| 5. | Remove Danielle Tiedt from the Marketing security group.
| 6. | Log off as Administrator, and then log on as Danielle Tiedt.
| 7. |
| Q1: | Press CTRL+ALT+DEL. Are you able to lock the workstation? Why? | |
A1:
| Yes, the Lock
Computer option is available. Danielle Tiedt is able to lock the
workstation because the Lockdown Desktop GPO applies only to members of
the Marketing security group, of which Danielle Tiedt is no longer a
member. |
| 8. | Log off as Danielle Tiedt, and then log on as Pat Coleman.
| 9. | Press CTRL+ALT+DEL.
| Q1: | Are you able to lock the workstation? Why or why not? | |
A1:
| Yes,
because the Lock Computer option is available. Pat Coleman is able to
lock the workstation because the Lockdown Desktop GPO applies only to
the Marketing security group, of which Pat Coleman is not a member. This
is true even though the Lockdown Desktop GPO is linked to the New York
OU, in which Pat Coleman is contained. |
| 10. | Log off as Pat Coleman, and then log on as Administrator.
| 11. | Make Pat Coleman a member of the Marketing security group.
| 12. | Log off as Administrator, and then log on as Pat Coleman.
| 13. | Press CTRL+ALT+DEL.
| Q1: | Are you able to lock the workstation? Why or why not? | |
A1:
| No,
because the Lock Computer option is not available. Pat Coleman is unable
to lock the workstation because the Lockdown Desktop GPO is linked to
the New York OU and applies only to the Marketing security group, of
which Pat Coleman is now a member. |
| 14. | Log off as Pat Coleman, and then log on as Administrator.
| 15. | Create a new GPO in the Seattle OU. Name the GPO Lockdown Control Panel. Create an MMC for the Lockdown Control Panel GPO. Name the console Lockdown Control Panel GPO.
| 16. | In
the User Configuration node, in the Administrative Templates node, in
the Control Panel node, configure the Prohibit Access To The Control
Panel setting to Enabled.
| 17. | Set
the Block Policy Inheritance option in the Group Policy tab in the
Properties dialog box for the Seattle OU to block GPOs set in parent
objects from applying to the Seattle OU.
| 18. | In the Lockdown Control Panel GPO, add the Marketing domain local security group to the list of security groups.
| 19. | Set
the Apply Group Policy permission for the Marketing group to Allow.
Clear the Apply Group Policy permission (currently set to Allow) for the
Authenticated Users group. Do not set this permission to Deny.
| 20. |
| Q1: | Log off as Administrator, and then log on as Lorrin Smith-Bates. Which GPO applies and why? | |
A1:
| The
Lockdown Desktop and Lockdown Control Panel GPOs both apply to Lorrin
Smith-Bates because the Lockdown Desktop GPO has the No Override option
set. The No Override option ensures that none of a GPO’s settings can be
overridden by any other GPO during the processing of group policies.
Even though the Block Policy Inheritance option is set for the Seattle
OU, the No Override option set for the Lockdown Desktop GPO link
overrides the Seattle OU’s Block Inheritance setting. Therefore, both
GPOs apply to Lorrin Smith-Bates. |
| 21. |
| Q1: | Log off as Lorrin Smith-Bates, and then log on as Pat Coleman. Which GPO applies and why? | |
A1:
| Only the
Lockdown Desktop GPO applies to Pat Coleman. Because the Lockdown
Control Panel GPO has not been linked to the New York OU (in which Pat
Coleman is contained) or the East OU (parent OU of the New York OU), the
Lockdown Control Panel GPO does not apply to Pat Coleman. |
|
|
