Note
It is always ideal to separate duties for administrators. Delegation
options exist that allow administrators to create a GPO, but not link it
to a node in Active Directory. Although such administrators can do all
of the setup and creation work, they cannot implement the settings
without assistance from another administrator who has been granted the
link delegation.
Creating GPOs Correctly
Creating a GPO is not especially difficult. Essentially, it involves
little more than right-clicking a node and clicking New. However, to
make sure that you do not cause damage to the network and computers,
take care when creating and configuring new GPOs. Like anything, there
is a right way and a not-so-right way.
Initially, you must know exactly what the GPO will do, and you should
also have considered which objects it should affect. If you have not
carefully considered what the GPO will do, you are not ready to create a
GPO. However, if you do know what you want the GPO to do, you can get
started without knowing exactly which objects the GPO should affect.
This is possible because you can create a GPO that is not linked to any
Active Directory node. In addition, if you feel the need to be
especially cautious, you can also disable the GPO. To create a GPO that
is not linked to a node, follow these steps:
1. In the Run dialog box, type gpmc.msc, and then click OK.
2. In the GPMC, expand the Forest and Domains nodes, and then expand the <domain name> node.
3. Right-click the Group Policy Objects node, and then click New.
4. In the New GPO dialog box, type a new name for the GPO, such as test, and then click OK.
Security Alert
If the user attempting to create the GPO does not have the necessary
privileges to do so, the New menu option will be dimmed.
This will create a new GPO that is not linked to any node in Active
Directory. You can consider this GPO as existing in Active Directory,
but as inactive because it does not affect any objects. If you want to
disable this GPO for extra assurance that it will not affect any object,
follow these steps:
1. Find and select the GPO that you want to disable under the Group Policy Objects node in the GPMC.
2. On the Details tab, click the GPO Status list.
3. Click All Settings Disabled.
This is now a new GPO
that is not linked to any node, has all settings disabled, and has no
configured settings at all. This is a very safe and secure GPO!
When you know which objects you want your GPO to affect, you can link
your GPO to the proper Active Directory node. Follow these steps to link
your GPO to an Organizational Unit:
1. Under the <domain name> node in the GPMC, right-click the organizational unit that you want to link, and then click Link An Existing GPO.
2. In the Select GPO dialog box, select the GPO that will be linked from the Group Policy Objects list box.
Security Alert
If the user attempting to link the GPO to this Active Directory node
does not have the necessary privileges to do so, the Link An Existing
GPO menu option will be dimmed.
At this point, nothing
will happen as a result of linking the GPO. However, after a setting is
made and the GPO is enabled, the GPO setting will apply to the target
objects on the next background refresh of Group Policy.
Note
You could also combine the creation and linking of a GPO into one step.
This would be accomplished by right-clicking the appropriate Active
Directory node to create the GPO, instead of the Group Policy Objects
node. After doing this, you would see an option to “Create and Link a
GPO Here.”
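The staged approach described above (create the GPO unlinked, disable all settings, link only when the target is known) can also be scripted. The following PowerShell is an added example, not part of the original text; it assumes the GroupPolicy module that is installed with the GPMC/RSAT tools, and the OU distinguished name and the helper function name are hypothetical.

```powershell
# Added example. Assumes the GroupPolicy module (installed with GPMC/RSAT).
param(
    [string]$GpoName  = 'test',                               # name used in the steps above
    [string]$TargetOU = 'OU=Workstations,DC=example,DC=com',  # hypothetical OU, replace with your own
    [switch]$Link                                             # pass only when ready to link
)
Import-Module GroupPolicy -ErrorAction Stop

# Create the GPO under Group Policy Objects; New-GPO does not link it to any node.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Staged: unlinked, all settings disabled'
    # Same effect as Details tab > GPO Status > All Settings Disabled.
    $gpo.GpoStatus = 'AllSettingsDisabled'
}

# Hypothetical helper: read the GPO's current links from its XML report.
function Get-StagedGpoLink {
    param([guid]$Id)
    [xml]$report = Get-GPOReport -Guid $Id -ReportType Xml
    # LinksTo is absent when the GPO is unlinked; filter out the resulting $null.
    $report.GPO.LinksTo | Where-Object { $_ }
}

# Show the current state so the operator can confirm the GPO is still inactive.
$links = @(Get-StagedGpoLink -Id $gpo.Id)
"{0}: status={1}, links={2}" -f $gpo.DisplayName, $gpo.GpoStatus, $links.Count
$links | ForEach-Object { "  linked to {0} (link enabled={1})" -f $_.SOMPath, $_.Enabled }

if ($Link) {
    # Link only if no link exists yet, so a re-run does not fail on a duplicate.
    if ($links.Count -eq 0) {
        New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    # The GPO is still AllSettingsDisabled here, so the link has no effect yet.
    # After configuring and reviewing settings, enable it as the final step by
    # setting GpoStatus to 'AllSettingsEnabled'.
    "Linked '{0}' to {1}; status remains {2}" -f $gpo.DisplayName, $TargetOU, $gpo.GpoStatus
}
```

An account that lacks the create or link delegation receives an access-denied error from New-GPO or New-GPLink, which is the scripted counterpart of the dimmed menu options.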