DESKTOP

Windows Server 2008 and Windows Vista : Group Policy Processing - Scope of Management

9/12/2012 1:44:10 AM
Scope of management (SOM) is a foundational concept that can make administration of Group Policy significantly easier. Understanding how Group Policy determines which objects to apply to simplifies the management and design of the Group Policy infrastructure and settings within the GPO.

To evaluate the scope of management of a GPO, you must know not only which objects, user, and computer are in the path of the GPO, but also which of those objects have the capability of applying the settings in the GPO. To determine the list of objects that are under the scope of management, you must perform three steps:

1.
Based on the settings in the GPO, determine which objects are in the path of the GPO within the Active Directory directory service structure.
2.
Create a list of objects that have permission to apply the settings in the GPO.
3.
Determine which objects are on both lists to produce a final list of objects that fall under scope of management.

To better understand this concept, let’s look at a quick example. Figure 1 illustrates a simple Active Directory structure. We will look at three organizational units: Finance, Marketing, and Corp Groups.

Figure 1. This figure shows a sample Active Directory structure to illustrate the concept of scope of management.

The group membership matrix is as follows in Table 1.

Table 1. Example Group Matrix
Group NameGroup Members
FinanceBruno Barbara
MarketingMaria
ManagersBruno Maria

Notice in Figure 5-1 that two users and a computer account appear under the Finance organizational unit, and a single user and computer account appear under the Marketing organizational unit. The Corp Groups organizational unit contains three groups.

In this example, a GPO named GPO1 is linked to the Finance organizational unit. Within GPO1, a single setting is configured—the Remove Help Menu From Start Menu setting, which is located under User Configuration\Policies\Administrative Templates\Start Menu and Taskbar. The setting is configured as disabled, so any objects that fall under the scope of management of the GPO will not appear on the Help and Support menu accessed from the Start menu.

To determine the scope of management for our example, you must first perform step 1, which is:

Based on the settings in the GPO, determine which objects are in the path of the GPO within the Active Directory structure.

In our example, that list would contain both Bruno and Barbara. Because the user Maria is not in the Active Directory path of the linked GPO, she will not be on this list. The computers named Desktop1 and Desktop2 are not on our list, because the setting we configured is under User Configuration, and only user objects can apply these settings.

After you determine the list of objects, you must evaluate the permissions on GPO1. The permissions on GPO1 have been changed from the default, and the new permissions are shown in Figure 2.

Figure 2. With these example permissions for GPO1, the Managers group has the ability to apply the GPO and its settings.

Now that we have our list from step 1 and the permissions for the GPO, we must perform step 2, which is:

Create a list of objects that have permission to apply the settings in the GPO.

By reviewing the group matrix from Table 1, we can see that both Bruno and Maria have permission to apply the settings in the GPO.

Our final step is to do the following:

Determine which objects are on both lists, to produce a final list of objects that fall under scope of management.

Table 2 summarizes our lists from the first two steps and includes the final list of objects that are under the scope of management for our example. You can see that the settings from GPO1 will apply only to the user Bruno.

Table 2. Example Group Matrix
Step 1 List of ObjectsStep 2 List of ObjectsStep 3 Final List of Objects Under SOM
BrunoBrunoBruno
BarbaraMaria 

To give you an idea of how the scope of management could change, here are some examples that would occur if objects moved or group membership changed:

  • If Barbara were added to the Managers group, she would fall under the scope of management.

  • If Maria were moved to the Finance organizational unit, she would fall under the scope of management.

  • If the default group were put back on the permission list for GPO1, which is the Authenticated Users group, Bruno and Barbara would both fall under the scope of management, but Maria would not.
Other  
  •  Windows Server 2003 : Creating and Managing Digital Certificates - Managing Certificates
    •
  •  Windows Server 2003 : Creating and Managing Digital Certificates - Designing a Public Key Infrastructure
    •
  •  Windows Server 2003 : Creating and Managing Digital Certificates - Introducing Certificates
    •
  •  Laptop For All Budgets (Part 2) - Notebooks, Ultrabooks
    •
  •  Laptop For All Budgets (Part 1)
    •
  •  Windows Tips & Tricks (August 2012) – Part 2 - Manage Your Google Docs Offline with gExplore
    •
  •  Windows Tips & Tricks (August 2012) – Part 1 - Wake Your PC with a Smartphone or Tablet
    •
  •  Windows 8's Unexpected Features (Part 3)
  •  Windows 8's Unexpected Features (Part 2)
  •  Windows 8's Unexpected Features (Part 1)
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 3) - Installing and configuring DirectAccess and network location server
    •
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 2) - Creating a certificate revocation list (CRL) distribution point on the DirectAccess server
    •
  •  Windows Server 2008 R2 and Windows 7 : Deploying DirectAccess (part 1) - Creating a certificate template for computer autoenrollment
    •
  •  Windows Server 2008 R2 and Windows 7 : Planning to Deploy Directaccess
    •
  •  Iwork Pro : Export Strength
    •
  •  Is It Time To Ditch Windows Search? (Part 4) - Power tools,Search for files over Wi-Fi, Search your PC from your mobile phone
    •
  •  Is It Time To Ditch Windows Search? (Part 3) - Search across the LAN
    •
  •  Is It Time To Ditch Windows Search? (Part 2) - Search within files
    •
  •  Is It Time To Ditch Windows Search? (Part 1) - Simple filename searches
    •
  •  In Search Of The Perfect Mid-Tower (Part 4) - Thermaltake Level 10 GTS
    •
     
    Top 10
    Big In 2013 (Part 3)
    Big In 2013 (Part 2)
    Big In 2013 (Part 1)
    Google Nexus 4 Smartphone - Coming Of Age On The Fourth Try
    Top 10 Tablet Apps - Q1 2013
    Top 10 Tablets - Q1 2013
    Top 10 Smartphone Apps - Q1 2013
    Top 10 Smartphones - Q1 2013
    Vodafone Pocket – Mobile 3G Wi-Fi Router
    Bose SoundLink Bluetooth Mobile Speaker II - Better Than Ever
    Most View
    Multifaceted Tests : Attempting Command Injection Interactively & Attempting Command Injection Systematically
    ASUS RT-N56U
    Setting Default Internet Programs
    Track A Stolen Device (Part 1) - Set up a device, Lock your phone
    Windows Vista : Performance - Hard Disk (part 3) - Transfer Windows to Another Hard Disk
    Beginning Android 3 : The Input Method Framework - Tailored to Your Needs
    Run Software In A Protective Sandbox
    Get Started With iPhoto For iOS (Part 1)
    Microsoft Surface RT - Cleverly Designed Tablet
    Programming .NET Security : Programming Cryptographic Keys (part 2) - Using Key Persistence
    HP Envy TouchSmart 4 - Plain And Simple
    The Internet Of The Future (Part 2)
    Technology For Business (Part 2)
    Sharepoint 2010 : Business Connectivity Services Deployment Types (part 2) - Creating a Profile Page to Display BCS Results
    Huge Screen Supertest (Part 8) - Philips Brilliance 248C3LHSB & Samsung 5 Series T27A550
    Building Android Apps : Controlling the Phone with JavaScript (part 1) - Beep, Vibrate, and Alert
    The State Of Mobile... Creative Media In 2012 (Part 1)
    Huge Screen Supertest (Part 2) - In-plane Twitching
    Delete & Recover Data (Part 2) - Recovering Files Using Disk Digger
    Nikon Coolpix AW100 - Tough love