Creating GPOs
The creation of GPOs
should not occur without serious consideration of two aspects of your
enterprise. First, you should know exactly which settings you want to
create in the GPO. The creation of a GPO that has no purpose or has
settings that are not well conceived or documented could cause damage or
network downtime if incorrectly linked. Second, you should know where
the GPO will be linked and which objects it should target. Again, having
errant GPOs within your Active Directory infrastructure can cause
significant issues if not managed.
Before you start creating GPOs, you must design them into the environment. The design of GPOs consists of the following tasks:
Determine which objects will be controlled.
Determine whether the current organizational unit structure can support default GPO processing and inheritance, or whether filtering or targeting must be used.
Select the settings that must be configured in each GPO required.
After your design of
the GPO is complete, implementation of the GPO starts with its creation.
The creation of a GPO is very simple and has some characteristics that
can help you manage all newly created GPOs. All new GPOs have these
characteristics:
Blank, with no settings configured (unless you use a Starter GPO)
Enabled by default
Configured to affect all user and computer accounts in the scope of management, through the Authenticated Users group
Creating a GPO
involves just a few clicks within the GPMC. To create a new GPO that you
do not link to an Active Directory node, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Group Policy Objects node, and then click New.
3. In the New GPO dialog box, type the name of the new GPO.
4. (Optional) Select the Starter GPO that you want to use from the Source Starter GPO list.
Another way to create a
new GPO is to have it linked to an Active Directory node upon creation.
This process helps eliminate the issue of creating test or random GPOs
that are not linked to any node and never seem to get configured.
Creating and linking a GPO in one step can
help eliminate random, empty GPOs. To create a GPO that is linked to an
Active Directory node upon creation, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Active Directory node to which you want to link the new GPO (<domainname>, organizational unit, or site), and then click Create A GPO In This Domain, And Link It Here.
3. In the New GPO dialog box, type the name of the new GPO.
4. (Optional) Select the Starter GPO that you want to use from the Source Starter GPO list.
Although these two
processes for creating a new GPO are similar, the end result is
substantially different: Any setting that you make in the GPO that is
linked to an Active Directory node will immediately be distributed to
the target objects located in that scope. For example, if you link a GPO
to the HR organizational unit, the user and computer objects in the HR
organizational unit will be affected by the settings you make in the
GPO.
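The two GPMC procedures above map directly onto the GroupPolicy PowerShell module. The following script is an added example, not code from the book: it creates an unlinked GPO, creates a second GPO linked at creation (with the link left disabled until the settings have been reviewed, since a linked GPO applies immediately), and then lists GPOs that are linked nowhere, which is the "random, empty GPO" problem the text describes. The domain name, OU path, GPO names and comment text are assumptions.

```powershell
# Added example (not from the book). Requires the GroupPolicy module (RSAT)
# and an account permitted to create GPOs. All names below are assumptions.
Import-Module GroupPolicy

$domain  = 'fabrikam.com'                      # assumed domain
$hrOu    = 'OU=HR,DC=fabrikam,DC=com'          # assumed target OU
$comment = 'Owner: Security Eng; Change: CHG-0000; Purpose: HR workstation baseline'

# Procedure 1: create an unlinked GPO. Nothing applies until it is linked,
# so it can be populated and reviewed first. -Comment records the owner and
# purpose the chapter says every GPO should have.
$unlinked = New-GPO -Name 'HR-Workstation-Baseline' -Comment $comment -Domain $domain

# Same, but seeded from a Starter GPO (the Starter GPO must already exist):
# $unlinked = New-GPO -Name 'HR-Workstation-Baseline' -StarterGpoName 'Security Starter' -Comment $comment

# Procedure 2: create and link in one step. Because settings added later would
# reach every user and computer under the OU at the next refresh, the link is
# created disabled and switched on only after the settings have been checked.
$link = New-GPO -Name 'HR-Printer-Mapping' -Comment $comment -Domain $domain |
        New-GPLink -Target $hrOu -LinkEnabled No

# Hygiene check: GPOs with no link anywhere. The Gpo object does not expose
# its links, so they are read from the GPO's XML report (LinksTo elements).
function Get-UnlinkedGpo {
    param([string]$Domain = $domain)
    Get-GPO -All -Domain $Domain | Where-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml -Domain $Domain
        -not $report.GPO.LinksTo
    }
}

Get-UnlinkedGpo | Select-Object DisplayName, Id, CreationTime, ModificationTime
```

Run the hygiene function on a schedule and compare its output with the GPO inventory: an unlinked GPO with a recent ModificationTime and no owner comment is exactly the kind of undocumented object the opening paragraph warns about.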
Note
The ability to create GPOs is not available to every user or administrator by default. Only a few accounts can create GPOs by default.
Linking GPOs
Whether you want a GPO
to affect a few objects or numerous objects, the GPO and the settings
contained within it will only do so after you link the GPO to an Active
Directory node. Linking GPOs within Active Directory is limited in scope
to the major Active Directory structural components. Within Active
Directory, you can link a GPO to the following node types:
Domain, such as Fabrikam.com
Organizational Unit, such as Domain Controllers
Site, such as Default-First-Site-Name
Linking a GPO to the other
object types that exist in Active Directory will not work. Linking GPOs
to individual user accounts, computer accounts, or group accounts is not
possible.
You can link a GPO to a
node either when the GPO is created or at a later time. If you want to link an existing GPO to a site, the domain, or an organizational unit, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Active Directory node to which you want to link the existing GPO (<domainname>, organizational unit, or site), and then click Link An Existing GPO.
3. In the Select GPO dialog box, select the domain from which you want to link the GPO from the Look In This Domain list (the default domain listed is typically the domain that you want to use).
4. Select the GPO or GPOs to which you want to link from the Group Policy Objects box.
After you have linked
the GPO, the objects under the scope of the node will be affected by the
policy settings in the GPO. Of course, if you have configured any other
settings to alter the default processing or inheritance of processing
the GPO, you will need to consider these settings.
The GPMC provides two
ways to view GPO links to Active Directory nodes. The first option is to
view the Active Directory nodes to which a specific GPO is linked. To
view the links per GPO, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Expand the Group Policy Objects node.
3. Select the GPO for which you want to see links.
4. In the right pane, click the Scope tab.
5. Under "The following sites, domains, and OUs are linked to this GPO," you will see the full list of Active Directory nodes, as shown in Figure 1.
The second option is to
view all of the GPOs that are linked to a specific Active Directory
node. This will give you an excellent idea of the most directly linked
GPOs that will affect the objects in scope. To view the GPOs linked to a
specific Active Directory node, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Active Directory node for which you want to view GPO links.
3. In the right pane, click the Linked Group Policy Objects tab.
4. The GPO column displays the full list of GPOs that are linked to this node, as shown in Figure 2.
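The Link An Existing GPO procedure and the two link views (per GPO, per node) can also be scripted. The block below is an added example, not the book's code: it links an existing GPO to an OU, then reproduces the Scope tab (which nodes a GPO is linked to) from the GPO's XML report and the Linked Group Policy Objects tab (which GPOs are linked to a node) from Get-GPInheritance. It also goes one step beyond the text by listing InheritedGpoLinks, the full ordered set of GPOs that reach the node through inheritance, which is what a reviewer actually needs when judging the effective policy on an OU. Domain, OU path and GPO name are assumptions.

```powershell
# Added example (not from the book). Names and paths are assumptions.
Import-Module GroupPolicy

$domain  = 'fabrikam.com'
$hrOu    = 'OU=HR,DC=fabrikam,DC=com'
$gpoName = 'HR-Workstation-Baseline'

# "Link An Existing GPO": link by name to the OU. Order 1 is highest precedence
# among the links on this node; omit -Order to append at the end.
New-GPLink -Name $gpoName -Target $hrOu -Domain $domain -LinkEnabled Yes | Out-Null

# View 1 (Scope tab): every site, domain and OU a given GPO is linked to.
# The Gpo object has no link list, so the XML report's LinksTo nodes are used.
function Get-GpoLinkTargets {
    param([Parameter(Mandatory)][string]$Name, [string]$Domain = $domain)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml -Domain $Domain
    foreach ($l in $report.GPO.LinksTo) {
        [pscustomobject]@{
            GPO      = $Name
            Target   = $l.SOMPath      # e.g. fabrikam.com/HR
            Enabled  = $l.Enabled
            Enforced = $l.NoOverride
        }
    }
}

# View 2 (Linked Group Policy Objects tab): GPOs linked directly to a node.
function Get-NodeGpoLinks {
    param([Parameter(Mandatory)][string]$Target, [string]$Domain = $domain)
    (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
        Select-Object Order, DisplayName, GpoId, Enabled, Enforced
}

# Beyond the GPMC tab: the full effective set, including links inherited from
# the domain and parent OUs, in processing order.
function Get-NodeEffectiveGpoLinks {
    param([Parameter(Mandatory)][string]$Target, [string]$Domain = $domain)
    (Get-GPInheritance -Target $Target -Domain $Domain).InheritedGpoLinks |
        Select-Object Order, DisplayName, GpoId, Target, Enabled, Enforced
}

Get-GpoLinkTargets      -Name   $gpoName
Get-NodeGpoLinks        -Target $hrOu
Get-NodeEffectiveGpoLinks -Target $hrOu
```

Get-NodeGpoLinks shows only what the node's own tab shows; Get-NodeEffectiveGpoLinks is the one to use when auditing, because a GPO linked at the domain with Enforced set will apply to the HR OU even though it never appears in the OU's direct link list.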
Note
The ability to link GPOs to Active Directory nodes is not available to every user or administrator by default. Only a few accounts can link a GPO to an Active Directory node by default.
Enabling and Disabling GPOs
Some believe that disabling a portion of a GPO increases the performance of Group Policy processing. However, review and log analysis show that this is not the case: even with a portion of a GPO disabled, the client must still evaluate it to some degree during processing. To enable or disable a portion of the GPO, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Expand the Group Policy Objects node.
3. Select the GPO that you want to enable or disable.
4. Select the Details tab in the details pane.
5. In the GPO Status list, select the enable or disable option that you want.
Let's say you disable the computer portion of a GPO. During processing, this is basically equivalent to finding the GPO with a version of 0. The client must still query Lightweight Directory Access Protocol (LDAP) to determine whether that side is disabled, so performance is not increased significantly; the effect would be the same if the portion of the GPO were not disabled. From a performance perspective, there is little value in this function, but it may offer user convenience. That is, this feature allows you to "turn off" some policies without having to unlink the GPO from the node.
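The GPO Status list on the Details tab corresponds to the GpoStatus property of the GPO object in the GroupPolicy module, which can be read and assigned directly. The script below is an added example, not the book's code: it disables the computer portion of a GPO, shows the per-side version counters the text refers to, restores the GPO, and finally lists every GPO in the domain that has a portion disabled. That last query is the check a defender wants, because a disabled side silently stops security settings from applying while the GPO still looks linked and healthy. GPO name and domain are assumptions.

```powershell
# Added example (not from the book). GPO name and domain are assumptions.
Import-Module GroupPolicy

$domain  = 'fabrikam.com'
$gpoName = 'HR-Workstation-Baseline'

# The GpoStatus values mirror the GPMC GPO Status list:
#   AllSettingsEnabled, ComputerSettingsDisabled,
#   UserSettingsDisabled, AllSettingsDisabled
$gpo = Get-GPO -Name $gpoName -Domain $domain
"Before: $($gpo.GpoStatus)"

# "Turn off" only the computer side; the user side keeps applying and the
# GPO stays linked wherever it was.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# The version counters the clients compare during processing. Disabling a
# side does not reset them; the client simply treats that side as version 0.
$gpo = Get-GPO -Name $gpoName -Domain $domain
[pscustomobject]@{
    Status          = $gpo.GpoStatus
    ComputerEnabled = $gpo.Computer.Enabled
    ComputerVersion = $gpo.Computer.DSVersion
    UserEnabled     = $gpo.User.Enabled
    UserVersion     = $gpo.User.DSVersion
}

# Restore both sides.
$gpo.GpoStatus = 'AllSettingsEnabled'

# Audit: every GPO in the domain with any portion disabled. A partially
# disabled GPO still shows up as linked, so this is easy to miss in the GPMC.
function Get-PartiallyDisabledGpo {
    param([string]$Domain = $domain)
    Get-GPO -All -Domain $Domain |
        Where-Object GpoStatus -ne 'AllSettingsEnabled' |
        Select-Object DisplayName, Id, GpoStatus, ModificationTime
}

Get-PartiallyDisabledGpo
```

Assigning GpoStatus writes to Active Directory immediately, so treat it like any other GPO change: note the ModificationTime before and after, and pair Get-PartiallyDisabledGpo with the link audit so that "linked but disabled" objects are reviewed rather than assumed to be in effect.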
Renaming GPOs
There
might be a time when you need to rename a GPO for some reason. You can
do so easily by using the GPMC. The system does not rely on the name of
the GPO, but rather on the GUID of the GPO; the GPO name is really just
an alias. To change the name of a GPO using the GPMC, follow these
steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Expand the Group Policy Objects node.
3. Right-click the GPO that you want to rename, click Rename, and then type the new name for the GPO.
4. Press Enter.
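The point that the system keys on the GUID rather than the display name can be verified directly. The block below is an added example, not the book's code: it records the GPO's identity before a rename, renames it with Rename-GPO, and then confirms that the GUID, the Active Directory path of the policy container and the links to it are unchanged, so only name-based references (reports, scripts that call Get-GPO -Name, ticket text) need updating. GPO names and domain are assumptions.

```powershell
# Added example (not from the book). Names and domain are assumptions.
Import-Module GroupPolicy

$domain  = 'fabrikam.com'
$oldName = 'HR-Workstation-Baseline'
$newName = 'HR-Workstation-Baseline-v2'

$before = Get-GPO -Name $oldName -Domain $domain

# Rename by GUID rather than by name so the command cannot hit a different
# GPO that happens to share the display name.
Rename-GPO -Guid $before.Id -TargetName $newName -Domain $domain | Out-Null

$after = Get-GPO -Guid $before.Id -Domain $domain

# Links are stored against the GUID, so they survive the rename unchanged.
[xml]$report = Get-GPOReport -Guid $before.Id -ReportType Xml -Domain $domain

[pscustomobject]@{
    OldName       = $before.DisplayName
    NewName       = $after.DisplayName
    SameGuid      = ($after.Id -eq $before.Id)          # expected: True
    SamePath      = ($after.Path -eq $before.Path)      # CN={GUID},CN=Policies,... unchanged
    LinkCount     = @($report.GPO.LinksTo).Count
    ModifiedAt    = $after.ModificationTime
}

# Name-based lookups are the only thing the rename breaks:
Get-GPO -Name $oldName -Domain $domain -ErrorAction SilentlyContinue   # now returns nothing
```

Because the SYSVOL folder and the AD policy container are both named by the GUID, any monitoring or change-control that records GPOs by display name alone will lose track of a renamed object; record the Id alongside the name.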
Enabling and Disabling a GPO Link
There might be a time when
you want to disable just one of the nodes that a GPO is linked to. For
example, you might want to disable a GPO link for a short time only; in
an instance such as this, you can disable a GPO link but keep it active.
This might seem like an insignificant configuration, but it allows you
to maintain the overall link strategy. The maintenance of the strategy
will help prevent situations in which GPOs become orphaned from any
links to nodes in Active Directory. When you want the GPO to be active
again for that link, you can easily re-enable the link.
To disable or enable a GPO link, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Active Directory node for which you want to alter the GPO link, and then click Link Enabled.
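Toggling a single link while leaving the GPO and its other links untouched is what Set-GPLink -LinkEnabled does. The block below is an added example, not the book's code: it disables the link on one OU, verifies from the node's link list that the link still exists but is no longer enabled, and then re-enables it, which is the "pause without unlinking" workflow the section describes. Domain, OU path and GPO name are assumptions.

```powershell
# Added example (not from the book). Names and paths are assumptions.
Import-Module GroupPolicy

$domain  = 'fabrikam.com'
$hrOu    = 'OU=HR,DC=fabrikam,DC=com'
$gpoName = 'HR-Workstation-Baseline'

# Flip the enabled state of exactly one link and return its state as the
# node sees it, so the caller can confirm the link survived the change.
function Set-GpoLinkState {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][ValidateSet('Yes', 'No')][string]$Enabled,
        [string]$Domain = $domain
    )
    Set-GPLink -Name $Name -Target $Target -LinkEnabled $Enabled -Domain $Domain | Out-Null

    (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
        Where-Object DisplayName -eq $Name |
        Select-Object DisplayName, Target, Enabled, Enforced, Order
}

# Pause: the link remains on the OU (no orphaned GPO) but stops applying.
Set-GpoLinkState -Name $gpoName -Target $hrOu -Enabled No

# ... investigate, test, or wait out the maintenance window ...

# Resume: same link, same order and precedence, enabled again.
Set-GpoLinkState -Name $gpoName -Target $hrOu -Enabled Yes

# Audit: disabled links anywhere under the OU are easy to forget about.
# A GPO that is linked but disabled provides none of its protections.
function Get-DisabledGpoLinks {
    param([Parameter(Mandatory)][string]$Target, [string]$Domain = $domain)
    (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
        Where-Object { -not $_.Enabled } |
        Select-Object DisplayName, GpoId, Target, Order
}

Get-DisabledGpoLinks -Target $hrOu
```

Disabling a link is distinct from disabling a portion of the GPO: the link toggle is per node, so the same GPO keeps applying wherever else it is linked, while GpoStatus affects the GPO everywhere. Review both when working out why a setting is not reaching a machine.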