Local Group Policy objects (part 2) : Managing the Local GPOs & GPOs in Active Directory

2/6/2012 5:55:28 PM

Managing the Local GPOs

As stated earlier, only users who are members of the local Administrators group can manage the local GPOs. This includes users from the local SAM and users from Active Directory. In either case, if User Account Control (UAC) is enabled, the UAC security dialog box appears, requiring the administrative user to consent to the elevated privileges that opening the MMC snap-in requires.

Another new feature is the option to disable local GPOs. Through Active Directory–based GPOs, local GPOs can be disabled, and thus excluded from the evaluation of overall Resultant Set of Policy (RSoP). The policy that you would set is “Turn off Local Group Policy objects processing.” This policy setting is located under Computer Configuration\Administrative Templates\System\Group Policy, as shown in Figure 4.

Figure 4. Local GPOs can be disabled by using the “Turn off Local Group Policy objects processing” setting in an Active Directory–based GPO.
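An added PowerShell example, not from the original article, that audits this setting from the defender's side: it lists which Active Directory GPOs enable "Turn off Local Group Policy objects processing" and reports whether the current computer has it applied. It assumes the GroupPolicy module (RSAT or Windows Server 2008 R2 and later) and read access to the GPOs; the registry value name comes from the policy's ADMX definition.

```powershell
# Added example: find which AD GPOs turn off local GPO processing, and whether
# this computer currently has the setting applied. Assumes the GroupPolicy module.
Import-Module GroupPolicy

# "Turn off Local Group Policy objects processing" writes this value when enabled.
$gpKey     = 'HKLM\Software\Policies\Microsoft\Windows\System'
$localPath = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$valueName = 'DisableLGPOProcessing'

# 1. Inspect every GPO in the domain for the setting.
$results = foreach ($gpo in Get-GPO -All) {
    try {
        $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $gpKey -ValueName $valueName -ErrorAction Stop
        [pscustomobject]@{
            GPO                 = $gpo.DisplayName
            LocalGposTurnedOff  = ($setting.Value -eq 1)
        }
    } catch {
        # The GPO does not touch this value, so it leaves local GPO processing alone.
    }
}
if ($results) { $results | Format-Table -AutoSize }
else { 'No Active Directory GPO configures DisableLGPOProcessing.' }

# 2. Check what Group Policy last applied on this computer.
$local = Get-ItemProperty -Path $localPath -Name $valueName -ErrorAction SilentlyContinue
if ($local -and $local.$valueName -eq 1) {
    'Local GPOs are turned off here; only AD-based GPOs contribute to RSoP.'
} else {
    'Local GPOs are still processed on this computer.'
}
```

Because the Policies hive is rewritten at each policy refresh, the local check reflects the last Group Policy application, not the live GPMC configuration.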




GPOs in Active Directory

Although GPOs that are created in Active Directory can total into the hundreds or even thousands, they all follow the same regimen. To go a step beyond that, all GPOs in Active Directory are created, managed, and controlled through a central console. It is this centralization that gives Group Policy such power and control over the entire network of computers.

All GPOs that are stored in Active Directory have the same structure. You must use the GPMC to access one of these GPOs. Within the GPMC, you can expand the console to see the list of GPOs that are in Active Directory. To access this list, follow these steps:

1. In the Run dialog box, type gpmc.msc.

2. In the GPMC, expand the Forest and Domains nodes.

3. In the Domains node, expand the Group Policy Objects node.

Note

To run the GPMC, the computer must be a member of the domain. Also, if you are running the GPMC with Windows Server 2008, the GPMC is not installed by default and must be installed before it can be accessed.


You should see a list of GPOs, as shown in Figure 5.

Figure 5. All of the GPOs that are stored in Active Directory can be seen by expanding the Group Policy node in the GPMC.

From this list, you can edit any of the GPOs to see the policy settings that are already set, or you can configure more settings. To edit a GPO, right-click it, and then click Edit. This launches the Group Policy Management Editor with your selected GPO active in the interface, as shown in Figure 6.

Figure 6. All Active Directory–based GPOs are edited with the Group Policy Management Editor.

All of the GPOs that are stored in Active Directory are available in this list through the GPMC. Note, however, that if you have multiple Active Directory domains, you will need to ensure that you are viewing the correct domain in the GPMC to see your GPO. GPOs are stored in only one domain. There is no mechanism to synchronize the settings between two GPOs in different domains.

For example, suppose that you wanted all domain controllers in all domains to have the same set of user rights. These settings would be established in the Default Domain Controllers Policy in each domain. If you changed a user right in the DomainA policy, the Default Domain Controllers Policy in DomainB would not be updated. You would need to make the same change manually in the DomainB GPO if you wanted the domain controllers in that domain to be updated.

After the creation and configuration of GPOs in Active Directory, one step remains before the GPO can perform any actions on computers or users on the network: you must link the GPO to an Active Directory node. Without this final linking step, the GPO is stored in Active Directory and on domain controllers, but it does not perform any action.

GPOs in Active Directory can be linked to the following nodes:

  • Domain (for example, to the fabrikam.com node)

  • Organizational Units

  • Sites

It should be obvious that if a GPO is linked to the domain, it will by default affect all computer and user accounts located in the domain. This is important to remember, because linking GPOs to the domain node or site nodes can potentially affect far more objects than intended.
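An added PowerShell example, not from the original article, that performs the linking step just described and then reviews what is linked at the domain node. It assumes the GroupPolicy module, and the domain name, OU and GPO name are constructed for illustration.

```powershell
# Added example: create a GPO, link it to an OU (not the domain node), and then
# review the links that apply domain-wide. Names below are assumptions.
Import-Module GroupPolicy

$domain   = 'fabrikam.com'
$domainDN = 'DC=fabrikam,DC=com'
$ou       = "OU=Workstations,$domainDN"   # assumed OU; narrower scope than the domain

# Until it is linked, the GPO exists in AD and SYSVOL but applies to nothing.
$gpo = New-GPO -Name 'Workstation Baseline' -Domain $domain -Comment 'Added example GPO'

# Link it to the OU only, and leave the link enabled.
New-GPLink -Guid $gpo.Id -Target $ou -Domain $domain -LinkEnabled Yes | Out-Null

# Links at the domain node affect every computer and user in the domain,
# so this list should be short and every entry deliberate.
'GPOs linked directly at the domain node:'
(Get-GPInheritance -Target $domainDN -Domain $domain).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize

# Confirm the new GPO is linked at the OU and not at the domain.
$ouLinks = (Get-GPInheritance -Target $ou -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpo.DisplayName }
if ($ouLinks) { "'$($gpo.DisplayName)' is linked at $ou" }
else          { "'$($gpo.DisplayName)' is not linked at $ou" }
```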

Important

Most GPOs will be linked to organizational units. GPOs linked to the domain or sites can affect too many types of computer or user accounts. Some settings can be configured in a GPO linked to the domain, such as DNS suffix, password policies, account lockout policies, screen saver settings, and various Internet Explorer settings. Any settings that are set in the GPOs linked to sites are typically “network”-related settings. This might include firewall settings, proxy settings, Distributed File System (DFS), and software installation points.


The design and implementation of your organizational units is critical to a successful GPO deployment for two reasons: because the majority of GPOs in Active Directory will be linked to Organizational Units, and because there is only one organizational unit in a default installation of Active Directory.

More Info

Windows Server 2008 Active Directory Resource Kit (Microsoft Press, 2008) covers this in great detail.
