You can use Group Policy to establish configuration settings for your organization. This lesson guides you through the steps of implementing a Group Policy using the Group Policy tab and the Group Policy snap-in. You also learn how to modify a Group Policy policy.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
The tasks for implementing Group Policy are
The first step in implementing a Group Policy is to create a GPO. Recall that a GPO is a collection of Group Policy settings.
Follow these steps to create a GPO:
By default, the new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created and its settings apply to that site, domain, or OU.
Figure 20.1 Group Policy tab
After you create a GPO, you should add the Group Policy snap-in to an MMC and create a standalone GPO console. After saving the console, you can open it whenever necessary from the Administrative Tools menu.
After you create a GPO, it is important to determine which groups of administrators have access permissions to the GPO. The default permissions on GPOs are shown in Table 20.1.
Table 20.1 Default GPO Permissions
Security Group | Default Settings |
---|---|
Authenticated Users | Read, Apply Group Policy, Special Permissions |
CREATOR OWNER | Special Permissions |
Domain Administrators | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
Enterprise Administrators | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
SYSTEM | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
By default, the Default Domain Policy GPO cannot be deleted by any administrator. This prevents the accidental deletion of this GPO, which contains important required settings for the domain.
If you are working with a GPO from a pre-built console, such as Active Directory Users and Computers, the Delegation Of Control wizard is not available for delegating administrative control of a GPO; it controls only the security of the object (site, domain, or OU) itself, not of the GPO.
Follow these steps to delegate administrative control of a GPO:
If you need to change the list of security groups for which you want to allow or deny administrative access to the GPO, you can add or remove security groups using Add and Remove.
A user or administrator who has Read access but does not have Write access to a GPO cannot use the Group Policy snap-in to see the settings that it contains. All extensions to the Group Policy snap-in require Write access to open a GPO.
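The creation and delegation steps above can also be carried out with the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 and later), which post-dates the Windows 2000 MMC tooling this lesson describes. The script below is an added example, not from the book; the GPO name, the delegated group name and the comment text are assumptions.

```powershell
# Added example (not from the lesson). Requires the GroupPolicy module; run as a
# member of Domain Admins or a group that already holds GpoEditDeleteModifySecurity.
Import-Module GroupPolicy

$gpoName = 'DispatchPolicy'              # assumed GPO name
$adminGroup = 'Dispatch Policy Admins'   # assumed security group to delegate to

# 1. Create the GPO. Unlike the MMC Group Policy tab, New-GPO does NOT link the new
#    object to any site, domain or OU; linking is a separate step (New-GPLink).
$gpo = New-GPO -Name $gpoName -Comment 'Desktop restrictions for the Dispatch OU'

# 2. Inspect the default ACL. Expect the trustees from Table 20.1: Authenticated Users
#    with GpoApply (Read + Apply Group Policy), Domain Admins, Enterprise Admins and
#    SYSTEM with GpoEditDeleteModifySecurity.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission |
    Format-Table -AutoSize

# 3. Delegate: GpoEdit grants Read, Write and Create/Delete child objects, which is
#    enough to open and change settings in the Group Policy snap-in, but not to delete
#    the GPO or change its permissions (that needs GpoEditDeleteModifySecurity).
Set-GPPermission -Name $gpoName -TargetName $adminGroup -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 4. Verify. A trustee with only GpoRead cannot open the GPO in the editor (every
#    snap-in extension needs Write), so check the level that was actually granted.
function Test-GpoDelegation {
    param([string]$Name, [string]$Group)
    $perm = Get-GPPermission -Name $Name -TargetName $Group -TargetType Group
    return ($perm.Permission -eq 'GpoEdit')
}
if (-not (Test-GpoDelegation -Name $gpoName -Group $adminGroup)) {
    throw "Delegation of $gpoName to $adminGroup did not take effect"
}
```

Granting GpoEdit rather than GpoEditDeleteModifySecurity keeps the delegated group from widening its own access or deleting the object, which mirrors the lesson's point that Default Domain Policy is protected against accidental deletion.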
Figure 20.2 GPO Properties Security tab
After you create a GPO and determine the administrators who have access permissions to the GPO, you can specify the Group Policy settings.
Follow these steps to specify Group Policy settings for a GPO:
Figure 20.3 Group Policy snap-in
For example, in Figure 20.3, User Configuration, Administrative Templates, and Control Panel were expanded, and then Display was expanded.
Figure 20.4 Hide Screen Saver Tab Properties dialog box
Not Configured indicates that no change will be made to the registry regarding this setting. Disabled indicates that the policy is explicitly written to the registry as not applying to the users or computers that are subject to this GPO.
If, under the Computer Configuration or User Configuration node of the console, a GPO has only settings that are Not Configured, you can avoid processing those settings by disabling the node. This expedites startup and logon for those users and computers subject to the GPO.
Follow these steps to disable the Computer Configuration or User Configuration settings for a GPO:
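As an added example (not from the book), the following script sets the Hide Screen Saver Tab setting from Figure 20.4 and then disables the unused Computer Configuration node, using the GroupPolicy PowerShell module rather than the snap-in. The GPO name is assumed; the registry key and value name are the ones this Administrative Template setting writes.

```powershell
# Added example (not from the lesson). Requires the GroupPolicy module.
Import-Module GroupPolicy
$gpoName = 'DispatchPolicy'   # assumed GPO name

# "Hide Screen Saver tab" (User Configuration > Administrative Templates > Control Panel >
# Display) is an Administrative Template, so Enabled means this value is delivered as 1.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'NoDispScrSavPage' -Type DWord -Value 1 | Out-Null

# Not Configured means the GPO carries no entry for the value at all, so the client
# registry is left untouched. Removing a value from the GPO returns it to that state.
try {
    Remove-GPRegistryValue -Name $gpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -ValueName 'NoRun' | Out-Null
} catch { }   # value was already absent, i.e. already Not Configured

# Disable the Computer Configuration half only if nothing was ever written there.
# The DS version counter for that half stays at 0 until a computer setting is saved.
$gpo = Get-GPO -Name $gpoName
if ($gpo.Computer.DSVersion -eq 0 -and $gpo.GpoStatus -eq 'AllSettingsEnabled') {
    $gpo.GpoStatus = 'ComputerSettingsDisabled'   # the setter writes straight to AD
}

# Summary for review: status plus the version counters of both halves.
function Get-GpoSummary {
    param([string]$Name)
    $g = Get-GPO -Name $Name
    [pscustomobject]@{
        Name            = $g.DisplayName
        Status          = $g.GpoStatus
        ComputerVersion = $g.Computer.DSVersion
        UserVersion     = $g.User.DSVersion
    }
}
Get-GpoSummary -Name $gpoName

# HTML report of every configured setting; Not Configured settings do not appear in it.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Checking the version counter before disabling a node avoids silently switching off settings that another administrator has since added to that half of the GPO.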
GPOs are processed according to the Active Directory hierarchy: first the local GPO, then the site GPOs, domain GPOs, and finally the OU GPOs. However, you can change the default order of processing Group Policy settings. You do so by modifying the order of GPOs for an object, specifying the Block Policy Inheritance option, specifying the No Override option, or enabling the Loopback setting.
Follow these steps to modify the order of GPOs for an object:
Figure 20.5 Modifying the order of GPOs
Follow these steps to specify the Block Policy Inheritance option:
Follow these steps to specify the No Override option:
Figure 20.6 Options dialog box
Follow these steps to enable the Loopback setting:
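The four processing exceptions described above (link order, Block Policy Inheritance, No Override and Loopback) correspond to three link-level or container-level operations and one Computer Configuration registry setting. The script below is an added example, not from the book, using the GroupPolicy PowerShell module, where No Override is called Enforced; the OU, domain and GPO names are assumptions.

```powershell
# Added example (not from the lesson). Requires the GroupPolicy module.
Import-Module GroupPolicy
$ouDN     = 'OU=Dispatch,DC=microsoft,DC=com'   # assumed OU
$domainDN = 'DC=microsoft,DC=com'               # assumed domain
$gpoName  = 'DispatchPolicy'                    # assumed GPO linked at the OU
$domainGpo = 'Corporate Security Baseline'      # assumed GPO linked at the domain

# Link order within one container: the Group Policy tab lists links top-down but
# applies them bottom-up, so Order 1 (top of the list) is applied last and wins.
Set-GPLink -Name $gpoName -Target $ouDN -Order 1 | Out-Null

# Block Policy Inheritance on the OU: site- and domain-level GPOs stop here ...
Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null

# ... except those marked No Override (Enforced). This is a property of the LINK, not
# of the GPO, so the same GPO can be enforced at one container and ordinary at another.
Set-GPLink -Name $domainGpo -Target $domainDN -Enforced Yes | Out-Null

# Loopback is a Computer Configuration setting, so it lives under HKLM in the GPO.
# 1 = Merge (user's own GPOs first, then the computer's user settings on top), 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Review what the OU actually receives. InheritedGpoLinks still lists enforced links
# from above even when inheritance is blocked, which is the check that matters here.
function Get-OuPolicyPicture {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target           = $Target
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        LocalLinks       = ($inh.GpoLinks | Sort-Object Order |
                             ForEach-Object { "$($_.Order):$($_.DisplayName)" + $(if ($_.Enforced) { ' [Enforced]' }) }) -join ', '
        InheritedLinks   = ($inh.InheritedGpoLinks |
                             ForEach-Object { "$($_.DisplayName)" + $(if ($_.Enforced) { ' [Enforced]' }) }) -join ', '
    }
}
Get-OuPolicyPicture -Target $ouDN | Format-List
```

Running the review function after each change makes the interaction explicit: blocking inheritance removes the domain baseline from InheritedLinks until it is enforced, at which point it reappears regardless of the block.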
The policies in a GPO apply only to users who have Read and Apply Group Policy permissions for that GPO. You can filter the scope of a GPO by creating security groups and then assigning Read and Apply Group Policy permissions to the selected groups. Thus, you can prevent a policy from applying to a specific group by denying that group Read and Apply Group Policy permissions to the GPO.
Follow these steps to filter the scope of a GPO:
Figure 20.7 Security tab of the GPO properties dialog box
If you need to change the list of security groups through which to filter this GPO, you can add or remove security groups using Add and Remove.
Set the permissions as shown in Table 20.2, and then click OK.
Table 20.2 Permissions for GPO Scopes
GPO scope | Set These Permissions | Result |
---|---|---|
Members of this security group should have this GPO applied to them. | Set Apply Group Policy (AGP) to Allow. Set Read to Allow. | This GPO applies to members of this security group unless they are members of at least one other security group that has AGP set to Deny, or Read set to Deny, or both. |
Members of this security group are exempt from this GPO. | Set AGP to Deny. Set Read to Deny. | This GPO never applies to members of this security group regardless of the permissions those members have in other security groups. |
Membership in this security group is irrelevant to whether the GPO should be applied. | Set AGP to neither Allow nor Deny. Set Read to neither Allow nor Deny. | This GPO applies to members of this security group only if they have both AGP and Read set to Allow as members of at least one other security group. They also must not have AGP or Read set to Deny as members of any other security group. |
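The same scope filter expressed with the GroupPolicy PowerShell module, as an added example that is not from the book. It assumes the GPO and group names shown, and it goes one step beyond the table: because the module's permission levels are all Allow entries and it cannot write a Deny ACE, the script exempts groups by turning the GPO into an allow-list instead, and the audit function reports any Deny entry that was set on the Security tab.

```powershell
# Added example (not from the lesson). Requires the GroupPolicy module.
Import-Module GroupPolicy
$gpoName = 'DispatchPolicy'   # assumed GPO name

# Row 1 of Table 20.2: members of "Dispatch Users" (assumed group) receive the GPO.
# GpoApply grants Read and Apply Group Policy together; Apply is useless without Read.
Set-GPPermission -Name $gpoName -TargetName 'Dispatch Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users holds Apply by default, so the GPO applies to everyone until that
# is changed. Downgrade it to Read only (-Replace is required to lower an existing
# level). Keep Read rather than removing the entry entirely: since MS16-072 (KB3163622)
# a computer must be able to read the GPO for user settings to be processed at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Row 2 ("exempt"): with Authenticated Users no longer applying, an unlisted group such
# as Sales is exempt unless its members also belong to a listed group. For that case the
# only hard exemption is an explicit Deny on Read/Apply, which the lesson sets on the
# Security tab; Set-GPPermission cannot write it.

# Audit the resulting filter: who applies, and any Deny entries set elsewhere.
function Get-GpoScopeFilter {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission, Denied
}
Get-GpoScopeFilter -Name $gpoName | Format-Table -AutoSize
```

A reviewer reading the audit output should see exactly the groups meant to receive the policy with GpoApply and Denied = False, plus Authenticated Users with GpoRead only; anything else is a scope mistake waiting to surface at logon.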
By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created. Therefore, its settings apply to that site, domain, or OU. Use the Group Policy tab for the site, domain, or OU properties to link a GPO to additional sites, domains, or OUs.
Follow these steps to link a GPO to a site, domain, or OU:
Figure 20.8 Add A Group Policy Object Link dialog box
The following is the sequence of tasks used to modify Group Policy:
Removing a GPO link simply unlinks the GPO from the specified site, domain, or OU. The GPO remains in Active Directory until it is deleted.
Follow these steps to remove a GPO link:
The GPO remains in Active Directory but is no longer linked.
If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs to which it is linked will no longer be affected by it. You may wish to take the less drastic step of removing the GPO link, which disassociates the GPO from its OU but leaves the GPO intact in Active Directory.
Follow these steps to delete a GPO:
The GPO is removed from Active Directory.
To edit a GPO or its settings, follow the procedures outlined earlier in this lesson for creating a GPO and for specifying Group Policy settings.
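The link, unlink and delete tasks above, as an added example (not from the book) using the GroupPolicy PowerShell module; the GPO name, OU distinguished names and backup path are assumptions. It also shows the check a practitioner wants before either destructive step: where else the GPO is linked.

```powershell
# Added example (not from the lesson). Requires the GroupPolicy module.
Import-Module GroupPolicy
$gpoName    = 'DispatchPolicy'                     # assumed
$securityOU = 'OU=Security1,DC=microsoft,DC=com'   # assumed second OU
$backupPath = 'C:\GPOBackups'                      # assumed; folder must exist

# Link to an additional OU. The GPO object is not copied: both links point at the same
# object under CN=Policies,CN=System, so an edit made via either container affects both.
New-GPLink -Name $gpoName -Target $securityOU -LinkEnabled Yes | Out-Null

# Every container this GPO is linked to, from the XML report (which still uses the
# lesson's term NoOverride for the Enforced flag).
function Get-GpoLinks {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{
            SOM        = $link.SOMPath
            Enabled    = $link.Enabled
            NoOverride = $link.NoOverride
        }
    }
}
Get-GpoLinks -Name $gpoName | Format-Table -AutoSize

# Removing a link only detaches the GPO from that container; the object stays in
# Active Directory and any other links keep working.
Remove-GPLink -Name $gpoName -Target $securityOU | Out-Null

# Deleting removes the object from AD and SYSVOL, and every remaining link dies at once.
# Back it up first so the "drastic step" is reversible (Import-GPO restores the settings
# into a new GPO), and refuse to delete while other links still exist.
$remaining = @(Get-GpoLinks -Name $gpoName)
if ($remaining.Count -gt 0) {
    throw "$gpoName is still linked at: $($remaining.SOM -join ', '); unlink first"
}
$backup = Backup-GPO -Name $gpoName -Path $backupPath
Remove-GPO -Name $gpoName -Confirm:$false
"Deleted $gpoName; backup id $($backup.Id) in $backupPath"
```

The link inventory is the safeguard the lesson implies but the snap-in does not surface in one place: the Group Policy tab shows links per container, while the report shows them per GPO.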
In this practice you implement a Group Policy for your domain. In Exercises 1 through 8 you create a GPO, create a GPO console, delegate administrative control of the GPO, specify Group Policy settings for the GPO, disable unused Group Policy settings, indicate a GPO processing exception, filter the scope of the GPO, and link the GPO to an additional OU. In Exercise 9 you test the Group Policy.
In this exercise you create a GPO at the OU level.
To create a GPO for your OU
In this exercise you create a console for the DispatchPolicy GPO. After saving it, you can open it whenever necessary from the Administrative Tools menu.
To create a DispatchPolicy GPO console
The Run dialog box appears.
A new MMC appears.
The Add/Remove Snap-In dialog box appears.
The Add Standalone Snap-In dialog box appears.
The Select Group Policy Object page appears.
The Browse For A Group Policy Object dialog box appears.
The Select Group Policy Object page appears with DispatchPolicy in the Group Policy Object box.
The Save As dialog box appears.
The DispatchPolicy GPO is now available on the Administrative Tools menu.
In this exercise you delegate administrative control for the DispatchPolicy GPO to the Administrators group.
To delegate administrative control for your GPO
The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.
What security groups already have administrative control of the DispatchPolicy GPO?
In this exercise you specify some Group Policy settings for the DispatchPolicy GPO.
To specify Group Policy settings for your GPO
What appears in the details pane?
The Remove Search Menu From Start Menu Properties dialog box appears.
How can you tell at a glance that this setting is enabled?
The policies available for this category appear in the details pane.
In this exercise you disable the Computer Configuration node of the console, as this node contains only settings that are not configured. This expedites startup for those users and computers subject to the GPO.
To disable the Computer Configuration settings for your GPO
The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.
The Confirm Disable message box appears, asking you to confirm that you want to disable the Computer Configuration settings.
In this exercise you set the No Override option to prevent other GPOs from overriding the policies set in the DispatchPolicy GPO.
To set the No Override option for your GPO
The Dispatch Properties dialog box appears.
The DispatchPolicy Options dialog box appears.
In this exercise you prevent a policy from applying to the Sales security group by denying that group Read permission to the GPO. You created the Sales group and its members in Chapter 7, "Managing Security."
To filter the scope of your GPO
The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.
The Security message box appears, asking you to confirm that you want to prevent the DispatchPolicy from applying to the Sales group.
By default, the DispatchPolicy GPO is linked and its settings apply to the Dispatch OU. In this exercise you link the DispatchPolicy GPO to the Security1 OU you created in Chapter 19, "Managing Active Directory Components."
To link your GPO to an additional OU
The Security1 Properties dialog box appears.
The Add A Group Policy Object Link dialog box appears.
In this exercise you view the effects of the Group Policy implemented in the previous exercises.
To test the DispatchPolicy GPO
The Windows Security dialog box appears.
Are you able to lock the workstation? Why?
Does the Search command appear on the Start menu?
Does the Run command appear on the Start menu?
Are you able to lock the workstation? Why?
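Exercise 9 checks the result by hand through the Start menu and the Windows Security dialog box. As an added example (not from the book), the script below performs the same test from the logged-on user's registry on the workstation and then asks gpresult which GPOs were applied or filtered out. It assumes the practice enabled Remove Search Menu From Start Menu (named in Exercise 4) plus Remove Run Menu From Start Menu and Remove Lock Computer, which Exercise 9 implies but does not list; the value names are the ones those Administrative Template settings write.

```powershell
# Added example (not from the lesson). Run on the workstation as the test user after
# logon; no GroupPolicy module needed. Settings other than Remove Search are assumed.
function Test-DispatchPolicy {
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @(
        @{ Setting = 'Remove Search menu from Start Menu'; Path = $explorer; Name = 'NoFind' },
        @{ Setting = 'Remove Run menu from Start Menu';    Path = $explorer; Name = 'NoRun' },
        @{ Setting = 'Remove Lock Computer';               Path = $system;   Name = 'DisableLockWorkstation' }
    )
    foreach ($c in $checks) {
        # A missing value means the setting is Not Configured or was filtered out for this user.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = $c.Setting
            Applied  = ($value -eq 1)
            RawValue = $value
        }
    }
}
Test-DispatchPolicy | Format-Table -AutoSize

# Which GPOs delivered these values, and which were filtered out (for example by the
# Deny set for the Sales group in Exercise 7). gpresult's /r and /scope switches are
# the modern syntax, not the Windows 2000 version of the tool.
gpresult /r /scope user
```

Running the check as a Sales member and as a Dispatch user side by side is the quickest way to confirm that the scope filter, not just the settings, behaves as intended.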
In this lesson you learned the tasks involved with implementing Group Policy. The tasks are creating a GPO; creating a GPO console; delegating administrative control of the GPO; specifying Group Policy settings for the GPO; disabling unused Group Policy settings; indicating GPO processing exceptions; filtering the scope of the GPO; and linking the GPO to a site, domain, or OU.
In the practice portion of this lesson you implemented a Group Policy for your domain. You created a GPO, created a console for the GPO, delegated administrative control of the GPO, specified Group Policy settings for the GPO, disabled unused Group Policy settings, set the No Override option for the GPO, filtered the scope of the GPO, and linked the GPO to an additional OU. Finally, you tested the effects of the GPO.