Using Group Policy

In this and in the subsequent sections, you will create and link a GPO to a test organizational unit (OU), edit that GPO, test it, and then copy the GPO to a production environment and link to an OU. These sections describe configuring a GPO with a single setting and then linking it ”just keep adding new settings as you need them.

Note that this is an example only, and you should read the complete Resource Kit and white-paper documentation when you begin to build your own Group Policy infrastructure. You can find links to this documentation in the Additional Resources section at the end of this chapter.

Creating and Linking a GPO to a Test OU

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or OUs. Typically, most GPOs are assigned at the organizational unit level, so be sure your OU structure supports your Group Policy- based management strategy. You might also apply some Group Policy settings at the domain level, particularly those such as password policies, which only effect domain accounts if applied at the domain level. In general, very few policy settings are likely to be applied at the site level.

A GPO is a virtual object “ it is stored in both Active Directory and in the Sysvol folder on each domain controller. These locations have different replication mechanisms ”using Active Directory replication and the File Replication Service (FRS), respectively. These two replication technologies ensure that the GPO is replicated to all domain controllers throughout the domain. In general, the underlying Active Directory and FRS infrastructure will handle this replication, but you should be aware of the way in which GPOs are replicated.

A well-designed OU structure, reflecting the administrative structure of your organization and taking advantage of GPO inheritance, is the first step toward the successful application of Group Policy. For example, it can prevent needing to duplicate certain settings so that the policies can be applied to different parts of the organization, or having to link the same GPO to multiple Active Directory containers to achieve your objectives. If possible, create OUs to delegate administrative authority as well as to help implement Group Policy. An OU is the lowest -level Active Directory container to which you can assign Group Policy settings.

Applying Group Policy to New User and Computer Accounts

By default, all new computer or user accounts are created in the Computer or User containers, respectively. Because these are not OUs, it is not possible to link GPOs to them. However, you can specify that all new accounts will be created in specific OUs. You do this by first creating OUs for new user and computer accounts and then running Redirusr.exe (for user accounts) and/or Redircmp.exe (for computer accounts) once for each domain. From this point, all new user and computer accounts will be placed in the targeted OUs. These tools are included with Windows Server 2003. You can run either of these tools or both of them.

For more details, see article 324949, Redirecting the Users and Computers Containers in Windows Server 2003 Domains, in the Microsoft Knowledge Base.

Important

For all procedures in this chapter, you must log on to the domain with a domain administrator account.

To create a test OU

Using the Active Directory Users and Computers MMC snap-in, create a test OU as described in the Upgrading to Windows Server 2003 Active Directory chapter of this book. Use TestGP for the new OU name .
Right-click the OU named TestGP , point to New , and then click User .
Complete the user information for a fictitious user account.
Repeat steps 2 and 3 to create additional fictitious user accounts (you should probably create about ten fictitious user accounts for test purposes).
Close the Active Directory Users and Computers snap-in.

To create and link a GPO

In GPMC, right-click a domain or OU item, and then click Create and Link a GPO here . This option is equivalent to clicking New on the Group Policy tab that was available in the Active Directory Users and Computers snap-in, prior to installing GPMC. In the New GPO dialog box, type a name for the new GPO, and then click OK . Although this operation is presented in GPMC as one action to the user, there are actually two steps taking place. First, a GPO is created in the domain, and second, the new GPO is linked to the domain or OU.

To create a GPO and link it to a site (as opposed to a domain or OU), you must first create the GPO in the domain, and then link it.

To open GPMC, click Start , point to Administrative Tools , and then click Group Policy Management .
Expand your domain, and then expand the TestGP OU.
Right-click TestGP, and then click Create and Link a GPO Here . When prompted for the New GPO name, type NoRunMenu , and then click OK .

Group Policy inheritance and precedence determine where you link GPOs. By default, options set in GPOs linked to higher levels of Active Directory containers ” sites, domains, and OUs ” are inherited by all containers at lower levels, though inheritance does not occur across domains. However, inherited policy can be overridden by a GPO that is linked at a lower level. For example, you might use a GPO linked at a high level OU for assigning standard desktop wallpaper, but want a certain OU to get different wallpaper. To do so, you can link a second GPO to that specific lower-level OU. Because lower-level GPOs apply last, the second GPO overrides the domain-level GPO and provides that specific lower-level OU with a different set of Group Policy settings. You can also modify this default inheritance behavior by using the Block Inheritance and Enforced Group Policy link configuration options.

Always fully test your GPOs in safe (non-production) environments prior to deployment in your production environment. Your tests should closely simulate your production environment. GPMC s backup, copy, and import options can be of considerable value here. The more you plan, design, and test GPOs prior to deployment, the easier it is to create, implement, and maintain an optimal Group Policy solution. The importance of testing and pilot deployments in this context cannot be overemphasized.

Consider an iterative implementation of Group Policy. That is, rather than deploying one hundred new Group Policy settings at once, stage and then initially deploy only a few settings to validate that the Group Policy infrastructure is working well.

Configuring a GPO

You configure and edit GPOs by using the Group Policy Object Editor MMC snap-in. You can open this tool from within GPMC. The following sections describe configuring a single setting in your new GPO using the Group Policy Object Editor.

Configuring the Disable the Run menu GPO Setting

A common GPO setting administrators configure is Disable the Run menu . This procedure shows you how to configure a setting in your new GPO.

To Disable the Run menu in the NoRunCmd GPO

In the GPMC console tree, right-click the GPO named NoRunMenu , and then click Edit . This starts Group Policy Object Editor.
In the Group Policy Object Editor console tree, expand User Configuration .
Under User Configuration, expand Administrative Templates .
Click Start Menu and Taskbar .
In the right pane, double-click Remove Run menu from Start menu . Click Enabled and then click OK .
Close Group Policy Object Editor.
Restart a client computer and log on as one of the fictitious users that you created in the TestGP OU. Click Start and verify that the Run command is not listed on the Start menu.

Verifying That Your GPO Works

Before deploying your Group Policy solution, it is critical that you assess it to determine the effects of applying the various policy settings that you select, individually and in combination. The primary mechanism for assessing your Group Policy deployment is to create a staging environment and log on using a test account. This is the best way to understand the impact and interaction of all the applied GPO settings.

For Active Directory networks with at least one Windows Server 2003 domain controller, you can use Group Policy Modeling in GPMC to simulate the deployment of GPOs to any destination computer running Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003.

The primary tool for viewing the actual application of GPOs is Group Policy Results in GPMC. Note that Group Policy Results can only be retrieved from computers running Windows XP Professional or Windows Server 2003 (this feature does not exist on computers running Windows 2000 operating systems).

Using Group Policy Modeling to Simulate Resultant Set of Policy

The built-in Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling can also simulate such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different Active Directory container. The simulation is performed by a service that runs on domain controllers running Windows Server 2003, though you can simulate RSoP for a Windows 2000 computer, even though Windows 2000 doesn t include RSoP. These calculated settings are reported in HTML and are displayed in GPMC on the Settings tab in the details pane for the selected GPO. To expand and contract the settings under each item, click hide or show all so that you can see all the settings, or only a few. To perform a Group Policy Modeling analysis you must have the Perform Group Policy Modeling analyses permission on the domain or organizational unit that contains the objects on which you want to run the query. By default, only Domain Administrators and Enterprise Administrators have this permission.

To run a Group Policy Modeling analysis

To simulate the results, right-click Group Policy Modeling , and then click Group Policy Modeling Wizard .
On the User and Computer Selection page, click the User option button, and then click Browse .
Click Locations , type in Users , and then click OK . The Users OU will be displayed in the Locations text box.
Click Advanced , and then click OK to display all users in this group. Select a user.
Select Skip to the final page of this wizard without collecting additional data , and then click Next .

The Summary of Selections page displays the criteria that the wizard will use to process the simulation.
Click Next , and then click Finish .
To view all settings, click show all .

To run the wizard, right-click Group Policy Modeling (or an Active Directory container), and then click Group Policy Modeling Wizard. If you run it from an Active Directory container, the wizard fills in the Container fields for user and computer with the LDAP distinguished name of that container.

When you have answered all the questions in the wizard, your answers are displayed as if they were from a single GPO. They are also saved as a query represented by a new item under the Group Policy Modeling item. The display also shows which GPO is responsible for each setting, under the heading Winning GPO . You can also see more detailed precedence information (for example, which GPOs attempted to set the settings, but did not succeed). To do so, right-click the item, and then click Advanced View . This starts the traditional RSoP snap-in. Each setting has a Precedence tab.

Keep in mind that modeling does not include evaluating any local GPOs (LGPOs). Because of this, in some cases you might see a difference between the simulation and the actual results.

To save the results of the modeling, right-click the query, and then click Save Report .

Using Group Policy Results to Determine Resultant Set of Policy

Use the Group Policy Results Wizard to see what Group Policy settings are actually in effect for a user or computer by gathering RSoP data from the destination computer. In contrast to Group Policy Modeling, Group Policy Results reveals the actual Group Policy settings that were applied to the destination computer. The target must be running Windows XP Professional or Windows Server 2003 and the computer from which you run GPMC must have network connectivity to the target.

The settings are reported in HTML and are displayed in a GPMC browser window on the Summary and Settings tabs in the details pane for the selected GPO. To remotely access Group Policy Results data for a user or computer, you must have the Remotely access Group Policy Results data permission on the domain or organizational unit that contains the user or computer, or you must be a member of a local Administrator s group on the appropriate computer and must have network connectivity to the destination computer. To delegate Group Policy Results, you need the Windows Server 2003 schema in your Active Directory, which you receive by default when you create a clean Windows Server 2003 domain. If not, to update your schema, run the ADPrep /forestprep command on the domain controller that performs the schema operations master role.

To run a Group Policy Results analysis

In GPMC, right-click Group Policy Results , and then click Group Policy Results Wizard .
On the Computer Selection page, click This Computer .
On the User Selection page, select a user from the Users OU. The Group Policy Results report in the right pane displays the combined settings for this computer and the selected user.

When you have answered all the questions in the wizard, GPMC creates a report that shows the resultant set of policy for the user and computer you entered in the wizard. The display shows which GPO is responsible for each setting on the Settings tab, under the heading Winning GPO . You can save the results by right-clicking the query and choosing Save Report .

Now, by simply configuring new settings in your newly deployed GPO, testing that GPO in your test OU, and then verifying that it works as expected by running Group Policy Modeling and Group Policy Results analyses, you can expand the scope and power of your centralized management. You need not understand all the hundreds of available settings when you first deploy a GPO; build your management solution in clear and simple stages.

Linking a Complete and Tested GPO to a Production OU

To apply the settings of a GPO to the users and computers of a domain, site, or OU, you now need to add a link for that GPO to your production environment. Do this by using GPMC in a similar manner to creating and linking the GPO to your test OU. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a privilege that should be delegated only to administrators who are trusted and understand Group Policy.

Most GPOs are normally linked to the OU structure because this provides the most flexibility and manageability:

You can move users and computers into and out of OUs.
OUs can be easily rearranged if necessary.
You can work with smaller groups of users who have common administrative requirements.
You can organize users and computers based on which administrators manage them.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting.

The following procedure shows you how to move your GPO from your test OU to your production environment.

To link a GPO to your production OUs

In GPMC, right-click the Users OU.
Click Link an Existing GPO . Select the GPO named NoRunMenu , and then click OK .

This assumes that your test OUs exist in the same domain as the production OUs. Although separate test and production domains are recommended, if your GPOs are linked to OUs only, you might have adequate separation if you use a distinct set of OUs for test and production in the same domain.

Even though GPOs can be linked across domains, it is not recommended because of performance reasons. Also, many Group Policy settings, including software distribution and folder redirection, are not applied by default in slow- link situations (slower than 500 kilobits per second, by default).

If you want to use a GPO from another domain, you can use the GPMC copy/paste feature to copy a GPO across trusted domains, and then link this new GPO to the OU. The following procedure shows you how to copy a GPO.

To copy a GPO

In the GPMC console tree, right-click the GPO that you want to copy, and then click Copy .
- To place the copy of the GPO in the same domain as the source GPO, right-click the Group Policy Objects container, and then click Paste .
- To place the copy of the GPO in a different domain (either in the same or a different forest), expand the destination domain, right-click the Group Policy Objects container, and then click Paste .
If you are copying within a domain, click Use the default DACL for new GPOs or Preserve the existing DACL , and then click OK .
If you are copying to or from another domain, answer all the questions in the cross-domain copying wizard that appears, and then click Finish .

Your pre-configured GPO from another domain is now ready to use in the new domain and can be customized as needed. Then link it to the new domain as described previously. For more information about copying GPOs, see the Migrating GPOs Across Domains by Using GPMC whitepaper link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.