Linking Group Policies


If a group policy will be applied to many different locations, you should create the policy once and assign the permissions, and then link the policy to the other locations rather than creating the policy multiple times. Linking the policies achieves the following objectives:

  • Creates fewer group policies in SYSVOL. This allows for quicker domain controller promotion and less replication traffic.

  • A single point of change for the GPO. If the GPO is changed, the change is applied to all the locations where the GPO is linked.

  • A single point of change for permissions. When permissions are configured or changed in one location on a linked GPO, the permissions are applied universally to each place where the GPO is linked.

Configuring the Group Policy Snap-in

When a site administrator opens the GPMC or the group policy through ADUC, the domain controller used to make and process group policy changes is, by default, the single DC that holds the PDC Emulator Operations Master FSMO role. Although this was configured to help eliminate replication conflicts, it can cause frustration and delays for remote administrators making changes to a group policy under their control, because they must wait for the changes to replicate from the remote PDC Emulator DC. To force the GPMC and Group Policy snap-in to use the most available domain controller, enable the following group policy: User Configuration, Administrative Templates, System, Group Policy, Group Policy Domain Controller Selection.

Choose Use Any Available Domain Controller, or choose Inherit From Active Directory Snap-ins to use the DC to which the open snap-in is connected. The default, which points to the PDC Emulator, is Use the Primary Domain Controller. Figure 21.3 shows the domain controller selection of Inherit From Active Directory Snap-ins.

Figure 21.3. Configuring the domain controller selection.


Disabling Configuration Settings

To speed up login and boot times for users, it is recommended that if the entire User Configuration or Computer Configuration section is not being used in a GPO, the unused section should be disabled for the GPO. This expedites the user login time or the computer boot time, as the disabled sections aren't parsed upon boot or login.

To disable configuration settings using Active Directory Users and Computers:

1. Click on a group policy.

2. Click Properties.

3. Go to the General tab.

4. Click on either Disable Computer Configuration Settings or Disable User Configuration Settings, whichever section is not being utilized.

To disable configuration settings using the GPMC:

1. Click on the group policy in GPMC.

2. Click on the Details tab.

3. Click on the drop-down box at the bottom of the Details tab.

4. Choose Computer Configuration Settings Disabled or User Configuration Settings Disabled, depending on which portion needs to be disabled.
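The same change can be scripted and, more usefully, audited first: the following added example (not from the book) reads each GPO's XML report to see whether its Computer or User section actually contains settings, then sets the same four-state status the GPMC Details tab drop-down exposes. It assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT); Windows Server 2003's GPMC offered COM scripting instead.

```powershell
# Added example, not from the book. Assumes the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoSectionUsage {
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name
    # The XML report only emits an ExtensionData node under <Computer> or <User>
    # when that section has at least one configured setting.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    [pscustomobject]@{
        Name         = $gpo.DisplayName
        Status       = $gpo.GpoStatus
        ComputerUsed = ($null -ne $report.GPO.Computer.ExtensionData)
        UserUsed     = ($null -ne $report.GPO.User.ExtensionData)
    }
}

function Disable-UnusedGpoSection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $usage = Get-GpoSectionUsage -Name $Name
    # Same states as the Details tab drop-down in GPMC.
    if (-not $usage.ComputerUsed -and -not $usage.UserUsed) { $target = 'AllSettingsDisabled' }
    elseif (-not $usage.ComputerUsed)                        { $target = 'ComputerSettingsDisabled' }
    elseif (-not $usage.UserUsed)                            { $target = 'UserSettingsDisabled' }
    else { Write-Verbose "$($usage.Name): both sections in use, nothing to disable"; return }

    if ($usage.Status -eq $target) { return }   # already in the desired state
    if ($PSCmdlet.ShouldProcess($usage.Name, "Set GpoStatus to $target")) {
        $gpo = Get-GPO -Name $Name
        $gpo.GpoStatus = $target            # assignment writes back through the GPMC API
    }
}

# Review every GPO in the domain first; only change the ones you recognise.
Get-GPO -All | ForEach-Object { Get-GpoSectionUsage -Name $_.DisplayName } |
    Format-Table Name, Status, ComputerUsed, UserUsed -AutoSize
# Dry run against one GPO (the name is a constructed placeholder):
# Disable-UnusedGpoSection -Name 'Workstation Lockdown' -WhatIf
```

Run the audit table once before any change; a section that is empty today because settings were moved to another GPO is exactly the case the book's advice targets.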

Viewing Group Policy Using the Show Configured Policies Only

Searching through Administrative Templates for a particular group policy that is configured can be very time consuming. However, ADUC and the GPMC can easily be configured to show only the Administrative Templates objects that are configured. This removes from the view any policies or policy folders that don't have policies configured within them, making it much easier and faster to find a specific configured policy. Figure 21.4 shows what a GPO looks like when viewed using the Show Configured Policies Only view.

Figure 21.4. Standard Group Policy Object screen.


To view only the configured policies while using ADUC or the GPMC:

1. Open ADUC or GPMC.

2. Edit a group policy to view.

3. Click on Computer Configuration/Administrative Templates or User Configuration/Administrative Templates.

4. Right-click on the Administrative Templates section and choose View, Filtering.

5. Select the Only Show Configured Policy Settings option, as shown in Figure 21.5.

Figure 21.5. Selecting the Configured Policy Settings option in GPMC.


Deleting Orphaned Group Policies

When a GPO is deleted, you have two choices: Delete the link or delete the entire policy. Each option carries certain consequences.

If the Group Policy Object should be removed from being applied at that location but it is or will still be applied elsewhere, choose to remove just the link. This leaves it in the available group policy list for future use. If the GPO will not be used elsewhere or ever again, delete the object permanently. This removes the policy from SYSVOL permanently and removes it from Active Directory.

If the policy won't ever be used again and the policy isn't fully deleted, this results in the Group Policy being left unused in the SYSVOL area on each domain controller. This adds unnecessarily to the time it takes to create a new domain controller, and increases replication time and storage space on the domain controller.

If you are using ADUC to access Group Policy, Windows 2003 presents you with two choices when trying to delete a group policy: Remove the Link From the List or Remove the Link and Delete the Group Policy Object Permanently.

If you are using the GPMC, delete the link by right-clicking on the Group Policy Object under the object to which it is applied. A pop-up box appears that asks, "Do you want to delete this link? This will not delete the GPO itself," thereby leaving the GPO available for linking elsewhere. To delete the link, click OK in the box.

To fully delete the GPO, click on the folder in GPMC titled Group Policy Objects. Right-click the GPO and choose Delete. A pop-up box appears asking "Do you want to delete this GPO and all links to it in the domain? This will not delete links in other domains." To complete the deletion, click OK.

Note

Be sure to check whether the GPO is linked elsewhere in the domain before deleting the object completely. This can be done through the GPMC and ADUC.
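The link check the note calls for, and the "orphaned GPO" search of this section, can be done in one pass: the following added example (not from the book) lists every GPO that has no links in the current domain and refuses to delete a GPO that is still linked anywhere. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 and later, or RSAT) and that the XML report's LinksTo elements cover links in this domain only; links in other domains, as the GPMC dialog warns, must be checked separately.

```powershell
# Added example, not from the book. Assumes the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoLinks {
    param([Parameter(Mandatory)][guid]$Guid)
    [xml]$report = Get-GPOReport -Guid $Guid -ReportType Xml
    # One LinksTo element per site, domain or OU the GPO is linked to;
    # the element is absent entirely when the GPO is linked nowhere.
    @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{ SOMPath = $_.SOMPath; Enabled = $_.Enabled }
    })
}

function Get-OrphanedGpo {
    # GPOs that exist in Active Directory and SYSVOL but are linked nowhere in this
    # domain: the ones the book says waste replication, storage and DC promotion time.
    Get-GPO -All | Where-Object { (Get-GpoLinks -Guid $_.Id).Count -eq 0 } |
        Select-Object DisplayName, Id, ModificationTime
}

function Remove-GpoIfUnlinked {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $gpo   = Get-GPO -Name $Name
    $links = Get-GpoLinks -Guid $gpo.Id
    if ($links.Count -gt 0) {
        # Still applied somewhere: remove a link instead of the object.
        Write-Warning ("'{0}' is still linked at: {1}" -f $gpo.DisplayName, ($links.SOMPath -join ', '))
        return
    }
    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, 'Delete GPO from Active Directory and SYSVOL')) {
        Remove-GPO -Guid $gpo.Id
    }
}

Get-OrphanedGpo | Format-Table -AutoSize
# Dry run against one candidate (the name is a constructed placeholder):
# Remove-GpoIfUnlinked -Name 'Old Logon Script Policy' -WhatIf
```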





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499