Working with Group Policy Objects


This section provides you with a simple list of "how to" items to get you started using Group Policy. If you are already comfortable working with Windows 2000 Group Policy Objects, this section will be review.

There are a variety of ways to open the Group Policy snap-in, from which you can edit, create, and delete Group Policy Objects.

Opening the Group Policy Snap-in

You can open the Group Policy Object Editor in several ways, depending on the action that you want to perform and the object to which you want to apply Group Policy. The preferred method is to use the Group Policy snap-in as an extension to an Active Directory snap-in. This way, you can browse the Active Directory for the correct Active Directory container and then define Group Policy Objects based on the selected scope.

To open the Group Policy Object Editor from Active Directory Users and Computers, perform the following steps:

1. Open Active Directory Users and Computers.
2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy Objects.
3. Click Properties and then click the Group Policy tab.
4. Edit or create a new Group Policy Object for the domain or OU you selected.

To open the Group Policy Object Editor as a Microsoft Management Console (MMC) snap-in, follow these steps:

1. Open the Microsoft Management Console by typing mmc on the Run line.
2. From the File menu, select Add/Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Available Standalone Snap-ins list, click Group Policy Object Editor and then click Add.
5. In the Select Group Policy Object properties page, click Local Computer to edit the local Group Policy Object, or click Browse to find the Group Policy Object that you want to edit.
6. Click Finish, click Close, and then click OK. The Group Policy Object Editor opens the Group Policy Object for you to edit.

Note

If you want to save a Group Policy Object Editor console and choose which Group Policy Object opens in it from the command line, select the Allow Focus of the Group Policy Snap-In To Be Changed When Launching from the Command Line check box in the Select Group Policy Object properties page.


Editing a Group Policy Object

After you open the Group Policy Object Editor, as shown in Figure 21.16, you can edit existing Group Policy Objects. It is important to note that you must have read and write permissions on a GPO to be able to edit it.

Figure 21.16. The Group Policy Object Editor.


To edit a Group Policy Object, follow these steps:

1. Open the Group Policy Object that you want to edit.
2. In the console tree, double-click the folders to view the policies in the Details pane.
3. In the Details pane, double-click a policy to open the properties page and then change the policy settings.

Note

If you want to edit the Local Group Policy Object, you can open it quickly by choosing Start, clicking Run, typing gpedit.msc, and then clicking OK.


Creating a Group Policy Object

If you want to create a new Group Policy Object, follow these steps:

1. Open the Group Policy Object Editor using one of the methods described in the previous sections.
2. In the console tree, right-click the site, domain, or organizational unit to which you want the newly created Group Policy Object to be linked. The Group Policy Object will be stored in the current domain (that is, the domain that contains the domain controller being used by Active Directory Users and Computers or Active Directory Sites and Services).
3. Click Properties and then click the Group Policy tab.
4. Click New, type a name for the Group Policy Object, and then click Close.

Note

Use common sense naming conventions for GPOs. It is not advisable, for example, to use the same name for two different GPOs. Using the same name for different GPOs does not cause Group Policy to function incorrectly, but it might be confusing.


Deleting a Group Policy Object

The newly created Group Policy Object is linked by default to the site, domain, or organizational unit that you select when you create the Group Policy Object, and its settings apply to that site, domain, or organizational unit. If you want to delete the Group Policy Object from that site, domain, or organizational unit, do the following:

1. Open Active Directory Users and Computers or Active Directory Sites and Services.
2. In the console tree, right-click the site or domain, or right-click any organizational unit in the domain.
3. Click Properties and then click the Group Policy tab.
4. To find all the Group Policy Objects that are stored in the domain, click Add to open the Add a Group Policy Object Link properties page.
5. Click the All tab, right-click the Group Policy Object that you want to delete, and then click Delete.
6. Click Yes, click Cancel, and then click Close.

Unlinking a Group Policy Object

You might want to preserve a Group Policy Object that you have created but that you no longer want to affect the domain, OU, or site on which you created it. In this case, unlinking or disabling the GPO is your best practice.

To unlink a Group Policy Object from a domain, OU, or site, follow these steps:

1. Open either Active Directory Users and Computers or Active Directory Sites and Services.
2. In the console tree, right-click the site, domain, or organizational unit from which you want to unlink the Group Policy Object. Unlinking prevents the Group Policy Object from affecting that site, domain, or organizational unit.
3. Click Properties and then click the Group Policy tab.
4. Click the Group Policy Object that you want to unlink and then click Delete.
5. In the Delete dialog box, click the Remove The Link From The List box, as shown in Figure 21.17. Next, click OK and then Close.

Figure 21.17. Unlinking a GPO.


Note

If you click the Remove The Link And Delete The Group Policy Object Permanently box in the Delete dialog box, all sites, domains, and organizational units to which the Group Policy Object is linked will no longer have those Group Policy settings applied to them, and the Group Policy Object itself will be deleted.


Disabling a Group Policy Object

When you disable a Group Policy Object link, the settings in the Group Policy Object no longer apply to users or computers in the site, domain, or organizational unit to which the Group Policy Object was linked; and they no longer apply to users and computers in child containers that inherit those Group Policy settings. However, you can easily reenable the policy at a later time.

To disable a Group Policy Object, perform the following steps:

1. Open Active Directory Users and Computers or Active Directory Sites and Services.
2. In the console tree, right-click the site, domain, or organizational unit to which the Group Policy Object is linked.
3. Click Properties and then click the Group Policy tab.
4. Right-click the Group Policy Object link that you want to disable, click Disabled on the context menu, and then click Yes. This switches the Disabled state to Active, and a check appears in the Disabled column.

Note

When you are working with Group Policy Objects, it is recommended that you disable unused parts of the object. Under User Configuration or Computer Configuration in the console tree, if a GPO contains only settings that are not configured, you can avoid processing these settings by disabling User Configuration or Computer Configuration. This expedites the startup and logon process for those users and computers that are subject to the policy.
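
The unlink, disable, and "disable unused parts" guidance above can be checked across a whole domain with a short report. The following PowerShell is an added example, not code from the book; it assumes the GroupPolicy module (installed with the Group Policy Management Console on later Windows versions than the one this chapter describes), and the function name Get-GpoHygieneReport is hypothetical. It only reads and reports; it changes no GPO.

```powershell
# Added example (not from the book). Needs the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

function Get-GpoHygieneReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml

        # <LinksTo> appears once per site, domain, or OU the GPO is linked to.
        $links    = @($report.GPO.LinksTo | Where-Object { $_ })
        $disabled = @($links | Where-Object { $_.Enabled -eq 'false' })

        # A section with no <ExtensionData> holds no configured settings.
        $userEmpty     = -not $report.GPO.User.ExtensionData
        $computerEmpty = -not $report.GPO.Computer.ExtensionData

        # Status that would skip processing of the empty section(s).
        $suggested = if ($userEmpty -and $computerEmpty) { 'AllSettingsDisabled' }
                     elseif ($userEmpty)     { 'UserSettingsDisabled' }
                     elseif ($computerEmpty) { 'ComputerSettingsDisabled' }
                     else                    { 'AllSettingsEnabled' }

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Links           = $links.Count
            DisabledLinks   = ($disabled | ForEach-Object { $_.SOMPath }) -join '; '
            Unlinked        = ($links.Count -eq 0)
            GpoStatus       = $gpo.GpoStatus
            SuggestedStatus = $suggested
        }
    }
}

# Show only GPOs that need attention: no links, a disabled link, or an
# enabled section that has nothing configured.
Get-GpoHygieneReport |
    Where-Object { $_.Unlinked -or $_.DisabledLinks -or "$($_.GpoStatus)" -ne $_.SuggestedStatus } |
    Format-Table -AutoSize
```

A GPO that was unlinked rather than deleted shows up with Unlinked set to True, which makes preserved but inactive policies easy to review before anyone relinks them.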





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
