The main purpose of the Group Policy Object Editor snap-in is the editing of a group policy object (GPO) stored locally on a computer or in Active Directory, and linked (in the second case) to an Active Directory container: a site, a domain, or an OU.
In Windows 2000, you should have a solid understanding of the difference between the Group Policy Object Editor snap-in and the Security Policy — Local, Domain Controller, or Domain — snap-ins. (These last three snap-ins are configured by default on every DC; the Local Security Policy snap-in is also configured on every client Windows 2000 system.)
The Group Policy Object Editor snap-in works with an entire GPO, and can be run from certain administrative snap-ins or from a custom MMC console. It contains both computer and user policies (the Computer Configuration and User Configuration nodes of a GPO).
The Security Policy snap-ins deal only with the Security Settings sub-node of the corresponding GPO, and can be run from the Start menu (the Administrative Tools submenu). These snap-ins allow you to configure computer policies only.
In Windows .NET, the Security Policy snap-ins are always configured to work with entire GPOs.
Do not forget about two other important snap-ins — Security Configuration and Analysis and Security Templates — that also help an administrator to deploy Active Directory security in an enterprise. Due to space limitations and other reasons, these snap-ins are not discussed in this book.
See Chapter 8, "Common Administrative Tasks," about refreshing your computer (machine) and/or user policies after editing a GPO's parameters.
A running Group Policy Object Editor snap-in is always linked to a GPO. Therefore, you need to learn two things: how to start the snap-in itself, and how to link it to a GPO.
There are three ways to start the Group Policy Object Editor snap-in:
From the Active Directory Users and Computers snap-in — select the domain or an OU, open the Properties window, and click the Group Policy tab (Fig. 7.35).
Fig. 7.35: A sample list of GPOs linked to a domain container
From the Active Directory Sites and Services snap-in — select a site, open the Properties window, and click the Group Policy tab.
From Microsoft Management Console (MMC) — start MMC (enter mmc in the Run window) or open a custom console, and add the Group Policy Object Editor snap-in. The Select Group Policy Object window allows you to link to the local GPO (default option) on the local computer (it is also possible to select another computer). An alternative option is to open the Browse for a Group Policy Object window (by clicking Browse) (see Fig. 7.36).
Fig. 7.36: In this window, you can see the entire structure of OUs in a domain as well as the GPOs linked to them
In the first two cases, you have three options:
Select an existing GPO (i.e., already linked) in the list and edit it by using the Group Policy Object Editor snap-in
Create a new GPO that will be linked to the selected container
Add (link) an existing GPO to the container
From an MMC console, you can only select an existing GPO.
Let us discuss the last case (use of MMC). If you click Add on the Group Policy tab, the Browse for a Group Policy Object window will open. An example of the default view of such a window is shown in Fig. 7.36. (You may click the circled icon and create a new GPO.)
As shown in Fig. 7.37, all GPOs that exist in a domain are listed in the All tab, so you can quickly find the necessary GPO.
Fig. 7.37: Use this tab to quickly find a GPO that you want to link to the current container
When the Group Policy Object Editor snap-in is opened or a custom MMC console is created, it is not possible to re-link the snap-in to another GPO.
You cannot change the DC with which the Group Policy Object Editor snap-in works (and, therefore, the DC used by the default Security Policy snap-ins; see "Selecting a Domain Controller" later in this chapter), and it is not possible to connect to a local GPO stored on another computer.
You can check which containers the selected GPO is currently linked to. In the Group Policy Object Editor snap-in's window, point to the root node in the tree pane and open the Properties window for the GPO. Click the Links tab (Fig. 7.38). Select an applicable domain and click Find Now. If the GPO is linked to other containers, you will see their names on the list in addition to the name of the current container.
Fig. 7.38: You can quickly verify whether the selected GPO is linked to other containers besides the current one
Due to possible security and administrative conflicts, it is not advisable to link GPOs stored in a domain to containers from another domain.
To create a GPO, it is sufficient to click New on the Group Policy tab in a container's Properties window (see Fig. 7.35), or to click the button in the Browse for a Group Policy Object window (see Fig. 7.36). Name the new GPO, and you may then begin editing it.
When you are going to delete a GPO, you have two options:
Remove the link from the list. When selecting this option, you break only the link between the selected GPO and the current container. The GPO remains intact, and you can use it later.
Remove the link and delete the Group Policy Object permanently. As the message indicates, this is a more decisive option, since you not only break the link, but entirely delete the GPO. (Remember that this GPO can be used by other containers!)
In Windows .NET-based domains, you are able to "link" a GPO to a specific property of a client computer. Let me explain this with the following example.
Suppose we want to assign some group policy setting (a GPO) to users (or computers) that work on Windows 2000 Professional systems only, and that GPO will in no way affect the other users (or computers). The following procedure will permit us to carry out this task:
Create a new GPO. (You can select an existing GPO. However, it would be better to use a new GPO and link it to a container only when all configuration operations are completed.)
Configure all necessary policies.
Open the GPO's Properties window and click the WMI Filter tab (Fig. 7.39).
Fig. 7.39: This tab allows you to select a WMI filter and link it to the GPO selected
Click This filter and Browse/Manage.
The Manage WMI Filters window will allow you to create, delete, and edit WMI filters as well as to perform other operations. To create a filter, click Advanced and New.
Fill in the Name and Description (optional) fields and enter a WMI query string in the Queries pane (Fig. 7.40). (See information on WMI in Chapter 17, "Scripting Administrative Tasks".) For our task, we shall use the following string:
Fig. 7.40: Managing WMI filters
SELECT * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows 2000 Professional"
Click Save and OK.
In the Properties window, click Apply and OK.
Link the GPO to a necessary container (domain, OU).
From the Manage WMI Filters window you can manipulate (edit, export, etc.) all WMI filters stored in the system. Many examples of WMI filters can be found in the Help and Support Center.
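The WMI filter above is only as good as the query string: Group Policy treats a filter as "passes" when the query returns at least one instance, and as "does not apply" when it returns nothing or fails (for example because the class name is misspelled), so a wrong query makes the GPO silently never apply. The following PowerShell function is an added example, not code from the book, that evaluates a filter query on the local machine the same way and shows what the machine would be compared against; it assumes PowerShell 3.0 or later (Get-CimInstance) and the book's sample query.

```powershell
# Added example (not from the book): evaluate a WMI filter query the way the
# Group Policy client does - the filter "passes" when at least one instance
# comes back. Assumes PowerShell 3.0 or later for Get-CimInstance.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2'   # default namespace of a WMI filter
    )
    try {
        $result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
        # True when the query returned at least one row (the GPO would apply here)
        return ([array]$result).Count -gt 0
    } catch {
        # A malformed query or an unknown class throws; the GP client then treats
        # the filter as false, so the GPO is skipped without any visible error.
        Write-Warning "Filter query failed: $($_.Exception.Message)"
        return $false
    }
}

# What the local machine exposes for the properties a filter typically tests
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType   # ProductType 1 = workstation, 2 = DC, 3 = server

# The book's filter (class name spelled correctly) evaluated on this machine
$byCaption = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows 2000 Professional"'
Test-GpoWmiFilter -Query $byCaption

# The same filter with a misspelled class name: fails, so the GPO would never apply
Test-GpoWmiFilter -Query 'SELECT * FROM Win32_OperationSystem WHERE Caption = "Microsoft Windows 2000 Professional"'
```

Run this on a machine of the kind the filter is meant to match before linking the GPO. Two caveats worth keeping in mind: Caption strings differ by edition and language, so a version-number test is often more robust than a caption test; and Windows 2000 clients do not evaluate WMI filters at all and apply a filtered GPO unconditionally, so a filter only restricts Windows XP and later clients.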
A Group Policy Object Editor snap-in is always targeted to a specific — "preferred" — domain controller. (Notice the This list obtained from … line in Fig. 7.35. By default, all Group Policy Object Editor snap-ins started on computers that belong to the sample domain net.dom will select the same DC.) There are some rules that define this behavior of the snap-in. To verify or change the default settings of a Group Policy Object Editor snap-in, point to the root node in the tree pane and click View | DC Options in the context menu. You can select one of the options shown in Fig. 7.41. (This selection may be overridden by a group policy; see later.)
Fig. 7.41: These options determine which DC the Group Policy Object Editor snap-in selects at its startup
Only the second option needs comment. You can start the Group Policy Object Editor snap-in from either the Active Directory Users and Computers or the Active Directory Sites and Services snap-in, which is targeted to a DC (any DC in the forest) at that moment. If you select the second option, the Group Policy Object Editor snap-in will obtain the group policy settings from the GPO stored on that DC.
The selected option is saved and used when the snap-in runs the next time.
In Windows 2000, you cannot define the "preferred" DC for the Security Policy snap-ins.
If the selected DC is not accessible at the snap-in's startup, an error will be reported. Verify the setting (and the policy if defined), and select another option if necessary.
A window similar to the one shown in Fig. 7.41 will appear when you start the Group Policy Object Editor snap-in from an administrative snap-in and the PDC Emulator is not accessible at the moment. In that case, you can select any option except the first one and obtain the GPO from another DC.
Because DNS is used for locating the DC that holds the GPO, errors at the Group Policy Object Editor snap-in's startup are very often related to a malfunctioning DNS. Therefore, always verify the DNS configuration when you encounter such errors. Remember that DNS is a dynamic system, and the registered records periodically expire.
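The DNS records involved are the SRV records that DCs register under _msdcs: _ldap._tcp.pdc._msdcs.<domain> names the PDC Emulator (the editor's default target) and _ldap._tcp.dc._msdcs.<domain> lists every DC (what the "any available domain controller" option falls back to). The function below is an added example, not from the book, that resolves both records and checks that each named DC actually answers on its LDAP port, which separates a stale DNS record from a DC that is simply down. It assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later) and uses the book's sample domain net.dom as input.

```powershell
# Added example (not from the book): verify the DNS records and LDAP reachability
# the Group Policy Object Editor depends on at startup. Assumes Resolve-DnsName and
# Test-NetConnection (Windows 8 / Server 2012 or later).
function Test-GpoDomainController {
    param([Parameter(Mandatory)] [string] $Domain)   # e.g. 'net.dom', the book's sample domain

    $report = [ordered]@{}
    # 'pdc' = the PDC Emulator (default editor target); 'dc' = every DC in the domain
    foreach ($role in 'pdc', 'dc') {
        $name = "_ldap._tcp.$role._msdcs.$Domain"
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # No record at all: the editor cannot even find a DC to ask
            $report[$name] = "DNS lookup failed: $($_.Exception.Message)"
            continue
        }
        foreach ($rec in $srv) {
            # A record that resolves but whose host does not answer is the classic
            # stale-DNS case: the DC "exists" in DNS but cannot be reached.
            $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port `
                                      -WarningAction SilentlyContinue
            $key = "$name -> $($rec.NameTarget):$($rec.Port)"
            $report[$key] = if ($tcp.TcpTestSucceeded) { 'LDAP reachable' } else { 'LDAP NOT reachable' }
        }
    }
    return $report
}

Test-GpoDomainController -Domain 'net.dom'
```

On Windows 2000 itself the same records can be checked with nslookup (nslookup -type=SRV _ldap._tcp.pdc._msdcs.net.dom); if the PDC record is missing or points at a host that no longer answers, re-registering the DC's records (or fixing dynamic update on the zone) is the first thing to try.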
There is a group policy that allows an administrator to define the strategy of selecting a "preferred" DC. Open the Default Domain Policy GPO (or other applicable GPO) and select the User Configuration | Administrative Templates | System | Group Policy node. Double-click the Group Policy domain controller selection policy. Click Enabled and select one of the following options:
Use the Primary Domain Controller
Inherit from the Active Directory Snap-ins
Use any available domain controller
If this policy is disabled or not configured, the Group Policy Object Editor snap-in will always select the PDC Operations Master (PDC Emulator) for the domain. When defined, the policy overrides the option selected in the Group Policy Object Editor snap-in.
For how to run the Group Policy Object Editor snap-in from the command prompt, see the "Running GPO Editor" section in the next chapter.
In Windows .NET, the user interface of the Group Policy Object Editor snap-in has been enhanced. As you can see in Fig. 7.42, all nodes (primarily, the Administrative Templates) comprise two tabs — Extended and Standard. If you select a policy on the Extended tab, you can view the policy's description and OS requirements. This information is a good substitute for many pages of documentation and makes it considerably simpler to learn a policy's purpose and to select the proper policy. In Windows 2000, the policy description is only available on the Explain tab in the policy's Properties window.
Fig. 7.42: The main window of the new version of the Group Policy Object Editor snap-in
There are some common recommendations and tips for using and configuring GPOs. Let us discuss them.
Disable unused settings in a GPO. This improves performance when a computer or user is logged onto the domain. Open the Properties window of the GPO (see Fig. 7.38 where the Links tab of this window is shown) and click the General tab. Check the appropriate box: Disable Computer Configuration settings or Disable User Configuration settings. When both boxes are checked, the GPO is still linked to the container, but does not affect it.
In Windows 2000, for the Administrative Templates nodes, you can set the Show Configured Policies Only flag (point to a node and set the flag in the View menu). This prevents you from viewing not-configured policies. This flag is set for the Computer Configuration and User Configuration nodes separately.
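The Links tab and the General tab described above show one GPO at a time. The following PowerShell function is an added example, not code from the book, that produces the same information for every GPO in the domain at once: where each GPO is linked, whether it carries a WMI filter, and whether it is linked but has both configuration halves disabled (or all its links disabled), in which case it takes effect nowhere. It assumes the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later); these cmdlets do not exist on Windows 2000 or .NET Server. Site links live in the forest configuration partition and are not covered.

```powershell
# Added example (not from the book): domain-wide report of GPO links and status.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT, Server 2008 R2+).
function Get-GpoLinkReport {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    # Every container in the domain a GPO can be linked to: the domain root and all OUs
    $containers = @($SearchBase) + @(
        Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName)

    # GPO GUID -> list of links (the Links tab, collected for all GPOs at once)
    $links = @{}
    foreach ($dn in $containers) {
        foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks) {
            if (-not $links.ContainsKey($link.GpoId)) { $links[$link.GpoId] = @() }
            $links[$link.GpoId] += [pscustomobject]@{
                Container = $dn
                Enabled   = $link.Enabled    # the link itself can be disabled
                Enforced  = $link.Enforced
            }
        }
    }

    foreach ($gpo in Get-GPO -All) {
        $where = $links[$gpo.Id]
        if ($null -eq $where) {
            $finding = 'Not linked anywhere (candidate for cleanup)'
        } elseif ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
            # Both General-tab boxes checked: linked, but affects nothing
            $finding = 'Linked, but Computer and User settings both disabled: no effect'
        } elseif (@($where.Enabled) -notcontains $true) {
            $finding = 'All links disabled: no effect'
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            Status    = $gpo.GpoStatus     # AllSettingsEnabled, UserSettingsDisabled, ...
            WmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
            Links     = (@($where) | ForEach-Object { $_.Container }) -join '; '
            Finding   = $finding
        }
    }
}

Get-GpoLinkReport | Format-Table -AutoSize -Wrap
```

A GPO reported as "no effect" is exactly the state the General tab produces when both boxes are checked; the report makes it visible without opening each GPO, and the "Not linked anywhere" rows are the ones the permanent-delete option described earlier is safe to apply to, since no container depends on them.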
In Windows .NET, the policy filtration feature is much more powerful (see Fig. 7.43). To open this window, point to an Administrative Templates node and select Filtering on the View menu.
Fig. 7.43: Filtering group policies in Windows .NET (default settings)
If your system was upgraded from Windows NT 4.0 and/or you use older ADM files, pay attention to the value of the Show Policies Only flag in the View menu for the Administrative Templates nodes. When set, this flag prevents Windows NT 4.0-style system policy settings from applying to Windows 2000/XP/.NET systems.
In Windows 2000, this snap-in is called Group Policy.