Implementing Group Policy Objects in a Domain


Although being able to configure a single machine via Group Policy is helpful, the real power comes when you're able to create a single GPO and apply the settings in it to hundreds or even thousands of machines! Just imagine the savings in time and expense because you don't have to have a human touch all those machines.

However, with all this power comes great responsibility. For example, although it would be nice to be able to give every user and computer in your organization the same settings, that's really not practical for most environments. In most situations, different users have different needs and different skill levels. Although a locked-down limited-use desktop might be fine for the mail room, that's probably not going to work for the folks in the software development lab.

When you first set up an Active Directory domain, two default GPOs are created: one that is linked to the domain itself, and therefore affects all users and computers within the domain; and one that is linked to the Domain Controllers OU, which affects all domain controllers within a domain.

Let's expand on Step by Step 9.2 and rename the Guest account, this time at the domain level.

Note: Group Policy

Perform the following exercise using both your domain controller and your member server or workstation.


To rename the Guest account using a GPO, follow the procedure in Step by Step 9.3.

Step by Step

9.3 Creating a GPO

1. On your domain controller, select Start, All Programs, Administrative Tools, Active Directory Users and Computers.

2. In the left pane, right-click the domain name and select Properties from the pop-up menu. This opens the domain Properties dialog box, as shown in Figure 9.6.

Figure 9.6. The Group Policy tab, showing the available options.

3. Click the New button; this adds an entry to the dialog box. Name it Rename Guest Account.

4. Highlight the new entry and click the Edit button. This opens the Group Policy Object Editor with our GPO as the focus.

5. From the Group Policy Object Editor console, click Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.

6. The Security Options folder opens, displaying the definable security options.

7. Double-click the Rename Guest Account entry. The Properties dialog box appears.

8. Select the Define this policy setting check box, and then type in an appropriate name for the Guest account, different from the one you selected for the Local Policy exercise, and click OK.

9. Close the Group Policy Object Editor MMC.

10. Close the domain properties dialog box.

11. Go to your member server or workstation, open a command window, and enter the following command: GPUpdate.

12. Close the command window.

13. Select Start, All Programs, Administrative Tools, Computer Management.

14. In the Computer Management console, click System Tools, Local Users and Groups, Users.

15. The renamed account will be displayed in the right pane, as shown in Figure 9.7.

Figure 9.7. Using a GPO to rename the Guest account for the domain.


This exercise demonstrated several things about GPOs. The first is that the procedure to create a domain GPO is similar to that of a Local Policy. However, as you may have noticed, the domain GPOs have a lot more settings available. The other point is that the Local Policy was overwritten by the domain GPO. In addition, because we added the new GPO at the domain level, every machine in the domain, and any machines that are added in the future, will have the Guest account renamed.
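The check in steps 11 through 15 can also be scripted. The PowerShell below is an added example, not part of the book's text: it refreshes computer policy and then finds the Guest account by its relative identifier (501), which a rename does not change. It assumes PowerShell has been installed on the member server or workstation, and the expected name is a placeholder for whatever was typed in step 8.

```powershell
# Added example (not from the book): verify the domain GPO renamed Guest.
# Run on the member server or workstation, not the domain controller.
param(
    # Placeholder: the name entered in step 8 of Step by Step 9.3.
    [string]$ExpectedName = 'PLACEHOLDER-NewGuestName'
)

# Step 11: refresh computer policy so the new GPO is applied now.
gpupdate /target:computer | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate returned exit code $LASTEXITCODE"
}

# Steps 13-15: list local accounts, but match on the SID instead of the name.
# The built-in Guest account keeps relative identifier 501 after a rename.
$guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }

if (-not $guest) {
    Write-Error 'No local account with RID 501 was found on this machine.'
    exit 2
}

"Account name : $($guest.Name)"
"SID          : $($guest.SID)"
"Disabled     : $($guest.Disabled)"

if ($guest.Name -eq $ExpectedName) {
    'Result       : domain GPO setting is in effect'
    exit 0
}
elseif ($guest.Name -eq 'Guest') {
    'Result       : account still has its default name; policy not applied yet'
    exit 1
}
else {
    "Result       : renamed, but not to '$ExpectedName' (Local Policy or another GPO may be setting it)"
    exit 1
}
```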




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
