Although being able to configure a single machine via Group Policy is helpful, the real power comes when you're able to create a single GPO and apply the settings in it to hundreds or even thousands of machines! Just imagine the savings in time and expense because you don't have to have a human touch all those machines. However, with all this power comes great responsibility. For example, although it would be nice to be able to give every user and computer in your organization the same settings, that's really not practical for most environments. In most situations, different users have different needsand different skill levels. Although a locked-down limited-use desktop might be fine for the mail room, that's probably not going to work for the folks in the software development lab. When you first set up an Active Directory domain, two default GPOs are created: one that is linked to the domain itself, and therefore affects all users and computers within the domain; and one that is linked to the Domain Controllers OU, which affects all domain controllers within a domain. Let's expand on Step by Step 9.2 and rename the Guest account, this time at the domain level. Note: Group Policy Perform the following exercise using both your domain controller and your member server or workstation. To rename the Guest account using a GPO, follow the procedure in Step by Step 9.3.
This exercise demonstrated several things about GPOs. The first is that the procedure to create a domain GPO is similar to that of a Local Policy. However, as you may have noticed, the domain GPOs have a lot more settings available. The other point is that the Local Policy was overwritten by the domain GPO. In addition, because we added the new GPO at the domain level, every machine in the domain, and any machines that are added in the future, will have the Guest account renamed. |