Common Procedures with the GPMC

In the last chapter, we created and linked some GPOs, which we can see in the Group Policy Objects container, to see how, at each level, we were affecting our users. In this section, we'll continue by working with some of the more advanced options for applying, manipulating, and using Group Policy.

Clicking either a GPO itself, or a link, lets you get more information about what they do. For now, feel free to click around, but I suggest that you don't change anything until we get to the specific examples.

Various tabs are available to you once you click the GPO itself or a link. Let's take a look at them now.

The Scope Tab

Clicking a GPO, or a GPO link, opens the Scope tab. The Scope tab gives you an at-a-glance view of where and when the GPO will apply. We'll examine the Scope tab in the sections "Deleting and Unlinking Group Policy Objects" and "Filtering Group Policy Objects" in this chapter, and "WMI Filters" in Chapter 10. For now, you can see that the "Hide Settings Tab/Restore Screen Saver Tab" GPO is linked to the Human Resources Users OU. But you already knew that.

The Details Tab

The Details tab contains information describing who created the GPO (the owner), the status (Enabled, Disabled, or Partially Disabled), and some nuts-and-bolts information about its underlying representation in Active Directory (the GUID). We'll examine the Details tab in the sections "Disabling Half (or Both Halves) of the Group Policy Object" and "Understanding GPMC's Link Warning" in this chapter and in Chapter 4.

Warning 

Should you change the GPO status here, say, by disabling the User Configuration of the policy, you'll be affecting all other levels in Active Directory that might be using this GPO by linking to it. See the section "Understanding the GPMC's 'Link' Warning" as well as the sidebar "On GPO Links and GPOs Themselves" a bit later in the chapter.

The Settings Tab

The Settings tab gives you an at-a-glance view of what's been set inside the GPO. In our example, you can see the Enabled and Disabled status of the two policy settings we manipulated. You can click Hide (or Show) to contract and expand all the configured policy settings:

  • Clicking Hide at any level tightens that level. You can expose more information by clicking the inverse of Hide when available, which is Show.

  • Clicking the actual policy setting name, for example, Hide Settings tab, displays the help text for the policy setting. This can be useful if someone set up a GPO with a kooky name, and you want to know what it's supposed to do.

  • If you want to change a setting, you can right-click the settings area and select Edit. The familiar Group Policy Object Editor will appear. Note, however, that the Group Policy Object Editor will not "snap to" the policy setting you want to edit. The editor always starts off at the root.

  • Additionally, at any time, you can right-click over this report and select "Save Report," which does just that. It creates an HTML report that you can then email to fellow administrators or the boss, etc. This is a super way of documenting your Group Policy environment instead of writing down everything by hand.

If you chose to load the GPMC on a Windows 2003 machine, you may run into an initial problem when clicking the Settings tab. That is, certain aspects of the GPMC, such as the Settings tab, tap into Internet Explorer. Since Internet Explorer is locked down on a Windows 2003 machine, you will have limited access to the whole picture. If you're presented with a warning box, simply add security_mmc.exe as a trusted website. This should make your problems go away. You can also turn off "Internet Explorer Enhanced Security Configuration" in Windows 2003 in Add/Remove Programs. This is recommended in test labs, but not really recommended on production servers.

Warning 

You can also edit the settings by clicking the GPO or any GPO link for that object and choosing Edit. However, you always affect all containers (sites, domains, or OUs) to which the GPO is linked. It's one and the same object, regardless of the way you edit it. See the sidebar "On GPO Links and GPOs Themselves" a bit later in the chapter to get the full gist of this.

The Delegation Tab

The Delegation tab lets you set the security for who can do what with GPOs, their links, and their properties. You'll find the Delegation tab in a lot of places, and at each location, it enables you to do something different:

  • Clicking a GPO link or clicking a GPO in the Group Policy Objects container

  • Clicking a site

  • Clicking a domain

  • Clicking an OU

  • Clicking the "WMI Filters" node

  • Clicking a WMI filter itself

I'll discuss what each instance of this tab does a bit later in the "Advanced Security and Delegation with the GPMC" section.

Note 

WMI, which stands for Windows Management Instrumentation, is discussed in Chapter 10.

Minimizing the View with Policy Setting Filtering

Imagine you were just given the task to prevent all your Windows XP desktops from using the Internet Connection Firewall component. Where do you start to look for that policy setting?

Sometimes, you just don't know where to start clicking inside the Group Policy Object Editor. You could be in the editor for a variety of reasons. Perhaps you want to locate a new policy setting to enable. With more than 700 possible settings in Windows 2003 (and 1200 in Windows XP / Service Pack 2), finding the specific policy setting you want can sometimes be a challenge.

To that end, the updated Group Policy Object Editor has a new way to filter the view. The good news is that this feature is very powerful. The bad news is that this feature works only while browsing the Administrative Templates branch.

While in the Group Policy Object Editor, to examine the filtering option, choose either User Configuration → Administrative Templates or Computer Configuration → Administrative Templates. Then, choose View → Filtering to display what's in Figure 2.1, which is described in the following sections.

Figure 2.1: The Windows 2003 Group Policy Object Editor allows for filtering of the Administrative Templates branch.
Note 

The Filter settings are independent on each of the User and Computer nodes.

The "Only Show Configured Policy Settings" Setting

If you want to modify an existing policy setting, you needn't click every branch in one of the Administrative Templates folders in order to hunt-and-peck. Once the "Only show configured policy settings" option, as seen in Figure 2.1, is selected, you will see only policy settings that have been enabled or disabled within either User Configuration → Administrative Templates or Computer Configuration → Administrative Templates.

By default, the "Only show configured policy settings" check box is not checked, and therefore you can see policy settings that are enabled, disabled, and not configured. The "Only show configured policy settings" check box is independent for both the Computer and User node settings. Additionally, when you close the editor, the check box is always reset.

Policy Setting Filtering Based on Operating System and Service Pack

As you learned in the Introduction, policy settings are specific to the operating system. For instance, a Windows XP policy setting such as Turn off creation of System Restore Checkpoints makes no sense to a Windows 2000 machine. This is because Windows 2000 doesn't have the System Restore feature.

There are times when you want to search for policy settings specific to the computers you want to target. Simply click the "Filter by Requirements information" check box as seen in Figure 2.1, and then proceed to check the items on which you want to filter.

You have a huge variety of criteria to choose from, including operating system, service pack, and even unique items such as Internet Explorer level and Windows Media Player.

Tip 

If the description of the filter is too long to read, simply hover the mouse over the description (don't click) to display the entire description in a floating Tool-Tip style window.

Using the "Only Show Policy Settings that can be Fully Managed" Option

As we'll explore in Chapter 5, you can actually use old-style "legacy" NT 4 ADM templates inside the Group Policy Object Editor. Normally, they are "bad" because they don't modify the "correct" portion of the Registry. In general, this is highly undesirable because most NT 4 templates don't act like Group Policy. NT 4-style ADM preferences usually permanently "tattoo" the target machine until the settings are explicitly removed. For more on the distinction between policies and preferences with respect to Group Policy settings, see the "Policies vs. Preferences" section in Chapter 5, "Windows ADM Templates."

This check box is checked by default, as seen in Figure 2.1. This gives a gentle persuasion to avoid the importation of old NT 4 ADM templates.

Tip 

You can wisely keep this check box permanently checked by using the "Enforce Show Policies Only" policy setting as described in Chapter 3, in the "Using Group Policy to Affect Group Policy" section.

Locating Specific Policy Settings

I get tons of emails that ask the following question: "Jeremy, do you know if there's a policy setting that does <insert crazy thing here>?" My typical answer is, "I don't know. I'll have to look it up." Then I do. That's because there are more than 1600 policy settings, each contained within some nook or cranny.

To that end, you can (hopefully) hunt down your own policy setting that does what you want in several ways.

GP.CHM

GP.CHM is part of the Windows 2000 Resource Kit. It's a .CHM file, which means it's a compiled HTML file, and that basically means it's a help file like other help files. The good news is that it mirrors the hierarchy of the Windows 2000 Group Policy Object Editor. That is, it has both user and computer nodes and then all the levels of Group Policy nooks and crannies underneath in a beautiful hierarchical manner. Best of all, you can search within the text file for the policy setting's help text and get what you want. The bad news is that it's getting kind of old. Many policy settings have been renamed since Windows 2000, but GP.CHM is still useful.

hh <admtemplate>.chm

This one is most easily explained if you just go ahead and try it. Open a command prompt on your Windows 2003 machine and type hh system.chm or hh inetres.chm or hh <name_of_any_other_adm_template>.chm, and out pops a searchable help file with the stuff contained within the corresponding ADM file. Keen!

hh SPOLSCONCEPTS.CHM

This .CHM file is built into Windows XP and Windows 2003 Server. To open it, choose Start → Run to open the Run dialog box and then enter hh spolsconcepts.chm in the Open box. You'll then see another help file that discusses only the security-related settings, such as the meaning of each of the User Rights Assignments, what each of the Audit Policies is, and all the Security Options. This is truly a nice built-in resource.

PolicySettings.XLS

If you want a definitive list of all policy settings that can affect both Windows 2000 and Windows 2003 Server machines, you can download a spreadsheet from Microsoft or from my web site at www.GPanswers.com. Note, however, that Microsoft's spreadsheet doesn't go into much detail beyond the "Explain Text" for each policy setting. But they're all there and searchable, and you can sort by which operating systems will embrace which policy settings. It's quite good. Also, if you've got an older version, you should note that these are always updated whenever a service pack comes out. And, starting with Windows XP/SP2, they've started to document some of the "Security Settings" as well, which is a nice touch.


Raising or Lowering the Precedence of Multiple Group Policy Objects

You already know the "flow" of Group Policy is inherited from the site level, the domain level, and then from each nested OU level. But, additionally, within each level, say at the Temporary Office Help OU, multiple GPOs are processed in a ranking precedence order. Lower-ranking GPOs (those with the higher link-order numbers) are processed first, and then the higher-ranking GPOs are processed.

In Figure 2.2, you can see that some administrator has linked two GPOs to the Temporary Office Help OU. One GPO is named "Enforce 50MB Disk Quotas," and another is named "Enforce 40MB Disk Quotas."

If the policy settings inside these GPOs both adjust the disk quota settings, which one will "win"? Client computers will process these two GPOs from lowest precedence (the highest link-order number) to highest precedence (link order 1). Therefore, the "Enforce 40MB Disk Quotas" GPO (with link order 2) is processed before "Enforce 50MB Disk Quotas" (link order 1). Hence, the GPO with the policy settings to dictate 50MB disk quotas will "win."

So, if two (or more) GPOs within the same level contain values for the same policy setting (or policy settings), the GPOs will be processed from the highest link-order number down to link order 1. Each consecutively processed GPO overlays (and perhaps overwrites) overlapping policy settings. This could happen where one GPO had a specific policy setting enabled and another GPO at the same level had the same policy setting disabled.

Figure 2.2: You can link multiple GPOs at the same level.

Changing the order of the processing of multiple GPOs at a specific level is an easy task. For instance, suppose you want to change the order of the processing such that the "Enforce 40MB Disk Quotas" GPO is processed after the "Enforce 50MB Disk Quotas" GPO. Simply click the GPO you want to process last, and click the down arrow icon. Similarly, if you have additional GPOs that you want to process first, click the GPO and click the up arrow icon. The double arrow icons will put the highlighted GPO either first or last in the link order, depending on the icon you click.

Again, the last applied GPO "wins." So the GPO with a link order of 1 is always applied last and, hence, has the "final" say at that level. This is always true unless the "Enforced" flag is used (as discussed later).

Understanding GPMC's Link Warning

In the previous chapter, I pointed out that any time you click a GPO link, you get the informational (or perhaps it's more of a warning) message shown in Figure 2.3.

Figure 2.3: You get this message any time you click the icon for a link.

This message is trying to convey an important sentiment: no man is an island, and neither is a Group Policy Object. Just because you created a GPO and it is seen swimming in the Group Policy Objects container doesn't mean you're the only one who is using it.

As we work through examples in this chapter, we'll manipulate various characteristics of GPOs and links to GPOs. If we manipulate any characteristics of a GPO we're about to play with, such as the following:

  • The underlying policy settings themselves

  • The security filtering (on the Scope tab)

  • The WMI filtering (on the Scope tab)

  • The GPO status (on the Details) tab

  • The delegation (on the Delegation tab)

all other levels in Active Directory that also link to this GPO will be affected by our changes.

This is sometimes a tough concept to remember, so it's good to see it here again. You can choose to squelch the tip if you like. Just don't forget its advice.

Tip 

The difference between the GPO itself and the links you can create can be confusing. Be sure to check out the sidebar "On GPO Links and GPOs Themselves," a bit later in the chapter.

You can see this principle in action if you like by locating the "Prohibit new Tasks in Task Scheduler" GPO. In either the link upon the Human Resources Computers OU or the object itself in the Group Policy Objects container, go to the Details tab and change the GPO status to some other setting. Then, go to the link or the actual GPO, and see that your changes are reflected. You can even create a new OU, link the GPO, and see that the change is still there. This is because you're manipulating the actual GPO, not the link. If you choose to squelch the message, you can get it back by choosing View → Options → General and selecting "Show confirmation dialog to distinguish between GPOs and GPO links."

Stopping Group Policy Objects from Applying

After you create your hierarchy of Group Policy that applies to your users and computers, you might occasionally want to temporarily halt the processing of a GPO, usually because some user is complaining that something is wrong. You can prevent a specific GPO from processing at a level in Active Directory via several methods, as explained in the following sections.

Disabling the "Link Enabled" Status

Remember that all GPOs are contained in the Group Policy Objects container. To use them at a level in Active Directory (site, domain, or OU), you link back to the GPO. So, the quickest way to prevent a GPO's contents from applying is to remove its "Link Enabled" status. If you right-click a GPO link at a level, you can immediately see its "Link Enabled" status, as shown in Figure 2.4.

Figure 2.4: You can choose to enable or disable a GPO link.

To prevent this GPO from applying to the Human Resources Users OU, simply click "Link Enabled" to remove the check mark. This will leave the link within the OU back to the GPO, but disable the link, rendering it innocuous. The icon to the left of the name of the GPO will change to a scroll with the link arrow dimmed. You'll see a zoomed-in picture of this later in the "GPMC At-a-Glance Icon View" section.

Disabling "Half" (or Both Halves) of the Group Policy Object

The second way to disable a specific GPO is by disabling just one-half of a Group Policy Object. You can disable either the user half or the computer half. Or, you can optionally disable the entire GPO.

You might be wondering why you might want to disable only half of a GPO. On the one hand, disabling a GPO (or half of a GPO) actually makes startup and logon times a teeny-weeny bit faster for the computer or user, because each GPO you add to the system adds a smidgen of extra processing, either for the user or the computer. Once you disable the unused portion of the GPO, you've shaved that processing time off the startup or logon time. Microsoft calls this "modifying Group Policy for performance."

Don't go bananas disabling your unused half of GPO just to save a few cycles of processing time. Trust me, it's just not worth the headaches figuring out later where you did and did not disable a half of a policy.

So, disabling half of the GPO makes troubleshooting and usage quite a bit harder, as you might just plumb forget you've disabled half the GPO. Then, down the road, when you modify the disabled half of the policy for some future setting, it won't take effect on your clients ! You'll end up pulling your hair out wondering why, once things should change, they just don't!

Why Totally Disable a Group Policy Object?

One good reason to disable a specific GPO is if you want to manually "join" several GPOs together into one larger GPO. In the previous example, we might want to make sure each policy is working as expected. Then, once we're comfortable with the reaction, we can re-create the policy settings from multiple GPOs into another new GPO and disable the old individual GPOs. If there are signs of trouble with the new policy, you can always just disable (or delete) the large GPO and reenable the individual GPOs to get right back to where you started.

You might also want to immediately disable a new GPO even before you start to edit it. Imagine that you've chosen "Create and link a new GPO here" for, say, an OU. Then, imagine you have lots of policy settings you want to make in this new GPO. Remember that each setting is immediately written inside the Group Policy Object Editor, and computers are continually requesting changes when their background refresh interval triggers. The affected users or computers might hit their background refresh cycle and start accepting the changes before you've finished writing all your changes to the GPO! Therefore, if you disable the GPO before you edit and reenable the GPO after you edit, you can ensure that your users are getting all the newly changed settings at once.

This tip works best only when creating new GPOs; if you disable the GPO after creation, there's an equally likely chance that critical settings will be removed while the GPO is disabled when clients request a Background Refresh. We'll discuss the ins and outs of Background Refresh in Chapter 3.


To disable an unused half of a GPO, follow these steps:

  1. Select the GPO you want to modify. In this case, select "Prohibit new Tasks in Task Scheduler," and select the Details tab in the right pane of the GPMC.

  2. Since the policy settings within the "Prohibit new Tasks in Task Scheduler" GPO modify only the Computer node, it is safe to disable the User node. Select the "User configuration settings disabled" drop-down box, as shown in Figure 2.5.

  3. You will be prompted to confirm the status change. Choose to do so.

Figure 2.5: You can disable half the GPO to make Group Policy process a weeee bit faster.

Here are some additional items to remember regarding disabling portions of a GPO:

  • It is possible to disable the entire GPO (both halves) by selecting the GPO, clicking the Options button, and selecting the "All Settings Disabled" option. If you select "All Settings Disabled," the scroll icon next to the name of the GPO "dims" a bit to show that there is no way it can affect any targets. You'll see a zoomed-in picture of this later in the "GPMC At-a-Glance Icon View" section.

  • As I stated in the "Understanding the GPMC's Link Warning" section, changing the "GPO Status" entry (found on the Details tab) will affect all links to this GPO at any level, anywhere in Active Directory! You cannot just change the GPO status for the instance of this link; this affects all links to this GPO! The only good news here is that only the person who created the GPO itself can manipulate this setting. To get the full thrust of this, be sure to read the "On GPO Links and GPOs Themselves" sidebar a bit later in this chapter.

  • The GPMC does not have any indication, other than this "GPO status," that the link has been fully or half-disabled. However, the old-school interface in Windows 2003 will alert you to a GPO that is "half disabled." You'll see a yellow triangle warning icon next to the name of the GPO.

Deleting and Unlinking Group Policy Objects

As you just saw, you can prevent a GPO from processing at a level by merely removing its "Link Enabled" status. However, you can also choose to remove the link entirely. For instance, you might want to return the normal behavior of the Task Scheduler to the affected client computers. You have two options:

  • Delete the link to the GPO

  • Delete the GPO itself

Deleting the Link to the Group Policy Object

When you right-click the GPO link of "Prohibit new Tasks in Task Scheduler" in the Human Resources Computers OU, you can choose Delete. When you do, the GPMC will confirm your request and remind you of an important fact, as shown in Figure 2.6.

Figure 2.6: You can delete a link (as opposed to deleting the GPO itself).

Recall that the GPO itself doesn't "live" at a level in Active Directory; it really lives in a special container in Active Directory (and can be seen via the Group Policy Objects Container in the GPMC). We're just working with a link to the real GPO. And, in Chapter 4, you'll see where this folder relates directly within Active Directory itself.

When you choose to delete a GPO link, you are simply choosing to stop using it at the level it was created, but keep the GPO itself alive in the representation of the swimming pool, the Group Policy Objects container. This leaves other administrators at other levels free to continue to link to that GPO if they want.

Truly Deleting the Group Policy Object Itself

You can choose to delete the GPO altogether, lock, stock, and barrel. The only way to delete the GPO itself is to drill down through Group Policy Management → Domains → Corp.com, locate the GPO in the Group Policy Objects container, and delete it. It's like plucking a child directly from the swimming pool. Before you do, you'll get a warning message as shown in Figure 2.7.

Figure 2.7: Here, you're actually deleting the GPO itself.

This will actually remove the bits on the Domain Controller and obliterate it from the system. No other administrators can then link to this GPO.

Warning 

Once it's gone, it's gone (unless you have a backup).

If you delete the GPO altogether, there's only one problem. There is no indication sent to the folks who are linking to this GPO that you've just deleted it. The idea is simple: you might be done with the "Prohibit new Tasks in Task Scheduler" GPO and don't need it anymore to link to your locations in Active Directory. But what about other administrators? In this case, while I was out to lunch, Freddie, the administrator for the Temporary Office Help OU, has already chosen to link the "Prohibit new Tasks in Task Scheduler" GPO to his OU, as shown in Figure 2.8.

Figure 2.8: The "Prohibit Tasks in Task Scheduler" GPO (lowest circle) is linked at both the Temporary Office Help OU (middle circle) and this Human Resources Computers OU (topmost circle).

What if I had deleted the "Prohibit new Tasks in Task Scheduler" GPO? I'm pretty sure I would have received an angry phone call from Freddie. Or, maybe not, if Freddie didn't know who created (and owned) the GPO.

Since we only have a handful of OUs, this link back to the GPO was easy to find. However, once you start getting lots of OUs, locating additional links back to a GPO will become much harder. Thankfully, the GPMC shows you if anyone else is linked to a GPO you're about to delete. I call this ability "Look before you leap." You can just look in the Scope tab under the Links heading as indicated in Figure 2.8 by the mouse pointer. There you can see that both the Temporary Office Help OU and the Human Resources Computers OU are utilizing the GPO named "Prohibit new Tasks in Task Scheduler."

If you're confident that you can still continue, you can delete the GPO contained within the Group Policy Objects container. However, for now, let's leave this GPO in place for use in future examples in the book.

Warning 

The Scope tab shows you the links to the GPOs from your own domain. It is possible for other domains to choose to use your GPOs and link to them. When you delete a GPO forever, you're deleting the ability for other domains to use that GPO as well. So, before you really delete the GPO forever, click "Display links in this location" to select other domains to see where else the GPO is linked.

For now, don't delete the GPO. We'll use it again in later chapters. If you want to play with deleting a GPO, create a new one and delete it.

Block Inheritance

As you've already seen, the normal course of Group Policy inheritance applies all policy settings within GPOs in a cumulative fashion from the site to the domain and then to each nested OU. A setting at any level automatically affects all levels beneath it. But perhaps this is not always the behavior you want. For instance, we know that an edict from the Domain Administrator states there will be no Desktop tab in the Display Properties dialog box.

This edict is fine for most of the OU administrators and their subjects who are affected. But Frank Rizzo, the administrator for the Human Resources OU structure, believes that the folks contained within his little fiefdom can handle the responsibility of the Desktop tab and the Screen Saver tab, and he wants to bring them back to his users. (But he's not ready to give back the Settings tab.)

In this case, Frank Rizzo can prevent GPOs (and the policy settings within them) defined at higher levels (domain and site) from affecting his users, as shown in Figure 2.9. If Frank chooses to select "Block Inheritance," Frank is choosing to block the flow of all GPOs (with all their policy settings) from all higher levels.

Figure 2.9: Use the "Block Inheritance" feature to prevent all GPOs (and the policy settings within them) from all higher levels from affecting your users and computers.

When Frank does this, the Human Resources OU icon changes to include a blue exclamation point (!) as seen in Figure 2.9. Once the check is present and the GPOs are reprocessed on the client, only those settings that Frank dictates within his Human Resources OU structure will be applied.

If you want to see the effect of "Block Inheritance," ensure the check is seen as shown in Figure 2.9. Then, log on as any user affected by the Human Resources OU, say, Frank Rizzo. You'll notice that the Desktop tab has reappeared in the Display Properties dialog box, but that the Settings tab is still absent because that GPO is explicitly defined at the Human Resources Users OU level, which contains Frank's user account.

The Enforced Function

Frank Rizzo and his Human Resources folks are happy that the Screen Saver and Desktop tabs have made a triumphant return. There's only one problem: the Domain Administrator has found out about this transgression and wants to ensure that the Desktop tab is permanently revoked.

Because the normal flow of inheritance is site, domain, and then OU, policy settings inside GPOs linked to the domain can trump the "Block Inheritance" definition of the Human Resources OU (or any OU). Likewise, policy settings inside GPOs linked to the site can trump domain policies. To trump a lower level's "Block Inheritance," a higher-level administrator will use the "Enforced" function.

Note 

Enforced was previously known as "No Override" in old-school parlance.

The idea behind the Enforced function is simple: it guarantees that policies and settings within a specific GPO at a higher level are always inherited by lower levels. It doesn't matter if the lower administrator has blocked inheritance or has a GPO that tries to disable or modify the same policy setting or settings.

In this example, you'll log on as the Domain Administrator and set an edict to force the removal of the Desktop tab from Display settings.

To use Enforced to force the settings within a specific Group Policy Object, right-click the "Hide Desktop Tab" GPO link and select Enforced, as shown in Figure 2.10.

Figure 2.10: Use the Enforced check box to guarantee settings contained within a specific GPO affect all users downward via inheritance.

Notice that the GPO link now has a little "lock" icon, demonstrating it cannot be trumped. You can see this in the "Hide Desktop Tab" GPO link icon in Figure 2.10. You'll see a zoomed-in picture of this later in the "GPMC At-a-Glance Icon View" section.

To test your Enforced edict, log on as a user affected by the Human Resources OU, Frank Rizzo. In the Display Properties dialog box, the Desktop tab should be absent because it is being forced from the Enforced edict at the domain level even though "Block Inheritance" is used at the OU level.

On Group Policy Object Links and Group Policy Objects Themselves

The GPMC is a cool tool, but, in my opinion, it actually shows you a bit too much. Sometimes, it can be confusing what can be performed on the GPO's link and what can be performed on the GPO itself. Remember that GPOs themselves are displayed in the GPMC via the Group Policy Objects container. The links back to them are shown at the site, domain, and OU levels. So here's a list of what you can "do" to a GPO link and what you can "do" to a GPO itself.

You can only do three things on a GPO link that applies to a site, a domain, or an OU:

  • Link Enable (that is, enable or disable the settings to apply at this level).

  • Enforce the link (and force the policy settings).

  • Delete the link.

Everything else is always done on the actual GPO itself:

  • Change the policy settings inside the GPO (found on the Settings tab).

  • Apply security filters and rights (such as the "Apply Group Policy" privilege) and delegation (such as the "Edit this GPO" privilege), discussed in the "Advanced Security and Delegation with the GPMC" section.

  • Enable/disable the computer and/or user half of the GPO via the GPO status (found on the Details tab).

  • Place a WMI filter upon the GPO (discussed in Chapter 10).

If this seems clear as mud, consider this scenario:

  • Fred and Ginger are the two Domain Administrators. By definition, they are members of the "Group Policy Creator Owners" group and, hence, can create GPOs.

  • Imagine that Fred designs the "Desktop Settings" GPO, which contains policy settings that affect both users and computers. Perhaps one user policy setting is Remove Run off Start Menu. Perhaps one computer policy setting is Enforce disk quota limit. And Fred sets the quota limit to 50MB.

  • Fred links the "Desktop Settings" GPO to the Dancers OU as well as the Audition Halls OU.

  • Ginger gets a phone call from the folks in the Audition Halls OU. The users in the Audition Halls OU report that the 50MB disk quotas are too restrictive. "Can they just turn off the computer-side settings for us Audition Halls folks?" one of them cries.

  • Ginger goes to the "Desktop Settings" GPO link (which is linked to the Audition Halls OU), clicks the Details tab, and disables the computer settings using the "GPO Status" setting drop-down box.

  • Fred then gets a phone call that the Dancers OU no longer has disk quotas being applied.

Why did this happen?

Because the Group Policy engine has certain controls on the GPO itself and has other controls on the Group Policy link. Because Fred and Ginger are both Domain Administrators, they jointly have ownership of the ability to change the GPO and the GPO link.

Whenever Ginger modifies any characteristic in the previous bulleted list, she's changing it "globally" for any place in Active Directory that might be using it. That's what the warning in Figure 2.3, earlier in this chapter, is all about.

If you'll allow me to get on my soapbox for the next 10 seconds: the level of fine control over what Ginger can and cannot do to the GPO itself is fairly limited. In the future, I'd love to see the Group Policy engine extended so that we can delegate more aspects of control about the GPO link, not just about the GPO itself.

In any event, delegating what we can control over the GPO itself is precisely what the next section is about, specifically the "Granting User Permissions on a GPO" section.
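The precedence rules from the "Raising or Lowering the Precedence," "Stopping Group Policy Objects from Applying," "Block Inheritance," and "The Enforced Function" sections, plus the Fred-and-Ginger lesson that GPO Status lives on the GPO rather than on its links, worked through as a small simulator. This is an added example, not code from the book or from the GPMC itself; the container and GPO names follow the chapter, while the site name, the site-level "Hide Screen Saver Tab" GPO, and the policy setting names inside each GPO are assumptions made for the example.

```python
"""Simulator of the GPO precedence rules this chapter describes (added
example): site, then domain, then each nested OU; link order 1 is applied
last; disabled links are skipped; GPO Status belongs to the GPO itself;
Block Inheritance drops non-enforced higher-level GPOs; Enforced always wins."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four GPO Status values offered on the Details tab.
ALL_ENABLED, USER_DISABLED, COMPUTER_DISABLED, ALL_DISABLED = (
    "AllSettingsEnabled", "UserSettingsDisabled",
    "ComputerSettingsDisabled", "AllSettingsDisabled")

@dataclass
class GPO:
    """A GPO as it lives in the Group Policy Objects container."""
    name: str
    settings: Dict[Tuple[str, str], str]  # (half, setting name) -> value
    status: str = ALL_ENABLED

@dataclass
class Link:
    """A link from a site, domain or OU back to one GPO."""
    gpo: GPO
    order: int              # link order: 1 = applied last = wins
    enabled: bool = True    # the "Link Enabled" check mark
    enforced: bool = False  # the "Enforced" check mark (lock icon)

@dataclass
class Container:
    """A site, domain or OU: a level that GPOs can be linked to."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(chain: List[Container]) -> List[Tuple[Container, Link]]:
    """(container, link) pairs in the order a client applies them; `chain`
    is top-down [site, domain, OU, child OU, ...] and the last applied wins."""
    normal: List[Tuple[Container, Link]] = []
    enforced_per_level: List[List[Tuple[Container, Link]]] = []
    for container in chain:
        if container.block_inheritance:
            normal = []  # throw away everything inherited from above
        level_enforced: List[Tuple[Container, Link]] = []
        # Highest link-order number first, so link order 1 comes last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled:
                continue  # a disabled link stays in place but is innocuous
            (level_enforced if link.enforced else normal).append((container, link))
        enforced_per_level.append(level_enforced)
    # Enforced links go last, and a higher level's enforced link is applied
    # after a lower level's, so among them site beats domain beats OU.
    ordered = list(normal)
    for level in reversed(enforced_per_level):
        ordered.extend(level)
    return ordered

def half_applies(gpo: GPO, half: str) -> bool:
    """Whether the "User" or "Computer" half of this GPO still processes."""
    disabled_half = {"User": USER_DISABLED, "Computer": COMPUTER_DISABLED}[half]
    return gpo.status not in (ALL_DISABLED, disabled_half)

def resolve(chain: List[Container], half: str,
            setting: str) -> Optional[Tuple[str, str, str]]:
    """(value, winning GPO name, level) for one setting; None if unconfigured."""
    winner = None
    for container, link in processing_order(chain):
        if not half_applies(link.gpo, half):
            continue
        value = link.gpo.settings.get((half, setting))
        if value is not None:  # "Not Configured" leaves the earlier value alone
            winner = (value, link.gpo.name, container.name)
    return winner

def where_linked(gpo: GPO, containers: List[Container]) -> List[str]:
    """'Look before you leap': every level that still links to this GPO."""
    return [c.name for c in containers if any(l.gpo is gpo for l in c.links)]

def corp_com() -> Dict[str, Container]:
    """Constructed layout following the chapter's Corp.com examples."""
    saver = GPO("Hide Screen Saver Tab", {("User", "Hide Screen Saver tab"): "Enabled"})  # assumed
    desktop = GPO("Hide Desktop Tab", {("User", "Hide Desktop tab"): "Enabled"})
    hr_users = GPO("Hide Settings Tab/Restore Screen Saver Tab", {
        ("User", "Hide Settings tab"): "Enabled", ("User", "Hide Screen Saver tab"): "Disabled"})
    no_tasks = GPO("Prohibit new Tasks in Task Scheduler",
                   {("Computer", "Prohibit new task creation"): "Enabled"})
    q50 = GPO("Enforce 50MB Disk Quotas", {("Computer", "Enforce disk quota limit"): "50MB"})
    q40 = GPO("Enforce 40MB Disk Quotas", {("Computer", "Enforce disk quota limit"): "40MB"})
    return {  # one GPO object shared by several links, exactly as in the GPMC
        "site": Container("Default-First-Site-Name", [Link(saver, 1)]),  # assumed site name
        "domain": Container("Corp.com", [Link(desktop, 1)]),
        "hr": Container("Human Resources"),
        "hr_users": Container("Human Resources Users", [Link(hr_users, 1)]),
        "hr_computers": Container("Human Resources Computers", [Link(no_tasks, 1)]),
        "temp_help": Container("Temporary Office Help",
                               [Link(q50, 1), Link(q40, 2), Link(no_tasks, 3)]),
    }
```

Flip `block_inheritance` on the Human Resources container, `enforced` on the domain link, or a GPO's `status`, and `resolve()` reports which GPO now owns the Desktop tab or the disk quota, mirroring what you would see in the GPMC.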



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
Year: 2005
Pages: 110
