Group Policy Notes
General Notes
Design your domain and OU structure to use as few GPOs as possible.
The more GPOs you use:
- the slower logons may become
- the more network traffic is generated
- the greater the chance of conflict between settings in different GPOs,
  causing unpredictable results
- the more difficult it is to troubleshoot problems associated with GPOs
Keep the number of GPOs that are applied to a given user account
small (two or three, usually). It is generally better to merge policy
settings from several GPOs into a single GPO whenever possible, to
speed up the process by which GPOs are applied and refreshed.

Link each GPO you create to only a single site, domain, or OU. GPOs
linked to several domains or sites can significantly slow logons (the
client may have to contact a domain controller in another domain to
read them), and GPOs with multiple links generally make it difficult
to troubleshoot GPO problems when they occur.

Use blocking (Block Policy Inheritance on a domain or OU) when you
have a special group of users or computers that needs unique Group
Policy settings in your site, domain, or OU. Blocking stops all GPOs
linked higher in the hierarchy from applying, except those that are
forced.

Use forcing (No Override on a GPO link in the Group Policy tab;
Enforced in the GPMC) sparingly, and then only for containers high up
in the Active Directory hierarchy and for GPO settings that are
critical throughout the enterprise, such as security settings. A
forced link can't be blocked by a lower-level container, and its
settings win over conflicting settings in GPOs linked lower down.

Try not to use GPO filtering (security group filtering or WMI
filtering), since this makes troubleshooting Group Policy problems
complex. Create an additional GPO instead of filtering an existing one.

Disable the User or Computer Configuration portion of a GPO if it is
not needed. This speeds up processing.

Use the default security templates included in WS2003 (in
%SystemRoot%\security\templates: securews.inf and hisecws.inf for
workstations and member servers, securedc.inf and hisecdc.inf for
domain controllers, among others) as a starting point for configuring
security settings in domain GPOs. Test the hisec* templates carefully
before deploying them; they require NTLMv2 authentication and SMB
signing and can lock out down-level clients.

Test your Group Policy settings by logging on to workstations using
ordinary user accounts and seeing whether the settings work as you
expected.

Document your GPOs, where they are linked, and which settings have
been configured.

Use the gpresult command-line tool in WS2003 to determine which Group
Policy settings have been applied to a specific computer and to the
user currently logged on to the computer. It lists the GPOs that were
applied and those that were filtered out, with the reason; gpresult /v
and /z give progressively more detail, /scope user or /scope computer
restricts the output to one half, and /s <computer> queries a remote
machine. This is a useful tool for troubleshooting Group Policy
problems on your network.

You can't link a GPO to any of the default containers in Active
Directory (i.e., Builtin, Computers, and Users). This is because these
containers aren't OUs but special containers that behave differently
from OUs; objects in them receive only the GPOs linked at the site and
domain levels. This is a good reason to create your own custom OUs,
even in a single-domain environment, so that you can place your users
and computers in these custom OUs and apply Group Policy to them.

Only Domain Admins, Enterprise Admins, and the user who created a GPO
(who receives full control of it) can delegate administrative control
over a GPO to another user.

Group Policy offers a feature called loopback processing. Normally the
User Configuration settings a user receives come from the GPOs that
apply to the user's account, whichever computer the user logs on to.
With loopback enabled on a computer, the User Configuration settings
of the GPOs that apply to that computer are applied to whoever logs on
to it. (Computer Configuration settings are processed at startup and
User Configuration settings at logon; where the same setting exists in
both halves, the Computer Configuration value normally takes
precedence.) You can use this on a computer that is set up to perform
a dedicated function for all users who access it, such as a kiosk or a
terminal server. To configure loopback:
- Right-click on the container the GPO is linked to, select
  Properties, go to the Group Policy tab, select the GPO, and click
  Edit (or, in the GPMC, right-click the GPO and select Edit).
- Under Computer Configuration, expand Administrative Templates,
  System, Group Policy, and open the User Group Policy loopback
  processing mode setting.
- Select Enabled and choose a mode. Use Replace if you want only the
  User settings of the computer's GPOs to apply when users log on to
  the computer (the user's own GPOs are ignored); use Merge if you want
  to combine them. In Merge mode the user's own GPOs are processed
  first and the computer's GPOs last, so the computer's GPOs prevail
  if there is a conflict.
Because loopback is a Computer Configuration setting, the GPO that
carries it must apply to the computer, and the User Configuration half
of the computer's GPOs must not be disabled, or there is nothing for
loopback to apply.

For example, if you create a GPO to manage only User (or only
Computer) settings, you should disable it for Computer (or User)
settings. To do this, open the GPO in a Group Policy console and
then:
- Right-click on the GPO's root node in the console tree and select
  Properties.
- On the General tab, check Disable Computer Configuration settings
  (or Disable User Configuration settings) and click OK.
In the GPMC, the same choice is made from the GPO Status drop-down on
the GPO's Details tab. The GPO is processed more quickly if the
unnecessary part of it (User or Computer) is disabled, because clients
skip that half entirely instead of reading it and finding nothing.

Once you create, configure, or delete a GPO, the GPO must be
replicated to the domain controllers in your domain before it takes
effect for all users and computers in your enterprise. This typically
takes five minutes, unless your domain is partitioned into sites
connected by slow WAN links with site replication scheduled to occur
at intervals you specify. A GPO is stored in two parts that replicate
separately: the Group Policy container in Active Directory (by Active
Directory replication) and the Group Policy template under SYSVOL (by
the File Replication Service); until both have converged on a domain
controller, clients using it may see an inconsistent version. Clients
then apply the change at their next Group Policy refresh (every 90
minutes plus a random offset of up to 30 minutes on workstations and
member servers, every 5 minutes on domain controllers) or when
gpupdate is run.

You can't configure a Scripts setting using secondary logon (runas).

Administrators can delegate control to a trusted user over existing
GPOs linked to a container. This step is not necessary for managing
the links themselves if the user has already been delegated
administrative authority over the container (for example, Full
Control, or the Manage Group Policy links task in the Delegation of
Control Wizard), because that gives the user write access to the
container's gPLink and gPOptions attributes, which is what is needed
to link and unlink GPOs, block inheritance, and set No Override. It
does not by itself let the user edit the linked GPOs (that requires
permissions on each GPO) or create new ones (that requires membership
in the Group Policy Creator Owners group). See Delegation earlier in
this chapter for general information on the subject.

By default, only Enterprise Admins can create or link GPOs at the site
level, because site objects live in the forest-wide Configuration
partition rather than in any one domain. The GPO itself is still
stored in a domain, and a site-linked GPO is read by every computer in
the site, including computers from other domains.
Notes on the GPMC
By default, the GPMC obtains all GPO and GPO link information from
the PDC Emulator in the domain in which the tool is run (so that two
administrators editing the same GPO are less likely to overwrite each
other's changes before replication), but you can also connect to any
other available domain controller if required.

You can't restore a backed-up GPO to a different domain. To carry
settings across domains, use the GPMC's Import Settings operation on a
GPO in the target domain, with a migration table to translate
domain-specific security principals and UNC paths.

GPO backups can't be restored once a domain has been renamed.

For more information on the GPMC, see the white papers at
http://www.microsoft.com/windowsserver2003/gpmc/ on Microsoft's web
site.
See Also
Active Directory, dcgpofix, gpresult, gpupdate