Lesson 3: Implementing Group Policy
You can use group policy to establish configuration settings for your organization. This lesson guides you through the steps of implementing a group policy using the Group Policy tab and the Group Policy snap-in. You also learn how to modify a group policy.
After this lesson, you will be able to
- Implement a group policy
- Modify a group policy
Estimated lesson time: 60 minutes
Implementing Group Policy
The tasks for implementing group policy are
- Creating a GPO
- Creating a console for the GPO
- Delegating administrative control of the GPO
- Specifying group policy settings for the GPO
- Disabling unused group policy settings
- Indicating any GPO processing exceptions
- Filtering the scope of the GPO
- Linking the GPO to a site, domain, or OU
Creating a GPO
The first step in implementing a group policy is to create a GPO. Recall that a GPO is a collection of group policy settings.
To create a GPO
1. Determine the type of GPO you want to create. To create a GPO linked to a domain or an OU, open Active Directory Users and Computers. To create a GPO linked to a site, open Active Directory Sites and Services.
2. Right-click the site, domain, or OU for which you want to create a GPO, click Properties, and select the Group Policy tab (see Figure 12.10).
3. Click New, then type the name you would like to use for this GPO. By default, the new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created, and its settings apply to that site, domain, or OU.
4. Click Close.
Figure 12.10 Group Policy tab
Creating a GPO Console
After you create a GPO, you should add the Group Policy snap-in to an MMC and create a stand-alone GPO console. After saving the console, you can open it whenever necessary from the Administrative Tools menu.
To create a GPO console
1. Click Start, then point to Run.
2. In the Run dialog box, type mmc in the Open box and click OK.
3. In the new MMC console, from the Console menu, click Add/Remove Snap-In.
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-In dialog box, select Group Policy, then click Add.
6. In the Select Group Policy Object page, click Browse to find the GPO for which you want to create a snap-in.
7. In the Browse For A Group Policy Object dialog box, click the All tab, click the GPO name, then click OK.
8. In the Select Group Policy Object page, click Finish, then click Close in the Add Standalone Snap-In dialog box.
9. Click OK in the Add/Remove Snap-In dialog box.
10. On the Console menu, click Save As.
11. In the Save As dialog box, type the GPO name in the File Name box and click Save. The GPO is now available on the Administrative Tools menu.
Delegating Administrative Control of a GPO
After you create a GPO, it is important to determine which groups of administrators have access permissions to the GPO. The default permissions on GPOs are shown in Table 12.2.
Table 12.2 Default GPO Permissions
Security Group | Default Settings |
---|---|
Authenticated Users | Read, Apply Group Policy, Special Permissions |
CREATOR OWNER | Special Permissions |
Domain Administrators | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
Enterprise Administrators | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
SYSTEM | Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions |
Directory Users and Computers, the Delegation Of Control Wizard is not available for use in delegating administrative control of a GPO; it only controls security of an object.
To delegate administrative control of a GPO
1. Access the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and click Properties.
3. Click the Security tab (see Figure 12.11), then click the security group for which you want to allow or deny administrative access to the GPO. If you need to change the list of security groups for which you want to allow or deny administrative access to the GPO, you can add or remove security groups using Add and Remove.
4. To provide administrative control of all aspects of the GPO, set the Read permission to Allow and set the Write permission to Allow. A user or administrator who has Read access but does not have Write access to a GPO cannot use the Group Policy snap-in to see the settings that it contains. All extensions to the Group Policy snap-in require Write access to open a GPO.
5. Click OK.
Figure 12.11 GPO Properties Security tab
Specifying Group Policy Settings
After you create a GPO and determine the administrators who have access permissions to the GPO, you can specify the group policy settings.
To specify group policy settings for a GPO
1. Access the Group Policy snap-in for the GPO (see Figure 12.12).
Figure 12.12 Group Policy snap-in
2. In the console tree, expand the item that represents the particular policy you want to set. For example, in Figure 12.12, User Configuration, Administrative Templates, and Control Panel were expanded, and then Display was expanded.
3. In the details pane, right-click the policy that you want to set, then click Properties. In Figure 12.13, the Hide Screen Saver Tab policy was selected in the details pane.
Figure 12.13 Hide Screen Saver Tab Properties dialog box
4. Click Enabled to apply the policy to users or computers that are subject to this GPO, then click OK. Not Configured indicates that no change will be made to the registry for this setting. Disabled indicates that the registry will explicitly record that the policy does not apply to users or computers that are subject to this GPO.
Disabling Unused Group Policy Settings
If a GPO has, under the Computer Configuration or User Configuration node of the console, only settings that are Not Configured, then you can avoid processing those settings by disabling the node. This action expedites startup and logon for those users and computers subject to the GPO.
To disable the Computer Configuration or User Configuration settings for a GPO
1. Access the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and click Properties.
3. In the General tab in the Properties dialog box:
   - To disable the Computer Configuration settings, click the Disable Computer Configuration Settings check box.
   - To disable the User Configuration settings, click the Disable User Configuration Settings check box.
4. Click OK.
Indicating GPO Processing Exceptions
GPOs are processed according to the Active Directory hierarchy: local GPO, site GPOs, domain GPOs, and OU GPOs. However, the default order of processing group policy settings may be changed by modifying the order of GPOs for an object, specifying the Block Policy Inheritance option, specifying the No Override option, or by enabling the Loopback setting.
To modify the order of GPOs for an object
1. Open Active Directory Users and Computers to set the order of GPOs for a domain or OU, or open Active Directory Sites and Services to modify the order of GPOs for a site.
2. In the console tree, right-click the site, domain, or OU for which you want to modify the GPO order, click Properties, then click the Group Policy tab.
3. In the Group Policy Object Links list, select the GPO and click the Up button (as shown in Figure 12.14) or the Down button to change the priority of the GPO for this site, domain, or OU. Windows 2000 processes GPOs from the top of the list to the bottom of the list.
Figure 12.14 Modifying the order of GPOs
To specify the Block Policy Inheritance option
1. Open Active Directory Users and Computers to specify the Block Policy Inheritance option for a domain or OU, or open Active Directory Sites and Services to specify the Block Policy Inheritance option for a site.
2. In the console tree, right-click the site, domain, or OU for which you want to specify the Block Policy Inheritance option, click Properties, then click the Group Policy tab.
3. Select the Block Policy Inheritance check box to specify that all GPOs linked to higher-level sites, domains, or OUs should be blocked from linking to this site, domain, or OU. You cannot block GPOs that use the No Override option (see later).
To specify the No Override option
1. Open Active Directory Users and Computers to specify the No Override option for a domain or OU, or open Active Directory Sites and Services to specify the No Override option for a site.
2. In the console, right-click the site, domain, or OU to which the GPO is linked, click Properties, then click the Group Policy tab.
3. Select the GPO, click Options, select the No Override check box in the Options dialog box (see Figure 12.15) to specify that other GPOs should be prevented from overriding settings in this GPO, then click OK.
Figure 12.15 Options dialog box
To enable the Loopback setting
1. Access the Group Policy snap-in for the GPO.
2. In the console tree, expand Computer Configuration, Administrative Templates, System, and Group Policy.
3. In the details pane, double-click User Group Policy Loopback Processing Mode.
4. In the User Group Policy Loopback Processing Mode Properties dialog box, click Enabled.
5. Select one of the following modes in the Mode list:
   - Replace, to replace the GPO list for the user with the GPO list already obtained for the computer at computer startup.
   - Merge, to append the GPO list obtained for the user at logon to the GPO list already obtained for the computer at computer startup.
6. Click OK.
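The same four processing exceptions, as an added example using the GroupPolicy PowerShell module rather than the Windows 2000 consoles the lesson uses (the module ships with Windows Server 2008 R2 and RSAT or later; this is not code from the training kit). It assumes a domain corp.example with a Dispatch OU, a GPO named DispatchPolicy to be linked there, and a GPO named DomainBaseline already linked at the domain.

```powershell
# Added example (not from the training kit): GPO processing exceptions for one OU,
# set with the GroupPolicy module. Names below are assumptions for the example.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'
$ou       = "OU=Dispatch,$domainDn"

# Order of GPOs for an object: Order 1 is the top of the Group Policy tab list.
New-GPLink -Name 'DispatchPolicy' -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# Block Policy Inheritance: GPOs linked at the site or domain no longer reach this OU.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# No Override (called Enforced in this module) on the domain link: the block above
# cannot stop it, and GPOs linked lower in the hierarchy cannot override its settings.
Set-GPLink -Name 'DomainBaseline' -Target $domainDn -Enforced Yes | Out-Null

# Loopback is itself a Computer Configuration policy, stored as a registry value:
# UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name 'DispatchPolicy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check the result: the block flag, and the links that still reach the OU after the
# block (the enforced domain link should be among them).
$inheritance = Get-GPInheritance -Target $ou
"Inheritance blocked on {0}: {1}" -f $inheritance.Path, $inheritance.GpoInheritanceBlocked
$inheritance.InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```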
Filtering GPO Scope
The policies in a GPO apply only to users who have Read permission for that GPO. You can filter the scope of a GPO by creating security groups and then assigning Read permission to the selected groups. Thus, you can prevent a policy from applying to a specific group by denying that group Read permission to the GPO.
To filter the scope of a GPO
1. Access the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, then click Properties.
3. Click the Security tab (see Figure 12.11), and then click the security group through which to filter this GPO. If you need to change the list of security groups through which to filter this GPO, you can add or remove security groups using Add and Remove.
4. Set the permissions as shown in Table 12.3, then click OK.
Table 12.3 Permissions for GPO Scopes
GPO Scope | Set These Permissions | Result |
---|---|---|
Members of this security group should have this GPO applied to them. | Set Apply Group-Policy (AGP) to Allow. Set Read to Allow. | This GPO applies to members of this security group unless they are members of at least one other security group that has AGP set to Deny, or Read set to Deny, or both. |
Members of this security group are exempt from this GPO. | Set AGP to Deny. Set Read to Deny. | This GPO never applies to members of this security group regardless of the permissions those members have in other security groups. |
Membership in this security group is irrelevant to whether the GPO should be applied. | Set AGP to neither Allow nor Deny. Set Read to neither Allow nor Deny. | This GPO applies to members of this security group only if they have both AGP and Read set to Allow as members of at least one other security group. They also must not have AGP or Read set to Deny as members of any other security group. |
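The "exempt" row of Table 12.3, as an added example that scripts it with the GroupPolicy and ActiveDirectory PowerShell modules (not code from the training kit, and not available on Windows 2000). It assumes a domain corp.example, a GPO named DispatchPolicy and a group named Sales; the Deny entries go onto the GPO's own ACLs because Set-GPPermission only writes Allow entries.

```powershell
# Added example (not from the training kit): exempt one group from a GPO by setting
# Apply Group Policy and Read to Deny, then read the permissions back.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainFqdn = 'corp.example'                 # assumed domain
$domainDn   = 'DC=corp,DC=example'
$gpo        = Get-GPO -Name 'DispatchPolicy' -Domain $domainFqdn
$salesSid   = (Get-ADGroup -Identity 'Sales').SID

# The Security tab edits two ACLs behind the scenes: the GPO's directory object and
# its SYSVOL folder. "Apply Group Policy" is an extended right on the directory object.
$applyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adPath     = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$adAcl      = Get-Acl -Path $adPath
$adAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $salesSid, 'ExtendedRight', 'Deny', $applyRight)))     # Apply Group Policy = Deny
$adAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $salesSid, 'GenericRead', 'Deny')))                     # Read = Deny
Set-Acl -Path $adPath -AclObject $adAcl

# Mirror the Read denial onto the SYSVOL folder so both halves of the GPO agree.
$sysvolPath = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\{$($gpo.Id)}"
$fsAcl = Get-Acl -Path $sysvolPath
$fsAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $salesSid, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')))
Set-Acl -Path $sysvolPath -AclObject $fsAcl

# Read the result back. A Denied entry for Sales means the GPO never applies to its
# members, whatever Allow entries they pick up through other groups (Table 12.3).
Get-GPPermission -Name 'DispatchPolicy' -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```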
Linking a GPO
By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created. Therefore, its settings apply to that site, domain, or OU. Use the Group Policy tab for the site, domain, or OU properties to link a GPO to additional sites, domains, or OUs.
To link a GPO to a site, domain, or OU
1. Open Active Directory Users and Computers to link a GPO to a domain or OU, or open Active Directory Sites and Services to link a GPO to a site.
2. In the console, right-click the site, domain, or OU to which the GPO should be linked.
3. Click Properties, then click the Group Policy tab.
4. If the GPO already appears in the Group Policy Object Links list, click Cancel. If the GPO does not appear in the Group Policy Object Links list, click Add.
5. In the Add A Group Policy Object Link dialog box (see Figure 12.16), click the All tab, click the desired GPO, then click OK.
Figure 12.16 Add A Group Policy Object Link dialog box
6. In the Properties dialog box for the site, domain, or OU, click OK.
Modifying Group Policy
The tasks for modifying group policy are
- Removing a GPO link
- Deleting a GPO
- Editing a GPO and GPO settings
Removing a GPO Link
Removing a GPO link simply unlinks the GPO from the specified site, domain, or OU. The GPO remains in Active Directory until it is deleted.
To remove a GPO link
1. Open Active Directory Users and Computers to unlink a GPO from a domain or OU, or open Active Directory Sites and Services to unlink a GPO from a site.
2. In the console, right-click the site, domain, or OU from which the GPO should be unlinked.
3. Click Properties, then click the Group Policy tab.
4. In the Group Policy tab, select the GPO that you want to unlink, then click Delete.
5. In the Delete dialog box, click Remove The Link From The List. The GPO remains in Active Directory but is no longer linked.
Deleting a GPO
If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs to which it is linked will no longer be affected by it. You may wish to take the less drastic step of removing the GPO link, which disassociates the GPO from its OU but leaves the GPO intact in Active Directory.
To delete a GPO
1. Open Active Directory Users and Computers to delete a GPO from a domain or OU, or open Active Directory Sites and Services to delete a GPO from a site.
2. In the console, right-click the site, domain, or OU from which the GPO should be deleted.
3. Click Properties, then click the Group Policy tab.
4. In the Group Policy tab, select the GPO that you want to delete, then click Delete.
5. In the Delete dialog box, click Remove The Link And Delete The Group Policy Object Permanently, then click OK. The GPO is removed from Active Directory.
Editing a GPO and GPO Settings
To edit a GPO or its settings, follow the procedures outlined earlier in this lesson for creating a GPO and for specifying group policy settings.
Practice: Implementing a Group Policy
In this practice you implement a group policy for your domain. In Exercises 1 through 8 you create a GPO, create a GPO console, delegate administrative control of the GPO, specify group policy settings for the GPO, disable unused group policy settings, indicate a GPO processing exception, filter the scope of the GPO, and link the GPO to an additional OU. In Exercise 9 you test the group policy.
Exercise 1: Creating a GPO
In this exercise you create a GPO at the OU level.
To create a GPO for your OU
1. Log on to the domain as Administrator.
2. Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.
3. Double-click microsoft.com (or the name of the domain you have created).
4. Create a new OU called Dispatch.
5. Right-click the Dispatch OU, click Properties, then select the Group Policy tab.
6. Click New, then type DispatchPolicy to name this GPO.
7. Click Close.
Exercise 2: Creating a GPO Console
In this exercise you create a console for the DispatchPolicy GPO. After saving it, you can open it whenever necessary from the Administrative Tools menu.
To create a DispatchPolicy GPO console
1. Click Start, then point to Run. The Run dialog box appears.
2. Type mmc in the Open box, then click OK. A new MMC appears.
3. From the Console menu, click Add/Remove Snap-In. The Add/Remove Snap-In dialog box appears.
4. Click Add. The Add Standalone Snap-In dialog box appears.
5. Select Group Policy, then click Add. The Select Group Policy Object page appears.
6. Click Browse to find the DispatchPolicy GPO. The Browse For A Group Policy Object dialog box appears.
7. Click the All tab, click the DispatchPolicy GPO, then click OK. The Select Group Policy Object page appears with DispatchPolicy in the Group Policy Object box.
8. Click Finish, then click Close on the Add Standalone Snap-In dialog box.
9. Click OK on the Add/Remove Snap-In dialog box.
10. On the Console menu, click Save As. The Save As dialog box appears.
11. Type DispatchPolicy GPO in the File Name box, then click Save. The DispatchPolicy GPO is now available on the Administrative Tools menu.
Exercise 3: Delegating Administrative Control of a GPO
In this exercise you delegate administrative control for the DispatchPolicy GPO to the Administrators group.
To delegate administrative control for your GPO
1. Access the DispatchPolicy GPO console.
2. Right-click the root node of the console, DispatchPolicy [server1.microsoft.com] Policy, click Properties, then click the Security tab. The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears. What security groups already have administrative control of the DispatchPolicy GPO?
3. Add the Administrators group using the Add button.
4. To provide administrative control of all aspects of the GPO to the Administrators group, set Read, Write, Create All Child Objects, and Delete All Child Objects to Allow for the group.
5. Click OK.
Exercise 4: Specifying Group Policy Settings
In this exercise you specify some group policy settings for the DispatchPolicy GPO.
To specify group policy settings for your GPO
1. In the DispatchPolicy GPO console, in the console tree, expand the root node of the console.
2. Expand User Configuration, then expand Administrative Templates.
3. In the console tree, click Start Menu & Task Bar. What appears in the details pane?
4. In the details pane, double-click Remove Search Menu From Start Menu. The Remove Search Menu From Start Menu Properties dialog box appears.
5. Click Enabled, then click OK. How can you tell at a glance that this setting is enabled?
6. Repeat Steps 4 and 5 to enable the Remove Run Menu From Start Menu policy (still under User Configuration).
7. In the console tree, double-click System, then click Logon/Logoff. The policies available for this category appear in the details pane.
8. In the details pane, enable the Disable Lock Computer policy and click OK.
Exercise 5: Disabling Unused Group Policy Settings
In this exercise you disable the Computer Configuration node of the console, as this node contains only settings that are not configured. This action expedites startup for those users and computers subject to the GPO.
To disable the Computer Configuration settings for your GPO
1. On the DispatchPolicy GPO console, right-click the root node of the console, then click Properties. The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.
2. In the General tab, click Disable Computer Configuration Settings. The Confirm Disable message box appears, asking you to confirm that you want to disable the Computer Configuration settings.
3. Click Yes, then click OK.
Exercise 6: Indicating GPO Processing Exceptions
In this exercise you set the No Override option to prevent other GPOs from overriding the policies set in the DispatchPolicy GPO.
To set the No Override option for your GPO
1. Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.
2. Right-click the Dispatch OU, then click Properties. The Dispatch Properties dialog box appears.
3. Click the Group Policy tab, click the DispatchPolicy GPO, then click Options. The DispatchPolicy Options dialog box appears.
4. Select the No Override check box, then click OK.
5. In the Dispatch Properties dialog box, click OK.
Exercise 7: Filtering GPO Scope
In this exercise you prevent a policy from applying to the Sales security group by denying that group Read permission to the GPO. You created the Sales group and its members in Chapter 8.
To filter the scope of your GPO
1. In the DispatchPolicy GPO console, right-click the root node of the console, then click Properties. The DispatchPolicy [server1.microsoft.com] Policy Properties dialog box appears.
2. Click the Security tab, then click the Sales security group. You will need to add the Sales group using the Add button.
3. For the Sales group, set Apply Group Policy to Deny and set Read to Deny, then click OK. The Security message box appears, asking you to confirm that you want to prevent the DispatchPolicy from applying to the Sales group.
4. Click Yes.
Exercise 8: Linking a GPO
By default, the DispatchPolicy GPO is linked to the Dispatch OU, and its settings apply to that OU. In this exercise you link the DispatchPolicy GPO to the Security1 OU you created in Chapter 11.
To link your GPO to an additional OU
1. Click Start, point to Programs, point to Administrative Tools, then click Active Directory Users And Computers.
2. Right-click the Security1 OU, then click Properties. The Security1 Properties dialog box appears.
3. Click the Group Policy tab, then click Add. The Add A Group Policy Object Link dialog box appears.
4. Click the All tab, click the DispatchPolicy GPO, then click OK.
5. In the Security1 Properties dialog box, click OK.
Exercise 9: Testing a GPO
In this exercise you view the effects of the group policy implemented in the previous exercises.
To test the DispatchPolicy GPO
1. Log off Windows 2000. If a Microsoft Management Console message box appears, prompting you to save console settings to DispatchPolicy GPO.msc, click Yes.
2. Log on as Assistant1, a user account in the Security1 OU.
3. Press Ctrl+Alt+Delete. The Windows Security dialog box appears. Are you able to lock the workstation? Why?
4. Click Cancel, then click Start. Does the Search command appear on the Start menu? Does the Run command appear on the Start menu?
5. Log off as Assistant1, then log on as Administrator.
6. Make Assistant1 a member of the Sales security group.
7. Log off as Administrator, then log on as Assistant1.
8. Press Ctrl+Alt+Delete. Are you able to lock the workstation? Why?
9. Log off the computer.
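Exercises 1 through 9 as one script, added here as an example using the GroupPolicy PowerShell module (Windows Server 2008 R2 and RSAT or later; not code from the training kit and not available on the Windows 2000 consoles the exercises use). It assumes the microsoft.com domain, the Dispatch and Security1 OUs and the Assistant1 account named in the exercises; the registry values are the ones the three Administrative Templates policies from Exercise 4 write.

```powershell
# Added example (not from the training kit): the Lesson 3 practice as a script.
# Domain and OU names are the exercise's; treat them as assumptions for your lab.
Import-Module GroupPolicy

$domainDn = 'DC=microsoft,DC=com'
$gpoName  = 'DispatchPolicy'

# Exercise 1: create the GPO and link it to the Dispatch OU.
$gpo = New-GPO -Name $gpoName -Comment 'Lesson 3 practice'
New-GPLink -Name $gpoName -Target "OU=Dispatch,$domainDn" -LinkEnabled Yes | Out-Null

# Exercise 3: Administrators get Read, Write, create/delete child objects and
# modify-security, the same set the Security tab grants.
Set-GPPermission -Name $gpoName -TargetName 'Administrators' -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# Exercise 4: Remove Search, Remove Run and Disable Lock Computer, written as the
# User Configuration registry values those Administrative Templates policies set.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoFind' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $system -ValueName 'DisableLockWorkstation' -Type DWord -Value 1 | Out-Null

# Exercise 5: the Computer Configuration half holds nothing, so stop clients processing it.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Exercise 6: No Override (Enforced) on the Dispatch link.
Set-GPLink -Name $gpoName -Target "OU=Dispatch,$domainDn" -Enforced Yes | Out-Null

# Exercise 7 stays a Security tab step here: the Sales exemption needs Deny entries for
# Read and Apply Group Policy, and Set-GPPermission can only write Allow entries.

# Exercise 8: a second link, to the Security1 OU.
New-GPLink -Name $gpoName -Target "OU=Security1,$domainDn" -LinkEnabled Yes | Out-Null

# Exercise 9 without logging on and off: refresh user policy, then list the GPOs and
# the security-group filtering that applied to Assistant1 (the account must have
# logged on to this computer once for gpresult to have its data).
gpupdate /target:user /force
gpresult /r /scope:user /user Assistant1

# A full record of the GPO: its settings, status and security filtering.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```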
Lesson Summary
In this lesson you learned the tasks involved with implementing group policy. The tasks are: create a GPO, create a GPO console, delegate administrative control of the GPO, specify group policy settings for the GPO, disable unused group policy settings, indicate GPO processing exceptions, filter the scope of the GPO, and link the GPO to a site, domain, or OU.
In the practice portion of this lesson you implemented a group policy for your domain. You created a GPO, created a console for the GPO, delegated administrative control of the GPO, specified group policy settings for the GPO, disabled unused group policy settings, set the No Override option for the GPO, filtered the scope of the GPO, and linked the GPO to an additional OU. Finally, you tested the effects of the GPO.