Group Policy Tasks
We'll look at general tasks for managing GPOs first. I'll then describe how to configure different types of GPO settings. After that, we'll examine the RSoP tool and I'll explain how to use it. Finally, we'll look at how to use the new Group Policy Management Console (GPMC) that can be downloaded from Microsoft's web site.
The procedures described here use different consoles in different situations:
To work with GPOs in a domain or OU
Open the Active Directory Users and Computers console
To work with GPOs in a site
Open the Active Directory Sites and Services console
If the context described is not clear in the procedures that follow, the console to be used is explicitly stated; otherwise, the appropriate console is assumed to be already open at the start of the procedure. You typically work with GPOs by creating and linking them to a specific container (site, domain, or OU) in Active Directory using the consoles, but you can also open GPOs directly using the Group Policy Object Editor (GPOE).
To create a GPO, you must first decide which container you want it to be linked to in Active Directory. This can be either a site, domain, or OU. By default, a GPO is automatically linked to the container on which it is created. To create a new GPO, access the properties sheet for the desired container using the appropriate MMC console and:
Right-click on a container
Once a GPO has been created, it must be configured (see Configure a GPO later in this section).
Open a GPO using an MMC console that has the Group Policy snap-in installed. You can do this in different ways:
Open the Active Directory Users and Computers (or Sites and Services) console, right-click a domain or OU (or site) to which the GPO is linked, and then select:
Properties
This opens the GPOE console and displays the different configurable settings of your selected GPO.
Add the Group Policy Object Editor snap-in to a new or existing MMC console, and then open the GPO in it. For example:
Start
When you create a new GPO, it is automatically linked to the site, domain, or OU that you selected for creating it (see Create a GPO earlier in this section). You can also link a selected container (Site, Domain, or OU) to a GPO as follows:
Right-click on a container
The Group Policy Object Links listbox displays all the GPOs that are currently linked to your container. To unlink a GPO from a container, do the following:
Right-click on the container
You can view the containers your GPO is linked to in Active Directory as follows:
Right-click on a container
Alternatively, you can find links by opening the GPO in a Group Policy console (see Open a GPO earlier in this section) and then:
Right-click on the GPO's root node in the console tree
Right-click on a container
Alternatively, you can filter a GPO in the Group Policy console (see Open a GPO earlier in this section) and then:
Right-click on the GPO's root node in the console tree
Right-click on a container
Any settings in this GPO are now applied to the entire subtree of the Active Directory hierarchy beneath the selected container, regardless of any other GPOs linked to containers in the subtree.
Right-click on a container
Blocking GPO inheritance prevents settings from GPOs linked to parent containers from being inherited by the selected child container. The exception is if parent GPO settings are forced (see Force a GPO earlier in this section).
Administrators can give trusted users administrative control over a GPO linked to a container. These users can manage the GPO settings even if they don't have administrative privileges over the container itself. Management is limited to modifying GPO settings and not creating new GPOs linked to the container. To do this:
Right-click on a container
Or you can open the GPO in a Group Policy console and then:
Right-click on the GPO's root node in the console tree
Right-click on the container
Disabling a GPO lets you modify its settings without worrying about having these modifications applied until you are ready.
Right-click on the container
Deleting a GPO deletes all the links between that GPO and different containers.
To configure the settings of a GPO, first open it for editing and then configure settings by double-clicking on them. The kind of configuration you can perform on a setting depends on the type of setting involved.
These settings usually have three states you can choose from:
Enabled
The setting is applied when Group Policy is applied.
Disabled
The setting is removed when Group Policy is applied.
Not configured
The setting is ignored when Group Policy is applied.
Of course, the actual results of configuring an administrative template setting depend on the number of different GPOs applied, the containers they are linked to, whether GPO inheritance is blocked or forced, and so on. In addition to specifying the state, many administrative template settings require further information as well, depending on the type of operating-system function being controlled.
Before you can configure the settings on a redirected folder, you need to redirect it as described in the following procedures. To configure a redirected folder:
User Configuration
If you want a user to have exclusive rights to her redirected folder, select "Grant the user exclusive rights." If multiple users will be sharing the same redirected folder, clear this setting. If you later unlink the GPO containing the folder-redirection policies from the OU where the users reside in Active Directory, you can specify whether to leave folders in their present (redirected) location or restore them to the local user profile for each user.
User Configuration
For example, you could redirect the Start menu folder to \\<server>\<share> for all users and set the NTFS permission to Read for the Users group on the <share> folder. In this way, all your users will have a common, standard Start menu that they can use but not modify.
User Configuration
Using the %<username>% replaceable variable in this case causes a separate subfolder named %<username>% to be created for each user within <share>.
User Configuration
The option "Move the contents of Application Data to the new location" should be selected on the Settings tab; otherwise, redirection will not occur!
Use these three steps to implement a startup/shutdown/logon/logoff script using Group Policy:
Create the script file using Notepad or some other editor.
Copy the script file to the GPT for the GPO in the SYSVOL share. This is necessary because the script file must be stored in the GPT so the GPO can run it when Group Policy is applied to the client. A simple way to copy the script file to the correct GPT folder is to do the following:
Right-click on the script file in Windows Explorer or My Computer
Open the GPO that will run the script (see Open a GPO earlier in this section) and:
For startup/shutdown scripts
Computer Configuration
For logon/logoff scripts
User Configuration
Double-click on the appropriate policy in the details pane to open its properties sheet, and click Show Files to open a window for the script folder in the GPT. Then paste the script into the GPT window.
Finally, add the script to the GPO by opening the properties sheet of the scripts setting and:
Add
If a startup or logon script fails to terminate properly, it must time out before another startup script can execute. The default timeout value is 10 minutes, which means that if your startup script has a problem, users are going to be pretty frustrated. You can configure the timeout value using the following GPO setting, which applies globally to all scripts:
Computer Configuration
If multiple startup scripts are configured, they execute in the order in which they are listed on the Script tab of Startup Properties.
You can configure security settings at the local, domain, or domain-controller level. The settings you configure may be overridden by Group Policy, however, depending on how Group Policy has been configured.
Open the Local Security Policy console
The changes you make to a Local Security Policy are applied immediately to the local machine.
Start
A better method is to create custom GPOs linked to the domain and selected OUs using Active Directory Users and Computers. You then configure the security settings in each GPO as desired by opening the GPO and:
Computer Configuration
Prior to configuring your method of software deployment, you need to perform the following preparatory steps:
Create or obtain a Windows Installer package
A Windows Installer package (an .msi file) must first be created or obtained for the application you want to remotely deploy on your client computers. You may obtain a package from Microsoft or a third-party vendor, or you may create your own package using a third-party packaging tool.
Create a software distribution point
Share a folder on a file server on your network, and assign users Read and Execute permissions on the contents of the share. Create a subfolder that has the same name as the application you want to deploy, and store the .msi package file and any other files required for the application in the subfolder.
Create or edit a GPO
If you want to deploy software for all user or computer objects within a container (a site, domain, or OU), you need to create a new GPO and link it to the container or edit an existing GPO that is linked to the container.
The remaining procedures assume that you have already opened the GPO for editing unless otherwise specified.
Select {Computer | User} Configuration
At this point you have three options:
Assigned
This causes the application to be automatically deployed the next time the user logs on (if User Configuration was chosen) or the client computer boots up (if Computer Configuration was chosen). You can further configure the package for deployment by right-clicking the package in the details pane to open its properties sheet.
Published
This causes the application to appear as available for installation in Add/Remove Programs in the Control Panel, as well as automatically installed if the user double-clicks on a file whose file association matches the application. You can further configure the package for deployment by right-clicking the package in the details pane to open its properties sheet.
Advanced published or assigned
This simply opens the properties sheet for the new package and lets you configure the deployment method (assigned or published) and other options.
After you add a new package, you can further configure the deployment method, add software modifications, or create software categories. See the relevant headings in this section for more details.
You can add and remove software modifications only when you are preparing to deploy the package. You can't add software modifications to the application once it has been installed on the client machines. Transform files (.mst files) are typically supplied by the vendor that created the package:
Select {Computer | User} Configuration
mst file
If you have multiple software modifications added, they are applied in the order displayed.
Select {Computer | User} Configuration
If your package is assigned, you can change it to published. If it is published, you can either change it to assigned or leave it as published but enable or disable automatic installation by users double-clicking on the appropriate file association for the application.
Select {Computer | User} Configuration
The key options to configure on these tabs are:
General
You can change the location where your packages are assumed to be stored. The default location is on domain controllers in the relevant GPT within the SYSVOL share:
sysvol\<domain>\Policies\<GPT_GUID>\Machine\Scripts\Startup
You can configure deployment options so that new packages are automatically published or assigned by default, so that a dialog box prompts whether you want to assign or publish the packages, or so that the properties sheet for the package lets you configure its deployment options in detail.
The Basic installation user-interface option enables automatic installation using the default Windows Installer package settings. Maximum allows users to manually specify the installation options instead. Most .msi packages support both of these options.
If you want the application to be uninstalled automatically when the GPO containing the software-installation policy no longer applies to the users and computers for which it was configured (either by unlinking the GPO from the OU or by moving users and computers to a different OU), select "Uninstall the applications when they fall out of the scope of management."
File extensions
See Modify File-Extension Priorities later in this section.
Categories
See Create and Assign Software Categories later in this section.
Select {Computer | User} Configuration
Here are the key options on the Deployment tab:
Deployment type
Lets you change how your software is deployed (either Assigned or Published). If you choose Published, you can enable or disable either or both of the two installation methods used to install published software (by document activation or by using Add/Remove Programs).
Deployment options
Lets you choose to have the application uninstalled automatically when the GPO used to deploy software is unlinked from the OU or when the user or computer objects are moved to a different OU where the GPO doesn't apply.
Installation user-interface options
Basic installation provides automatic installation using the default Windows Installer package settings, while Maximum lets you specify installation options.
Advanced
Displays the product code for the application and advanced diagnostic information.
To create a new category for software you are publishing:
Select {Computer | User} Configuration
Once the category is created, you can assign it to a package:
Select {Computer | User} Configuration
If you are deploying two different versions of an application that creates files with the same file extension, you can specify which extension's priority will be used to deploy published software using document activation (i.e., double-clicking on a document). To do this:
Select {Computer | User} Configuration
The application at the top of the list is installed. This affects all users or computers that have the currently selected GPO applied to them.
Use this procedure to apply a fix (service pack or patch) to a deployed application. This works only if the fix comes as a Windows Installer package file (an .msi file). First, place the fix in the appropriate location (where the original package file was placed). To apply the fix, open the GPO that was used to deploy the application and:
Select {Computer | User} Configuration
To remove deployed software:
Select {Computer | User} Configuration
You can either choose to have the application removed immediately (i.e., when users' client computers next reboot or users next log on), or you can leave existing deployments as they are and prevent any new deployments from occurring. Either action removes the policy for the package from the Software Installation container in the GPO but doesn't delete the package itself from its distribution point. If you choose to leave existing deployments intact, users may be able to delete them manually using Add/Remove Programs in the Control Panel, depending on Group Policy settings for their domain or OU.
To deploy a newer version of software you have already deployed using Group Policy, add a new package for the upgraded version of the software (see Add a New Package for Deployment earlier in this section). Then do the following:
Select {Computer | User} Configuration
The previous version may have been selected automatically with the right uninstallation/upgrade option. At this point, if you select the option "Required upgrade for existing packages," then a mandatory upgrade will be performed, replacing the previous version with the new version when the client computers boot up next or the user logs on next. If you deselect this option, the upgrade is optional and users can choose whether to continue working with the previous version or upgrade to the new version.
Note that upgrading a deployed application to a new version is different from applying a service pack or a fix to the application. To apply a service pack or fix to a deployed application, see Redeploy Software earlier in this section.
If you are deploying software on client computers using Windows Installer technologies, Windows Installer packages are published automatically in Active Directory when you add a new package to the Software installation container in a GPO. Some packages, however (particularly those you create using .msi files), must be published manually or assigned in Active Directory, as follows:
Right-click on the OU to which the GPO for deploying the application is linked
Assigning the application results in its appearance in Add/Remove Programs in the Control Panel for users or computers in the OU where the GPO is configured to deploy the application.
RSoP queries can be run various ways to simulate the effect of Group Policy on a domain, OU, or site. For example, to run an RSoP query on a domain or OU:
Active Directory Users and Computers
This starts the RSoP Wizard that can be used to view simulated policy settings for a selected user and computer. You can either skip to the end of the wizard immediately to see the result of your policies or click Next to simulate slow WAN links or loopback processing, specify a site, simulate the groups to which the user and computer might belong, and specify WMI filters linked to the GPO. When the wizard completes, the results of the RSoP query are displayed in a new console.
Next, you can run an RSoP query on a user or computer:
Active Directory Users and Computers
Logging mode reviews the settings currently applied to a user or computer, while planning mode simulates the application of a Group Policy you are considering:
Logging mode
Planning mode
You can also run an RSoP query on a site:
Active Directory Sites and Services
RSoP in planning mode lets you simulate the effect of Group Policy without actually applying it, allowing you to see what would happen if you selected the policy you are examining. You can also run RSoP in logging mode, which displays the settings that result from applying the current Group Policy to a specified user or computer. To do this, you first create a custom MMC console containing the RSoP snap-in:
Start
Now do the following:
Right-click on Resultant Set of Policy node
You can save RSoP queries for later analysis:
RSoP query
If you want to rerun RSoP with a different user or computer, do this:
Right-click on RSoP query
Finally, try this:
Start
You can print this!
This section provides a brief overview of Group Policy management tasks performed using Version 1.0 of the GPMC, an optional add-on for WS2003 that can be downloaded from Microsoft's web site. To open the GPMC console, do one of the following:
Administrative Tools
Administrative Tools
Administrative Tools
Start
You can also add the Group Policy Management snap-in to a new or existing MMC console to create your own custom tool for managing Group Policy (see the "Microsoft Management Console" sections later in this chapter for more information).
These tasks assume you have the GPMC console open.
There are several ways to create new GPOs using the GPMC. For example, to create a GPO and link it automatically to a domain or OU, do this:
Right-click on domain or OU
To create an unlinked GPO, do this:
Select a domain
Don't forget that the new GPO must first be linked to a domain, OU, or site before it can be used.
To open a GPO in the GPOE from the GPMC, do this:
Right-click on GPO
You can also right-click on a GPO link to do this; note that GPO links have shortcut icons to distinguish them from GPOs. A dialog box appears when you click on a GPO link to remind you that actions you perform affect the GPO and all links for that GPO.
Here is a new way of displaying GPO settings in HTML format:
Select a GPO or GPO link
Note that this displays only defined GPO settings, together with other information about the GPO itself. If the new Internet Explorer Enhanced Security Configuration component is enabled, the first time you follow this procedure, a dialog box appears prompting you to add the HTML page displayed to the Trusted Sites zone. To save the HTML file for later viewing, do this:
Right-click on a GPO or GPO link
To link an existing GPO to a domain, OU, or site, do this:
Right-click on domain, OU, or site
You can also drag and drop a GPO onto a domain, OU, or site to link it. Once a GPO is linked, the link can be enabled or disabled anytime using this toggle:
Right-click on GPO link
To view which domains, OUs, or sites a GPO is linked to, do this:
Select a GPO
To modify the order in which multiple GPOs linked to a domain, OU, or site are applied, do this:
Select domain, OU, or site
The GPO with a link order of 1 has the highest precedence for that domain, OU, or site.
To scope a linked GPO (specify which users and computers will receive the settings in the GPO), do this:
Right-click on GPO
To force a GPO to apply to the entire subtree of Active Directory beneath a domain, OU, or site, do this:
Right-click on a GPO link
To undo this, repeat. A GPO link that is enforced displays with a gray padlock on its icon. This procedure of enforcing a GPO link corresponds to the No Override option in the standard Group Policy interface that the GPMC replaces when it is installed.
To prevent a domain, OU, or site from inheriting GPOs from any parent container, do this:
Right-click on domain, OU, or site
To undo this, repeat. When this is enabled, the domain, OU, or site displays a blue exclamation point on its icon.
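The precedence rules described here (link order, Enforced/No Override, Block Inheritance) and the three administrative-template states described under Configure a GPO earlier in this section can be checked against a small model before you trust a production change. The following Python script is an added example, not text or code from the original page and not part of any Microsoft tool; the container names, GPO names and setting names in it are constructed sample data, and it deliberately leaves out security filtering, WMI filters and loopback processing so that only the inheritance rules are exercised:

```python
"""Model of Group Policy precedence: site, domain and OU links, link order,
Enforced (No Override), Block Inheritance and the three administrative-template
states (Enabled / Disabled / Not configured). Added example; sample data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NOT_CONFIGURED = "Not configured"


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]          # setting name -> Enabled | Disabled | Not configured
    enabled: bool = True              # a disabled GPO contributes nothing


@dataclass
class Link:
    gpo: GPO
    order: int                        # link order within the container; 1 = highest precedence
    enforced: bool = False            # GPMC "Enforced", i.e. classic "No Override"
    enabled: bool = True              # a disabled link is skipped


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False   # drops non-enforced links from all parents


def apply_order(path: List[Container]) -> List[GPO]:
    """Return GPOs in the order they are applied (the last one applied wins).
    path lists containers from the site down to the OU holding the object."""
    normal: List[GPO] = []
    enforced_by_container: List[List[GPO]] = []
    for container in path:
        if container.block_inheritance:
            normal = []                # parents' non-enforced links are discarded
        enforced_here: List[GPO] = []
        # higher link-order numbers are applied first so that link order 1 is applied last
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not (link.enabled and link.gpo.enabled):
                continue
            (enforced_here if link.enforced else normal).append(link.gpo)
        enforced_by_container.append(enforced_here)
    # enforced links are applied after every normal link, and an enforced link on a
    # parent is applied after one on a child, so the parent's enforced settings win
    enforced = [g for group in reversed(enforced_by_container) for g in group]
    return normal + enforced


def resolve(path: List[Container]) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Resultant settings: setting name -> (state, name of the GPO that set it)."""
    order = apply_order(path)
    resultant: Dict[str, Tuple[str, str]] = {}
    for gpo in order:
        for name, state in gpo.settings.items():
            if state == NOT_CONFIGURED:
                continue               # ignored: whatever a lower-precedence GPO set survives
            resultant[name] = (state, gpo.name)
    return [g.name for g in order], resultant


def sample_path() -> List[Container]:
    """Constructed sample hierarchy: site -> domain -> OU (names are made up)."""
    site_policy = GPO("Site Policy", {"RemoveRunMenu": "Enabled"})
    default_domain = GPO("Default Domain Policy",
                         {"PasswordComplexity": "Enabled", "RemoveRunMenu": "Disabled"})
    baseline = GPO("Domain Baseline", {"ScreenSaverTimeout": "Enabled"})
    workstation = GPO("Workstation Policy",
                      {"RemoveRunMenu": "Enabled", "ScreenSaverTimeout": NOT_CONFIGURED})
    legacy = GPO("Legacy Settings", {"ScreenSaverTimeout": "Disabled"})
    return [
        Container("Default-First-Site-Name", [Link(site_policy, 1)]),
        Container("corp.example", [Link(default_domain, 1, enforced=True), Link(baseline, 2)]),
        Container("OU=Workstations", [Link(workstation, 1), Link(legacy, 2)],
                  block_inheritance=True),
    ]


if __name__ == "__main__":
    order, result = resolve(sample_path())
    print("applied in order:", " -> ".join(order))
    for name, (state, source) in sorted(result.items()):
        print(f"{name:20} {state:10} (from {source})")
```

In the sample, the Workstations OU blocks inheritance, so the site GPO and the non-enforced Domain Baseline never apply, but the enforced Default Domain Policy still gets through and overrides the OU's own RemoveRunMenu setting, which is exactly the behaviour a Group Policy Modeling (RSoP planning mode) query should report for an object in that OU. Comparing the model's output with the wizard's output is a cheap way to catch a link that was enforced or a container that was blocked by mistake.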
By default, the ability to create GPOs is a right of the Group Policy Creator Owners (GPCO) group, but an administrator can also delegate this right to any other user or group by adding the user or group to the GPCO group. Another way of granting this right is by:
Select Group Policy Objects
To delegate limited ability to manage specific aspects of GPOs, do this:
Select a GPO
Possible permissions are:
Read
Edit Settings
Edit Settings, Delete, Modify Security
You can also assign custom permissions by clicking the Advanced button, which corresponds to the Security tab on the standard Group Policy interface.
To delegate the ability to manage certain aspects of GPOs and GPO links using the GPMC, do this:
Select a domain, OU, or site
This procedure can assign only one permission at a time, but you can repeat it to assign multiple permissions to the same user or group.
You can disable all or part (user or computer configuration) of a GPO by:
Right-click on a GPO
You can also do this by:
Select a GPO
Right-click on GPO
By default, the GPMC displays only the forest to which the user account running the console belongs. To use this tool to manage another forest with which a two-way, cross-forest trust has already been established, do the following:
Right-click on root node
You can also remove a forest from the GPMC by right-clicking on the forest node and selecting Remove.
New to the GPMC is the ability to back up (or export) a GPO to a file:
Right-click on a GPO
To view the defined settings of a backed-up GPO, do this:
Right-click on Group Policy Objects
You can also back up GPOs from the command line using the BackupGPO.wsf and BackupAllGPOs.wsf scripts installed with the GPMC.
Restoring a backed-up GPO resets the GPO to the state it had when it was backed up:
Right-click on Group Policy Objects
You can also do this by:
Right-click on the GPO
You can also restore GPOs from the command line using the RestoreGPO.wsf and RestoreAllGPOs.wsf scripts installed with the GPMC.
You can import a GPO that was previously exported (backed up) to transfer GPO settings from a backed-up GPO to a different existing GPO. This operation can be performed within a domain, between domains, or between forests. To do this:
Right-click on a GPO
You can also import GPOs from the command line using the ImportGPO.wsf and ImportAllGPOs.wsf scripts installed with the GPMC.
Copying a GPO is like backing it up or exporting it, except that the GPO is not saved as a file but instead is used to create a new (identical) GPO:
Right-click on a GPO
If you copy a GPO to the same container in which it resides, its resulting name will begin with "Copy of." You can also copy GPOs between forests that have two-way trusts established between them. You can also copy GPOs from the command line using the CopyGPO.wsf script installed with the GPMC.
New to the GPMC is the ability to search a forest for a GPO:
Right-click on a forest
Group Policy Modeling corresponds to RSoP planning mode and allows you to simulate how Group Policy will be applied to a user or computer before you actually try applying it. Group Policy Modeling uses a wizard as follows:
Right-click on Group Policy Modeling
The advanced options include:
Slow WAN link simulation
Loopback processing (replace or merge)
Select a site
Modify alternate Active Directory paths for user and/or computer containers
Modify user's and computer's security group membership
Specify WMI filters for users and computers
The result of running the wizard is a saved query in the Group Policy Modeling container. By right-clicking on this query, you can:
Display the applied GPO settings in detail in RSoP console
Rerun the query
Create a new query based on the original one
Save the results displayed in the details pane as an HTML report
Group Policy results correspond to RSoP logging mode and let you obtain the actual resultant Group Policy settings that have been applied to a user or computer (unlike Group Policy Modeling, which is only a simulation). You obtain Group Policy results using a wizard:
Right-click on Group Policy Results
The results node is placed in the Group Policy Results container, and by right-clicking on it, you can:
Display the applied GPO settings in detail in the RSoP console
Rerun the query
Save the results displayed in the details pane as an HTML report