Lesson 2: Applying Group Policy
The first step in applying group policy is creating GPOs. Once you
create or link a GPO, you should verify that the appropriate
permissions are set. To apply group policy successfully, you also must
understand how GPOs are applied and the order in which they are inherited,
and be able to modify both.
Creating a GPO
The steps for creating a GPO or linking an existing GPO to an Active
Directory container are shown in Figure 6.1; these steps are explained
below.
Figure 6.1 Creating a GPO
- Open the Active Directory Users and Computers tool.
- Right-click the Active Directory container (domain or OU) for
which you want to create a GPO, and then click Properties.
- On the Group Policy tab, choose New to create a new GPO, or
choose Add to link an existing GPO.
The GPO that you create or link is displayed in the list of GPOs
that are linked to the Active Directory container.
NOTE
To create a GPO that is linked to a site, open
the Active Directory Sites And Services snap-in and follow the previous procedure. By default, the
site GPO is stored in the domain to which the creator of the GPO
belongs. You can set another domain for the storage location when you
create the site GPO. To change the storage location, click the Add
button on the Group Policy tab, click the All tab in the Add A Group
Policy Object Link dialog box, change the domain in the Look In box, and then create the GPO. You must be a
member of the Enterprise Admins group to create a site GPO.
Managing GPO Permissions
After you create or link a GPO, you should verify that the
appropriate permissions are set. The group policy settings in a GPO
affect only users or computers that have the Apply Group Policy and
Read permissions for that GPO. The default permissions are shown in Table 6.1.
Table 6.1 Default Permissions for a GPO
| Group or account | Default permissions |
| --- | --- |
| Authenticated Users | Read, Apply Group Policy |
| Creator/Owner | None |
| Domain Admins | Read, Write, Create All Child Objects, Delete All Child Objects |
| Enterprise Admins | Read, Write, Create All Child Objects, Delete All Child Objects |
| System | Read, Write, Create All Child Objects, Delete All Child Objects |
Modifying Permissions
To modify permissions for a GPO, you would do the following:
- Open the Properties dialog box for the Active Directory
container that is associated with the GPO.
- On the Group Policy tab, select a GPO link and click
Properties.
- On the Security tab of the GPO's Properties dialog box, add
or remove the Apply Group Policy permission for the desired objects by
selecting or clearing the Allow check box (see Figure 6.2).
Figure 6.2 Modifying permissions for a GPO
NOTE
When you set permissions on a GPO, select or
clear the check boxes in the Allow column, rather than using the Deny
column. Denying a permission always takes precedence over allowing a
permission, and you might have inconsistent results if you use the Deny
column.
Filtering the Scope of a GPO
You can filter the scope of a GPO by creating security groups and
then assigning the Apply Group Policy and Read permissions to selected
groups or removing the permissions from selected groups.
Delegating Control with Permissions
Members of the Domain Admins group can use permissions to identify
which groups of administrators can modify policies in GPOs. To do this,
the network administrator creates groups of administrators (for
example, the Marketing Administrators group) and then assigns Read and Write permissions to
selected GPOs for these groups. This allows the member of the Domain
Admins group to delegate control of the GPO. Administrators with Read
and Write permissions to a GPO can control all aspects of the GPO.
Managing Group Policy Inheritance
In addition to controlling the Read and Apply Group Policy
permissions of a GPO, you can manage group policy by modifying
inheritance options, disabling all or part of a GPO, and deleting a
GPO.
Modifying Inheritance Options
You can modify the inheritance of a GPO by setting No Override, by
changing the processing order of multiple GPOs, and by blocking Policy
Inheritance.
- No Override. Use this option to prevent child
containers from overriding the settings in a GPO that is linked at a higher level.
This option is useful for enforcing group policy that represents
companywide rules. The No Override option is set on a per-GPO basis.
You may set this option on one or more GPOs as required. When more than one GPO is set as No Override, the GPO
that is highest in the Active Directory hierarchy takes precedence. A GPO with the
No Override option always takes precedence over the Block Policy Inheritance
option. To set this option, on the Group Policy tab, click Options, and
then select the No Override check box.
- Changing the processing order of multiple GPOs. The
Group Policy tab lists the GPOs that are linked to the site, domain, or
OU, and these GPOs are processed in order from bottom to top as listed
on this tab. If incompatible group policy settings exist in different
GPOs in the same site, domain, or OU, the group policy setting that is
contained in the GPO that is higher in the list overrides the group
policy settings that are contained in any other GPO. To change the
order, select a GPO in the list and then use the Up button or the Down
button to move the GPO within the list.
- Block Policy Inheritance. Use this option to allow a
child container to block policy inheritance from parent containers.
This option is useful when an OU requires unique group policy settings.
The Block Policy Inheritance option applies to all GPOs from parent
containers. In the case of a conflict, the No Override option always
takes precedence over the Block Policy Inheritance option. To set this
option, on the Group Policy tab, select the Block Policy Inheritance
check box.
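The precedence rules in this list, together with the security filtering from Table 6.1 and the Disabled link option, can be checked by modelling them. The following is an added example written for this lesson, not code from the book; the container and GPO names are constructed, and it assumes the standard processing order of site, then domain, then each OU down to the target container.

```python
from dataclasses import dataclass

@dataclass
class GpoLink:
    gpo: str
    no_override: bool = False  # No Override set on this link (Options dialog)
    disabled: bool = False     # link set to Disabled (Options dialog)
    # groups holding both Read and Apply Group Policy (Table 6.1 default)
    apply_to: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Container:
    name: str
    links: list                # order shown on the Group Policy tab, top first
    block_inheritance: bool = False

def processing_order(chain, groups):
    """GPOs in processing order for a principal in `groups` (later overrides
    earlier). `chain` runs from the site at the top down to the target OU."""
    # Block Policy Inheritance drops every non-No-Override GPO linked above the
    # blocking container; the deepest blocking container decides.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        # GPOs on one tab are processed bottom to top, so walk the list reversed.
        for link in reversed(c.links):
            if link.disabled or not (groups & link.apply_to):
                continue           # disabled link, or security filtering excludes us
            if link.no_override:
                enforced.append((depth, link.gpo))
            elif depth >= blocked_above:
                normal.append(link.gpo)
    # No Override GPOs are processed after all others, with the one highest in
    # the hierarchy last so that it wins; the stable sort keeps tab order.
    enforced.sort(key=lambda t: -t[0])
    return normal + [gpo for _, gpo in enforced]

def winning_gpo(order, gpos_defining_setting):
    """The GPO whose value for a setting takes effect: the last one processed."""
    return next((g for g in reversed(order) if g in gpos_defining_setting), None)

# Constructed sample hierarchy; names are illustrative, not from the lesson.
SITE = Container("Default-First-Site", [GpoLink("Site Policy")])
DOMAIN = Container("contoso.local", [GpoLink("Domain Security", no_override=True),
                                     GpoLink("Domain Default")])
SALES = Container("OU=Sales", [GpoLink("Sales Top"), GpoLink("Sales Bottom")],
                  block_inheritance=True)
FIELD = Container("OU=Field,OU=Sales",
                  [GpoLink("Field Only", apply_to=frozenset({"Field Staff"}))])
CHAIN = [SITE, DOMAIN, SALES, FIELD]
```

For a Sales user, `processing_order(CHAIN, {"Authenticated Users", "Sales"})` yields `['Sales Bottom', 'Sales Top', 'Domain Security']`: the site and Domain Default GPOs are blocked, the Field Only GPO is filtered out, and the No Override domain GPO is still processed last and wins.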
Disabling GPOs
You can disable the user settings of a GPO, the computer settings of
a GPO, or the entire GPO.
When you create a GPO that only contains group policy settings for
users, you should disable the computer settings to speed up the
processing of the GPO. Conversely, when you create a GPO that only
contains group policy settings for computers, you should disable the
user settings. To disable the user or computer settings of a GPO, on
the Group Policy tab, click Properties; click the General tab; and then
select the Disable User Configuration Settings check box or the Disable Computer Configuration Settings check box (see Figure 6.3).
Figure 6.3 Disabling user or computer configuration settings
You can disable an entire GPO, which prevents it from being applied
to the selected container. Disabling the GPO only affects its application to
that container and any containers that inherit it. The GPO can still be
linked to other containers and continues to apply to any containers to which it is
linked, unless it is disabled in those containers as well. To disable the GPO, on the
Group Policy tab, click Options and then click Disabled (see Figure
6.4).
Deleting GPOs
You can use Delete on the Group Policy tab to delete a GPO from a
container. If the GPO is also associated with another Active Directory container,
Delete removes the link from the selected container. If the GPO is only
associated with the selected container, Delete permanently deletes the
GPO.
NOTE
Before you delete a GPO, you can verify which
containers a GPO is linked to on the Links tab of the Properties dialog
box for that GPO.
Figure 6.4 Disabling a GPO
Lesson Summary
The first step in applying group policy is creating GPOs. Use Active
Directory Users And Computers to create a GPO, or to create a GPO that
is linked to a site, use Active Directory Sites And Services. After you
create or link a GPO, you should verify that the appropriate
permissions are set. The group policy settings in a GPO affect only
users or computers that have the Apply Group Policy and Read
permissions for that GPO. In addition to controlling the Read and Apply
Group Policy permissions of a GPO, you can manage group policy by
modifying inheritance options, disabling all or part of a GPO, and
deleting a GPO.