
Windows Server 2008 R2 : Administer Group Policy (part 1) - Use the Group Policy Management Console

8/13/2011 4:31:04 PM
Now that you have seen how group policies are processed, it is time to take a look at how to work with Group Policy. Managing Group Policy is straightforward after you have deployed your AD environment. To work with Group Policy, you will use primarily two tools: the Group Policy Management Console (GPMC) and the Group Policy Management Editor (GPME). In this section, you will get to take a look at both tools and see how to use them.

1. Use the Group Policy Management Console

The Group Policy Management Console is the main tool where you manage the deployment of Group Policy. This includes creating and linking your GPOs to the appropriate site, domain, or organizational unit. You also can manage security filtering, WMI filtering, administration delegation of Group Policy, and various other tasks with the GPMC. You can also use it to open the GPME to edit the settings for your GPOs (you will learn about the GPME in the next section), and to view the settings for your various Group Policy objects. You can find the GPMC in the administrative tools on your Windows Server 2008 R2 server. Select Start => Administrative Tools => Group Policy Management to load the GPMC; your screen will resemble Figure 1.

Figure 1. Group Policy Management Console

When you first open the GPMC, expand the management tree; you will see two GPOs that are configured by default: the Default Domain Policy and the Default Domain Controllers Policy. These two policies contain the default security policies for the domains. To view the settings of the default policies, follow these steps:

  1. Open GPMC.

  2. Click the + sign to expand the Forest container.

  3. Click the + sign to expand the Domains container.

  4. Click the + sign to expand the appropriate domain to view the Default Domain Policy. If you want to view the Default Domain Controllers Policy, continue in the domain you expanded, and expand the Domain Controllers container by clicking the + sign.

  5. Click either Default Domain Policy or Default Domain Controllers Policy, depending on which you want to view.

  6. In the details pane to the right, click the Settings tab, and you will see a screen similar to Figure 2, which shows the Default Domain Policy.

Figure 2. Default Domain Policy

The Default Domain Policy sets the basis for security in your domain. Specifically, the Default Domain Policy sets the default domain password policy, Kerberos, and public key policies. These provide protection for your users' passwords, and the Kerberos and public key policies help provide secure authentication mechanisms for your domain.

The Default Domain Controllers Policy sets the local security rights for the domain controllers. The rights govern the administrative access to the domain controllers in your domain. These rights help harden the server and keep it secure for the right people in your organization.

You should seriously consider any changes to the Default Domain Policy before you make them. Whether the change is an addition or a deletion, you should consider making separate policies for your preferences. The default policies are designed to provide you with a solid, secure network, and you should never really change them.


1.1. Work with Group Policies

Creating, linking, and setting security for group policies starts with knowing what scope you want to apply the policy to. You also need to know which users in that scope the policy should apply to.

  1. Select the scope where you want to create your GPO.

  2. Right-click the scope, and you will see a screen similar to Figure 3.

  3. Select Create A GPO In This Domain And Link It Here.

  4. Enter the name of the GPO, and select a starter GPO, if any exists. Click OK to finish creating your GPO.

Figure 3. Creating a GPO

You can also create a GPO without having the policy linked directly to a scope initially, and you can create a policy via the GPO container. After you create the GPO, you can easily link the GPO to a scope by simply dragging and dropping the GPO on the scope you want the policy to apply to.

  1. Click the Group Policy Objects container.

  2. Right-click the container, and select New.

  3. Enter the name of the GPO, and select a starter GPO, if any exists. Click OK to finish creating your GPO.

1.2. Work with Starter GPOs

Starter GPOs allow you to create a template for quickly creating new GPOs, with a predefined list of settings. They can save you a lot of time because part of the challenge of working with GPOs is the number of settings you can modify. There are literally thousands of settings you can manipulate with Group Policy. Learning which settings work best in your environment is key to using Group Policy effectively. By using starter GPOs, you can reuse a list of frequent settings when you create new GPOs, which will save you time. It is important to note that starter GPOs contain settings only from the Administrative Templates section of Group Policy. You edit the settings in the GPOs just like any other GPO.

To create a starter GPO, click Starter GPOs in the GPMC tree. If this is the first time you have clicked Starter GPOs, you will see a screen similar to Figure 4.

Figure 4. Creating a starter GPO

You need to create a folder to store the starter GPOs, so click the Create Starter GPOs Folder button to create the folder. Once you create the folder, you will see a few starter GPOs provided by Microsoft by default. There are two acronyms you'll see with all the built-in starter GPOs, and these provide the key to what type of settings are in the policies. EC stands for "enterprise client" and provides basic security and power settings, among others, for your infrastructure. SSLF stands for "specialized security limited functionality," which provides robust security-enabled clients. Note that this starter GPO may cause compatibility issues with applications. To view the settings for any of these starter GPOs, select one, and click the Settings tab.

1.3. Work with Group Policy Object Links

After you create the GPO, you will see the link of the object associated with your container. Take note that this is the link for the GPO, not the GPO itself. This is an important distinction to make, because there are different administrative tasks that you can perform for either the GPO link or the GPO itself. To see a list of all the GPOs in your domain, click the Group Policy Objects container located in your management tree.

Working with GPO links provides you with the ability to set the enforced setting, as mentioned earlier. You can also enable or disable the link on the scope. You also control all the filtering of the GPO by working with the link. To see the tasks you can perform on a link, either right-click the link and select the appropriate option (link enabled or enforced), or select the link and open the Action menu, where you will see the same options.

Working with the GPOs provides you with the ability to back up and recover them. You can also import settings from previously backed up items. To access these tasks, as with GPO links, you can simply right-click the object and you will see the various actions you can perform (backup, import and so on), or you can highlight the object and then click the Action menu. Remember, you can link GPOs to more than one scope of management. While viewing the objects, you can also link the GPO to other sites, domains, or OUs. To link a GPO to a scope, you can either drag and drop the object on the scope you want to target or right-click the scope and select Link An Existing GPO. When you edit the GPO, you are modifying the object, and all the changes you make will apply to all the scopes linked to the GPO.

There are a few common tasks that you can perform on both the links and the GPOs. You can access the Group Policy Management Editor by selecting Edit, and you can save all the settings into an HTML file by selecting the Save Report Action item, as shown in Figure 5.

Figure 5. Settings report

GPO Status

One of the special tasks you can perform on the GPOs is to control which sections of the GPO are applied. When you right-click the GPO (or select the GPO and click the Action menu), one of the items you can select is GPO Status, as shown here.



The GPO has four status options:

Enabled: Both user and computer settings are enabled.

User Configuration Settings Disabled: User settings are disabled, and computer settings are enabled.

Computer Configuration Settings Disabled: User settings are enabled, and computer settings are disabled.

All Settings Disabled: Both user and computer settings are disabled.

The purpose of these settings is for GPO processing efficiency. When you create a GPO, you can have both user and computer settings in the GPO. However, you may create a GPO without one of the two settings; if you do this, it is recommended that you disable the portion that has no settings. This will improve how the targeted systems process group policies.
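The same status review can be scripted with the GroupPolicy PowerShell module that ships with the GPMC. The following is an added example, not code from the original article. It assumes that a version number of 0 on the user or computer half means that half holds no settings (a heuristic: a half that was edited and later emptied keeps a nonzero version), and the function name `Get-GpoStatusFinding` is made up for this illustration.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Requires the GroupPolicy module that is installed with the GPMC.
Import-Module GroupPolicy

function Get-GpoStatusFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $Status,       # GpoStatus value as text
        [Parameter(Mandatory = $true)] [bool] $UserEdited,      # user half version > 0
        [Parameter(Mandatory = $true)] [bool] $ComputerEdited   # computer half version > 0
    )
    switch ($Status) {
        'AllSettingsEnabled' {
            if ($ComputerEdited -and -not $UserEdited) {
                return 'User half never edited; consider User Configuration Settings Disabled'
            }
            if ($UserEdited -and -not $ComputerEdited) {
                return 'Computer half never edited; consider Computer Configuration Settings Disabled'
            }
        }
        'UserSettingsDisabled' {
            if ($UserEdited) { return 'User half was edited but is disabled; its settings are not applied' }
        }
        'ComputerSettingsDisabled' {
            if ($ComputerEdited) { return 'Computer half was edited but is disabled; its settings are not applied' }
        }
        'AllSettingsDisabled' {
            if ($UserEdited -or $ComputerEdited) { return 'GPO was edited but all settings are disabled' }
        }
    }
    return $null   # status matches the content, or the GPO is still empty
}

Get-GPO -All | ForEach-Object {
    # Assumption: DSVersion 0 means this half has never been edited.
    $finding = Get-GpoStatusFinding -Status $_.GpoStatus.ToString() `
        -UserEdited ($_.User.DSVersion -gt 0) -ComputerEdited ($_.Computer.DSVersion -gt 0)
    if ($finding) {
        New-Object PSObject -Property @{
            GPO = $_.DisplayName; Status = $_.GpoStatus; Finding = $finding
        }
    }
} | Sort-Object GPO | Format-Table GPO, Status, Finding -AutoSize -Wrap
```

The second group of findings matters for security baselines: a GPO whose populated half is disabled looks configured in the console but applies nothing from that half.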


1.4. Filter Group Policies with GPMC

When working with Group Policy links, you have additional control over the objects targeted by your GPO. Typically, when you link a GPO to an OU, for example, you want all the objects in the OU impacted by the GPO. However, there may be some scenarios where you want only some of the objects to have the group policy applied to them. In Group Policy, you have two main mechanisms for filtering GPOs: Windows Management Instrumentation (WMI) filters and security filters.

WMI filtering provides a very powerful filtering tool that allows you to leverage WMI scripting to filter which objects are targeted by your GPOs. WMI scripting leverages an industry standard for how to work with systems across network infrastructures. In a nutshell, WMI scripting allows you to find out various types of inventory information about computers, from what OS they are running to what applications are installed to what type of hardware they have, and so on. What this provides for GPOs is the ability to target systems meeting very specific criteria. For example, you could use Group Policy to install a software application and then use WMI filtering to make sure only systems having the required amount of free hard drive space to support the application have the application installed on them. To see what WMI filters are currently installed on the system, look in the WMI Filters container in the GPMC.
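Before attaching a WMI filter to a GPO, it helps to run its query against a sample machine and see whether it would match. The following added example, which is not part of the original article, does this for the free-disk-space scenario described above; the function name `Test-WmiFilterQuery`, the 1 GB threshold, and the choice of drive C: are assumptions made for the illustration.

```powershell
# Added example (not from the original article).
# A WMI filter query matches a computer when it returns at least one instance,
# so the test is simply "did the query return anything?".
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,   # WQL text of the filter
        [string] $Namespace = 'root\CIMv2',                # namespace the filter runs in
        [string] $ComputerName = '.'                       # '.' is the local computer
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query `
                    -ComputerName $ComputerName -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A syntax error or an unreachable host is reported and counted as "no match".
        Write-Warning "Query failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

# Constructed sample values: require more than 1 GB free on drive C:.
$minFreeBytes = 1GB
$query = "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > $minFreeBytes"

# Replace '.' with the names of a few representative computers to test remotely.
foreach ($computer in @('.')) {
    New-Object PSObject -Property @{
        Computer = $computer
        Query    = $query
        Matches  = (Test-WmiFilterQuery -Query $query -ComputerName $computer)
    }
}
```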

Security filtering is another great way to filter objects. To access the security filter for a GPO link, click the link you want to view, and make sure you are on the Scope tab for the GPO link. You can see the list of users and groups in the Security Filtering section. By default, the group Authenticated Users is added to the security for all GPOs. When you work with security permissions, there are two permissions required for your users to process a Group Policy object targeted on the OU:

  • Read

  • Apply Group Policy

You can use security filtering to prevent applying a GPO to security groups or users. For example, say you have an OU containing a group of people including Harold, the manager of the group, and you want the policy to apply to everyone in the OU except Harold. You could simply add Deny access to either Read or Apply Group Policy for Harold. You can see an example of this in Figure 6.

Figure 6. Denying a user a group policy

You can view the security filtering for a GPO by clicking the GPO link for the targeted scope. On the Scope tab, you will see the current security filtering for the GPO in the Security Filtering section of the details pane inside the GPMC. To modify the security filtering for a GPO, follow these steps:

  1. Click the GPO you want to apply filtering to.

  2. Click the Delegation tab.

  3. Click the Add button to open the user/group selection dialog box.

  4. Find or enter the group or user you want to work with, and click OK, which will bring up the Add Group Or User dialog box, as shown in Figure 7. This dialog box allows you to choose the base security level for the user or group you have selected.

    Figure 7. GPO base security filter

  5. Choose the appropriate level from the three choices, and click OK. Read will give the ability to read and apply the GPO, "Edit settings" grants the ability to modify the GPO settings themselves, and the last choice of "Edit settings, delete, modify security" allows basic administration over the GPO link.

  6. To further modify the security, click Advanced on the Delegation tab, which will bring up an advanced view of the security settings, as shown in Figure 8.

  7. Click the user you want to modify, and choose the appropriate security settings for the user. It is important to note that Deny permissions supersede any Allow permissions. In other words, if you have selected the user to have Allow for Read and Deny for Read, the user would have Deny permissions for that setting. In the example you saw earlier, if you did not want Keith to be able to have the GPO applied, simply select Deny for Read, and deselect Allow for Read, as shown in Figure 9. When you are finished modifying permissions, click OK.

Figure 8. GPO advanced security filtering

Figure 9. Denying Read for a GPO
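The Delegation tab shows one GPO at a time. To review delegation and security filtering across every GPO in the domain, the following added example (not part of the original article) lists each trustee's permission level and marks the entries worth a closer look: Deny entries, custom ACLs, and edit rights held by anyone outside an expected administrator list. The `$expectedEditors` list is an assumption; adjust it to your environment.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Get-GPPermissions is the Windows Server 2008 R2 cmdlet name; later releases
# call it Get-GPPermission and keep the old name as an alias.
Import-Module GroupPolicy

# Assumption: trustees that are expected to hold edit rights on GPOs.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels returned by the cmdlet, mapped to the GPMC wording.
$meaning = @{
    GpoRead                     = 'Read'
    GpoApply                    = 'Read and Apply Group Policy (security filtering)'
    GpoEdit                     = 'Edit settings'
    GpoEditDeleteModifySecurity = 'Edit settings, delete, modify security'
    GpoCustom                   = 'Custom ACL; inspect in the Advanced view'
}

Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermissions -Guid $gpo.Id -All | ForEach-Object {
        $level   = $_.Permission.ToString()
        $canEdit = $level -like 'GpoEdit*'

        # Review Deny entries, custom ACLs, and unexpected editors.
        $review = $_.Denied -or
                  ($level -eq 'GpoCustom') -or
                  ($canEdit -and ($expectedEditors -notcontains $_.Trustee.Name))

        New-Object PSObject -Property @{
            GPO     = $gpo.DisplayName
            Trustee = $_.Trustee.Name
            Type    = $_.Trustee.SidType
            Level   = $meaning[$level]
            Denied  = $_.Denied
            Review  = $review
        }
    }
} | Sort-Object GPO, Trustee |
    Format-Table GPO, Trustee, Type, Level, Denied, Review -AutoSize -Wrap
```

Entries added through the Advanced view, such as a Deny on Read or Apply Group Policy, do not map to one of the three base levels and typically surface as the custom level, which is why those rows are marked for review.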

Advanced Group Policy Management Tool

Another tool you may be able to take advantage of is the Advanced Group Policy Management (AGPM) tool. You can find this tool in the Microsoft Desktop Optimization Pack (MDOP); it's available only to volume license customers with Software Assurance as part of the licensing agreement. You can also download the evaluation version if you are an MSDN or TechNet subscriber. The tool does provide some nice benefits to working with Group Policy, including change management, auditing, reporting, and offline editing of GPOs. 