Skip to main content

Implementing and Managing Group Policy Objects (GPOs)


On Overview on Group Policy Object (GPO) Implementation and the Group Policy Object Editor

Group Policy settings are stored in a Group Policy Object (GPO). The types of Group Policy settings which can be stored in a GPO are listed below:
  • Computer configuration settings are located in the Computer Configuration node.
  • User configuration settings are located in the User Configuration node.
A Windows 2000 and Windows Server 2003 computer has a local GPO. A local GPO exists only on that particular computer, and therefore only affects the computer on which it is located.
Nonlocal GPOs, also known as Active Directory based GPOs, are created in Active Directory and stored on domain controllers. This means that Group Policy settings in Active Directory are symbolized by Group Policy objects (GPOs). Nonlocal GPOs are used to manage and control the configuration settings of users and computers in Active Directory. Before you can create any nonlocal GPOs, you must have Windows 2000 or Windows Server 2003 domain controllers installed and running within your environment. For a nonlocal GPO to be applied to a user object or computer object in Active Directory, the GPO has to be linked to a site, domain, or organizational unit (OU) to which the user or computer belongs.implementing and managing group policy objects gpos Implementing and Managing Group Policy Objects (GPOs)
The tool which is used to select the Group Policy settings located in a GPO, and to organize and manage these policies, is the Group Policy Object Editor. The manner in which you need to access the Group Policy Object Editor is based on the location at which the particular GPO has to be linked and applied. This concept is illustrated below:
  • To link a GPO to the local computer, you have to open the locally stored GPO using a MMC. To open the MMC for the local computer, use the steps below: 
    1. Open the Microsoft Management Console. To do this, click Start, Run, and enter mmc in the Run dialog box. Click OK.
    2. In the File menu, click Add/Remove Snap-In.
    3. When the Add/Remove Snap-In dialog box opens, click Add in the Standalone tab.
    4. When the Add Standalone Snap-In dialog box opens, click Group Policy Object Editor. Click Add.
    5. Verify that Local Computer is displayed under Group Policy Object, on the Select Group Policy Object dialog box.
    6. Click Finish.
    7. On the Add Standalone Snap-In dialog box, click Close.
    8. On the Add/Remove Snap-In dialog box, click OK.
    9. You can now access the local GPO using the MMC.
  • To link a GPO to a different local computer, open the local GPO on the computer running Windows 2000 or Windows Server 2003 using a MMC, and locate the other computer.
  • To link a GPO to a site, you have to open the Group Policy Object Editor from the Active Directory Sites And Services console. To open the Group Policy Object Editor by using the Active Directory Sites And Services console, use the steps below: 
    1. Click Start, Administrative Tools, and click Active Directory Sites And Services.
    2. In the console tree, locate and right-click the site to which you want to link a GPO, and click Properties on the shortcut menu.
    3. When the Properties dialog box for the site opens, click the Group Policy tab.
    4. In the Group Policy Object Links list, click New and then click Edit to create a new GPO, or choose an existing GPO in the Group Policy Object Links list, and then click Edit.
    5. The Group Policy Object Editor opens for the site GPO.
  • To link a GPO to a domain, you have to open the Group Policy Object Editor from the Active Directory Users And Computers console. To open the Group Policy Object Editor using the Active Directory Users And Computers console, follow the steps below: 
    1. Click Start, Administrative Tools, and click Active Directory Users And Computer.
    2. In the console tree, locate and right-click the domain (or OU) to which you want to link a GPO, and click Properties on the shortcut menu.
    3. When the Properties dialog box for the domain opens, click the Group Policy tab.
    4. In the Group Policy Object Links list, click New and then click Edit to create a new GPO, or choose an existing GPO in the Group Policy Object Links list, and then click Edit.
    5. The Group Policy Object Editor opens for the domain GPO.
  • To link a GPO to an organization unit (OU), you have to open the Group Policy Object Editor from the Active Directory Users And Computers console.
The remainder of this Article focuses on the implementing and managing GPOs. The main management tool used for this is the Group Policy Object Editor.

How to create a GPO

Creating a GPO is the initial step in ultimately applying Group Policy settings to user objects, and computer objects in Active Directory. When you create a new GPO, it is by default linked to the site, domain, or OU which was selected, when the GPO was created. The Group Policy settings stored in the GPO are applied to that particular site, domain or OU. You can though, at a later stage, link the GPO to other sites, domains, or OUs.
To create a GPO,
  1. You need to open the Active Directory Sites And Services console if you want to create a GPO for a site. To open the console, click Start, Administrative Tools, and click Active Directory Sites And Services. You have to use the Active Directory Users And Computers console if you want to create a GPO for a domain or OU. To open the console, click Start, Administrative Tools, and click Active Directory Users And Computers.
  2. In the console which you opened, locate and right-click the site, domain or OU that you want to create a GPO for, and then click Properties on the shortcut menu.
  3. When the Properties dialog box for the site, domain or OU opens, click the Group Policy tab.
  4. Click New.
  5. Provide a name for the GPO.
  6. Click Close.
  7. The new GPO is linked to the site, domain, or OU which you chose in the MMC, by default. The Group Policy settings contained in the GPO are applied for objects in that particular site, domain, or OU.

How to create a MMC (Group Policy Object Editor) for a newly created GPO

It is recommended to create a MMC for a GPO so that you can open it from the Administrative Tools menu whenever you need to access the GPO.
  1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
  2. In the File menu, click Add/Remove Snap-In.
  3. When the Add/Remove Snap-In dialog box opens, click Add in the Standalone tab.
  4. When the Add Standalone Snap-In dialog box opens, click Group Policy Object Editor. Click Add.
  5. In the Select Group Policy Object dialog box, click the Browse button to find the GPO which you want to create a MMC for.
  6. When the Browse For A Group Policy Object dialog box opens, select the All tab. Select the GPO, and Click OK
  7. On the Add Standalone Snap-In dialog box, click Close.
  8. On the Add/Remove Snap-In dialog box, click OK.
  9. To save the MMC so that it is displayed under the Administrative Tools menu, click Save As on the File menu.
  10. Provide a name for the GPO MMC in File Name text box, and select Save.

How to configure Group Policy settings for a GPO

After you have created a MMC (Group Policy Object Editor) for a new GPO, you can access it to configure Group Policy settings for the GPO.
  1. Open the Group Policy Object Editor for the GPO on the Administrative Tools menu.
  2. Proceed to expand the node which contains the Group Policy setting which you want to configure.
  3. Right-click the Group Policy setting which you want to configure, and click Properties on the shortcut menu.
  4. When the Properties dialog box for the Group Policy setting opens, the options available on the Settings tab are listed below. 
    • Not Configured, no changes are made to the Registry for the Group Policy setting.
    • Enabled, activates the processing of the Group Policy setting.
    • Disabled, the Registry reflects that the Group Policy setting is not applicable for users and computers.
  5. Click the Enabled option to have this particular Group Policy setting applied to users and computers that are within the scope of the GPO.
  6. Click OK.

How to disable Group Policy settings which are not being used in a GPO

You can speed up computer startup time and user logon time by disabling Group Policy settings in the GPO that are not being used. For instance, if the User Configuration node for the GPO only contains Group Policy settings that are set to Not Configured, it is recommended to disable the actual User Configuration node. This in turn prevents the unnecessary processing of these Group Policy settings.
  1. Open the Group Policy Object Editor for the particular GPO.
  2. Right-click the root node and click Properties on the shortcut menu.
  3. When the Properties dialog box for the GPO opens, you can do one of the following: 
    • Click the Disable User Configuration Settings checkbox, to disable the processing of user configuration settings.
    • Click the Disable Computer Configuration Settings checkbox, to disable the processing of computer configuration settings.
  4. Click OK.

How to change the default processing order of GPOs

The default processing order in which Group Policy settings stored in GPOs are applied to a user object or computer object is listed below:
  1. Local GPO.
  2. Site GPO.
  3. Domain GPO.
  4. OU GPO.
When multiple site GPOs, domain GPOs and OU GPOs exist, the order in which they are processed can be specified. You can change the processing order of GPOs for a site, domain, or OU by using the steps listed below:
  1. To change the processing order of GPOs for a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To change the processing order of GPOs for a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU whose GPO processing order you want to change, and click Properties on the shortcut menu.
  3. When the Properties dialog box for the site, domain, or OU opens, click the Group Policy tab.
  4. Click the GPO in the Group Policy Object Links list, and use the Up button or the Down button to change the processing order of the GPO.
  5. The GPO located at the top of the list has the highest priority. GPO processing of the GPOs in the list starts at the bottom of the list, and moves up the list.

How to configure the No Override option

The No Override option allows you to set that for a particular GPO, no other GPOs are able to override its Group Policy settings.
  1. To configure the No Override option for a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To configure the No Override option for a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU to which the GPO is linked, for which you want to configure the No Override option, and click Properties on the shortcut menu.
  3. Click the Group Policy tab.
  4. Choose the GPO, and click Options.
  5. When the Options dialog box for the GPO opens, click the No Override checkbox.
  6. Click OK.

How to configure the Block Policy Inheritance option

The Block Policy Inheritance option makes it possible you to override Group Policy setting inheritance for a specific OU. When enabled, the Block Policy Inheritance option enables you to stop the specific OU from receiving Group Policy settings from OUs located higher up in the tree.
  1. To configure the Block Policy Inheritance option for a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To configure the Block Policy Inheritance option for a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU for which you want to configure the Block Policy Inheritance option, and click Properties on the shortcut menu.
  3. Click the Group Policy tab.
  4. Click the Block Policy Inheritance checkbox
  5. Click OK.
  6. The site, domain, or OU which you chose will not obtain Group Policy settings from sites, domains, or OUs higher in the tree. However, if a GPO has the No Override option enabled, the GPO will not be blocked.

How to filter the scope of a GPO

For the Group Policy settings stored in a GPO to apply to users, the users must have the Read (Allow) permission and Apply Group Policy (Allow) permission for the GPO. Users, who are members of the Authenticated Users group, have these permissions by default. Therefore, all these users are included in the scope of GPOs linked to the sites, domains, or OUs to which they belong. Because of this, it might be necessary to filter the scope of the GPO so that it applies only to the appropriate security groups. The ways you can do this it by:
  • For the Authenticated Users group, uncheck the Apply Group Policy – Allow permission. Next, for each security group to which the particular GPO should apply, configure the Read (Allow) permission and Apply Group Policy (Allow) permission.
  • For each security group to which the particular GPO should not apply, configure the Apply Group Policy (Deny) permission.
You can use the method outlined below to filter the scope of a GPO:
  1. Open the Group Policy Object Editor for the particular GPO.
  2. Right-click the root node and click Properties on the shortcut menu.
  3. When the Properties dialog box for the GPO opens, click the Security tab.
  4. In Group Or User Names, select the security group.
  5. Set the appropriate permissions.

How to configure the Loopback setting

  1. Open the Group Policy Object Editor for the particular GPO.
  2. Proceed to expand Computer Configuration, Administrative Templates, System, and then expand Group Policy.
  3. Double-click User Group Policy Loopback Processing Mode in the Setting pane.
  4. When the User Group Policy Loopback Processing Mode Properties dialog box opens, select Enabled.
  5. Select either Replace mode, or Merge mode.
  6. Click OK.

How to link an existing GPO to other sites, domains, or OUs

  1. To link an existing GPO to a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To link an existing GPO to a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU that the GPO should be linked to, and select Properties on the shortcut menu.
  3. When the Properties dialog box for the site, domain, or OU opens, click the Group Policy tab.
  4. Click Add.
  5. When the Add A Group Policy Object Link dialog box opens, click the All tab.
  6. Select the GPO that should be linked to the particular site, domain, or OU.
  7. Click OK.

How to delegate administrative control of a GPO

Before looking at the manner in which to configure delegation of control of a GPO, lets first look at the default GPOs permissions assigned to the ifferent security groups. This information is useful when you need to determine to which user(s) you want to delegate administrative control to, and the permissions which the user would need.
  • Enterprise Administrators group: Read, Write, Special Permissions, Create All Child Objects, and Delete All Child Objects.
  • Domain Administrators group: Read, Write, Special Permissions, Create All Child Objects, and Delete All Child Objects.
  • System group: Read, Write, Special Permissions, Create All Child Objects, and Delete All Child Objects.
  • Enterprise Domain Controllers group: Read, and Special Permissions.
  • Authenticated Users group: Read, Special Permissions, Apply Group Policy.
  • Group Policy Creator Owner group: Special Permissions.
From this, it is clear that only members of the following groups can by default create new GPOs:
  • Enterprise Administrators, Domain Administrators, System, and Group Policy Creator Owner.
However, by delegating administrative control of a GPO, you can specify that a user or group of users be allowed to perform the following GPO administrative tasks:
  • Create GPOs.
  • Link GPOs.
  • Edit GPOs.
Use the steps below to delegate administrative control of creating GPOs:
  1. Click Start, Administrative Tools, and click Active Directory Users And Computers.
  2. In the console tree, proceed to click Users.
  3. In the details pane, double-click Group Policy Creator Owners.
  4. When the Group Policy Creator Owners dialog box opens, click the Members tab.
  5. Click Add.
  6. In the Enter The Object Names To Select box, specify the name of the user(s) or group that should be allowed to create GPOs. Click OK.
  7. Click OK on the Group Policy Creator Owners dialog box.
Use the steps below to delegate administrative control of linking GPOs:
  1. Click Start, Administrative Tools, and click Active Directory Users And Computers.
  2. In the console tree, proceed to right-click the OU for which you want to delegate authority for a user to link GPOs, and click Delegate Control.
  3. The Delegation Of Control Wizard launches.
  4. Click Next on the Welcome To The Delegation Of Control Wizard page.
  5. Click Add on the Users Or Groups page.
  6. Enter the name of user or group that should be able to link GPOs for the OU in the Enter The Object Names To Select box on the Select Users, Computers, Or Groups dialog box. Click OK. Click Next.
  7. When the Tasks To Delegate page appears, click Delegate The Following Common Tasks.
  8. Enable the Manage Group Policy Links checkbox. Click Next.
  9. Click Finish on the Completing The Delegation Of Control Wizard page.
Use the steps below to delegate administrative control of editing GPOs:
  1. Open the Group Policy Object Editor for the particular GPO.
  2. Right-click the root node and click Properties on the shortcut menu.
  3. When the Properties dialog box for the GPO opens, click the Security tab.
  4. In Group Or User Names, select the security group which should be allowed to edit GPOs.
  5. Set the Read permission to Allow, and set the Write permission to Allow.
  6. Click OK.

How to refresh a GPO immediately

While GPO changes are immediate, they are not immediately propagated to client computers. Propagation takes place when the following events occur:
  • At computer startup.
  • At user logon.
  • When an application or a user requests a refresh.
  • When the Group Policy refresh interval is enabled and has since passed.
Use the steps below to set a Group Policy refresh interval.
  1. Open the Group Policy Object Edtor for the GPO.
  2. Expand Computer Configuration, Administrative Templates, System, and then expand Group Policy.
  3. Double-click Group Policy Refresh Interval For Users in the details pane.
  4. Select the Enabled option.
  5. Set the appropriate refresh interval.
  6. Click OK.
When Group Policy settings in a GPO are changed, they are refreshed at five minute intervals on domain controllers, and at 90 minute intervals on servers and workstation, by default. Windows Server 2003 provides the Gpupdate command-line utility which can be used to immediately refresh a GPO.
Use the steps below to refresh a GPO immediately.
  1. Click Start, Run, and enter gpupdate in the Run dialog box. Click OK.
  2. A message is displayed stating that policy is being refreshed.

How to remove a GPO link

When you remove a GPO link from a site, domain, or OU; only that particular GPO link is removed. The associated GPO is not deleted. This means that the GPO is still stored in Active Directory.
Use the steps below to remove a GPO link from a site, domain, or OU, and not delete the GPO from Active Directory.
  1. To remove an existing GPO link from a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To remove an existing GPO link from a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU that you want to remove a GPO link from, and select Properties on the shortcut menu.
  3. When the Properties dialog box for the site, domain, or OU opens, click the Group Policy tab.
  4. Click the GPO that should be unlinked from the site, domain, or OU, and then click Delete.
  5. When the Delete dialog box opens, click Remove The Link From The List.
  6. Click OK.

How to permanently delete a GPO

When you delete a GPO, that particular GPO is permanently removed from Active Directory.
  1. To delete a GPO from a site, click Start, Administrative Tool, and click Active Directory Sites And Services. To delete a GPO from a domain or OU, click Start, Administrative Tool, and click Active Directory Users And Computers.
  2. Right-click the particular site, domain, or OU that you want to delete the GPO from, and select Properties on the shortcut menu.
  3. When the Properties dialog box for the site, domain, or OU opens, click the Group Policy tab.
  4. Click the GPO that should be deleted from the site, domain, or OU, and then click Delete.
  5. When the Delete dialog box opens, click Remove The Link And Delete The Group Policy Object Permanently.
  6. Click OK.

Best Practices for Implementing GPOs

A few best practices to consider when implementing GPOs are listed below:
  • To keep GPO administration simple, use unique names for each GPO.
  • You should not link a GPO to the same OU multiple times, link it only once.
  • While it is possible to link an OU to a GPO that is located in a different domain, you should steer clear of this situation. The processing of GPOs is delayed if Group Policy has to be acquired from a different domain.
  • Disable the Computer Configuration node or the User Configuration node when it only contains Group Policy settings set to the Not Configured option. This tends to speed up computer startup and user logon processing times.
  • Steer clear of conflicting policies. While a lower OU GPO can override an OU GPO higher in the tree, to keep things simple, try to steer clear of configuring conflicting policies.
  • You should also avoid setting the No Override option, and the Block Policy Inheritance option as far as possible. Having these settings enabled can complicate matters when you need to troubleshoot Group Policy.
  • You should only use the loopback processing option if he desktop configuration has to remain constant, irrespective of the user logging on. Enabling the loopback processing option can also cause confusion when you need to troubleshoot Group Policy settings problems.
  • You should also utilize WMI filters only when necessary. Having numerous WMI filters, increases user logon processing time.
  • You should filter the scope of a GPO according to security group membership. This prevents other users, who do not need the GPO applied, from experiencing a logon delay.

Popular posts from this blog

HOW TO EDIT THE BCD REGISTRY FILE

The BCD registry file controls which operating system installation starts and how long the boot manager waits before starting Windows. Basically, it’s like the Boot.ini file in earlier versions of Windows. If you need to edit it, the easiest way is to use the Startup And Recovery tool from within Vista. Just follow these steps: 1. Click Start. Right-click Computer, and then click Properties. 2. Click Advanced System Settings. 3. On the Advanced tab, under Startup and Recovery, click Settings. 4. Click the Default Operating System list, and edit other startup settings. Then, click OK. Same as Windows XP, right? But you’re probably not here because you couldn’t find that dialog box. You’re probably here because Windows Vista won’t start. In that case, you shouldn’t even worry about editing the BCD. Just run Startup Repair, and let the tool do what it’s supposed to. If you’re an advanced user, like an IT guy, you might want to edit the BCD file yourself. You can do this

DNS Scavenging.

                        DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.  Despite many clever methods of ensuring that clients and DHCP servers that perform dynamic updates clean up after themselves sometimes DNS can get messy.  Remember that old test server that you built two years ago that caught fire before it could be used?  Probably not.  DNS still remembers it though.  There are two big issues with DNS scavenging that seem to come up a lot: "I'm hitting this 'scavenge now' button like a snare drum and nothing is happening.  Why?" or "I woke up this morning, my DNS zones are nearly empty and Active Directory is sitting in a corner rocking back and forth crying.  What happened?" This post should help us figure out when the first issue will happen and completely avoid the second.  We'll go through how scavenging is setup then I'll give you my best practices.  Scavenging s

AD LDS – Syncronizing AD LDS with Active Directory

First, we will install the AD LDS Instance: 1. Create and AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard. The Setup Wizard appears. 2. Click Next . The Setup Options dialog box appears. For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future. 3. Select A unique instance . 4. Click Next and the Instance Name dialog box appears. The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in. 5. Enter a unique instance name, for example IDG. 6. Click Next to display the Ports configuration dialog box. 7. Leave ports at their default values unless you have conflicts with the default values. 8. Click N