Group policies form the backbone of your Windows Server 2003 network security. Working with group policy can be difficult. In this article, Diana Huggins walks you through the basics of how group policies work and how to get them set up.
Group policies form the basis of central administration in a Windows Server 2003 network. Using them you can exercise a large amount of control over what your users can on the network and on their own machine. This Daily Drill Down covers the nuts and bolts of group policy object (GPO) creation and application to help you start to build and assign GPO objects and apply them across the enterprise.
Creating group policy objects
As a quick review, recall that a GPO is a named collection of group policy settings that you link to specific containers in Active Directory (AD). You can link GPOs to sites, domains, or Organizational Units (OUs). Each computer also has a local GPO.
A given GPO in the AD can link to multiple objects at various levels in the AD. For example, a particular GPO might link to several domains in a site or to several OUs in a domain. Windows Server 2003 applies group policy using a hierarchical structure, applying the local GPO first, followed by the GPOs at the site, domain, and OU levels.
We'll take a look shortly at the group policy (GP) snap-in. First, however, let's create a few GPOs—one at the site level, one at the domain level, and another at an OU level. If you don't have an OU in the domain in which you're going to create your test GPOs, create one now. For this example, assume that you have an OU named Support in your domain.
To create the domain OU, open the Active Directory Users And Computers console. Right-click the domain in the left pane and choose Properties. Click the Group Policy tab. You should see one existing policy, the Default Domain Policy, as shown in Figure A. We'll leave that one alone and create a test GPO. Click New to create the GPO, type the name Test Domain Policy, and press [Enter]. Click Close.
|The Default Domain Policy is created automatically.|
Next, create a test OU GPO in the Support OU. Still in the AD Users And Groups console, right-click the Support OU and choose Properties, then click the Group Policy tab. Click New, type Test Support GPO, press [Enter], and click Close.
Finally, let's create a GPO at the site level. Open the Active Directory Sites And Services console. Right-click the site in the left pane and choose Properties. Click the Group Policy tab, click New, type Test Site Policy, press [Enter], and click Close.
Now you have three GPOs created and linked to three objects: a site, a domain, and an OU. You could bounce back and forth between the AD Users And Groups console and the AD Sites And Services console to manage them, but why not save yourself a little work and combine them all into a single console? Read on.
Viewing, modifying, and managing GPOs
You modify GPOs through the Group Policy editor, an MMC snap-in. You can open the Group Policy snap-in directly through the MMC or access it through the properties for the AD container to which you want to link the GPO or whose existing GPO you want to modify. For example, open the Active Directory Sites And Services console, right-click a site, choose Properties, and click the Group Policy tab. You'll see all the existing GPOs linked to that site. Or, open the Active Directory Users And Computers console, right-click a domain, choose Properties, and click the Group Policy tab to work with the GPOs linked to the selected domain. Select a GPO and click Edit, and the Group Policy editor opens focused on the selected GPO, as you can see in Figure B.
|The Group Policy Editor is focused on the Test Support GPO.|
If you open the GP console from the properties for an object, such as a domain or OU, the console is automatically focused on that object. You can configure the console to allow the focus to be changed when the console is opened from the command prompt, but it's easiest to simply add a GP snap-in for each GPO you want to manage. For example, assume you need to manage a GPO that is linked to a domain, one site GPO, and two OU GPOs. The easiest way to get to all of those is to combine all of them into a single, custom MMC.
To create the custom MMC, select Run from the Start menu. In the Run dialog box, type MMC and click OK. When the MMC starts, select Add/Remove Snap-In from the File menu and click Add. Select Group Policy and click Add. In the Select Group Policy Object dialog box, click Browse and choose the level at which you want to select the GPO or click the All tab to view all GPOs. Select the GPO you want to add to the console and click OK. Click Finish. Finally, close the Add/Remove Snap-In dialog box and save the console.
For the purpose of this Daily Drill Down, we'll create three test policies. Use the previous steps to add the Test Site Policy, Test Domain Policy, and Test Support GPO to your console. Figure C shows the console with the three snap-ins added for each of the test GPOs.
|Use a custom console to integrate several GPOs in one console.|
Modifying a GPO
Simply creating a GPO doesn't modify any policy settings. If you don't modify any settings, the GPO won't have any effect. So now it's time to set some policies in each of the test GPOs you just created. As mentioned before, you can get to the GPO through the properties for the object where the GPO is linked. Just right-click the object, choose Properties, click the Group Policy tab, select the GPO, and click Edit. In this example, however, we'll use the custom console instead.
Open the branch containing the policy you want to edit. In this example, we'll focus on the Test Support GPO. Expand the Test Support GPO branch, and you should see two items under it: Computer Configuration and User Configuration, each of which has several branches of its own.
Knowing where all the policy settings are is a pretty tall order at first. Actually defining the policies is pretty easy. Just expand the branch where the policy is located, double-click the policy, and select Define This Policy Setting. The GP console enables the associated policy setting, which varies from one to another. In some cases, you simply select either Enabled or Disabled. Other policy settings require other data that varies according to the policy's function.
For example, you can configure policies that define how services start, setting a particular service to Manual, Automatic, or Disabled. Or, you can define policies that determine the startup, shutdown, logon, and logoff scripts that apply within the selected GPO.
Another example of policies that require much more than a simple Enable/Disable toggle is the IP Security (IPSec) policies. You can define IPSec policies to force implementation of desired IPSec filters. Another good example is the User Configuration/Software Settings/Software Installation node, which enables you to define application installation packages for the Windows Installer that install automatically or are available for installation by users who fall under the influence of the selected GPO.
Explaining every branch in the GP editor, much less each policy setting, is well outside the scope of this Daily Drill Down and would take a book in itself to present adequately. For now, just understand that the GP editor lets you define group policies and that you can access the GP console through the properties for the container where a given GPO is linked or through a custom MMC to which you've added the group policy snap-in focused on a specific site, domain, or OU (or the local GPO).
Creating links to existing GPOs
Assume that you've just spent several days creating a GPO to link to a particular OU and have tested and verified that the policies it contains are correct. Also assume that you have two other OUs that need to use the same policies. You don't really want to re-create those policies twice more, do you? Fortunately, you don't have to. You can link a given GPO to multiple objects, so once you've created the GPO, you can easily use it in other objects simply by linking the GPO to the object.
In this example, assume you have an OU named Help Desk and want to apply the GPO previously created for the Support OU to the Help Desk OU. You link the GPO to the Help Desk OU from the OU. To do so, open the Active Directory Users And Computers console, right-click the Help Desk OU, and choose Properties. Click the Group Policy tab, then click Add. In the Add A Group Policy Object Link dialog box, shown in Figure D, select the GPO you want to link to the OU and click OK. In this case, click the All tab, select the Test Support GPO, and click OK. Then, click OK to close the Help Desk Properties sheet.
|Link GPOs to a selected object through the Add A Group Policy Object Link dialog box.|
Deleting links and GPOs
There will no doubt come a time when you need to either delete a link to a GPO or delete the GPO itself, and it's important to understand that the two actions are quite different. I'll use a desktop shortcut as an analogy. Say that you create a shortcut on your desktop to an application. When you delete the shortcut, the application is unaffected. Go to the application's folder and delete its executable, and the program is gone. Its remnants, however, are still floating around the registry because you didn't remove it properly.
The same is true for GPOs and links. When you delete a link, the associated GPO is unaffected. Delete the GPO itself, however, and it's gone.
As with other GP processes, you can delete links and GPOs through the properties for the object to which the GPO is linked. For example, assume you now need to remove the link between the Test Support GPO and the Help Desk OU because you need to apply a different set of policies. In that case, open the Active Directory Users And Computers console, right-click the Help Desk OU, and choose Properties. On the Group Policy tab, select the GPO link from the list and click Delete. Windows displays a dialog box that gives you two options:
- Remove the link from the list
- Remove the link and delete the Group Policy Object permanently
Select the desired action and click OK.
Exercise some care when you delete GPOs. Windows provides no warning if a GPO you're deleting is linked to other objects. Delete the Test Support GPO from the Help Desk OU, for example, and it's gone from the Support OU as well.
Configuring local group policy
You've read previously that Windows Server 2003 applies the local group policy first and then applies GPOs at the site, domain, and OU levels. So in addition to modifying GPOs for the upper levels, you might also want to modify the local GPO. Each computer has only one local GPO.
As with other GPOs, you get to the local GPO through the group policy snap-in. Open the MMC and add the group policy snap-in, and when prompted for the location of the GPO, retain the default Local Computer focus and click Finish.
You also can open the local GPO of other computers across the network. Rather than accept the Local Computer default, click Browse, then click the Computers tab. Select the Another Computer option, then type the computer name in the field provided or click Browse to locate it.