Information Technology Reference
In-Depth Information
12.
Highlight the PolicyDisabled group and select Deny for the Read and Apply Group Policy
permissions. This ensures that users in the PolicyDisabled group will not be affected by
this policy.
13.
Click OK. You will see a message stating that you are choosing to use the Deny permis-
sion and that the Deny permission takes precedence over the Allow entries. Click the
Yes button to continue.
14.
When you have finished, close the GPMC tool.
Delegating Administrative Control of GPOs
So far, you have learned about how to use Group Policy to manage user and computer set-
tings. What you haven't done yet is to determine who can modify GPOs. It's important to
establish the appropriate security on GPOs themselves for two reasons.
■
If the security settings aren't set properly, users and system administrators can easily
override them. This defeats the purpose of having the GPOs in the first place.
■
Having many different system administrators creating and modifying GPOs can
become extremely difficult to manage. When problems arise, the hierarchical nature of
GPO inheritance can make it difficult to pinpoint the problem.
Fortunately, through the use of delegation, determining security permissions for GPOs
is a simple task. Exercise 6.4 walks you through the steps that you must take to grant the
appropriate permissions to a user account. Specifically, the process involves delegating the
ability to manage Group Policy links on an Active Directory object (such as an OU). To
complete this exercise, you must have completed Exercises 6.1 and 6.2.
exercise 6.4
delegating administrative control of Group Policy
1.
Open the Active Directory Users and Computers tool.
2.
Expand the local domain and create a user named
Policy admin
within the Group
Policy Test OU.
3.
Exit Active Directory Users and Computers and open the GPMC.
4.
Click the Group Policy Test OU and select the Delegation tab.
5.
Click the Add button. In the field Enter The Object Name To Select, type
Policy admin
and click the Check Names button.
6.
The Add Group Or User dialog box appears. In the Permissions drop-down list, make
sure that the item labeled Edit Settings, Delete, Modify Security is chosen. Click OK.
Search WWH ::
Custom Search