several account policies, such as password and account lockout settings, but no user rights
assignment policies; the Default Domain Controllers Policy defines user rights assignment policies
but no account policies. In addition, many policies are left undefined or not configured
because GPOs, like Active Directory, work in a hierarchical structure.
GPOs can be applied in four places: local computer, site, domain, and OU. Policies are
applied in this order, too. Policies that aren't defined or configured are not applied at all, and
the last policy to be applied is the one that takes precedence. For example, a GPO linked to
a domain affects all computers and users in the domain, but a GPO linked to an OU overrides
the domain policies if there are conflicting settings. You learn more about using GPOs
in Chapter 7.
You can remember the order in which GPOs are applied with the acronym
LSDOU: local computer, site, domain, and OU.
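The precedence rule above (apply in LSDOU order, skip settings that are not configured, last applied wins) as a small resolver. This is an added example, not from the original text: the function name, the data layout, and every GPO name and value other than TestOUGPO's Control Panel setting are assumptions, and it models only the rules stated here.

```python
# Added example: models only the LSDOU rules stated in the text above.
LSDOU = ("local", "site", "domain", "ou")  # processing order, first to last


def effective_policy(gpos):
    """Return {setting: (value, winning_gpo)} for a list of GPO dicts.

    Each dict has "name", "level" (one of LSDOU) and "settings".
    A value of None means Not Configured, so the GPO does not apply it.
    """
    for gpo in gpos:
        if gpo["level"] not in LSDOU:
            raise ValueError(f"{gpo['name']}: unknown level {gpo['level']!r}")
    result = {}
    # Process in LSDOU order regardless of the order the GPOs were listed in.
    for gpo in sorted(gpos, key=lambda g: LSDOU.index(g["level"])):
        for setting, value in gpo["settings"].items():
            if value is None:
                continue  # undefined: an earlier value, if any, survives
            result[setting] = (value, gpo["name"])  # last applied wins
    return result


CP = "Prohibit access to the Control Panel"
# Constructed sample data. Only TestOUGPO and its Control Panel setting come
# from the activity; the other GPO names and all other values are hypothetical.
SAMPLE_GPOS = [
    {"name": "TestOUGPO", "level": "ou",
     "settings": {CP: "Enabled", "Screen saver timeout": None}},
    {"name": "DomainUserGPO", "level": "domain",
     "settings": {CP: "Disabled", "Screen saver timeout": 900}},
    {"name": "SiteGPO", "level": "site",
     "settings": {"Remove Task Manager": "Disabled"}},
    {"name": "Local Computer Policy", "level": "local",
     "settings": {CP: "Disabled", "Remove Task Manager": "Enabled"}},
]

if __name__ == "__main__":
    for setting, (value, source) in effective_policy(SAMPLE_GPOS).items():
        print(f"{setting}: {value}  (from {source})")
```

Recording which GPO supplied each value is what makes the result useful for review: an unexpected effective setting can be traced to the link that introduced it.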
Activity 3-10: Working with Group Policies
Time Required: 30 minutes
Objective: Create a GPO and see how policies you configure affect user objects in the OU
to which the GPO is linked.
Description: You want to see how some group policy settings affect users in your domain. You
know that you want to restrict some users' access to Control Panel, so you decide to start with
that policy. Because you want the policy to affect individual users, you configure it in the User
Configuration node.
1. If necessary, log on to your server as Administrator, and open the Group Policy Management MMC by clicking Start, pointing to Administrative Tools, and clicking Group Policy Management.
2. Click to expand the Forest and Domains nodes and then your domain node.
3. Right-click TestOU (created earlier) and click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, type TestOUGPO in the Name text box, and then click OK.
5. In the left pane, click the TestOUGPO you just created. In the right pane, right-click TestOUGPO and click Edit to open the Group Policy Management Editor.
6. Under User Configuration, click to expand Policies and then Administrative Templates.
7. Click the Control Panel node. In the right pane, double-click the Prohibit access to the Control Panel policy to open its Properties dialog box.
8. Click the Explain tab, and read the description of this policy.
9. Click the Setting tab. Click the Enabled option button, and then click OK. Note that the State column for the policy you changed now shows Enabled.
10. Close the Group Policy Management Editor and Group Policy Management MMC.
11. Log off your server by clicking Start, clicking the arrow next to the padlock icon, and clicking Log Off.
12. Log on to your server as testuser1. After you press Ctrl+Alt+Delete, click the Switch User button, and then click Other User. Type testuser1 in the User name text box and Password01 in the Password text box.
13. In the message box stating that the user's password must be changed before logging on the first time, click OK.
14. In the New Password text box, type Password02, and then type it again in the Confirm password text box. Click the arrow to log on. Click OK when you get the message that the password has been changed.