multiple sites are involved. Replication problems can be diagnosed with Gpotool.exe, which
verifies the version and status of GPOs on all DCs and reports any discrepancies. This tool is part
of the Windows Resource Kit and can be downloaded from the Microsoft Download Center.
Creating and Linking GPOs
Chapter 3 introduced you to the Default Domain Policy and Default Domain Controllers
Policy, but undoubtedly you'll need to create your own GPOs and link them to Active Directory
containers. In fact, if changes are necessary for domain policies or domain controller policies,
creating new GPOs and linking them to containers is recommended instead of editing the
default GPOs.
The primary tools for managing, creating, and editing GPOs are Group Policy Management
Console (GPMC, also called the Group Policy Management MMC) and Group Policy
Management Editor (GPME), both of which you used in Chapter 3. The purpose of using these
tools is to carry out changes to the security and/or working environment for users or computers.
There are several ways to go about this task:
• Edit an existing GPO that's linked to an Active Directory container.
• Link an existing GPO to an Active Directory container.
• Create a new GPO for an Active Directory container.
• Create a new GPO in the Group Policy Objects folder, which isn't linked to an Active
Directory object.
• Create a new GPO by using a Starter GPO.
If you edit an existing GPO that's already linked to an Active Directory container, keep in
mind that changes in policy settings take effect as soon as clients download them. In other words,
there's no Save option in the GPME; changes are saved automatically. Client computers
download GPOs at restart, and user policies are downloaded at the next logon. Therefore, the best
practice is usually creating GPOs in the Group Policy Objects folder, and then linking them to
the target Active Directory container after all changes have been made. When you're changing
several policy settings at once or are unsure of the effect policy changes will have, you should
test policies before enabling them by using the following method:
1. Set up at least one test computer per OS used in the organization.
2. Join test computers to the domain and place their accounts in a test OU.
3. Create one or more test user accounts in the test OU.
4. Create the new GPO in the Group Policy Objects folder and set the policies you want.
5. Link the GPO to the test OU.
6. Restart and log on to the test computers with the test user accounts to observe the policy
effects.
7. Make changes to the GPO, if necessary, and repeat Step 6 until the policy has the desired
effect.
8. Unlink the policy from the test OU, and link it to the target Active Directory container.
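The eight-step test method above, sketched with the GroupPolicy PowerShell module as an added example (not code from the book). The GPO name, the OU distinguished names and the screen-saver setting are placeholder assumptions; step 8 is wrapped in a function so the production link is created only when you call it.

```powershell
# Added example. GPO name, OU paths and the sample setting are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Workstation Lock Policy'            # hypothetical GPO name
$TestOU   = 'OU=GPO-Test,DC=example,DC=com'      # test OU holding test computers and users
$TargetOU = 'OU=Workstations,DC=example,DC=com'  # production container

# List every container a GPO is linked to (the same data as the GPMC Scope tab).
function Get-GpoLinkTarget {
    param([Parameter(Mandatory = $true)][string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    @($report.GPO.LinksTo | Where-Object { $_ } |
        Select-Object SOMPath, Enabled, NoOverride)
}

# Step 4: create the GPO unlinked in Group Policy Objects and set the policies.
New-GPO -Name $GpoName -Comment 'Staged; link only after testing' | Out-Null
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Sample setting: start the screen saver after 600 seconds and require a password.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ScreenSaveTimeOut' `
    -Type String -Value '600' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ScreenSaverIsSecure' `
    -Type String -Value '1' | Out-Null

# A freshly staged GPO must not be applied anywhere yet.
if ((Get-GpoLinkTarget -Name $GpoName).Count -ne 0) {
    throw "GPO '$GpoName' is already linked; review its links before testing."
}

# Step 5: link to the test OU only.
New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null

# Steps 6-7 happen on the test clients: restart, log on as a test user, and run
#   gpresult /r
# to confirm the GPO appears under Applied Group Policy Objects.

# Step 8: call this only after testing succeeds.
function Publish-StagedGpo {
    Remove-GPLink -Name $GpoName -Target $TestOU | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    Get-GpoLinkTarget -Name $GpoName     # should now list only the target container
}
```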
Editing an Existing GPO
To edit an existing GPO, right-click it in the GPMC and click
Edit, which opens the GPO in the GPME. In the GPMC, all GPOs are stored in the Group
Policy Objects folder, and you can also find GPOs linked to an Active Directory container
displayed as shortcut objects in the container to which they're linked. Checking whether and
where a GPO is linked is a good idea before editing. To do this, select the GPO in the left pane
of the GPMC and view the Scope tab in the right pane (see Figure 7-7). All Active Directory
objects the GPO is linked to are listed for the selected location. In this figure, the domain is
selected as the location, and you can also select Entire forest or All sites in the Display links in
this location list box.