Information Technology Reference
In-Depth Information
Figure 7-7
The Scope tab in GPMC
As mentioned, editing the two default GPOs is not advisable. One reason is that you can't
test the GPO adequately because it's already linked to the domain or the Domain Controllers
OU. Another reason is that you might want to revert to the default settings, and you could have
difficulty remembering what was changed. The recommended method for making changes to
domain policies is creating a new GPO and linking it to the domain. Remember: You can have
multiple GPOs linked to the same container. The steps for making policy changes that affect the
whole domain are as follows, assuming you already have the test computers, users, and OU set
up as described previously:
1. Create the new GPO in the Group Policy Objects folder and set the policies you want.
2. Link the GPO to the test OU, making sure to unlink any GPOs that are linked there from
previous tests.
3. Test your policies by following Steps 6 to 8 in the previous list.
4. Make changes to the GPO, if necessary, and repeat testing until the policy has the effect you
want.
5. Unlink the policy from the test OU, and link it to the domain.
You might wonder how this procedure tests domainwide settings. Because a GPO can be
linked to multiple containers, you could have linked the Default Domain Policy to the test OU
as well. However, by default, policy settings are inherited by child objects, so settings in the
Default Domain Policy affect objects in all Active Directory containers in the domain, including
containers with another GPO linked. If you have two or more GPOs linked to the domain, as in
Figure 7-8, GPOs are applied to objects in reverse of the specified link order. In this example, the
NewGPO policy is applied, and then the Default Domain Policy is applied. If any settings con-
flict, the last setting applied takes precedence. GPO processing and inheritance are discussed
later in the chapter in “Group Policy Scope and Inheritance.”
Search WWH ::
Custom Search