Link GPOs —This permission can be set on sites, domains, and OUs and determines who
can link or unlink a GPO to or from the container. Administrators, Domain Admins,
Enterprise Admins, and the System special identity are granted this permission by default.
Perform Group Policy Modeling analyses —Set on domains and OUs and determines who
can run the GPO Modeling Wizard (discussed in “Group Policy Results and Modeling”
later in this chapter) on the specified container. The default users are the same as for the
Link GPOs permission.
Read Group Policy Results data —Set on domains and OUs and determines who can run
the Group Policy Results Wizard (discussed in “Group Policy Results and Modeling” later
in this chapter) on users and/or computers. The default users are the same as for the Link
GPOs permission.
Read —Set on GPOs; users with this permission can view settings and back up a GPO. By
default, the Enterprise Domain Controllers universal group has this permission for all GPOs.
Read (from Security Filtering) —Used in group policy filtering. By default, Authenticated
Users has this permission for all GPOs. It includes both the Read and Apply Group Policy
permissions and is generally set in the Scope tab of a GPO's Properties dialog box.
Edit settings, delete, modify security —Set on GPOs and determines who can edit, change
status on, back up, delete, and change security on a GPO. By default, Domain Admins,
Enterprise Admins, and the System special identity are granted this permission.
Edit Settings —Security principals can change existing settings, import settings, and enable
or disable a GPO. No users are granted this permission by default.
Managing GPO Status and Link Status
After a GPO is created, it can be in one of the following states:
Link status: unlinked —The GPO is in the Group Policy Objects folder but has not been
linked to any container objects.
Link status: enabled —The GPO is listed under the container object and the link is
enabled. This status is achieved by right-clicking a container, clicking Link an Existing
GPO, and choosing a GPO from the Group Policy Objects folder or by right-clicking a
container and clicking “Create a GPO in this domain, and Link it here.”
Link status: disabled —The GPO is listed under the container object and the link is
disabled. Link status can be toggled between enabled and disabled by right-clicking a GPO
linked to a container and clicking Link Enabled.
GPO status: Enabled —The GPO is fully functional. In the Group Policy Objects folder,
right-click a GPO, point to GPO Status, and click Enabled.
GPO status: User Configuration Settings Disabled —The User Configuration node is not
processed by the group policy client. In the Group Policy Objects folder, right-click a
GPO, point to GPO Status, and click User Configuration Settings Disabled.
GPO status: Computer Configuration Settings Disabled —The Computer Configuration
node is not processed by the group policy client. In the Group Policy Objects folder,
right-click a GPO, point to GPO Status, and click Computer Configuration Settings Disabled.
GPO status: All Settings Disabled —The GPO is disabled. In the Group Policy Objects
folder, right-click a GPO, point to GPO Status, and click All Settings Disabled.
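The permission and status lists above can be checked across a whole domain from PowerShell. The following read-only audit is an added example, not part of the original text: it flags GPOs that someone other than the default holders can edit, that are unlinked, or that are not fully enabled. It assumes the GroupPolicy module (installed with GPMC/RSAT), English trustee names, and an account that can read every GPO; the variable names are illustrative.

```powershell
# Added example: read-only audit of GPO delegation, GPO status and link status.
# Assumes the GroupPolicy module (GPMC/RSAT) and read access to every GPO.
Import-Module GroupPolicy

# Default holders of "Edit settings, delete, modify security" named in the list above.
# Assumption: trustee names appear in English, as Get-GPPermission displays them.
$defaultEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$editRights     = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$audit = foreach ($gpo in Get-GPO -All) {
    # Trustees that can change this GPO and are not default holders
    $extraEditors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editRights -contains "$($_.Permission)" -and
                       $defaultEditors -notcontains $_.Trustee.Name } |
        ForEach-Object { '{0}\{1} [{2}]' -f $_.Trustee.Domain, $_.Trustee.Name, $_.Permission }

    # The XML report carries one <LinksTo> element per container the GPO is linked to
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })
    if ($links.Count -eq 0) {
        $linkStatus = 'unlinked'
    } else {
        $linkStatus = ($links | ForEach-Object {
            $state = if ($_.Enabled -eq 'true') { 'enabled' } else { 'disabled' }
            '{0}={1}' -f $_.SOMPath, $state
        }) -join '; '
    }

    [pscustomobject]@{
        Gpo               = $gpo.DisplayName
        GpoStatus         = $gpo.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
        LinkStatus        = $linkStatus
        NonDefaultEditors = $extraEditors -join '; '
    }
}

# Show only GPOs that deserve a second look
$audit | Where-Object {
    $_.NonDefaultEditors -or
    $_.LinkStatus -eq 'unlinked' -or
    "$($_.GpoStatus)" -ne 'AllSettingsEnabled'
} | Format-List
```

Accounts that created a GPO through delegation also appear under NonDefaultEditors, which is the intended result: each one is a principal whose compromise would allow that GPO's settings to be changed.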
GPO Backup and Migration
In a large, complex network, with many different policy needs for users, servers, and
workstations, configuring and testing GPOs often take many hours. Thankfully, Windows provides a
solution for backing up, restoring, and migrating GPOs in case disaster strikes. GPO backups
are also useful if you need to revert to an older version of a GPO, and with GPO migration, you
can use your carefully thought-out GPO settings on other systems.