Activity 7-26: Cleaning up GPO Links
Time Required: 5 minutes
Objective: Unlink GPOs from the domain and OUs.
Description: After considerable testing of group policies, you check your domain and OU and
unlink any unnecessary GPOs from them.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC. Check each OU and verify that the only GPOs linked to objects are the ones
shown in the following list. Any other GPOs linked to the domain or OUs should be unlinked.
• Domain: Default Domain Policy, IEGPO
• Domain Controllers: Default Domain Controllers Policy
3. Close GPMC, and log off your server.
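The same check can be scripted. The following is an added example, not part of the original activity; it assumes the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 or later, or RSAT) and an account allowed to read and modify GPO links. It reports every link not in the list from step 2 and previews the unlink.

```powershell
# Added example: audit GPO links on the domain and all OUs against the
# expected list from step 2 of the activity.
Import-Module GroupPolicy, ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Expected links, taken from the activity. Any container without an entry
# here (every other OU) is expected to have no GPO links at all.
$expected = @{
    $domainDN                         = @('Default Domain Policy', 'IEGPO')
    "OU=Domain Controllers,$domainDN" = @('Default Domain Controllers Policy')
}

# Containers to check: the domain itself plus every OU beneath it.
$targets = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$unexpected = foreach ($dn in $targets) {
    $allowed = @()
    if ($expected.ContainsKey($dn)) { $allowed = $expected[$dn] }

    # GpoLinks holds only GPOs linked directly to this container,
    # not the ones it inherits from parent containers.
    foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks) {
        if ($allowed -notcontains $link.DisplayName) {
            New-Object PSObject -Property @{
                Container = $dn
                Gpo       = $link.DisplayName
                Enabled   = $link.Enabled
                Enforced  = $link.Enforced
            }
        }
    }
}

$unexpected | Format-Table Container, Gpo, Enabled, Enforced -AutoSize

# Preview the unlink operations; remove -WhatIf to actually unlink.
foreach ($item in $unexpected) {
    Remove-GPLink -Name $item.Gpo -Target $item.Container -WhatIf
}
```

Unlinking removes only the link; the GPO itself stays in the Group Policy Objects container and can be relinked later.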
As you can see, group policy preferences are a powerful feature for fine-tuning the working
environment of domain users and computers. Administrators should spend some time exploring
the capabilities available in the Preferences folder and testing item-level targeting situations.
Chapter Summary
• Group policy architecture and function involves these components: GPOs, replication,
scope and inheritance, and creating and linking GPOs. GPOs can be local or domain.
Windows Vista and Server 2008 have three new local GPOs (stored on the local
computer). A domain GPO consists of a Group Policy Template (GPT), stored in the Sysvol
share, and a Group Policy Container (GPC), stored in Active Directory.
• GPO replication is handled by Active Directory replication for GPCs and by FRS or DFSR
for GPTs. DFSR is used only when all DCs are running Windows Server 2008.
• You use the GPMC to create, link, and manage GPOs and the GPME to edit GPOs.
Changes to linked GPOs take effect as soon as the user logs on or the computer restarts,
or at the time of the next policy refresh, whichever comes first. GPO changes should be
made when the GPO is not linked to a container object.
• Starter GPOs are like template files for GPOs. You can create a new GPO by using a
Starter GPO as a baseline. Starter GPOs contain only the Administrative Templates folder
in the Computer Configuration and User Configuration nodes.
• GPOs can be linked to sites, domains, and OUs. Policies are applied in this order, and the last
policy setting applied takes precedence when conflicts exist. Local policies are applied before
domain policies, so when conflicts exist, domain policies take precedence over local policies.
• Default GPO inheritance can be changed by using inheritance blocking, enforcement, GPO
filtering, and loopback policy processing.
• The Computer Configuration and User Configuration nodes contain three subnodes:
Software Settings, Windows Settings, and Administrative Templates. If settings in these
two nodes conflict, computer settings take precedence. Software Settings can be used to
assign or publish software packages remotely to users and assign software packages
remotely to computers.
• The Security Settings node in Computer Configuration contains the Account Policies
subnode with settings that affect all domain users. The Account Policies subnode contains
Password Policy, Account Lockout Policy, and Kerberos Policy subnodes.
• The Local Policies subnode in the Security Settings node contains Audit Policy, User Rights
Assignment, and Security Options. To audit object access, you must enable the object
access audit policy and then enable auditing on the target object.
• Fine-grained password policies, new in Windows Server 2008, make it possible for
administrators to define different password policies for select groups of users. ADSI Edit and
LDIFDE are the two tools for creating fine-grained password policies.
 