November 2000

Controlling Group Policy, Part 2



Fine-tune Group Policy

In "Controlling Group Policy, Part 1," November 2000, I explained how Windows 2000 uses Group Policy Objects (GPOs) and the sequence in which Win2K applies them. But you can't truly control Group Policy until you understand the processing options that let you fine-tune your policies. Because you can link a GPO to sites, domains, or organizational units (OUs), you can control how Win2K applies Group Policy at several levels. You can use GPO-level processing options to control how Win2K applies a GPO regardless of the sites, domains, or OUs to which the GPO is linked. You can use link-level processing options to control how Win2K applies a GPO within a particular site, domain, or OU to which the GPO is linked. Other settings let you tailor how Win2K applies Group Policy at the computer or user level.

GPO-Level Processing Options
As I explained in "Controlling Group Policy, Part 1," a GPO has settings that affect a Win2K computer's configuration and a user's profile. The GPO stores computer settings in a Computer Configuration subfolder and stores user settings in a User Configuration subfolder. If you create a GPO that contains only computer settings, you can disable the GPO's User Configuration portion to reduce users' logon time. Likewise, if you define only user settings, you can disable the GPO's Computer Configuration portion to reduce system boot-up time. To disable either portion of a GPO, go to Administrative Tools, Active Directory Users and Computers. Right-click the domain or OU to which the GPO is linked, click Properties, and select the Group Policy tab. Select the appropriate GPO, and click Properties. Go to the General tab, which Figure 1 shows, and select either the Disable Computer Configuration settings check box or the Disable User Configuration settings check box. These settings are both GPO-level settings.

When you disable a GPO's Computer Configuration or User Configuration portion, Win2K disables that portion in every site, domain, or OU to which the GPO is linked. Therefore, before you make this type of GPO-level change, you need to determine how the change will affect those sites, domains, and OUs. To see a complete list of these linked elements, open the GPO's Properties dialog box and go to the Links tab, which Figure 2 shows. Select a domain from the Domain drop-down list and click Find Now. Win2K will search the specified domain and display each site and OU to which the GPO links. (The domain link will also show up on the list if the GPO is linked at the domain level.) Because you can link a GPO to multiple domains, you need to search all the domains that appear in the drop-down list.

One way to fine-tune a GPO's application is through the GPO's ACL, which defines both who has permission to maintain the GPO and which computers and users Win2K applies the GPO to. To access the ACL, open the GPO's Properties dialog box and go to the Security tab, which Figure 3 shows. When a Win2K computer that is a member of a Win2K domain boots up, the computer logs on to Active Directory (AD) and uses its corresponding computer account in AD to look through its domain, sites, and OUs and determine which GPOs it needs to apply. When applying Group Policy to a computer, Win2K checks, for each GPO, whether the computer account has both the Read permission and the Apply Group Policy permission on that GPO. If not, Win2K ignores the GPO for that computer. User accounts also require both Read and Apply Group Policy access; Win2K goes through the same determination process each time a user logs on and whenever Win2K reapplies Group Policy.

As Figure 3 shows, Authenticated Users (i.e., all computer and user accounts) have both permissions by default. When you want to disable a GPO's application to specific computers or users in an OU, you can open the GPO's ACL and add an access-control entry that denies Apply Group Policy access for the groups or accounts that you want to exempt. To view a GPO, you need Read access; to edit a GPO, you need Write access.

Link-Level Processing Options
An important difference exists between a GPO-level processing option and a GPO-link-level processing option. Whereas GPO-level processing options apply to all sites, domains, or OUs to which the GPO is linked, link-level processing options apply to only the immediate site, domain, or OU to which the GPO is linked. (A difference also exists between deleting a GPO and deleting a link to the GPO. When you select a GPO from the Group Policy tab and click Delete, Win2K asks whether you want to delete the entire GPO or only the link. When you delete the GPO, it disappears from every site, domain, or OU to which it is linked. When you delete the link, the other sites, domains, or OUs to which the GPO is linked remain unaffected.) You can choose among three link-level processing options.

Block Policy inheritance. Administrators use this option to isolate domains or OUs from group policies defined for a site or higher-level OU. When you select the Block Policy inheritance check box on the Group Policy tab, you effectively erect a gate above that domain or OU that blocks GPOs from trickling down. When you block policy inheritance at the domain level, Win2K won't apply any site-linked GPOs. When you block policy inheritance at the OU level, Win2K won't apply domain- or higher-OU-linked GPOs for computers or users in that OU. However, remember that Win2K always applies the computer's local GPO regardless of the Block Policy inheritance setting.

No Override. Administrators typically enable this setting at a domain level to enforce corporate password and account policies. The No Override setting overrides all lower-level Block Policy inheritance settings. For example, when you enable No Override for a site-level GPO link, Win2K applies that GPO to all computers in the site, regardless of the domain's or OU's Block Policy inheritance setting. When you enable No Override for a domain- or OU-level GPO link, Win2K applies that GPO to all computers and users, regardless of any lower OUs' Block Policy inheritance settings. To enable or disable the No Override setting, select the appropriate GPO from the Group Policy tab and click Options. Select the No Override check box, which Figure 4 shows.

Disabled. Disabling a GPO link is useful when you need to temporarily eliminate the GPO's effect on configuration (e.g., while debugging policy or temporarily suspending a restriction). When you disable a GPO link to a site, domain, or OU, Win2K won't apply the GPO to that site, domain, or OU. By disabling rather than deleting the link, you can more easily reinstate the GPO. To change the Disabled setting for a GPO link, select the appropriate GPO from the Group Policy tab and click Options. Select the Disabled check box, which Figure 4 shows.
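The processing rules described so far, the Read and Apply Group Policy ACL check from the previous section, the disabled Computer Configuration and User Configuration portions, and the three link-level options (Block Policy inheritance, No Override, Disabled), combine into a single decision procedure that Win2K runs for every computer and user. The following Python script is an added example that models that procedure; it is not code from the article or from Microsoft. The site, domain, OU, GPO and group names in it are constructed, and one detail is assumed from standard Win2K precedence behavior rather than stated in this part of the article: a No Override GPO is applied after all lower-level GPOs, so lower-level GPOs cannot override its settings.

```python
# Added example: a small model of how Win2K decides which GPOs apply to a
# computer or user. Not code from the article or from Microsoft; all names
# (containers, GPOs, groups) are constructed for illustration.
from dataclasses import dataclass, field

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass
class GPO:
    name: str
    allow: dict = field(default_factory=dict)   # principal -> set of granted rights
    deny: dict = field(default_factory=dict)    # principal -> set of denied rights
    computer_disabled: bool = False             # "Disable Computer Configuration settings"
    user_disabled: bool = False                 # "Disable User Configuration settings"


@dataclass
class Link:
    """A GPO link on one site, domain or OU, with its link-level options."""
    gpo: GPO
    no_override: bool = False
    disabled: bool = False


@dataclass
class Container:
    """A site, domain or OU. Links are listed lowest precedence first."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def acl_permits(gpo, groups):
    """The account needs Read AND Apply Group Policy; an explicit Deny on either wins."""
    needed = {READ, APPLY}
    for g in groups:
        if needed & gpo.deny.get(g, set()):
            return False
    granted = set()
    for g in groups:
        granted |= gpo.allow.get(g, set())
    return needed <= granted


def applied_gpos(chain, groups, portion):
    """chain: containers from the site down to the innermost OU (site, domain, OU order).
    groups: the account's group memberships (e.g. Authenticated Users).
    portion: "computer" or "user".
    Returns GPO names in application order; later entries win on conflicts."""
    result = ["Local GPO"]  # always applied, even under Block Policy inheritance
    enforced = []
    # Block Policy inheritance at container i drops every link on containers ABOVE i
    # unless the link is marked No Override. The lowest blocking container decides.
    lowest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for i, container in enumerate(chain):
        for link in container.links:
            gpo = link.gpo
            if link.disabled:                                   # link-level Disabled
                continue
            if portion == "computer" and gpo.computer_disabled:  # GPO-level option
                continue
            if portion == "user" and gpo.user_disabled:          # GPO-level option
                continue
            if not acl_permits(gpo, groups):                     # ACL filtering
                continue
            if link.no_override:
                enforced.append(gpo.name)   # applied last; assumed Win2K precedence behavior
            elif i < lowest_block:
                continue                    # blocked by a lower Block Policy inheritance
            else:
                result.append(gpo.name)
    # Among several No Override GPOs the higher-level one wins, so apply it last.
    return result + list(reversed(enforced))


def sample_chain(block_marketing=True):
    """Constructed site -> domain -> OU hierarchy exercising every option above."""
    everyone = {"Authenticated Users": {READ, APPLY}}           # the default ACL
    site_proxy = GPO("Site-Proxy", allow=dict(everyone))
    domain_password = GPO("Domain-Password", allow=dict(everyone))
    domain_desktop = GPO("Domain-Desktop", allow=dict(everyone), user_disabled=True)
    marketing_apps = GPO("Marketing-Apps", allow=dict(everyone),
                         deny={"Mkt-Admins": {APPLY}})          # exempt one group
    return [
        Container("Chicago site", [Link(site_proxy)]),
        Container("corp domain", [Link(domain_desktop), Link(domain_password, no_override=True)]),
        Container("Marketing OU", [Link(marketing_apps)], block_inheritance=block_marketing),
    ]


if __name__ == "__main__":
    chain = sample_chain()
    print("computer:", applied_gpos(chain, {"Authenticated Users"}, "computer"))
    print("Mkt-Admins user:", applied_gpos(chain, {"Authenticated Users", "Mkt-Admins"}, "user"))
```

With the Marketing OU blocking inheritance, a computer in that OU gets only the local GPO, Marketing-Apps and the No Override Domain-Password GPO; Site-Proxy and Domain-Desktop are blocked. A user in the Mkt-Admins group loses Marketing-Apps as well, because the Deny on Apply Group Policy wins over the Authenticated Users allow. Clearing the block restores the site and domain GPOs, but Domain-Desktop still never applies to users because its User Configuration portion is disabled at the GPO level.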

System- and User-Level Processing Options
Another set of processing options exists as settings within each GPO; you define these settings at the system or user level. As I explained in "Controlling Group Policy, Part 1," each GPO contains a Computer Configuration subfolder and a User Configuration subfolder; in other words, each GPO has a Group Policy folder under \computer configuration\administrative templates\system and another folder under \user configuration\administrative templates\system, as Figure 5 shows. These folders contain settings that control how Win2K applies Group Policy to every computer and user to which that GPO applies.

Changing the Computer Configuration settings for one GPO can affect a system's application of all GPOs. For example, suppose you go to the Marketing OU, create a new GPO, and select the Disable background refresh of Group Policy system-level setting. The next time a computer in that OU boots up or refreshes, the system will encounter the new GPO and change the setting in the local system configuration. After making the change, the system will disable background refresh of every GPO, not only of the GPO for which you enabled the setting.

Disable background refresh of Group Policy. Win2K periodically reapplies Group Policy after the initial system boot-up or user logon. The Disable background refresh of Group Policy setting disables this reapplication while a user is logged on to the system. The setting applies to policies under both the Computer Configuration and User Configuration portions of a GPO.

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.