Microsoft Press working group policy guide part 1 pptx



A02LX1106980.fm Page iv Tuesday, April 5, 2005 11:10 AM

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2005 by Darren Mar-Elia, Derek Melber, and William Stanek

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2005922203

Printed and bound in the United States of America.

QWT

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to rkinput@microsoft.com.

Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, FrontPage, Hotmail, InfoPath, IntelliMouse, JScript, Microsoft Press, MSDN, MS-DOS, MSN, NetMeeting, OneNote, Outlook, PivotTable, PowerPoint, SharePoint, Visio, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the authors' views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Project Editor: Karen Szall
Copy Editor: Ina Chang
Technical Editor: Mitch Tulloch
Indexer: Julie Bess
Compositor: Dan Latimer

Body Part No. X11-06980

"The Microsoft® Windows® Group Policy Guide is a 'must have' for any IT Professional looking to actively manage their desktops and servers! It contains a comprehensive collection of guidance on all aspects of Group Policy."
Michael Dennis, Lead Program Manager, Group Policy at Microsoft

Thanks to Karen for keeping me motivated and to Sid for walking on top of my keyboard repeatedly as I tried to work. — Darren Mar-Elia

Thanks to my family for being there in the hard times and the good times. — Derek Melber

To my wife and children, keeping the dream alive. — William R. Stanek

About the Authors

Darren Mar-Elia (http://www.gpoguy.com) is Quest Software's CTO for Windows Management and a Microsoft MVP for Group Policy. Darren has more than 18 years of experience in systems and network administration, design, and architecture. Darren is a contributing editor for Windows IT Pro Magazine. He has written and contributed to ten books on Windows NT and Windows 2000, including Upgrading and Repairing Networks (Que, 1996), The Definitive Guide to Windows 2000 Group Policy (NetIQ, FullArmor, and Realtimepublishers.com), and Tips and Tricks Guide to Group Policy (NetIQ, FullArmor, and Realtimepublishers.com). You can reach Darren by sending him e-mail at darren@gpoguy.com.

Derek Melber is a technical instructor, consultant, and author. Derek holds a Masters degree from the University of Kansas. He also has Microsoft Certified Systems Engineer (MCSE) certification and Certified Information Security Manager (CISM) certification. A Microsoft MVP with 15 years of experience in solution development, training, public speaking, and consulting, Derek has used his experience and knowledge to write numerous books on Windows Active Directory, Group Policy, security, auditing, and certifications. Derek offers both training and consulting on Group Policy, and he has developed and trained over 100,000 technical professionals around the world. To contact Derek for training, consulting, or questions, e-mail him at derekm@braincore.net.

William R. Stanek (http://www.williamstanek.com) has 20 years of hands-on experience with advanced programming and development. He is a leading technology expert, an award-winning author, and an exceptional instructor who teaches courses in Microsoft Windows, SQL Server, Exchange Server, and IIS administration. Over the years, his practical advice has helped millions of programmers, developers, and network engineers all over the world. His 50+ books have more than three million copies in print. Current and forthcoming books include Microsoft Windows Server 2003 Inside Out (Microsoft Press, 2004), Microsoft Windows XP Professional Administrator's Pocket Consultant, Second Edition (Microsoft Press, 2004), Microsoft Windows Server 2003 Administrator's Pocket Consultant (Microsoft Press, 2003), and Microsoft IIS 6.0 Administrator's Pocket Consultant (Microsoft Press, 2003). To contact William, visit his Web site (http://www.williamstanek.com) and send him an e-mail.

Acknowledgments

Thank you to those who contributed to the Microsoft Windows Group Policy Guide.

Group Policy Lead Program Manager: Michael Dennis

Technical Contributors: John Kaiser, Anshul Rawat, Mark Williams, Dan Fritch, Kurt Dillard, Adam Edwards, Stacia Snapp, Tim Thompson, Scott Cousins, Jennifer Hendrix, Gary Ericson, John Hrvatin, Drew Leaumont, Michael Surkan, Joseph Davies, David Beder, Mohammed Samji, Bill Gruber, Patanjali Venkatacharya, Mike Stephens, Michael Dennis, Paul Barr, Mike Jorden, Tarek Kamel, Mike Treit, Judith Herman, Rhynier Myburgh, Colin Torretta

From the Microsoft Press editorial team, the following individuals contributed to the Microsoft Windows Group Policy Guide:
Product Planner: Martin DelRe
Project Editor: Karen Szall
Technical Reviewer: Mitch Tulloch
Copy Editor: Ina Chang
Production Leads: Dan Latimer and Elizabeth Hansford
Indexer: Julie Bess
Art production: Joel Panchot and William Teel

Part I: Getting Started with Group Policy

Chapter 2: Working with Group Policy

...

■ Ed
■ EdsPC

The RSoP for Ed flows from Seattle Site to us.adatum.com, Sales OU, and then Support OU. The RSoP for EdsPC flows from Seattle Site to us.adatum.com, Sales OU, and then Support OU.

When you look at RSoP, it's also important to consider what will happen if you move the furniture around a bit—for example, if Beth visits the Seattle office and logs on to JohnsPC or if Ed from Support goes to New York and logs on to MikesPC. Here is what happens with regard to Group Policy:

■ Beth in Seattle logging on to JohnsPC: JohnsPC is subject to the Computer Configuration settings in the GPOs for Seattle Site, us.adatum.com, and the Sales OU. Beth (logging on to JohnsPC while in Seattle) is subject to the User Configuration settings in the GPOs for NY Site, us.adatum.com, and the Services OU. By default, the User Configuration settings in the GPOs that apply to Beth have precedence.
■ Ed in New York logging on to MikesPC: MikesPC is subject to the Computer Configuration settings in the GPOs for NY Site, us.adatum.com, and the Services OU. Ed (logging on to MikesPC while in New York) is subject to the User Configuration settings in the GPOs for Seattle Site, us.adatum.com, Sales OU, and the Support OU. By default, the User Configuration settings in the GPOs that apply to Ed have precedence.
■ CorpSvr01 (when it is moved into the Support OU) is subject to the GPOs for Seattle Site, us.adatum.com, Sales OU, and the Support OU. By default, the policy settings for the Support OU have precedence.

Moving CorpSvr01 into the Support OU

Managing Group Policy Objects

Group Policy applies only to users and computers. Group Policy settings are divided into two categories: Computer Configuration,
which contains settings that apply to computers, and User Configuration, which contains settings that apply to user accounts. Each category can be divided further into three major classes of settings, each of which contains several subclasses of settings:

■ Software Settings: For automated deployment of new software and software upgrades. Also used for uninstalling software.
■ Windows Settings: For managing key Windows settings for both computers and users, including scripts and security. For users, you can also manage Remote Installation Services, Folder Redirection, and Microsoft Internet Explorer maintenance.
■ Administrative Templates: For managing registry settings that configure the operating system, Windows components, and applications. Administrative templates are implemented for specific operating system versions.

The Group Policy management tools provide access to these three top-level classes of settings and make use of a number of extensions that provide the functionality necessary to configure Group Policy settings. As we discussed previously, there are two types of Group Policy: Local Group Policy and Active Directory–based Group Policy. Local Group Policy applies to the local machine only, and there is only one local GPO per local machine. Active Directory–based Group Policy, on the other hand, can be implemented separately for sites, domains, and OUs. When you want to work with Group Policy, you can do so at the local machine level using the Local Security Policy tool or within Active Directory using the GPMC. The sections that follow examine the key techniques you'll use to access GPOs with these tools and to manage policy settings.

Note: You manage the Group Policy settings for domain controllers using the Domain Controller Security Policy tool (as long as the domain controllers are part of the Domain Controllers OU). For more information on managing Group Policy for domain controllers and the Domain Controller Security Policy tool, see the section titled "Working with Linked GPOs and Default Policy."

Managing Local Group Policy

To work with Local Group Policy, you must use an administrator account. In a domain, you can use an account that is a member of the Enterprise Admins, Domain Admins, or the Administrators domain local group. In a workgroup, you must use an account that is a member of the local Administrators group.

Accessing Local Group Policy on the Local Computer

You can access Local Group Policy in several ways. The fastest way is to type the following command at the command prompt:

gpedit.msc /gpcomputer:"%computername%"

This command starts the Group Policy Object Editor in an MMC and tells the Group Policy Object Editor to target the local computer. Here, %ComputerName% is an environment variable that holds the name of the local computer; the value must be enclosed in double quotation marks as shown.

You can also access Local Group Policy in the Group Policy Object Editor snap-in by completing the following steps:

1. Click Start, Run. In the Run dialog box, type mmc in the Open field, and then click OK.
2. Choose Add/Remove Snap-In from the File menu in the main window.
3. In the Add/Remove Snap-In dialog box, click Add.
4. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then choose Add. This starts the Group Policy Wizard.
5. The Select Group Policy Object page is displayed with the Local Computer selected as the Group Policy Object target. Click Finish.
6. In the Add Standalone Snap-In dialog box, click Close. Then, in the Add/Remove Snap-In dialog box, click OK.

If you want to work only with security settings in Local Group Policy, you can use the Local Security Policy console, shown in Figure 2-3. Click Start, Programs or All Programs, Administrative Tools, and then select Local Security Policy.

Figure 2-3 Accessing Local Group Policy using the Local Security Policy tool

In Group Policy Object Editor and Local Security Policy, you can configure security settings that apply to users and the local computer itself. Any policy changes you make are applied to that computer the next time Group Policy is refreshed. The settings you can manage locally depend on whether the computer is a member of a domain or a workgroup, and they include the following:

■ Account policies for passwords, account lockout, and Kerberos
■ Local policies for auditing, user rights assignment, and security options
■ Event logging options for configuring log size, access, and retention options for the application, system, and security logs
■ Security restriction settings for groups, system services, registry keys, and the file system
■ Security settings for wireless networking, public keys, and Internet Protocol Security (IPSec)
■ Software restrictions that specify applications that aren't allowed to run on the computer

You configure Local Group Policy in the same way that you configure Active Directory–based Group Policy. To apply a policy, you enable it and then configure any additional or optional values as necessary. An enabled policy setting is turned on and active. If you want a policy to be explicitly turned off, you must disable it. A disabled policy setting is turned off and inactive, whereas a setting that is left Not Configured does not touch the corresponding value at all. The enforcement or blocking of inheritance can change this behavior, as detailed in the section titled "Managing Group Policy Inheritance."

Accessing Local Group Policy on a Remote Machine

Often you'll want to access Local Group Policy on a remote machine. For example, if you are logged on to EdsPC, you might want to see how Group Policy is configured locally on JohnsPC. To access Local Group Policy on another computer, you use the Group Policy Object Editor snap-in. You must be a local administrator on the remote computer, and any firewall between you and it must allow remote administration traffic. One way to do this is to type the following command at the command prompt:

gpedit.msc /gpcomputer:"RemoteComputer"

where RemoteComputer is the host name or fully qualified DNS name of the remote computer. The remote computer name must be enclosed in double quotation marks, such as:

gpedit.msc /gpcomputer:"corpsvr04"

or

gpedit.msc /gpcomputer:"corpsvr04.adatum.com"

You can also access Local Group Policy on a remote computer by completing the following steps:

1. Click Start, Run. In the Run dialog box, type mmc in the Open field, and then click OK.
2. Choose Add/Remove Snap-In from the File menu in the main window.
3. In the Add/Remove Snap-In dialog box, click Add.
4. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then choose Add. This starts the Group Policy Wizard. The Select Group Policy Object page is displayed.
5. Click Browse. In the Browse For A Group Policy Object dialog box, click the Computers tab, select Another Computer, and then click Browse again.
6. In the Select Computer dialog box, type the name of the computer whose local group policy you want to access, and click Check Names. When you have the right computer, click OK twice and then click Finish.
7. In the Add Standalone Snap-In dialog box, click Close. Then, in the Add/Remove Snap-In dialog box, click OK.
8. Repeat these steps as necessary to add other computers whose local policy you want to manage remotely. When you are finished, click File, Save As, and then use the Save As dialog box to save your custom MMC.

As Figure 2-4 shows, when you work with Local Group Policy through the Group Policy Object Editor snap-in, the nodes of the console root reflect the computers to which you are connected. In this example, the MMC is connected to a remote computer, CORPSVR04, and the local computer.

Figure 2-4 Accessing Local Group Policy using the Group Policy Object Editor snap-in

Managing Active Directory–Based Group Policy

The best way to manage Active Directory–based Group Policy is with the GPMC, which you must download and install. You can use the GPMC to manage policy settings in accordance with your administrative privileges. The account you use must be a member of the Enterprise Admins or Domain Admins group or must have been delegated permissions to work with specific aspects of Group Policy. When you work with the Enterprise Admins and Domain Admins groups, keep the following in mind:

■ Members of Enterprise Admins can manage policy settings for the specific forest of which they are a member. For example, if the user account WilliamS is a member of the Enterprise Admins group in the cpandl.com forest, WilliamS can manage the policy settings for any child domain in the cpandl.com domain as well as the parent domain (cpandl.com). This means he can manage the policy settings for tech.cpandl.com, cs.cpandl.com, and cpandl.com.
■ Members of Domain Admins can manage policy settings for the specific domain of which they are a member. For example, if the user account WilliamS is a member of the Domain Admins group in the tech.cpandl.com domain, WilliamS can manage the policy settings for the tech.cpandl.com domain. He cannot manage policy settings for cs.cpandl.com or cpandl.com. He can manage the policy settings for other domains only if he has Domain Admins privileges in those domains (or Enterprise Admins privileges for the forest).

When you work with delegated administrative permissions, keep in mind that the account has only the specific permissions that were delegated. Delegated permissions for Group Policy include permission to manage Group Policy links, generate RSoP for the purposes of logging, and generate RSoP for planning purposes. The sections that follow discuss how to install and use the GPMC. You'll learn techniques for delegating administration later in the chapter in the section titled "Delegating Privileges for Group Policy Management."

Installing the GPMC

The GPMC provides an integrated interface for working with policy settings. You can install this console on computers running Windows Server 2003 or Windows XP Professional Service Pack 1 with QFE 326469 or later (if the Microsoft .NET Framework is also installed). Because the .NET Framework in turn requires Internet Explorer version 5.01 or later, the minimum required components for working with GPMC are as follows:

■ Microsoft Internet Explorer 5.01 or later. Internet Explorer 6.0 SP1 or later is recommended. Computers running Windows XP Professional SP1 or Windows Server 2003 have Internet Explorer 6.0 or later installed already.
■ .NET Framework. Computers running Windows XP Professional do not have the .NET Framework installed by default. Computers running Windows Server 2003 have the .NET Framework installed by default.
■ GPMC with SP1 or later. Computers running Windows XP Professional or Windows Server 2003 do not have the GPMC installed by default. The GPMC is available as a download only (as of this writing).

Note: Although you can use the GPMC to manage Group Policy on Windows Server 2003 and Windows 2000, you cannot install the GPMC on computers running Windows 2000 or earlier. Only Windows XP Professional and Windows Server 2003 are compatible with the extensions used by this console.

The key steps for downloading and installing the .NET Framework and the GPMC are as follows:

1. Download the .NET Framework 1.1 or later from Microsoft at www.microsoft.com/downloads/. The installer file is named Dotnetfx.exe. Download Dotnetfx.exe and then double-click it to start the installation process.
2. Because the GPMC installation process updates the MMC, you must close any console-based tools that are running before you install the GPMC. If you don't do this, you'll see a warning when you try to run the installer telling you that the GPMC cannot be installed until you close the consoles that are open.
3. Download the GPMC with SP1 or later from the Microsoft Download Center at www.microsoft.com/downloads/. The installation package is Gpmc.msi. Double-click this file to start the installation process.

Both installers run with administrative privileges, so before running them confirm that each file carries a valid Microsoft Authenticode signature (right-click the file, choose Properties, and check the Digital Signatures tab).

Caution: Before installing the GPMC, you should think carefully about how you will manage Active Directory–based Group Policy. Installing the GPMC changes the way a computer works with Group Policy, and afterward you can manage Active Directory–based Group Policy only via the GPMC. This is, of course, a per-computer issue, and you have the option of using the existing Group Policy tools or installing and using the GPMC on other computers.

Using the GPMC

You can run the GPMC from the Administrative Tools menu. Click Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. As shown in Figure 2-5, the left pane of the GPMC has two top-level nodes by default: Group Policy Management (the console root) and Forest (a node representing the forest to which you are currently connected, which is named after the forest root domain for that forest). When you expand the Forest node, you see the following nodes:

■ Domains: Provides access to the policy settings for domains in the forest being administered. You are connected to your logon domain by default; you can add connections to other domains. If you expand a domain, you can access Default Domain Policy, the Domain Controllers OU (and the related Default Domain Controllers Policy), and GPOs defined in the domain.
■ Sites: Provides access to the policy settings for sites in the related forest. Sites are hidden by default.
■ Group Policy Modeling: Provides access to the Group Policy Modeling Wizard, which helps you plan policy deployment and simulate settings for testing purposes. Any saved policy models are also available.
■ Group Policy Results: Provides access to the Group Policy Results Wizard.

For each domain to which you are connected, all the related GPOs and OUs are available to work with in one location.

Note: GPOs found in domain, site, and OU containers in the GPMC are actually GPO links and not the GPOs themselves. The actual GPOs are found in the Group Policy Objects container of the selected domain. It is also helpful to note that the icons for GPO links have a small arrow at the bottom left, similar to shortcut icons.

Figure 2-5 The GPMC provides access to the policy settings in domains, sites, and OUs

Connecting to Additional Forests

The GPMC is designed to work with multiple forests, domains, and sites. When you start the GPMC for the first time, you are connected to your logon domain and forest. You can connect to additional forests by completing the following steps:

1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.
2. Right-click the Group Policy Management node in the console tree, and then select Add Forest.
3. In the Add Forest dialog box (shown in Figure 2-6), type the name of a domain in the forest to which you want to connect, and then click OK. As long as there is an external trust to the domain, you can establish the connection and obtain forest information—even if you don't have a forest trust with the entire forest.

From now on, when you start Group Policy Management Console, the additional forest should be listed.

Figure 2-6 Entering the name of a domain in the forest to which you want to connect

Showing Sites in Connected Forests

The GPMC doesn't show the available sites by default. If you want to work with the sites in a particular forest, follow these steps:

1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.
2. Expand the entry for the forest you want to work with, right-click the related Sites node, and then select Show Sites.
3. In the Show Sites dialog box (shown in Figure 2-7), select the check boxes for the sites you want to work with and clear the check boxes for the sites you don't want to work with. Click OK.

From now on, when you start the GPMC, the additional site or sites should be listed.

Figure 2-7 Selecting the sites to display
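The forest, domain, site and GPO-link information that the GPMC tree shows can also be gathered from PowerShell. The block below is an added example and is not code from the book; it assumes the GroupPolicy module is available (it ships with the GPMC on Windows Server 2008 R2 and later, and with RSAT), that the account can read the target forest, and that the forest name cpandl.com and the Seattle site are the book's fictitious examples. The second function reads a container's gPLink attribute directly, which is the raw form of the "links, not GPOs" distinction the Note above describes and is the only way to read a site's links, because Get-GPInheritance covers domains and OUs only.

```powershell
# Added example, not from the Group Policy Guide: read what the GPMC tree shows
# (forest -> domains, sites, GPOs, and the links in a container) from PowerShell.
# Assumptions: GroupPolicy module present (GPMC on Server 2008 R2+ or RSAT),
# read access to the forest, and cpandl.com / Seattle as example names.
Import-Module GroupPolicy -ErrorAction Stop

function Get-GpmcForestView {
    param(
        [Parameter(Mandatory)] [string] $ForestRoot,               # e.g. 'cpandl.com'
        [System.Management.Automation.PSCredential] $Credential   # for a trusted foreign forest
    )
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
    $ctx = if ($Credential) {
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            $type, $ForestRoot, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, $ForestRoot)
    }
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # Sites are hidden in the GPMC until you choose Show Sites; list them all here.
    $sites = @($forest.Sites | ForEach-Object { $_.Name })

    foreach ($domain in $forest.Domains) {
        # Get-GPO talks to the domain's PDC emulator by default, as the GPMC does.
        $gpos = Get-GPO -All -Domain $domain.Name
        [pscustomobject]@{
            Forest      = $forest.Name
            Domain      = $domain.Name
            PdcEmulator = $domain.PdcRoleOwner.Name
            Sites       = $sites
            GpoCount    = @($gpos).Count
            GpoNames    = @($gpos | ForEach-Object { $_.DisplayName })
        }
    }
}

# What the GPMC shows under a site, domain or OU are links, not GPOs. The links
# are stored in the container's gPLink attribute as "[LDAP://<gpo DN>;<flags>]"
# entries, where flag bit 1 = link disabled and bit 2 = enforced. Reading the
# attribute works for sites too; Get-GPInheritance handles only domains and OUs,
# and the GPMC's Link Order column is derived from this list, so use the GPMC
# or Get-GPInheritance when you need the displayed precedence.
function Get-GpoLinkAttribute {
    param([Parameter(Mandatory)] [string] $ContainerDN)  # e.g. a site DN, see usage below
    $raw = [string]([adsi]"LDAP://$ContainerDN").gPLink
    foreach ($m in [regex]::Matches($raw, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            GpoDN    = $m.Groups[1].Value
            Enabled  = -not ($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
}

Get-GpmcForestView -ForestRoot 'cpandl.com' | Format-List
Get-GpoLinkAttribute -ContainerDN 'CN=Seattle,CN=Sites,CN=Configuration,DC=cpandl,DC=com'
```

Run it from a domain-joined computer; to inspect a second forest, pass a credential valid in that forest and the name of any of its domains, which matches the Add Forest dialog's requirement of an external trust rather than a full forest trust.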
Accessing Additional Domains In the GPMC, you can view the domains to which you are connected on a per-forest basis You are connected to your logon domain and forest by default To work with other domains in a particular forest, follow these steps: Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console Or type gpmc.msc at a command prompt Expand the entry for the forest you want to work with, and then expand the related Domains node by double-clicking it If the domain you want to work with isn’t listed, right-click the Domains node in the designated forest, and then select Show Domains Then in the Show Domains dialog box, select the check boxes for the domains you want to work with and clear the check boxes for the domains you don’t want to work with Click OK From now on, when you start the GPMC, the additional domain or domains should be listed Setting Domain Controller Focus Options When you start the GPMC, the console connects to Active Directory running on the domain controller that is acting as the PDC emulator for your logon domain and obtains a list of all GPOs and OUs in that domain It does this using LDAP to access the directory store and the Server Message Block (SMB) protocol to access the Sysvol If the PDC emulator isn’t available for some reason, such as when the server is down or otherwise offline, the GPMC displays a prompt so you can choose to work with policy settings on the domain controller to which you are currently connected or on any available domain controller If you want to force the GPMC to work with a domain controller other than PDC, you can configure this manually as well This process is referred to as setting the domain controller focus You can choose the domain controller to work with on a per-domain basis by completing the following steps: Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console Or type 
gpmc.msc at a command prompt Expand the entry for the forest you want to work with, and then expand the related Domains node by double-clicking it Right-click the domain for which you want to set the domain controller focus, and then select Change Domain Controller to open the Change Domain Controller dialog box shown in Figure 2-8 38 Part I: Getting Started with Group Policy Figure 2-8 Set the domain controller focus The domain controller to which you are currently connected is listed under Current Domain Controller Use the following Change To options to set the domain controller focus, and then click OK ■ The Domain Controller With The Operations Master Token For The PDC Emulator Choose this option if you aren’t connected to the PDC Emula- tor for some reason and want to try to establish a connection with this server at this time For example, if the PDC Emulator was offline for maintenance and is now online, you might want to try to reconnect with it ■ Any Available Domain Controller Choose this option to connect to any available domain controller running Windows 2000 or later Use this option if you don’t need to work with a domain controller running a specific version of the Windows server operating system ■ Any Available Domain Controller Running Windows Server 2003 Or Later Choose this option if you need to work with a domain controller that is running Windows Server 2003 or later ■ This Domain Controller Choose this option and then make a selection in the Domain Controllers panel if you want to work with a specific domain controller The site where each domain controller resides is listed as well so that you can work with a domain controller in a particular site if necessary Chapter 2: Working with Group Policy 39 Creating and Linking GPOs As discussed previously, the GPMC allows you to create and link GPOs as separate operations or as a single operation on a selected domain, site, or OU You can, for example, create a GPO without linking it to any domain, 
site, or OU. You can also create a GPO for a selected domain or OU and have the GPO linked automatically to that domain or OU. With sites, the only way to create and link a GPO is to do so with separate operations.

How you create GPOs is a matter of preference. There is no right or wrong way. Some administrators prefer to create a GPO first and then link it to a domain, site, or OU. Other administrators prefer to create a GPO and have it linked automatically to a specific domain, site, or OU. However, you should remember that a GPO can be linked to multiple containers (domains, sites, and OUs) and at multiple levels.

Note: When you create and link a GPO to a site, domain, or OU, the GPO is applied to the user and computer objects in that site, domain, or OU according to the Active Directory options governing inheritance, the precedence order of GPOs, and other settings. In other words, these options can affect the way policy settings are applied. For details, see the section in Chapter titled "Managing Group Policy Inheritance."

Creating and Linking GPOs for Sites

In an Active Directory forest, only Enterprise Admins and forest root Domain Admins can create and modify sites and site links. Similarly, only Enterprise Admins and forest root Domain Admins can create and manage GPOs for sites. Site-level GPOs aren't used that often, and when they are implemented, they are used primarily for managing network-specific policy settings—which is in keeping with the purpose of sites: to help you better manage the physical structure of the network (your subnets). For example, you might want to use site-level GPOs to manage IP security, Internet Explorer configurations for proxies, wireless networking, or public key security on a per-subnet basis.

In the GPMC, you can create and link a new site GPO by completing the following steps:

1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.
2. Expand the entry for the forest you want to work with, and then expand the related Domains node by double-clicking it.
3. Right-click Group Policy Objects, and then select New.

40 Part I: Getting Started with Group Policy

4. In the New GPO dialog box (shown in Figure 2-9), type a descriptive name for the new GPO, and then click OK. You'll see the new GPO listed in the Group Policy Objects container.

Figure 2-9 Entering a descriptive name for the new GPO

5. Right-click the new GPO, and then choose Edit. This opens the Group Policy Object Editor. Configure the necessary policy settings, and then close the Group Policy Object Editor.
6. In the GPMC, expand the Sites node and select the site you want to work with. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected site (if any).
7. Right-click the site to which you want to link the GPO, and then select Link An Existing GPO. Use the Select GPO dialog box (shown in Figure 2-10) to select the GPO to which you want to link, and then click OK.

Note: Sites aren't listed automatically. If you don't see the site you want to work with, right-click Sites and then select Show Sites. You can then select the available sites that you want to display.

Figure 2-10 Selecting the GPO to which you want to link

Chapter 2: Working with Group Policy 41

The GPO is now linked to the site. In the right pane, the Linked Group Policy Objects tab should show the linked GPO. Once Group Policy is refreshed for computers and users in the site, the policy settings in the GPO will be applied. To learn how to manually refresh Group Policy, see "Refreshing Group Policy Manually" in Chapter .

Computer policy is refreshed during startup when the computer connects to the network. User policy is refreshed during logon when the user logs on to the network. Thus you can verify that computer policy settings have been applied as expected by restarting a workstation or server in the site and then checking the computer. To verify user policy settings, have a user who is logged on to a computer in the site log off and then log back on. You can then verify that user policy settings have been applied as expected.

Creating and Linking GPOs for Domains

In an Active Directory forest, only Enterprise Admins, Domain Admins, and those who have been delegated permissions can manage objects in domains. You must be a member of Enterprise Admins or Domain Admins or be specifically delegated permissions to be able to work with GPOs in a domain. With regard to Group Policy, delegated permissions are primarily limited to management of Group Policy links and RSoP for the purposes of logging and planning. Unlike site GPOs, which aren't frequently used, GPOs are used widely in domains. In the GPMC, you can create and link a new GPO for a domain as two separate operations or as a single operation.

Creating and Then Linking a GPO for a Domain

To create a GPO and then link it separately for a domain, complete the following steps:

1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.
2. Expand the entry for the forest you want to work with, and then expand the related Domains node by double-clicking it.
3. Right-click Group Policy Objects and then select New.
4. In the New GPO dialog box, type a descriptive name for the new GPO and then click OK. The new GPO is now listed in the Group Policy Objects container.
5. Right-click the GPO, and then choose Edit. In the Group Policy Object Editor, configure the necessary policy settings and then close the Group Policy Object Editor.
6. In the GPMC, expand the Domains node and then select the domain you want to work with. In the right pane, the Linked Group Policy Objects tab shows the GPOs that are currently linked to the selected domain (if any).

Note: If you don't see the domain you want to work with, right-click Domains and then select Show Domains. You can then select the available domains that you want to display.

7. Right-click the domain to which you want to link the GPO, and then select Link An Existing GPO. Use the Select GPO dialog box to select the GPO to which you want to link, and then click OK.

The GPO is now linked to the domain. In the right pane, the Linked Group Policy Objects tab should show the linked GPO as well. When Group Policy is refreshed for computers and users in the domain, the policy settings in the GPO are applied. To verify that computer policy settings have been applied as expected, restart a workstation or server in the domain and then check the computer. To verify user policy settings, have a user who is logged on to a computer in the domain log off and then log back on. You can then verify that user policy settings have been applied as expected.

Creating and Linking a Domain GPO as a Single Operation

In the GPMC, you can create and link a domain GPO as a single operation by completing the following steps:

1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.
2. Expand the entry for the forest you want to work with, and then expand the related Domains node by double-clicking it.
3. Right-click the domain you want to work with, and then select Create And Link A GPO Here.
4. In the New GPO dialog box, type a descriptive name for the new GPO and then click OK. The GPO is created and linked to the domain.
5. Right-click the GPO, and then choose Edit. In the Group Policy Object Editor, configure the necessary policy settings and then close the Group Policy Object Editor.
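The same create-then-link, create-and-link-in-one-step, and verification procedures, as an added PowerShell example that is not from the book: it uses the GroupPolicy module that ships with later Windows Server releases rather than the GPMC GUI the book describes, and the domain, site, OU and GPO names are constructed placeholders.

```powershell
# Added example (not the book's code). Requires the GroupPolicy module
# (Windows Server 2008 R2 or later, RSAT on clients). Run as a Domain Admin
# for domain/OU links; site links need Enterprise Admin or forest root
# Domain Admin, exactly as the text states. All names are placeholders.
Import-Module GroupPolicy

$domainFqdn = 'corp.example.com'                                           # placeholder
$domainDn   = 'DC=corp,DC=example,DC=com'                                  # placeholder
$ouDn       = 'OU=Workstations,DC=corp,DC=example,DC=com'                  # placeholder
$siteDn     = 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'

# --- Create, then link (two operations, as for a site GPO) ---
# The GPO exists in the Group Policy Objects container but applies to nothing yet.
$gpo = New-GPO -Name 'Site IPsec Policy' -Domain $domainFqdn `
               -Comment 'Network-specific IPsec settings scoped to one site'

# Edit settings here (GUI: Right-click > Edit), then link. A site link takes the
# site's distinguished name from the Configuration partition and must name the
# domain that stores the GPO.
New-GPLink -Name $gpo.DisplayName -Target $siteDn -Domain $domainFqdn -LinkEnabled Yes | Out-Null

# --- Create and link as a single operation (GUI: Create And Link A GPO Here) ---
# Piping the new GPO straight into New-GPLink mirrors the one-step GUI path.
New-GPO -Name 'Workstation Baseline' -Domain $domainFqdn |
    New-GPLink -Target $ouDn -Domain $domainFqdn -LinkEnabled Yes | Out-Null

# --- Verify links and precedence (GUI: Linked Group Policy Objects tab) ---
# Because one GPO can be linked at several levels, inspect what actually reaches
# the container: InheritedGpoLinks is ordered as GPMC displays it, and a lower
# Order value wins when settings conflict.
(Get-GPInheritance -Target $ouDn -Domain $domainFqdn).InheritedGpoLinks |
    Select-Object DisplayName, Order, Enabled, Enforced, Target

# --- Confirm application on a machine in scope ---
# Instead of restarting or logging off as the text describes, refresh and then
# check that the GPO is listed under "Applied Group Policy Objects":
#   gpupdate /target:computer /force
#   gpresult /r /scope:computer
```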