Implementing Group Policy

As discussed previously, there are two types of Group Policy: local group policy and Active Directory group policy. Local group policy applies to a local machine only, and there is only one local GPO per local machine. Active Directory group policy, on the other hand, can be implemented separately for sites, domains, and OUs. Two GUI tools are available to work with Active Directory group policy. You can use the Group Policy Object Editor, which is included with a standard installation of Windows Server 2003, or the Group Policy Management Console (GPMC), which is available as a free download from the Microsoft Downloads center (http://www.microsoft.com/downloads).

When you use either of these tools to create a new GPO or modify an existing GPO, the related changes are made on the domain controller acting as the PDC Emulator if it is available. The reason the PDC Emulator is used is so that there is a central point of contact for GPO creation and editing, and this in turn helps to ensure that only one administrator is granted access to a particular GPO at a time. This also simplifies replication of the changes because changes are always replicated from the same point of origin—the PDC Emulator. However, if the PDC Emulator cannot be reached or is otherwise unavailable when you try to work with GPOs, you are given the opportunity to choose to make changes on the domain controller to which you are currently connected or any available domain controller.

Working with Local Group Policy

Any user who is a member of the local Administrators group (which, on a domain member, includes Domain Admins) can work with local group policy. To work with local group policy, you use the Local Security Policy tool, which can be accessed by clicking Start, Programs or All Programs, Administrative Tools, Local Security Policy. On a domain controller, which has no local accounts database, you select Domain Controller Security Policy instead; that tool edits the security settings of the Default Domain Controllers Policy GPO rather than a local GPO. In either case, this displays a dialog box similar to the one shown in Figure 38-4.

Figure 38-4. Using local group policy

In local group policy, you can configure security settings that apply to users and the local computer itself. Any changes you make to policy are applied to that computer the next time Group Policy is refreshed (by default every 90 minutes with a random offset of up to 30 minutes on workstations and member servers, or immediately when you run gpupdate). Because local policy is processed first, any setting that a site, domain, or OU GPO also defines is overridden by the Active Directory value. In a domain environment these settings include the following:

  • Account policies for passwords, account lockout, and Kerberos

  • Local policies for auditing, user rights assignment, and security options

  • Event logging options for configuring log size, access, and retention options for the application, system, and security logs

  • Security restriction settings for groups, system services, Registry keys, and the file system

  • Security settings for wireless networking, public keys, and Internet Protocol Security (IPSec)

  • Software restrictions that specify software applications that aren't allowed to run on the computer

Local group policy is configured in the same way as Active Directory group policy. If you want to apply a policy, you must define it and set its values as appropriate. For example, let's say you are concerned that an attacker might target the local Administrator account and you want to use Group Policy to rename it so that it is harder to find by name. Keep in mind that renaming does not change the account's relative identifier (RID 500), so anyone who can enumerate local accounts by SID can still find it; treat the rename as a small speed bump rather than a control. To do this, you would define the Accounts: Rename Administrator Account policy and set a new name for the local Administrator account by following these steps:

  1. Start the Local Security Policy tool by clicking Start, Programs or All Programs, Administrative Tools, Local Security Policy.

  2. Expand Security Options, and then double-click Accounts: Rename Administrator Account.

  3. In the Accounts: Rename Administrator Account dialog box, shown in Figure 38-5, you would select the Define This Policy Setting option, type a new name for the local Administrator account, and then click OK.

    Figure 38-5. Defining a local policy
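The same setting can be defined without the GUI by exporting the local security template, adding the setting, and applying the template with secedit. The following PowerShell is an added example, not from the book; the new account name and working folder are assumptions, and the final lookup demonstrates the RID 500 caveat above. Run it from an elevated prompt.

```powershell
# Added example (not from the book): define "Accounts: Rename administrator account"
# in local policy with secedit, then show that the renamed account is still found by SID.
# Assumptions: the new name below and a scratch folder under %TEMP%.
$newName = 'svc-break-glass'
$work    = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'secpol.inf'
$db  = Join-Path $work 'secpol.sdb'

# 1. Export the current local security policy. The exported template is UTF-16.
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# 2. Define the setting. In a template it lives under [System Access] as
#    NewAdministratorName = "<name>"; replace the line if present, otherwise add it.
$lines   = Get-Content -Path $inf -Encoding Unicode
$setting = "NewAdministratorName = `"$newName`""
if ($lines -match '^\s*NewAdministratorName\s*=') {
    $lines = $lines -replace '^\s*NewAdministratorName\s*=.*$', $setting
} else {
    $lines = foreach ($l in $lines) { $l; if ($l -eq '[System Access]') { $setting } }
}
Set-Content -Path $inf -Value $lines -Encoding Unicode

# 3. Apply the template to the local policy database (same effect as clicking OK in Figure 38-5).
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null

# 4. Check: the built-in administrator keeps RID 500 whatever it is called, so any caller
#    who can read local accounts can still locate it by SID suffix.
$admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
"Built-in administrator is now named '$($admin.Name)' (SID $($admin.SID))"
```

On a domain-joined computer a domain GPO that defines the same setting wins at the next refresh, so verify with the SID lookup after the refresh rather than right after secedit returns.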

Working with the Group Policy Object Editor

Any user who is a member of the Domain Admins or Enterprise Admins group can work with Active Directory group policy. By default, members of Group Policy Creator Owners can also create GPOs, and the right to edit, link, or delete a particular GPO can be delegated to other users and groups through its access control list. Working with Active Directory group policy is a bit different than working with local group policy. With Active Directory group policy, object creation and linking are separate. You can create GPOs and then later link them to a container in Active Directory. You can also create objects and simultaneously link them to the appropriate container. Linking GPOs to a container is what tells Active Directory to apply the related settings.

The Group Policy Object Editor is used to open specific GPOs. Although you could open a new MMC and add the Group Policy Object Editor snap-in set to the GPO you want to work with (as discussed previously in the sidebar entitled "Accessing Local Group Policy Remotely"), there are easier ways to access linked GPOs. The technique you use depends on the type of object to which the GPO is linked, as follows:

  • For a domain Start Active Directory Users and Computers. In the console tree, right-click the domain you want to work with, and then select Properties. In the Properties dialog box, click the Group Policy tab, as shown in Figure 38-6.

    Figure 38-6. Accessing GPOs

  • For an OU Start Active Directory Users and Computers. In the console tree, right-click the OU you want to work with, and then select Properties. In the Properties dialog box, click the Group Policy tab.

  • For a site Start Active Directory Sites and Services. In the console tree, right-click the site you want to work with, and then select Properties. In the Properties dialog box, click the Group Policy tab.

The New, Add, Edit, and Delete options in the Group Policy tab are discussed in the sections that follow.

Note

Once you install the Group Policy Management Console, the Group Policy tab options shown in Figure 38-6 are no longer available. You can click only Open to start the Group Policy Management Console—the use of which, I'll discuss in detail later in the chapter.

Creating and Linking a New GPO Using the Group Policy Object Editor

In the Group Policy tab, you can click New to create a new GPO that will be linked to the selected container. This link means any policy settings you define will be applied to the selected container according to the inheritance and preference options used by Active Directory. After you create the GPO by clicking New, an entry is added to the Group Policy Object Links list with the name highlighted, as shown in Figure 38-7. Type in a name, and then press Enter. Use the Up and Down buttons to change the preference order of the policy as necessary.

Figure 38-7. Creating a new GPO

Editing an Existing GPO Using the Group Policy Object Editor

In the Group Policy tab, you can edit an existing GPO linked to the selected container by selecting it and then clicking Edit. This displays the Group Policy Object Editor, as shown in Figure 38-8. You can then make changes to Group Policy as necessary. The edits are written to the GPO (on the PDC Emulator, as noted earlier) and take effect on a computer at its next Group Policy refresh, once the change has replicated to the domain controller that computer uses, according to the inheritance and preference options used by Active Directory.

Figure 38-8. Creating a new GPO

Linking to an Existing GPO Using the Group Policy Object Editor

Linking a GPO to a container applies the object to the container. In the Group Policy tab, you can link to an existing GPO by clicking Add. This displays the Add A Group Object Link dialog box, as shown in Figure 38-9.

Figure 38-9. Linking to an existing GPO

The container you are currently working with is selected in the Look In list, and any applicable policies are listed in the tab selected by default, which is either Domains/OUs or Sites depending on the type of container you are working with. If you select the All tab, you'll see all the GPOs that are available in the domain. Select the one you want to use, and then click OK. The linked policy is applied at the next Group Policy refresh, according to the inheritance and preference options used by Active Directory.

Deleting an Existing GPO by Using the Group Policy Object Editor

In the Group Policy tab, you can remove an existing GPO by selecting it and then clicking Delete. This displays the Delete dialog box, as shown in Figure 38-10. You can now select the following options:

  • Remove The Link From The List Selecting this option removes the link to the GPO in this container and means the GPO no longer applies to the objects in the container.

  • Remove The Link And Delete Selecting this option removes the link to the GPO as well as the object itself. This permanently deletes the GPO. If the object is linked to other containers in the same domain, those links are removed as well; links to the GPO from containers in other domains are not cleaned up and will show as broken until you remove them.

Figure 38-10. Removing a GPO

Working with the Group Policy Management Console

The Group Policy Management console provides an integrated interface for working with GPOs. This console was introduced in Windows Server 2003. The sections that follow provide an overview of installing and using the Group Policy Management Console.

Installing and Running the Group Policy Management Console

The Group Policy Management Console (GPMC) is available as a free download from the Microsoft Downloads Center (http://www.microsoft.com/downloads). This tool can be installed on computers running Windows Server 2003 or Windows XP Professional Service Pack 1 with QFE 326469 or later, providing Microsoft .NET Framework is also installed. Once you've downloaded the Group Policy Management Console you can install it by completing the following steps:

  1. Double-click the installer file Gpmc.msi. When the Microsoft Group Policy Management Console Setup Wizard starts, click Next.

  2. Accept the license agreement by selecting I Agree, and then click Next again to begin the installation process.

  3. When the wizard completes the installation, click Finish.

You can run the Group Policy Management console from the Administrative Tools menu. Click Start, Programs or All Programs, Administrative Tools, Group Policy Management.

Caution

You cannot install Group Policy Management Console on computers running Windows 2000 or any previous versions of Windows. These operating systems are not compatible with the extensions used by the Group Policy Management console. Once you install the Group Policy Management console on a computer, you can no longer access the Group Policy tab options discussed in the section entitled "Working with the Group Policy Object Editor" earlier in this chapter.

Using the Group Policy Management Console

When you start Group Policy Management Console, the tool connects to Active Directory running on the domain controller acting as the PDC Emulator for your logon domain and obtains a list of all GPOs and OUs in that domain. It does this using Lightweight Directory Access Protocol (LDAP) to access the directory store and Server Message Block (SMB) protocol to access the Sysvol. The result, as shown in Figure 38-11, is that for each domain to which you are connected, you have all the related GPOs and OUs available to work with in one location.
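The two lookups described above can be reproduced directly, which is also a useful check when a GPO misbehaves: the LDAP copy of a GPO (its groupPolicyContainer object) and the SMB copy (GPT.INI in Sysvol) each carry a version counter that should agree. The following PowerShell is an added example, not from the book; it assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later) and that the current user can read Sysvol.

```powershell
# Added example (not from the book): read each GPO over LDAP and over SMB, the two
# protocols GPMC itself uses, and flag GPOs whose AD and Sysvol versions disagree.
# Assumes the ActiveDirectory module and read access to \\<domain>\SYSVOL.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# LDAP side: every groupPolicyContainer under CN=Policies. versionNumber packs the
# user version in the high 16 bits and the computer version in the low 16 bits.
$containers = Get-ADObject -SearchBase $policiesDN -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, gPCFileSysPath, versionNumber

foreach ($gpc in $containers) {
    # The attribute is a signed 32-bit integer; widen it so the high word stays positive.
    $dsVersion = [long]$gpc.versionNumber
    if ($dsVersion -lt 0) { $dsVersion += 4294967296 }
    $dsUser = ($dsVersion -shr 16) -band 0xFFFF
    $dsComp = $dsVersion -band 0xFFFF

    # SMB side: GPT.INI in the GPO's Sysvol folder carries the same packed counter.
    $gptIni        = Join-Path $gpc.gPCFileSysPath 'GPT.INI'
    $sysvolVersion = $null
    if (Test-Path -LiteralPath $gptIni) {
        $m = Select-String -LiteralPath $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) { $sysvolVersion = [long]$m.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        Name          = $gpc.displayName
        Guid          = $gpc.Name
        UserVersion   = $dsUser
        CompVersion   = $dsComp
        SysvolVersion = $sysvolVersion
        # $false means AD and Sysvol replication are out of step, or Sysvol is unreachable;
        # clients keep applying whichever copy they can read until the two converge.
        Consistent    = ($sysvolVersion -eq $dsVersion)
    }
}
```

Because GPMC binds to the PDC Emulator by default, run this against another domain controller (for example by adding -Server to Get-ADObject and reading Sysvol through that server's share) when you want to see what a client in a remote site actually receives.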

Figure 38-11. The Group Policy Management Console

Accessing Forests, Domains, and Sites in Group Policy Management Console

Working with forests, domains, and sites in Group Policy Management Console is fairly straightforward, as follows:

  • Accessing forests The forest root is listed for each forest to which you are connected. You can connect to additional forests by right-clicking the Group Policy Management node in the console tree and selecting Add Forest. In the Add Forest dialog box, shown in the following screen, type the name of a domain in the forest to which you want to connect, and then click OK. As long as there is an external trust to the domain, you can establish the connection and obtain forest information—even if you don't have a forest trust with the entire forest.

  • Accessing domains You can view the domain to which you are connected in a forest by expanding the forest node and then expanding the related Domains node. By default, you are connected to your logon domain in the current forest. If you want to work with other domains in a particular forest, right-click the Domains node in the designated forest, and then select Show Domains. In the Show Domains dialog box, which has the same options as the Show Sites dialog box, select the options for the domains you want to work with and clear the options for the domains you don't want to work with. Then click OK.

  • Accessing sites Because Group Policy is primarily configured for domains and OUs, sites are not shown by default in GPMC. If you want to work with the sites in a particular forest, right-click the Sites node in the designated forest, and then select Show Sites. In the Show Sites dialog box, shown in the following screen, select the options for the sites you want to work with and clear the options for the sites you don't want to work with. Then click OK.


Creating and Linking a New GPO in Group Policy Management Console

In the Group Policy Management Console you can create and link a new GPO by completing the following steps:

  1. Access the domain or OU you want to work with in Group Policy Management Console. Do this by expanding the forest node and the related Domains node as necessary, with the following guidelines:

    • If you selected a domain node, you see a list of the current GPOs and OUs in the domain.

    • If you selected an OU node, you see a list of the current GPOs for the OU (if any).

  2. Right-click the domain or OU node, and select Create And Link A GPO Here.

  3. In the New GPO dialog box, type a name for the GPO, and then click OK.

Note

Group Policy Management console doesn't let you create and link a new GPO for sites. You can, however, use the Group Policy Management console to link a site to an existing GPO. For more information, see the section "Linking to an Existing GPO in the Group Policy Management Console" later in this chapter.

The new GPO is added to the current list of linked GPOs. If you select the domain or OU node, you can change the preference order of the GPO by selecting it in the Linked Group Policy Objects tab and then using the Move Link Up or Move Link Down buttons to change the preference order (see Figure 38-12).

Figure 38-12. Changing the preference order of a GPO

Editing an Existing GPO in the Group Policy Management Console

In the Group Policy Management console, you can edit an existing GPO linked to the selected container by right-clicking it and then selecting Edit. This displays the Group Policy Object Editor. You can then make changes to Group Policy as necessary. The changes are applied at the next Group Policy refresh, after they have replicated from the PDC Emulator to the domain controller a given computer uses, according to the inheritance and preference options used by Active Directory.

Linking to an Existing GPO in the Group Policy Management Console

Linking a GPO to a container applies the object to the container. In the Group Policy Management console, you can link an existing GPO to a domain, OU, or site by completing the following steps:

  1. Access the domain or OU you want to work with in Group Policy Management Console. Do this by expanding the forest node and the related Domains node as necessary.

  2. Right-click the domain, OU, or site node, and select Link An Existing GPO.

  3. In the Select GPO dialog box, shown in Figure 38-13, select the GPO to use, and then click OK.

    Figure 38-13. Choose the GPO that you want to link to the currently selected container

  4. The linked policy is applied at the next Group Policy refresh, according to the inheritance and preference options used by Active Directory.

Deleting an Existing GPO in the Group Policy Management Console

In the Group Policy Management console, you use different techniques to remove GPO links and the GPOs themselves, as follows:

  • If you want to remove a link to a GPO, you right-click the GPO in the container to which it is linked and then select Delete. When prompted to confirm that you want to remove the link, click OK.

  • If you want to remove a GPO and all links to the object, expand the forest, the Domains node, and the Group Policy Objects node. Right-click the GPO, and then select Delete. When prompted to confirm that you want to remove the GPO and all links to it, click OK.
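The create, edit, link, reorder, and delete operations described for the Group Policy tab and for the Group Policy Management Console above map one-to-one onto cmdlets in the GroupPolicy module, which also makes the distinction between removing a link and removing a GPO explicit. The following PowerShell is an added example, not from the book; it assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later, which postdates the GPMC described here), and the GPO names, target OU, and registry setting are assumptions for illustration.

```powershell
# Added example (not from the book): the GPO lifecycle the GUI exposes, scripted.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, an OU named Workstations,
# an existing GPO named 'Audit Baseline', and the Remote Desktop policy value below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOU = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU
$pdc      = $domain.PDCEmulator                              # same DC the GUI tools prefer

# Create and link a new GPO in one step (GPMC's "Create And Link A GPO Here").
$gpo = New-GPO -Name 'Workstation Hardening' -Comment 'Added example' -Server $pdc
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -Server $pdc | Out-Null

# Edit: write a registry-based policy setting into the GPO (not into the OU).
Set-GPRegistryValue -Guid $gpo.Id -Server $pdc `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 1 | Out-Null

# Link an existing GPO to the same OU at position 1. Lower link order wins conflicts;
# the Move Link Up/Down buttons in Figure 38-12 change this same number.
$existing = Get-GPO -Name 'Audit Baseline' -Server $pdc          # assumed existing GPO
New-GPLink -Guid $existing.Id -Target $targetOU -Order 1 -Server $pdc | Out-Null

# Inspect: the OU's links in preference order, and whether inheritance is blocked.
$inh = Get-GPInheritance -Target $targetOU -Server $pdc
$inh.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
"Inheritance blocked on $($targetOU): $($inh.GpoInheritanceBlocked)"

# Remove the link only: the GPO object survives and can be relinked later.
Remove-GPLink -Guid $existing.Id -Target $targetOU -Server $pdc | Out-Null

# Remove the GPO itself: deletes the object and every link to it in this domain.
Remove-GPO -Guid $gpo.Id -Server $pdc

# Verify both outcomes.
Get-GPO -Guid $existing.Id -Server $pdc | Select-Object DisplayName, Id   # still present
Get-GPO -Guid $gpo.Id -Server $pdc -ErrorAction SilentlyContinue          # returns nothing
```

Pass -Server $pdc on every call for the same reason the GUI tools prefer the PDC Emulator: a single point of origin avoids two administrators editing the same GPO on different domain controllers and producing a replication conflict. Remove-GPO, like the GUI, removes links only within the GPO's own domain; links from other domains must be removed separately.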
