How to Create the Exchange GPOs and Import the Exchange Group Policy Security Templates

This topic explains how to import the Exchange Group Policy Security Templates (available from the Microsoft Download Center) into the organizational unit structure that is suggested in Security-Hardening Exchange 2003 Servers.

Before You Begin

Before you perform the following procedure, it is highly recommended that you review Security-Hardening Exchange 2003 Servers.

Procedure

To create the Exchange GPOs and import the Exchange Group Policy Security Templates

  1. In Active Directory Users and Computers, expand Member Servers, right-click Exchange Back-End Servers, and then click Properties.

  2. On the Group Policy tab, click New to add a new Group Policy object (GPO).

  3. Type Exchange Back-End Policy, and then press ENTER.

  4. Click Edit.

  5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click Security Settings, and then click Import Policy.

    Note

    If Import Policy does not appear on the menu, close Group Policy Object Editor and repeat Steps 4 and 5.

  6. In Import Policy From, navigate to the location where you saved the Exchange Group Policy Security Templates, and then double-click Exchange 2003 Backend_V1_1.inf.

  7. Close Group Policy Object Editor, and then click OK.

  8. Repeat Steps 1 through 7 for the Exchange 2003 Front-end Servers organizational unit (using the Exchange 2003 Frontend_V1_1.inf template) and for each protocol that your organization uses.

  9. In the Active Directory site where the Exchange servers reside, verify that all domain controllers are updated with the new GPO policies. Depending on your Active Directory environment, it may take several minutes for the new GPO policies to be replicated to all domain controllers in the site. To force Active Directory replication within the site, you can use the Active Directory Sites and Services MMC snap-in or the Windows Support tool, Repadmin.exe.

    For more information about both methods, see Microsoft Knowledge Base article 232072, "Initiating Replication Between Active Directory Direct Replication Partners."

  10. If you have not yet moved the servers from the root Member Server organizational unit, move a server for each role into the appropriate organizational unit.

  11. On the server, download the policy: at the command prompt, type gpupdate /force.

  12. Restart each server to ensure that each reboots successfully and that the policies have taken effect.
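The following script is an added example for verifying the result of Steps 9 through 11; it is not part of this topic and not a Microsoft script. It assumes the GPO and template names used in the steps above, a placeholder template path and domain controller name, that Repadmin.exe is installed, and that it is run on the Exchange server after the server has been moved into its organizational unit.

```powershell
# Added post-procedure check; not part of the original topic or any Microsoft script.
# Assumptions: GPO/template names as in the steps above, a placeholder template
# path, Repadmin.exe installed, and the script run on the Exchange server itself.
param(
    [string]$GpoName          = "Exchange Back-End Policy",
    [string]$TemplatePath     = "C:\Templates\Exchange 2003 Backend_V1_1.inf",  # placeholder
    [string]$DomainController = "DC01"                                            # placeholder
)

# Step 9: push the new GPO to every domain controller in the site (/A = all partitions, /P = push).
repadmin /syncall $DomainController /A /P | Out-Null

# Step 11: pull the updated computer policy to this server.
gpupdate /force /target:computer | Out-Null

# Confirm the GPO actually appears in the applied list, not merely linked to the OU.
$rsop = gpresult /scope:computer /v | Out-String
if ($rsop -match [regex]::Escape($GpoName)) {
    Write-Host "OK: '$GpoName' is listed in the resultant set of policy."
} else {
    Write-Warning "'$GpoName' not applied; check OU membership, replication and GPO link order."
}

# Compare the live security settings against the template that was imported.
# secedit writes 'Mismatch' lines to the log for settings that differ from the .inf.
$db  = Join-Path $env:TEMP "exchange-policy-check.sdb"
$log = Join-Path $env:TEMP "exchange-policy-check.log"
Remove-Item $db, $log -ErrorAction SilentlyContinue
secedit /analyze /db $db /cfg $TemplatePath /log $log /quiet | Out-Null

$mismatches = @(Select-String -Path $log -Pattern 'Mismatch' -SimpleMatch)
if ($mismatches.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the template:" -f $mismatches.Count)
    $mismatches | ForEach-Object { Write-Host ("  " + $_.Line.Trim()) }
} else {
    Write-Host "OK: no mismatches between the template and the current policy."
}
```

Run it once per server role with the matching template (Backend or Frontend); a non-empty mismatch list after Step 12 usually means a conflicting GPO with higher precedence or a setting overridden by local policy.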