Linking GPOs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.

Linking GPOs to the Site

If you have a number of policy settings to apply to computers in a particular physical location only — certain network or proxy configuration settings, for example — these settings might be appropriate for inclusion in a site-based policy. Because domains and sites are independent, a GPO linked to a site is stored in one domain, and computers in that site that belong to other domains must reach a domain controller in the GPO's domain to retrieve it. In this case, make sure there is good connectivity between the domains involved.

If, however, the settings do not clearly correspond to computers in a single site, it is better to assign the GPO to the domain or OU structure rather than to the site.

Linking GPOs to the Domain

Link GPOs to the domain if you want them to apply to all users and computers in the domain. For example, security administrators often implement domain-based GPOs to enforce corporate standards. They might want to create these GPOs with the GPMC Enforce option enabled to guarantee that no other administrator can override these settings.

Important

  • If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. In general, do not modify this or the Default Domain Controller Policy GPO. If you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure you can restore them.

As the name suggests, the Default Domain Policy GPO is also linked to the domain. The Default Domain Policy GPO is created when the first domain controller in the domain is installed and the administrator logs on for the first time. This GPO contains the domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy), which are enforced by the domain controllers in the domain. All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO. In order to apply account policies to domain accounts, these policy settings must be deployed in a GPO linked to the domain, and it is recommended that you set these settings in the Default Domain Policy. If you set account policies at a lower level, such as an OU, the settings only affect local accounts (non-domain accounts) on computers in that OU and its children.
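The point above has a practical consequence: account policy settings placed in a GPO that is not linked to the domain silently affect only local accounts. The following added example (not code from the original article) audits a domain for that condition by reading each GPO's security template (GptTmpl.inf) from SYSVOL and flagging GPOs that define account policy keys but have no link at the domain level. It assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later) and uses a placeholder domain name.

```powershell
# Added example, not from the original article: find GPOs that define Password,
# Account Lockout or Kerberos policy settings but are not linked to the domain,
# where those settings only reach local accounts. Assumes the GroupPolicy module;
# the domain name is a placeholder.
Import-Module GroupPolicy

$Domain   = 'contoso.example'                        # placeholder
$DomainDN = 'DC=' + ($Domain -replace '\.', ',DC=')  # contoso.example -> DC=contoso,DC=example

# GptTmpl.inf keys that make up the three domain-wide account policies.
$AccountPolicyKeys = @(
    'MinimumPasswordAge', 'MaximumPasswordAge', 'MinimumPasswordLength',   # Password Policy
    'PasswordComplexity', 'PasswordHistorySize', 'ClearTextPassword',
    'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount',               # Account Lockout Policy
    'MaxTicketAge', 'MaxRenewAge', 'MaxServiceAge', 'MaxClockSkew',          # Kerberos Policy
    'TicketValidateClient'
)

# Returns the account-policy keys a GPO defines, read from its security template in SYSVOL.
function Get-GpoAccountPolicyKeys {
    param([Parameter(Mandatory)]$Gpo)
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\{$($Gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    # Lines look like "MinimumPasswordLength = 14"; the file is UTF-16 with a BOM,
    # which Get-Content detects.
    $keys = foreach ($line in Get-Content -LiteralPath $inf) {
        $name = ($line -split '=', 2)[0].Trim()
        if ($AccountPolicyKeys -contains $name) { $name }
    }
    return @($keys)
}

# IDs of GPOs linked directly to the domain: the only place account policies reach domain accounts.
$DomainLinkedIds = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks |
    ForEach-Object { $_.GpoId }

foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $keys = Get-GpoAccountPolicyKeys -Gpo $gpo
    if ($keys.Count -gt 0 -and $DomainLinkedIds -notcontains $gpo.Id) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Id       = $gpo.Id
            Settings = ($keys -join ', ')
            Finding  = 'Account policy settings outside a domain-linked GPO; they affect only local accounts'
        }
    }
}
```

A GPO that is unlinked, or linked only to OUs or sites, appears in the output; the Default Domain Policy does not, because it is linked at the domain.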

Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for some reason there is a problem with the changes to the default GPOs and you cannot revert to the previous or initial state, you can use the Dcgpofix.exe tool to recreate the default policies in their initial state.
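The recommended practice from the Important note and the paragraph above, in script form: back up both default GPOs, verify the backups were written, and then deliver the changed settings through a new GPO linked to the domain with Enforce set, leaving the defaults untouched. This is an added example, not code from the original article; it assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later), and the domain name, GPO name and backup path are placeholders.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module;
# domain, GPO name and backup path are placeholders.
Import-Module GroupPolicy

$Domain     = 'contoso.example'                          # placeholder
$DomainDN   = 'DC=' + ($Domain -replace '\.', ',DC=')
$BackupRoot = 'C:\GPOBackups\' + (Get-Date -Format 'yyyyMMdd-HHmm')
$NewGpoName = 'Corporate Security Baseline'              # placeholder

# 1. Back up the default GPOs first and confirm each backup folder exists.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $b = Backup-GPO -Name $name -Domain $Domain -Path $BackupRoot -Comment "Pre-change backup of $name"
    # GPMC stores each backup in a folder named by the backup ID in braces.
    if (-not (Test-Path (Join-Path $BackupRoot "{$($b.Id)}"))) {
        throw "Backup of '$name' did not produce a backup folder under $BackupRoot"
    }
    Write-Host "Backed up '$name' as backup ID $($b.Id)"
}

# 2. Create the new GPO (or reuse an existing one) and link it to the domain as
#    Enforced, so that no lower-level link can override its settings.
$gpo = Get-GPO -Name $NewGpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $NewGpoName -Domain $Domain -Comment 'Domain-wide settings; Default Domain Policy left unchanged'
}
$existing = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if ($existing) {
    Set-GPLink -Guid $gpo.Id -Target $DomainDN -Domain $Domain -Enforced Yes | Out-Null
} else {
    New-GPLink -Guid $gpo.Id -Target $DomainDN -Domain $Domain -Enforced Yes -LinkEnabled Yes | Out-Null
}

# 3. Verify the link really is enforced before relying on it.
$link = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $link.Enforced) { throw "Link for '$NewGpoName' is not enforced" }
"{0} linked to {1}: link order {2}, enforced {3}" -f $gpo.DisplayName, $DomainDN, $link.Order, $link.Enforced
```

The GPO created here is empty until you edit it; the script only establishes the backup and the enforced domain link.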

Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and Default Domain Controller GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is only intended for disaster recovery of the default GPOs.

Note that Dcgpofix.exe does not save any information created through applications, such as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows Server 2003 domain.

Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:

DCGPOFix [/Target: Domain | DC | BOTH]

Table 2.1 describes the options you can use with the command line parameter /Target: when using the Dcgpofix.exe tool.

Table 2.1   Dcgpofix.exe Options for Using the /Target Parameter

/Target option   Description of option
DOMAIN           Specifies that the Default Domain Policy should be recreated.
DC               Specifies that the Default Domain Controllers Policy should be recreated.
BOTH             Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.

For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003 click Tools, and then click Command-line reference A-Z.

Linking GPOs to the OU Structure

Most GPOs are normally linked to the OU structure because this provides the most flexibility and manageability:

  • You can move users and computers into and out of OUs.

  • OUs can be rearranged if necessary.

  • You can work with smaller groups of users who have common administrative requirements.

  • You can organize users and computers based on which administrators manage them.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting. However, separating the user and computer components into separate GPOs might require more GPOs. You can compensate for this by adjusting the GPO Status to disable the user or computer configuration portions of the GPO that do not apply and to reduce the time required to apply a given GPO.

Within each domain, site, and OU, the link order controls the order in which GPOs are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. Links with the lowest number have the highest precedence for a given site, domain, or OU. For example, if you add six GPO links and later decide that you want the last one that you added to have the highest precedence, you can adjust the link order of that GPO link so that it has a link order of 1. To change the link order for GPO links for a domain, OU, or site, use GPMC.
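The reorder described above, scripted against one container: list the links in precedence order, move a named link to order 1, and confirm the new order was applied. This is an added example, not code from the original article; it assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later), and the OU distinguished name and GPO name are placeholders.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module;
# the OU and GPO names are placeholders.
Import-Module GroupPolicy

# Lists the GPO links on a site, domain or OU from highest to lowest precedence.
function Show-GpoLinkOrder {
    param([Parameter(Mandatory)][string]$Target)
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

# Moves one link to link order 1 (highest precedence in that container) and verifies it.
function Set-GpoLinkToTop {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$GpoName
    )
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link) { throw "'$GpoName' is not linked to $Target" }
    if ($link.Order -eq 1) { return }          # already highest precedence

    Set-GPLink -Guid $link.GpoId -Target $Target -Order 1 | Out-Null

    # Re-read the container: the other links should have shifted down by one.
    $after = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $link.GpoId }
    if ($after.Order -ne 1) {
        throw "Reorder failed: '$GpoName' now has link order $($after.Order)"
    }
}

$ou = 'OU=Workstations,DC=contoso,DC=example'          # placeholder
'Before:'; Show-GpoLinkOrder -Target $ou
Set-GpoLinkToTop -Target $ou -GpoName 'Workstation Hardening'   # placeholder GPO name
'After:';  Show-GpoLinkOrder -Target $ou
```

Link order only decides precedence among links on the same container; it does not change which containers the GPO is linked to.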