Creating and Working with GPOs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Because changes to a GPO take place immediately, keep the GPO unlinked from its production location (site, domain, or OU) until you have fully tested it in a test environment. While you are developing the GPO, keep it either unlinked or linked to a test OU.

For more information about testing your Group Policy configurations prior to deployment, see "Staging Group Policy Deployments" in this book. This section details the process of creating and deploying GPOs.

The following procedures detail creating GPOs by using GPMC:

To create an unlinked Group Policy object

  1. Expand the GPMC console tree until you see Group Policy Objects under the domain in which you want to create a new GPO.

  2. Right-click Group Policy Objects.

  3. Click New.

  4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

To edit a GPO

  1. In the GPMC console tree, right-click the GPO you want to edit, and then click Edit. This starts the Group Policy Object Editor MMC snap-in.

  2. In the Group Policy Object Editor console tree, expand the items to view their policies in the details pane.

  3. In the details pane, double-click the names of the settings to open their Properties dialog boxes and change their settings. Note that some settings, such as the settings for deploying a new software installation package, use unique user interfaces.

The primary mechanism for applying the settings in a GPO to users and computers is by linking the GPO to a container in Active Directory. GPOs can be linked to three types of containers in Active Directory: sites, domains, and organizational units. A GPO can be linked to multiple Active Directory containers.

GPOs are stored on a per-domain basis. For example, if you link a GPO to an OU, the GPO is not actually located in that OU. A GPO is a per-domain object that can be linked anywhere in the forest. The UI in GPMC helps clarify the distinction between links and actual GPOs. In GPMC, you can link a GPO to Active Directory containers using any of the following methods:

  • Right-click a site, domain, or OU item, and then click Link an existing GPO here. This option is equivalent to choosing Add on the Group Policy tab that was available in the Active Directory Users and Computers MMC snap-in, prior to installing GPMC. This requires that the GPO already exist in the domain.

  • Drag a GPO from under the Group Policy objects item to the OU. This drag-and-drop functionality works only within the same domain.

You can also use the GPMC user interface to create a new GPO and link it in one step, as described below.

  • Right-click a domain or OU item, and then click Create and Link a GPO here. This option is equivalent to clicking New on the Group Policy tab that was available in the Active Directory Users and Computers snap-in, prior to installing GPMC. In the New GPO dialog box, type a name for the new GPO, and then click OK. Although this operation is presented in GPMC as one action to the user, there are actually two steps taking place. First, a GPO is created in the domain, and second, the new GPO is linked to the domain or OU.

To create a GPO and link it to a site, you must first create the GPO in the domain, and then link it.

To unlink a GPO

  1. In the GPMC console tree, right-click the GPO you want to unlink.

  2. In the details pane, click the Scope tab.

  3. In the Links section, right-click the Active Directory object.

  4. Select Delete Link from the drop-down list.

Note

  • Deleting a link is different from deleting a GPO. If you delete only the link, the GPO still exists, as do any other existing links to that GPO. However, if you delete a GPO, you will be prompted to delete the GPO and all links to it in this domain. This does not delete links to the GPO from other domains. Be sure to remove links to the GPO in other domains before deleting the GPO in this domain.

Disabling the User or Computer Configuration Property of a GPO

If you are creating a GPO to set only user-related policy settings, you can disable the Computer Configuration portion of the GPO. Doing this slightly reduces computer startup time because the Computer Configuration portion of the GPO does not have to be evaluated to determine whether any policies exist. If you are configuring only computer-related policy settings, turn off the User Configuration portion of the GPO.

See Figure 2.9 to help you identify the GPMC items referred to in the procedure that follows.

Figure 2.9   Setting GPO Status


To disable the User or Computer Configuration settings in a GPO

  1. In the GPMC console tree, click the GPO you want to modify.

  2. Click the Details tab, or right-click the GPO.

  3. In the GPO Status drop-down box, select one of these choices:

    • All settings disabled

    • Computer settings disabled

    • Enabled (default)

    • User settings disabled
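The create, status, link and unlink procedures above, scripted as an added example that is not code from the original page. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Windows Server 2008 R2 or later; these cmdlets do not exist on Windows Server 2003), and the GPO name, OU path and domain names are placeholders. It also goes one step beyond the text by enumerating links in every domain and on sites before deleting, which is what the note about links in other domains asks you to do by hand.

```powershell
# Added example (not code from the original page). The GPMC procedures above,
# scripted with the GroupPolicy and ActiveDirectory PowerShell modules
# (Windows Server 2008 R2 / RSAT or later; not available on Windows Server 2003).
# GPO name, OU path and domain names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Workstation Baseline (TEST)'             # placeholder GPO name
$testOu  = 'OU=GPO Staging,DC=corp,DC=example'       # placeholder test OU
$domains = @('corp.example', 'child.corp.example')   # placeholder forest domains

# --- Stage: create unlinked, disable the unused half, link only to the test OU ---
$gpo = New-GPO -Name $gpoName -Comment 'Computer settings only; staged first'

# Computer-only GPO, so disable the User Configuration portion
# (the "User settings disabled" choice in GPO Status). The change applies at once.
$gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled

# Link to the test OU only; production site/domain/OU links come after testing.
New-GPLink -Guid $gpo.Id -Target $testOu -LinkEnabled Yes | Out-Null

# --- Decommission: find every link in the forest before deleting the GPO ---
# Remove-GPO removes links in the GPO's own domain only; links in other domains
# and on sites would be left dangling. A link is a gPLink attribute value on the
# site, domain or OU that contains the GPO's GUID, so search for that GUID.
function Get-GPOLinkTargets {
    param([guid]$GpoId, [string[]]$Domains)
    $filter = "(gPLink=*{$GpoId}*)"
    # Sites live in the forest-wide Configuration partition: search it once.
    $configNc = (Get-ADRootDSE -Server $Domains[0]).configurationNamingContext
    Get-ADObject -Server $Domains[0] -LDAPFilter $filter -SearchBase $configNc
    foreach ($d in $Domains) {
        # Default search base is the domain naming context of that server.
        Get-ADObject -Server $d -LDAPFilter $filter
    }
}

function Remove-GPOEverywhere {
    param([Microsoft.GroupPolicy.Gpo]$Gpo, [string[]]$Domains)
    foreach ($som in Get-GPOLinkTargets -GpoId $Gpo.Id -Domains $Domains) {
        Write-Host "Unlinking $($Gpo.DisplayName) from $($som.DistinguishedName)"
        Remove-GPLink -Guid $Gpo.Id -Target $som.DistinguishedName -Domain $Gpo.DomainName
    }
    Remove-GPO -Guid $Gpo.Id -Domain $Gpo.DomainName
}

# Decommission path, to run only once the GPO is really retired:
# Remove-GPOEverywhere -Gpo $gpo -Domains $domains
```

Get-GPOLinkTargets is also a quick way to audit which containers a GPO is actually linked to before you change it, since the GPO itself records nothing about its links.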

Special Considerations for Site-linked GPOs

GPOs linked to sites can be appropriate for settings such as proxy settings and other network-related settings. Any GPO that is linked to a site container is applied to all computers in that site, regardless of which domain in the forest the computer belongs to. This has the following implications:

  • Ensure that the computers do not access a site Group Policy object across a WAN link, which would lead to significant performance issues.

  • By default, to manage site GPOs, you need to be either an Enterprise Admin, or the domain admin of the forest root domain.

  • Active Directory directory service replication between domain controllers in different sites occurs less frequently than replication between domain controllers in the same site, and occurs during scheduled periods only. Between sites, FRS replication occurs spontaneously and is not determined by the site link replication schedule; within a site this is not an issue. The directory service replication schedule and frequency are properties of the site links that connect sites. The default inter-site replication frequency is three hours. To change it, open the appropriate site link under the IP transport, and change the replication frequency or schedule as needed.

Changing either the replication frequency or schedule can significantly affect policy. For example, assume that you have replication set to three hours or longer, and you create a GPO and link it to an OU in a domain that spans several sites. You will likely need to wait several hours before all users in that OU receive the GPO.

If most of the users in an OU are in a remote location, and you have a domain controller in that site, you can work around inter-site replication latency by performing all Group Policy operations on a domain controller in that site.