Installation and Configuration of Active Directory Base Model Banking & Security Solution by Windows Server 2003 through the Act of Central Bank
Beginning the Installation Windows Server 2003
Setup creates the disk partitions on the computer running Windows Server 2003, formats the drive, and then copies installation files from the CD to the server.
Note: These instructions assume that installing Windows Server 2003 on a computer that is not already running Windows. If upgrading from an older version of Windows, some of the installation steps may differ.
To begin the installation
- Insert the Windows Server 2003 CD in the CD-ROM drive.
- Restart the computer. If prompted, press any key to boot from the CD.
- The Windows Server 2003 installation begins.
- On the Welcome to Setup screen, press Enter.
- Review and, if acceptable, agree to the license agreement by pressing F8.
- Follow the instructions to delete all existing disk partitions. The exact steps will differ based on the number and type of partitions already on the computer. Continue to delete partitions until all disk space is labeled as Unpartitioned space.
- When all disk space is labeled as Unpartitioned space, press C to create a partition in the unpartitioned space on the first disk drive (as applicable).
- If the server has a single disk drive, split the available disk space in half to create two equal-sized partitions. Delete the total space default value. Type the value of half total disk space at the Create partition of size (in MB) prompt, and the press Enter. After the New <Raw> partition is created, press Enter.
Select Format the partition using the NTFS file system <Quick>, and then press Enter.
Windows Server 2003 Setup formats the partition and then copies the files from the Windows Server 2003 Server CD to the hard drive. The computer restarts and the Windows Server 2003 Installation Program continues.
Completing the Installation
To continue the installation with the Windows Server 2003 Setup Wizard
- The Windows Server 2003 Setup Wizard detects and installs devices. This can take several minutes, and during the process the screen may flicker.
- In the Regional and Language Options dialog box, make changes required for locale (Here select +6 GMT Astana Dhaka) and then click Next.
- In the Personalize Your Software dialog, type Moni in the Name box and type Personal in the Organization box. Click Next.
- Type the Product Key (found on the back of your Windows Server 2003 CD case) in the text boxes provided, and then click Next.
- In the Licensing Modes dialog box, select the appropriate licensing mode for organization, and then click Next.
In the Computer Name and Administrator Password dialog box, type the new computer name DC-1 in the computer name box, and then click Next.
Best Practice: To facilitate the steps in these guides, the Administrator password is left blank and there is no password. This is not an acceptable security practice. When installing a server for the production network, a password should always be set. Windows Server 2003 requires complex passwords by default.
- When prompted by Windows Setup, click Yes to confirm a blank Administrator password.
- In the Date and Time Settings dialog box, correct the current date and time if necessary, and then click Next.
- In the Networking Settings dialog box, make sure Typical Settings is selected, and then click Next.
- In the Workgroups or Computer Domain dialog box (No is selected by default), click Next.
Note: A domain name could be specified at this point, but this guide uses the Configure Your Server Wizard to create the domain name at a later time. The Windows Server 2003 Installation continues and configures the necessary components. This may take a few minutes.
Preparing a Secondary Partition or Secondary Disk Drive
The unpartitioned space from the installation of Windows Server 2003 requires formatting before it can be accessed by the operating system. Management of disks and partitions occurs through the Computer Management snap-in for Microsoft Management Console. The following steps assume a second disk drive is in use; modify procedures accordingly for a second partition.
To prepare a secondary partition or disk drive
Warning: Formatting a partition destroys all data on that partition. Make sure that select the correct partition.
1. Press Ctrl+Alt+Del and log on to the server as administrator. Leave the password blank.
2. Click the Start button, point to Administrative Tools, and then click Computer Management.
3. To define and format the unpartitioned space, click Disk Management.
4. Right-click Unallocated on Disk 1.
5. To define a partition, click New Partition, and then click Next to continue.
6. Select Primary Partition (default), and then click Next to continue.
7. Click Next leaving the Partition size in MB set to the default.
8. For Assign the following drive letter, select (D….), and then click Next to continue.
9. Under Format this partition with the following settings, click Perform a quick format. Click Next, and then Finish to complete the configuration of the secondary disk drive. Once finished, disk allocation should look similar to the following Figure.
How to Install Active Directory on Windows Server 2003
This topic explains how to install Active Directory on a Windows Server 2003.
Either at the console or through a terminal session, we have to log on to as a member of the Administrators group.
To install Active Directory on Windows Server 2003
- Click Start, click Run, type dcpromo, and then click OK
- On the first page of the Active Directory Installation Wizard, click Next
- On the next page of the Active Directory Installation Wizard, click Next
- On the Domain Controller Type page, click Domain Controller for a new domain, and then click Next
- On the Create New Domain page, click Domain in a new forest, and then click Next
- On the New Domain Name page, in the Full DNS name for new domain box, type com (Domain name), and then click Next.
- On the Database and Log Folders page, accept the defaults in the Database folder box and the Log folder box, and then click Next
- On the Shared System Volume page, accept the default in the Folder location box, and then click Next
- On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS Server, and then click Next
- On the Permissions page, click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next
- On the Directory Services Restore Mode Administrator Password page, enter a password in the Restore Mode Password box, retype the password to confirm it in the Confirm password box, and then click Next
- On the Summary page, confirm the information is correct, and then click Next
- When prompted to restart the computer, click Restart now
- After the computer restarts, log on to as a member of the Administrators group
Create a new child domain
To create a new child domain
- Click Start, click Run, and then type dcpromo to start the Active Directory Installation Wizard.
- On the Operating System Compatibility page, read the information and then click Next. If this is the first time one have installed Active Directory on a server running Windows Server 2003.
3. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next
4. On the Create New Domain page, click Child domain in an existing domain tree, and then click Next
5. On the Network Credentials page, type the user name, password, and user domain of the user account one want to use for this operation, and then click Next. The user account must be a member of the Enterprise Admins group.
6. On the Child Domain Installation page, verify the parent domain and type the new child domain name, and then click Next
7. On the NetBIOS Domain Name page, verify the NetBIOS name, and click Next
8. On the Database and Log Folders page, type the location in which one want to install the database and log folders, or click Browse to choose a location, and then click Next
9. On the Shared System Volume page, type the location in which one want to install the Sysvol folder, or click Browse to choose a location, and then click Next
10. On the DNS Registration Diagnostics page, verify the DNS configuration settings are accurate, and then click Next
11. On the Permissions page select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems and then click next
12. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that one want to assign to the Administrator account for this server, and then click Next. Use this password when starting the computer in Directory Services Restore Mode
13. Review the Summary page, and then click Next to begin the installation
Setting Up Additional Domain Controllers
Creating Additional Domain Controllers
The following steps should be performed on a computer that has Windows Server 2003 installed and is connected to the common network infrastructure created in Prerequisites in this guide.
Best Practice: While not strictly required, Microsoft highly recommends that all domain controllers, DNS and Dynamic Host Configuration Protocol (DHCP) servers, routers, and printers within the common infrastructure be assigned static Internet Protocol (IP) addresses.
Configuring Static IP addresses
- Log on to the server.
- Click the Start button, right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- In the Local Area Connection dialog box, double-click Internet Protocol.
- In the Local Area Connection dialog box, click OK.
- Close the Network and Dial-up Connection dialog box.
Configuring a Replication Partner
The Role of Sites in Active Directory Replication
Sites enable the replication of directory data both within and among sites. Active Directory replicates information within a site more frequently than across sites, implying that better connected domain controllers receive updates first. The domain controllers in other sites will receive all updates to the directory, although, to reduce the bandwidth requirements for slower network connections, updates are scheduled to occur less frequently.
A site is delimited by a subnet and is usually geographically bound. Sites differ in concept from Windows Server 2003 based domains in that sites can span multiple domains, and a domain can span multiple sites. Sites are not part of the domain namespace but they do control replication of domain information and help determine resource proximity. For example, a workstation will select a domain controller within its site against which to authenticate.
Directory information can be exchanged using the following replication transports: Remote Procedure Call (RPC) over Transmission Control Protocol/Internet Protocol (TCP/IP) and Simple Mail Transfer Protocol (SMTP). To take advantage of multi-master replication, one can set up another domain controller to serve as a replication partner for the first domain controller in the Banani child domain.
Configuring an Additional Domain Controller as a Replication Partner
To configure an additional domain controller as a replication partner
- On dalimpc the Start button, click Run, type DCPromo, and then click OK.
- Once the Active Directory Installation Wizard appears, click Next to begin.
- Review the Operating System Compatibility information, and then click Next to continue.
- On the Domain Controller Type page, select Additional domain controller for an existing domain, and then click Next to continue with the installation of Active Directory.
- In the Network Credentials box, enter the user name as Administrator, do not enter a password, type the domain name as securesystem.com, and then click Nex
- On the Additional Domain Controller page, enter the domain name as support.securesystem.com, and then click Next to continue.
- In the NetBIOS Domain Name box, accept the default value of SUPPORT, and then click Next
- On the Database and Log on Locations page, accept the defaults, and then click Next
- On the Shared System Volume page, accept the defaults, and then click Next
- On the Directory Services Restore Mode Administrator Password page, type password for Restore Mode Password and Confirm password. Click Next to continue.
- Confirm one’s selections on the Summary page, and then click Next to start the configuration of Active Directory
- Once the Active Directory Installation Wizard completes, click Finish, and then click Restart Now to reboot the system.
How To Install and Configure DNS Server in Windows Server 2003
This step-by-step process describes how to install and configure DNS on Windows Server 2003 computer.
Before start to configure DNS, we have to gather some basic information. Internic must approve some of this information for use on the Internet, but if one is configuring this server for internal use only, can decide what names and IP addresses to use.
One must have the following information:
• The domain name (approved by Internic).
• The IP address and host name of each server that one want to provide name resolution for.
Before configure the computer as a DNS, verify that the following conditions are true:
• Operating system is configured correctly. In the Windows Server 2003 family, the DNS service depends on the correct configuration of the operating system and its services, such as TCP/IP. If we have a new installation of a Windows Server 2003 operating system, then we can use the default service settings. We do not have to take additional action.
• Have allocated all the available disk space.
• All the existing disk volumes use the NTFS file system. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions
Open Windows Components Wizard. To do so, use the following steps:
- Click Start, click Control Panel, and then click Add or Remove Programs.
- Click Add/Remove Windows Components.
- In Components, select the Networking Services check box, and then click Details.
- In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next
Start the Configure Your Server Wizard. To do so, click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard.
On the Server Role page, click DNS server, and then click Next
On the Summary of Selections page, view and confirm the options that have selected. The following items should appear on this page:
- Install DNS
- Run the Configure a DNS Wizard to configure DNS
If the Summary of Selections page lists these two items, click Next. If the Summary of Selections page does not list these two items, click Back to return to the Server Role page, click DNS, and then click Next
When the Configure Your Server Wizard installs the DNS service, it first determines whether the IP address for this server is static or is configured automatically. If server is currently configured to obtain its IP address automatically, the Configuring Components page of the Windows Components Wizard prompts to configure this server with a static IP address.
- In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
- In the Internet Protocols (TCP/IP) Properties dialog box, click Use the following IP address, and then type the static IP address, subnet mask, and default gateway for this server.
- In Preferred DNS, type the IP address of this server.
- In Alternate DNS, type the IP address of another internal DNS server, or leave this box blank.
- When finish setting up the static addresses for DNS, click OK, and then click Close.
After click Close, the Configure a DNS Server Wizard starts. In the wizard, follow these steps:
- On the Select Configuration Action page, select the Create a forward lookup zone check box, and then click Next
- To specify that this DNS hosts a DNS zone that contains DNS resource records for network resources, on the Primary Server Location page, click This server maintains the zone, and then click Next.
- On the Zone Name page, in Zone name, specify the name of the DNS zone for network, and then click Next. The name of the zone is the same as the name of the DNS domain for organization or branch office.
- On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, and then click Next. This makes sure that the DNS resource records for the resources in network update automatically.
- On the Forwarders page, click No, it should not forward queries, and then click Next
- On the Completing the Configure a DNS Wizard page of the Configure a DNS Wizard, one can click Back to change any of the settings. To apply selections, click Finish.
- After finish the Configure a DNS Wizard, the Configure the Server Wizard displays the This Server is Now a DNS Server page. To review all the changes that made to server in the Configure the Server Wizard or to make sure that a new role was installed successfully, click Configure Your Server log. The Configure Server Wizard log is located at %systemroot%\Debug\Configure Server.log. To close the Configure Your Server Wizard, click Finish.
Install DHCP (1st process)
Open Windows Components Wizard. To do so, use the following steps:
- Click Start, click Control Panel, and then click Add or Remove Programs.
- Click Add/Remove Windows Components.
Setting up a DHCP Server (2nd process)
This will serve as a step-by-step guide on how to setup a DHCP server.
Installing the DHCP server is made quite easy in Windows 2003. By using the “Manage your server” wizard, one is able to enter the details one require and have the wizard set the basics.
- Open to “Configure your server” wizard, select the DHCP server option for the list of server roles and press Next, Enter the name and description for scope. (Scope: A scope is a collection of IP addresses for computers on a subnet that use DHCP.)
- The next window is to define the range of addresses that the scope will distribute across the network and the subnet mask for the IP address. Enter the appropriate details and click next.
- A window in which must add any exclusion to the range of IP addresses specified in the previous window. In this case, eleven IP’s will be reserved and not distributed amongst the network clients.
- It is now time to set the lease duration for how long a client can use an IP address assigned to it from this scope. It is recommended to add longer leases for a fixed network (in the office for example) and shorter leases for remote connections or laptop computers. In this example we have set lease duration of twelve hours since the network clients would be a fixed desktop computer in a local office and the usual working time is eight hours.
- Choosing No will allow configuring these options at a later stage. So, click on the radio button besides Yes, I want to configure these options now.
- The router, or gateway, IP address may be entered in next. The client computers will then know which router to use.
- In the following window, the DNS and domain name settings enter. The DNS server IP address will be distributed by the DHCP server and given to the client.
- If one have WINS setup then here is where to enter the IP Address of the WINS server. One can just input the server name into the appropriate box and press “Resolve” to allow it to find the IP address itself. In our case we have not configure WINS server that’s why it is retain empty.
- The last step is to activate the scope – just presses next when see the window below. The DHCP server will not work unless do this.
- The DHCP server has now been installed with the basic settings in place. The next stage is to configure it to the needs of network structure.
Configuring a DHCP server
Here under is a simple explanation of how to configure a DHCP server.
- The address pool displays a list of IP ranges assigned for distribution and IP address exclusions. We are able to add exclusion by right clicking the address pool text on the left hand side of the mmc window and selecting “new exclusion range”. This will bring up a window (as seen below) which will allow us to enter an address range to be added. Entering only the start IP will add a single IP address.
- DHCP servers permit to reserve an IP address for a client. This means that the specific network client will have the same IP for as long as wanted it to. To do this we will have to know the physical address (MAC) of each network card.
- Enter the reservation name, desired IP address, MAC address and description – choose whether want to support DHCP or BOOTP and press add. The new reservation will be added to the list. As an example, we have reserved an IP address (192.168.0.115) for a client computer called Moni.
- If one right click scope options and press “configure options” one will be taken to a window in which configure more servers and their parameters. These settings will be distributed by the DHCP server along with the IP address. Server options act as a default for all the scopes in the DHCP server. However, scope options take preference over server options.
- In our opinion, the DHCP server in Windows 2003 is excellent! It has been improved from the Windows 2000 version and is classified as essential for large networks. Imagine having to configure each and every client manually – it would take up a lot of time and require far more troubleshooting if a problem was to arise. Before touching any settings related to DHCP, it is best to make a plan of our network and think about the range of IPs to use for the computers.
Changing Domain and Forest Functionality
Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain– or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.
If all domain controllers in your domain or forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain– and forest-wide features are available. When Windows NT® 4.0 or Windows 2000 domain controllers are included in your domain or forest with domain controllers running Windows Server 2003, only a subset of Active Directory domain– and forest-wide features are available.
The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security ID (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows 2000 Server are not aware of domain and forest functionality.
Warning: Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.
To raise domain functionality
- Right-click the domain object (in the example, contoso.com), and then click Raise Domain Functional Level.
- From the Select an available domain functional level drop-down list, select Windows Server 2003, and then click Raise.
- Click OK on the warning message to raise domain functionality. Click OK again to complete the process.
- Close the Active Directory Domains and Trusts window.
Delegating Creation and Deletion of Users
The following steps demonstrate the delegation of specific tasks to an authoritative security group. In this example, the HRTeam—members of the Human Resources Department—need permissions for the creation or deletion of user accounts to facilitate employment operations. This type of delegation represents a secondary level of delegation in that control is assigned on a subset of rights for a specific container. In the previous example, all rights for a specific container were assigned.
To delegate control of specific tasks to the HRTeam
- In the Active Directory Users and Computers snap-in, click the Divisions OU.
- Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.
- On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.
- On the Tasks to Delegate page, under Delegate the following common tasks, click Create, delete, and manage user accounts—the first option—as shown in Figure. Click Next to continue.
Verifying the Permissions Granted
To verify the permissions granted
- In the Active Directory Users and Computers snap-in, right-click Divisions, and then click Properties.
- On the Security tab, click Advanced. As shown in Figure 4, permissions that apply to user objects are detailed, including appropriate permissions for the HRTeam.
- Double-click the second HRTeam entry (Create/Delete User Objects) and note that the Create User objects and
- Delete User objects rights have been successfully assigned. Note that these permissions Apply onto this object (Divisions OU) and all child objects. Close all windows.
Delegating Resetting of Passwords for All Users
Expanding the previous example of delegating control for specific tasks, this section details a common IT support operation—resetting passwords. As password resets are one of the most frequent IT support requests, delegating control to a lower tier of IT support can streamline IT operations.
To delegate control of password resets to the HelpDesk group
1. In the Active Directory Users and Computers snap-in, click the Divisions OU.
2. Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.
3. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HelpDesk, double-click HelpDesk, and then click OK. Click Next to continue.
4. On the Tasks to Delegate page, under Delegate the following common tasks, click Reset user passwords and force password change at next logon as shown in Figure. Click Next to continue.
Delegating Control of Custom Tasks
The previous examples detailed varying levels of delegating control on specific Active Directory containers. For the delegation of specific tasks, predefined options were selected for delegation. The Delegation of Control Wizard provides an additional level of granularity allowing for custom-built tasks to be assigned to specific users or groups. In the following section, the HRTeam will be assigned permissions to modify specific user attributes to facilitate general employment operations.
To assign control for creating and deleting a user’s personal information in Active Directory to the HRTeam
- In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears. Click Next.
- On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.
- On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.
- On the Active Directory Object Type screen, click Only the following objects in the folder.
- Scroll down to the final entry and select the User Objects check box. At the bottom of the Active Directory Object Type screen, select both Create / Delete selected objects in this folder check boxes. Review your settings as shown in Figure 6, and then click Next to continue.
Note: Selecting the property-specific check box will provide an additional level of detail at the attribute level. For example, if you only wanted the HRTeam to be able to change a user’s street address, you would select that particular attribute.
Group Policy Management Console (GPMC)
Installing and Configuring GPMC
Installing GPMC is a simple process that involves running a Windows Installer (.MSI) package.
To install the Group Policy Management Console
1. On server mpc, navigate to the folder containing gpmc.msi, double-click the gpmc.msi package, and then click Next.
2. Click I Agree to accept the End User License Agreement (EULA), and then click Next.
3. Click Finish to complete the installation of GPMC.
When the installation is complete, the Group Policy tab that appeared on the Property pages of sites, domains, and organizational units (OUs) in the Active Directory snap-ins is updated to provide a direct link to GPMC. The functionality that previously existed on the original Group Policy tab is no longer available since all functionality for managing Group Policy is available through GPMC.
To open the GPMC snap-in
1. On server mpc, click the Start button, click Run, type GPMC.msc, and then click OK.
Note: Alternatively, either of the following methods can be used to launch the GPMC.
• Click the Group Policy Management shortcut in the Administrative Tools folder on the Start menu or in the Control Panel.
2. Create a custom MMC console: click the Start button, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-in, and then click Add. Click to highlight Group Policy Management, click Add, click Close, and then click OK.
Configuring GPMC for Multiple Forests
Multiple forests can be easily added to the GPMC console tree. By default, we can only add a forest to GPMC if there is a two-way trust with the forest of the user running GPMC. We can optionally enable GPMC to work with only one- way trust or even no trust. Adding an additional forest to the GPMC is accomplished by highlighting Group Policy Management at the tree’s root, selecting Action from the context menu, and then clicking AddForest. Since the sample environment only contains a single forest, performing these steps is beyond the scope of this step-by-step guide.
Note: When adding forests to which have no trust, some functionality will not be available. For example, Group Policy Modeling is not available, and it is not possible to open the Group Policy Object Editor on GPOs in the untrusted forest. The untrusted forest scenario is primarily intended to enable copying GPOs across forests.
Managing Multiple Domains Simultaneously
GPMC supports management of multiple domains at the same time, with each domain grouped by forest in the console. By default, only a single domain is shown in GPMC. When we first start GPMC using either the pre-configured snap-in (gpmc.msc) or a custom MMC console, GPMC displays the domain that contains the user account we used to start GPMC. We can specify domains in each forest that we want to manage using GPMC by adding and removing the domains shown in the console.
Note: We can add externally trusted domains, even if we do not have forest trust with the entire forest. By default, must have two-way trust between the domain want to add and the domain of user object. We can also add domains across a one-way trust by disabling the trust detection feature of GPMC, using the Options dialog box on the View menu. To add externally trusted domains, must first use the AddForest dialog box to add one domain from a forest that contains the externally trusted domains. Once this forest is added, can add any domains in that forest that are trusted by right-clicking the Domains node of the forest, and then clicking Show Domains.
To add the banani.securesystem.com child domain to the console
1. In the Group Policy Management window, click the plus sign (+) next to Forest:securesystem.com to expand the tree, and then click the plus sign (+) next to Domains.
2. Right-click Domains, and then click Show Domains.
3. Select the check box next to banani.securesystem.com as shown in Figure, and then click OK.
In each domain available to GPMC, the same domain controller is used for all operations in that domain. This includes all operations on the GPOs, OUs, security principals, and WMI filters that reside in that domain. In addition, when the Group Policy Object Editor is opened from GPMC, it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.
GPMC allows to choose which domain controller to use for each domain. We can choose from these four options.
• Use the primary domain controller (PDC) emulator (default choice).
• Use any available domain controller.
• Use any available domain controller that is running a Windows Server 2003 family operating system. This option is useful if restoring a deleted GPO that contains Group Policy software installation settings.
• Use a specific domain controller that you specify.
To change the domain controller used by GPMC for the banani.securesystem.com domain
1. In the Group Policy Management window, under the Domains folder, right-click banani.securesystem.com, and then click Change Domain Controller.
2. In the Change Domain Controller dialog box, click This domain controller, and then click to highlight hpc.banaini.securesystem.com as shown in Figure.
3. Click OK to continue.
Managing Group Policy Objects
Viewing Domain GPOs
Within each domain, GPMC provides a policy-based view of Active Directory and the components associated with Group Policy, such as GPOs, WMI filters, and GPO links. The view in GPMC is similar to the view in Active Directory Users and Computers MMC snap-in in that it shows the OU hierarchy. However, GPMC differs from this snap-in because instead of showing users, computers, and groups in the OUs, it displays the GPOs that are linked to each container, as well as the GPOs themselves.
Each domain node in GPMC displays the following items.
• All GPOs linked to the domain.
• All top-level OUs and a tree view of nested OUs and GPOs linked to each of the OUs.
• The Group Policy Objects container showing all GPOs in the domain.
• The WMI Filters container showing all WMI filters in the domain.
To view GPOs associated with a particular container
Under the Domains tree, click the securesystem.com tree. The GPOs associated with the container (domain root) appear as shown in Figure. This concept can be applied to any domain container.
To view all GPOs associated with a particular domain
Under the Domains tree, click the plus sign (+) next to securesystem.com, and then click Group Policy Objects.
Searching for GPOs
Searching for GPOs is available at the forest or domain level. Individual or multiple search parameters can assist in narrowing search results within a large set of GPOs.
To find a specific GPO within the contoso.com forest using multiple search parameters
1. In the console tree, right-click Forest:securesystem.com, and then click Search.
2. In the Search item box, select GPO Name, type Password for Value, and then click Add.
3. In the Search item box, select Computer Configuration, select Security for Value, and then click Add.
4. Click Search. The results should appear as shown in Figure.
The value of Group Policy can only be realized through properly applying the GPOs to the Active Directory containers want to manage. Determining which users and computers will receive the settings in a GPO is referred to as “scoping the GPO”. Scoping a GPO is based on three factors.
• The site(s), domain(s), or OU(s) where the GPO is linked The primary mechanism by which the settings in a GPO are applied to users and computers is by linking the GPO to a site, domain, or OU in Active Directory. The location where a GPO is linked is referred to as the Scope of Management or SOM (also seen as SDOU in previous white papers). There are three types of SOMs: sites, domains, and OUs. A GPO can be linked to multiple SOMs, and an SOM can have multiple GPOs linked to it. A GPO must be linked to an SOM for it to be applied.
• The security filtering on the GPO By default all Authenticated Users that are located in the SOM (and its children) where a GPO is linked will apply the settings in the GPO. We can further refine which users and computers will receive the settings in a GPO by managing permissions on the GPO. This is known as security filtering. For a GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO. By default, GPOs have permissions that allow the Authenticated Users group both of these permissions. This is how all authenticated users receive the settings of a new GPO when it is linked to a SOM (OU, domain, or site). These permissions can be changed, however, to limit the scope of the GPO to a specific set of users, groups, and/or computers within the SOM(s) where it is linked.
• The WMI filter on the GPO WMI filters allow an administrator to dynamically determine the scope of GPOs based on attributes (available through WMI) of the target computer. A WMI filter consists of one or more queries that are evaluated to be either true or false against the WMI repository of the target computer. The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied. If the WMI filter evaluates to true, the GPO is applied.
To scope the Domain Password Policy GPO found in the previous search
1. In the Search for Group Policy Objects search results pane, double-click Domain Password Policy, and then click Close.
Note: Once the Search for Group Policy Objects dialog box is closed, the previously selected GPO will have focus in the GPMC. The GPO Scope page will appear as shown in Figure.
GPO Backup, Restore, Copy, Import
Backing Up a GPO
Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following:
• The GPO globally unique identifier (GUID) and domain GPO settings
• The discretionary access control list (DACL) on the GPO
• The WMI filter link, if there is one, but not the filter itself
• Links to IP Security policies, if any
• Extensible Markup Language (XML) report of the GPO settings, which can be viewed as HTML from within GPMC
• Date and time stamp of the backup
• User-supplied description of the backup
Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO includes the following:
• Links to a site, domain, or OU
• WMI filter
• IP Security policy
This data is not available when the backup is restored to the original GPO or imported into a new one.
To backup a Domain Policy GPO
1. In the Group Policy Management window, under the securesystem.com tree, click the Group Policy Objects folder.
2. In the Group Policy Objects folder, right-click the A domain Policy GPO, and then click Back Up.
3. In the Back Up Group Policy Object dialog box, type D:\windows for Location, type Name of the Policy Backup for Description, and then click Back Up.
4. Once the backup is complete, click OK to continue.
Multiple backups of the same or different GPO can be stored in the same file system location. Each backup is identified by a unique backup ID. The collection of backups in a given file system location can be managed using the Manage Backups dialog box in GPMC or through the scriptable interfaces. The Manage Backups dialog box is available by right-clicking either the Domains node or the Group Policy Objects node in a given domain. When open Manage Backups from the Group Policy Objects node, the view is automatically filtered to show only backups of GPOs from that domain. When opened from the Domains node, the Manage Backups dialog box shows all backups, regardless of which domain they are from.
To manage available GPO backups
1. In the Group Policy Management window, under the securesystem.com tree, right-click the Group Policy Objects folder, and then click Manage Backups. The Manage Backups window should appear as shown in Figure.
2. In the Manage Backups window, click to highlight the Domain Password Policy Backup created previously, and then click View Settings.
3. Review the detailed GPO information, and then close Internet Explorer.
Restoring from Backup
Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation replaces the following components of a GPO.
• GPO settings
• The DACL on the GPO
• WMI filter links (but not the filters themselves)
The restore operation does not restore objects that are not part of the GPO. This includes links to a site, domain, or OU; WMI filters, and IPSec policies.
To restore the Domain Password Policy GPO
In the Manage Backups window, click Restore.
1. When prompted, click OK to restore the selected backup.
2. Click OK after the GPO restoration is complete.
3. In the Manage Backups dialog box, click Close.
Copying a GPO
A copy operation allows to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created during the copy operation is given a new GUID and is unlinked. One can use a copy operation to transfer settings to a new GPO in the same domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy between production environments. They are also used for migrating Group Policy that has been tested in a test domain or forest to a production environment, as long as there is trust between the source and destination domains.
To copy a GPO
1. Under the securesystem.com tree in the Group Policy Objects folder, right-click the Enforced User Policies GPO, and then click Copy.
2. Click the plus sign (+) next to banani.securesystem.com to expand the domain, and then click the plus sign (+) next to Group Policy Objects to expand the tree.
3. Right-click Group Policy Objects, and then click Paste.
4. On the Cross-Domain Copying Wizard, click Next to continue.
5. On the Specify Permissions screen, select Use the default permissions for new GPOs (default) as shown in Figure, and then click Next.
6. Once the original GPO is scanned, click Next to continue.
7. On the Completing the Cross-Domain Copying Wizard screen, verify settings, and then click Finish.
8. Once the copy operation is complete, click OK.
Note: The Enforced User Policies GPO has been copied to the banani.securesystem.com domain; however, it has not been linked to any container.
To link the Enforced User Policies GPO to the root of banani.securesystem.com
• Right-click banani.securesystem.com, click Link an Existing GPO, click to highlight Enforced User Policies, and then click OK.
Importing a GPO
The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO in the file system location as its source. Import operations can be used to transfer settings from one GPO to another GPO within the same domain, to a GPO in another domain in the same forest, or to a GPO in a domain in a different forest. The import operation always places the backed up settings into an existing GPO. It erases any pre-existing settings in the destination GPO. Import does not require trust between the source domain and destination domain; therefore, it is useful for transferring settings across forests and domains that do not have trust. Importing settings into a GPO does not affect its DACL, links on sites, domains, or OUs to that GPO, or a link to a WMI filter.
To import the securesystem.com Domain Password Policy into banani.securesystem.com Domain Password Policy
1. In the Group Policy Management window, right-click banani.securesystem.com, and then click Create and Link a GPO here.
2. In the New GPO dialog box, type Domain Password Policy for the Name, and then click OK.
3. Under Group Policy Objects in the banani.securesystem.com tree, right-click the Domain Password Policy GPO, and then click Import Settings.
4. On the Import Settings Wizard, click Next to continue.
5. On the Backup GPO screen, click Next to continue without backup as the GPO currently has no policy definitions.
6. Accept the default backup folder, D:\windows, and then click Next to continue.
7. Since the Domain Password Policy is the only current backup, it is selected by default. Click Next to begin importing the settings from this GPO.
8. Click Next after the GPO is scanned for security principals, and then click Finish.
9. When the Import Settings Wizard completes, click OK.
Group Policy Modeling
Group Policy Modeling is a simulation of what would happen under circumstances specified by an administrator. It requires that you have at least one domain controller running Windows Server 2003 because this simulation is performed by a service running on a domain controller that is running Windows Server 2003.
With Group Policy Modeling, you can either simulate the RSoP data that would be applied for an existing configuration, or you can perform “what-if” analyses by simulating hypothetical changes to your directory environment and then calculating the RSoP for that hypothetical configuration. For example, you can simulate changes to security group membership, or changes to the location of the user or computer object in Active
Directory. Outside of GPMC, Group Policy Modeling is referred to as RSoP – planning mode.
To simulate the effects of GPOs
1. In the Group Policy Management window, click the minus sign (-) next to Domains to collapse the tree.
2. Under the Forest: securesystem.com tree, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
3. On the Group Policy Modeling Wizard screen, click Next.
4. On the Domain Controller Selection screen, leave the default settings, and then click Next.
5. On the User and Computer Selection screen, under User information, click User. Click Browse, type Christine under Enter object name to select, and then click OK. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next. Your settings should appear as shown in Figure.
6. On the Summary of Selections screen, click Next to start the simulation.
7. Click Finish. The right pane will contain the simulation results.
Group Policy Feature Set
Several administrative tools are available for the management of Group Policy settings including:
• Group Policy Object Editor Microsoft Management Console (MMC) snap-in
• Default MMC snap-in available in Windows Server 2003 and the one used throughout this step-by-step guide.
• Group Policy Management Console (GPMC) with Service Pack 1
• GPMC extends the default Group Policy Object Editor by simplifying the management of Group Policy, making it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. GPMC also enables automation of Group Policy operations via scripting
• Third-party extensions, which host other policy settings
Group Policy includes policy settings for User Configuration, which affect users, and for Computer Configuration, which affect computers.
With Group Policy, you can do the following:
• Manage registry-based policy with Administrative Templates. Group Policy creates a file that contains registry settings that are written to the User or Local Machine portion of the registry database.
• Assign scripts. This includes scripts such as computer startup, shutdown, logon, and logoff.
• Redirect folders. You can redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations.
• Manage applications. You can assign, publish, update, or repair applications by using Group Policy Software Installation.
• Specify security options.
This document presents a brief overview of Group Policy, and shows how to use the Group Policy snap-in to specify policy settings for groups of users and of computers.
Group Policy and the Microsoft Management Console
Group Policy is directly integrated with Active Directory management tools through the MMC snap-in extension mechanism. The Active Directory snap-ins set the scope of management for Group Policy. The most common way to access Group Policy is by using the Active Directory User and Computers snap-in, for setting the scope of management to domain and OUs. One can also use the Active Directory Sites and Services snap-in to set the scope of management to a site. These two tools can be accessed from the Administrative Tools program group; the Group Policy snap-in extension is enabled in both tools. Alternatively, we can create a custom MMC console, as described in the next section.
Configuring a Custom Console
The examples in this document use the custom MMC console that you can create by following the procedures outlined in this section. We need to create this custom console before attempting the remaining procedures in this document.
To configure a custom console
1. Log on to mpc as firstname.lastname@example.org.
2. Click the Start button, click Run, type mmc, and then click OK.
3. In the Console1 window, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box, click Active directory users and computers, and then click Add.
6. Double-click Active directory sites and services snap-in in the Available standalone snap-ins list box.
7. Scroll down, and then double-click Group Policy Object Editor.
8. In the Select Group Policy Object dialog box, ensure Local computer is selected under Group Policy Object. Click Finish, and then click Close.
9. In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that the Add all extensions check box is selected for each primary extension added to the MMC console (these are selected by default). Click OK.
Managing Group Policy
To manage Group Policy
• Access the context menu of a site, domain, or OU
• Select Properties, and then click the Group Policy tab. This displays the Group Policy Properties page.
Note the following for the Group Policy Properties page.
• This page displays any GPOs that have been associated with the currently selected site, domain, or OU. The links are objects; they have a context menu that you can access by right-clicking the object. (Right-clicking the white space displays a context menu for creating a new link, adding a link, or refreshing the list.)
• This page also shows an ordered GPO list, with the highest priority GPO at the top of the list. You can change the list order by selecting a GPO, and then using the Up or Down arrow keys.
• To associate (link) a GPO, click the Add button.
• To edit an existing GPO in the list, select the GPO, and then click the Edit button, or double-click the GPO. This starts the Group Policy Object Editor, where you can modify the GPO. For more information about modifying GPOs, see Editing a Group Policy Object.
• To permanently delete a GPO from the list, select it from the list, and then click the Delete button. When prompted, select Remove the link and delete the Group Policy object permanently. Be careful when deleting a GPO since it may be associated with another site, domain, or OU. If you only want to remove the GPO’s association with the current container, select the GPO from the links list, click Delete, and then, when prompted, select Remove the link from the list.
• To determine what other sites, domains, or OUs are associated with a given GPO, right-click the GPO, select Properties on the context menu, and then click the Links tab on the GPO Properties page. Click Find Now to retrieve a current link list for this GPO.
• By right-clicking the GPO, you can set the No override option. This option marks the selected GPO so that its policies cannot be overridden by another GPO.
Note: We can enable the No Override option on more than one GPO. All GPOs marked as No override will take precedence over all other GPOs that are not marked. Of those GPOs marked as No override, the GPO with the highest priority will be applied after all the other similarly marked GPOs.
• By right-clicking the GPO, you can set the GPO as Disabled, which simply disables (deactivates) the GPO without removing it from the list.
Note: It is also possible to disable only the User or Computer portion of the GPO. To do this, right-click the GPO, click Properties, and then, on the General tab, click either Disable Computer Configuration settings or Disable User Configuration settings.
• On the Active Directory container’s Group Policy properties page, we can set Block policy inheritance to negate all GPOs that exist higher in the hierarchy. However, it cannot block any GPOs that are enforced by using the No override check box; those GPOs will always be applied.
Note: Policy settings contained within the local GPO that are not specifically overridden by domain-based policy settings are also always applied. Block Policy Inheritance at any level will not remove local policy.
Review the following components of the Add a Group Policy Object Link dialog box and then close the dialog box.
• The Look in drop-down box allows navigate the entire Active Directory structure in search of a GPO. As change the value in this box, GPOs and all child objects will be displayed in the results pane.
• On the Domains/OUs tab, the list box displays the sub-OUs and GPOs for the currently selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one level toolbar button.
• On the Sites tab, all GPOs associated with the selected site are displayed. Use the drop-down list to select another site. There is no hierarchy of sites.
• The All tab shows a flat list of all GPOs that are stored in the selected domain. This is useful when you want to select a GPO that you know by name, rather than where it is currently associated. This is also the only place to create a GPO that does not have a link to a site, domain, or OU.
• To create an unlinked GPO on the All tab, select the Create New Group Policy Object toolbar button or right-click the white space, and then click New. Name the new GPO, click Enter, and then click Cancel—do not click OK. Clicking OK links the new GPO to the current site, domain, or OU. Clicking Cancel creates an unlinked GPO.
• To associate a GPO with the currently selected domain or OU, double-click the desired GPO.
Deploying Scripts Through Group Policy Objects
We can define a GPO setting that runs scripts when users log on or log off, or when the system starts or shuts down. All scripts are Windows Scripting Host (WSH)–enabled. As such, they may include Java Scripts or Microsoft Visual Basic® Scripts, as well as .bat and .cmd files.
Creating a Logon Script
Note: This procedure uses the welcome.bat script. Create an Included Items folder, and then create the file welcome.bat within the Included Items folder by copying the script.
To define a logon script Group Policy setting
1. Close the Group Policy Object Editor for the HO Policy.
2. In the HeadOffice Properties dialog box, click Close.
3. In the GPWalkthrough console, right-click the securesystem.com domain, click Properties, and then click the Group Policy tab.
4. On the Group Policy properties page, select the Default Domain Policy GPO from the Group Policy objects links list, and then click Edit to open the Group Policy Object Editor snap-in.
5. In the Group Policy snap-in, under User Configuration, click the plus sign (+) next to Windows Settings, and then click the Scripts (Logon/Logoff) node.
6. In the details pane, double-click Logon.
The Logon Properties dialog box displays the list of scripts that run when a designated user logs on. This is an ordered list, with the script that is to run first appearing at the top of the list. We can change the order by selecting a script, and then using the Up or Down arrow keys.
To add a new script to the list, click the Add button. This displays the Add a Script dialog box. Browsing from this dialog box allows you to specify the name of an existing script located in the current GPO, or to browse to another location and select it for use in this GPO. The script file must be accessible to the user at logon, or it does not run. Scripts in the current GPO are automatically available to the user. To create a new script, right-click the empty space, select New, and then select a new file.
To edit the name or the parameters of an existing script in the list, select it, and then click the Edit button. This button does not allow the script itself to be edited. To edit the script, use the Show Files button. To remove a script from the list, select it, and then click Remove.
The Show Files button displays a Windows Explorer view of the scripts for the GPO. This allows quick access to these files or to the place to copy support files to if the script files require them. If one changes a script file name from this location, must also use the Edit button to change the file name, or the script cannot execute.
Note: If the View Folder Options for this folder are set to Hide file extensions for known file types, the file may have an unwanted extension that prevents it from being run.
7. Click the Start button, click All Programs, click Accessories, and then click Windows Explorer. Navigate to the welcome2006.bat file in the Included Items directory, right-click the file, and then click Copy.
8. Close Windows Explorer.
In general, Group Policy is passed down from parent to child containers within a domain. Group Policy is not inherited from parent to child domains. If we assign a specific Group Policy setting to a high-level parent container, that Group Policy setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if we explicitly specify a Group Policy setting for a child container, the child container’s Group Policy setting overrides the parent container’s setting.
If a parent OU has policy settings that are not configured, the child OU does not inherit them. Policy settings that are disabled are inherited as disabled. In addition, if a policy setting is configured (enabled or disabled) for a parent OU and the same policy setting is not configured for a child OU, the child inherits the parent’s enabled or disabled policy setting.
If a policy setting that is applied to a parent OU and a policy setting that is applied to a child OU are compatible, the child OU inherits the parent policy setting, and the child’s setting is also applied.
If a policy setting that is configured for a parent OU is incompatible with the same policy setting that is configured for a child OU (because the setting is enabled in one case and disabled in the other), the child does not inherit the policy setting from the parent. The policy setting in the child is applied.
Blocking Inheritance and No Override
The Block Policy inheritance option blocks GPOs that apply higher in the Active Directory hierarchy of sites, domains, and OUs. It does not block GPOs if they have No Override enabled. The Block Policy inheritance option is set only on sites, domains, and OUs, not on individual GPOs. These settings provide complete control over the default inheritance rules.
In the following section, you set up a GPO in the Accounts OU, which applies by default to the users (and computers) in all child objects within the Accounts OU. You then establish another GPO in the Accounts OU and set it as No override. These settings will apply to all child objects even if settings conflict with other settings applied through a GPO. You will then use the Block inheritance feature to prevent group policies set in a parent site, domain, or OU (in this case, the Accounts OU) from being applied to the Production OU.
To create new GPOs
- In the GPWalkthrough MMC and under com, right-click the Accounts OU.
- Click Properties, and then click the Group Policy
- Click New,enter Default User Policies for the GPO name, and then press Enter.
- Click New again, enter Enforced User Policies for the GPO name, and then press Enter.
- Click the Enforced Users Policies GPO, and then click the Up button to move it to the top of the list.
Note: The Enforced Users Policies GPO should have the highest precedence. Note that this step only serves to demonstrate the functionality of the Up button; an enforced GPO always takes precedence over those that are not enforced.
Select the No override setting for the Enforced User Policies GPO by double-clicking the No override column or using the Options button. The Accounts Properties page should now appear as in Figure.
To enable settings in the Enforced User Policies and Default User Policies GPOs
- On the Accounts Properties page, double-click the Enforced User Policies
- In the Group Policy Object Editor, under User Configuration, expand Administrative Templates.
- Expand System, and then click Ctrl+Alt+Del Options.
- In the details pane, double-click the Remove Task Manager policy, click Enabled in the Remove Task Manager dialog box, and then click OK. For more information about the policy, click the Explain The setting is now Enabled as shown in Figure.
- Click File, and then click Exit to close the Group Policy Object Editor.
- In the Accounts Properties dialog box, on the Group Policy tab, double-click the Default User Policies GPO in the Group Policy objects links
- In the Group Policy Object Editor, under User Configuration, expand Administrative Templates, expand Desktop, and then click Active Desktop.
- In the details pane, double-click the Disable Active Desktop
- Click Enabled, click OK, and then click OK.
- Click File, and then click Exit to close the Group Policy Object Editor.
Logging on to a client workstation as any user under the Accounts OU, including child OUs, will apply both the Default User and Enforced User GPOs. Both Task Manager and the Active Desktop will be disabled.
Increasing the Performance of GPOs
Because these GPOs are used solely for user configuration, the computer portion of the GPO can be disabled. Disabling the computer configuration settings reduces the target computer’s startup time as the computer GPOs do not need to be evaluated.
If no computers exist within the Accounts, or any child OUs, disabling the computer portion of the GPO has no immediate benefit. However, since these GPOs could later be linked to a different container that may include computers, you may want to disable the computer side of these GPOs.
To disable the computer portion of a GPO
- In the Accounts Properties dialog box, right-click the Enforced User Policies GPO, and then select Properties.
- In the Enforced User Policies Properties dialog box, click the General tab (default), and then select the Disable computer configuration settings check box. In the Confirm Disable dialog box, click Yes, and then click OK to finish.
Note that the General properties page includes two check boxes for disabling a portion of the GPO.
- Repeat steps 1 and 2 for the Default Users Policies
We can block inheritance so that one GPO does not inherit policy from another GPO in the hierarchy. The following example shows how to block inheritance so that only the settings in the Enforced User Policies affect the users in this OU.
To block inheritance of Group Policy for the Production OU
- In the AccountsProperties dialog box, click Close.
- Under the Accounts OU in the GPWalkThrough console, right-click the Production OU, select Properties on the context menu, and then click the GroupPolicy
- Select the BlockPolicy inheritance check box, and then click OK.
To verify that inherited settings are now blocked, you can log on as any user in the Production OU. Note that the Active Desktop is available, however, the Task Manager remains disabled since its disabling GPO was set to No Override in the parent OU.
Linking a GPO to Multiple Sites, Domains, and OUs
This section demonstrates how you can link a GPO to more than one container (site, domain, or OU) in Active Directory. Depending on the exact OU configuration, you can use other methods to achieve similar Group Policy effects; for example, we can use security group filtering or we can block inheritance. In some cases, however, those methods do not have the desired affects. Whenever you need to explicitly state which sites, domains, or OUs need the same set of policies, use the following method.
To link a GPO to multiple sites, domains, and OUs
- Under the Accounts OU in the GPWalkThrough console, right-click the Headquarters OU, select Properties on the context menu, and then click the Group Policy
- In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO named Linked Policies.
- Select the Linked Policies GPO, and then click Edit.
- In the Group Policy Object Editor, under User Configuration and Administrative Templates, click Control Panel, and then click Display.
- On the details pane, double-clickthe Prevent changing wallpaper policy, and then click Enabled. Click OK to continue.
- Click File,and then click Exit to close the Group Policy Object Editor.
- In the Headquarters Properties page, click Close.
- Under the Accounts OU in the GPWalkThrough console, right-click the Production OU, click Properties on the context menu, and then click the Group Policy tab on the Production Properties dialog box.
- Click Add, or right-click the blank area of the Group Policy objects links list, and select Add on the context menu.
- In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and select the contoso.com OU.
- Double-click the Accounts.contoso.com OU in the Domains, OUs, and linked Group Policy objects list.
- Click the Linked Policies GPO, and then click OK.
- Click OK to finish.
We have now linked a single GPO to two OUs. Changes made to the GPO in either location result in a change for both OUs.
Loopback provides alternatives to the default method of obtaining the ordered list of GPOs whose User Configuration settings affect a user. By default, a user’s settings come from a GPO list that depends on the user’s location in Active Directory. The ordered list goes from site-linked to domain-linked to OU–linked GPOs, with inheritance determined by the location of the user in Active Directory and in an order that is specified by the administrator at each level.
Loopback can be set to Not Configured, Enabled, or Disabled, as can any other Group Policy setting. In the Enabled state, loopback can be set to Merge or Replace.
- Loopback with ReplaceThe GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup. The User Configuration settings from this list are applied to the user.
- Loopback with MergeThe GPO list is a concatenation. The default GPOs for computers is appended to the default GPOs for users, and the user gets the User Configuration settings in the concatenated list. Note that the GPO list that is obtained for the computer is applied later and, therefore, it has precedence if it conflicts with settings in the user’s list.
To enable Loopback processing
- Expand the Resources OU in the GPWalkThrough console, right-click the Desktop OU, click Properties on the context menu, and then click the Group Policy tab in the Desktop Properties dialog box.
- Click New to create a new GPO named Loopback Policies.
- Select the Loopback Policies GPO, and then click Edit.
- In the Group Policy Object Editor, in the ComputerConfiguration node, expand Administrative Templates, expand System, and then click Group Policy.
- In the details pane, double-click the User Group Policy loopback processing mode
- Click Enabled in the User Group Policy loopback processing mode dialog box, select Replace (default) in the Mode drop-down list, and then click OK.
The next section defines restrictive settings for the user’s Start Menu & Taskbar and Desktop environments as might be applied in a Kiosk scenario. To navigate policies efficiently, use the Next Policy navigation buttons in the policy dialog boxes.