Group Policy allows you to centrally control and configure Windows computers that participate in your AD network. You can utilize local Group Policy on stand-alone servers and clients that are not members of an AD domain. Group Policy Objects (GPOs) contain policy settings, and they can be linked to one or more containers within AD. GPOs are created with the Group Policy Management Console (GPMC), which can be used to create, apply, and update them. It can also be used to determine how the GPOs will be applied to a specific user or group. GPOs are processed in this order: local policies, then site GPOs, then domain GPOs, then OU GPOs in order of hierarchy. By default, the last GPO to be applied can override previously applied GPOs if any settings conflict. You can configure a GPO as “enforced” to indicate that lower-level GPOs cannot override it. You can also block inheritance at the OU level to indicate that higher-level GPOs should not apply.
When creating multiple local GPOs (MLGPOs), you have three levels of application:
- Local Policy Settings: The local policy settings apply first, and they can contain both user and computer configuration settings.
- Administrator/Non-Administrator Level: The Administrator/Non-Administrator policy settings apply next, and a single user receives only administrator or nonadministrator GPO settings, depending on administrative group membership.
- Specific User Level: The final policy settings to be applied are those in the specific user GPO, if one exists.
The Administrator/Non-Administrator level and specific user-level GPOs contain only user configuration settings.
You can use the Group Policy Management Console (GPMC), the local GPEDIT.MSC console, or Windows PowerShell to work with Group Policy. To use Windows PowerShell, you must import the GroupPolicy module with the Import-Module cmdlet.
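The processing order, enforcement, and block-inheritance rules summarized above can be checked for any container from PowerShell. The script below is an added example, not part of the original chapter; it uses the GroupPolicy module's Get-GPInheritance cmdlet, and the OU distinguished name is a placeholder assumption to replace with one from your own domain.

```powershell
# Added example: report how GPO precedence resolves for one container.
# Assumption: the default target is a placeholder DN, not a real OU.
param(
    [string]$Target = 'OU=Sales,DC=example,DC=com'
)

# The Group Policy cmdlets are not available until the module is imported.
Import-Module GroupPolicy

# Returns the container (scope of management) with its direct and inherited links.
$som = Get-GPInheritance -Target $Target

"Container          : $($som.Path)"
"Inheritance blocked: $($som.GpoInheritanceBlocked)"

# GPOs linked directly to this container, in link order.
"`nDirect links:"
$som.GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# GPOs that apply here once inheritance, blocking, and enforcement are resolved.
# This is the same list the GPMC shows on the Group Policy Inheritance tab.
"Resulting precedence:"
$som.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize

# Enforced links deserve review: lower-level GPOs cannot override them.
$enforced = @($som.InheritedGpoLinks | Where-Object { $_.Enforced })
if ($enforced.Count -gt 0) {
    "Enforced GPOs reaching this container:"
    $enforced | ForEach-Object { "  $($_.DisplayName) (linked at $($_.Target))" }
}

# A blocked container no longer receives non-enforced GPOs linked above it,
# so a domain-level baseline may be missing here unless its link is enforced.
if ($som.GpoInheritanceBlocked) {
    "Warning: $($som.Path) blocks inheritance; confirm baseline GPOs are enforced."
}
```

Run it from a domain-joined machine with RSAT installed, once per OU you want to review.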
Exercises
- Use the local GPEDIT.MSC Editor to prevent access to the Command Prompt on a Windows 7 client.
- Create a GPO named SalesDept and link it to the Sales OU. If the Sales OU does not exist, create the OU using Active Directory Users and Computers first. Enable the following policy settings in the GPO:
  - User Configuration\Policies\Administrative Templates\Control Panel\Display\Hide Settings Tab
  - User Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent changing screen saver
- Execute the GPUPDATE /FORCE command to refresh Group Policy immediately.
- Using the GPMC, view the settings in the Default Domain Policy GPO.
Answers for Exercises
- Launch the GPEDIT.MSC console from the Start menu Search field. Navigate to the following location in the GPEDIT.MSC console: User Configuration\Administrative Templates\System. Enable the policy named Prevent Access To The Command Prompt.
- Use the instructions provided in this chapter to create the GPO and link it to the OU. If you have to create the OU, use the instructions provided in “Managing Active Directory.” Right-click on the GPO and select Edit to apply the specified settings.
- Launch the Windows Command Prompt. Execute the GPUPDATE /FORCE command and view the results.
- Launch the GPMC. Click on the Default Domain Policy GPO in the console tree. Click on the Settings tab in the content pane.
Review Questions
- 1. What version of Windows Server must the DCs be running to support Group Policy settings that are new in Windows 7?
- A. Any version that supports Group Policy
- B. Server 2003 R2
- C. Server 2008
- D. Server 2008 R2
- 2. True or false: You can create GPOs and link them to multiple containers.
- 3. What must be added to a Windows client so that you can use it as a Group Policy management machine?
- A. RSAT
- B. MMC
- C. Remote Desktop Client
- D. GPEDIT.MSC
- 4. What must you use to work with MLGPO on a Windows 7 client?
- 5. Which of the following tools provide a GUI for Group Policy management? (Choose all that apply.)
- A. GPEDIT.MSC
- B. Windows PowerShell
- C. Windows Command Prompt
- D. GPMC
- 6. Define a GPO.
- 7. Define Group Policy Preferences.
- 8. What command must be executed before you can use the Group Policy cmdlets in Windows PowerShell?
- A. Import-Module GroupPolicy
- B. None, the cmdlets are there by default
- C. Import-Cmdlets GroupPolicy
- D. Get-Cmdlets GroupPolicy
- 9. What must exist in order to use centralized Group Policy provisioning for Windows clients?
- A. Active Directory
- B. SQL Server
- C. Exchange Server
- D. System Center Configuration Manager
- 10. True or false: You have created an MLGPO configuration. Policy settings are configured for the local policy, the administrative users, the nonadministrative users, and for Joe. When Joe logs on, the administrative users policy overrides his specific policies.
Answers for Review Questions
- 1. A. As long as the GPOs are created on a Windows 7 client, they will work with earlier versions of AD.
- 2. True. A single GPO can be linked to more than one container, such as a site, domain, or OU.
- 3. A. The Remote Server Administration Tools (RSAT) include the GPMC so that you can manage Group Policy from a client. The MMC, Remote Desktop Client, and GPEDIT.MSC solutions are all installed on Windows clients by default.
- 4. A custom MMC with the Group Policy Object Editor loaded. The traditional GPEDIT.MSC console allows only the editing of local policies. To work with MLGPO, you must use a custom MMC.
- 5. A and D. Three GUI tools are commonly used for Group Policy management. The first is the Group Policy Management Console (GPMC), which can be installed on client computers by installing RSAT. The second is the GPEDIT.MSC command for direct editing of local policy settings. The third is the custom MMC with the Group Policy Object Editor loaded for MLGPO support.
- 6. A Group Policy Object (GPO) is a collection of settings that can be applied to Windows computers by linking it to a container within the AD structure.
- 7. A simple method for configuring settings through GPOs with dialog boxes similar to those in the local Windows GUI interface. Unlike policies, preferences may be changed by users to override the preference settings.
- 8. A. PowerShell supports Group Policy management through an add-on module. Use the Import-Module GroupPolicy command to enable Group Policy management.
- 9. A. Centralized Group Policy is a feature of AD. You must have an AD network to take advantage of it.
- 10. False. MLGPOs are applied in the order of local policy settings, Administrator/Non-Administrator settings, and then specific user settings. Therefore, specific user settings override Administrative and Non-Administrative user settings because they are applied last.