Power in Group Policy - GPO

Windows 2000 Server is Object Orientated. Objects within the operating system schema include Domains, Sites, Organisational Units, Groups, Users, Hardware resources etc.

Group Policy Objects (GPOs) are registry templates that are applied to a workstation (local policy), an entire domain or an Organisational Unit. These templates can enable/disable or permit/deny objects for a group of users, enabling highly customised user environments. Software can be published to particular users or installed on selected workstations through GPOs, using applications converted to MSI (Microsoft Installer) packages.

Every Windows domain has a default Group Policy that affects the entire domain. This can and should be pre-configured for the new network's security requirements. This default domain policy is the top-level policy and is applied first when the operating system starts. Further GPOs can be applied to other objects, such as Organisational Units (OUs), to change the default security behaviour by permitting or denying services, setting file permissions and modifying the user's environment.

The policy processing order is: Local Machine, Site, Domain, OU. Effects are cumulative, but the last policy processed takes precedence if there is a conflict (unless the No Override setting is used).

GPOs are created in the properties of the associated object (that is, Right Click > Properties). Filtering of individual groups and users is done in the properties of the GPO itself, within the Security tab.
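The precedence rules described above (processing order, cumulative effect, No Override and security filtering of a GPO) are modelled below as an added Python example that is not part of the original page. The GPO names, setting names and values are constructed for illustration, and the model is a simplification that does not query Active Directory.

```python
from dataclasses import dataclass, field

# Processing order stated above: Local Machine, Site, Domain, OU.
LEVELS = ["local", "site", "domain", "ou"]

@dataclass
class GPO:
    name: str
    level: str                  # one of LEVELS
    settings: dict              # setting name -> value
    no_override: bool = False   # "No Override" option set on the GPO link
    deny_apply: set = field(default_factory=set)  # groups filtered out on the Security tab

def resultant_policy(gpos, user_groups):
    """Return {setting: (value, winning GPO name)} for a user in user_groups."""
    result, locked = {}, set()
    ordered = sorted(gpos, key=lambda g: LEVELS.index(g.level))  # stable sort
    for gpo in ordered:
        if gpo.deny_apply & set(user_groups):
            continue  # security filtering: this GPO is not applied to the user
        for key, value in gpo.settings.items():
            if key in locked:
                continue  # an earlier No Override GPO already fixed this setting
            result[key] = (value, gpo.name)  # cumulative; last one processed wins
            if gpo.no_override:
                locked.add(key)
    return result

# Constructed sample data (hypothetical GPO and setting names).
GPOS = [
    GPO("Local Policy", "local", {"wallpaper": "none", "run_solitaire": "allowed"}),
    GPO("Huddersfield Site", "site", {"proxy": "hud-proxy"}),
    GPO("Default Domain Policy", "domain",
        {"min_password_length": 8, "wallpaper": "corporate"}, no_override=True),
    GPO("Sales Solitaire Restriction", "ou",
        {"run_solitaire": "denied", "min_password_length": 4},
        deny_apply={"senior"}),
]

def report(user, groups):
    for key, (value, source) in sorted(resultant_policy(GPOS, groups).items()):
        print(f"{user}: {key} = {value!r} (from {source})")

if __name__ == "__main__":
    report("Mary Bloggs", ["junior"])
    report("Joe Smith", ["senior"])
```

The OU-level GPO cannot weaken the password length because the domain policy is marked No Override, and members of the filtered group keep the earlier Solitaire setting because the OU GPO is never applied to them.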

How to create GPOs

GPOs are a feature of Windows XP Professional and Windows 2000/3 Servers. You can launch the local GPO editor from the run box by typing gpedit.msc

Active Directory

How to create a domain and join a client

Active Directory Object Structure

On a local workstation it is possible to arrange users into groups and then manage their permissions through file/folder Access Control Lists (ACLs).

Active Directory adds new levels of grouping of users: Organisational Units (OUs), Sites and Domains.

This structure closely resembles an organisation's structure, enabling the administrator to create a permission structure that reflects the business structure of the employees.


For example, Mary and Joe work in sales for a national company with an office in Huddersfield.

Domain - company.co.uk
	Site - huddersfield
		OU - sales
			Group - junior
				User - Mary Bloggs
			Group - senior
				User - Joe Smith

In this model we can set permissions at every level of the structure.

Group Policy in Action

By grouping users or groups together, the administrator can apply rules that permit or deny resources to the members. This is what is known as Group Policy, and it is managed by creating a Group Policy Object (GPO). GPOs are set at the Domain, Site or OU level of administration. After creating the GPO you can edit its security and individually filter Groups or Users using the Deny Apply GPO permission.

See Lab Sheet example for a Solitaire Restriction GPO.

Essential Excel GPO Template

All user management and GPO creation and assignment is done in Active Directory Users and Computers.



Below you can see this console with some OUs created for Sales, Marketing and Year5. You can also see the Authorised workstation in the Computers section.



GPOs are a property of the Domain or OU (depending on the level at which you want to create them). To create them, you begin by selecting Properties.



All Windows PCs have a default Group Policy. In Windows 2000/3 Servers you can create new additional policies.



New - Create a new GPO. The order in which GPOs are applied is the order in which they are stacked in the Group Policy Object Links window. You can name them whatever you wish; try to be descriptive.

Add - Link an existing GPO from another object.

Edit - Edit an existing GPO. This brings up the GPO editor console with the Administrative Templates for Computer and User.

Options - Set No Override, i.e. the GPO cannot be changed by a later GPO.

Delete - Deletes the GPO.

Properties - Takes you to the properties of the selected GPO. On the next dialogue box you can select Security, which is where you can manage the ACL for the GPO, i.e. you can choose who doesn't read this particular policy object, see below.

 

Further Reading

Active Directory Terms

GPO FAQ Further Reading

Active Directory FAQ Further Reading

GPOs and Vista

Microsoft on Vista GPOs

Excellent XP tutorials, not just on Group Policy

Local Group Policy Object

regedit tutorial