Post-class GPO knowledge:
Make a console for your convenience from the Microsoft Management Console.
Go to Start, Run… and enter mmc.
Go to File, Add/Remove snap-ins.
Click the ‘Add…’ button
Browse the list (you might have to install the AdminPack.msi to get these snap-ins) and choose Active Directory Users and Computers, ADSI, Resultant Set of Policy, and anything else that looks interesting and might be useful for your environment.
Add these snap-ins and save the console to your desktop or other convenient location.
Install the Group Policy Management Console from the Windows Server 2003 Resource kit for the best interface. .NET 1.1 is required for the GPMC.
Get to the GPMC by browsing through the Active Directory Users and Computers console. Right-click on an OU (Organization Unit) and select Properties. The far-right tab is labeled Group Policy and under it will have a button to “Launch Group Policy Management Console” if you have installed that component.
When creating GPO’s, it would be best-practice to disable the links first while editing them and then re-link when done. You should also have a separate OU created to use for testing as policies are edited live and would take effect the next time a machine refreshes their Group policy (default: every 90 minutes) and logs off for user policies or restarts for computer policies. Enable the links when you’re ready for the Group Policy to take effect.
The hierarchy of application of policies resolves any conflicts that might arise with contradicting policies. One policy at the domain level might say to disable something, while the policy at the OU level says to enable it. The more specific policy will win out.
Local/Machine Domain -> Site -> Domain -> OU
(ascending in specificity)
Permissions on computers in the Group Policy must allow read access to the policy, and allow “Apply Group Policy” permissions for the policy to take effect on that machine. The security permissions on the group policies can be used to filter access to those that can use the GPO by enabling or disabling permissions to security groups.
Loopback processing must be enabled to apply GPOs to users not in your OU. The setting can be found under Computer Config, Admin Templates, System, Group Policy.
Monitor the Application event log for an event from SceCli which will give information that the security policy was successfully applied to see that the group policy has refreshed.
See the group policy that applied to a machine with the command gpresult /z
Write this to a file for easier analysis with: gpresult /z > c:\gp.txt
Through the MMC, with the snap-in for Resultant Set of Policy, you can also view what policies were applied or under the command prompt type RSoP
.
Under the command prompt, type set
to see what system variables are named and available.