Fine-tune Group Policy
In "Controlling Group Policy, Part 1," November 2000, I explained how Windows 2000 uses Group Policy Objects (GPOs) and the sequence in which Win2K applies them. But you can't truly control Group Policy until you understand the processing options that let you fine-tune your policies. Because you can link a GPO to sites, domains, or organizational units (OUs), you can control how Win2K applies Group Policy at several levels. You can use GPO-level processing options to control how Win2K applies a GPO regardless of the sites, domains, or OUs to which the GPO is linked. You can use link-level processing options to control how Win2K applies a GPO within a particular site, domain, or OU to which the GPO is linked. Other settings let you tailor how Win2K applies Group Policy at the computer or user level.
GPO-Level Processing Options
As I explained in "Controlling Group Policy, Part 1," a GPO has settings that affect a Win2K computer's configuration and a user's profile. The GPO stores computer settings in a Computer Configuration subfolder and stores user settings in a User Configuration subfolder. If you create a GPO that contains only computer settings, you can disable the GPO's User Configuration portion to reduce users' logon time. Likewise, if you define only user settings, you can disable the GPO's Computer Configuration portion to reduce system boot-up time. To disable either portion of a GPO, go to Administrative Tools, Active Directory Users and Computers. Right-click the domain or OU to which the GPO is linked, click Properties, and select the Group Policy tab. Select the appropriate GPO, and click Properties. Go to the General tab, which Figure 1 shows, and select either the Disable Computer Configuration settings check box or the Disable User Configuration settings check box. These settings are both GPO-level settings.
When you disable a GPO's Computer Configuration or User Configuration portion, Win2K disables that portion in every site, domain, or OU to which the GPO is linked. Therefore, before you make this type of GPO-level change, you need to determine how the change will affect those sites, domains, and OUs. To see a complete list of these linked elements, open the GPO's Properties dialog box and go to the Links tab, which Figure 2 shows. Select a domain from the Domain drop-down list and click Find Now. Win2K will search the specified domain and display each site and OU to which the GPO links. (The domain link will also show up on the list if the GPO is linked at the domain level.) Because you can link a GPO to multiple domains, you need to search all the domains that appear in the drop-down list.
One way to fine-tune a GPO's application is through a GPO's ACL, which defines both who has permission to maintain the GPO and which computers and users Win2K applies the GPO to. To access the ACL, open the GPO's Properties dialog box and go to the Security tab, which Figure 3 shows. When a Win2K computer that is a member of a Win2K domain boots up, the computer logs on to Active Directory (AD) and uses its corresponding computer account in AD to look through its domain, sites, and OUs and determine which GPOs it needs to apply. When applying Group Policy to a computer, Win2K determines whether the computer account has permissions to read and to apply Group Policy for each GPO. If not, Win2K ignores the GPO for that computer. User accounts also require both Read and Apply Group Policy access; Win2K goes through the same determination process each time a user logs on and whenever Win2K reapplies Group Policy.
As Figure 3 shows, Authenticated Users (i.e., all computer and user accounts) have both permissions by default. When you want to disable a GPO's application to specific computers or users in an OU, you can open the GPO's ACL and add an access-control entry that denies Apply Group Policy access for the groups or accounts that you want to exempt. To view a GPO, you need Read access; to edit a GPO, you need Write access.
Link-Level Processing Options
An important difference exists between a GPO-level processing option and a GPO-link-level processing option. Whereas GPO-level processing options apply to all sites, domains, or OUs to which the GPO is linked, link-level processing options apply to only the immediate site, domain, or OU to which the GPO is linked. (A difference also exists between deleting a GPO and deleting a link to the GPO. When you select a GPO from the Group Policy tab and click Delete, Win2K asks whether you want to delete the entire GPO or only the link. When you delete the GPO, it disappears from every site, domain, or OU to which it is linked. When you delete the link, the other sites, domains, or OUs to which the GPO is linked remain unaffected.) You can choose among three link-level processing options.
Block Policy inheritance. Administrators use this option to isolate domains or OUs from group policies defined for a site or higher-level OU. When you select the Block Policy inheritance check box on the Group Policy tab, you effectively erect a gate above that domain or OU that blocks GPOs from trickling down. When you block policy inheritance at the domain level, Win2K won't apply any site-linked GPOs. When you block policy inheritance at the OU level, Win2K won't apply domain- or higher-OU-linked GPOs for computers or users in that OU. However, remember that Win2K always applies the computer's local GPO regardless of the Block Policy inheritance setting.
No Override. Administrators typically enable this setting at a domain level to enforce corporate password and account policies. The No Override setting overrides all lower-level Block Policy inheritance settings. For example, when you enable No Override for a site-level GPO link, Win2K applies that GPO to all computers in the site, regardless of the domain's or OU's Block Policy inheritance setting. When you enable No Override for a domain- or OU-level GPO link, Win2K applies that GPO to all computers and users, regardless of any lower OUs' Block Policy inheritance settings. To enable or disable the No Override setting, select the appropriate GPO from the Group Policy tab and click Options. Select the No Override check box, which Figure 4 shows.
Disabled. Disabling a GPO link is useful when you need to temporarily eliminate the GPO's effect on configuration (e.g., while debugging policy or temporarily suspending a restriction). When you disable a GPO link to a site, domain, or OU, Win2K won't apply the GPO to that site, domain, or OU. By disabling rather than deleting the link, you can more easily reinstate the GPO. To change the Disabled setting for a GPO link, select the appropriate GPO from the Group Policy tab and click Options. Select the Disabled check box, which Figure 4 shows.
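To show how the GPO-level settings (disabled Computer or User Configuration portion), the ACL's Deny Apply Group Policy entries, and the three link-level options interact, here is an added example that is not part of the article: a small Python model of the order in which Win2K applies GPOs to a computer or user. The site, domain, OU, GPO and group names are constructed for illustration, and the model assumes the chain is given from the site down to the innermost OU.

```python
from dataclasses import dataclass, field

# Constructed model of Win2K Group Policy processing; names are illustrative only.
@dataclass
class GPO:
    name: str
    computer_enabled: bool = True   # False = "Disable Computer Configuration settings" (GPO-level)
    user_enabled: bool = True       # False = "Disable User Configuration settings" (GPO-level)
    apply_denied_to: frozenset = frozenset()  # groups given Deny on Apply Group Policy in the ACL

@dataclass
class Link:                         # one GPO link as listed on a container's Group Policy tab
    gpo: GPO
    no_override: bool = False       # link-level No Override
    disabled: bool = False          # link-level Disabled

@dataclass
class Container:                    # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)   # tab order: the first entry has highest priority
    block_inheritance: bool = False             # link-level Block Policy inheritance

def effective_gpos(chain, groups, portion="computer"):
    """chain runs from the site down to the innermost OU. Returns GPO names in the order
    Win2K applies them; a GPO later in the list wins on any conflicting setting."""
    normal, enforced_levels = [], []   # enforced_levels[i] = No Override links of chain[i]
    for container in chain:
        if container.block_inheritance:
            normal = []                # drops everything inherited, except No Override links
        level = []
        for link in reversed(container.links):   # lowest priority first, so the top entry wins
            gpo = link.gpo
            if link.disabled or (portion == "computer" and not gpo.computer_enabled):
                continue
            if (portion == "user" and not gpo.user_enabled) or (gpo.apply_denied_to & groups):
                continue               # disabled portion, or Deny Apply Group Policy exempts the principal
            (level if link.no_override else normal).append(gpo.name)
        enforced_levels.append(level)
    # No Override links apply last; a higher-level enforced GPO beats a lower-level one
    enforced = [name for level in reversed(enforced_levels) for name in level]
    return ["Local GPO"] + normal + enforced   # the local GPO is always applied first

# Constructed hierarchy: password policy enforced at the domain, Marketing OU blocks inheritance
SECURITY = GPO("Site Security")
PASSWORD = GPO("Domain Password Policy")
DESKTOP = GPO("Desktop Standard")
MKT_APPS = GPO("Marketing Apps", apply_denied_to=frozenset({"Mkt-Contractors"}))
WALLPAPER = GPO("Marketing Wallpaper", computer_enabled=False)   # user settings only
SITE = Container("HQ-Site", [Link(SECURITY, no_override=True)])
DOMAIN = Container("corp.example", [Link(PASSWORD, no_override=True), Link(DESKTOP)])
MARKETING = Container("OU=Marketing", [Link(MKT_APPS), Link(GPO("Legacy"), disabled=True),
                                       Link(WALLPAPER)], block_inheritance=True)
SALES = Container("OU=Sales")
```

Compare `effective_gpos([SITE, DOMAIN, MARKETING], {"Mkt-Staff"})` with the same call for the Sales OU: Block Policy inheritance removes Desktop Standard for Marketing, but the No Override links at the domain and site still apply.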
System- and User-Level Processing Options
Another set of processing options exists as settings within each GPO; you define these settings at the system or user level. As I explained in "Controlling Group Policy, Part 1," each GPO contains a Computer Configuration subfolder and a User Configuration subfolder; in other words, each GPO has a Group Policy folder under \computer configuration\administrative templates\system and another folder under \user configuration\administrative templates\system, as Figure 5 shows. These folders contain settings that control how Win2K applies Group Policy to every computer and user that receives that GPO.
Changing the Computer Configuration settings for one GPO can affect a system's application of all GPOs. For example, suppose you go to the Marketing OU, create a new GPO, and select the Disable background refresh of Group Policy system-level setting. The next time a computer in that OU boots up or refreshes, the system will encounter the new GPO and change the setting in the local system configuration. After making the change, the system will disable background refresh of every GPO, not only of the GPO for which you enabled the setting.
Disable background refresh of Group Policy. Win2K periodically reapplies Group Policy after the initial system boot-up or user logon. The Disable background refresh of Group Policy setting disables this reapplication while a user is logged on to the system. The setting applies to policies under both the Computer Configuration and User Configuration portions of a GPO.