GROUP POLICY

Discussion in 'Active Directory' started by DD, May 27, 2009.

  1. DD

    DD Guest

    I would like to create a different group policy for each department. Is there
    a guide on how to create the group policy in DC 2003, step by step?
     
    DD, May 27, 2009
    #1

  2. Meinolf Weber [MVP-DS], May 27, 2009
    #2

  3. DD

    Jorge Silva Guest

    Hi
    Before starting, be sure that you know what GPO model suits best in your
    scenario, have a look at MS Technet for policy design considerations.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services
     
    Jorge Silva, May 27, 2009
    #3

  4. In addition to the links provided by Meinolf, here is a generalized overview that I put together and used from older courseware, to understand GPOs a little better before jumping into it.

    GPO Intro:
    http://www.fekay.com/SupportBlogs/IntroToGPOs.SWF

    How GPOs work with downhill flow and inheritance.
    http://www.fekay.com/SupportBlogs/gpoflow.jpg


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
    http://twitter.com/acefekay
     
    Ace Fekay [Microsoft Certified Trainer], May 27, 2009
    #4

  5. Here is some additional information.
    ======================================================================================================
    ======================================================================================================
    Group Policy Objects (GPOs) Design Considerations and Guidelines

    It's suggested and recommended not to change the Default Domain Policy.
    Keep in mind, whatever you set at the domain level will flow downhill to
    everything. I would suggest designing your OU structure to reflect your
    organization and/or departments, which will also help you create GPOs for
    the OU design.

    For example, for a company with more than one location/site, I would suggest
    the following:

    Domain
    ......Philly OU
    ...............Accounting
    ...............Sales
    ...............Marketing
    ...............Desktop
    ...............Users
    ...............Laptops
    ......Seattle OU
    ...............Accounting
    ...............Sales
    ...............Marketing
    ...............Desktops
    ...............Users
    ...............Laptops

    I separated Laptops and Desktops because I have two different Windows Update
    GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas
    the Laptop Updates run at 3:30 PM while the users have the laptops in the
    office. This design also allows me to create GPOs for the different offices,
    or I can create one and link it to both offices. The design possibilities
    are endless, especially if you control flow with Block Inheritance,
    Loopback, WMI filtering, disabling the Computer or User portion of a GPO,
    etc.; however, in many cases I do not use these features, because when
    trying to support them 8 months later when there's a problem, it is difficult
    to remember what you had blocked, etc. Yes, you can use RSOP to look at what
    is being applied, etc., but I find it easier to simply create another OU or a
    child OU to have a different setting than the parent, such as the following,
    where I created a GPO to lock the desktop with two different time settings.
    The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout
    OU directly beneath it. Because the identical setting is different on the
    child, it overrides the parent's setting. I can simply "look" at my OUs and
    know what I have applied.

    ......Seattle OU
    ...............Accounting
    ...............Sales
    ...............Marketing
    ...............Desktops
    .....................15 Minute Timeout
    ...............Users
    ...............Laptops

    These are just suggestions, and you may find that it may work for you, or
    not. Even in a single site, I still do it this way, because it is flexible.
    You never know when the customer or your company may expand. If they do,
    simply create another OU for the new location.

    Here's a basic visual of how GPOs work, and how it would flow downhill.
    http://www.fekay.com/supportblogs/gpoflow.jpg

    Design Considerations for Organizational Unit Structure and Use of Group Policy Objects
    http://technet.microsoft.com/en-us/library/cc785903.aspx

    TechNet Magazine: Group Policy
    http://technet.microsoft.com/en-us/magazine/cc135925.aspx

    Group Policy and Advanced Group Policy Management
    http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

    Win2k3 AD OU/GPO Design Discussion
    http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion

    AD Scalability
    http://technet.microsoft.com/en-us/library/cc756101.aspx
    ======================================================================================================
    ======================================================================================================

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], May 27, 2009
    #5
  6. DD

    DD Guest

    e.g. if I create 2 user policies, one for the a/c dept and one for the HR dept.

    How do I check whether the policy is applied correctly to the user PC? Or, from
    the user PC,

    are we able to check which policy actually applies to the user PC? I just want
    to ensure that the HR policy is applied correctly to the HR user's PC.
     
    DD, May 28, 2009
    #6
  7. Hello DD,

    On the client machine, run "rsop" or "gpresult /v" with a user account on
    the client. In the output you will see the applied GPOs.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 28, 2009
    #7
  8. DD

    DD Guest

    I ran gpresult /v; under the applied group policy objects it shows
    Default Domain Policy. Does it mean it uses the Default Domain Policy? I created
    2 policies called HR_USERS & AC_USERS. If the policy applies correctly to the
    OU, will it show the policy name HR_USER in the gpresult?
     
    DD, May 29, 2009
    #8
  9. Hello DD,

    The output should show all applied policies. If not, make sure the user accounts/computer
    accounts are added in the OU where the GPO is applied.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 29, 2009
    #9
  10. As Meinolf said, if you created GPOs and they do not show up in a gpresult, then that means the user account is not in the OU where you linked the GPO.

    To better help, can you let us know what OU the user account is in, and what OU the GPOs are linked to, please?
    Also let us know if you had changed any permissions or applied any restrictions, such as Block Inheritance, disabled the Computer or User section in the GPO, etc.

    Thanks,
    Ace
     
    Ace Fekay [Microsoft Certified Trainer], May 29, 2009
    #10
  11. Also, post an unedited ipconfig /all from two of your domain controllers, so we can get a better understanding of the server(s) configuration as part of our diagnosis process.

    Thanks,

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], May 29, 2009
    #11
  12. DD

    DD Guest

    I read the guide provided, but it did not really help; basically I just want the
    steps on how to create the GPO and how to link it.

    e.g., create a new GPO for a new dept., no branch office.
     
    DD, Jun 2, 2009
    #12
  13. GPOs are created using the GPMC (Group Policy Management Console), and are linked to OUs (organizational units), not to AD groups or AD users. So it really depends on YOUR OU design. The articles and pictures I provided should help you understand this part, so please understand, they are NOT based on Active Directory Groups, they are based on OUs.

    So you would create an OU called by your department name or office name, then go into the GPMC and right click on the OU, and create a new GPO and make the changes.

    Let me find some articles on this basic task and will post back.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 2, 2009
    #13

  14. Here are some links that show how to create a GPO with pictures. I hope they help. Keep in mind, please understand what the GPOs can do and what they can't do. Please be careful not to apply the new GPOs you are creating at the domain level or they will affect everyone. Create a test OU and test user account, and create and link the GPO to the test OU so it applies to the test user account. You have to move the test user account into the OU so it will affect it.

    Create or delete a Group Policy object: Group Policy (Jan 21, 2005) ... "In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a Group Policy object (GPO). ..."
    http://technet.microsoft.com/en-us/library/cc776678.aspx

    Creating and Working with GPOs: Group Policy (Mar 28, 2003) ... "Because changes to a GPO take place immediately, keep the GPO unlinked from its production location (site, domain, or OU) until you have ..."
    http://technet.microsoft.com/en-us/library/cc782678(WS.10).aspx

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 2, 2009
    #14
  15. DD

    DD Guest

    1) I created the new OU from Active Directory, named HR.
    2) Using Group Policy Management, under Group Policy Objects, I created a new
    policy named HR Policy, then I defined my own policy.
    3) I did "Link an Existing GPO" to the HR Policy.
    4) From Active Directory Users, I moved the test a/c to the Audit OU.

    When I log in with the test a/c, it does not apply the new HR policy; it still
    uses the Default Domain Policy.

    Any steps I missed out? Your assistance please.
     
    DD, Jun 3, 2009
    #15
  16. Hello DD,

    The user account has to be in the OU (HR in your case) that the policy is
    linked to, not in another OU (Audit).

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jun 3, 2009
    #16

  17. Hello DD,

    I assume in #3 in your post:
    "> 3) I do a link an existing GPO to the HR Policy"
    That you meant you linked the GPO to the HR OU, not the HR Policy.

    If you moved the user to the Audit OU, how is it going to get the GPO in the
    HR OU? As Meinolf said, it must be moved to where the GPO is linked.

    Otherwise, if you did move it to the HR OU, and it is not working, you can
    find out which GPOs are applied to the client by running the following command
    in the command line on the client:
    gpresult

    Post the output so we can take a look.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 3, 2009
    #17
  18. DD

    DD Guest

    Please see the result.
    You are right, it is HR, not Audit.

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 6/4/2009 at 10:30:25 AM



    RSOP results for OCB\hrtest on SG050001 : Logging Mode
    ----------------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: OCB
    Domain Type: Windows 2000
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\hrtest
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=SG050001,CN=Computers,DC=OCSG,DC=co,DC=id
    Last time Group Policy was applied: 6/4/2009 at 10:25:42 AM
    Group Policy was applied from: SG080001.OCSG.co.id
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    SG050001$
    Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

    Software Installations
    ----------------------
    N/A

    Startup Scripts
    ---------------
    N/A

    Shutdown Scripts
    ----------------
    N/A

    Account Policies
    ----------------
    GPO: Default Domain Policy
    Policy: MinimumPasswordAge
    Computer Setting: 3

    GPO: Default Domain Policy
    Policy: PasswordHistorySize
    Computer Setting: 3

    GPO: Default Domain Policy
    Policy: LockoutDuration
    Computer Setting: 4294967295

    GPO: Default Domain Policy
    Policy: ResetLockoutCount
    Computer Setting: 90

    GPO: Default Domain Policy
    Policy: MinimumPasswordLength
    Computer Setting: 8

    GPO: Default Domain Policy
    Policy: LockoutBadCount
    Computer Setting: 3

    GPO: Default Domain Policy
    Policy: MaximumPasswordAge
    Computer Setting: 30

    Audit Policy
    ------------
    GPO: Default Domain Policy
    Policy: AuditPolicyChange
    Computer Setting: Success, Failure

    GPO: Default Domain Policy
    Policy: AuditPrivilegeUse
    Computer Setting: Success, Failure

    GPO: Default Domain Policy
    Policy: AuditDSAccess
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditAccountLogon
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditObjectAccess
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditAccountManage
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditLogonEvents
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditProcessTracking
    Computer Setting: Failure

    GPO: Default Domain Policy
    Policy: AuditSystemEvents
    Computer Setting: Failure

    User Rights
    -----------
    GPO: Default Domain Policy
    Policy: SystemtimePrivilege
    Computer Setting: Administrators

    GPO: Default Domain Policy
    Policy: InteractiveLogonRight
    Computer Setting: Users
    OCB\RAS and IAS Servers
    OCB\Domain Users
    Administrators

    GPO: Default Domain Policy
    Policy: DenyInteractiveLogonRight
    Computer Setting: N/A

    Security Options
    ----------------
    GPO: Default Domain Policy
    Policy: RequireLogonToChangePassword
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: PasswordComplexity
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: ClearTextPassword
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: NewAdministratorName
    Computer Setting: Enabled

    Event Log Settings
    ------------------
    GPO: Default Domain Policy
    Policy: MaximumLogSize
    Computer Setting: 2048
    Log Name: Security

    GPO: Default Domain Policy
    Policy: MaximumLogSize
    Computer Setting: 1024
    Log Name: System

    GPO: Default Domain Policy
    Policy: RetentionDays
    Computer Setting: 4294967295
    Log Name: Application

    GPO: Default Domain Policy
    Policy: MaximumLogSize
    Computer Setting: 1024
    Log Name: Application

    GPO: Default Domain Policy
    Policy: RetentionDays
    Computer Setting: 4294967295
    Log Name: System

    GPO: Default Domain Policy
    Policy: RetentionDays
    Computer Setting: 4294967295
    Log Name: Security

    GPO: Default Domain Policy
    Policy: RestrictGuestAccess
    Computer Setting: Enabled
    Log Name: System

    GPO: Default Domain Policy
    Policy: RestrictGuestAccess
    Computer Setting: Enabled
    Log Name: Application

    GPO: Default Domain Policy
    Policy: RestrictGuestAccess
    Computer Setting: Enabled
    Log Name: Security

    Restricted Groups
    -----------------
    N/A

    System Services
    ---------------
    N/A

    Registry Settings
    -----------------
    N/A

    File System Settings
    --------------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    N/A


    USER SETTINGS
    --------------
    CN=hrtest,OU=Audit,DC=OCSG,DC=co,DC=id
    Last time Group Policy was applied: 6/4/2009 at 10:25:42 AM
    Group Policy was applied from: sgs0001.OCSG.co.id
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Audit Policy
    Filtering: Not Applied (Empty)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL
    Grpappexcalibur
    Grphrtest

    Resultant Set Of Policies for User:
    ------------------------------------

    Software Installations
    ----------------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    N/A

    Folder Redirection
    ------------------
    N/A

    Internet Explorer Browser User Interface
    ----------------------------------------
    N/A

    Internet Explorer Connection
    ----------------------------
    N/A

    Internet Explorer URLs
    ----------------------
    N/A

    Internet Explorer Security
     
    DD, Jun 4, 2009
    #18
  19. Hi DD,

    Thank you for posting this info.

    From what I see, the Audit policy exists and is linked, but is not being
    applied because it is empty (meaning there are no settings changed or made
    in it).
    Look at this section:

    ===========
    USER SETTINGS
    --------------
    CN=hrtest,OU=Audit,DC=OCSG,DC=co,DC=id
    Last time Group Policy was applied: 6/4/2009 at 10:25:42 AM
    Group Policy was applied from: sgs0001.OCSG.co.id
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Audit Policy
    Filtering: Not Applied (Empty)

    Local Group Policy
    Filtering: Not Applied (Empty)
    ===========

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 4, 2009
    #19
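Meinolf's and Ace's two checks (#16/#17: the user must sit in, or below, the OU the GPO is linked to; #19: a GPO listed under "not applied because they were filtered out" with "Not Applied (Empty)" is linked and in scope but carries no settings for that side) can be turned into a small diagnostic. The following Python is an added example, not code from the thread: it parses the USER SETTINGS part of gpresult /v output and reports which of the two problems applies. The sample text is a constructed excerpt modelled on the output DD posted; the GPO name "HR Policy" and the link target OU=HR are assumed.

```python
# Constructed excerpt modelled on the USER SETTINGS part of a gpresult /v output.
SAMPLE_GPRESULT = """\
USER SETTINGS
--------------
CN=hrtest,OU=Audit,DC=OCSG,DC=co,DC=id

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Audit Policy
    Filtering: Not Applied (Empty)

Local Group Policy
    Filtering: Not Applied (Empty)

The user is a part of the following security groups:
"""

def parse_user_section(text):
    """Return (user DN, applied GPO names, {filtered GPO: reason}) from USER SETTINGS."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = lines.index("USER SETTINGS") + 2          # skip the dashed underline
    user_dn, applied, filtered, section, last = lines[i], [], {}, None, None
    for ln in lines[i + 1:]:
        if ln.startswith("Applied Group Policy Objects"):
            section = "applied"
        elif ln.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif ln.startswith("The user is a part of"):
            break                                  # end of the GPO lists
        elif not ln or ln.startswith("-"):
            continue                               # blank line or underline
        elif section == "applied":
            applied.append(ln)
        elif section == "filtered" and ln.startswith("Filtering:"):
            filtered[last] = ln.split(":", 1)[1].strip()   # reason for the GPO named above
        elif section == "filtered":
            last = ln
    return user_dn, applied, filtered

def is_under(object_dn, container_dn):
    """True if object_dn sits in container_dn or in any OU beneath it (case-insensitive)."""
    obj = [p.strip().lower() for p in object_dn.split(",")]
    cont = [p.strip().lower() for p in container_dn.split(",")]
    return len(obj) > len(cont) and obj[-len(cont):] == cont

def diagnose(gpresult_text, gpo_name, link_target_dn):
    """Explain why gpo_name (linked at link_target_dn, assumed) is or is not in the result."""
    user_dn, applied, filtered = parse_user_section(gpresult_text)
    if gpo_name in applied:
        return "applied"
    if gpo_name in filtered:
        return "linked but filtered: " + filtered[gpo_name]
    if not is_under(user_dn, link_target_dn):
        return "out of scope: " + user_dn + " is not under " + link_target_dn
    return "in scope but absent: check the link is enabled and security filtering"
```

Run against the constructed sample, "HR Policy" linked at OU=HR is reported as out of scope for a user in OU=Audit, while "Audit Policy" is reported as linked but filtered out as empty.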
  20. DD

    DD Guest

    I did define the password policy, account lockout policy, local policy
    & user rights under the Group Policy Object "Audit Policy", Windows Settings;
    I can see the policy that I defined.
     
    DD, Jun 4, 2009
    #20