The following points must be understood before creating and implementing a GPO in a production environment. They are the basic rules of Group Policy; without them in mind a GPO will not behave the way you expect:

1. Group Policy settings are applied to Active Directory leaf objects, namely user and computer accounts. A GPO is never linked to a security or distribution group; groups only come into play for filtering (see rule 3).

2. A user or computer receives a GPO only if its account sits in the container the GPO is linked to: the site, the domain, the OU itself, or a child OU of it (links are inherited down the OU tree unless inheritance is blocked). Moving the account out of that tree removes the policy.

3. Security groups can be used to filter the scope of a GPO: only members of the groups that hold both the Read and the Apply Group Policy permission on the GPO receive its settings.

4. By default a new GPO is filtered to the following group:

Authenticated Users

5. With the default security settings, Group Policy applies to administrators as well, because every administrator who logs on is a member of Authenticated Users. The permissions a new GPO carries by default are:

*Read* and *Apply Group Policy*: Authenticated Users
*Read* only: Enterprise Domain Controllers
*Read*, *Write*, *Create* and *Delete* child objects (edit rights, but NOT *Apply Group Policy*): Domain Admins, Enterprise Admins, SYSTEM

The built-in Administrators group is not on the GPO's ACL at all; its members, like Domain Admins and Enterprise Admins, receive the policy through Authenticated Users like everyone else. This is why removing Authenticated Users from the ACL also removes the policy from administrators unless they are added back through another group.
6. Group Policy processing depends on Client-Side Extensions (CSEs) registered under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

(the key is GPExtensions, not GPTExtensions). Each {GUID} subkey under it is one CSE module, identified by its DllName value, and is loaded when the policy engine needs to process the settings category that CSE owns (security settings, scripts, folder redirection, software installation, Group Policy Preferences and so on).

CSEs do the actual work of applying GPOs obtained from a domain controller: the core engine builds the list of GPOs that apply to the computer or user, detects what changed, and then hands each settings category to the matching CSE. In Windows 2000, XP and Server 2003 that engine ran inside Winlogon.exe; on Windows Vista and later it is the Group Policy Client service (gpsvc), but the registry key and the CSE model are unchanged.

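As an added example (this is not code from the original article), the following PowerShell enumerates the registered CSEs from the key above and checks that each DllName resolves to a Microsoft-signed binary. The registry key and value names (DllName, NoMachinePolicy, NoUserPolicy, ProcessGroupPolicy, ProcessGroupPolicyEx) are the real ones; the output column names are my own.

```powershell
# Added example: list the Group Policy Client-Side Extensions registered on
# this machine and sanity-check the DLL each one points at.
$cseRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# 1. Inventory. Each {GUID} subkey is one CSE; its (default) value is the
#    display name and DllName is the module the policy engine loads.
Get-ChildItem -Path $cseRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    # Newer CSEs export ProcessGroupPolicyEx, older ones ProcessGroupPolicy.
    $entry = if ($props.ProcessGroupPolicyEx) { $props.ProcessGroupPolicyEx } else { $props.ProcessGroupPolicy }
    [pscustomobject]@{
        Guid            = $_.PSChildName
        Name            = $props.'(default)'
        DllName         = $props.DllName
        # 1 means this CSE is skipped for the computer / user half of every GPO
        NoMachinePolicy = $props.NoMachinePolicy
        NoUserPolicy    = $props.NoUserPolicy
        EntryPoint      = $entry
    }
} | Sort-Object Name | Format-Table -AutoSize

# 2. Baseline check. The Group Policy Client service runs as SYSTEM and loads
#    every DllName listed here, so each one should be an existing,
#    Microsoft-signed file. Anything else deserves a closer look.
Get-ChildItem -Path $cseRoot | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    if (-not $dll) { return }   # a few built-in entries have no DllName

    # DllName may be a bare file name (resolved from System32) or contain
    # environment variables such as %SystemRoot%.
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot "System32\$path"
    }

    if (-not (Test-Path -Path $path)) {
        Write-Warning "$($_.PSChildName): DllName '$dll' not found on disk"
        return
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$($_.PSChildName): $path is not Microsoft-signed (status: $($sig.Status))"
    }
}
```

Run it in an elevated prompt on a domain member; the first table is the list of CSEs the text refers to, and the warnings (normally none) flag extensions whose module is missing or not signed by Microsoft. Note that the registry-based Administrative Templates settings are handled by the engine itself and do not appear as a separate DLL here.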
A common recommendation is to stop relying on Authenticated Users as the apply scope: create a dedicated group, add the intended members to it, grant that group Read and Apply Group Policy on the GPO, and remove Apply Group Policy from Authenticated Users (this is the Group Policy filtering technique). Do not remove the Read permission from Authenticated Users, though: since the MS16-072 security update (June 2016) the computer account must be able to read every GPO in scope, including GPOs that only carry user settings, or the GPO is silently not processed. Keep Authenticated Users (or at least Domain Computers) with Read only. Basically, any user who has successfully logged on to the network is a member of the Authenticated Users group, and so is every domain computer account.

If a setting is configured in a GPO linked to the parent OU and the same setting is also configured in a GPO linked to the child OU, and all users are members of Authenticated Users so both GPOs apply, the result is not random. GPOs are processed in the order local, site, domain, OU, child OU, and when two GPOs configure the same setting the one processed last (the one linked closest to the object, here the child OU's GPO) wins. The only exception is a parent link marked No Override (Enforced), which wins regardless.

Group Policy key terms:

Not Configured
The policy setting is not defined in this GPO. The client does not touch the corresponding registry value, so whatever the setting already is (from another GPO or the local default) stays in effect.

Disabled
The policy setting is defined, and the client does process it: the CSE writes the "disabled" state for that setting (for Administrative Templates, the registry value that turns the feature off). Disabled is therefore an active choice that overrides a lower-precedence GPO that enables the same setting; it is not the same as Not Configured.

Enabled
The policy setting is defined and the client processes it, writing the "enabled" state plus any options the setting takes.

Microsoft provides two separate ways to not process Group Policy settings. The Disabled option above is configured per policy setting. The GPO Status option in the properties of the GPO ("User Configuration settings disabled", "Computer Configuration settings disabled" or "All settings disabled") is set on the GPO as a whole and stops the client from processing that entire half of the GPO, whatever the individual settings inside it say. The GPO-level option therefore overrides the per-setting one, and it also saves processing time for GPOs that only use one half.

- Computer policy settings are processed when the computer starts, before anyone logs on (and again during the background refresh). They affect the machine as a whole, so they are in effect for every user who logs on to that computer. Example: a computer startup script or a Windows Firewall setting applied to all computers in an OU.
- User policy settings are processed after a user logs on (and during the background refresh). They follow the user rather than the machine, so a network drive mapping configured in User Configuration is available to that user on whichever in-scope computer they log on to, and is not available to other users of the same computer.
- The third option is filtering the GPO with security groups. This does not change the two rules above; it only limits which users or computers process the GPO at all. In the example, if you create a group called "ServiceComputers", put 4 computers in it, and give that group (instead of Authenticated Users) Read and Apply Group Policy on the GPO, only those 4 computers receive the policy. A computer's group memberships are evaluated at startup, so a computer added to the group needs a restart before the filter takes effect.

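The default ACL from rule 5 and the ServiceComputers filtering step above, as an added PowerShell example that is not part of the original article. It uses the GroupPolicy module that ships with RSAT / GPMC; the GPO name and the group name are assumptions for illustration.

```powershell
# Added example: inspect the default GPO ACL, then narrow the apply scope to
# one security group while keeping Read for Authenticated Users.
Import-Module GroupPolicy

$gpoName = 'Service Computer Hardening'   # assumed GPO name
$group   = 'ServiceComputers'             # assumed domain security group

# 1. Default ACL of a freshly created GPO: only Authenticated Users has
#    GpoApply; the admin groups and SYSTEM hold edit rights, not apply rights.
'--- default permissions ---'
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize

# 2. Downgrade Authenticated Users from GpoApply to GpoRead. -Replace is
#    required to lower an existing permission. Read must stay: since
#    MS16-072 the computer account has to read every GPO in scope.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Grant Read + Apply Group Policy to the group that should get the policy.
#    Computers added to this group need a restart before they pick it up.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply

# 4. Verify: Authenticated Users should now show GpoRead and the group GpoApply.
'--- filtered permissions ---'
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

After restarting one of the four computers, `gpresult /r /scope computer` on it should list the GPO under "Applied Group Policy Objects", while a computer outside the group lists it under "filtered out" with the reason "Security".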
The other options are "Block Policy Inheritance" and "No Override" (called "Block Inheritance" and "Enforced" in the Group Policy Management Console). Block Inheritance is set on a container, a domain or an OU, not on a GPO and not on a site; there is no point setting it on the top-level container because nothing is inherited from above it. When enabled, it stops the GPOs linked at parent containers (and at the domain and site) from applying to objects in that container. No Override (Enforced) is set on a GPO link at the parent. An enforced link cannot be blocked by Block Inheritance at a child level, and if an enforced parent GPO and a child GPO configure the same setting, the parent's value wins, reversing the normal "closest link wins" rule. If several enforced links conflict with each other, the one higher in the tree wins.
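As an added example, not code from the original article, here is the Block Inheritance and Enforced interplay driven from PowerShell with the GroupPolicy module. The OU paths and the GPO name are assumptions; the cmdlets and the properties of the objects they return (GpoInheritanceBlocked, InheritedGpoLinks, Enforced, Enabled, Target) are the module's own.

```powershell
# Added example: show the effective GPO links for a child OU, block
# inheritance on it, then enforce one parent GPO so it survives the block.
Import-Module GroupPolicy

$parentOu = 'OU=Corp,DC=example,DC=com'             # assumed parent OU
$childOu  = 'OU=Servers,OU=Corp,DC=example,DC=com'  # assumed child OU
$baseline = 'Corp Baseline'                         # assumed GPO linked at the parent OU

function Show-EffectiveLinks([string]$Target) {
    # GpoLinks are only the links made directly on the container.
    # InheritedGpoLinks is the list the client will actually process for
    # objects in this container, highest precedence first, after Block
    # Inheritance and Enforced have been taken into account.
    $inh = Get-GPInheritance -Target $Target
    "{0}: inheritance blocked = {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.InheritedGpoLinks) {
        "  {0,-25} linked at {1,-40} enforced={2} enabled={3}" -f $link.DisplayName, $link.Target, $link.Enforced, $link.Enabled
    }
}

'--- before ---'
Show-EffectiveLinks $childOu
# Expect the child OU's own links first, then parent OU, domain and site links.

# Block inheritance on the child OU: GPOs linked at the parent OU, the
# domain and the site no longer apply to objects in Servers ...
Set-GPInheritance -Target $childOu -IsBlocked Yes

# ... except links marked Enforced. Enforcing the baseline at the parent makes
# it apply through the block and also win any setting conflict with GPOs
# linked directly at Servers.
Set-GPLink -Name $baseline -Target $parentOu -Enforced Yes

'--- after ---'
Show-EffectiveLinks $childOu
# Expect only Servers' own links plus 'Corp Baseline' with enforced=True.
```

To confirm on an actual member of the Servers OU, run `gpupdate /force` and then `gpresult /r` (or `Get-GPResultantSetOfPolicy -ReportType Html -Path rsop.html` from the GroupPolicy module): the enforced baseline should be listed as applied and the other parent-level GPOs should be absent.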