Scott,
Let's start off with the basics. That is always a really good place to
start.
Group Policy is simply ( well, not always so simple! ) a way to make a
configuration setting in one location ( on a Domain Controller ) that
affects a whole lot of other things ( either user account objects or
computer account objects or both! ). In other words, you make the setting
in one place and from this one place the setting is applied to all of those
other 'things'. No more needing to go from computer to computer to
computer! This is very good!
Okay, how do we do this? What infrastructure needs to be in place for me to
do this?
First and foremost make sure that DNS is set up properly. What this
typically means is that all of your clients point only to one or more of
your internal DNS Servers and not to your ISP's DNS Server ( or any other
external DNS Server ). Internal means that it is part of your network and
external means that it is not part of your network. If DNS is not correct
then things get really messy! First and foremost, make sure that DNS is
correct.
You need to have Organizational Units. By default, when you install WIN2000
Active Directory there is only one Organizational Unit: Domain Controllers.
The others are simple containers. In this sense you cannot link a GPO to a
container ( again, not really entirely accurate. We will see why in a
moment ).
Your user account objects or computer account objects must directly reside
in the Organizational Unit to which you linked the GPO. Many people seem to
think that they can leave the user account objects in the default USERS
container, create a security group in the desired OU ( after having created
the OU ), populate said security group with user or computer account objects
and then link a GPO to that OU ( the one that contains the security group ).
The GPO will not work!
Okay, what do we have so far?
1. DNS, DNS, DNS
2. Organizational Unit
3. Users or computers must directly reside in the OU to which the GPO is
linked
Okay, let's say that you have DNS all under control; you have created an OU
and you have moved the desired user account objects into that OU. Now what?
In Active Directory Users and Computers right click the OU in question and
select Properties. Then, go to the last tab named Group Policy. Click on
the New... button. Give it a name. Let's call it "Remove the Display Tab".
Congratulations. You just created your first Group Policy! Huh? But I did
not do much. Well, that is true. But you have created the GPO. Granted,
it is blank. But you have created it nonetheless!
So, what did you just do?
By the time you gave it the name of "Remove the Display Tab" several things
happened. On the Domain Controller that holds the FSMO Role of PDC Emulator
( well, this is the default ) you created the two halves of the GPO. Yep!
There are two halves. There is the one half that lives in the SYSVOL folder
( called the Group Policy Template, or GPT ) and there is the other half
that lives in Active Directory ( called the Group Policy Container, or
GPC ).
When you go back to this GPO you would need to click on the Edit... button
to make the actual settings. But that, for the moment, is secondary to what
is going on.
So, what in the world are the GPT and the GPC?
The GPT is the part that lives within the shared SYSVOL on your Domain
Controllers. If you follow the default location of
c:\WINNT\sysvol\SYSVOL\yourdomain.com\Policies you will find that you have -
upon installation of Active Directory - just two GPOs: the Default Domain
Policy ( or DDP ) and the Default Domain Controllers Policy ( or DDCP ).
Well, you do not really know this by looking inside the Policies folder.
All you see is a bunch of funny looking folders. The one with the name of
31B2F340-xxxx-xxxx-xxxx-00C04fB984F9 is the DDP and the one with the name of
6AC1786C-xxxx-xxxx-xxxx-00C04fB984F9 is the DDCP. Gosh, I hope that I did
not just make myself look stupid by using the incorrect names. Going from
memory. So, because you created your 'Remove the Display Tab' policy you
will now see a third folder in there with a similar looking name. We are
not going to worry about what is inside these folders at the moment ( if at
all! ). These policies will replicate to all Domain Controllers in THAT
domain. And that replication happens via NTFRS.
The GPC is that part that lives inside the Active Directory. Specifically
in the Domain Naming Context, or Domain Partition. A quick digression:
there are three partitions of Active Directory: the Schema NC, the
Configuration NC and the Domain NC. The first two NCs are replicated to all
Domain Controllers in the entire Forest. The Domain NC is replicated to all
Domain Controllers in the Domain. This replication happens via Active
Directory Replication. There are two kinds of AD replication: intra-site
and inter-site. We will not worry about that yet ( if at all! ). How do
you look at this? Install the Support Tools from the Service Pack CD Media
or download and install from the MS web site. Then fire up ADSIEdit. You
could also use ldp but ADSIEdit would be better! All of this will make
more sense if you take a look. But, you might want to install WIN2000
Server on a test system separate from your network and mess around
there.... You can do some serious damage here!!!!
Okay. So I now know about the basic internal things. Or, what is going on
under the hood, right? Well, there is a little bit more.
You can see that you can create a GPO and link it to several levels. I was
using the Organizational Unit level as this is the most common. There are
three others, however. The levels are Local, Site, Domain and OU. This
also is the pecking order. Huh? Well, the order in which they are
processed. So, any local GPOs would be processed. Then any Site level GPOs
would be processed. Following that would be the Domain level GPOs. A
little digression: I mentioned in the very beginning that you cannot link
GPOs to containers. I then wrote that this was not entirely correct.
Linking a GPO to the Site level or to the Domain level is actually linking a
GPO to a container! However, Site level GPOs are not used all that much (
well, normally speaking ). Usually Domain level GPOs are not used, either
( except the Password Policy, which must be set at the Domain level ).
Okay, back to the discussion. Finally, any GPOs linked to the OU level are
processed.
Okay. You are probably thinking to yourself: what happens if I have several
GPOs linked to the same level? What happens there? Which one is processed
first and which one is processed last? And in terms of conflict, which one
wins? When you are looking in the Group Policy Editor ( er, when you right
click the OU, select Properties and then go to the Group Policy tab ) the
GPO that is listed at the bottom is the one that is processed first. The
one above that is processed second and the one at the top is processed last.
Now, in the event of a conflict ( meaning, one GPO has a setting configured
to X and another GPO has that same setting configured to Y ) the last GPO
processed wins. So, the one at or nearest to the top wins!
But, I have written that there are two sides: the computer configuration and
the user configuration. This is true. There are the two sides. So, what
happens there? Well, normally at boot up the GPOs that are linked to the
container in which the computer account objects directly reside are
processed ( in the pecking order that I have already described ). You are
then prompted for a user name and password. You supply a user name and
password. The GPOs that are linked to the container in which this specific
user account object directly resides are processed ( again, in the pecking
order that I have already described ). So, why did I use the term
'container'? Because of the possibility that you might have Site level and
Domain level ( which you have for sure: the DDP ) GPOs.
I left off a lot. However, there is already enough information to digest.
And this is just the bare basics. But once you get this the rest is pretty
simple. Did I talk about Block Inheritance? No. Did I talk about
disabling one half of the GPO? No. Did I talk about Group Filtering? No.
Did I talk about all the specific settings that are available? No. Did I
talk about software deployment? No. There are several more things that I
did not discuss right now. But, again, there is already a ton of important
information in here.
Hope that this gets you started!
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
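The processing order and conflict rule described in the post, modelled in Python as an added example ( not code from the post or from Microsoft ). The GPO names, setting names, site name and the container DNs are constructed; the model also shows why an object left in the default Users container picks up nothing from a GPO linked to an OU, even if a group in that OU contains it.

```python
# Model of Group Policy processing order (LSDOU) from the post. Added example,
# not code from the post; GPO names, settings and containers are constructed.
from dataclasses import dataclass
LEVEL_ORDER = ("Local", "Site", "Domain", "OU")   # processed in this order

@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> configured value

@dataclass
class Link:
    level: str              # one of LEVEL_ORDER
    container: str          # "Local", site name, domain DN or OU DN
    gpos: list              # as listed on the Group Policy tab, top entry first

def applicable_links(links, object_container, site, domain):
    """Links that apply to an object directly residing in object_container.
    A group that sits in the OU does not count; only the object's own
    parent container does."""
    wanted = {"Local": "Local", "Site": site, "Domain": domain, "OU": object_container}
    return [ln for ln in links if ln.container == wanted[ln.level]]

def processing_order(links):
    """Local, Site, Domain, OU; within one level the GPO at the bottom of the
    tab is applied first and the one at the top last."""
    ordered = []
    for level in LEVEL_ORDER:
        for link in links:
            if link.level == level:
                ordered.extend(reversed(link.gpos))
    return ordered

def resolve(links, object_container, site, domain):
    """Effective settings as setting -> (value, winning GPO)."""
    effective = {}
    for gpo in processing_order(applicable_links(links, object_container, site, domain)):
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)   # last processed wins a conflict
    return effective

# Constructed sample: the DDP at the domain, one site GPO, two competing OU GPOs.
SAMPLE_LINKS = [
    Link("Domain", "DC=example,DC=com", [GPO("Default Domain Policy",
         {"MinPasswordLength": 8, "HideDisplayTab": False})]),
    Link("Site", "Default-First-Site-Name", [GPO("Site Banner", {"LogonBanner": "site"})]),
    Link("OU", "OU=Sales,DC=example,DC=com", [
        GPO("Remove the Display Tab", {"HideDisplayTab": True}),   # top of the tab
        GPO("Sales Baseline", {"HideDisplayTab": False, "LogonBanner": "sales"})]),
]
```

Calling resolve with the Sales OU as the object's container gives HideDisplayTab True from the GPO at the top of the tab; calling it with the default Users container leaves the domain default in place.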