Like NTFS permissions, GPs are cumulative and inherited: cumulative in that the settings modified by a policy can build upon other policies and "amass" configuration changes, and inherited in that objects below other objects in Active Directory automatically receive any GPs that are applied to their parent object.
GPOs are associated with, or linked to, any number of objects, either within a directory or local to a specific machine. To implement a GP on a specific type of object, follow these guidelines.
Local computer
Use the Local Security Policy snap-in inside Control Panel → Administrative Tools. Or, for a more complete look, use Start → Run → gpedit.msc.
A specific computer
Load the MMC, and then select Add Snap-in from the File menu. Browse in the list and add the Group Policy Object Editor to the console. On the Select Group Policy Object screen, peruse the list to find the specific object you want.
Entire domain
OU within Active Directory
Install and launch the Group Policy Management Console, right-click on the OU, and create or edit a policy from there.
Active Directory site
Launch Active Directory Sites and Services, right-click the site's name, and select Properties from the context menu. Navigate to the Group Policy tab, and create or edit a policy from there.
Windows applies GPs in the following order, which you can remember with the acronym "LSDOU":
Local GPOs
Site-specific GPOs, in an order which the site administrator configures
Domain-specific GPOs, in an order which the domain administrator configures
OU-specific GPOs, from the parent OU down through the ranks to the child OU
The only exception to this rule occurs when you're using NT 4.0 system policies that are created and set with the NT System Policy Editor. Recall from NT administration days that the system policies are called NTCONFIG.POL, so if Windows finds that file present, it applies these policies before the local GPO. Of course, these policies can be overwritten by policies that come farther down in the application chain.
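The application order described above, as an added example that is not part of the original text: a small Python model that sorts GPOs into NTCONFIG.POL, local, site, domain, OU order and reports which GPO supplies each final setting and which earlier GPOs it overwrote. The GPO names, setting names and the "seq" field are constructed for illustration and are not real policy identifiers.

```python
# Added example: models the LSDOU order described above. GPO names, setting
# names and the "seq" field are constructed for illustration.
SCOPE_ORDER = ["nt4_system_policy", "local", "site", "domain", "ou"]

def application_order(gpos):
    """Sort GPOs into the order they are applied. "seq" is the position
    within one scope: admin-configured for site and domain links, and
    depth below the top-level OU for OU links (parent before child)."""
    return sorted(gpos, key=lambda g: (SCOPE_ORDER.index(g["scope"]), g["seq"]))

def resultant_settings(gpos):
    """Apply GPOs in order; a later GPO overwrites an earlier value.
    Returns {setting: (value, winning_gpo, [overridden_gpos])}."""
    result = {}
    for gpo in application_order(gpos):
        for key, value in gpo["settings"].items():
            overridden = []
            if key in result:
                _, previous, earlier = result[key]
                overridden = earlier + [previous]
            result[key] = (value, gpo["name"], overridden)
    return result

# Constructed sample, deliberately listed out of order.
SAMPLE_GPOS = [
    {"name": "OU-Workstations-Lab", "scope": "ou", "seq": 1,
     "settings": {"DenyRemovableStorageWrite": False}},
    {"name": "Domain-Baseline", "scope": "domain", "seq": 0,
     "settings": {"ScreenLockTimeoutSeconds": 600,
                  "DenyRemovableStorageWrite": True}},
    {"name": "Local GPO", "scope": "local", "seq": 0,
     "settings": {"LogonBanner": "local", "ScreenLockTimeoutSeconds": 1800}},
    {"name": "OU-Workstations", "scope": "ou", "seq": 0,
     "settings": {"ScreenLockTimeoutSeconds": 300}},
    {"name": "NTCONFIG.POL", "scope": "nt4_system_policy", "seq": 0,
     "settings": {"LogonBanner": "nt4"}},
    {"name": "Site-HQ", "scope": "site", "seq": 0,
     "settings": {"ScreenLockTimeoutSeconds": 900}},
]

if __name__ == "__main__":
    for setting, (value, winner, lost) in resultant_settings(SAMPLE_GPOS).items():
        print(f"{setting} = {value!r} from {winner}; overridden: {lost}")
```

In the sample, the child OU's GPO is applied last and therefore undoes the domain-wide removable-storage restriction, which is the kind of override worth checking for when reviewing where security settings are linked.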