Managing GPO Security Filtering
Managing security filtering is
one of the best ways to target a specific group of users and computers
for GPO application. Security filtering can be set to a specific user,
computer, or security group object or a combination of all three object
types. To change the security filtering of a GPO from the default of
Authenticated Users, perform the following steps:
1. | Log on to a designated Windows Server 2008 R2 administrative system.
|
2. | Open the Group Policy Management Console.
|
3. | Expand the domain to expose the Group Policy Objects container and expand it.
|
4. | Select the desired GPO and select the Scope tab in the right pane.
|
5. | In the Security Filtering section of the Scope tab, select the Authenticated Users group, and click the Remove button.
|
6. | Click OK in the confirmation dialog box to remove the security group from the GPO security filtering.
|
7. | In
the Security Filtering section of the Scope tab, click the Add button
to add an Active Directory object to the security filter for the GPO.
|
8. | Type in the name of the user or security group that will be applied to the GPO security filtering, and click OK.
|
9. | If multiple objects need to be added, repeat this process until all of the objects are added to the security filter.
|
10. | If
a specific computer object needs to be added, in the Select Users and
Group window, click the Object Types button, check the Computers object,
and click OK. Type the computer object name or browse for the object,
and then click OK.
|
Managing GPO Link Order of Processing
When an Active Directory
container has multiple GPOs linked to it, a specific order of processing
will occur. In many instances, the set of linked GPOs will have some
conflicting settings and the order of GPO processing must be modified to
produce the desired result. When reviewing both the Linked Group Policy
Objects Link order on a container or the Group Policy Inheritance
Precedence order, the Group Policies will be applied in a countdown
sequence ending with the number 1 policy being applied last. Group
Policy Link Order is inherited down from any parent or domain container
and can only be adjusted on the actual domain or container the GPO is
linked to. To change the GPO link order of processing, perform the
following steps:
1. | Log on to a designated Windows Server 2008 R2 administrative system.
|
2. | Open the Group Policy Management Console.
|
3. | Add the necessary domains or sites to the GPMC, as required.
|
4. | Expand the Domains or Sites node to expose the container with multiple GPOs linked.
|
5. | Select the desired container.
|
6. | In the right pane, select the Linked Group Policy Objects tab.
Note
When the order is presented,
the policy with the highest numeric value is applied first and the
remainder of the policies are applied sequentially and numerically. The
GPO listed as number 1 in the link order is processed last.
|
7. | If
the placement or order of a particular GPO needs to be changed, select
the GPO and click one of the following buttons on the left:
Move Link to Top is a double up arrow Move Link Up is a single up arrow Move Link Down is single down arrow Move Link to Bottom is a double down arrow
|
8. | After the GPO links are in the correct order, the task is complete.
|
Viewing GPO Settings and Creating Reports
One of the great features
of the GPMC is the ability to view GPO settings from within the window,
and to save the settings to share with others as HTML files. To view the
settings of a particular GPO, perform the following steps:
1. | Log on to a designated Windows Server 2008 R2 administrative system.
|
2. | Open the Group Policy Management Console.
|
3. | Expand the domain to expose the Group Policy Objects container and expand it.
|
4. | Select the desired GPO in the tree pane and select the Settings tab in the right pane.
|
5. | Browse the settings by expanding the sections using the Hide and Show hyperlinks.
|
6. | To save the settings to an XML or HTML file, right-click on the desired GPO in the left pane, and click Save Report.
|
7. | Specify
the location in which to save the GPO report, choose Save the File as
an HTML or an XML File, and click Save to save the file. |
