1. Viewing Policies with the Group Policy Management Console
You can view Active Directory-based group
policies with very little effort by using a single console, the Group
Policy Management Console (GPMC). This tool is a feature that can
installed on any Windows Server 2012 system using Server Manager. The
GPMC enables administrators to view group policies, edit group
policies, and model the effects of combinations of group policies (that
is, model the resulting configuration).
Note
Local group policy or security policy changes
are made using the Group Policy Object Editor, an MMC snap-in,
available on every Windows Server 2012, and the Local Security Policy
console, available under the Tools menu in Server Manager.
To open an existing policy, follow these steps:
1. Launch Server Manager on a machine that has the GPMC feature installed.
2. Expand the Tools menu and run Group Policy Management Console.
3. Expand the Forest folder.
4. Expand the Domains folder.
5. Expand the specific domain, such as companyabc.com.
6. Select a GPO, such as the Default Domain Policy. Click OK to close the linked policy warning window.
7. Select the Settings tab to review the settings. Or right-click the GPO and select Edit to change the settings.
After you
access the policy, you can view each setting or settings container to
determine the default value and, in some cases, learn what the setting
controls. Keep in mind that, with the correct level of permissions, any
changes you make to this policy are live changes; there is no undo
other than reversing the individual setting changes or performing an
authoritative restore of Active Directory.
When changes need to be made or tested using
group policies, the administrator should leave the production
environment untouched and create test policies in isolated test lab
environments. When test labs are not available or cannot replicate the
production environment, the administrator can test policies in isolated
organizational units within a domain. Also, if domain-based or
site-based policies need to be created for testing, security filtering
could be modified to apply the policy only to a specific set of test
users or groups.
The preceding section described how to locate
a group policy. Using the Group Policy Management Console, you can also
create, configure, and open site, domain, and organizational unit (OU)
group policies for editing.
In some cases, it will be necessary to
prevent a GPO from being applied to a user or computer. That is, there
might be a GPO that applies to all members of a department, but it is
necessary to make a single exception to the rule. Rather than create a
specific OU to apply the GPO, security filtering can be used to allow
or deny the application of the GPO.
The following steps outline how to create a
new domain-based policy and configure its security filtering to apply
to a single user:
1. Launch Server Manager on a machine that has the GPMC feature installed.
2. Expand the Tools menu and run Group Policy Management Console.
3. Expand the Forest folder.
4. Expand the Domains folder.
5. Select the specific domain, such as companyabc.com.
6. Right-click the domain and select Create a GPO in This Domain, and Link It Here.
7. Type in a descriptive policy name, leave the source starter GPO set to None, and click OK to create the policy.
Note
Source starter GPOs are GPO templates that
can be used to prepopulate settings in GPOs. If there are common
settings that will go into GPOs, they can be created in starter GPOs
and then seeded into new GPOs as they are created.
The starter GPOs are stored in a common
folder named StarterGPOs. Any GPOs created in this folder are available
for seeding GPOs. There are no starter GPOs in a domain by default.
8.
The new policy will be displayed under the domain. Right-click the new
policy and select Edit to launch the Group Policy Management Editor
snap-in.
9. Right-click the GPO name in the Group Policy Management Editor, and select Properties.
10. Select the Security tab and highlight the Authenticated Users entry.
11. In the
Permissions section, scroll down and uncheck the Allow check box for
Apply Group Policy. This means that the GPO will not take effect on any
user or computer.
12. Select each entry in the Group Policy ACL and verify that no existing groups are allowed to apply Group Policy.
13. Click Add and
type in the name of a user or group. To find a list of users and groups
within the current domain, click the Advanced button, and in the Search
window, click Find Now to return the complete list. Scroll down and
select the users or groups you want, and click OK.
14. Click OK to add the entries to the policy.
15. Back in the Security window, select the respective entry and check the Allow check box for Apply Group Policy, as shown in Figure 1.
This means that the GPO will take effect on the members of this group,
which could include both users and computers. Click OK when you’re
finished.
Figure 1. Modifying a group policy’s application scope.
16. Close the Group Policy Management Editor snap-in.
Now the group
policies set in the GPO will affect only the users or computers that
were specified—in this case, members of the HelpDesk group. This allows
for fine-grained application of group policies to targeted groups.
