How to configure Group Policy Objects for Windows Vista

This chapter excerpt from Microsoft Windows Vista Management and Administration, by Andrew Abbate, James Walker, Scott Chimner and Rand Morimoto, is printed with permission from Pearson Education, Copyright 2007. Click here for the chapter download or purchase the entire book here.

GPOs are created in a central manner and are stored on all domain controllers in a forest. GPOs can be accessed via Active Directory Users and Computers:

1. Click Start.
   
2. Click All Programs.
   
3. Select Administrative Tools.
   
4. Pick Active Directory Users and Computers.
   
5. Expand to an OU.
   
6. Right-click and choose Properties.
   
7. Select the Group Policy tab. If you have the GPMC loaded, it will prompt you to open it.

GPOs can also be accessed through the Group Policy Management console:

1. Click Start, Run, type gpmc.msc, and then press Enter. If Run is not available from the Start menu, it can be accessed by pressing the Windows and R keys at the same time.

The Group Policy Management Console is preinstalled on Vista.

Introducing the Group Policy Management Console (GPMC)

The release of the GPMC provided huge improvements in the creation and management of GPOs. Prior to the GPMC, an administrator had to open each GPO in the editor and examine all possible settings to determine which settings had been changed from the defaults. In the GPMC, you can view all the unique settings of a given GPO via the following steps:

1. Launch the GPMC (Start, Run, gpmc.msc).
   
2. Expand the Forest container.
   
3. Expand the Domains container.
   
4. Expand the Domain Object that holds the GPO you are interested in.
   
5. Expand Group Policy Objects.
   
6. Left-click the GPO in question.
   
7. Click the Settings tab in the right pane.

GPMC will show Generating Report and then the containers that are modified. Click Show All to see all settings contained in the GPO, as shown in Figure 22.1.

Figure 22.1

The GPMC is also useful for backing up and restoring GPOs. This should be used whenever a GPO is to be modified. This way, if the GPO causes unwanted issues, an administrator can restore the previous version of the GPO to return systems to their previous configuration. To back up a GPO with the GPMC, follow these steps:

1. Launch the GPMC (Start, Run, gpmc.msc).
   
2. Expand the Forest container.
   
3. Expand the Domains container.
   
4. Expand the Domain Object that holds the GPO you are interested in.
   
5. Expand Group Policy Objects.
   
6. Right-click the GPO in question and choose Backup.
   
7. Browse to the location where you want to store the backed up GPO and enter a description. Click Back Up.
   
8. When the backup is completed, click OK.

To restore a GPO with the GPMC, follow these steps:

1. Launch the GPMC (Start, Run, gpmc.msc).
   
2. Expand the Forest container.
   
3. Expand the Domains container.
   
4. Expand the Domain Object that holds the GPO you are interested in.
   
5. Expand Group Policy Objects.
   
6. Right-click the GPO in question and choose Restore from Backup.
   
7. When the wizard launches, click Next.
   
8. Browse to the location of the backup and click Next.
   
9. Choose the backup you want to restore (Note: this is where entering a description was helpful) and click Next.
   
10. Click Finish and the restore will begin.
    
11. When the restore has completed successfully, click OK.

Figure 22.2

Creating a New GPO in the GPMC

The GPMC is the logical place to create new GPOs. Generally speaking, the creation of a GPO should coincide with the desire to automate some specific configuration across multiple machines. This means that the person creating the GPO should already know what settings to assign to a given GPO.

To create a new GPO, follow these steps:

1. Launch the GPMC (Start, Run, gpmc.msc).
   
2. Expand the Forest container.
   
3. Expand the Domain container.
   
4. Expand the Domain Object that holds the GPO you are interested in.
   
5. Right-click Group Policy Objects and choose New.
   
6. Enter the name of the GPO you want to create (use a descriptive name) and click OK.

This will create a new, empty GPO in the management console. To modify settings within the GPO, you need to use the GPO Editor. Right-clicking the new GPO and choosing Edit will launch the GPO Editor.

Using the GPO Editor

The GPO Editor that is triggered via the GPMC is the same editor originally used since Windows 2000. Not much has changed. The editor expresses the GPO in two sections, Computer and User settings, as shown in Figure 22.3. Although an administrator can set both user and computer settings in the same GPO, it is considered a best practice to limit a given GPO to either User or Computer settings. This is related to the way GPOs are linked and is discussed in more detail later in this chapter.

Figure 22.3

The editor allows the administrator to browse through the available configuration settings in a graphic format. For example, you could expand User Configuration, Administrative Templates, System, and Windows HotStart to have the ability to turn off Windows HotStart. Because this is a new GPO setting, you might wonder what Windows HotStart is. By selecting Turn Off Windows HotStart, you will see that an explanation of the setting has appeared to the left of the setting. To save space in the window, you could click the Standard tab at the bottom of the screen. To get the explanation back, click the tab labeled Extended.

GROUP POLICY BASICS FOR WINDOWS VISTA

 Home: Introduction
 Tip 1: A basic primer on Microsoft Group Policy
 Tip 2: How to configure GPOs
 Tip 3: What's new with Vista Group Policy?
 Tip 4: How to manage GPOs
 Tip 5: Troubleshooting GPOs for Vista
 Tip 6: Group Policy best practices
ADVANCED GROUP POLICY FOR WINDOWS VISTA
 Home: Introduction
 Tip 1: Which GPOs are available
 Tip 2: Further understanding GPOs in Vista
 Tip 3: Examples of useful GPOs in Vista
 Tip 4: Moving policies between domains
 Tip 5: Recommended practices with Vista Group Policy