Examples of useful GPOs in Windows Vista

This excerpt from "Microsoft Windows Vista Management and Administration" takes a look at GPOs that can help admins deploy printers and standardize event logging on Vista clients.

This chapter excerpt from Microsoft Windows Vista Management and Administration, by Andrew Abbate, James Walker, Scott Chimner and Rand Morimoto, is printed with permission from Pearson Education, Copyright 2007.


Administrators who are relatively new to GPOs and Vista are likely wondering what GPOs other administrators are commonly configuring in their environments. This section will cover some of the more commonly used GPO settings and will walk you through the process of configuring them.

Example 1 -- Deployed Printers

One very common use of GPOs is to assign printers to users based on either group membership or the site they log in to. This allows an administrator to ensure that users have access to a local printer that is not only conveniently located but also enabled for their use. This prevents calls to the help desk for printer assignments and allows users to roam from office to office without interruption to their productivity.

How to Configure Deployed Printers

To properly deploy printers via Group Policy, a few prerequisites must be met. First, printers should be shared from a print server. This is done with the following steps:

  1. From a print server, click Start, Settings, Printers and Faxes.
  2. Click Add Printer.
  3. When the wizard launches, click Next.
  4. If you are going to host a networked printer (this is the most common scenario), choose Local Printer Attached to This Computer and click Next.
  5. Choose Create a New Port and change the drop-down to read Standard TCP/IP Port. Click Next.
  6. When the Printer Port Wizard launches, click Next.
  7. Type the IP address of the networked printer (for example, This will populate the Port name field for you. Click Next.
  8. When the printer is contacted, click Next.
  9. The Printer Port Wizard will display a summary of the port created. Click Finish.
  10. In the left pane, choose the manufacturer of the printer. In the right pane, choose the model of printer. Click Next.
  11. Type the name of the printer and click Next.
  12. Choose Share Name and type the name you want to use for sharing this printer. This is the name that users will see. Click Next.
  13. In the Location field, type a description of where the printer is located. This will help in cases where users want to "self-serve" a different printer. Type any necessary comments. Click Next.
  14. Choose Yes to print a test page. This will enable you to ensure that the driver and print configuration are correct. Click Next.
  15. Review the printer configuration and click Finish.

Now that network printers are available (assuming they didn't already exist), you can configure the Group Policy to deploy printers. From a Vista system, logged in with the rights necessary in the domain to create a GPO, perform the following steps:

  1. Click Start, Run, and type gpmc.msc.
  2. Expand Forest.
  3. Expand Domains.
  4. Expand the domain in which you will deploy the new GPO.
  5. Expand Group Policy Objects.
  6. Right-click and choose New.
  7. Type a name for the new GPO and click OK.
  8. Right-click the new GPO and choose Edit.
  9. Expand Computer Configuration.
  10. Expand Windows Settings.
  11. Right-click Deployed Printers and choose Deploy Printer.
  12. Click Browse, navigate to your print server, and click Select.
  13. Click the printer you want to deploy and click Select.
  14. Click Add to deploy the printer via GPO. You can add more than one printer. Click OK.
  15. Close the GPO Editor.

In this example, we are deploying a printer for the accounting department in Building 4 (see Figure 23.4). As such, we will link the GPO to the site "Building 4" and filter the GPO by the accounting group. This will result in only the Accounting users in Building 4 getting this printer deployed.

We will perform this filtering with the following steps:

  1. In the GPMC, expand Sites.
  2. If your sites aren't present, right-click and choose Show Sites, select all, and click OK.
  3. Right-click the site to which you want to link the Deploy Printers GPO and choose Link an Existing GPO.
  4. Select the GPO from the list and click OK.

    At this point, systems located on the site to which the GPO is linked will attempt to process the GPO at startup.

  5. Click the GPO linked to the site. You will receive a pop-up stating that you have selected a link rather than an actual GPO and that changes made here will affect the actual GPO. Click OK to accept this fact.
  6. In the Security Filtering window, in the lower-right pane, you will see Authenticated Users listed. This is the default.
  7. Click Authenticated Users and click Remove. Click Yes to confirm.
  8. Click Add.
  9. Type the name of the group you want to add. In this example, we'll add Accounting. Click Check Names and then click OK.

With this security filtering set, the GPO will apply only to accounting users located in the Building 4 site. Clever administrators can use this methodology to create multiple GPOs to account for all the sites and groups that they manage. In this way users can travel seamlessly between sites and get the printers that are most appropriate for their use.
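The same security filtering and site link can be scripted with the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later), as an added example that is not from the book. The GPO name, the Accounting group and the site distinguished name are constructed placeholders; unlike the GUI steps above, the script leaves Authenticated Users with Read rather than removing the group, so that computer accounts can still read the GPO while only Accounting members apply it.

```powershell
# Added example (not from the book): script the site link and security
# filtering described above with the GroupPolicy module (RSAT, 2008 R2+).
Import-Module GroupPolicy

$gpoName = 'Deploy Printers - Building 4'    # placeholder GPO name
$group   = 'Accounting'                      # placeholder domain group
# Placeholder site DN; confirm the real one in Active Directory Sites and Services.
$siteDn  = 'CN=Building 4,CN=Sites,CN=Configuration,DC=contoso,DC=com'

# 1. Authenticated Users: keep Read, drop Apply. -Replace is required because
#    Set-GPPermission will not lower an existing level without it. Computer
#    accounts need Read on a GPO to process it, so Read-only is the safer
#    equivalent of removing the group outright.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 2. Grant Read + Apply to the Accounting group only.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Link the GPO to the site (New-GPLink accepts a site, domain or OU DN).
New-GPLink -Name $gpoName -Target $siteDn -LinkEnabled Yes | Out-Null

# 4. Verify: only the intended trustee should hold GpoApply.
$applyHolders = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
Write-Output "Trustees with Apply on '$gpoName': $($applyHolders -join ', ')"
if ($applyHolders -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users can still apply this GPO; filtering is not in effect.'
}
```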

Figure 23.4

How to Test Whether a GPO Was Applied Correctly

Although most GPOs can be verified by simply checking the local settings to see if they've been applied, a more systematic method of testing is to query the workstation and see which GPOs it tried to apply.

Vista includes a command-line tool that many administrators may already be familiar with, called GPResult.exe. When GPResult.exe is run, the local system reports several things:

  • Computer OU membership
  • User OU membership
  • Computer site membership
  • Computer group memberships
  • User group memberships
  • Domain name and type
  • Domain controller that provided the GPOs
  • Applied Group Policies
  • Filtered Group Policies

By reviewing this data, you can quickly determine which GPOs were applied and which were filtered. This allows you to quickly troubleshoot GPOs that were not applied. Often this tool uncovers issues with security filtering, inheritance blocking, or replication of GPOs between domain controllers.
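The "Applied" and "filtered out" sections of the GPResult report can be turned into objects so that a script can assert the printer GPO applied and see why others did not. This is an added example, not from the book; the report text in $sample is a constructed excerpt that mirrors the real layout, and the GPO names in it are placeholders.

```powershell
# Added example (not from the book): parse the text report of "gpresult /r"
# into objects. $sample is a constructed excerpt that mirrors the real layout.
function ConvertFrom-GPResultText {
    param([Parameter(Mandatory)][string[]]$Lines)
    $out = New-Object System.Collections.Generic.List[object]
    $section = $null
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        $next = if ($i + 1 -lt $Lines.Count) { $Lines[$i + 1].Trim() } else { '' }
        if ($next -match '^-+$') {              # section headers are underlined
            $section = switch -Regex ($line) {
                '^Applied Group Policy Objects'        { 'Applied' }
                '^The following GPOs were not applied' { 'Filtered' }
                default                                { $null }
            }
            continue
        }
        if ($line -eq '' -or $line -match '^-+$' -or -not $section) { continue }
        if ($section -eq 'Applied') {
            $out.Add([pscustomobject]@{ GPO = $line; Status = 'Applied'; Reason = '' })
        } elseif ($next -match '^Filtering:\s*(.+)$') {
            $out.Add([pscustomobject]@{ GPO = $line; Status = 'Filtered'; Reason = $Matches[1] })
            $i++                                # skip the Filtering line just consumed
        }
    }
    return $out
}

# Constructed sample of the relevant part of a gpresult /r report.
$sample = @'
    COMPUTER SETTINGS
    ------------------
        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Deploy Printers - Building 4

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Event Log Standard - Clients
                Filtering:  Denied (Security)
'@ -split "`r?`n"

$report = ConvertFrom-GPResultText -Lines $sample
$report | Format-Table -AutoSize
# Live data instead of the sample: ConvertFrom-GPResultText -Lines (gpresult /r /scope:computer)
if (-not ($report | Where-Object { $_.GPO -eq 'Deploy Printers - Building 4' -and $_.Status -eq 'Applied' })) {
    Write-Warning 'Deploy Printers GPO was not applied; check its security filtering and link.'
}
```

A GPO reported under "Denied (Security)" is the signature of the security filtering set up in Example 1 excluding a user who expected the policy, which is the first thing to check when a printer does not appear.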

Example 2 -- Standardizing Event Logging on Vista Clients

One of the great things that can be done with GPOs is bringing systems into line with a corporate standard. A good example of this is using a GPO to enforce logging settings on all systems of a particular type. Servers might get one set of settings, domain controllers another, and clients yet another. Setting this via GPO ensures that any system joining the domain is brought to the expected standard without anyone having to remember to set it.

How to Configure Event Logging

To deploy a GPO that enforces Event Logging settings, perform the following steps from a Vista system logged in with the necessary rights to create a GPO:

  1. Click Start, Run, and type gpmc.msc.
  2. Expand Forest.
  3. Expand Domains.
  4. Expand the domain in which you will deploy the new GPO.
  5. Expand Group Policy Objects.
  6. Right-click and choose New.
  7. Type a name for the new GPO and click OK.
  8. Right-click the new GPO and choose Edit.
  9. Expand Computer Configuration.
  10. Expand Administrative Templates.
  11. Expand Windows Components.
  12. Expand Event Log Service.
  13. Click Application.
  14. In the right pane, double-click Maximum Log Size.
  15. Select Enabled, enter a Maximum Log Size, and then click OK.
  16. In the right pane, double-click Backup Log Automatically.
  17. Select Enabled and click OK.
  18. In the right pane, double-click Retain Old Events.
  19. Select Enabled and click OK.
  20. Repeat these steps for Security, Setup, and System.
  21. Close the Group Policy Editor.

Now that the settings have been standardized in the GPO, it is necessary to attach the GPO to the objects that should receive these settings. In this example, we'll assume that these settings should be applied to all client workstations but not servers.

In our sample Active Directory there is an OU named Managed_Computers, and all workstations have been placed under that container. An observant administrator might wonder why computers were not left in the default Computers container. The reason is that the Computers container is not an OU, which means that GPOs can't be linked directly to it. One could apply the GPO at the domain level and therefore affect all computers, but in this case we only want to affect workstations and not servers or domain controllers. Although one could place the servers in a container where inheritance is blocked, it is simpler and cleaner to put the workstations into their own OU, knowing that servers and domain controllers are likely to receive a different GPO that conforms their Event Log settings.

With the GPO built, it is ready to be linked and put into use. In this example, we'll assume that there are OUs below Managed_Computers where local administrators have been delegated full control over their OUs. We'll also assume that the chief information security officer has stated that it is company policy to retain 50MB event log files and that when the logs fill, they should be backed up and retained. As such, it is necessary to ensure that local administrators cannot prevent these log settings from affecting their computers. This can be accomplished with the following steps:

  1. Launch the GPMC (Start, Run, gpmc.msc).
  2. Expand the Forest container.
  3. Expand the Domains container.
  4. Browse to the OU to which you plan to link the GPO.
  5. Right-click the OU and choose Link an Existing GPO.
  6. Choose the GPO you want and click OK.
  7. Right-click the newly linked GPO in the right pane and select Enforced.
  8. When prompted, click OK to change the Enforced setting.

By setting the GPO to Enforced, the GPO will ignore any Block Policy Inheritance settings on an OU in the hierarchy. Generally speaking, you should only use the Enforced flag in situations where a GPO is being used to directly enforce written IT policies.
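Once the Enforced link is in place, a client can be audited against the standard described above (50MB logs, backed up when full, old events retained). This is an added example, not from the book; it reads the effective configuration with Get-WinEvent -ListLog, where the "Backup Log Automatically" and "Retain Old Events" policies surface as the AutoBackup log mode, and assumes it is run from an elevated prompt so the Security log's settings can be read.

```powershell
# Added example (not from the book): audit a Vista or later client against the
# event log standard above. Run elevated so the Security log can be inspected.
$maxKB = 51200                      # the book's 50MB standard, as the policy's KB value
$logs  = 'Application', 'Security', 'Setup', 'System'

function Test-EventLogStandard {
    param([string[]]$LogNames, [int]$MaximumKB)
    foreach ($name in $LogNames) {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        # "Backup Log Automatically" + "Retain Old Events" set via GPO show up as
        # LogMode AutoBackup; Circular means the policy did not reach this host.
        [pscustomobject]@{
            Log         = $name
            SizeKB      = [int]($log.MaximumSizeInBytes / 1KB)
            LogMode     = $log.LogMode
            SizeOK      = ($log.MaximumSizeInBytes -ge $MaximumKB * 1KB)
            RetentionOK = ($log.LogMode -eq 'AutoBackup')
        }
    }
}

$report = Test-EventLogStandard -LogNames $logs -MaximumKB $maxKB
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not ($_.SizeOK -and $_.RetentionOK) })
if ($drift.Count -gt 0) {
    $names = ($drift | ForEach-Object { $_.Log }) -join ', '
    Write-Warning "Logs not at standard: $names. Check gpresult /r for the Event Log GPO and Block Policy Inheritance on the OU."
    exit 1
}
Write-Output 'All four logs match the corporate event log standard.'
```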

