It’s true that creating and applying a policy can be relatively easy to do. However, over time, ways have developed to manipulate policies: to alter the way they apply, to change the order in which they apply, and even to remove all or part of their application. In this section we will discuss the following alterations:
Raise or Lower the Link Order
Within each level of Group Policy application (site, domain, OU) there is a ranking, the link order, that sets the precedence in which policies are applied. For example, in Figure 1 you can see two policies applied to the New York OU. One says No Screensaver Tab, and the other says Include the Screensaver Tab. Which will be applied?
The links are processed from the highest-numbered link to the lowest: number 2 is processed first and then number 1, and the policy processed last wins. In this case, the No Screensaver Tab policy will win the conflict.
If two policies within the same level contain values for the same setting, the link order decides which one takes precedence. Therefore, if you look at the options to the left of the table, you see that you can alter the link order to ensure that the policy you want applied last (the one you want to win) is number 1, or at least higher in the order than the policy it must override.
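The same check and change done with the GroupPolicy PowerShell module, as an added example that is not part of the original text; the OU path OU=New York,DC=example,DC=com and the two GPO names are assumptions:

```powershell
# Added example; assumes the RSAT GroupPolicy module and an OU named "New York"
# in the domain example.com (both assumptions, not from the original text).
Import-Module GroupPolicy

$ou = "OU=New York,DC=example,DC=com"

# Return the links on a container sorted by link order. Order 1 is processed
# last, so it wins any conflict on a setting that more than one linked GPO defines.
function Get-OuLinkOrder {
    param([string]$Target)
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

"Before:"
Get-OuLinkOrder -Target $ou | Format-Table -AutoSize

# Move "No Screensaver Tab" to link order 1 so it is applied last and wins
# over "Include the Screensaver Tab" for the screensaver-tab setting.
Set-GPLink -Name "No Screensaver Tab" -Target $ou -Order 1

"After:"
Get-OuLinkOrder -Target $ou | Format-Table -AutoSize

# The link in position 1 decides any setting the directly linked GPOs disagree on.
$winner = (Get-OuLinkOrder -Target $ou | Where-Object Order -eq 1).DisplayName
"Winning link on $ou : $winner"
```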
Disable a Policy
There are many reasons you might want to disable a GPO. Perhaps you are troubleshooting or reorganizing your policy settings. Whatever the case, there are multiple ways to disable (without deleting) a GPO.
One way is to disable it at the level where you are having difficulty. For example, if you have a policy that is applied to multiple OUs, but only one OU is having trouble, you can disable it for that OU by performing the following steps:
1. In the Group Policy Management tool, locate the OU where you want to disable the policy. Right-click the policy.
2. Note the checkmark next to Link Enabled. Click Link Enabled to remove that checkmark.
3. That policy, although still linked to the OU, is now disabled for that OU. The icon now appears slightly dulled.
If you want to disable a policy at the GPO level (which affects every place that policy is linked), perform the following steps:
1. In the Group Policy Management tool, locate the Group Policy Objects container under the domain.
2. Locate and right-click the policy.
3. Hover over GPO Status and select the option All Settings Disabled. The icon now appears dulled.
Disable Half a Policy
Every policy adds a slight amount of processing overhead during bootup and logon. Therefore, if you have a policy that contains only user configuration settings, you might want to disable the computer configuration portion of the policy. That might save a tiny amount of processing time for that policy.
To disable half a policy, perform the following steps:
1. In the Group Policy Management tool, locate the Group Policy Objects container under the domain.
2. Locate and right-click the policy.
3. Hover over GPO Status and, under the option All Settings Disabled, select one of the following options, depending on your needs:
Note
Be warned here. You gain only a minor performance increase by disabling half a policy. If, after you disable half a policy, you forget that you’ve done so and have to figure out why a policy you reconfigure isn’t applying, you will have a frustrating search on your hands. Use this feature sparingly, and don’t forget to document your settings.
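The three ways of disabling described above, plus the inventory the Note asks you to keep, as an added PowerShell example that is not part of the original text; the GPO name and OU path are assumptions:

```powershell
# Added example; GPO name and OU path are assumptions, not from the original text.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou  = "OU=New York,DC=example,DC=com"
$gpo = "Screensaver Settings"

# 1. Disable only this OU's link. The GPO stays linked and enabled everywhere else.
Set-GPLink -Name $gpo -Target $ou -LinkEnabled No

# 2. Disable the whole GPO: every link in the domain stops applying it.
(Get-GPO -Name $gpo).GpoStatus = "AllSettingsDisabled"

# 3. Disable half: for a GPO that only carries user settings, switch off the
#    computer side. Valid values are AllSettingsEnabled, AllSettingsDisabled,
#    UserSettingsDisabled and ComputerSettingsDisabled.
(Get-GPO -Name $gpo).GpoStatus = "ComputerSettingsDisabled"

# The check the Note calls for: every GPO that is not fully enabled and every
# disabled link, so a forgotten half-disabled GPO is found in seconds rather
# than during a long troubleshooting session.
function Get-DisabledPolicyState {
    $gpos = Get-GPO -All |
        Where-Object { $_.GpoStatus -ne "AllSettingsEnabled" } |
        ForEach-Object { [pscustomobject]@{ Kind = "GPO"; Name = $_.DisplayName; State = [string]$_.GpoStatus; Where = "" } }
    $links = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks |
            Where-Object { -not $_.Enabled } |
            ForEach-Object { [pscustomobject]@{ Kind = "Link"; Name = $_.DisplayName; State = "LinkDisabled"; Where = $_.Target } }
    }
    @($gpos) + @($links)
}
Get-DisabledPolicyState | Format-Table -AutoSize
```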
Delete a Link or a Policy
To delete a policy, you can right-click it and click Delete, but depending on where you do this, you will have different results. For example, if you right-click an applied policy within an OU (you can tell it is applied because it has a little shortcut arrow in the bottom corner that you do not see in the Group Policy Objects container) and then click Delete, you will receive the message “Do you want to delete this link? This will not delete the GPO itself.” On the other hand, if you select a policy directly from the Group Policy Objects container, right-click it, and choose Delete, the message you receive is “Do you want to delete this GPO and all links to it in this domain? This will not delete links in other domains.”
Note
Because you are deleting a GPO that may be linked to other parts of your domain, you should take a look at the Scope tab for the policy first and note the other sites, domains, and OUs that have it linked, so you can inform any other administrators that you are deleting this policy before you do it.
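The Scope-tab check and the two kinds of deletion in script form, as an added example that is not part of the original text; the GPO name, OU path and backup folder are assumptions:

```powershell
# Added example; the GPO name, OU path and backup path are assumptions.
Import-Module GroupPolicy

$gpoName = "Screensaver Settings"

# The Scope tab as a script: every site, domain and OU in this domain that
# links the GPO. Run it first so other administrators can be told what disappears.
function Get-GpoLinkInventory {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    # LinksTo is absent from the report when the GPO is not linked anywhere.
    @($report.GPO.LinksTo) | Where-Object { $_ } |
        Select-Object SOMName, SOMPath, Enabled, NoOverride
}

$links = Get-GpoLinkInventory -Name $gpoName
"$gpoName is linked in $(@($links).Count) place(s):"
$links | Format-Table -AutoSize

# Deleting a link: the GPO itself remains in the Group Policy Objects container.
Remove-GPLink -Name $gpoName -Target "OU=New York,DC=example,DC=com"

# Deleting the GPO removes it and all of its links in this domain; links in other
# domains are left behind, exactly as the dialog warns. Back it up first so the
# deletion can be reversed with Restore-GPO if it turns out to be a mistake.
$backup = Backup-GPO -Name $gpoName -Path "C:\GPO-Backups"
"Backup Id: $($backup.Id)"
Remove-GPO -Name $gpoName
```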
Block Inheritance
While the typical method of policy application flows from sites to domains to OUs, and so forth, there may be times when you want to block a policy from being applied. You can use the setting Block Inheritance to block GPOs and their policies from applying down to areas you feel are not applicable.
To accomplish this, you locate the OU (or domain, if you are seeking to block from the site level), right-click, and select Block Inheritance. The OU now has a blue circle with a white exclamation point. This setting will block all policies from above from applying to the OU. Now only the policies applied to that OU will apply. However, there is a way for administrators with greater power to enforce their policies and trump your block inheritance. Read on.
Enforce a Policy
Any time an administrator wants to ensure that a policy is absolutely applied down the food chain, regardless of Block Inheritance settings, the policy can be enforced by using the Enforced option.
Note
In first-release versions of Group Policy with Windows 2000, Enforced was called No Override.
Enforcing policy settings is quite simple: you right-click the GPO link (so you won’t find this in the Group Policy Objects container, but on the links within an OU, or at the domain or site level, where the policies are actually linked) and then choose Enforced. Note that the link icon changes slightly, to reveal a little lock.
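Block Inheritance and Enforced set from PowerShell, followed by the verification and a domain-wide report of both settings, as an added example that is not part of the original text; the OU, domain and GPO names are assumptions:

```powershell
# Added example; OU path, domain DN and GPO name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou       = "OU=New York,DC=example,DC=com"
$domainDn = "DC=example,DC=com"
$gpo      = "Corporate Security Baseline"   # assumed GPO linked at the domain level

# Block Inheritance on the OU: from now on only GPOs linked directly to it apply.
Set-GPInheritance -Target $ou -IsBlocked Yes

# Enforce the domain-level link so it still reaches the OU through the block.
Set-GPLink -Name $gpo -Target $domainDn -Enforced Yes

# Verify. InheritedGpoLinks is what actually applies to the OU once blocking and
# enforcement are taken into account; the enforced domain link must still be listed.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on $ou : $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize

# Block Inheritance and Enforced are the two settings that silently change which
# policy wins, so report every container that blocks and every enforced link.
function Get-GpoPrecedenceOverrides {
    # gPOptions bit 1 on a container is Block Inheritance.
    $blocked = Get-ADOrganizationalUnit -LDAPFilter "(gPOptions=1)" |
        ForEach-Object { [pscustomobject]@{ Kind = "BlockInheritance"; Where = $_.DistinguishedName; Gpo = "" } }
    # Enforced links can sit on the domain as well as on OUs, so check both.
    $containers = @($domainDn) + @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
    $enforced = $containers | ForEach-Object {
        (Get-GPInheritance -Target $_).GpoLinks |
            Where-Object { $_.Enforced } |
            ForEach-Object { [pscustomobject]@{ Kind = "Enforced"; Where = $_.Target; Gpo = $_.DisplayName } }
    }
    @($blocked) + @($enforced)
}
Get-GpoPrecedenceOverrides | Format-Table -AutoSize
```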
Filter GPO Application
There are several ways to alter the application of a GPO. While turning off the user or computer configuration options may alter the way the policy is applied to a site, domain, or OU (as do the Block Inheritance and Enforced options), it does not change which persons or computers within a site, domain, or OU have the policy applied to them.
For example, if a group of settings among multiple policies are added up and applied to an OU that has 100 people in it, all 100 will typically have those policies applied.
Now, one way to filter this is by using the Security Filtering settings. When you select a policy in the Group Policy Management tool, you see in the Security Filtering portion of the Scope tab (shown in Figure 2) that the default setting is to apply the policy to Authenticated Users.
If you wanted certain persons or computers but not others to have the policy applied, you can create different groups and then add those persons/computers to the groups. You can then remove Authenticated Users by clicking Remove and add in the security groups you have created that you want those policies applied to.
Note
Technically, you cannot attach a GPO to a group. However, you can attach it to an OU and then use security filtering to attach it to a group that is in the OU.
Now, this method certainly provides a way to apply policies only to those you want, but you might want to drill down a little deeper and not have a policy apply to someone in the group to which you just applied the policy. You could remove this person from the group, but that might cause other problems. So, how would you alter individuals or groups of individuals who seem locked in to receive this policy?
The key is knowing what is going on under the hood with the GPO. Users who have the policy applied to them have two permission settings that are explicitly set: Allow Read and Apply Group Policy. These two settings are absolutely necessary if you want the policy applied to the group. You can explicitly deny those abilities to an individual in a group that has the permissions, and this Deny setting will override anything else. You can do this for multiple persons or create a group and deny the group those permissions.
To access these options for the policy, you select the Delegation tab from within the Group Policy Management tool. Imagine, in this scenario, that you have created special groups to which to apply the policy, and you have removed the Authenticated Users group from the security filtering options. At this point, you need to select the Delegation tab and add the user or group to which you want to explicitly deny access to the policy settings.
In the Delegation tab, click Add, enter the object name to include, and click OK. When it is included, select the object and click Advanced. You now see the security settings over that object. You can purposely select Deny for both the ‘Read’ and ‘Apply Group Policy’ settings.
With the Deny setting chosen, those persons or groups with the Deny setting will be passed over during the security check for policy application, because Deny takes precedence over everything else.
Note
You have just learned two different approaches to filtering GPOs from application. One is to apply a GPO through security filtering so that only those you approve apply the policy. The other is to deny the application to those you don’t want the policy applied to. The real difference between the two methods appears when you are tracking a problem. The security filter easily shows you who has it applied, and that should be enough, unless you use the Deny feature. In that case, you have to go to the Delegation tab and click Advanced on every object in the tab to find out if any have the Deny setting on. So it just depends on how methodical you want to be when creating and applying policies in the first place. The preferred, recommended, and cleaner method is the first one: applying a GPO through security filtering.
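Security filtering in script form, plus the audit the Note describes (finding every Deny on every GPO without clicking Advanced on each object), as an added example that is not part of the original text; the GPO name and the custom group name are assumptions:

```powershell
# Added example; GPO name and group name are assumptions, not from the original text.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = "Screensaver Settings"
$group   = "GPO-Screensaver-Users"   # assumed custom security group holding the intended users

# Security filtering (the preferred method): grant Read + Apply to the custom group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply
# Authenticated Users loses Apply but keeps Read. Since MS16-072 (June 2016) the
# computer account reads user GPOs, so removing Read entirely stops the GPO applying at all.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace

# Who is filtered in: every trustee granted Apply Group Policy on this GPO.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission

# The Deny method leaves no trace in the Scope tab. This audit reads the DACL of
# every GPO's AD object and reports each Deny entry, flagging the ones that deny
# the Apply-Group-Policy extended right (well-known rights GUID below).
$applyGroupPolicy = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
function Find-GpoDenyAce {
    Get-GPO -All | ForEach-Object {
        $g = $_
        (Get-Acl -Path ("AD:\" + $g.Path)).Access |
            Where-Object { $_.AccessControlType -eq "Deny" } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO         = $g.DisplayName
                    Trustee     = $_.IdentityReference.Value
                    Rights      = [string]$_.ActiveDirectoryRights
                    DeniesApply = ($_.ObjectType -eq $applyGroupPolicy)
                }
            }
    }
}
Find-GpoDenyAce | Format-Table -AutoSize
```

A Deny on Read shows up as a Deny entry whose Rights include a read right with DeniesApply false; either kind is worth documenting next to the GPO so it is not rediscovered during troubleshooting.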