Pau Lo
asked on
group policy management console
In group policy management console – can anyone tell me (in words that a newbie to GP will understand) – if I highlight an OU in the left pane, in the right pane, I see 3 tabs. One is “linked group policy objects”, second is “group policy inheritance” and 3rd is delegation.
Can you tell me what they represent? And is the number order of interest. For example, I have 1-6 entries in linked GP objects, and 15 GP objects in group policy inheritance.
Your assistance much appreciated as ever.
Finally, what does the blue exclamation mark next to an OU or container in GPMC represent? Some of our OU’s have a blue exclamation mark next to them and others don’t? What does this represent?
ASKER
Ok thanks -
in the left pane of GPMC - If I expand our domain I see all OU's and container, and then the bottom two folders are "group policy objects" and WMI filters.
If I expand group policy objects - is this a list of ALL GPO's in our environment?
Yes, this will show you all the objects. Whatever is there is linked above. If you delete the link the GPO is not deleted, but if you delete the GPO the link gets deleted too.
Here please read this:
http://technet.microsoft.com/en-us/library/bb742376.aspx
& ask what is not clear, we are here to help.
This is for 2008 R2, since I don't know your environment:
http://technet.microsoft.com/en-us/library/cc753298.aspx
ASKER CERTIFIED SOLUTION
1) Linked Policy Objects
This tab shows you only directly attached GPO links for that OU
2) Group Policy Inheritance
Shows all policies which are inherited from parent OUs or Site or Domain and those directly attached. You will see there in which order they are applied
3) Delegation tab
It's used for ACL management of GPO object (simply known as GPO Filtering)
Blue exclamation mark tells you that GPOs are not inherited. Inheritance is disabled. However, when GPO link has option "Enforce" then blocking inheritance is omitted. When you enforce any policy it's applied even though inheritance is blocked.
Krzysztof
ASKER
Thanks so far.
If I go through a sample departmental OU (FINANCE) I might be able to better grasp it.
I want to know what policies are actually being applied to users/machines in this area.
We have finance OU – in Linked GP objects it shows:
| Link Order | GPO | Enforced | Link Enabled | GPO Status | WMI Filter | Modified | Domain |
|---|---|---|---|---|---|---|---|
| 1 | Name A | Yes | Yes | Enabled | None | removed | removed.net |
| 2 | Name B | No | Yes | User configuration settings disabled | None | removed | removed.net |
| 3 | WSUS | No | Yes | User configuration settings disabled | None | removed | removed.net |
| 4 | Outlook | No | Yes | Computer configuration settings disabled | None | removed | removed.net |
| 5 | Name E | No | Yes | | | removed | removed.net |
| 6 | PrintJobs | No | Yes | Computer configuration settings disabled | None | removed | removed.net |
On the linked group policy objects tab:
| Precedence | GPO | Location | GPO Status | WMI Filter |
|---|---|---|---|---|
| 1 (Enforced) | Name A | Finance | Enabled | None |
| 2 | Name B | Finance | User configuration settings disabled | None |
| 3 | WSUS | Finance | User configuration settings disabled | None |
| 4 | Outlook | Finance | Computer configuration settings disabled | None |
| 5 | Name E | Finance | | |
| 6 | PrintJobs | Finance | Computer configuration settings disabled | None |
| 7 | F | removed.net | User configuration settings disabled | None |
| 8 | G | removed.net | User configuration settings disabled | None |
| 9 | H | removed.net | Computer configuration settings disabled | None |
| 10 | I | removed.net | All settings disabled | None |
| 11 | J | removed.net | All settings disabled | None |
| 12 | K | removed.net | Enabled | None |
| 13 | L | removed.net | Enabled | None |
| 14 | M | removed.net | Computer configuration settings disabled | None |
| 15 | N | removed.net | User configuration settings disabled | None |
Which ones exactly are being applied? And why would there be so many?
Why would Name A be enforced and be number as opposed to say number 15 in the list?
Are all of these GPO’s being applied, but some may have the same parameter configured in each – thus number one overrides the same parameter setting lower down the order?
Why not just have 1 GPO for everything as opposed to what seems 15 being applied to this finance OU?
Go to a client & run this:
gpresult /v > c:\result.txt
U will get result.txt in c drive & will tell u what u want.
To get to know which GPO settings are applied you need to use "Group Policy Results" wizard in GPMC console or RSoP on workstation.
In GPMC you will see only GPO links and order of application. In case of settings collision you need to know the mechanism to be sure how they're applied. Much easier and faster is to use the mentioned "Group Policy Results" wizard or RSoP or gpresult /z in command-line
More about Group Policy processing and precedence at
http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx
Krzysztof
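The checks described in the answers above (directly linked GPOs, inheritance order, Block Inheritance versus Enforced, and a Group Policy Results report), as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module that ships with GPMC/RSAT; the OU distinguished name, computer name, user name and report path are placeholders.

```powershell
# Added example (not from the thread). Needs the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

# Placeholders (assumptions): replace with your own OU, client, user and path.
$ouDn     = 'OU=Finance,DC=example,DC=net'
$computer = 'FIN-PC01'
$user     = 'EXAMPLE\jsmith'
$report   = 'C:\Temp\finance-rsop.html'

# Columns GPMC shows for a link, plus the GPO status read from the GPO itself.
$columns = @(
    @{ Name = 'Order';       Expression = { $_.Order } },
    @{ Name = 'GPO';         Expression = { $_.DisplayName } },
    @{ Name = 'Enforced';    Expression = { $_.Enforced } },
    @{ Name = 'LinkEnabled'; Expression = { $_.Enabled } },
    @{ Name = 'LinkedAt';    Expression = { $_.Target } },
    @{ Name = 'GpoStatus';   Expression = { (Get-GPO -Guid $_.GpoId).GpoStatus } }
)

$som = Get-GPInheritance -Target $ouDn

# "Linked Group Policy Objects" tab: links attached directly to this OU.
"Direct links on $($som.Path):"
$som.GpoLinks | Select-Object $columns | Format-Table -AutoSize

# "Group Policy Inheritance" tab: direct plus inherited links, 1 = wins conflicts.
"Effective precedence on $($som.Path):"
$som.InheritedGpoLinks | Select-Object $columns | Format-Table -AutoSize

# Blue exclamation mark in GPMC: Block Inheritance is set on the OU.
# Links from parent containers that still show up are there because
# they are Enforced, which overrides the block.
if ($som.GpoInheritanceBlocked) {
    "Block Inheritance is ON. Parent links that still apply (Enforced):"
    $som.InheritedGpoLinks |
        Where-Object { $_.Target -ne $som.Path } |
        Select-Object $columns | Format-Table -AutoSize
}

# Same data as the "Group Policy Results" wizard: what was actually applied
# to this user on this computer, including which GPO won each setting.
Get-GPResultantSetOfPolicy -Computer $computer -User $user `
    -ReportType Html -Path $report
```

The link lists only show what is in scope and in what order; the RSoP report is the place to confirm which GPOs were actually applied or filtered out for a given user and machine.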
In regards to why there are so many.
Sometimes as an administrator I create separate group policies to separate certain functions. Like I would create a firewall group policy whose only job is to set up firewall exceptions.
It's easier on the eye when you're just dealing with one part of it at a time.
Another reason is you may have two policies on the same OU which do two separate things for the same part of group policy. For example, you may not allow access to network shares on one policy and the other policy only blocks one network share. You then assign deny, permit permissions in the delegations part so that certain users get one policy and certain users get the other.
Hi,
do you need more detailed information in that topic or maybe you have some new ?
Krzysztof
ASKER
Would you be willing to critique applied permissions on my machine vs general best practice in terms of security in a medium security enterprise? I know the usual "it depends on your organisation" comes into it but just perhaps if I post rsop screenshots up you can check nothing really major is missing?
You may send screen shots into my e-mail at kpytko at go2 dot pl
and I will check them
Krzysztof
ASKER
Will do early tomorrow, many thanks
It would be fine if u cud post screenshots here, only if u don't mind.
Any other help required in this topic, pma111 ? Thanks in advance for the answer.
Krzysztof
ASKER
Will get screenshots for your feedback to you asap just offsite at min
ASKER
emailing them through now isiek
would you mind posting them here?
ASKER
Would rather not but could email them if you wanted...
Sure:
bill.clinton@me.com
http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx