Solved

group policy management console

Posted on 2011-09-27
Last Modified: 2012-05-12
In group policy management console – can anyone tell me (in words that a newbie to GP will understand) – if I highlight an OU in the left pane, in the right pane I see 3 tabs. One is “linked group policy objects”, second is “group policy inheritance” and 3rd is delegation.

Can you tell me what they represent? And is the number order of interest. For example, I have 1-6 entries in linked GP objects, and 15 GP objects in group policy inheritance.

Your assistance much appreciated as ever.

Finally, what does the blue exclamation mark next to an OU or container in GPMC represent? Some of our OU’s have a blue exclamation mark next to them and others don’t? What does this represent?
Question by:pma111
25 Comments
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 100 total points
ID: 36708837
Linked Group Policy Objects: This tells you what all GPO's are linked to this OU
Group Policy Inheritance: This tells you what all is coming to the OU from above, like Domain.
Delegation: This will let you delegate the policy, like to whom should it be applied or denied.

When you see the levels 1-6, it's like a countdown: that means whatever is at no. 1 will always win in case of conflict.

Blue exclamation means that inheritance is blocked, that is nothing from above can be applied to this OU; however if something is enforced at a top level it will definitely be applied even if block inheritance is enabled.

Does that clear?
A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708841
0
 
LVL 4

Assisted Solution

by:mustang83
mustang83 earned 100 total points
ID: 36708849
Ok.

Linked group policy objects = group policies that are attached at that location and will filter down to the sub-organisation objects in the highlighted OU.

Group policy Inheritance - Is inherited group policies taken from parent OUs or the domain.

Delegation - Essentially permissions for all the linked group policies at the current location. You could for example deny access to all group policies at that location for a group or user.

The numbers are in order of relevance. Number 1 will be assigned first followed by 2nd etc.

The blue exclamation mark means that the OU is blocking inheritance from its parent OU. Which means it will not inherit any policies from above.


Group policies are a minefield. Take your time learning them before you start doing anything; you can severely disrupt your network.

0
 
LVL 3

Author Comment

by:pma111
ID: 36708880
Ok thanks -

in the left pane of GPMC - If I expand our domain I see all OU's and container, and then the bottom two folders are "group policy objects" and WMI filters.

If I expand group policy objects - is this a list of ALL GPO's in our environment?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708950
Yes, this will show you all the objects. Whatever is there is linked above. If you delete the link the GPO is not deleted, but if you delete the GPO the link gets deleted too.

A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708953
Here please read this:
http://technet.microsoft.com/en-us/library/bb742376.aspx

& ask what is not clear, we are here to help.
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36708961
This is for 2008 R2, since I don't know your environment:
http://technet.microsoft.com/en-us/library/cc753298.aspx
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 200 total points
ID: 36708965
Group Policy Objects has all GPOs within a domain, right. Each OU which you can see has only a GPO link. When you remove a GPO link from an OU you don't delete the GPO at all (it only removes the link from the OU). If you want to delete a GPO you need to do that in the Group Policy Objects node.

WMI has all filtering for applying to a particular OS (i.e. you can use a WMI filter to apply a GPO only to XP clients).

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36709015
1) Linked Policy Objects
This tab shows you only directly attached GPO links for that OU

2) Group Policy Inheritance
Shows all policies which are inherited from parent OUs or Site or Domain and those directly attached. You will see there in which order they are applied

3) Delegation tab
It's used for ACL management of the GPO object (simply known as GPO Filtering)

Blue exclamation mark tells you that GPOs are not inherited. Inheritance is disabled. However, when a GPO link has the option "Enforce" then blocking inheritance is omitted. When you enforce any policy it's applied even though inheritance is blocked.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36709195
Thanks so far.

If I go through a sample departmental OU (FINANCE) I might be able to better grasp it.

I want to know what policies are actually being applied to users/machines in this area.

We have finance OU – in Linked GP objects it shows:

Link Order       GPO       Enforced       Link Enabled       GPO Status       WMI Filter       Modified       Domain
 1       Name A       Yes        Yes        Enabled        None       removed       removed.net
 2       Name B       No        Yes        User configuration settings disabled        None       removed       removed.net
 3        WSUS        No        Yes        User configuration settings disabled        None       removed       removed.net
 4        Outlook        No        Yes        Computer configuration settings disabled        None       removed       removed.net
 5        Name E        No        Yes                        removed       removed.net
 6        PrintJobs        No        Yes        Computer configuration settings disabled        None       removed       removed.net

On the linked group policy objects tab:

Precedence       GPO       Location       GPO Status       WMI Filter
     1  (Enforced)       Name A       Finance        Enabled        None
     2       Name B       Finance        User configuration settings disabled        None
     3        WSUS        Finance        User configuration settings disabled        None
     4        Outlook        Finance        Computer configuration settings disabled        None
     5        Name E        Finance                
     6        PrintJobs       Finance        Computer configuration settings disabled        None
     7       F       removed.net        User configuration settings disabled        None
     8       G       removed.net        User configuration settings disabled        None
     9       H       removed.net        Computer configuration settings disabled        None
    10       I       removed.net        All settings disabled        None
    11       J       removed.net        All settings disabled        None
    12       K       removed.net        Enabled        None
    13       L       removed.net        Enabled        None
    14       M       removed.net        Computer configuration settings disabled        None
    15       N       removed.net        User configuration settings disabled        None

Which ones exactly are being applied? And why would there be so many?

Why would Name A be enforced and be number as opposed to say number 15 in the list?

Are all of these GPO’s being applied, but some may have the same parameter configured in each – thus number one overrides the same parameter setting lower down the order?

Why not just have 1 GPO for everything as opposed to what seems 15 being applied to this finance OU?
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36709219
Go to a client & run this:
gpresult /v > c:\result.txt

U will get result.txt in c drive & will tell u what u want.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36709231
To find out which GPO settings are applied you need to use the "Group Policy Results" wizard in the GPMC console or RSoP on the workstation.
In GPMC you will see only GPO links and the order of application. In case of a settings collision you need to know the mechanism to be sure how they're applied. It is much easier and faster to use the mentioned "Group Policy Results" wizard or RSoP or gpresult /z in the command line

More about Group Policy processing and precedence at
http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx

Krzysztof
0
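As an added illustration (not code from the thread), the following model reproduces the ordering GPMC shows on the Group Policy Inheritance tab from the link orders, Enforced flags and Block Inheritance state, and applies the "first in precedence wins" rule on a conflict. The container and GPO names are taken from the Finance example above; the domain-level GPO "DomainLockdown" and the settings in the test are constructed.

```python
# Added model (not from the thread) of the order GPMC shows on the Inheritance tab; names constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class GpoLink:
    name: str
    order: int                 # Link Order on that container, 1 = highest
    enforced: bool = False
    enabled: bool = True       # the Link Enabled column

@dataclass
class Container:
    name: str
    links: List[GpoLink]
    block_inheritance: bool = False   # shown as the blue exclamation mark
    parent: Optional["Container"] = None

def inheritance_tab(target: Container) -> List[str]:
    """GPO names as the Inheritance tab lists them, precedence 1 first."""
    chain, c = [], target
    while c is not None:
        chain.append(c)
        c = c.parent
    ordered = lambda links: sorted(links, key=lambda l: l.order)
    # Enforced links come first; the highest container's enforced link wins outright.
    result = [l.name for c in reversed(chain)
              for l in ordered(c.links) if l.enabled and l.enforced]
    # Then non-enforced links, nearest container first, until a container with
    # Block Inheritance cuts off everything linked above it.
    for c in chain:
        result += [l.name for l in ordered(c.links) if l.enabled and not l.enforced]
        if c.block_inheritance:
            break
    return result

def effective_setting(precedence: List[str], settings: Dict[str, Dict[str, str]], key: str):
    # Conflict rule: the first GPO in precedence order that defines `key` wins.
    return next((settings[g][key] for g in precedence if key in settings.get(g, {})), None)

def finance_example(block: bool = False, domain_enforced: bool = False) -> List[str]:
    # Rebuilds the 15-entry list from the question; F..N stand in for the domain links.
    domain = Container("removed.net", [GpoLink(n, i + 1) for i, n in enumerate("FGHIJKLMN")])
    if domain_enforced:  # hypothetical enforced GPO linked at the domain
        domain.links.append(GpoLink("DomainLockdown", 10, enforced=True))
    finance = Container("Finance", [GpoLink("Name A", 1, enforced=True), GpoLink("Name B", 2),
                                    GpoLink("WSUS", 3), GpoLink("Outlook", 4), GpoLink("Name E", 5),
                                    GpoLink("PrintJobs", 6)], block_inheritance=block, parent=domain)
    return inheritance_tab(finance)
```

Blocking inheritance on Finance keeps only its own six links, while an enforced domain GPO would move to precedence 1 above "Name A"; the model shows the order only, so confirm what a given machine actually received with gpresult or the Group Policy Results wizard.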
 
LVL 4

Expert Comment

by:mustang83
ID: 36709403
In regards to why there are so many.

Sometimes as an administrator I create separate group policies to separate certain functions. Like I would create a firewall group policy whose only job is to set up firewall exceptions.

It's easier on the eye when you're just dealing with one part of it at a time.

Another reason is you may have two policies on the same OU which do two separate things for the same part of group policy. For example, you may not allow access to network shares in one policy and the other policy only blocks one network share. You then assign deny/permit permissions in the delegation part so that certain users get one policy and certain users get the other.
0
 

Assisted Solution

by:ntnkapoor
ntnkapoor earned 100 total points
ID: 36709980
Linked Group Policy Objects: This tells you what all GPO's are linked to this OU
Group Policy Inheritance: This tells you what all is coming to the OU from above, like Domain.
Delegation: This will let you delegate the policy, like to whom should it be applied or denied.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36715714
Hi,

do you need more detailed information on that topic or maybe you have some new questions?

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36715780
Would you be willing to critique applied permissions on my machine vs general best practice in terms of security in a medium security enterprise. I know the usual "it depends on your organisation" comes into it but just perhaps if I post rsop screenshots up you can check nothing really major is missing?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36715890
You may send screen shots into my e-mail at kpytko at go2 dot pl
and I will check them

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36715909
Will do early tomorrow, many thanks
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36715925
It would be fine if u cud post screenshots here, only if u don't mind.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36915784
Any other help required in this topic, pma111 ? Thanks in advance for the answer.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36915893
Will get screenshots for your feedback to you asap just offsite at min
0
 
LVL 3

Author Comment

by:pma111
ID: 36943838
emailing them through now isiek
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36944158
would you mind posting them here?
0
 
LVL 3

Author Comment

by:pma111
ID: 36948759
Would rather not but could email them if you wanted...
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36948782
Sure:
bill.clinton@me.com
0
