Although defining local GPOs provides positive control over single computers, the real power of Group Policy is in AD. Defining GPOs in AD gives you the ability to centralize security rules and control how Windows applies each rule. You create AD GPOs on a domain controller. Windows stores GPOs in AD in such a way that the domain controller automatically replicates the GPOs to other domain controllers. This feature reduces the workload of administrators. Using Group Policy in AD relieves the need to define security rules on multiple computers one at a time.
AD GPOs are created and managed with the Group Policy Management Console (GPMC) (FIGURE 6-6). The GPMC is installed by default on domain controllers and can be installed on member servers and workstations as part of the Remote Server Administration Tools (RSAT); in either case it operates on the GPOs stored in the domain, not on the local computer. When you edit a GPO from the GPMC, the Group Policy Management Editor that opens looks a lot like the Local Group Policy Editor, but the GPMC itself lets you do far more than create GPOs and maintain their settings. Here is a list of some of the actions you can perform in the GPMC:
Create and edit GPOs.
Import and export GPOs.
Copy and paste GPOs.
Back up and restore GPOs.
Search for GPOs.
Create reports on GPOs.
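The same actions are available from PowerShell through the GroupPolicy module that ships with the GPMC, which is how most administrators script them. The following is an added example, not code from the page; the domain name corp.domain.com, the GPO name, the registry value it sets, and the backup folder are all assumed for illustration.

```powershell
# Added example: the GPMC actions listed above, driven from the GroupPolicy module.
# Assumptions: domain corp.domain.com, GPO "Workstation Security Baseline",
# backup folder C:\GPOBackups. Run as an account allowed to create and edit GPOs.
Import-Module GroupPolicy

$domain    = 'corp.domain.com'               # assumption
$gpoName   = 'Workstation Security Baseline' # assumption
$backupDir = 'C:\GPOBackups'                 # assumption

# 1. Create. The GPO now exists under Group Policy Objects but, as the text
#    says, it applies to nothing until it is linked to a container.
$gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Baseline hardening for member workstations'

# 2. Edit: write a registry-based policy setting without opening the editor GUI.
#    This one disables the SMBv1 server; it appears under Administrative
#    Templates > Extra Registry Settings in reports.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 0 | Out-Null

# 3. Search: find GPOs by display name and show their GUID and status.
Get-GPO -All -Domain $domain |
    Where-Object DisplayName -like '*Baseline*' |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime

# 4. Back up (take a snapshot before every change) and restore.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Domain $domain -Path $backupDir -Comment 'Pre-change snapshot'
# To roll back to exactly that snapshot later:
# Restore-GPO -BackupId $backup.Id -Domain $domain -Path $backupDir

# 5. Copy within the domain, or import a backup into another domain.
Copy-GPO -SourceName $gpoName -TargetName "$gpoName - Copy" `
    -SourceDomain $domain -TargetDomain $domain | Out-Null
# Import-GPO -BackupId $backup.Id -Path $backupDir -TargetName 'Baseline (Lab)' `
#     -TargetDomain 'lab.domain.com' -CreateIfNeeded

# 6. Report: an HTML settings report is the fastest way to review what a GPO does.
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html `
    -Path (Join-Path $backupDir "$gpoName.html")
```

Backing up before editing matters more than it looks: the GPMC has no undo, and `Restore-GPO` against a known `BackupId` is the only reliable way to return a GPO to a previous state.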
Although there are multiple ways to create GPOs, the most common method is to create GPOs under the desired domain in the GPMC. New AD GPOs don’t actually do anything until you link them with some entity. You’ll learn about GPO linking later in this chapter.
Windows stores each AD GPO in two parts: an object in the AD database and a folder in the SYSVOL share, both of which replicate to every domain controller. A domain-joined computer retrieves the GPOs that apply to it when it starts up and connects to the domain (computer settings) and again when a user logs on with a domain account (user settings). The domain controller searches for the appropriate GPOs and sends them to the computer. Of course, the computer and user must first successfully authenticate to the domain controller. After that, every 90 minutes plus a random offset of up to 30 minutes (so every 90–120 minutes) the computer asks the domain controller whether any of its GPOs have changed. Each GPO carries a version number, so the domain controller sends only the new or updated GPOs, and the computer applies them. An administrator who does not want to wait for the next refresh can run gpupdate on the computer to trigger it immediately.
The domain controller stores the SYSVOL part of AD GPOs in a folder named Policies (FIGURE 6-7). Windows creates a Policies folder for each domain. For example, the full pathname for the Policies folder for a domain named corp.domain.com is: C:\Windows\SYSVOL\sysvol\corp.domain.com\Policies.
Windows stores each GPO in a subfolder under Policies. The name of each subfolder is the GUID of the GPO, written in braces. You can navigate to the GPO in Windows Explorer to see where Windows stores the GPO settings. Each GPO folder, or GPO shell, contains two subfolders named Machine and User, which hold the files for the GPO's computer-wide settings and its user-specific settings respectively. The GPO folder also contains a small gpt.ini file that records the GPO's version number; clients compare it with the version they last applied to decide whether the GPO has changed.
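To make the storage layout concrete, the following added example (not from the page) locates a GPO's folder in SYSVOL, lists its Machine and User parts, decodes the version in gpt.ini, and compares the SYSVOL version with the AD version before forcing a client refresh. The domain corp.domain.com and the GPO name are assumptions; the packing of the gpt.ini version (user version in the high 16 bits, machine version in the low 16 bits) is how Windows defines it.

```powershell
# Added example: inspect a GPO's SYSVOL folder and check that AD and SYSVOL agree.
# Assumptions: domain corp.domain.com, GPO "Workstation Security Baseline",
# run from a domain-joined machine with the GroupPolicy module installed.
Import-Module GroupPolicy

$domain  = 'corp.domain.com'               # assumption
$gpoName = 'Workstation Security Baseline' # assumption

$gpo = Get-GPO -Name $gpoName -Domain $domain

# The folder name is the GPO's GUID in braces. The UNC path works from any
# member; on the DC itself it is C:\Windows\SYSVOL\sysvol\<domain>\Policies\{GUID}.
$gpoFolder = "\\$domain\SYSVOL\$domain\Policies\$($gpo.Id.ToString('B'))"

# Everything under Machine\ and User\ is what clients actually download.
Get-ChildItem -Path $gpoFolder -Recurse -File |
    Select-Object @{ n = 'Part'; e = { $_.FullName.Substring($gpoFolder.Length + 1) } },
                  Length, LastWriteTime

# gpt.ini holds one Version value: user version in the high 16 bits,
# machine version in the low 16 bits.
$gptIni   = Get-Content -Path (Join-Path $gpoFolder 'gpt.ini')
$version  = [int](($gptIni | Where-Object { $_ -match '^Version=' }) -replace '^Version=', '')
$machineV = $version -band 0xFFFF
$userV    = $version -shr 16
"gpt.ini: Machine version $machineV, User version $userV"

# Get-GPO reports the AD (DSVersion) and SYSVOL (SysvolVersion) version of each
# half. They should match; a mismatch usually means replication has not caught
# up yet, or SYSVOL was edited outside the GPMC. Clients do not apply a GPO
# whose two halves disagree, which shows up as "policy not applied" reports.
[pscustomobject]@{
    MachineAD     = $gpo.Computer.DSVersion
    MachineSysvol = $gpo.Computer.SysvolVersion
    UserAD        = $gpo.User.DSVersion
    UserSysvol    = $gpo.User.SysvolVersion
}

# Clients refresh on their own every 90-120 minutes. To apply the change now
# and confirm which GPOs the computer actually received:
gpupdate /target:computer /force
gpresult /r /scope:computer
```

Checking `DSVersion` against `SysvolVersion` is the first thing to look at when a GPO "does not apply" on some machines but not others: the AD object and the SYSVOL folder replicate by different mechanisms, and a domain controller that has one but not the other will hand out an inconsistent GPO.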
Unlike local GPOs, AD GPOs do nothing until you link them to one or more containers. An AD container can be a site, a domain, or an OU. The Group Policy Objects section of the GPMC lists all defined GPOs. You can edit existing GPOs or add new GPOs. You must link GPOs to one or more sites, domains, or OUs to make the GPOs do anything (FIGURES 6-8 and 6-8A). A single GPO may be linked to multiple containers, and each container can have multiple GPOs linked to it. The easiest way to link a GPO to a container is from the context menu of the container.
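The linking step, as an added example rather than the page's own code: it links a GPO to an OU, adjusts the link, and then shows the two views a practitioner needs, every GPO linked to a container and every container a GPO is linked to. The domain corp.domain.com, the Workstations OU, and the GPO name are assumptions.

```powershell
# Added example: link a GPO to a container and inspect the links from both sides.
# Assumptions: domain corp.domain.com, OU "OU=Workstations,DC=corp,DC=domain,DC=com",
# GPO "Workstation Security Baseline" already created.
Import-Module GroupPolicy

$domain  = 'corp.domain.com'                           # assumption
$gpoName = 'Workstation Security Baseline'             # assumption
$ou      = 'OU=Workstations,DC=corp,DC=domain,DC=com'  # assumption

# Link the GPO to the OU. This is the moment it starts applying to the
# computers and users in that OU. Order 1 means it is processed last and
# therefore wins conflicts with other GPOs linked at the same container.
New-GPLink -Name $gpoName -Domain $domain -Target $ou -LinkEnabled Yes -Order 1

# The same GPO can also be linked to the domain root or to a site:
# New-GPLink -Name $gpoName -Domain $domain -Target 'DC=corp,DC=domain,DC=com'

# Enforce the link so a child OU cannot block inheritance of it.
Set-GPLink -Name $gpoName -Domain $domain -Target $ou -Enforced Yes

# To back a change out, disable the link rather than deleting the GPO:
# Set-GPLink -Name $gpoName -Domain $domain -Target $ou -LinkEnabled No

# View 1: everything linked to the OU, in processing order.
(Get-GPInheritance -Target $ou -Domain $domain).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, GpoId

# View 2: every container this GPO is linked to, taken from its XML report.
[xml]$report = Get-GPOReport -Name $gpoName -Domain $domain -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride
```

Because one GPO can be linked in several places, always check the second view before editing a GPO: a change intended for one OU takes effect everywhere the GPO is linked.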