  1. Open the Active Directory Users and Computers administrative tool.
  2. Create a new OU called Group Policy Test.
  3. Create two new global security groups within the Group Policy Test OU and name them PolicyEnabled and PolicyDisabled.
  4. Exit Active Directory Users and Computers and open the GPMC.
  5. Right-click the Group Policy Test OU and select Link An Existing GPO.
  6. Choose Unlinked Test GPO and click OK.
  7. Expand the Group Policy Test OU so that you can see the GPO (Unlinked Test GPO) underneath the OU.
  8. Click the Delegation tab and then click the Advanced button in the lower-right corner of the window.
  9. Click the Add button and type PolicyEnabled in the Enter The Object Names To Select field. Click the Check Names button. Then click OK.
  10. Add a group named PolicyDisabled in the same way.
  11. Highlight the PolicyEnabled group and select Allow for the Read and Apply Group Policy permissions. This ensures that users in the PolicyEnabled group will be affected by this policy.
  12. Highlight the PolicyDisabled group and select Deny for the Read and Apply Group Policy permissions. This ensures that users in the PolicyDisabled group will not be affected by this policy.
  13. Click OK. You will see a message stating that you are choosing to use the Deny permission and that the Deny permission takes precedence over the Allow entries. Click the Yes button to continue.
  14. When you have finished, close the GPMC tool.
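The same security filtering, applied with the GroupPolicy PowerShell module and then audited so that every Deny entry on the GPO is visible (an added example, not from the book; it assumes RSAT is installed and that the GPO and the two groups from the steps above exist):

```powershell
# Added example, not from the book. Assumes the GroupPolicy module (RSAT) and
# the GPO and groups created in the exercise: "Unlinked Test GPO",
# PolicyEnabled and PolicyDisabled.
Import-Module GroupPolicy

$GpoName = 'Unlinked Test GPO'

# Step 11 equivalent: the GpoApply level grants both Read and Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'PolicyEnabled' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Set-GPPermission has no Deny level, so the Deny for PolicyDisabled (step 12)
# is still set in the GPMC; the audit below shows whether it is present.

function Get-GpoFilteringReport {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
                Denied     = $_.Denied
                Inherited  = $_.Inherited
            }
        }
}

$report = Get-GpoFilteringReport -Name $GpoName
$report | Format-Table -AutoSize

# A Deny entry wins over every Allow, so a user who is a member of both groups
# never receives this GPO. Surface each Deny so it is deliberate, not forgotten.
$denies = $report | Where-Object { $_.Denied }
if ($denies) {
    Write-Warning ("{0}: Deny entries for {1}" -f $GpoName, ($denies.Trustee -join ', '))
}
```

Run it as an account that can read the GPO's security; the report is also the quickest way to explain a "policy not applying" ticket when someone is in both groups.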
Delegating Administrative Control of GPOs

So far, you have learned about how to use Group Policy to manage user and computer settings. What you haven’t done yet is to determine who can modify GPOs. It’s important to establish the appropriate security on GPOs themselves for two reasons.

- If the security settings aren't set properly, users and system administrators can easily override them. This defeats the purpose of having the GPOs in the first place.

- Having many different system administrators creating and modifying GPOs can become extremely difficult to manage. When problems arise, the hierarchical nature of GPO inheritance can make it difficult to pinpoint the problem.

Fortunately, through the use of delegation, determining security permissions for GPOs is a simple task. Exercise 8.4 walks you through the steps that you must take to grant the appropriate permissions to a user account. Specifically, the process involves delegating the ability to manage Group Policy links on an Active Directory object (such as an OU). To complete this exercise, you must have completed Exercises 8.1 and 8.2.

EXERCISE 8.4

Delegating Administrative Control of Group Policy
  1. Open the Active Directory Users and Computers tool.
  2. Expand the local domain and create a user named Policy Admin within the Group Policy Test OU.
  3. Exit Active Directory Users and Computers and open the GPMC.
  4. Click the Group Policy Test OU and select the Delegation tab.
  5. Click the Add button. In the field Enter The Object Name To Select, type Policy Admin and click the Check Names button.
  6. The Add Group Or User dialog box appears. In the Permissions drop-down list, make sure that the item labeled Edit Settings, Delete, Modify Security is chosen. Click OK.
  7. At this point you should be looking at the Group Policy Test Delegation window. Click the Advanced button in the lower-right corner.
  8. Highlight the Policy Admin account and check the Allow Full Control box. This user now has full control of these OUs and all child OUs and GPOs for these OUs. Click OK.

     If you just want to give this user individual rights, then, in the Properties window (step 8), click the Advanced button and then the Effective Permissions tab. This is where you can also choose a user and give them only the rights that you want them to have.

  9. When you have finished, close the GPMC tool.
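The delegation from step 6 expressed with the GroupPolicy module, followed by a domain-wide report of who can edit which GPO, which is the view you need when many administrators have been delegated rights (an added example, not from the book; the user and GPO names come from the exercises, the list of default editors is an assumption to adjust for your domain):

```powershell
# Added example, not from the book. Assumes the GroupPolicy module and the
# "Policy Admin" user and "Unlinked Test GPO" from the exercises.
Import-Module GroupPolicy

$GpoName = 'Unlinked Test GPO'

# Same level as step 6 ("Edit Settings, Delete, Modify Security"), scoped to
# one GPO rather than Full Control over the OU and everything beneath it.
Set-GPPermission -Name $GpoName -TargetName 'Policy Admin' -TargetType User `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# List every principal that can edit any GPO in the domain, skipping trustees
# that hold edit rights by default. That default list is an assumption;
# compare it with what the Delegation tab shows in your domain.
function Get-GpoEditorReport {
    param(
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                -not $_.Denied -and
                $ExpectedEditors -notcontains $_.Trustee.Name
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

# Anyone who can edit a GPO can change settings for every computer and user it
# applies to, so each row should map to a known, current delegation.
Get-GpoEditorReport | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```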

Understanding Delegation
Although I have talked about delegation throughout the book, it’s important to discuss it again in the context of OUs, Group Policy, and Active Directory. Once configured, Active Directory administrative delegation allows you to delegate tasks (usually administration related) to specific user accounts or groups. What this means is that if you don’t manage it all, the user accounts (or groups) you choose will be able to manage their portions of the tree. It’s important to be aware of the benefits of Active Directory Delegation (AD Delegation). AD Delegation will help you manage the assignment of administrative control over objects in Active Directory, such as users, groups, computers, printers, domains, and sites. AD Delegation is used to create more administrators, which essentially saves time. For example, let’s say you have a company whose IT department is small and situated in a central location. The central location connects three other smaller remote sites. These sites do not each warrant a full-time IT person, but the manager on staff (for example) at each remote site can become an administrator for their portion of the tree. If that manager administers the user accounts for the staff at the remote site, this reduces the burden on the system administrator of doing trivial administrative work, such as unlocking user accounts or changing passwords, and thus it reduces costs.
Controlling Inheritance and Filtering Group Policy

Controlling inheritance is an important function when you are managing GPOs. Earlier in this chapter, you learned that, by default, GPO settings flow from higher-level Active Directory objects to lower-level ones. For example, the effective set of Group Policy settings for a user might be based on GPOs assigned at the site level, at the domain level, and in the OU hierarchy. In general, this is probably the behavior you would want.

In some cases, however, you might want to block Group Policy inheritance. You can accomplish this easily by selecting the object to which a GPO has been linked. Right-click the object and choose Block Inheritance. By enabling this option, you are effectively specifying that this object starts with a clean slate; that is, no other Group Policy settings will apply to the contents of this Active Directory site, domain, or OU.

You can also force inheritance. By setting the Enforced option, you can prevent other system administrators from making changes to default policies. You can set the Enforced option by right-clicking the GPO and choosing Enforced (see Figure 8.5).

FIGURE 8.5 Setting the Enforced GPO option
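Block Inheritance and Enforced set from PowerShell, with a report that shows what the OU actually inherits once both are in place (an added example, not from the book; it assumes the GPO link from the earlier exercise exists and uses a placeholder domain DN that you replace with your own):

```powershell
# Added example, not from the book. Assumes the GroupPolicy module, the
# "Unlinked Test GPO" link on the Group Policy Test OU, and a placeholder
# domain DN that you replace with your own.
Import-Module GroupPolicy

$OuDn    = 'OU=Group Policy Test,DC=example,DC=com'   # placeholder DN
$GpoName = 'Unlinked Test GPO'

# Block Inheritance on the OU: links from the site, domain and parent OUs no
# longer apply here unless they are enforced above.
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null

# Enforce this OU's own link so that child OUs cannot block it either.
Set-GPLink -Name $GpoName -Target $OuDn -Enforced Yes | Out-Null

# Report what a container really inherits after blocking and enforcement.
function Get-GpoInheritanceReport {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Container          = $inh.Name
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # Links set directly on this container, marking the enforced ones.
        LocalLinks         = ($inh.GpoLinks | ForEach-Object {
                                 if ($_.Enforced) { "$($_.DisplayName) [Enforced]" }
                                 else             { $_.DisplayName }
                             }) -join '; '
        # Everything that still applies, in precedence order (Order 1 wins).
        # Enforced links from parents survive the block and take precedence
        # over this container's own links, which is why Enforced is the tool
        # for policies that must not be overridden below.
        EffectiveOrder     = ($inh.InheritedGpoLinks | Sort-Object Order |
                                 ForEach-Object { $_.DisplayName }) -join ' > '
    }
}

Get-GpoInheritanceReport -Target $OuDn | Format-List
```

Run the report on a child OU as well: any link from above that is still listed despite the block is enforced, which is exactly the set of policies a local administrator cannot switch off.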