What policies should you use if you are using Group Policy Objects with Windows?

All GPOs created in the directory should have unique names. Even though each GPO is associated with a specific container and could have the same name as another object in the tree, there will be much less confusion when troubleshooting if each GPO name is unique. GPO names can contain letters, numbers, and special characters, but the name cannot be longer than 255 characters. Any GPO name longer than 255 characters will be automatically truncated to the 255-character maximum.

There are no other specific rules as to how to name each GPO. In the same way that you should name each object in the directory to match its function or purpose, you can consider the same approach when naming GPOs. If you have a set of policies that will impact a single container in the directory, such as an OU, you could include the name of the OU in the name of the GPO. If the policies contained in a GPO are going to be linked to a number of containers in the directory, you could name the GPO after the function its policies are designed to perform.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500155

Feature focus

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Creating and managing Group Policy Objects

GPOs are created using the Group Policy Management console in Server Manager. To create a new GPO, perform the following tasks:

1. Log on to a DC and open Server Manager.

2. Expand the nodes Features | Group Policy Management | <your forest name> | Domains | <your domain name>.

3. Right-click an OU where you want to create a new GPO and select the option Create a GPO in this domain and link it here. Optionally, you could right-click on the Domain itself if you wanted to assign the GPO to the entire domain.

4. Enter a name that describes the use of this policy. For example, HR Computer Policy. The new policy will appear under the OU you selected to apply it to (see Figure 4.41).


Figure 4.41. Editing a new GPO.

5. Right-click on the newly created policy and select Edit.

6. The GPO management editor window will open. Here, you can configure specific settings for users and computers. In our example, we will configure the HR GPO to turn on branch cache as seen in Figure 4.42. After editing the setting, close the GPO management editor window.


Figure 4.42. Editing GPO Settings.

7. The new GPO will now apply to all computers in the HR OU as seen in Figure 4.43.


Figure 4.43. Newly created and applied GPO.

We will now assume that we have a VPs OU that must not receive the new settings. To prevent the GPO from being applied to it, we need to block inheritance. By blocking inheritance, we tell the OU not to apply any parent GPOs. To block inheritance on the VPs child OU, right-click the OU and select the option Block Inheritance. You should now notice that a blue exclamation mark appears over the OU as seen in Figure 4.44.


Figure 4.44. Organizational Unit Blocking Inheritance.
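As an added example (not the book's own steps), the same Block Inheritance operation done with the GroupPolicy PowerShell module, followed by a check of which links still reach the VPs OU; the OU distinguished names are assumptions:

```powershell
# Added example, not from the book: block GPO inheritance on a child OU and
# list what still applies to it. OU distinguished names are assumptions.
Import-Module GroupPolicy

$hrOu  = "OU=HR,DC=example,DC=com"         # assumed parent OU linked to "HR Computer Policy"
$vpsOu = "OU=VPs,OU=HR,DC=example,DC=com"  # assumed child OU that must not receive it

# Equivalent of right-clicking the OU in GPMC and choosing Block Inheritance
Set-GPInheritance -Target $vpsOu -IsBlocked Yes | Out-Null

function Get-EffectiveGpoLinks {
    param([Parameter(Mandatory)][string]$OuDn)
    $inh = Get-GPInheritance -Target $OuDn
    # InheritedGpoLinks is the ordered list GPMC shows on the Group Policy
    # Inheritance tab. With blocking on, only the OU's own links and any parent
    # links marked Enforced (No Override) remain; plain parent links drop out.
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Order    = $link.Order
            Gpo      = $link.DisplayName
            Enforced = $link.Enforced
            Target   = $link.Target
        }
    }
}

"Inheritance blocked on ${vpsOu}: " + (Get-GPInheritance -Target $vpsOu).GpoInheritanceBlocked
Get-EffectiveGpoLinks -OuDn $vpsOu | Format-Table -AutoSize
```

If the HR link had been set with Set-GPLink -Enforced Yes, it would still show up in the list above, because blocking inheritance does not stop enforced links.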


URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000049

MCSA/MCSE 70–294: Working with Forests and Domains

Michael Cross, ... Thomas W. Shinder, Dr., Technical Editor, in MCSE (Exam 70-294) Study Guide, 2004

GPOs and GPO references in each renamed domain need to be repaired with the gpfixup.exe command-line tool as shown in Exercise 4.28. These GPOs and their links still have the old domain name embedded in their properties, and will not function normally until repaired. Managed software deployment is also impaired because Group Policy-based software installation and maintenance data such as software distribution point network paths can also be based on the domain name. Gpfixup.exe will repair these for you as well, and it needs to be run once in each renamed domain. Moreover, since GPOs cannot reference application directory partitions, there is no repair required on those. This step completes the core domain rename procedure; however, many other steps could be necessary depending on your configuration as shown in the section Steps to Take After the Domain Rename Procedure.

EXERCISE 4.28

1. Open a command prompt. Click Start | All Programs | Accessories | Command Prompt.

2. Change to the RenameTools directory.

3. Type this entire command on a single line: gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName /newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 > gpfixup.log. In this case:

OldDomainDnsName is the old DNS name of the renamed domain.

NewDomainDnsName is the new DNS name of the renamed domain.

OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.

NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.

DcDnsName is the DNS host name of a DC in the renamed domain, preferably the PDC Emulator. Pick one that successfully completed the rename operation with a final Done state in the dclist.xml state file in step 8.

NOTE

The command line parameters /oldnb and /newnb are only required if the NetBIOS name of the domain changed; otherwise, these parameters can be omitted from the command line for Gpfixup. In addition, the redirected output—both status and errors—is saved to the file gpfixup.log, which can be periodically displayed to monitor progress of the command.

4. To force replication of the Group Policy repair changes to the rest of the DCs in the renamed domain, type repadmin /syncall /d /e /P /q DcDnsName NewDomainDN and then press Enter. In this case:

DcDnsName is the DNS host name of the DC that was targeted by the gpfixup command.

NewDomainDN is the DN corresponding to the new DNS name of the renamed domain.

NOTE

Remember, the DNS host name of a DC in a renamed domain does not change automatically when the domain name changes. Use the old name unless you have changed it manually to the new one at this point.

5. Repeat steps 3 and 4 in this procedure for every renamed domain. You can do them in sequence. For two domains, execute gpfixup twice and repadmin twice. Do not run gpfixup more than once for each renamed domain, and do not run it at all for renamed application directory partitions.

NOTE

The GPO/link fix-up procedure does not repair interdomain GPO links. If you have any of these in your forest, they will have to be repaired manually. This is a matter of breaking and reestablishing each link. It also does not repair network paths for software distribution points that are external to the domain.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500106

Strong Access Controls

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010

Setting File Permissions Using GPOs

GPOs can also be used to set permissions for the file system. This makes permissions easy to maintain and keeps all of your security settings in one place.

In the GPO that we created in the last section, go to Windows Settings | Security Settings. Click on File System, and you will see a list of any files that have permissions set on them in your GPO. To change the settings on a file currently listed, double-click on the file and a Properties dialog box will open. You can change inheritance settings in this dialog box to tell Windows how subfolder permissions should be affected (see Fig. 5.6).


Figure 5.6. Windows 2003 Access Control

Click on Edit Security and a dialog box will open that will allow you to view and modify what kinds of rights user and group accounts have. To add a user or group to the list of group or user names, click on the Add button and the Select Users, Computers, or Groups dialog box will appear. You can then type in the name of a user or group. The Advanced button gives you more options to help you find the correct group or user to add. After you click OK, the user or group appears in the previous dialog (see Fig. 5.7).


Figure 5.7. Windows Access Control Settings

By clicking on the Advanced button, you can view and change special permissions settings. You can also modify auditing settings and owner settings using the Auditing and Owner tabs.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494991000106

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Fine-Grain Password and Account Lockout Policies

When a GPO is used to apply password and account lockout policies, these policies can be set only for the entire domain, and only one instance of each setting will be applied for all users in the domain. In other words, you cannot set different password or account lockout policies for different types of users in a domain (such as administrators and general users) using GPOs. You can do this only using a new feature, fine-grain password and account lockout policy. A key distinction between group policy-based password and account lockout enforcement and fine-grain policies is how you apply them. Unlike group policy, however, fine-grain policies are quite complex to configure.

Warning

It's important to remember that only one set of GPO account and lockout policies applies to a domain. This functionality is unchanged from Windows 2000 Server and Server 2003. Although fine-grain policies can override the settings that are configured using a GPO at the domain level, they are not GPO-based.

You can apply fine-grain policies only to users and global security groups. They are not linked to the major Active Directory container objects: sites, domains, and organizational units (OUs). It is common for organizations to organize users using these traditional Active Directory container structures, so Microsoft recommends the creation of shadow groups which map to an organization's domain and OU structure. In this way, you can add the global security groups to the appropriate fine-grain policy object in Active Directory one time, and use group membership to determine to whom it applies. It's possible that a user can be a member of more than one global security group and for these groups to be associated with different fine-grain policies. To accommodate this, Microsoft allows you to associate a precedence value to each fine-grain policy. A policy given a lower number will take precedence over one given a higher number if both apply to a user.

Notes from the Underground…

A Long-Awaited Password and Account Policy Solution

Fine-grain password and account lockout policy is new in Windows Server 2008. In Windows 2000 and 2003 forests, you could apply these settings only at the domain level. A single effective set of policy settings was enforced for all users. For many midsize to large organizations, this provided an unacceptable level of security. The limitation led to all kinds of complicated technical workarounds and the use of more complex domain and forest structures, which increased management costs.

Although fine-grain policies are certainly not as easy to use as traditional GPOs, they are a step in the right direction. Most companies will no longer require their previous workarounds, and Microsoft expects that many who adopted more complex domain structures will be consolidating and simplifying their forests. Fine-grain policies also represent a major departure from Microsoft's previous instructions to administrators to adopt a site-, domain-, and OU- based management style. They cannot be applied to any of these Active Directory container objects.

Configuring a Fine-Grain Password Policy

Two new Active Directory object classes have been added to the Active Directory schema to support fine-grain policies. Policies are configured under a Password Settings Container (PSC). The actual policy objects themselves are called Password Settings Objects (PSOs). Creating a PSO involves using a lower-level Active Directory editing tool than you might be familiar with. There are two ways to do it. One is with the ADSI Edit graphical utility. The other is by using ldifde to script the operation at the command line. In this chapter, we'll be using ADSI Edit:

1. Open ADSI Edit by clicking Start | Run and typing adsiedit.msc.

2. Right-click on the ADSI Edit node in the leftmost pane and click Connect to. (See Figure 3.6.)


Figure 3.6. Bringing Up the Connections Settings Dialog

3. Accept the default naming context which appears in the Name: text box or type in the fully qualified domain name (FQDN) of the domain you want to use. Click OK. (See Figure 3.7.)


Figure 3.7. The Name: Text Box

4. Expand the Default naming context node (if present), expand your DC=DomainName node (here, DC=syngress,DC=com), and double-click on the CN=System node.

5. Right-click on the CN=Password Settings Container node and select New | Object, as shown in Figure 3.8.


Figure 3.8. Creating the New Object in ADSI Edit

6. In the Create Object dialog box, select msDS-PasswordSettings and click Next. (See Figure 3.9.)


Figure 3.9. Selecting the msDS-PasswordSettings Option

7. In the Create Object dialog box, enter the desired name for your PSO in the Value: text box (here, psoUsers) and click Next. (See Figure 3.10.)


Figure 3.10. Entering the PSO Name

8. Configure the appropriate value for each of the password and account lockout policy settings. All are required. Refer to the information in the list after Figure 3.11 for more details on each setting.


Figure 3.11. Configuring the Fine-grain Settings

msDS-PasswordSettingsPrecedence: Sets the precedence value for deciding conflicts when more than one fine-grain policy applies to a user. Values greater than 0 are acceptable.

msDS-PasswordReversibleEncryptionEnabled: Equivalent to the Store passwords using reversible encryption group policy setting. Acceptable values are TRUE and FALSE.

msDS-PasswordHistoryLength: Equivalent to the Enforce password history group policy setting. Acceptable values are 0 through 1024.

msDS-PasswordComplexityEnabled: Equivalent to the Passwords must meet complexity requirements group policy setting. Acceptable values are TRUE and FALSE.

msDS-MinimumPasswordLength: Equivalent to the Minimum password length group policy setting. Acceptable values are 0 through 255.

msDS-MinimumPasswordAge: Equivalent to the Minimum password age group policy setting. Acceptable values are (None) and days:hours:minutes:seconds (i.e., 1:00:00:00 equals one day) through the value configured for msDS-MaximumPasswordAge.

msDS-MaximumPasswordAge: Equivalent to the Maximum password age group policy setting. Acceptable settings are (Never) and the msDS-MinimumPasswordAge value through (Never). This value cannot be set to 0. It follows the days:hours:minutes:seconds format (i.e., 1:00:00:00 equals one day).

msDS-LockoutThreshold: Equivalent to the Account lockout threshold group policy setting. Acceptable settings are 0 through 65535.

msDS-LockoutObservationWindow: Equivalent to the Reset account lockout counter after group policy setting. Acceptable values are (None) and 00:00:00:01 through the msDS-LockoutDuration value.

msDS-LockoutDuration: Equivalent to the Account lockout duration group policy setting. Acceptable values are (None), (Never), and the msDS-LockoutObservationWindow value through (Never). This value follows the days:hours:minutes:seconds format (i.e., 1:00:00:00 equals one day).

9. After specifying the preceding values, click the More Attributes button, as shown in Figure 3.12.


Figure 3.12. The More Attributes Button

10. Although it is not required, at this point you can specify to which users or groups the fine-grain policy will apply. You can also do this in Active Directory Users and Computers (covered later). To configure this during PSO object creation:

Set Select which properties to view: to either Optional or Both.

Set Select a property to view to: to msDS-PSOAppliesTo.

Enter a distinguished name (DN) for a user or global security group in the Edit Attribute: text box and click Add. Multiple users and groups can be added and removed. When done, click OK. (See Figure 3.13.)


Figure 3.13. Associating Users and Global Security Groups

11. Click Finish in the Create Object dialog box. When done, ADSI Edit should resemble Figure 3.14.


Figure 3.14. The ADSI Utility

Applying Users and Groups to a PSO with Active Directory Users and Computers

In addition to using ADSI Edit to associate users and global security groups with a PSO, administrators can also use Active Directory Users and Computers:

1. Open Active Directory Users and Computers by clicking Start | Administrative Tools | Active Directory Users and Computers.

2. Ensure that View | Advanced Features is selected.

3. In the left pane, navigate to Your Domain Name | System | Password Settings Container.

4. In the right pane, right-click on the PSO you want to configure, and select Properties, as shown in Figure 3.15.


Figure 3.15. Opening the Properties for the PSO

5. In the Properties dialog box, select the Attribute Editor tab. In the Attributes: selection window, scroll down and click on msDS-PSOAppliesTo followed by Edit. (See Figure 3.16.)


Figure 3.16. The Attribute Editor Tab

6. There are two ways to add users and global security groups using the Multi-valued Distinguished Name with Security Principal Editor dialog (see Figure 3.17):

Click Add Windows Account to search for or type in the object name using a standard Select Users, Computers, or Groups dialog box.

Click Add DN to type in the DN for the object you want to add.


Figure 3.17. The Multi-valued Distinguished Name with Security Principal Editor Window

7. You can also remove accounts from the Multi-valued Distinguished Name With Security Principal Editor dialog by highlighting the account in the Values: selection box and clicking the Remove button. When you are done adding and deleting accounts from this PSO, click OK.

8. In the Properties window, click OK.
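As an added example (not the book's own procedure), the PSO creation walkthrough and the group-association steps above done with the ActiveDirectory PowerShell module instead of ADSI Edit, ending with the precedence check a practitioner wants when a user sits in several groups; the shadow group and user names are assumptions:

```powershell
# Added example, not from the book: create the psoUsers PSO with the
# ActiveDirectory module, attach a shadow group, and resolve which PSO wins.
Import-Module ActiveDirectory

$psoName     = "psoUsers"   # the PSO name used in the walkthrough
$shadowGroup = "HR-Users"   # assumed global security group mirroring the HR OU
$sampleUser  = "jdoe"       # assumed user who is a member of that group

# Each parameter maps to one msDS-* attribute from the list above; all are required.
# Durations use days.hours:minutes:seconds (1.00:00:00 is one day).
$params = @{
    Name                            = $psoName
    Precedence                      = 10           # msDS-PasswordSettingsPrecedence (lower wins)
    ReversibleEncryptionEnabled     = $false       # msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount            = 24           # msDS-PasswordHistoryLength
    ComplexityEnabled               = $true        # msDS-PasswordComplexityEnabled
    MinPasswordLength               = 14           # msDS-MinimumPasswordLength
    MinPasswordAge                  = "1.00:00:00" # msDS-MinimumPasswordAge
    MaxPasswordAge                  = "42.00:00:00" # msDS-MaximumPasswordAge (must exceed the minimum)
    LockoutThreshold                = 10           # msDS-LockoutThreshold
    LockoutObservationWindow        = "0.00:30:00" # msDS-LockoutObservationWindow
    LockoutDuration                 = "0.00:30:00" # msDS-LockoutDuration (not below the window)
    ProtectedFromAccidentalDeletion = $true
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @params
}

# Same effect as editing msDS-PSOAppliesTo: the policy targets the group, never an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $shadowGroup

function Get-WinningPso {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The DC applies the applicable PSO with the lowest precedence value; when no
    # PSO applies at all, the cmdlet returns nothing and the domain GPO policy holds.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return "Domain-level GPO password policy (no PSO applies)" }
    "{0} (precedence {1}, minimum length {2})" -f $pso.Name, $pso.Precedence, $pso.MinPasswordLength
}

Get-WinningPso -SamAccountName $sampleUser
```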


URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000031

Monitoring and Managing a Network Infrastructure

Tony Piltzecker, Brien Posey, in The Best Damn Windows Server 2008 Book Period (Second Edition), 2008

Group Policy Objects (GPOs)

We are now ready to create our GPO to manage client settings. In our example, we will create a new GPO and link it to a Servers OU within Active Directory. If you have not done so already, create a new OU named “Servers” in Active Directory Users and Computers. After creating the new OU, you will be ready to create and link a GPO. To do this, follow along with the following Sidebar.

Configuring & Implementing…

Setting up a Group Policy to Configure Client Settings

1. Select Start | Administrative Tools | Group Policy Management. This will open the Group Policy Management Console (GPMC).

2. Within the GPMC, expand the nodes of the forest and domain in which you want to create a new GPO.

3. Locate and right-click on the newly created Servers OU. Choose the option to Create a GPO in this domain, and Link it here, as shown in Figure 8.20.


Figure 8.20. Creating a New GPO

4. The New GPO dialog box will appear. Enter a name for the GPO and ensure that Source Starter GPO is set to None. Then click the OK button.

5. Right-click the new GPO you created and choose Edit, as shown in Figure 8.21. The Group Policy Editor window will open.


Figure 8.21. Editing the New GPO

6. Select the Computer Configuration | Administrative Templates | Windows Components | Windows Update node. This will display the Windows Update settings that you can configure via GPO. Open each of the following settings by double-clicking on that policy setting. Set each of the following settings as shown in Table 8.1.

Table 8.1. Windows Update GPO Settings

Group Policy Option: Configure Automatic Updates
Setting(s):
  ■ Enabled
  ■ Configure Automatic Updating: 4 — Auto Download and Schedule the install
  ■ Schedule Install Day: 7 — Every Saturday
  ■ Schedule Install Time: 02:00

Group Policy Option: Specify Intranet Microsoft Update Service Location
Setting(s):
  ■ Enabled
  ■ Set the intranet update service for detecting updates: http://nameofyourWSUSserver
  ■ Set the intranet statistics server: http://nameofyourWSUSserver

Group Policy Option: Automatic Updates Detection Frequency
Setting(s):
  ■ Enabled
  ■ Check for updates at the following interval (hours): 12

Group Policy Option: Enable Client Side Targeting
Setting(s):
  ■ Enabled
  ■ Target group for this computer: My Servers

7. After configuring the appropriate GPO settings, close the Group Policy Editor. Then close the Group Policy Management Console. This policy will apply to any new clients added to the My Servers OU in Active Directory. In our example, we'll move our WSUS server to this OU.

8. After your clients perform a Group Policy update, they will check in and register with the WSUS server. You should see the clients appear in the My Servers computer group within WSUS role management, as shown in Figure 8.22. You can now easily set up any Windows client to register with your WSUS server for updates simply by placing them in the My Servers OU.


Figure 8.22. A New Computer Automatically Assigned to the WSUS Computer Group

We have just walked through an example of how to use Group Policy to configure your clients to connect to WSUS for update management. You can easily apply these GPO settings to multiple OUs or domains, depending on the needs within your organization.
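As an added example (not the book's own steps), the Table 8.1 GPO built and linked with the GroupPolicy PowerShell module, plus the client-side check for step 8 that confirms the policy actually landed before you expect the machine in the WSUS group; the GPO name, OU distinguished name and WSUS host are assumptions:

```powershell
# Added example, not from the book: create the Table 8.1 WSUS GPO and verify
# on a client that every setting arrived. Names and DNs below are assumptions.
Import-Module GroupPolicy

$gpoName   = "WSUS - My Servers"              # assumed GPO name
$serversOu = "OU=Servers,DC=example,DC=com"   # assumed DN of the Servers OU
$wsusUrl   = "http://wsus01.example.com"      # stands in for http://nameofyourWSUSserver

$wuKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey = "$wuKey\AU"

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $serversOu -LinkEnabled Yes | Out-Null
}

# Table 8.1 rows expressed as the registry values the Windows Update ADMX writes.
$expected = @(
    # Configure Automatic Updates: Enabled, option 4, Saturday (7), 02:00
    @{ Key = $auKey; Name = "NoAutoUpdate";              Type = "DWord";  Value = 0 }
    @{ Key = $auKey; Name = "AUOptions";                 Type = "DWord";  Value = 4 }
    @{ Key = $auKey; Name = "ScheduledInstallDay";       Type = "DWord";  Value = 7 }
    @{ Key = $auKey; Name = "ScheduledInstallTime";      Type = "DWord";  Value = 2 }
    # Specify intranet Microsoft update service location: Enabled
    @{ Key = $wuKey; Name = "WUServer";                  Type = "String"; Value = $wsusUrl }
    @{ Key = $wuKey; Name = "WUStatusServer";            Type = "String"; Value = $wsusUrl }
    @{ Key = $auKey; Name = "UseWUServer";               Type = "DWord";  Value = 1 }
    # Automatic Updates detection frequency: Enabled, every 12 hours
    @{ Key = $auKey; Name = "DetectionFrequencyEnabled"; Type = "DWord";  Value = 1 }
    @{ Key = $auKey; Name = "DetectionFrequency";        Type = "DWord";  Value = 12 }
    # Enable client-side targeting: Enabled, group "My Servers"
    @{ Key = $wuKey; Name = "TargetGroupEnabled";        Type = "DWord";  Value = 1 }
    @{ Key = $wuKey; Name = "TargetGroup";               Type = "String"; Value = "My Servers" }
)

foreach ($e in $expected) {
    Set-GPRegistryValue -Name $gpoName -Key $e.Key -ValueName $e.Name `
        -Type $e.Type -Value $e.Value | Out-Null
}

# Run on a member of the Servers OU after gpupdate /force: compares what the
# policy actually wrote on the client with the table, one finding per mismatch.
function Test-WsusPolicyApplied {
    param([Parameter(Mandatory)][hashtable[]]$Expected)
    $problems = foreach ($e in $Expected) {
        $path   = $e.Key -replace '^HKLM\\', 'HKLM:\'
        $actual = (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($null -eq $actual) {
            "$($e.Name): missing (policy not applied yet, or wrong OU?)"
        } elseif ("$actual" -ne "$($e.Value)") {
            "$($e.Name): expected '$($e.Value)', found '$actual'"
        }
    }
    if ($problems) { $problems } else { "All Table 8.1 settings are present on this client" }
}

Test-WsusPolicyApplied -Expected $expected
```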


URL: https://www.sciencedirect.com/science/article/pii/B9781597492737000082

Microsoft Vista: Update and Monitoring Services

In Microsoft Vista for IT Security Professionals, 2007

Targeting Updates via Group Policy

We mentioned the scope of a Group Policy Object; this is an important and valuable tool when we have decided to target certain updates to specific computers or groups. An example of this would be if we put different machines in different organizational units (OUs) in our Active Directory and then applied specific Group Policy Objects to each OU. For instance, if we had a group of lab computers set up, we could put them in a separate computer group on our WSUS server by enabling Client-side targeting on the server and in the Group Policy Object. Then we would set a different value for Target group name for this computer for our lab computers than what we would set for our production computers. We can also separate our servers from our end-user machines this way.

We can even direct a certain group of computers to an entirely different WSUS server. This is helpful in larger environments where computers are geographically separated or where we have a large number of clients and want to spread out the workload among different servers.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500133

Policies and Procedures for Securing XenApp

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Group Policy Objects

All group policy information is stored in Active Directory in GPOs. You can apply these objects at the site, domain, or OU level within the directory. Since the GPO is an object in the directory, you can set security permissions on the objects to determine who will access the policy settings stored in the GPO.

Because GPOs can impact a large portion of the directory, you should update GPOs infrequently. Each GPO update must propagate across the entire directory to take effect, and this could be a time consuming process if the directory structure is very large. You should also restrict the number of individuals who make changes to GPOs that can impact the entire organization. Otherwise, you can run into the situation where two administrators make contradictory changes to a GPO in different locations of the tree, and the changes propagate differently around the tree, potentially causing problems until the directory has completely updated the GPO changes.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492812000068

Microsoft Vista: Data Protection

In Microsoft Vista for IT Security Professionals, 2007

Real-World Usage: Our Road Warrior Returns

You’ve just been asked to make sure that road warriors are able to give corporate presentations while they are on the move, but that they can’t save them, or the confidential information they carry, to removable storage devices.

No problem; we’ll simply revisit our Group Policy Object from before, navigate to Computer Configuration | Administrative Templates | System | Removable Storage, and enable every policy that includes the words Deny write access (except, of course, for the option to deny write access to custom classes, because we don’t know which custom classes those might be, so our list would remain empty).

Notes from the Underground…

You Can't Ban What You Don't Know

Because device usage policies listed here work from an "allow by default" model, the only way to ban writes to all removable storage devices is to ban all access to all removable storage classes, using the All Removable Storage classes: Deny all access setting. Because this bans read access as well, you will probably be reluctant to do this.

In our opinion, this is a misstep on Microsoft's part, because it means that as soon as a new device class is created, you're going to have to add it to your Custom Classes: Deny write access list, or run the risk that confidential information can be copied over.

For us, this means that it may be possible to find a device that you haven't considered blocking, and that we can use to copy off large amounts of your business secrets, whether that's customer data, business intelligence, legal and contract information, and so on.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500091

MCSA/MCSE 70-294: Working with Trusts and Organizational Units

Michael Cross, ... Thomas W. Shinder, Dr., Technical Editor, in MCSE (Exam 70-294) Study Guide, 2003

Applying Group Policy to OUs

One of the fundamental reasons for creating an OU is to apply a GPO to it. After creating the OU, you can then create a new GPO or apply an existing GPO. The Group Policy tab found in the OU Properties window is the most important tab of the OU properties. This is where you create, associate, and edit the GPOs that will affect the OU. This tab has the following buttons:

New

Add

Edit

Options

Delete

Properties

The New button will create a new GPO. When it is clicked, you need to supply the name for the new GPO.

After the GPO is created, use the Edit button to edit its configuration settings. The GPO is broken into two sets of configuration settings, Computer and User. Each of these settings is further defined by three categories of settings: Software, Windows, and Administrative Templates. These are the settings you use to control the OU (or other unit to which the GPO is applied).

The Add button lets you create a Group Policy Object Link. The link lets you apply an existing GPO to the OU. You will have the ability to navigate through the domain to locate the existing GPO and link it to the new OU.

The Options button gives you two options: No Override and Disable. Disable is very intuitive; it will disable the GPO. The No Override option is used by a parent OU’s GPO to ensure that the settings in the GPO are not overridden by a child OU’s GPO. These options can be accessed by right-clicking the GPO and selecting the option from the context menu.

The Properties button opens the Properties window for the GPO. The Properties window has three tabs: General, Links, and Security. The General tab displays a Summary section and a Disable section. The Summary section displays GPO information such as the date created, date last modified, revision versions, domain name, and the unique name of the GPO. The Disable section allows you to disable either or both sets of configuration settings. You can disable the Computer Configurations Settings and/or the User Configuration Settings. Disabling unused parts of the GPO increases performance. The Links tab displays all of the sites, domains, or OUs found that use the GPO. It has a Find button to assist you in locating where the GPO has been applied. The Security tab sets the permissions for the GPO.

The permissions that are set via the Security tab control the level of access that a user or group of users has over the GPO. The levels of permissions are:

Full Control

Read

Write

Create Child Objects

Delete Child Objects

Apply Group Policy

The last button is Delete, which is used to delete a GPO.

At the bottom of the Group Policy tab is the option to Block Inheritance. Block Inheritance will block settings from the GPOs that would otherwise be inherited from a parent OU. This gives the child OU the ability to control which settings to accept from the parent OUs. However, if the parent has set the No Override and the child sets Block Inheritance, the No Override setting takes precedence.

Test Day Tip

The relationship between GPOs and OUs is one that makes for easy test questions. Pay particular attention to the effects of the No Override setting and the Block Inheritance setting.

Delegating Control of OUs

Delegation of control over an OU is done to alleviate the tasks of the network administrators from performing the routine functions of an OU. Often, a manager or supervisor whose account is in the OU will have a better understanding of the daily tasks associated with the users and computers that belong to the OU, and is thus well positioned to take care of the OU. Delegation is a simple process. A wizard will walk you through the process. The Delegation of Control Wizard is discussed later in the chapter.

After you have decided to whom you want to delegate control, decide on which tasks to delegate. You have the ability to delegate management control over users and groups as well as the Group Policy Links. You can pass control of different activities to different people in the organization.

Specifically, the levels of delegations are:

Create, delete, and manage user accounts

Reset passwords on user accounts

Read all user information

Create, delete, and manage groups

Modify the membership of a group

Manage Group Policy Links

As you can see, delegation can reduce the amount of daily management tasks required by the network administrator.

Test Day Tip

The administrative task of delegating control to others is one that is likely to be covered on the exam. It is likely to be a straightforward scenario that will ask you to delegate control to another user or group of users. Pay attention to the levels of control that can be delegated.

What are some best practices to use with Group Policy Objects (GPOs)?

Some best practices for GPOs include: Create a well-designed organizational unit structure in Active Directory to simplify applying and troubleshooting Group Policy. Give GPOs descriptive names to enable admins to quickly identify what each GPO does.

What are 3 Best Practices for GPOs?

Here are Active Directory Group Policy best practices that will help you to secure your systems and optimize Group Policy performance:

Do not modify the Default Domain Policy and Default Domain Controller Policy.

Create a well-designed organizational unit (OU) structure in Active Directory.

Give GPOs descriptive names.

What are some good group policies?

Top 8 useful Group Policy settings recommendations:

Prohibit access to the control panel.

Prevent access to the command prompt.

Deny all removable storage access.

Prohibit users from installing unwanted software.

Reinforce guest account status settings.

Do not store LAN Manager hash values on next password changes.

What is the order in which Group Policy Objects (GPOs) are applied?

When multiple Group Policy Objects are linked to a single AD container, they are processed in link order, starting from the highest link order number and ending with the lowest; where settings conflict, the settings in the GPO with the lowest link order take effect.