The Group Policy Management Console is the Microsoft Management Console (MMC) snap-in that administrators use to create GPOs and manage their deployment to AD DS objects. The Group Policy Management Editor is a separate snap-in that opens GPOs and enables you to modify their settings.
There are several different ways of working with these two tools, depending on what you want to accomplish. You can create a GPO and then link it to a domain, site, or OU, or you can create and link a GPO in a single step. Windows Server 2012 R2 implements the tools as the Group Policy Management feature and installs them automatically with the AD DS role.
You can install the feature manually on a member server by using the Add Roles And Features Wizard in Server Manager. The Group Policy Management tools are also included in the Remote Server Administration Tools package for Windows workstations.
Creating and linking nonlocal GPOs
If you decide to leave the default Windows GPOs unaltered, the first steps in deploying your own customized Group Policy settings are to create one or more new GPOs and link them to appropriate AD DS objects.
To use the Group Policy Management Console to create a new GPO and link it to an OU object in AD DS, use the following procedure.
1. Open the Active Directory Administrative Center and create an OU called Sales in your domain.
2. In Server Manager, from the Tools menu, select Group Policy Management. The Group Policy Management Console appears, as shown in Figure 6-1.
FIGURE 6-1 The Group Policy Management Console
3. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.
4. Right-click the Group Policy Objects folder and, from the shortcut menu, select New. The New GPO dialog box appears.
5. In the Name text box, type a name for the new GPO and click OK. The new GPO appears in the Contents list.
6. In the left pane, right-click the domain, site, or OU object to which you want to link the new GPO and, from the shortcut menu, select Link An Existing GPO. The Select GPO dialog box appears.
7. Select the GPO you want to link to the object and click OK. The GPO appears on the object’s Linked Group Policy Objects tab, as shown in Figure 6-2.
FIGURE 6-2 The Linked Group Policy Objects tab
8. Close the Group Policy Management Console.
You can also create and link a GPO to an Active Directory container in a single step, by right-clicking an object and selecting Create A GPO In This Domain And Link It Here from the shortcut menu.
If you link a GPO to a domain object, it applies to all users and computers in the domain. On a larger scale, if you link a GPO to a site that contains multiple domains, the Group Policy settings are applied to all the domains and the child objects beneath them. This process is referred to as GPO inheritance.
Using security filtering
Linking a GPO to a container causes all the users and computers in that container to receive the GPO settings by default. This is because creating the link grants the Read and Apply Group Policy permissions for the GPO to the users and computers in the container.
More precisely, the system grants the permissions to the Authenticated Users special identity, which includes all the users and computers in the domain. However, by using a technique named security filtering, you can modify the default permission assignments so that only certain users and computers receive the permissions and, consequently, the settings in the GPO.
To modify the default security filtering configuration for a GPO, select it in the left pane of the Group Policy Management Console, as shown in Figure 6-3. In the Security Filtering area, you can use the Add button or the Remove button to replace the Authenticated Users special identity with specific user, computer, or group objects. Of the users and computers in the container to which the GPO is linked, only those you select in the Security Filtering pane will receive the settings from the GPO.
FIGURE 6-3 Security filtering in the Group Policy Management Console
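The create-and-link procedure and the security filtering change described above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original article; the GPO name and the Sales-Staff group are hypothetical and the group is assumed to exist already. Instead of removing Authenticated Users outright, it lowers that identity to Read so that only the named group keeps Apply Group Policy.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules
# (installed with the AD DS role or with RSAT).
Import-Module GroupPolicy, ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ouDn      = "OU=Sales,$domainDn"
$gpoName   = 'Sales Desktop Policy'   # hypothetical GPO name
$groupName = 'Sales-Staff'            # hypothetical group, assumed to exist

# Step 1: create the Sales OU if it is not there yet.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn
}

# Steps 4-5: create the GPO (unlinked) unless it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Settings for the Sales OU'
}

# Steps 6-7: link the GPO to the OU, skipping the link if it is present.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Security filtering: grant Read + Apply to the chosen group only.
Set-GPPermission -Guid $gpo.Id -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Lower Authenticated Users from Apply to Read. -Replace is required when
# reducing a permission level. Read is kept so computer accounts can still
# read the GPO when processing user policy (behaviour since MS16-072).
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Verify: list every trustee that still receives the GPO settings.
$appliesTo = Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
$appliesTo | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

if ($appliesTo.Trustee.Name -contains 'Authenticated Users') {
    Write-Warning "Authenticated Users still has Apply on '$gpoName'."
}
```

Running the final check against existing GPOs is a quick way to audit which policies still apply to every authenticated user and computer in their linked containers.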
This article is part of the 70-410 Installing and Configuring Windows Server 2012 Prep course.