• Error Handling on Failure to Reach a Domain Controller
  • DC Selection Results
  • Local Group Policy
  • Local Group Policy Object
  • Local Group Policy Object and DACLs
  • Viewing Policies When the Group Policy Snap-in is Focused on the Local Computer
  • Starting the Group Policy Snap-in on Windows 2000 Professional
  • Using the Group Policy Snap-in Focused on a Remote Computer
  • Starting the Group Policy Snap-in from the Command Line
  • Specifying a Domain Controller by Using Policy




    Date: 26.12.2019
    Size: 4.15 Mb.

    Specifying a Domain Controller by Using Policy


    Domain administrators can use a policy to specify how Group Policy chooses a domain controller—that is, they can specify which domain controller option should be used. In such cases, the DC Options menu item is unavailable since a policy is in place that overrides any setting that the user chooses. This policy allows domain administrators to mandate that all administrators must use the PDC emulator, for example.

    The DC options policy is available in the Administrative Templates node for User Configuration, in the System\Group Policy sub-container. The available DC options are the same as the preference settings listed above in the Options for domain controller selection dialog box description.


    Error Handling on Failure to Reach a Domain Controller


    If the Group Policy snap-in cannot reach the intended DC, the following error dialog box is displayed:

    Figure 7. Domain controller not found dialog box

    The default option for this dialog box is always the first option. However, if there is a policy in place, this error dialog box is not displayed. Instead, the following message is displayed: “Failed to find a domain controller. There may be a policy that prevents you from selecting another domain controller.”


    DC Selection Results


    The following table indicates which DC the Group Policy snap-in will use, based on various combinations of conditions. Where:

    PDC means use the DC with the Operations Master token for the PDC emulator.

    Inherit means use the DC used by the Active Directory snap-ins.

    Any DC means use any available DC.

    1) and 2) means that 1) will be tried first, and then 2).



    User preference    Policy       Results
    Undefined          Undefined    1) PDC 2) Prompt
    PDC                Undefined    1) PDC 2) Prompt
    Inherit            Undefined    1) Inherit 2) Any DC
    Any                Undefined    Any DC
    N/A                PDC          PDC only
    N/A                Inherit      1) Inherit 2) Any DC
    N/A                Any          Any DC


    Local Group Policy





    You can set local Group Policy for any computer, whether or not it participates in a domain. To set local Group Policy, you use the Group Policy snap-in focused on the local computer. You can access the Group Policy snap-in tool by typing mmc at the command prompt, adding the Group Policy snap-in to the MMC console, and focusing the Group Policy snap-in on the local computer. Group Policy is processed in this order: local GPO first, followed by Active Directory linked GPOs (site, domain, OU, and any nested OUs).

    Local Group Policy Object


    On all computers, a Local Group Policy Object (LGPO) exists—this is just the Group Policy Template portion. The location of the LGPO is %SystemRoot%\System32\GroupPolicy. Each Group Policy extension snap-in queries the Group Policy engine to get the GPO type, and then decides if it should be displayed.

    The following table indicates whether or not the Group Policy snap-in extensions open when the Group Policy snap-in is focused on an LGPO.



    Group Policy snap-in extension    Loaded when Group Policy snap-in focused on LGPO
    Security Settings                 Yes
    Administrative Templates          Yes
    Software Installation             No
    Scripts                           Yes
    Folder Redirection                No
    Internet Explorer Maintenance     Yes


    Local Group Policy Object and DACLs


    In the current release, there is no Apply Group Policy ACE for the local GPO. If you have Read access to the LGPO, then the local GPO applies to you. The implication is that it’s difficult to choose whom the LGPO should apply to (for example, the LGPO also applies to the administrator). Everyone with Read access to the LGPO who logs on gets the LGPO. If this is not what you want, a work-around exists. You can set the Read ACE to Deny for a specific user, and then the LGPO doesn’t apply to that user. This is useful for administrators who don’t want to be subject to the LGPO settings. However, without Read access, administrators cannot see the contents of the LGPO.
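
    One way to check whom the local GPO applies to, given that Read access on the LGPO decides it. This is an added example, not part of the original paper; it assumes a system where PowerShell 3.0 or later is available (which postdates Windows 2000), and Get-LgpoReadAccess is a hypothetical helper name. It lists ACEs only and does not resolve group membership.

```powershell
# Added example (not from the original paper). Lists the ACEs on the LGPO
# folder that decide who the local GPO applies to: per the text above, anyone
# with Read access gets the LGPO, and a Deny Read ACE exempts a user.
# Get-LgpoReadAccess is a hypothetical helper name.
function Get-LgpoReadAccess {
    param(
        # LGPO location as stated in the text above
        [string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicy')
    )

    $readMask    = [int][System.Security.AccessControl.FileSystemRights]::Read
    $genericRead = [int]::MinValue   # GENERIC_READ (0x80000000) as a signed Int32
    $genericAll  = 0x10000000        # GENERIC_ALL

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $rights = [int]$ace.FileSystemRights

        # Some ACEs store generic rights rather than file-specific ones
        $generic  = (($rights -band $genericRead) -ne 0) -or
                    (($rights -band $genericAll) -ne 0)
        $fullRead = (($rights -band $readMask) -eq $readMask) -or $generic
        $anyRead  = (($rights -band $readMask) -ne 0) -or $generic

        $effect = $null
        if ($ace.AccessControlType -eq 'Deny' -and $anyRead) {
            $effect = 'Read denied: LGPO does not apply'
        }
        elseif ($ace.AccessControlType -eq 'Allow' -and $fullRead) {
            $effect = 'Read allowed: LGPO applies'
        }

        if ($effect) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Effect    = $effect
            }
        }
    }
}

# Deny entries first, since a Deny ACE overrides an Allow granted through a group
Get-LgpoReadAccess | Sort-Object Type -Descending | Format-Table -AutoSize
```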

    Viewing Policies When the Group Policy Snap-in is Focused on the Local Computer


    When administrators run the Group Policy snap-in focused on a local computer, this shows the information in the local Group Policy object, not the cumulative effect of what has been applied to the computer or user. This feature is being investigated for the next release of the product. For Windows 2000, it shows the settings that a local administrator has set for that computer and all users of that computer. In the evaluation process, when the computer is joined to a domain, all the policy settings are subject to being overwritten by domain-based policy (any policy set in the site, domain, or OU).

    Starting the Group Policy Snap-in on Windows 2000 Professional


    Windows 2000 Professional does not provide a user interface for accessing the Group Policy snap-in directly. However, you can access the Group Policy snap-in in the following manner.

    To start the Group Policy snap-in on Windows 2000 Professional:

    1. Click Start, click Run, type MMC, and then press Enter.

    2. In the MMC window, on the Console menu, click Add/Remove Snap-in.

    3. On the Standalone tab, click Add.

    4. In the Add Snap-in dialog box, click Group Policy, and then click Add.

    5. The Select Group Policy Object dialog box appears. Click Local Computer to edit the Local Group Policy Object (LGPO), or Browse to find the GPO that you want to use.

    6. Click Finish.

    7. Click OK. The Group Policy snap-in opens with focus on the specified Group Policy object.

    To use the Group Policy snap-in on a remote computer, you must have administrative rights on both computers, and the remote computer must be part of the namespace.

    Using the Group Policy Snap-in Focused on a Remote Computer


    The focus of the Group Policy snap-in on a remote computer must be set either when the extension is added to an MMC console file or by using a command line option.

    To add Group Policy to an MMC console focused on a specific remote computer:

    1. Click Start, click Run, and type MMC. Or you can open an existing saved console (like Console1.mmc).

    2. In the MMC window, on the Console menu, click Add/Remove Snap-in.

    3. On the Standalone tab, click Add.

    4. In the Add Snap-in dialog box, click Group Policy, and then click Add.
      By default this is set to open on the local computer.

    5. Select Browse.
      You may now select a GPO from the Active Directory or, as in this case, select the Computer tab.

    6. Select Another Computer.

    7. Either type in the computer name, or click Browse to locate it.

    8. You may use the Look in drop-down list box to select the domains to which you have access.

    The supported computer name formats are:

    • NetBIOS names, for example, MachineName.

    • DNS-style, for example, MachineName.Streetmarket.com.

    Starting the Group Policy Snap-in from the Command Line


    The Group Policy snap-in (gpedit.msc) can be started with the following two command line switches:

    • /gpcomputer:"machinename"

    Where "machinename" can be either a NetBIOS or a DNS-style name. For example:

    gpedit.msc /gpcomputer:"machinename"

    or

    gpedit.msc /gpcomputer:"machinename.streetmarket.com"


    • /gpobject:"ADSI path"

    For example:

    "LDAP://CN={GUID of the GPO},CN=Policies,CN=System,DC=Streetmarket,DC=com"


    For these command line options to work with a saved console file, you must check the "Allow the focus of the Group Policy snap-ins to be changed when launching from the command line. This only applies if you save the console." checkbox. The shipping Gpedit.msc file is saved with this option on.

    Note: The Security Settings extension does not support remote management for local policy in Windows 2000.
