Welcome to IT Free Training video on Group Policy processing order. In any large organization
it is more than likely that you will have multiple Group Policies affecting both computers
and users in the domain. This video will help you understand which Group Policy settings
are applied when multiple Group Policies are used within your organization.
When multiple Group Policies are associated with the same computer, the following order
is followed. Firstly, local Group Policy that is configured for that computer is applied.
After this, any Group Policies that have been applied at the site level are applied.
The next Group Policy to be applied is at the Domain level, while the final Group Policies
to be applied will be Organizational Units. If there are multiple levels of Organizational
Units, the Group Policy is applied starting from the top of the tree, moving downwards.
Let us go through an example to understand how this works. In this example, the local
group policy has been configured to apply custom desktop wallpaper and remove the recycle
bin from the desktop. Since no other Group Policy has been configured in the domain,
these two Group Policy settings configured in the local Group Policy will be applied.
If a Group Policy is added at the site level to configure a proxy server, this will then
be added to the result. The two settings from Local Group Policy will still apply though,
as the settings added from the site level Group Policy do not overlap with the settings applied
from the Local Group Policy. It is rare for Group Policy to be applied
at the site level, though when it is applied it will often be used for site-specific items
like configuring proxy servers.
If a Domain Group Policy is added that sets the Wallpaper whilst also disabling the control
panel, what will then eventuate is the following. The wallpaper that was applied by the local
Group Policy will then be overwritten by the Group Policy settings that were applied at
the domain level. Disabling the control panel has also been added to the result. The proxy
server configured at the site level still remains, as does removing the recycle bin from
the local Group Policy.
In this network, some computers have been configured to test out new software and thus
require the control panel. In order to do this, another Group Policy is created and
applied to a testing OU. Since this Group Policy enables the control panel, notice in
the results the control panel has been enabled again.
You can start to see how powerful Group Policy is. At each stage settings are either added
to or replaced in the resulting Group Policy settings. This allows you to customize Group
Policy to meet the needs of your organization. I will change to my Windows 7 computer to
look at how to configure Group Policy. First of all I want to configure local Group
Policy. In order to do this, run Edit Group Policy from the start menu. In this case,
the setting that I want to configure is the Desktop Wallpaper. This Group Policy setting
can be found under Administrative Templates, Desktop and Desktop.
Under Desktop, select the settings Desktop Wallpaper. Once I enable this Group Policy
setting, I will configure it to use an image stored on a file server. For the Wallpaper
Style I will configure it to stretch to ensure the Wallpaper always fits the resolution the
user is using. Once configured, I will then exit out and
configure the option to hide the recycle bin. This setting can be found under Administrative
Templates, Desktop. The setting that I am after is Remove Recycle bin from desktop.
To configure this Group Policy setting all I will then need to do is enable it. Once
enabled, I will now close Group Policy Management, log off, then log back in again. Since I have
only changed User Settings, the Group Policy settings that I have changed will be applied
when I log back in, there is no need to reboot. Once logged back in, notice that the wallpaper
has changed to the one configured in Local Group Policy. Also notice that the Recycle Bin is
no longer visible. Even though you can configure settings using
local Group Policy, in most cases it is not recommended due to there being no centralized
control, thus making them difficult to manage. To configure Group Policy in the domain, I
will now run Group Policy Management from the start menu. In this case I will configure
Group Policy at the site level. Before I can assign Group Policy at the site level, I
first need to create a Group Policy Object. I can do this by right clicking Group Policy
Objects and then selecting New. I will call the Group Policy New York Proxy Server since
this Group Policy will be used to configure the proxy server at the New York site.
Some of you may be thinking, could I have created a Group Policy on the New York OU
rather than at the site level? When you organize your Active Directory objects like this, it
is possible to configure a proxy server at the OU level and achieve the same result.
You can see that even though it is possible to configure Group Policy at the site level,
many administrators will use different methods to get the same results rather than use site
level Group Policy. Once the Group Policy is configured, the next
step is to go down to sites, right click it, then select the option - Show Sites. Once
I select which sites I want to show, in this case the site New York, the next step is to
right click on New York, then select the option Link an Existing GPO. Now I will be able
to select the Group Policy Object that I created earlier. Unlike when assigning Group Policy
to Organizational Units, there is no way to create and link the Group Policy in one step.
Since sites are configured at the Forest Level, this feature is most likely not available
since when creating the Group Policy it could be created in any domain in the forest. By
not having the option, this forces the administrator to create the Group Policy object in the correct
domain, rather than Group Policy Management guessing which domain the Group Policy Object
was to be created in. Once configured, I can right click the link
to New York Proxy Server and edit the Group Policy Object. Most settings any administrator
will configure are found in Administrative Templates; in this case the proxy settings
are found under Windows Settings, Internet Explorer Maintenance and then Connection.
To configure the proxy setting, all I need to do is select the option on the right - Proxy
Settings. Once I enable the setting, I can then enter in the address of the proxy server.
Now that the proxy setting is configured, I will next configure the settings at the
domain level. I will first modify the Group Policy named Domain
Wide Group Policy. This is a Group Policy that I created in an earlier video. To configure
the desktop, I will once again go down to Administrative Templates, Desktop and then
down again to Desktop. The setting that I am after is Desktop Wallpaper.
If you have watched our previous videos on Group Policy, you may remember that I have
already configured this setting. Before I start this demonstration I will clear this
particular Group Policy setting, otherwise configuring the local Group Policy desktop
setting will have no effect. Once enabled, I will then configure this setting
to use special desktop wallpaper that I created with the writing on it indicating it came
from a Domain Group Policy. Like the local Group Policy setting, I will
also configure it to stretch so that the Wallpaper fills the screen if the user uses a different
resolution. I will now exit out of here and configure the Group Policy setting to disable
the Control Panel. This can be found under Administrative Templates and then Control
Panel. The setting that I need to configure is Prohibit Access to the Control Panel. This
setting only needs to be enabled. When enabling settings such as these, take
the time to read the description. Since the setting disables the control panel it needs to be
enabled. If this setting was configured as Disabled, this would enable the Control Panel.
Once configured, I will exit out of Group Policy Management, then log off and log back
in again. Once the user logs back in again, Group Policy will be reapplied for that user.
Notice that the Wallpaper has changed to the Wallpaper specified in the Domain Group Policy.
This Group Policy setting has replaced the Group Policy Setting that was configured in
the local Group Policy. Notice also the Recycle Bin is still hidden,
as this setting was configured in the local Group Policy setting. If I open the start
menu, notice that the Control Panel has been hidden so the user cannot access it.
In some cases you may have a user that needs different settings than the other users. In this
example, this user is testing some software and needs access to the control panel. To
achieve this I will create a special OU for this user.
To do this, open Active Directory Users and Computers from the start menu. Expanding downwards,
you can see that the User Trainer is under New York, Users, and then Marketing OU. For
this user I will create an Organizational Unit under Users by right clicking on Users,
selecting New and then Organizational Unit. I will now call the new Organizational Unit
Testing. Once created, the next step is to move the Trainer user account into the Testing
OU. Notice that when I move the user I get a warning telling me that moving objects around
the domain can affect the user, for example which Group Policy settings are applied to
them. Since this is what I want, I will press OK, and then exit out of Active Directory
Users and Computers. To create the Group Policy Object for the
Testing Organizational Unit, run Group Policy Management. I will expand down to the Testing
OU, right click and select the option Create a GPO in This Domain, and link it here.
For the name of the Group Policy, I will call it New York Testing. Once the Group Policy
is created, I can edit it. To enable the control panel for this user,
I will expand down through Administrative Templates, Control Panel. From the right hand
side I will select the option Prohibit Access to the Control Panel.
See how this setting is configured to Not Configured. This means that it will not have
an effect. In order to reverse the effect of disabling the control panel configured
in the Domain Group Policy, I need to select the option Disabled. This will effectively
enable the control panel. The wording may seem a little strange at first.
Once configured, I will then exit out of Group Policy Management and once again log out and
log back in again. A point to note here - if the computer account was moved in Active Directory
the computer will need to be restarted in order for Group Policy to be correctly applied.
Since it is only the user account being moved, I can log out and log back in and get the
correct Group Policy settings. Notice that the Wallpaper is still being applied
at the domain level and the Recycle Bin has been removed from the Desktop. If I go back
to the Start Menu, notice the Control Panel has reappeared in the Menu.
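
The walkthrough above, and the Not Configured versus Disabled point about Prohibit Access to the Control Panel, can be modelled as a last-writer-wins merge. This PowerShell sketch is an added example, not part of the video; the function name and the data layout are assumptions, and the values are constructed from the demonstration.

```powershell
# Added example; every value below is constructed from the walkthrough.
# A setting a layer does not list is "Not Configured" there, so it leaves
# whatever an earlier layer set untouched.
$layers = @(
    [pscustomobject]@{ Level = 'Local'; Gpo = 'Local Group Policy'; Settings = @{
        'Desktop Wallpaper'               = 'Enabled'
        'Remove Recycle Bin from desktop' = 'Enabled' } }
    [pscustomobject]@{ Level = 'Site'; Gpo = 'New York Proxy Server'; Settings = @{
        'Proxy Settings' = 'Enabled' } }
    [pscustomobject]@{ Level = 'Domain'; Gpo = 'Domain Wide Group Policy'; Settings = @{
        'Desktop Wallpaper'                    = 'Enabled'
        'Prohibit Access to the Control Panel' = 'Enabled' } }
    [pscustomobject]@{ Level = 'OU'; Gpo = 'New York Testing'; Settings = @{
        'Prohibit Access to the Control Panel' = 'Disabled' } }
)

# Hypothetical helper: merges layers in the order Local, Site, Domain, OU.
# Simplification: Enforced links and Block Inheritance are not modelled.
function Get-ResultantSetting {
    param([Parameter(Mandatory)] [object[]] $Layers)

    $result = [ordered]@{}
    foreach ($level in 'Local', 'Site', 'Domain', 'OU') {
        # Where-Object keeps input order, so a parent OU listed before its
        # child OU is processed first, matching top-of-tree-downwards.
        foreach ($layer in ($Layers | Where-Object { $_.Level -eq $level })) {
            foreach ($name in $layer.Settings.Keys) {
                # Last writer wins: a later layer replaces the earlier value.
                $result[$name] = [pscustomobject]@{
                    Setting = $name
                    State   = $layer.Settings[$name]
                    SetBy   = "$level ($($layer.Gpo))"
                }
            }
        }
    }
    $result.Values
}

# The Control Panel row ends as Disabled, set by the OU GPO, which is why
# the Control Panel reappears for the user in the Testing OU.
Get-ResultantSetting -Layers $layers | Format-Table -AutoSize
```

On a domain-joined computer, `gpresult /r` reports which Group Policy Objects were actually applied to the user and computer.
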
In this video I have looked at the order Group Policy is applied. This is Local, Site, Domain,
and then OUs. It is important to understand this order when troubleshooting Group Policy
in your domain. Some of you may have already worked out that
if you configure a Group Policy at the domain level this will affect all computers and users
in the domain. This includes Domain Controllers and Administrators. Disabling the control
panel for the Domain Administrator was probably not the result originally intended when configuring
the Group Policy at the Domain level. This is just one example of why you should be careful
when configuring Group Policy, as a wrong setting can affect all the users and computers
in your domain. In the next video, I will look at how to target
Group Policy a bit better to avoid problems such as unintentionally removing the control
panel from all your Domain Administrators. As always, thanks for watching another one
of our always free videos from IT Free Training. See you next time.