This post is one of the most basic posts on Group Policies. Not all of us are at the same technical level, and as our technical knowledge grows we tend to forget the basics. So here we are with the basics of Group Policies.
What are Group Policies?
1. Policies are a set of settings
2. Group Policies do not apply to groups :)
3. Group Policies are applied to users and computers
4. Group Policies are applied at the following levels: Local, Site, Domain and Organizational Unit
Group Policies are applied in this order:
First the local policies are applied, then the site-level policies, then the domain-wide policies, and finally the policies defined on the Organizational Units take effect.
So, in a nutshell, it won't be wrong to say that Group Policy settings are cumulative.
In this post, we will see how the settings are applied and which settings take precedence.
In this lab, we have a Windows 2008 Terminal Server on which we will do all the testing.
Local Group Policies Settings
We would like to hide "Help and Support" on the Terminal Server. We will achieve this by using a Local Group Policy.
Let's use "gpedit.msc" to open the local group policy and browse to "User configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Help Menu from Start Menu"
We now enable the policy "Remove Help Menu from Start Menu". Once done, the "Help and Support" option should be removed from the Start Menu.
We no longer have "Help and Support" in the Start Menu.
Confirmed by running RSOP.MSC on this machine.
Site Level Group Policies Settings
Now I have created an OU named "TMG" and moved my "TMG1" server into that OU
GPMC....
Applying a Group Policy on the Site Level
Let's create a new Group Policy
We will name it "Site Level Group Policy to Hide Run"
The Group Policy is now created.
We need to link the Group Policy to the Site.
We will be removing the Run Menu from the Start Menu
Right Click on that Group Policy -> Edit
Browse to the following location in the Group Policy Object:
"User configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Run Menu from Start Menu"
Let's enable the "Remove Run Menu from Start Menu" Group Policy setting
Run has been removed.
RSOP.MSC showing that both policy settings are being applied
Domain Level Group Policies Settings
Creating a New Group Policy to be Applied on the Domain Level
Linking the Group Policy on the Domain
This time, we will remove the network Icon from the Start Menu using a Group Policy
Right Click on that Group Policy -> Edit
Browse to the following location in the Group Policy Object:
"User configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Network Icon from Start Menu"
Enable the "Remove Network Icon from Start Menu" Group Policy Setting
And the Network Icon is gone....
Confirming using RSOP.MSC
OU Level Group Policies Settings
Creating a Group Policy for the OU "TMG"
Linking the Group Policy
Now let's remove the Documents icon from the Start Menu
Browse to the following location in the Group Policy Object:
"User configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Network Icon from Start Menu"
Enabled !!!
But what's this? Even though we ran "gpupdate /force" and the setting is enabled, the Documents icon is still available on the Start Menu.
Any guesses?
OK, let's check things one by one.
Let's start with "Active Directory Users and Computers". The OU on which the Group Policy is enabled has the machine in it.
And the Group Policy is linked to this OU as well
The location of the Group Policy setting is:
"User configuration -> Administrative Templates -> Start Menu and Taskbar -> Remove Network Icon from Start Menu"
"User Configuration"? So you mean the settings are user specific?
If the settings are user specific, then they will apply to the user and not to the machine. But do you remember what the OU where we are trying to apply the policy contains?
Yes my dear friends, the OU contains the machine, and we have applied a user settings Group Policy on that OU. Do we still expect it to work?
Moving a user into the OU where the user settings Group Policy is applied...
Cool... The "Documents" icon is gone.
But one question remains unanswered. The other policies that we applied were also user specific, and those took effect without moving the user into the OU. Then why did we have to move the user in the last scenario, where we applied the policy at the OU level?
The answer lies in the fact that all the other policies were applied at levels above the OU (Site and Domain), and the user was covered by the blanket of the Site/Domain. In other words, the policy on the Site/Domain applied to the user automatically, given that the policy was applied at the highest level covering the user. In the case of the OU, the user was not in the OU on which we applied the policy, and thus the policy did not take effect.
RSOP.MSC showing all the Policies getting Applied
And the Results !!!
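The check this walk-through performs by hand, as an added PowerShell example (not part of the original post): it lists the GPOs linked directly to an OU and flags those whose User or Computer settings have no matching objects in that OU. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the OU distinguished name and the example.local domain are placeholders.

```powershell
# Added example: flag GPOs linked to an OU whose User or Computer half
# cannot apply because the OU subtree holds no objects of that type.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumption: placeholder DN, replace with the OU under test.
$OuDn = 'OU=TMG,DC=example,DC=local'

# Count the objects in the OU subtree that each half of a GPO can target.
$userCount     = @(Get-ADUser     -Filter * -SearchBase $OuDn -SearchScope Subtree).Count
$computerCount = @(Get-ADComputer -Filter * -SearchBase $OuDn -SearchScope Subtree).Count

# GpoLinks holds only the GPOs linked directly to this OU, not inherited ones.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks

foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId

    # A DSVersion above 0 means that half of the GPO has been edited at least once.
    $hasUserSettings     = ($gpo.User.DSVersion -gt 0) -and $gpo.User.Enabled
    $hasComputerSettings = ($gpo.Computer.DSVersion -gt 0) -and $gpo.Computer.Enabled

    $finding = @()
    if ($hasUserSettings -and $userCount -eq 0) {
        $finding += 'User settings present, but no user objects in OU'
    }
    if ($hasComputerSettings -and $computerCount -eq 0) {
        $finding += 'Computer settings present, but no computer objects in OU'
    }
    if (-not $link.Enabled) {
        $finding += 'Link is disabled'
    }

    [pscustomobject]@{
        Gpo           = $gpo.DisplayName
        LinkOrder     = $link.Order
        Enforced      = $link.Enforced
        UsersInOu     = $userCount
        ComputersInOu = $computerCount
        Finding       = if ($finding) { $finding -join '; ' } else { 'OK' }
    }
}
```

The check ignores security filtering, WMI filters and loopback processing, so confirm any finding with RSOP.MSC or `gpresult /r` on the affected machine.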