Working with Local Group Policy Settings
You can work with local Group Policy settings either by using a command prompt or by executing gpedit.msc. The latter opens the Group Policy Object Editor, where you can view and edit the values for any Group Policy settings except those configured at domain or forest level (see Figure 1). Settings configured by administrators at higher levels cause the local setting to be disabled.
Notice in Figure 1 that Vista places .adm templates in the section named "Classic Administrative Templates."
Figure 1. The Group Policy Editor: The figure shows the contents of the Network\DNS Client administrative template and the DNS Servers setting within this template.
Figure 2. Editing Settings: The figure shows the dialog that lets you edit a setting in the Group Policy Editor.
To edit a setting, double-click on it (or right-click and select Properties) to display the settings dialog. You can specify whether each setting is enabled, disabled, or not configured. When you enable a setting, you can enter the appropriate values in the controls displayed in the central section of this dialog. An Explain tab displays information about the setting (see Figure 2).
Working with Domain Group Policy Settings
Group Policy is generally most effective when administrators need to manage multiple machines, such as all the servers in a Web farm or all the machines running a specific application. To create a GPO that applies at domain or forest level, and edit the settings, you must install and configure an administrative template using the domain-level Group Policy Management Console (GPMC).
Author's Note: You can run the GPMC on any Windows XP, Windows 2003 Server, or Windows Vista system within the domain, provided that your account has Domain Administrator privileges. You can download the GPMC from Microsoft.
Installing the GPMC adds the Group Policy Editor link to the Administrative Tools section of your Start menu. The editor (see Figure 3) provides a view of all the GPOs and settings available for the forest and domains. The left-hand tree contains the forests, domains, sites, and GPOs, while the right-hand pane contains four tabbed pages that let you view the scope for a selected GPO, details of the GPO, the settings within that GPO, and the delegation for other users.
For example, Figure 3 shows the Scope page for the sample GPO used in this article. You can see in the Location list that it is set to Enforced for this domain. The Link Enabled setting places a link in the left-hand tree view directly under the domain item to make it easier to navigate to this GPO. You can see this link in Figure 3. Right-click on an item in the Location list to change the Enforced and Link Enabled
Figure 3. Group Policy Management Console—Scope Tab: Here, the console is showing the Scope page for the GPO example used in this article.
Figure 4. Group Policy Management Console—Settings Tab: Here's the Settings page showing the settings for the GPO example, for both computers and users.
Figure 4 shows the Settings page for the GPO example. Here, you can view the settings for all the items in this GPO. Notice that the list contains two sections (the items in blue text) named Computer Configuration and User Configuration. The GPO example contains Group Policy settings for the computers in the domain and for the current user on each computer so that you can see the different effects of these two types of settings.
To edit the settings for a GPO, right-click the entry in the left-hand tree (either the entry under the Group Policy Objects item or the link directly under the domain item) and select Edit. This opens the same Group Policy Object Editor window as you saw used for Local Policy settings in the previous section of this article, but here it applies at the forest and domain levels instead of the local machine level.
Navigate to the GPO you want to edit (in the Administrative Templates section). You can enable or disable each setting, edit the setting values, and view the explanation for each setting (see Figure 5).
Figure 5. Editing Settings: Here are the settings for the custom domain-wide GPO shown in the Editor window.
Figure 6. Replicated Values: This view of the Windows Registry shows the machine values in the HKLM hive applied through domain-wide Group Policy. Note that this does not show the user-specific values in the HKCU hive.
Group Policy replicates the settings you specify throughout the domain to each computer, storing them in the Windows Registry. Figure 6 shows the Computer settings for the GPO example viewed on one of the machines within the domain. Note that it takes a few minutes for the settings to replicate, so you may not see them immediately after editing the GPO.
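You can also check the replicated values from PowerShell on a domain member, covering both the machine values and the user-specific values that Figure 6 leaves out. The script below is an added example, not code from the original article; it assumes the template writes under the standard Software\Policies keys in HKLM and HKCU, and the function name Get-PolicyValue is hypothetical.

```powershell
# Added example: list the registry values that Group Policy has written
# on this machine, for both the computer (HKLM) and current user (HKCU).
# Assumption: the settings live under the standard Policies keys below.
# A custom template may write elsewhere; adjust $roots to match its .adm file.
$roots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Policies'
)

function Get-PolicyValue {
    param([string[]]$Path)

    foreach ($root in $Path) {
        # A hive with no policy applied may not have the key at all.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Include the root key itself plus every subkey beneath it.
        # Subkeys the account cannot read are skipped rather than aborting.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name              # full registry path, hive included
                    Value = $name                  # value name ('' is the key default)
                    Kind  = $key.GetValueKind($name)
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# If a value you just set in the GPO is missing, the client may not have
# refreshed policy yet; wait for replication and run the script again.
Get-PolicyValue -Path $roots |
    Sort-Object Key, Value |
    Format-Table Key, Value, Kind, Data -AutoSize
```

Run it as the user whose settings you want to inspect, because the HKCU results are those of the account running the script.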