HOW TO: Administer GPO Properties in Windows 2000 (322176)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q322176

IN THIS TASK

SUMMARY

This article describes how to access and administer Group Policy object (GPO) properties in a Windows 2000-based environment. To perform the procedures that are described in this article, you must be a member of the Administrators group on a computer that is running Windows 2000 Advanced Server.

back to the top

How to Start Group Policy Object Editor

You can start Group Policy Object Editor in several ways, depending on the action that you want to perform. The following sections describe how to start Group Policy Object Editor in a variety of scenarios.

To Edit a Group Policy Setting on the Local Computer

To start Group Policy Object Editor to edit the local GPO, click Start, click Run, type gpedit.msc, and then click OK.

back to the top

To Edit a Group Policy Setting on Another Computer

Open the local GPO that is stored on the Windows 2000-based network computer, and then locate the network computer. You must be an administrator of the network computer to complete this procedure.

back to the top

To Edit a Group Policy Setting on a Site

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, right-click the site for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.
  3. Click an existing GPO in the Group Policy object links list, click Edit, and then link a GPO to the intended site.
back to the top

To Edit a Group Policy Setting on a Domain

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click the domain or organizational unit for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.
  3. Click Edit to open the GPO that you want to edit, and then link a GPO to the intended domain.
back to the top

To Edit a Group Policy Setting on an Organizational Unit

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click the domain or organizational unit for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.
  3. Click Edit to open the GPO that you want to edit, and then link a GPO to the intended organizational unit.

    You can also link a GPO to an organizational unit that is higher in the Active Directory hierarchy so that the organizational unit can inherit Group Policy settings.
back to the top

How to Filter the Scope of Group Policy According to Security Group Membership

  1. Open the GPO whose scope you want to filter.
  2. Right-click the root node of the console to display the Group Policy icon that has the following label:

    GPO_name [domain_controller_name.domain_name] Policy

  3. Click Properties, click the Security tab, and then click the security group for which you want to filter this GPO.

    To change the list of security groups for which you want to filter this GPO, click either Add or Remove to add or remove security groups.
  4. Set the permissions as they are described in the following table, and then click OK.
    Your intentionSet these permissions The result
    You want to apply this GPO to members of this security group. Set Apply Group Policy to Allow. Set Read to Allow. This GPO applies to members of this security group unless they are members of at least one other security group that has Apply Group Policy set to Deny, Read set to Deny, or both.
    Members of this security group are exempt from this GPO. Set Apply Group Policy to Deny. Set Read to Deny. This GPO never applies to members of this security group regardless of the permissions those members have in other security groups.
    Membership in this security group does not determine if the GPO is applied.Do not set Apply Group Policy to either Allow or Deny. Do not set Read to either Allow or Deny. This GPO applies to members of this security group if they have both Apply Group Policy and Read set to Allow as members of at least one other security group. They also must not have Apply Group, Policy, or Read set to Deny as members of any other security group.


    NOTE: GPOs are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and the computers that they contain. Specifically, GPOs are not applied to security groups.

    The location of a security group in Active Directory does not affect filtering through that security group as it is described in this procedure.

    If a user or a computer is not contained in a site, a domain, or an organizational unit that is subject to a GPO either directly through a link, or indirectly through inheritance, you cannot set any combination of permissions on any security group to make those Group Policy settings affect that user or computer.

    Filtering at the GPO level, as it is described in this procedure, causes the GPO to be processed or not processed as a whole. The Software Installation extension and the Folder Redirection extension use security groups to refine control beyond the GPO level. Except for Folder Redirection and Software Installation, security groups are not used to filter individual settings or subsets of a GPO. For control over individual settings, edit or create a GPO instead.
back to the top

How to Find the Sites, Domains, and Organizational Units to Which a GPO Is Linked

  1. Start Group Policy Object Editor with the GPO that you want to find at the root node of the console.
  2. Right-click the root node of the console, and then click Properties.
  3. Click the Links tab, and then click Find Now.

    The sites, domains, and organizational units to which the GPO is linked are listed in the Sites, Domains or Organizational Units found box.NOTE: If the GPO is linked to more than one domain, you can limit your search for organizational units to one domain at a time by using the list in the Domain box.
back to the top

How to Turn Off the User Configuration Settings in a GPO

  1. Open the GPO that you want to edit.
  2. Right-click the console root, which appears as the following line:

    GPO_name [domain_name] Policy

  3. Click Properties, make sure that Disable User Configuration settings is selected, and then click OK.NOTE: The User Configuration settings in this GPO no longer affect any site, domain, or organizational unit to which this GPO is linked.
back to the top

How to Turn Off the Computer Configuration Settings in a GPO

  1. Open the GPO that you want to edit.
  2. Right-click the console root, which appears as the following line:

    GPO_name [domain_name] Policy

  3. Click Properties.
  4. Make sure Disable Computer Configuration settings is selected, and then click OK.NOTE: After you turn off the Computer Configuration settings in a GPO, they no longer affect any site, domain, or organizational unit to which this GPO is linked.
back to the top

REFERENCES

For more information about Group Policy, visit the following Microsoft Web site:

Group Policy Overview

back to the top
Modification Type:MajorLast Reviewed:10/30/2003
Keywords:kbhowto kbHOWTOmaster KB322176 kbAudITPro
©2003 Microsoft Corporation. All rights reserved.