HOW TO: Administer GPOs in Windows 2000 (322143)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q322143

SUMMARY

This article describes how to administer Group Policy objects (GPOs) in a Windows 2000-based environment. You must be a member of the Administrators group on a computer that is running Windows 2000 Advanced Server to perform the tasks that are described in this article.

Policy settings are stored in GPOs. You may find it helpful to think of the Group Policy snap-in as a program that creates GPOs, in the same way that a word processor creates .doc or .txt files. There are two kinds of GPOs:
  • Nonlocal GPOs: These GPOs are stored on a domain controller and are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the GPO is associated.
  • Local GPOs: These GPOs are stored on each computer that is running Windows 2000. Only one local GPO exists on a computer, and it has a subset of the settings available in a nonlocal GPO. Local GPO settings can be overwritten by nonlocal settings if the GPOs conflict with each other; otherwise, both GPOs apply.

How to Open Group Policy as a Standalone Snap-in

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in.
  3. On the Standalone tab, click Add.
  4. Click Group Policy, and then click Add.
  5. Either click Local Computer to edit the local GPO or locate the GPO that you want to edit.
  6. Click Finish, and then click OK.

How to Edit a GPO

  1. Start the Group Policy snap-in.
  2. Expand the GPO that you want to edit.
  3. In the details pane, double-click the item that you want to change, and then change the appropriate settings.

    NOTE: You must have Read and Write permissions on a GPO to open it.
If you change a GPO, the changes are applied immediately. Therefore, you may want to disable the GPO while you are editing it. For information about how to disable a GPO, see the "How to Disable a GPO for a Site, a Domain, or an Organizational Unit" section in this article.


How to Edit the Local GPO

Each computer that is running Windows 2000 has exactly one local GPO. You can use the local GPO to store Group Policy settings on individual computers regardless of whether they are part of an Active Directory environment or part of a networked environment.

Because GPOs that are associated with sites, domains, and organizational units can overwrite the local GPO settings, the local GPO is the least influential GPO in an Active Directory environment. In a non-networked environment (or in a networked environment that does not have a Windows 2000-based domain controller), the local GPO settings are more important because other GPOs do not overwrite the local GPO settings.

To open Group Policy to edit the local GPO:
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. In the left pane, expand the GPO that you want to edit.
  3. Double-click the item in the right pane, and then change the appropriate settings.

How to Create a New GPO

  1. To create a GPO that is linked to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    Alternatively, to create a GPO that is linked to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console, right-click either the site, the domain, or the organizational unit to which you want to link the GPO that you create. (The GPO is stored in the current domain.)
  3. Click Properties, and then click the Group Policy tab.
  4. Click New, type a name for the GPO, and then click Close.
NOTE: By default, the GPO that you create is linked to the site, the domain, or the organizational unit that was selected in the snap-in when the GPO was created. Therefore, the GPO's settings apply to that site, domain, or organizational unit. You might want to remove the link to the GPO from the site, the domain, or the organizational unit so that its settings are not applied.


How to Delete a GPO

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the domain or any organizational unit in the domain.
  3. Click Properties, and then click the Group Policy tab.
  4. To find all of the GPOs that are stored in the domain, click Add, and then click the All tab.
  5. Right-click the GPO that you want to delete, and then click Delete.
  6. When you are prompted to confirm that you want to delete this GPO, click Yes, and then click OK.
NOTE: When you delete a GPO, any sites, domains, or organizational units to which the GPO is linked are no longer affected by the GPO. You may want to disable the GPO instead of deleting it.


How to Link a GPO to a Site, a Domain, or an Organizational Unit

  1. To link a GPO to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    Alternatively, to link a GPO to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Right-click the site, the domain, or the organizational unit to which the GPO should be linked.
  3. Click Properties, and then click the Group Policy tab.
  4. To add the GPO to the Group Policy object Links list, click Add.
  5. Click the All tab, click the GPO that you want to add, click OK, and then click OK.
NOTE: You link a GPO to specify that its settings apply to users and computers in the site, the domain, or the organizational unit, and to users and computers in Active Directory containers that inherit data from the site, the domain, or the organizational unit.


How to Block Policy Inheritance

  1. To block policy inheritance in a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

    Alternatively, to block policy inheritance in a domain or organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the site, the domain, or the organizational unit in which you want to block Group Policy inheritance, and then click Properties.
  3. Click the Group Policy tab, make sure the Block Policy inheritance check box is selected, and then click OK.
NOTE: The Block Policy inheritance setting blocks GPOs that are higher in the Active Directory hierarchy of sites, domains, and organizational units. This setting does not block GPOs if they have the No Override setting selected.

The Block Policy inheritance setting is set only on sites, domains, and organizational units, and not on individual GPOs.


How to Disable a GPO for a Site, a Domain, or an Organizational Unit

  1. To disable a GPO for a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    Alternatively, to disable a GPO for a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Right-click the site, the domain, or the organizational unit from which you want to remove the link to the GPO.

    After you remove the link, the GPO is disabled for that site, domain, or organizational unit.
  3. Click Properties, and then click the Group Policy tab.
  4. Select the GPO that you want to disable, and then click Delete.
  5. Make sure Remove the link from the list is selected, and then click OK.
IMPORTANT: If you click Remove the link from the list to delete the GPO permanently, all of the sites, the domains, and the organizational units to which the GPO is linked no longer have those Group Policy settings applied to them.


How to Prevent a GPO from Being Overridden

  1. For a GPO linked to a domain or an organizational unit, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

    Alternatively, for a GPO linked to a site, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the site, the domain, or the organizational unit to which the GPO is linked.
  3. Click Properties, and then click the Group Policy tab.
  4. Right-click the GPO link you want to prevent from being overridden, click No Override on the Context menu, and then click OK.

    The No Override state is changed to Active, and a check mark appears in the No Override column.
NOTE: If you set No Override on a GPO link, none of the Group Policy settings in that GPO can be overridden for users or computers in the site, the domain, or the organizational unit, or for users and computers in Active Directory containers that inherit Group Policy from it. Group Policy settings that have the No Override setting cannot be blocked.
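
The following Python model is an added example, not part of the original article or any Microsoft tool. It shows how the local GPO, linked GPOs, Block Policy inheritance, and No Override combine for one user or computer, and which GPOs a blocked container no longer receives. It assumes the standard processing order (local, then site, then domain, then organizational unit); the container and GPO names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False      # "No Override" is set on this GPO link

@dataclass
class Container:                   # a site, a domain, or an organizational unit
    name: str
    links: list = field(default_factory=list)   # lowest precedence first
    block_inheritance: bool = False

def resolve(chain, local_gpo="Local GPO"):
    """Return (applied, blocked) for an object at the end of `chain`.

    `chain` lists containers from the top (site) down to the one that holds
    the user or computer. `applied` is in application order: a GPO later in
    the list wins a conflict with an earlier one.
    """
    # Block Policy inheritance hides links made above the container that sets it.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, forced, blocked = [], [], []
    for depth, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                forced.append((depth, link.gpo))   # cannot be blocked
            elif depth < barrier:
                blocked.append(link.gpo)
            else:
                normal.append(link.gpo)
    # No Override links are applied last so nothing overrides them; among
    # several, the link highest in the hierarchy is applied last of all.
    forced.sort(key=lambda item: -item[0])
    applied = [local_gpo] + normal + [gpo for _, gpo in forced]
    return applied, blocked

# Constructed sample hierarchy (hypothetical names).
SITE = Container("Site: HQ", [Link("Site Baseline", no_override=True)])
DOMAIN = Container("Domain: example.test",
                   [Link("Domain Password Policy"), Link("Domain Audit")])
OU_BLOCKED = Container("OU: Servers", [Link("Servers Lockdown")],
                       block_inheritance=True)
OU_OPEN = Container("OU: Servers", [Link("Servers Lockdown")])

if __name__ == "__main__":
    applied, blocked = resolve([SITE, DOMAIN, OU_BLOCKED])
    print("Applied (last wins):", applied)
    print("Blocked by inheritance setting:", blocked)
```

A non-empty `blocked` list is worth reviewing, because it names the higher-level GPOs that no longer reach that container unless their links have No Override set.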


Modification Type: Major
Last Reviewed: 10/21/2003
Keywords:kbhowto kbHOWTOmaster KB322143 kbAudITPro