Managing Group Policy from Administrative or Remote Workstations

It is very common for Windows system administrators to manage group policies from their own administrative workstations. To manage a Windows Server 2008 R2 environment properly, domain group policy administration should be performed from a Windows Server 2008 R2 or Windows 7 system with the Group Policy Management tools and the Print Services tools installed. The main reason for this is that by using the latest available version of the tools, the administrator ensures that every feature is available and that the most stable version of the tools is being used.

Group Policy management, aside from creating and managing policies, provides administrators with the ability to simulate policy processing for users and computers in specific containers in Active Directory using the Group Policy Modeling node in the GPMC. Furthermore, the previous application of Group Policy for users and computers can be collected and reviewed in the Group Policy Management Console using the Group Policy Results node in the GPMC. For an administrator, even a member of the Domain Admins group, to perform remote Group Policy Modeling using the GPMC from a machine other than a domain controller, the following requirements must be met:

  • The administrator must be a member of the domain Distributed COM Users security group.
  • The administrator must be delegated the Generate Resultant Set of Policy (Planning) right in Active Directory. This right must be applied to the domain, OU, container, or site that contains all of the computers and users the administrator will run simulated GPO processing against.
  • The administrator must have the right to read all the necessary group policies, and this should be allowed by default.

To perform remote Group Policy Results tasks using the GPMC from a machine other than a domain controller, the following requirements must be met:

  • The administrator must be a member of the remote computer's local Distributed COM Users security group.
  • On legacy desktop platforms, the administrator must also be a member of the remote computer's local Administrators security group, and the remote system must be reachable on the network.
  • The Windows Firewall must be configured to allow the inbound Remote Administration exception and the remote workstation must be on a network that is defined within this exception.
  • The administrator must be delegated the Generate Resultant Set of Policy (Logging) right in Active Directory. This right must be applied to the domain, OU, container, or site that contains all of the computers and users for which the administrator will collect Group Policy Results.
  • The administrator must have the right to read all the necessary group policies, and this should be allowed by default.
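As an added example (not from the original text), the following PowerShell audits the Group Policy Results prerequisites above for one account against one workstation before the GPMC is pointed at it. The account, computer and OU names are placeholders, and the RSAT ActiveDirectory module is assumed to be installed on the administrative workstation.

```powershell
# Added example: audit remote Group Policy Results prerequisites for one account.
# Assumes RSAT ActiveDirectory module; account, computer and OU below are placeholders.
Import-Module ActiveDirectory

$Admin   = 'CONTOSO\gpadmin'                       # placeholder administrator account
$Target  = 'WKS01'                                 # placeholder remote computer
$ScopeDN = 'OU=Workstations,DC=contoso,DC=com'     # placeholder container holding the target

# 1. Membership in a local group on the remote computer (ADSI WinNT provider, works on
#    Windows 7 / 2008 R2). Checks direct members only; nested group membership is not expanded.
function Test-RemoteLocalGroupMember {
    param([string]$Computer, [string]$Group, [string]$Account)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $paths = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    # ADsPath is WinNT://CONTOSO/gpadmin; normalise to DOMAIN\name for comparison
    $names = $paths | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
    return ($names -contains $Account)
}

# 2. The extended right (Planning or Logging) granted directly to the account on the scope
#    container. The right's GUID is resolved from its display name in the schema, so no
#    GUID is hard-coded. Grants made via group membership are not resolved here.
function Test-RsopRight {
    param([string]$DistinguishedName, [string]$Account, [string]$RightDisplayName)
    $cfg     = (Get-ADRootDSE).ConfigurationNamingContext
    $escaped = $RightDisplayName -replace '\(', '\28' -replace '\)', '\29'   # LDAP filter escaping
    $right   = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                   -LDAPFilter "(displayName=$escaped)" -Properties rightsGuid
    $guid    = [Guid]$right.rightsGuid
    $acl     = Get-Acl -Path "AD:\$DistinguishedName"
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.ObjectType -eq $guid
    }
    return [bool]$hit
}

# 3. The Remote Administration firewall exception cannot be read through these APIs; verify it
#    on the target itself with:  netsh advfirewall firewall show rule name="Remote Administration (RPC)"

$checks = @{
    'DCOM Users on target'     = Test-RemoteLocalGroupMember -Computer $Target -Group 'Distributed COM Users' -Account $Admin
    'Administrators on target' = Test-RemoteLocalGroupMember -Computer $Target -Group 'Administrators' -Account $Admin
    'RSoP (Logging) on scope'  = Test-RsopRight -DistinguishedName $ScopeDN -Account $Admin -RightDisplayName 'Generate Resultant Set of Policy (Logging)'
}
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-28} {1}' -f $_.Name, $_.Value }
```

A `False` in the output points to the specific requirement in the list above that still has to be granted; swap the right's display name for Generate Resultant Set of Policy (Planning) to audit the Group Policy Modeling requirements instead.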