Assume that you’ve just spent several days creating a GPO to link to a particular OU and have tested and verified that the policies it contains are correct. Also assume that you have two other OUs that need to use the same policies. You don’t really want to re-create those policies twice more, do you? Fortunately, you don’t have to. You can link a given GPO to multiple objects, so once you’ve created the GPO, you can easily use it in other objects simply by linking the GPO to the object.
In this example, assume you have an OU named Help Desk and want to apply the GPO previously created for the Support OU to the Help Desk OU. You link the GPO to the Help Desk OU from the OU. To do so, open the Active Directory Users And Computers console, right-click the Help Desk OU, and choose Properties. Click the Group Policy tab, then click Add. In the Add A Group Policy Object Link dialog box select the GPO you want to link to the OU and click OK. In this case, click the All tab, select the Test Support GPO, and click OK. Then, click OK to close the Help Desk Properties sheet.
Deleting links and GPOs
There will no doubt come a time when you need to either delete a link to a GPO or delete the GPO itself, and it’s important to understand that the two actions are quite different. I’ll use a desktop shortcut as an analogy. Say that you create a shortcut on your desktop to an application. When you delete the shortcut, the application is unaffected. Go to the application’s folder and delete its executable, and the program is gone. Its remnants, however, are still floating around the registry because you didn’t remove it properly.
The same is true for GPOs and links. When you delete a link, the associated GPO is unaffected. Delete the GPO itself, however, and it’s gone.
As with other GP processes, you can delete links and GPOs through the properties for the object to which the GPO is linked. For example, assume you now need to remove the link between the Test Support GPO and the Help Desk OU because you need to apply a different set of policies. In that case, open the Active Directory Users And Computers console, right-click the Help Desk OU, and choose Properties. On the Group Policy tab, select the GPO link from the list and click Delete. Windows displays a dialog box that gives you two options:
- Remove the link from the list
- Remove the link and delete the Group Policy Object permanently
Select the desired action and click OK.
Exercise some care when you delete GPOs. Windows provides no warning if a GPO you’re deleting is linked to other objects. Delete the Test Support GPO from the Help Desk OU, for example, and it’s gone from the Support OU as well.
Configuring local group policy
You’ve read previously that Windows Server 2003 applies the local group policy first and then applies GPOs at the site, domain, and OU levels. So in addition to modifying GPOs for the upper levels, you might also want to modify the local GPO. Each computer has only one local GPO.
As with other GPOs, you get to the local GPO through the group policy snap-in. Open the MMC and add the group policy snap-in, and when prompted for the location of the GPO, retain the default Local Computer focus and click Finish.
You also can open the local GPO of other computers across the network. Rather than accept the Local Computer default, click Browse, then click the Computers tab. Select the Another Computer option, then type the computer name in the field provided or click Browse to locate it.