Group Policy |
Local Group Policy objects exist on stand-alone computers; however, a local Group Policy object consists of only the Group Policy template portion of a Group Policy object. The location of the local Group Policy object is
Table 22.6 indicates whether or not each Group Policy
Table 22.6 When Group Policy Snap-in Loads
Group Policy | Loads when Group Policy |
---|---|
Security Settings | Yes |
Administrative Templates | Yes |
Software Installation | No |
Scripts | Yes |
Internet Explorer Maintenance | Yes |
Remote Installation Services | No |
Folder Redirection | No |
Windows 2000 Professional does not provide a preconfigured MMC console for accessing non-local Group Policy directly, except for Security Settings, which can be accessed from Control Panel. However, you can create your own custom Group Policy console by taking the following steps:
To start the Group Policy
Note
To use the Group Policy
The Group Policy object seen at the root node of the Group Policy console is said to have "focus." The console can be focused on any computer's local Group Policy object, or any Active Directory–based Group Policy object.
Note
Focusing the Group Policy
To add Group Policy to an MMC console focused on a specific remote computer
The supported computer name formats are:
ThisComputer
ThisComputer.Reskit.com
You can start the Group Policy
/gpcomputer:<machinename>
Where <machinename> can be either a NetBIOS or a DNS-style name.
For example:
gpedit.msc /gpcomputer:"ThisComputer"
or
gpedit.msc /gpcomputer:"ThisComputer.Reskit.com"
Note that there is no space following /gpcomputer: and that the quotes are necessary, not optional.
/gpobject:"<ADSI path>"
For example:
/gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Reskit,DC=com"
in which the GUID for the Group Policy object is a made-up example.
For these command line options to function with a saved console file, you must select the check box titled "Allow the focus of the Group Policy
Note
The Security Settings extension does not support remote management for local policy in Windows 2000.
The local Group Policy object is processed even when the Block Policy Inheritance option has been specified on a domain or organizational unit.
Local Group Policy objects are always processed first, and then non-local (that is, Active Directory–based) policy is processed. If a computer is participating in a domain, and a conflict occurs between non-local and local computer policy, then by default, non-local policy prevails by overwriting local policy. If a computer withdraws from a domain, local Group Policy object policy settings are still applied and assume greater importance because they can no longer be overwritten.
If the Computer Account object and User Account object are both managed by Windows NT 4.0 domain controllers and are therefore not in Active Directory, then no local Group Policy object will be processed. For details about other interoperability situations that can arise during migration, see "Migration Issues Pertaining to Group Policy" later in this chapter.
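The processing order described in the last three paragraphs can be modeled to see which local settings are currently masked by domain policy and would take effect again if the computer left the domain. This is an added example, not code from the Resource Kit; the setting names, the GPO name, and the function names are hypothetical, and the list of non-local Group Policy objects is assumed to be already ordered and filtered on the Active Directory side.

```python
from typing import Dict, List, Tuple

Settings = Dict[str, str]               # setting name -> configured value
Resolved = Dict[str, Tuple[str, str]]   # setting name -> (value, source)

# Constructed sample data; setting and GPO names are hypothetical labels.
LOCAL_GPO: Settings = {"MinPasswordLength": "0", "HideRunMenu": "1"}
NONLOCAL_GPOS: List[Tuple[str, Settings]] = [
    ("DomainBaseline", {"MinPasswordLength": "8"}),
]


def effective_policy(local_gpo: Settings,
                     nonlocal_gpos: List[Tuple[str, Settings]],
                     in_ad_domain: bool,
                     accounts_on_nt4: bool = False) -> Resolved:
    """Resolve settings in the order the text describes."""
    # Computer and user accounts both managed by Windows NT 4.0 domain
    # controllers: no local Group Policy object is processed.
    if accounts_on_nt4:
        return {}
    # The local GPO is always processed first. Block Policy Inheritance
    # on a domain or organizational unit does not prevent this step.
    resolved: Resolved = {k: (v, "local") for k, v in local_gpo.items()}
    # Non-local (Active Directory-based) policy is processed afterwards
    # and, by default, overwrites local policy where the two conflict.
    if in_ad_domain:
        for gpo_name, settings in nonlocal_gpos:
            for name, value in settings.items():
                resolved[name] = (value, gpo_name)
    return resolved


def masked_local_settings(local_gpo: Settings,
                          nonlocal_gpos: List[Tuple[str, Settings]]) -> dict:
    """Local settings that domain policy currently overwrites with a
    different value, and so change if the computer leaves the domain."""
    joined = effective_policy(local_gpo, nonlocal_gpos, in_ad_domain=True)
    alone = effective_policy(local_gpo, nonlocal_gpos, in_ad_domain=False)
    return {name: {"in_domain": joined[name], "after_leaving": alone[name]}
            for name in alone if joined[name][0] != alone[name][0]}


if __name__ == "__main__":
    for name, change in masked_local_settings(LOCAL_GPO, NONLOCAL_GPOS).items():
        print(name, change)
```

Any setting reported by `masked_local_settings` is a local value worth reviewing before a computer is removed from a domain, because nothing overwrites it afterwards.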