Group Policy Processing In Windows Server 2003 Part VI

If your network contains a single domain and a couple of DCs, and all computers are on the same network, you really don’t have to concern yourself with indicating the correct target DC when making changes to the group policy. However, if you have multiple domains, DCs, and users with the ability to change the group policy, getting the target right for group policy edits is important. In addition, you could have more than one DC receiving edits, causing edits at other DCs to be lost during replication.

You have two possibilities for specifying options for controlling DC group policy changes:

• Dynamically through the Group Policy Editor console
• Dynamically through policies defined in the Administrative Templates branch

To configure the options through the console, open the properties for the domain, click the Group Policy tab, and edit the Default Domain Policy object. Select the root of the object, then choose View | DC Options to display the Options For Domain Controller Selection dialog box.

Options you’ll find on this screen include the following:

• The One With The Operations Master Token For The PDC Emulator: This option causes Windows Server 2003 to use the same DC as the target for all group policy creation and editing, with all other DCs receiving updates through replication. This ensures that you don’t experience editing collisions caused by multiple concurrent policy changes on different DCs. With this option selected, the Group Policy console automatically focuses on the specified DC. Typically, the DC with the Operations Master token is the first DC created in the domain, although this can change.
• The One Used By Active Directory Snap-Ins: This option enables you to select a DC when using the Group Policy console snap-ins. As long as you select the right one, edits happen on the selected DC. Selecting the DC, however, is a conscious, manual process, inviting error. If you forget to change the focus and inadvertently make changes on the wrong DC, those edits could be lost during replication or cause other problems, so use this option with care.
• Use Any Available Domain Controller: This option allows changes to be made on any DC, making it the least desirable option. If you have only a few DCs and only one person making policy changes, then this option is acceptable.

If you prefer to establish these options through a policy (a better method as it then applies to all administrators), configure the policy settings at the domain level. Open the Default Domain Controller GPO and modify the policy User Configuration/Administrative Templates/System/Group Policy/Group Policy Domain Controller Selection as desired. The available options are the similar to those discussed above and include:

• Use the Primary Domain Controller
• Inherit from Active Directory Snap-ins
• Use any available domain controller

At this point, you should have a relatively good understanding of what group policy objects are and how they enable you to apply policies, at least in a general sense. You also should have enough information to start planning a group policy implementation.

Tags: group policies, group policy, windows server 2003