MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)

2017-07-07 02:10:07

There are two types of GPOs, Local and Domain. Local GPOs are applied to the computer first. However, as we said earlier, the last GPO applied always wins. The exception is if the settings that you configured on the local GPO are not present in any of the other GPOs applied, the local GPO settings are left in place.

Local GPOs are typically used on standalone machines such as those in workgroups. Local computer policies are stored in the %SystemRoot%\System32\GroupPolicy directory because they apply only to the computer on which they're stored and they need not be replicated. Local policies are also more limited in scope and ability compared to domain GPOs.

The Group Policy Object Editor snap-in is used to work with local GPOs. You have the option of adding the snap-in to an existing console or creating a new one. To create a new Group Policy Object Editor console, follow the procedure in Step by Step 9.1.

Note: Local Policy

Perform the following exercises on your member server.

Step by Step

9.1 Creating a Group Policy Object Editor MMC

1.	Click Start, Run, and then type in MMC. Click OK.
2.	Click Console; then from the pop-up menu, select Add/Remove Snap-In. Click Add.
3.	The Add Standalone Snap-In window appears. Scroll down and select the Group Policy Object Editor snap-in, and then click Add.
4.	This starts the Group Policy Wizard, as shown in Figure 9.3. Accept the default for Local Computer, and then click the Finish button. Figure 9.3. Select the Local Computer option.
5.	If this is the only snap-in that you will be adding, click Close.
6.	Click OK to finish.
7.	From the Console window select Console, and then click Save As. The Save As window appears.
8.	Type in `Group Policy Object Editor` for the filename, and then click Save.

Note: Don't Accept the Default!

When you accept the default save location for an MMC, it gets saved in your user profile. To add it to the Administrative Tools folder for all users, back up a couple of levels and save it to the All Users profile.

Now that we have a console to use to work with the Local Group policies, let's implement and test one. In Windows Server 2003, you can't delete the Guest account, but you can rename it. Let's rename the Guest account to something that can't be guessed by a hacker.

To rename the Guest account using a Local Policy, follow the procedure in Step by Step 9.2.

Step by Step

9.2 Creating a Local Policy

1.	Select Start, All Programs, Administrative Tools, Group Policy Object Editor.
2.	From the Group Policy Object Editor console, click Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3.	The Security Options folder opens, and displays the definable security options, as shown in Figure 9.4. Figure 9.4. The Group Policy Object Editor MMC, showing the available security options.
4.	Double-click the Rename Guest Account entry. The Properties dialog box appears.
5.	Type in an appropriate name for the Guest account, and then click OK.
6.	Close the Group Policy Object Editor MMC.
7.	Select Start, All Programs, Administrative Tools, Computer Management.
8.	In the Computer Management console, click System Tools, Local Users and Groups, Users.

9.	The renamed account will be displayed in the right pane, as shown in Figure 9.5. Figure 9.5. Using Local Policy to rename the Guest account.

Step by Step

Figure 9.3. Select the Local Computer option.

Step by Step

Figure 9.4. The Group Policy Object Editor MMC, showing the available security options.

Figure 9.5. Using Local Policy to rename the Guest account.

Категории