There are many moving parts with regard to Group Policy, which can make it difficult to know which areas of Group Policy you should focus on. In this blog, we’ll focus on linked and unlinked Group Policy Objects (GPOs).
GPOs can be linked to the domain node, organizational units (OUs), and sites. As soon as a GPO is linked to one of these AD locations, the settings in the GPO immediately affect the objects (users and/or computers) under the scope of that GPO.
I often get questions around unlinked GPOs (GPOs that are not linked to the domain node, OU, or site). If the GPO isn’t linked, why worry about it? The reason is that GPOs are created and configured, but not used. Often, it is unknown which settings are configured, so the GPO could have some configured settings that could cause issues if it were linked to an AD location.
There are a few things you can do to protect against these unlinked GPOs suddenly being linked and causing issues:
- Delete the GPOs that are not linked.
- Disable both the user and computer portions of the GPO, so that if it is linked, it does not affect any objects.
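Both steps can also be scripted. The following is an added PowerShell example, not part of the original post or of ADManager Plus: it uses the `Get-GPO` and `Get-GPOReport` cmdlets from the RSAT GroupPolicy module to list GPOs whose XML report contains no `LinksTo` element, and can optionally disable both portions of each one. The function name `Get-UnlinkedGpo` and its parameters are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: report GPOs with no links and optionally disable their settings.
# Function name and parameters are hypothetical; the cmdlets come from the GroupPolicy (RSAT) module.
function Get-UnlinkedGpo {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # When set, both the user and computer portions of each unlinked GPO are disabled.
        [switch]$DisableSettings
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries one <LinksTo> element per location the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        if ($report.GPO.LinksTo) { continue }   # linked somewhere: skip

        # <ExtensionData> appears under <Computer>/<User> when that side has configured settings.
        $hasComputer = [bool]$report.GPO.Computer.ExtensionData
        $hasUser     = [bool]$report.GPO.User.ExtensionData

        if ($DisableSettings -and $gpo.GpoStatus -ne 'AllSettingsDisabled' -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Disable user and computer settings')) {
            # Linking the GPO later will then apply nothing until it is re-enabled.
            $gpo.GpoStatus = 'AllSettingsDisabled'
        }

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            Id               = $gpo.Id
            GpoStatus        = $gpo.GpoStatus
            ComputerSettings = $hasComputer
            UserSettings     = $hasUser
            Modified         = $gpo.ModificationTime
        }
    }
}

# Report only:
Get-UnlinkedGpo | Sort-Object Modified | Format-Table -AutoSize
# Preview the change without applying it:
# Get-UnlinkedGpo -DisableSettings -WhatIf
```

Review the output, and confirm a GPO has no links from sites or other domains, before disabling or deleting it.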
These tasks can be done using the Group Policy Management Console (GPMC), but trying to discover the unlinked GPOs can be time-consuming, because the GPMC does not do a good job of reporting across all GPOs for linked or unlinked GPOs. Therefore, you might want to consider using a tool designed to manage and report on your GPOs. ADManager Plus is designed not just for GPO management, but also for reporting. Figure 1 below illustrates how you can get a list of all GPOs that are not linked in ADManager Plus.
Figure 1. Report of unlinked GPOs using ADManager Plus
All of the tasks that you can perform to manage the GPOs can also be performed using ADManager Plus, such as disabling the user and/or computer portions of the GPO or deleting the GPO (see Figure 2).
Figure 2. Disabling GPO user and/or computer portions in ADManager Plus
As you can see, you can streamline GPO management and reporting by using a tool designed to perform these tasks. Now that you know what tools you need to make it easy to generate and read reports of unlinked GPOs, you can take action to secure these GPOs.
If you want to see ADManager Plus in action in your environment, you can download it here.