There are many moving parts with regard to Group Policy. With so many concepts, it can be difficult to know which areas of Group Policy you should focus on. Here we are going to focus on linked and unlinked Group Policy Objects (GPOs).
GPOs can be linked to the domain node, organizational units (OUs), and sites. As soon as a GPO is linked to one of these Active Directory (AD) locations, the settings in the GPO immediately affect the objects (users and/or computers) under the scope of that GPO.
I often get questions around unlinked GPOs. These are GPOs that are not linked to the domain node, OU, or site. If the GPO isn’t linked, why worry about the GPO? The reason is that GPOs are created and configured, but not used. Often, it is unknown which settings are configured, so the GPO could have some configured settings which could cause issues if it were linked to an AD location.
There are a few things you can do to protect from these unlinked GPOs suddenly being linked and causing issues.
- Delete the GPOs that are not linked.
- Disable both the user and computer portions of the GPO, so that if it is linked, it does not affect any objects.
These tasks can be done using the Group Policy Management Console (GPMC), but trying to discover the unlinked GPOs can be time-consuming, as the GPMC does not do a good job of reporting across all GPOs for linked or unlinked GPOs. Therefore, you might want to consider using a tool which is better designed to manage and report on your GPOs. ADManager Plus is designed not just for GPO management, but also for reporting. Figure 1 illustrates how you can get a list of all GPOs that are not linked in ADManager Plus.
Figure 1. Report of unlinked GPOs using ADManager Plus.
All of the tasks that you can perform to manage the GPOs can also be performed using ADManager Plus, such as disabling the user and/or computer portions of the GPO, and also deleting the GPO, which you can see in Figure 2.
Figure 2. GPO user and/or computer portions can be disabled in ADManager Plus.
As you can see, you can streamline GPO management and reporting by using a tool that was designed to perform these tasks. Now that you have a tool that can give you easy to generate and read reports of unlinked GPOs, you can take action to secure these GPOs.
If you want to see ADManager Plus in action in your environment, you can download it here.