Tuesday, 24 September 2013

SharePoint 2013 - Creating and Configuring MySite

SharePoint 2013 has many new social media features through which people can interact, discuss, search, and so on. Creating MySite is more than creating a web application and a site collection within it; there are more steps, and more concepts revolve around it. In this post I will explain how to create and configure MySite in SharePoint 2013.

Create Web Application

  1. It is always recommended to have a separate web application for MySite. Go to Central Administration and select Manage Web Applications.
  2. Select New and create a new web application.
  3. I have created web application http://goazrapp19:2000/.

Create Site Collection

  1. Now create a new site collection under the new web application, selecting 2013 as the experience version and My Site Host as the template.

Configure Web Application that will host MySite

  1. Select the Managed Paths button for the web application that hosts MySite.
  2. Add a new managed path with wildcard inclusion and my as the path.
  3. Select the Service Connections button.
  4. Make sure the User Profile Service Application, Managed Metadata Service, and Search Service Application are running and connected.
  5. Select the Self-Service Site Creation button for the web application.
  6. Select On for Site Collections and Prompt users to create a team site under: for Start a Site. Also provide the managed path created earlier.
  7. Select the Permission Policy button for the web application that will host MySite, to grant users permission to create their own MySite.
  8. Select Add Permission Policy Level.
  9. Provide the name MySite Creation and, under Site Permissions, select Create Subsites.
  10. Now add users to the newly created policy by selecting the User Policy button for the web application.
  11. Select Add Users.
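The managed path, self-service site creation and permission policy steps above, scripted with the SharePoint Management Shell as an added example (this is not code from the original post). It assumes the web application URL and managed path from the post, and uses placeholder user accounts; run it as a farm administrator.

```powershell
# Added example: configure the MySite host web application with PowerShell
# instead of Central Administration. The URL and "my" path come from the post;
# the user accounts below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "http://goazrapp19:2000"          # MySite host web application from the post
$mySitePath = "my"                              # wildcard managed path for personal sites
$policyName = "MySite Creation"                 # permission policy level name from the post
$users      = @("CONTOSO\alice", "CONTOSO\bob")   # placeholder accounts that may create a MySite

$wa = Get-SPWebApplication -Identity $webAppUrl

# 1. Wildcard inclusion managed path (omitting -Explicit creates a wildcard path)
if (-not (Get-SPManagedPath -WebApplication $wa | Where-Object { $_.Name -eq $mySitePath })) {
    New-SPManagedPath -RelativeURL $mySitePath -WebApplication $wa | Out-Null
}

# 2. Self-Service Site Creation must be on so users can create their own site collection
$wa.SelfServiceSiteCreationEnabled = $true
$wa.Update()

# 3. Permission policy level that grants only "Create Subsites" (SPBasePermissions.ManageSubwebs),
#    nothing broader; least privilege for the self-service users
$role = $wa.PolicyRoles | Where-Object { $_.Name -eq $policyName }
if (-not $role) {
    $role = $wa.PolicyRoles.Add($policyName, "Lets users create their own MySite")
    $role.GrantRightsMask = [Microsoft.SharePoint.SPBasePermissions]::ManageSubwebs
    $wa.Update()
}

# 4. Bind the policy level to each user (the User Policy step). Claims-based web
#    applications store the claims-encoded login, so encode it first.
foreach ($login in $users) {
    $claim    = New-SPClaimsPrincipal -Identity $login -IdentityType WindowsSamAccountName
    $userName = $claim.ToEncodedString()
    $policy   = $wa.Policies | Where-Object { $_.UserName -eq $userName }
    if (-not $policy) { $policy = $wa.Policies.Add($userName, $login) }
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $policyName })) {
        $policy.PolicyRoleBindings.Add($role)
    }
}
$wa.Update()

# Verification: which accounts hold which policy levels on this web application,
# and which service application proxies (User Profile, Managed Metadata, Search)
# are connected to it
$wa.Policies | Select-Object UserName, @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join "," } }
$wa.ServiceApplicationProxyGroup.Proxies | Select-Object TypeName, Name
```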

Setup MySites for the Search Center

  1. From Central Administration select Application Management -> Manage Service Applications (under Service Applications) -> User Profile Service Application.
  2. Then select Setup My Sites.
  3. Here you specify the Search Center. If you don't have a Search Center, you can skip this step. I am setting up MySites on a single server farm and am not using Search Center.

Enable the User Profile Service Application - Activity Feed Job

  1. Go to Central Administration -> Monitoring -> Timer Jobs -> Review job definitions.
  2. Look for User Profile Service Application.
    Note: If the Service list does not display User Profile Service, in the Service drop-down (at the top right) click No selection, then click Change Service. On the Select Service Webpage Dialog, use the arrows in the upper-right corner to locate User Profile Service, and then click it.
  3. Select the interval according to your requirement and click Run Now. I will leave it as Minutes.

Step-by-Step Guide to Adding and Managing Additional Servers in a Windows Small Business Server Network?

The Microsoft® Windows® Small Business Server 2003 server software (Windows SBS) is designed to be the core of the IT solution for a small business. Windows SBS provides the basics for any company that has up to 75 users or devices and that is looking to build a solid infrastructure at an affordable cost. But the server that is running Windows SBS does not have to be the only server in a network. You can add other servers to the network, and Windows SBS can manage them. This paper describes how to add additional servers to your Windows SBS network and how to manage them after they are installed.

Before You Begin

  • To complete the steps in this document, you must have a general knowledge of how to install, configure, and update Windows SBS and the Microsoft Windows Server™ 2003 operating system for use on a network.
  • You cannot join a server that is running the Microsoft Windows NT® Server 4.0 operating system to a Windows SBS domain because Windows NT Server 4.0 does not support the Active Directory® directory service. Instead, you must either migrate the server to the Windows® 2000 Server operating system or back up your application data and restore it on a new installation of Windows Server 2003.
  • It is possible to install Windows SBS into an existing Active Directory domain, but this is not recommended unless you are experienced with installing and configuring Active Directory. If you need to perform this procedure, see the article "How to install Small Business Server 2003 in an existing Active Directory domain" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=58906) for more information.
  • This document does not cover adding an additional domain controller to your Windows SBS network. You can always add additional domain controllers to your Windows SBS network, especially if you have remote offices or require redundant Active Directory services on your local network.

Process Steps to Add a Server to the Network

To add a server to your Windows SBS network, complete the following steps:
  1. Determine your server's IP addressing method. You should determine whether to use static or dynamic IP addresses for servers on your network. It is easier for Windows SBS to manage your network using dynamic addressing, but you can use either type on your network.
  2. Verify the hardware requirements. Ensure that your new server has sufficient hardware and capacity to perform the tasks and to run the software that you need on your network.
  3. Verify that your software is up-to-date. Download and install the latest drivers, service packs, and hotfixes for all of your hardware and software.
  4. Add a server to the Windows SBS network. Use the Windows SBS wizards to quickly and easily add the new server to your Windows SBS network.

Step 1: Determine Your Server's IP Addressing Method

Small networks, such as those in home offices, might already have routers and firewalls that provide IP addresses and routing information to computers on the network. This consumer solution is ideal for home networks, but for businesses that have more sophisticated IT needs, these entry-level devices are not sufficient.
Windows SBS is designed to be the core of a small-business network, and for good reason. When it manages DHCP, DNS, and Active Directory, it makes system and network administration easier for all users, no matter whether they are casual or sophisticated users. After you add Windows SBS to a network, it uses the information provided by DHCP, DNS, and Active Directory to maintain a record of which users, computers, and services are on the network. This information is not provided by the type of DHCP server you find in entry-level routers or firewalls. Because Windows SBS provides a powerful, integrated solution, it is strongly recommended that you disable the DHCP functions on other devices and let Windows SBS provide DHCP services.
Important: Do not disable the existing DHCP server on your router or firewall device until you are prompted to by the Configure E-mail and Internet Connection Wizard. This allows the wizard to determine the range of IP addresses that are already in use on your network.
If another device provides DHCP services on your network, you need to configure DHCP scopes for computers and devices that use DHCP addressing. You also need to configure exclusion lists or reservations for servers, gateways, routers, and other devices such as printers that require static IP addresses. By convention, the xxx.xxx.xxx.1 address is assigned to the router's local interface, and it is excluded from a DHCP address scope. Exclude the Windows SBS local network adapter's address from the scope as well.
Note: For more information about working with DHCP and configuring DHCP scopes and exclusions, open the Help and Support Center and search for "Network Configuration Settings: Getting Started."
For the purpose of setting up an additional server on your network, decide whether the additional server should use dynamic or static IP addresses, and use the same configuration for all other servers that you add to the network. It is strongly recommended that you use static IP addressing for all of the servers on your network, especially if any of the client computers are running operating systems other than Windows. This provides a known, stable environment for any services that are provided to client computers on the network.

Step 2: Verify the Hardware Requirements

Your hardware should be able to do all of the following:
  • Run Windows Server. Make sure the hardware for your additional server can run Windows Server. Your hardware should surpass the recommended system requirements and should be listed in the Windows Server Catalog at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=58908).
  • Perform specific roles. File and print servers have different requirements for CPU, RAM, disk space, disk performance, network throughput, and fault tolerance than do terminal servers or application servers. Make sure your new server has appropriate hardware to support the server roles that you want to run on it.
  • Run your applications. If you have specific line-of-business applications that you want to run on the new server, check the application's Web site for both minimum and recommended hardware requirements. You can also check message boards to get additional information from other users.

Step 3: Verify that Your Software is Up-to-Date

The next step is to ensure that your server's firmware and device drivers are up-to-date. Check for updates to your BIOS, SCSI drivers, network adapter, and tape backup or external hard drive. Download any updates and device drivers for your hardware.
Also, download service packs and hotfixes for Windows 2000 Server or for Windows Server 2003. You can't always depend on an Internet connection being available when you first install an operating system; before you start a new installation, have the operating-system updates available.
Lastly, make sure you download the service packs or patches for all of your server applications, including anti-virus software, line-of-business software and any third-party administration tools. As with the hardware, check message boards to find out if there are specific recommendations from other users about the updates.
Note: Best practice. Create a CD that has all of the latest hardware, firmware, and software updates for each server. This makes it easy to locate the proper updates for each server without having to guess at what hardware is installed. Create a new CD every six months as part of your ongoing network maintenance.

Step 4: Add a Server to the Windows SBS Network

Add a server to the Windows SBS network by completing the following tasks:
  1. Set up the additional server in Windows SBS.
  2. Configure the operating system on the additional server.
  3. Run the Connect Computer Wizard.
  4. Synchronize the new server's time clock with Windows SBS.
  5. Configure the server's roles (optional).
  6. Install additional software (optional).
When you finish these steps, you have an additional server that is ready to use on the network.

Set Up the Additional Server in Windows SBS

The Windows SBS network must be set up with your new server's name in Active Directory. When you run the Set Up Server Wizard, it makes the necessary changes to Windows SBS.
Caution: When you add a server name to Windows SBS, you should use all lowercase letters for the server name. Otherwise, you might encounter some name and addressing issues when you are setting up the server. For more information about uppercase letters in server names, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=59778).
To set up an additional server in Windows SBS
  1. Open the Server Management console. To do so, click Start, and then click Server Management.
  2. In the console tree, click Server Computers.
  3. In the details pane, click Set Up Server Computers.
  4. When the Set Up Server Wizard begins, click Next.
  5. Type the server name in the Server Name text box. The server name must follow standard naming conventions: no more than 15 alphanumeric characters and no spaces or other reserved characters. Create a name that other users can recognize. For example, acctsrv is a great name for a server that is running your accounting software.
  6. Click Next.
  7. In the IP Address Configuration dialog box, select the method that the new server uses to obtain IP addresses. If you select Use the following Static IP address, make sure your address is excluded from the DHCP scope that is used on your network.
  8. Click Next.
  9. Review the Completing the Set Up Server Wizard page. It contains a summary of the configuration of your new server, including a link to the Connect Computer Wizard on the Windows SBS Web site. To print, save, or e-mail the configuration details, click the link at the bottom of the page.
  10. After you have recorded the information about the new server, click Finish.

Configure the operating system on the additional server

After you have added the name of the additional server to Windows SBS, there are two ways to set up the additional server for the Windows SBS network, depending on how you arrived at the configuration for your new server.
Note: You cannot run Windows NT Server 4.0 on a member server unless you first upgrade to Windows 2000 Server. You can then upgrade from Windows 2000 Server to Windows Server 2003, if you choose to.
If you perform a clean installation of Windows Server 2003, you need to make four configuration changes during the Setup process:
  • Configure licensing. You must do this so that Windows SBS client-access licenses (CALs) can be used to access the new server. Windows SBS CALs allow users to access any additional Windows-based servers on your network. Other applications must be licensed separately, such as line-of-business applications or anti-virus software.
  • Configure the additional server computer name. You must use the name that you added to Windows SBS.
  • Configure the IP addressing method. Set up Windows Server 2003 to use the correct addressing method.
  • Connect to a workgroup. This is an intermediate step, until you join the server to the Windows SBS domain in a later task.
Caution: If your new server has multiple network adapters and you are using static IP addresses, disable any adapters that are not connected to the network; otherwise your server might receive a dynamic IP address. For more information, see KB article 887307 "A new server that you connect to your domain does not receive the static IP address that you assigned in Windows Small Business Server 2003" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=59779).
To configure the operating system on the additional server
  1. Begin the setup process for Windows Server 2003 on the additional server.
  2. On the Licensing Modes page, select Per Device or Per User, and then click Next. This mode is used whether your Windows SBS CALs are per device or per user. The number of licenses must equal the total number of Windows SBS CALs on the server running Windows SBS.
  3. On the Computer Name and Administrator Password page, type the name of the additional server in Computer name. You must use the same name that you added to the Manage Server Computers dialog in Windows SBS. Click Next.
  4. Continue with the setup process. On the Network Settings page, if you want the additional server to use DHCP with Windows SBS or with another DHCP server, click Typical Settings. If you want to use a static IP address, click Custom Settings. Click Next.
  5. If you chose Custom Settings, the Networking Components page appears. Click Internet Protocol (TCP/IP), and then click Properties. On the General tab, type the static IP information for the adapter. If you use static IP addresses on your servers, the gateway address is the address for either your router or for your Windows SBS local adapter. The DNS server is the Windows SBS local adapter. Click OK.
  6. On the Workgroup or Computer Domain page, click Workgroup. The Windows SBS Connect Computer Wizard joins your additional server to the domain, makes the necessary changes to Active Directory on both computers, and ensures that the additional server is properly configured for the network.
  7. Continue with the rest of the setup process.
  8. Once the setup process is complete, log on to the additional server as Administrator. You can then install new device drivers, service packs, and hotfixes.
You can also reconfigure an existing Windows Server 2003 installation to join a Windows SBS network. You must make the same changes to your existing server as you make for a clean installation, but you make all of the changes through Control Panel. You do not need to run the setup process again.
To reconfigure an existing Windows Server 2003 installation
  1. Log on to your existing server using an account that has local administrator rights.
  2. Open Control Panel. To do this, click Start, and then click Control Panel.
  3. To change the licensing mode, click Licensing. Make sure Windows Server is selected in the Product drop-down list. Click Per Device or Per User, and then click OK. This mode is used whether your Windows SBS CALs are per device or per user. The number of licenses must equal the total number of Windows SBS CALs on the server that is running Windows SBS.
  4. To change the computer name, click System, click the Computer Name tab, and then click Change. Type the new name of the server in Computer name. You must use the same name that you added to Manage Server Computers in Windows SBS.
  5. To join a workgroup, in the Member of section, click Workgroup. Type a new workgroup name (such as WORKGROUP), and then click OK.
  6. To change the network settings, click Network Connections, right-click the name of your connection (usually Local Area Connection), and then click Properties.
  7. Click Internet Protocol (TCP/IP), making sure the checkbox is selected, and then click Properties.
  8. If you want the server to use DHCP, click Obtain an IP address automatically. If instead you want the server to use a static IP address, click Use the following IP address. If you use static IP addresses on your servers, the gateway address is the address of either your router or your Windows SBS local adapter. The DNS server address must be that of the Windows SBS local adapter. Do not point your DNS address at an external DNS server, because this prevents your names from resolving. Click OK twice.
  9. You might need to reboot the server for your changes to take effect.

Run the Connect Computer Wizard

After you install the operating system on your additional server, you can join it to the Windows SBS domain by running the Connect Computer Wizard.
To run the Connect Computer Wizard
  1. On your additional server, open Internet Explorer.
  2. Click Tools, click Internet Options, and then click the Security tab.
  3. Click Trusted Sites, click Sites, and then in Add this Web site to the zone, type http://SBSServerName, where SBSServerName is the name of your server that is running Windows SBS. Click Add.
  4. Make sure that the Require Server Verification (https:) for all sites in this zone check box is clear, and then click Close.
  5. Click OK.
  6. In the address bar for Internet Explorer, type http://SBSServerName/ConnectComputer, where SBSServerName is the name of your server that is running Windows SBS. Press Enter.
  7. Click Connect to the network now. Your server might need to be restarted.
When the configuration is complete, your new server is a member of the Windows SBS domain.

Synchronize the new server's time clock with Windows SBS

In order to synchronize your new server's time clock with Windows SBS, the new server uses the Windows Time Service (WTS). WTS in turn uses Network Time Service (NTS) to connect across the Internet to other synchronized time servers. The correct time data is retrieved and then used to set the new server's internal clock. When this is finished, your new server's internal clock is typically accurate to within a tenth of a second.
In theory, the root domain controller acts as the authoritative time server for a domain, and other computers, including servers, look to the authoritative server for synchronization. In practice, the service sometimes doesn't synchronize when scheduled, such as when an Internet connection is unavailable or a server is offline for maintenance. In those situations, it helps to have a backup plan for synchronizing with your server that is running Windows SBS. This helps ensure that computer communications, especially Active Directory data replication, function smoothly.
Note: By default, Windows SBS receives its time clock information from time.microsoft.com. You can find a list of other time servers that are available on the Internet at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=60499).
In order to synchronize your servers, you must perform these tasks:
  1. Configure Windows SBS to synchronize with an Internet time clock.
  2. Restart the time service in Windows SBS.
  3. Edit the logon script for Windows SBS.
Caution: Do not configure Windows SBS to use the server's internal clock as the synchronization source. This generates numerous error messages in the event log and it causes the time service to fail.
To configure Windows SBS to synchronize with an Internet time clock
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. In the tree pane, expand Computer Configuration, Administrative Templates, System, and then click Windows Time Service.
  3. In the details pane, double-click Global Configuration Settings. Click Enabled, and then click OK.
  4. In the details pane, double-click Time Providers, double-click Enable Windows NTP Client, click Enabled, and then click OK.
  5. Double-click Configure Windows NTP Client, and then click Enabled. In the NtpServer text box, type the IP address or fully qualified domain name of the Internet time provider you want to use. You must append ,0x1 without any spaces to the end of the time provider; otherwise the time service fails (example: time.windows.com,0x1).
  6. Ensure the Type drop-down list is set to NT5DS.
  7. Click OK.
  8. Double-click Enable Windows NTP Server, click Enabled, and then click OK. Close Group Policy Object Editor.
Once the external time resource is configured, you must restart the Windows Time Service.
To restart the Windows Time Service
  1. Click Start, click Run, type services.msc, and then click OK.
  2. In the details pane, click Windows Time. In the toolbar, click the Restart Service button.
  3. Double-click Windows Time. Verify that the startup type is set to Automatic. Click OK.
When Windows SBS is configured as the authoritative time source for your network, other servers and clients use the Windows Time Service to synchronize their internal clocks. If you want to ensure that your servers and client computers synchronize with Windows SBS, you must edit the logon script for Windows SBS.
To edit the logon script for Windows SBS
  1. Open Windows Explorer on your server that is running Windows SBS. To do this, click Start, and then click Windows Explorer.
  2. Browse to %SystemRoot%\SYSVOL\sysvol\%DomainName%\scripts, where %SystemRoot% is your installation directory for Windows SBS and %DomainName% is the NetBIOS domain name for your Windows SBS network.
  3. Right-click SBS_LOGIN_SCRIPT.bat, and then click Edit.
  4. At the end of the file, type net time \\SBSServerName /set /y, where SBSServerName is the NetBIOS name of your server that is running Windows SBS. Be sure to include the spaces where the example indicates.
  5. Save your changes to the batch file.
When users log on to the domain, the logon script runs and synchronizes the time with Windows SBS.
For more information about configuring the Windows Time Service, see "How to configure an authoritative time server in Windows Server 2003" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=60402).
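The same time-source configuration and logon-script change done from the command line, as an added example (not part of the original paper). It assumes an elevated shell on the Windows SBS server with PowerShell installed, that w32tm and reg are on the path, and that SBSServerName is a placeholder for the real NetBIOS name.

```powershell
# Added example: configure the SBS server as the domain's reliable time source with
# w32tm instead of gpedit.msc, then check that the clocks actually agree. Kerberos
# rejects tickets when the clock skew exceeds the domain limit (5 minutes by default),
# so a drifting member server stops authenticating, not just logging the wrong time.
$timeSource = "time.windows.com,0x1"   # the ",0x1" flag is required, exactly as the paper warns
$sbsServer  = "SBSServerName"          # placeholder: NetBIOS name of the SBS server
$domainName = $env:USERDOMAIN          # NetBIOS domain name, used for the SYSVOL scripts path

# 1. Point the SBS server at the external NTP peer and advertise it as reliable
w32tm /config /manualpeerlist:"$timeSource" /syncfromflags:manual /reliable:yes /update

# 2. Restart the Windows Time service (services.msc step), keep it Automatic, force a resync
Set-Service -Name W32Time -StartupType Automatic
Restart-Service -Name W32Time
w32tm /resync /rediscover

# 3. Show what the service is now configured to use
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v NtpServer
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type

# 4. Measure the offset (in seconds) against the external peer; three samples are enough
#    to see whether the server is converging or still drifting
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly

# 5. Append the backup "net time" line from the paper to the SBS logon script, once
$scriptPath = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domainName\scripts\SBS_LOGIN_SCRIPT.bat"
$netTimeLine = "net time \\$sbsServer /set /y"
if (-not (Select-String -Path $scriptPath -Pattern ([regex]::Escape($netTimeLine)) -Quiet)) {
    Add-Content -Path $scriptPath -Value $netTimeLine
}
```

On a member server, `w32tm /stripchart /computer:SBSServerName /samples:3 /dataonly` shows its offset from the SBS server directly.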

Configure the Server's Roles (optional)

You can configure Windows Server 2003 to support particular server roles, where the operating system is optimized for the type of services that the server provides to the network. Windows Server also creates specific access control lists and applies them to the server. These lists help to prevent unauthorized access and to limit potentially harmful events from affecting end users.
The roles are typical Windows Server networking functions, such as domain controllers, terminal servers, or application servers. There are no specific roles for database servers or line-of-business servers, although depending on the application you might be able to use one of the existing Windows Server roles as a foundation. When you select roles, limit the server to the one or two functions that you need for your network.
Important: If you are configuring your new server as a terminal server, do not configure the new server as a domain controller. This increases your security risk, so these two roles should not be configured on the same server.
To configure a role on your new server
  1. Click Start.
  2. Click Manage Your Server.
  3. For more information about the roles your server can provide, click Read about server roles.
  4. Click Add or remove a role.
  5. Read the Preliminary Steps and verify that your server is ready for configuring.
  6. Click Next.
  7. On the Server Role page, select the role that you want to configure on your server. For more information about each role, click Read about.
  8. After you have selected a role, click Next. The server copies and installs files, and you might need to reboot the server, depending on the role you have chosen. After this is complete, your server can perform its role on the network.
You can add only one role at a time, but you can complete this procedure more than once if you want to configure more roles on the server.
Note: If you want your new server to be a domain controller on your Windows SBS network, open Help and Support Center and search for "Create an Additional Domain Controller: Active Directory."

Install Additional Software (optional)

You can now install additional software that the business needs. This software can be anti-virus software, line-of-business software, accounting software, inventory applications, or other services. Follow the manufacturer's instructions for installing the software.
Note: Best practice. Before you install additional software, back up your new server. That way you have a known good image that you can restore if needed.

Manage Your Servers

Windows SBS excels at centralized server management. By using server management tools, you can provide remote administration and support, which in turn reduces the number of site visits that you might need to make.
The two primary server-management tools are the Computer Management snap-in for the Microsoft Management Console (MMC) and the Remote Administration desktop. Both are found in the Server Management console for Windows SBS. This section shows you where the tools are and how to start them; it does not describe in depth how to use each tool. For more information about particular tools, open Help and Support Center and search for the tool in question.

Open the Computer Management snap-in

The Computer Management snap-in is a versatile tool. You can use it to connect to any computer on the network and to manage many of the hardware and software settings for your new server, including starting and stopping services on the remote machine. It is a good place to start when you need to check on server settings or to view messages in the event logs.
To open the Computer Management snap-in
  1. Open the Server Management console. To do so, click Start, and then click Server Management.
  2. In the console tree, click Server Computers.
  3. In the details pane, select a server, and then click Manage Computer. You can also right-click a server and then click Manage Computer.

Connect to the Server via Remote Desktop Protocol

When you need to see the server's desktop, you can connect to it by using Remote Desktop Protocol (RDP). With RDP you can see the desktop of the remote server in its own window, and you can interact with the server as if you were using its own keyboard and mouse.
Note: Your server has two administrative sessions available for remote management, which means it is possible for two administrators to be logged on and making changes to the server simultaneously. If both sessions are being used, additional connection attempts receive a notice that no more sessions are available. If you need to log on to the server exclusively, click Start, click Run, and then type mstsc /v:ComputerName /console, where ComputerName is the name of a member server or a desktop client computer. Be sure to include the spaces where the example indicates. This command logs off any other users who are logged on to the server.
To connect to the server via Terminal Services
  1. Open the Server Management console. To do so, click Start, and then click Server Management.
  2. In the console tree, click Server Computers.
  3. In the details pane, select a server, and then click Connect to Computer via Terminal Services. You can also right-click a server and then click Connect using Terminal Services.
  4. The logon screen for the remote server appears. Log on with the user name and password of an account that has local administrator privileges, and then click OK.
The desktop of the remote server appears, and you can interact with it remotely.

How to Implement Group Policy Security Filtering?

The most misleading thing about Group Policy is its name—Group Policy is simply not a way of applying policies to groups! Instead, Group Policy is applied to individual user accounts and computer accounts by linking Group Policy Objects (GPOs), which are collections of policy settings, to Active Directory containers (usually OUs but also domains and sites) where these user and computer accounts reside. So the newbie’s question concerning Group Policy is usually, “How can I get this GPO to apply to this group?” The answer to this question is: by implementing security filtering.

Understanding Security Filtering

Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities), and you can view the default ACL on a typical GPO as follows:
  1. Open the Group Policy Management Console (GPMC)
  2. Expand the console tree until you see the Group Policy Objects node.
  3. Select a particular GPO under the Group Policy Objects node.
  4. Select the Delegation tab in the right-hand pane (see Figure 1).

Figure 1: Viewing the ACL for the Vancouver GPO using the Delegation tab
For a more detailed view of the ACEs in this GPO ACL, click the Advanced button to display the familiar ACL Editor (Figure 2):

Figure 2: Viewing the ACL for the Vancouver GPO using the ACL Editor
An obvious difference between these two views is that the ACL Editor displays the Apply Group Policy permission while the Delegation tab doesn't. The Delegation tab summarizes each principal's ACEs into a role instead of listing individual permissions: a principal that holds both Read and Apply Group Policy is shown as "Read (from Security Filtering)", one that holds only Read is shown as "Read", and the administrative groups are shown as "Edit settings, delete, modify security". More specifically, if you want a GPO to be processed by a security principal in a container linked to the GPO, the security principal requires at a minimum the following permissions:
  • Allow Read
  • Allow Apply Group Policy
The actual details of the default ACEs for a newly created GPO are somewhat complex if you include advanced permissions, but here are the essentials as far as security filtering is concerned:
Security Principal               Read               Apply Group Policy
Authenticated Users              Allow              Allow
CREATOR OWNER                    Allow (implicit)   -
Domain Admins                    Allow              -
Enterprise Admins                Allow              -
ENTERPRISE DOMAIN CONTROLLERS    Allow              -
SYSTEM                           Allow              -
Note that Domain Admins, Enterprise Admins and the SYSTEM built-in identity have additional permissions (Write, Create, Delete) that let these users create and manage the GPO. But since these additional permissions are not relevant as far as security filtering is concerned, we’ll ignore them for now.
The fact that Authenticated Users have both Read and Apply Group Policy permission means that the settings in the GPO are applied to them when the GPO is processed, that is, if they reside in a container to which the GPO is linked. But who exactly are Authenticated Users? The membership of this special identity is all security principals that have been authenticated by Active Directory. In other words, Authenticated Users includes all domain user accounts and computer accounts that have been authenticated by a domain controller on the network. So what this means is that by default the settings in a GPO apply to all user and computer accounts residing in the container linked to the GPO, and, through inheritance, in any OU beneath it.

Using Security Filtering

Let’s now look at a simple scenario where you might use security filtering to resolve an issue in Group Policy design. Figure 3 below shows an OU structure I developed in a previous article. Note that the Vancouver top-level OU has three departments under it defined as second-level OUs, with user and computer accounts stored below these departments in third-level OUs:

Figure 3: Sample OU structure for Vancouver office
Let’s say that of the fifteen users who work in the Sales and Marketing Department in Vancouver, three of them are senior people who have special requirements, for example access to certain software that other people in the department shouldn’t have access to. Such software could be provided to them by publishing it in Add or Remove Programs using a user policy-based software installation GPO. The trouble is, if you link this GPO to the Sales and Marketing Users OU then all fifteen users in the department will have access to it through Add or Remove Programs. But you only want this special group of three users to be able to access the software, so what do you do? 
You could create another OU beneath the Sales and Marketing Users OU and call this new OU the Senior Sales and Marketing Users OU. Then you could move the user accounts for the three senior employees to this new OU and create your software installation GPO and link it to the new OU. While this approach will work, it has several disadvantages:
  • It makes your OU structure deeper and more complicated, making it harder to understand.
  • It disperses user accounts into more containers making them more difficult to manage.
A better solution is to leave your existing OU structure intact and all fifteen Sales and Marketing users in the Sales and Marketing Users OU, create your software installation GPO and link it to the Sales and Marketing Users OU (see Figure 4), and then use security filtering to configure the ACL on the software installation GPO to ensure that only the three senior users receive the policy.

Figure 4: Senior Sales and Marketing Users Software Installation GPO
To filter the software installation GPO so that only users Bob Smith, Mary Jones, and Tom Lee receive it during policy processing, let’s first use Active Directory Users and Computers to create a global group called Senior Sales and Marketing Users that has only these three users as members (see Figure 5):

Figure 5: Membership of the Senior Sales and Marketing Users global group
Note that you can store this security group in any container in the domain, but for simplicity you'll probably want to store it in the Sales and Marketing Users OU since that's where its members reside.
Now go back to the GPMC with the software installation GPO selected in the left-hand pane, and on the Scope tab of the right-hand pane, remove the Authenticated Users special identity from the Security Filtering section and then add the Senior Sales and Marketing Users global group (Figure 6):

Figure 6: Filtering the GPO so it only targets the Senior Sales and Marketing Users group
That’s it, we’re done! Now when policy is processed for a user account residing in the Sales and Marketing Users OU, the Group Policy engine on the client will first determine which GPOs need to be applied to the user. If the user is a member of the Senior Sales and Marketing Users security group, the following GPOs will be applied in the following order (assuming we haven’t used blocking or enforcement anywhere):
  1. Default Domain Policy
  2. Vancouver GPO
  3. Sales and Marketing GPO
  4. Sales and Marketing Users GPO
  5. Senior Sales and Marketing Users GPO
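The group, GPO, link and security filter described in Figures 4 to 6, as an added PowerShell example using the GroupPolicy and ActiveDirectory modules that ship with RSAT. This is not code from the original article; the OU distinguished name, the domain and the three account names (bsmith, mjones, tlee) are assumptions.

```powershell
# Added example (not from the original article): the security-filtering steps above,
# carried out with the GroupPolicy and ActiveDirectory modules (RSAT) instead of GPMC.
# Assumptions: the OU layout below, and the account names of the three senior users.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$ouPath    = "OU=Sales and Marketing Users,OU=Sales and Marketing,OU=Vancouver,$domainDn"  # assumed
$groupName = "Senior Sales and Marketing Users"
$gpoName   = "Senior Sales and Marketing Users GPO"
$members   = @("bsmith", "mjones", "tlee")   # assumed sAMAccountNames for Bob, Mary and Tom

# Step 1 (Figure 5): global security group holding only the three senior users.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
}
Add-ADGroupMember -Identity $groupName -Members $members

# Step 2 (Figure 4): the software installation GPO, linked to the Sales and Marketing Users OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouPath).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouPath | Out-Null }

# Step 3 (Figure 6): security filtering. Authenticated Users drops from Apply to Read only
# (-Replace discards its old GpoApply level); the senior group gets Read + Apply.
# Read is kept on purpose: since MS16-072 the computer account fetches user GPOs, and a GPO
# it cannot read is never applied to anyone.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Resulting filter, as GPMC's Delegation tab would summarise it.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

Step 3 deliberately differs from the GPMC procedure in one respect: Authenticated Users keeps Read rather than being removed from the GPO altogether. Removing it on the Scope tab removes the whole ACE, Read included. Since the June 2016 security update MS16-072 (KB3163622), user Group Policy is retrieved in the computer's security context, so a GPO that no longer grants Read to Authenticated Users (or Domain Computers) is silently skipped even for members of the filtered group. If you follow the Scope tab steps above on a patched domain, re-add Authenticated Users on the Delegation tab with Read permission.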

The Power of Security Filtering

The power of security filtering is that it allows us to simplify our OU structure while still ensuring that Group Policy is processed as designed. For example, in my original OU structure for Vancouver (see Figure 3 above) I created separate OUs for three departments in that location, namely the IT Department, Management, and Sales and Marketing. In Toronto, however, I could have taken a different approach and lumped all my users and computers together like this (Figure 7):

Figure 7: Toronto has a simpler OU structure than Vancouver
Then I could group user and computer accounts in Toronto into global groups like this:
  • IT Department Users
  • IT Department Computers
  • Management Users
  • Management Computers
  • Sales and Marketing Users
  • Sales and Marketing Computers
I could then create GPOs for each group of users and computers in Toronto, link these GPOs to the appropriate container, and use security filtering to ensure they are applied only to the desired security principals (Figure 8):

Figure 8: Using Group Policy to manage users in Toronto
The main downside of this approach is that as you flatten your OU structure you can end up with lots of GPOs linked to each OU, which can make it harder at first glance to figure out which policies are processed by each user or computer unless you examine in detail the security filtering setup.

Exclusion for a Group Policy Object

I have seen numerous posts asking a simple GPO question: how do I exclude some users or computers from a Group Policy Object?
I have given a screenshot for every step of excluding a principal from a GPO.

On Windows Server 2003 you have to install the GPMC separately; on Windows Server 2008 it is available on any DC.

  1. Open the GPMC.
  2. Select the GPO.
  3. Click on the Delegation tab.
  4. Click on Advanced.
  5. Add the user you want to exclude from that GPO and click OK.
  6. Tick Deny for Read and Deny for Apply Group Policy, and click Apply. (Denying Apply Group Policy alone is enough to stop the GPO from being applied; the Deny on Read is not required.)
  7. Click Yes on the warning that Deny entries take precedence over Allow entries.
  8. Click OK.

Now that GPO will not be applied to Harry.

The same procedure works for excluding a computer.

How to exclude individual users or computers from a Group Policy Object?

One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress that it should be used sparingly and should always be done via group membership, to avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the "Users GPO Exceptions" group from this policy. Select this group in the "Group or user names" list, then scroll down the permissions list and tick the "Deny" option against the "Apply Group Policy" permission.
Now any members of the "Users GPO Exceptions" security group will not have this Group Policy Object applied. Using a security group to control the exception makes it much easier to manage, as someone only needs to modify the group's membership to change who (or what) gets the policy applied. This makes delegating the task to level 1 or level 2 support much more practical, since you don't need to grant them permissions on the Group Policy Objects themselves.
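The Deny "Apply Group Policy" entry that both exclusion walkthroughs above set through GPMC's Delegation > Advanced dialog, as an added PowerShell example using the ActiveDirectory and GroupPolicy modules. This is not code from either post. The GPO name "Sales and Marketing Users GPO" and the group name "Users GPO Exceptions" are taken from the page; the domain is assumed to be the one the machine running the script is joined to, and Deny-GPOApply, Get-GPOApplyDenies and Get-GPOContainerPath are helper names chosen here.

```powershell
# Added example, not code from either post above: the Deny "Apply Group Policy" entry that
# GPMC's Delegation > Advanced dialog creates, written with the ActiveDirectory and
# GroupPolicy modules. GPO and group names are taken from the posts; the domain is the
# one the machine running this script is joined to.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# "Apply Group Policy" is an Active Directory extended right; this is its well-known rightsGuid.
$ApplyGroupPolicyRight = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"

function Get-GPOContainerPath {
    param([Parameter(Mandatory)][string]$GpoName)
    # The ACL lives on the GPO's groupPolicyContainer object under CN=Policies, named by its GUID.
    $gpo = Get-GPO -Name $GpoName
    "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
}

function Deny-GPOApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $adPath = Get-GPOContainerPath -GpoName $GpoName
    $group  = Get-ADGroup -Identity $GroupName
    $acl    = Get-Acl -Path $adPath

    # Deny ACE for the extended right on the GPO object itself, which is where the client-side
    # policy engine evaluates it. A Deny takes precedence over the Allow the group's members
    # inherit through Authenticated Users, so they stop processing this GPO.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $scope  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group.SID, $rights, $deny, $ApplyGroupPolicyRight, $scope)

    $acl.AddAccessRule($ace)
    Set-Acl -Path $adPath -AclObject $acl
}

function Get-GPOApplyDenies {
    param([Parameter(Mandatory)][string]$GpoName)
    # Lists every principal that is explicitly denied Apply Group Policy on this GPO.
    $adPath = Get-GPOContainerPath -GpoName $GpoName
    (Get-Acl -Path $adPath).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGroupPolicyRight } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

Deny-GPOApply -GpoName "Sales and Marketing Users GPO" -GroupName "Users GPO Exceptions"
Get-GPOApplyDenies -GpoName "Sales and Marketing Users GPO"
```

Two things to keep in mind when using this. First, group membership is evaluated from the logon token, so a user added to the exceptions group is still processing the GPO until they log off and on again (a computer, until it reboots), and a user who is in both the exceptions group and a group granted Apply Group Policy is denied, because Deny wins. Second, the Apply Group Policy right exists only on the Active Directory object, not on the GPO's SYSVOL folder, so the script only touches AD; if GPMC nevertheless reports that the AD and SYSVOL permissions are inconsistent, accept its offer to repair them.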