To change the settings of a GPO within GPA, you must first check out the GPO from the GP Repository. When you have modified the GPO, you check the GPO back into the GP Repository. The check out and check in process prevents many users from editing the same GPO at the same time.
NOTE:To see the effect of the GPO changes in Active Directory, you need to export the GPO after approving it. For more information about approving a GPO, see Section 5.8.3, Managing GPOs for Export. For more information about exporting a GPO, see Section 5.8.5, Exporting GPOs to AD Domains.
When you check out a GPO, no other user can modify it. You cannot make modifications to a GPO in GPA until you check out the GPO.
To check out a GPO from the GP Repository:
Log on to a GPA Console computer with an account that has permissions to check in and check out GPOs and modify GPO settings.
Start the GPA Console in the NetIQ Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to check out.
On the Action menu, click Check Out. Group Policy Administrator launches the NetIQ Group Policy Management Editor so you can modify the GPO policy or preference settings.
NOTE:When you check out an approved GPO, its approval status remains set to Approved. But when you check the GPO back in, the GPA console changes the GPO’s approval status to Not Approved. You must approve the GPO again to change its approval status back to Approved. For more information about approving a GPO, see Section 5.8.3, Managing GPOs for Export.
To learn how to further restrict what others can do with GPOs that you have checked out, see Section 4.4, Increasing File Security of a GPO after Checking It Out.
After you check out the GPO, you can edit the policy settings, preferences and properties of a GPO. When you check out a GPO, GPA opens the NetIQ Group Policy Management Editor, which you can use to add or modify any Group Policy setting. By editing these settings in the GP Repository, GPA only makes changes to the GPO in the GP Repository. Your edits do not change the Active Directory instance of the GPO until you export the GPO from the GP Repository to Active Directory.
To edit GPO settings:
Log on to a GPA Console computer with an account that has permissions to check in and check out GPOs and modify GPO settings. To add or modify preferences, log on to a GPA Console computer that supports preference management.
Start the GPA Console in the NetIQ Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to check out.
If the GPO is not already checked out, on the Action menu, click Check Out. Group Policy Administrator launches the NetIQ Group Policy Management Editor.
If the GPO is already checked out, on the Action menu, click Edit GPO.
In the left pane of the NetIQ Group Policy Management Editor, expand the GPO to the level of the Group Policy setting you want to modify or to the Group Policy Preference extension for the preference you want to add or edit.
Complete one of the following steps, based on what you want to configure or add:
To edit policy settings, click the specific Group Policy setting you want to modify in the right pane. Then, click Properties on the Action menu. For more information about modifying policy settings, see your Microsoft Windows documentation.
To add a preference, click New on the Action menu, then select the Group Policy Preference type. For more information about GPO preferences, see Setting Preferences.
To edit a preference, click the preference in the right pane, then click Properties on the Action menu. For more information about GPO preferences, see Setting Preferences.
To edit GPO properties, click Properties on the Action menu. For more information about GPO properties, see Setting Properties.
Configure or modify the settings as needed, click Apply, and then click OK.
Close the NetIQ Group Policy Management Editor.
To save your changes, select the GPO and then, on the Action menu, click Check In.
After you check out the GPO, you can add or edit Group Policy Preferences (preferences).
Unlike policy extensions, preference extensions typically do not include preferences. You can add one or more preferences to a preference extension. While adding a preference, you can edit the preference settings. You can also change the settings for a preference you added previously.
In addition to editing the policy and preference settings within a GPO, you can also modify the following properties of a GPO:
Disabling either Computer Configuration Settings or User Configuration Settings
Editing, adding, and removing Active Directory links
Modifying the GPO link order
Viewing and Editing GPO comments
Setting a GPO as the master GPO
Adding WMI filters
Setting security filters
Setting the block inheritance option
NOTE:You can use the NqGPASyncLinkOrder.exe file to synchronize the block inheritance settings in the GP Repository to match the block inheritance settings in Active Directory during the upgrade process. For more information about this tool, see Section A.10.24, Synchronize GPO Link Order.
When you undo a check out, GPA reverts the GPO and the GPO settings remain as they were before you checked out the GPO.
To undo a GPO check out:
Log on to a GPA Console computer with an account that has permissions to modify GPO settings.
Start the GPA Console in the NetIQ Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to revert.
On the Action menu, click Undo Check Out.
To confirm you want to undo the check out, click Yes.
When you have finished making changes to a GPO, check the GPO back into the GP Repository. When you check in a GPO, GPA saves the changes you made to the GPO in the GP Repository, and not in Active Directory. GPA also releases the GPO to make it available to other GPA users.
NOTE:You cannot save modifications to a GPO in GPA until you check the GPO back in. A check in operation creates a new version of the GPO in the GP Repository.
To check in a GPO:
Log on to a GPA Console computer with an account that has permissions to check in and check out GPOs.
Start the GPA Console in the NetIQ Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to check in.
On the Action menu, click Check In.
You can modify an existing GPO by pasting settings, Active Directory links, WMI filters, and security information from a different GPO. When you perform a copy and paste operation on a GPO, you paste the contents of the source GPO into another GPO. Modifying a GPO by pasting contents from another GPO is useful if you want to overwrite the contents of one GPO with another.
The contents you paste from one GPO into another depends on the paste options you configure on the GP Repository. For more information about configuring paste options, see Section 3.1.2, GPO Paste Options.
If you select the option to paste the GPO name, GPA renames the target GPO with the source GPO name. The GUID of the target GPO does not change.
To modify a GPO using copy and paste:
Log on to a GPA Console computer with an account that has permissions to modify GPOs.
Start the GPA Console in the NetIQ Group Policy Administrator program group.
In the left pane, expand GP Repository to the category level and select the GPO you want to copy.
On the Action menu, click Copy.
Select the GPO you want to update with the settings from the copied GPO.
On the Action menu, click Paste GPO. GPA displays the GPO Paste Options window.
If you want to use the default paste options, click OK.
If you do not want to use the default settings, perform the following steps:
Clear Use Default Settings.
Select the specific GPO settings you want to copy.
If you want to save the paste options for future use, click Save.
Click OK.
NOTE:If you configure the GP Repository to enforce the default settings, you cannot clear the Use Default Settings check box. For more information, see Section 3.1.2, GPO Paste Options.