How do you create a GPO in this domain and link it here?

Welcome to a series of seven short posts that will lay out all aspects of the GPO aka Group Policy Object – Microsoft’s framework for automated configuration of the Windows operating system.


How To Configure a GPO

To create, edit and delete GPOs you will typically use the Group Policy Management Console (GPMC). GPMC is available by default on domain controllers, but it can also be installed on servers using the Install-WindowsFeature command. On clients you need to install RSAT to manage GPOs via the GPMC tool.

When you open the GPMC tool you will see the OU structure of your domain, which makes good sense: in order to apply a group policy you must link it to an OU. Once the GPO is linked it will start applying to the users and/or computers in the linked OU and any sub-OUs (see the next section for more details on this).

To create a new GPO right click the OU where you want to link it and select “Create a GPO in this domain, and Link it here…”:


This will create a new GPO object which you can then open up and configure with the desired settings:


Notice that this action creates two things: the GPO itself and the GPO link, which ensures the GPO is applied to users and/or computers in the OU (and sub-OUs). Deleting the GPO link and deleting the GPO itself are very different operations, so make sure you understand the difference!

A GPO can be linked to multiple OUs, and editing the GPO will affect all GPO links!

A GPO can also be linked to a site object. This feature is not used very often but may be useful when you want to configure devices according to their network location.

At the bottom section of the GPMC tool you will find an overview of all the GPOs in the domain. This is the place to look for a specific GPO if you do not know where it is linked:


Group Policy is an Active Directory management technology for Windows that provides centralized management of configuration settings. While it isn’t the only available management solution — PowerShell Desired State Configuration (DSC) and Mobile Device Management (MDM) can also be used — Group Policy is the recommended technology for domain-joined client devices because it provides more granular control than other solutions.

Group Policy Management Console

Group Policy settings are configured in Group Policy objects (GPOs). You can link GPOs to domains, sites and organizational units (OUs). For even more control, GPOs can be applied according to the results of Windows Management Instrumentation (WMI) filters, although WMI filters should be used sparingly because they can significantly increase policy processing time.

The Group Policy Management Console (GPMC) is a built-in Windows administration tool that enables administrators to manage Group Policy in an Active Directory forest and obtain data for troubleshooting Group Policy. You can find the Group Policy Management Console in the Tools menu of Microsoft Windows Server Manager. It is not a best practice to use domain controllers for everyday management tasks, so you should install the Remote Server Administration Tools (RSAT) for your version of Windows.

Installing the Group Policy Management Console

If you are using Windows 10 version 1809 or later, you can install GPMC using the Settings app:

  1. Open the Settings app by pressing WIN+I.
  2. Click Apps under Windows Settings.
  3. Click Manage optional features.
  4. Click + Add a feature.
  5. Click RSAT: Group Policy Management Tools and then click Install.


Figure 1. Installing the Group Policy Management Console using the Settings app interface

If you are using an older version of Windows, you’ll need to download the right version of RSAT from Microsoft’s website.

For convenience, you might want to also install Server Manager. But if you choose not to, you can add GPMC to a Microsoft Management Console (MMC) and save the console.

Using the Group Policy Management Console

Every AD domain has two default GPOs:

  • Default Domain Policy, which is linked to the domain
  • Default Domain Controllers Policy, which is linked to the domain controller’s OU

You can see all the GPOs in a domain by clicking the Group Policy Objects container in the left pane of GPMC.


Figure 2. Interface of the Group Policy Management Console

Create a New Group Policy Object

Don’t change either the Default Domain Controllers Policy or the Default Domain Policy. The best way to add your own settings is to create a new GPO. There are two ways to create a new GPO:

  • Right-click the domain, site or OU to which you want to link the new GPO and select Create a GPO in this domain, and Link it here… When you save the new GPO, it will be linked and enabled immediately.
  • Right-click the Group Policy Objects container and select New from the menu. You will need to manually link the new GPO by right-clicking a domain, site or OU and selecting Link an Existing GPO. You can do this at any time.

Regardless of how you create a new GPO, in the New GPO dialog you must give the GPO a name, and you can choose to base it on an existing GPO. See the next section for information about the other options.
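The two creation paths above, the distinction between deleting a link and deleting the GPO, and the all-GPOs overview, as an added PowerShell example using the GroupPolicy module that ships with GPMC (this is not code from the original posts; the domain corp.example.com, the OU "Workstations" and the GPO name "Workstation Hardening" are assumptions):

```powershell
# Added example (not from the original posts). Requires the GroupPolicy module, which
# comes with GPMC (RSAT on clients, "Install-WindowsFeature GPMC" on servers).
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'        # assumption
$ouDn     = "OU=Workstations,$domainDn"         # assumption
$gpoName  = 'Workstation Hardening'             # assumption

# Equivalent of right-clicking the Group Policy Objects container and selecting New:
# the GPO now exists in the domain but is linked nowhere, so it applies to nothing.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline hardening for member workstations'
}

# Equivalent of "Create a GPO in this domain, and Link it here..." / "Link an Existing GPO".
# The link is a separate object on the OU. Creating it disabled lets you review the GPO
# before it starts applying to the computers and users in the OU and its sub-OUs.
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled No | Out-Null
}

# Export the settings for review, then enable the link once the content has been checked.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\$gpoName.html"
Set-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null

# The overview at the bottom of GPMC corresponds to Get-GPO -All. A GPO that is listed
# here but linked nowhere is unused (or was unlinked by mistake) and is worth auditing.
Get-GPO -All | Sort-Object DisplayName |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime

# Deleting the link versus deleting the GPO. Remove-GPLink only stops the GPO from applying
# to this OU; the GPO and any links to it from other OUs survive. Remove-GPO deletes the GPO
# itself and, unless -KeepLinks is given, every link to it in the domain. Both are run with
# -WhatIf here so nothing is actually removed.
Remove-GPLink -Guid $gpo.Id -Target $ouDn -WhatIf
Remove-GPO    -Guid $gpo.Id -WhatIf
```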

Edit a Group Policy Object

To edit a GPO, right click it in GPMC and select Edit from the menu. The Active Directory Group Policy Management Editor will open in a separate window.


Figure 3. Interface of the Group Policy Management Editor

GPOs are divided into computer and user settings. Computer settings are applied when Windows starts, and user settings are applied when a user logs in. Group Policy background processing applies settings periodically if a change is detected in a GPO.

Policies vs Preferences

User and computer settings are further divided into Policies and Preferences:

  • Policies do not tattoo the registry — when a setting in a GPO is changed or the GPO falls out of scope, the policy setting is removed and the original value is used instead. Policy settings always supersede an application’s configuration settings and will be greyed out so that users cannot modify them.
  • Preferences tattoo the registry by default, but this behavior is configurable for each preference setting. Preferences overwrite an application’s configuration settings but always allow users to change the configuration items. Many of the configurable items in Group Policy Preferences are those that might have been previously configured using a login script, such as drive mappings and printer configuration.

You can expand Policies or Preferences to configure their settings. These settings will then be applied to computer and user objects that fall into the GPO’s scope. For example, if you link your new GPO to the domain controller’s OU, the settings will be applied to computer and user objects located in that OU and any child OUs. You can use the Block Inheritance setting on a site, domain or OU to stop GPOs that are linked to parent objects from being applied to child objects. You can also set the Enforced flag on individual GPOs, which overrides the Block Inheritance setting and any configuration items in GPOs that have higher precedence.

GPO Precedence

Multiple GPOs can be linked to domains, sites and OUs. When you click on one of these objects in GPMC, a list of linked GPOs will appear on the right on the Linked Group Policy Objects tab. If there is more than one linked GPO, GPOs with a higher link order number take priority over settings configured in GPOs with a lower number.

You can change the link order number by clicking on a GPO and using the arrows on the left to move it up or down. The Group Policy Inheritance tab will show all applied GPOs, including those inherited from parent objects.
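Reading the Linked Group Policy Objects and Group Policy Inheritance tabs from PowerShell, and changing link order, Block Inheritance and the Enforced flag described in the two sections above, as an added example with the GroupPolicy module (not code from the original posts; the OU distinguished name and the GPO name "Workstation Hardening" are assumptions):

```powershell
# Added example (not from the original posts): auditing the precedence and inheritance
# of one OU, the same information GPMC shows on the two tabs of a container.
Import-Module GroupPolicy

$ouDn = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumption
$inh  = Get-GPInheritance -Target $ouDn

# Linked Group Policy Objects tab: links on this container only, by link order number.
$inh.GpoLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced

# Group Policy Inheritance tab: everything that applies here, including links inherited
# from the domain and parent OUs, in precedence order.
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target

# Two things to check before trusting the result of a review:
# 1. Block Inheritance on this container hides parent links (except Enforced ones).
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $ouDn; non-enforced parent GPOs do not apply here."
}
# 2. Enforced links override Block Inheritance and win conflicts regardless of link order,
#    so each one should have a documented reason.
$inh.InheritedGpoLinks | Where-Object Enforced |
    ForEach-Object { Write-Warning "Enforced link: '$($_.DisplayName)' from $($_.Target)" }

# Moving a GPO in the link order (the arrows on the left in GPMC), shown with -WhatIf:
Set-GPLink -Name 'Workstation Hardening' -Target $ouDn -Order 1 -WhatIf   # assumed GPO name

# Turning Block Inheritance on for the OU, and marking a link as Enforced, shown with -WhatIf:
Set-GPInheritance -Target $ouDn -IsBlocked Yes -WhatIf
Set-GPLink -Name 'Workstation Hardening' -Target $ouDn -Enforced Yes -WhatIf
```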


Figure 4. Information about all applied GPOs in GPMC

Advanced Group Policy Management

Advanced Group Policy Management (AGPM) is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers. Unlike GPMC, AGPM is a client/server application where the server component stores GPOs offline, including a history for each GPO. GPOs managed by AGPM are called controlled GPOs because they are managed by the AGPM service and administrators can check them in and out, much like you might check files or code in and out of GitHub or a document management system.

AGPM provides greater control over GPOs than is possible with GPMC. In addition to providing version control, it enables you to assign roles like Reviewer, Editor and Approver to Group Policy administrators, which helps you implement strict change control throughout the entire GPO lifecycle. AGPM auditing also gives greater insight into Group Policy changes.

IT consultant and author specializing in management and security technologies. Russell has more than 15 years of experience in IT, he has written a book on Windows security, and he coauthored a text for Microsoft’s Official Academic Course (MOAC) series.


Right-click YourDomainName, and then click Link an Existing GPO. In the Select GPO dialog box, select the GPO that you want to deploy, and then click OK. The GPO appears in the Linked Group Policy Objects tab in the details pane and as a linked item under the domain container in the navigation pane.
A GPO can be associated (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it.
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.