Group Policy: The Ultimate Guide - Active Directory Pro
https://activedirectorypro.com/group-policy-guide/#group-policy-basics
GROUP POLICY
In this guide, you will learn the basics of group policy. I’ll demonstrate several
examples of how to properly create and manage group policy objects.
You will also learn how to filter and quickly troubleshoot GPOs.
Contents
Lesson 1 - Group Policy Basics: In this lesson, you will learn the basics of group policy, how it works and the difference between local GPOs and domain GPOs.
Lesson 2 - Group Policy Process Order: Learn about the four levels of group policy processing (Local, Site, Domain, and OU). This is very important to understand.
Lesson 3 - Managing Group Policies: In this lesson, I’ll walk through how to properly create a group policy object and give an overview of the management console.
Lesson 4 - Group Policy Preferences: Group Policy Preferences allow you to deploy a default configuration with the option for users to alter the settings.
Lesson 5 - Group Policy Filtering: Learn how to filter group policy objects and exclude or include specific users and groups from a GPO.
Lesson 6 - Troubleshooting Group Policy: Learn how to troubleshoot group policy and use various client commands to verify and check GPO policies.
Lesson 1
Group Policy Basics
Example Policies:
• Password Policy
• Screen Lock
• Power Settings
• Map Network Drives
• Install printers, software, desktop shortcuts, etc.
• Software restrictions (blocking access to programs)
Local Group Policy = Local group policies are policies that apply to a single
computer and are managed locally on a computer. You can access the local GPO with
the gpedit.msc console. These policies apply to only the computer you edit them on.
Domain policies take precedence over local policies.
Domain Group Policy (DGP) = Domain group policies are managed centrally and can
be applied to multiple computers and users. DGPs will be the focus of this guide.
User Configuration Policies = Each GPO has a user configuration and computer
configuration section. The User configuration policies only apply to users.
Below is a typical use case for using group policy and how group policy works. You
are an administrator and you need to ensure all computer screens lock after 15
minutes of inactivity.
1. The administrator uses the Group Policy Management Console to create a new
GPO. The GPO has policies to lock the computer screen after 15 minutes of inactivity.
2. The administrator applies the new GPO to the entire domain. This means all
computers in the domain will get the policy.
3. The computer checks and applies new GPOs on startup and when users log on.
Computers also check for new GPOs every 90 minutes.
4. The GPO policy is downloaded and applied to the computer or user.
If you want to follow along with this guide you might want to build a test
environment. This will allow you to create, modify and delete GPOs without breaking
your production environment. Refer to my article on building an Active Directory test
environment for step-by-step instructions.
Lesson 2
Group Policy Process Order
It is very important to understand the order in which group policies are applied. It is
even more important to understand the order of precedence. This will be critical in
group policy design and troubleshooting.
I have two GPOs, the name and policy settings are below.
1. User – Chrome Settings = This GPO sets the home page to google.com. This
It will be bing.com.
The “User – Chrome Settings 2” GPO has the most precedence because it was applied
last.
So remember, for any GPOs that have conflicting policy settings, the GPO with the
most precedence will win.
Domain group policy objects will always overwrite any local policies because they
have more precedence.
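To see the precedence order without clicking through the GPMC, the following PowerShell function (an added example, not part of the article) resolves every link that applies to a container with the GroupPolicy module's Get-GPInheritance cmdlet and numbers them from highest precedence down. The function name and the OU distinguished name are mine; "ADPRO Users" is the article's OU, the domain part of the DN is a placeholder.

```powershell
# Added example, not from the original article. Requires the GroupPolicy
# module (RSAT or a domain controller). The target DN below is a placeholder.
Import-Module GroupPolicy

function Show-GpoPrecedence {
    param(
        [Parameter(Mandatory)] [string] $Target   # DN of an OU, or the domain DN
    )

    $inh = Get-GPInheritance -Target $Target

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked on $Target; only enforced parent links still apply."
    }

    # InheritedGpoLinks is the cmdlet's resolved list for this container:
    # domain and parent-OU links merged with the container's own links,
    # ordered highest precedence first (assumption: we rely on the
    # cmdlet's ordering). Precedence 1 wins any conflicting setting.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
}

# Two user GPOs that both set a browser home page (the article's Chrome
# Settings / Chrome Settings 2 case): whichever shows Precedence 1 here
# supplies the value the user actually gets.
Show-GpoPrecedence -Target 'OU=ADPRO Users,DC=example,DC=com' | Format-Table -AutoSize
```

Enforced links and blocked inheritance change this order, which is why the function surfaces both: an enforced link from a parent OU outranks every link lower down, and a blocked OU drops all non-enforced parent links.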
Lesson 3
Managing Group Policies
In this lesson, you will learn how to create group policies. I’ll demonstrate how to
create a GPO that applies to users and a separate GPO that applies to computers.
I’ll go over the basics of the GPMC. (Refer to the picture below).
1. Domains = This will list your domains and OU structure. Notice it does not list
any Active Directory containers; that is because GPOs can only be linked to the
domain and OUs.
2. Linked GPOs = If an OU has a linked GPO it will be listed under the OU. For
example, you can see my “ADPRO Computers” OU has a PsExec Allow policy
linked.
3. Group Policy Objects = This section will list all GPOs, linked and unlinked.
When you select a GPO you will get the GPO details on the right side of the screen.
• Scope = The scope shows you all the locations the GPO is linked to. Below the
links is the Security Filtering section (covered in Lesson 5).
• Details = Shows basic details on the GPO like when it was created and last
modified.
• Settings = Displays what policies are configured for the GPO
• Delegation = Lists the permissions of the GPO. You typically do not need to
modify these settings.
That really covers the most common settings you need to manage group policy. Next,
I’ll walk through creating a new GPO.
Find the organizational unit that contains your user accounts, for me, this is my
“ADPRO Users” OU.
Right-click the OU and select “Create a GPO in this domain, and Link it here”.
Give the new GPO a name. For example, User – Block Control Panel.
At this point, there is a new GPO linked to all the users but the GPO has no policies
set. Right-click on the GPO and select edit.
Browse to User Configuration -> Policies -> Administrative Templates -> Control
Panel
To verify the GPO is working, reboot a computer and log in with a domain user
account.
When you try to open the control panel you should get a pop up message like the
one below.
Remember this was a user configuration and only applies when a user logs into the
computer. In the next example, I’ll go over a computer GPO.
First, determine the OU that contains the computers you want the policy applied to. In
my domain, all computers are located in the “ADPRO Computers” OU, all sub-OUs will
inherit this policy.
Right-click the OU and select Create a GPO in this domain, and link it here.
Give the new GPO a name, for example Computer – Logon Banner.
Browse to Computer Configuration -> Policies -> Windows Settings -> Security
Settings -> Local Policies -> Security Options.
On the right open the policy “Interactive logon: Message text for users attempting to
log on”.
Now select “Define this policy setting” and enter your message. This message is
often provided by HR or your legal department.
Next, open the policy “Interactive logon: Message title for users attempting to log
on” and enter a title for the banner.
Next, reboot a computer, and when you logon you should be prompted with the GPO
logon banner message.
Nice Work!
If you followed this lesson then you just created two GPOs, one for users and one for
computers.
Open GPMC, go to Group Policy Objects, select the GPO and look at the Scope
tab. This will tell you where in the domain the GPO is linked (what objects it
applies to).
In the screenshot below, you can see the Logon Banner GPO is linked to my ADPRO
Computers OU. So this GPO will apply to all devices in this OU and any sub-OU.
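The same two GPOs can be built and verified from PowerShell with the GroupPolicy module. The script below is an added example and not the article's own steps: it creates both GPOs, writes the registry values that back the two settings, links each GPO to the article's OU, and then lists the links on each OU the way the Scope tab does. The OU names are the article's; the domain DN and banner wording are placeholders. One caveat worth knowing: Set-GPRegistryValue writes through registry.pol (Administrative Templates), so GPMC reports the logon banner values under "Extra Registry Settings" rather than under Security Options, although clients apply them identically.

```powershell
# Added example, not the article's own steps. Requires the GroupPolicy module.
Import-Module GroupPolicy

$domainDn    = 'DC=example,DC=com'                    # placeholder: your domain DN
$usersOu     = "OU=ADPRO Users,$domainDn"
$computersOu = "OU=ADPRO Computers,$domainDn"

# --- User GPO: block the Control Panel -------------------------------------
# "Prohibit access to Control Panel and PC settings" is backed by the
# NoControlPanel DWORD under the per-user Explorer policies key.
$userGpo = New-GPO -Name 'User - Block Control Panel' -Comment 'Lesson 3 user example'
Set-GPRegistryValue -Name $userGpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $userGpo.DisplayName -Target $usersOu -LinkEnabled Yes | Out-Null

# --- Computer GPO: logon banner ---------------------------------------------
# The "Interactive logon: Message title/text ..." security options map to
# legalnoticecaption / legalnoticetext under the System policies key.
$compGpo = New-GPO -Name 'Computer - Logon Banner' -Comment 'Lesson 3 computer example'
$sysKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $compGpo.DisplayName -Key $sysKey `
    -ValueName 'legalnoticecaption' -Type String -Value 'Authorized Use Only' | Out-Null
Set-GPRegistryValue -Name $compGpo.DisplayName -Key $sysKey `
    -ValueName 'legalnoticetext' -Type String `
    -Value 'This system is for authorized users only. Activity may be monitored.' | Out-Null
New-GPLink -Name $compGpo.DisplayName -Target $computersOu -LinkEnabled Yes | Out-Null

# --- Verify scope: which GPOs are linked at each OU (what the Scope tab shows)
foreach ($ou in $usersOu, $computersOu) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        ForEach-Object { '{0}: {1} (enabled={2}, enforced={3})' -f $ou, $_.DisplayName, $_.Enabled, $_.Enforced }
}
```

After running it, gpupdate /force on a client and a fresh logon should produce the same Control Panel pop-up and logon banner the lesson shows.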
For more group policy examples refer to the article Most Useful GPO Examples for
Security. This article lists 23 GPO examples that help to improve security in any
network.
Lesson 4
Group Policy Preferences
Group policy preferences are used to set an initial configuration but allows users to
change them. For example, a GPO preference can create a shortcut on the user’s
desktop but allow the user to delete it.
GPO preferences differ from policy settings because users cannot modify policy
settings. For example, in Lesson 3 we created a logon banner; this was a policy setting.
Item-Level Targeting
GPO preferences include a filtering option called “Item-level targeting”. Item-level
targeting gives you granular control over what objects (which users or computers) the
GPO is applied to.
Edit the GPO and browse to User Configuration -> Preferences -> Windows
Settings
I linked this GPO to all users, if a user logged in they will see a shortcut on the
desktop.
But what if you don’t want the shortcut on all user’s desktops?
With GPO preferences you can use item-level targeting to limit which users the GPO
is applied to.
For this example, I’m going to limit the desktop shortcut to a security group.
I created a group called “gpo_desktop_shortcut” and added a few users from various
departments.
Click on “New Item” and from the drop-down menu select “Security Group”.
That is it!
Now the GPO will only apply to the users in the security group.
Remember item-level targeting only works with GPO preferences. To filter other GPOs
you can use security filtering, which I’ll cover in the next lesson.
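Item-level targeting is stored with the preference item itself, as XML in the GPO's folder in SYSVOL, which makes it easy to overlook during a review. The function below is an added example (not from the article) that reads a preference XML file and reports, per item, whether it is targeted and by what. The XML sample is constructed, and the exact element and attribute names (Filters, FilterGroup, not, name) and the SYSVOL path in the trailing comment are assumptions taken from the preference files I have seen; compare against a real Shortcuts.xml in your own SYSVOL before relying on the output.

```powershell
# Added example, not from the original article. Element/attribute names are
# assumptions; verify against your own SYSVOL preference files.

function Get-PreferenceTargeting {
    param([Parameter(Mandatory)] [xml] $PreferenceXml)

    # Each preference item (Shortcut, Drive, Registry, ...) is a child of the
    # document root. An item with item-level targeting carries a <Filters>
    # element whose children are the individual targeting rules.
    foreach ($item in $PreferenceXml.DocumentElement.ChildNodes) {
        $filters = $item.SelectNodes('Filters/*')
        [pscustomobject]@{
            Item     = $item.GetAttribute('name')
            Targeted = ($filters.Count -gt 0)
            Filters  = ($filters | ForEach-Object {
                           $negate = if ($_.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
                           '{0}({1}{2})' -f $_.LocalName, $negate, $_.GetAttribute('name')
                       }) -join ', '
        }
    }
}

# Constructed sample: two desktop shortcuts, one limited to the article's
# gpo_desktop_shortcut group through a security-group filter, one untargeted.
$sample = [xml]@'
<Shortcuts>
  <Shortcut name="Helpdesk Portal" status="Helpdesk Portal.lnk">
    <Properties targetType="URL" targetPath="https://helpdesk.example.com" />
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\gpo_desktop_shortcut" sid="S-1-5-21-0-0-0-1001" userContext="1" />
    </Filters>
  </Shortcut>
  <Shortcut name="Company Intranet" status="Intranet.lnk">
    <Properties targetType="URL" targetPath="https://intranet.example.com" />
  </Shortcut>
</Shortcuts>
'@

Get-PreferenceTargeting -PreferenceXml $sample | Format-Table -AutoSize

# Against a real GPO (path is an assumption; replace the domain and GUID):
# $path = '\\example.com\SYSVOL\example.com\Policies\{GUID}\User\Preferences\Shortcuts\Shortcuts.xml'
# Get-PreferenceTargeting -PreferenceXml ([xml](Get-Content -LiteralPath $path -Raw))
```

Items that report Targeted = False apply to every user or computer in the GPO's scope, which is the case to look for when a preference that should have been limited to a group turns up everywhere.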
Lesson 5
Group Policy Filtering
Group policy security filtering is something that doesn’t get enough attention.
Group policy security filtering lets you control what users and computers a GPO is
applied to. For example, if you don’t want certain computers to have a screen lock
policy you can use security filtering.
Each GPO has a security filtering section and by default, all authenticated users have
the right to apply the GPO.
I have the “User – Block Control Panel” policy that is applied to all domain users.
Some users called the helpdesk and are very upset they can’t access the power
options from the control panel.
The boss approved the access so I need a way to exclude these users from the policy.
No problem.
I’ll create a security group, add the approved users and use security filtering to deny
the group access to the GPO.
All done.
Now any member of this group will be denied the GPO. In this example, the user will
be denied the group policy that blocks access to the control panel which enables the
user to access it.
First, create a security group for the users or computers you want the GPO applied to.
For “Authenticated Users” uncheck “Apply group policy”. But make sure “read” is still
checked.
Done.
Now the GPO will only be applied to the added security group.
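The second method in this lesson (replace Authenticated Users' Apply right with Read, then grant Apply to a group) can be scripted with Set-GPPermission, as in the added example below; this is my code, not the article's. The GPO name is the article's, the group name is a placeholder. Two points a practitioner should know: Set-GPPermission cannot write a Deny entry, so the first method (denying the group) still needs the Delegation tab or direct ACL editing; and Read must stay on Authenticated Users because, since the 2016 change to Group Policy processing (MS16-072), the computer account retrieves user GPOs, so removing Read breaks processing for everyone, which is why the article says to leave it checked.

```powershell
# Added example, not the article's own. Requires the GroupPolicy module.
Import-Module GroupPolicy

$gpoName = 'User - Block Control Panel'
$group   = 'gpo_control_panel_users'   # placeholder: the group that should get the GPO

# 1. Authenticated Users keeps Read but loses "Apply group policy".
#    -Replace overwrites the trustee's existing permission level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 2. Only members of the group get Apply (GpoApply includes Read).
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Audit the result. Any GpoApply trustee other than the intended group is a
#    scoping mistake; a GPO with no GpoApply trustee at all applies to nobody.
function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)] [string] $Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

Get-GpoApplyTrustees -Name $gpoName | Format-Table -AutoSize
```

Running Get-GpoApplyTrustees across all GPOs (Get-GPO -All | ForEach-Object { Get-GpoApplyTrustees -Name $_.DisplayName }) is a quick way to find GPOs whose security filtering has drifted from what the change ticket said.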
That completes lesson 5. In the last lesson, I’ll show you how to troubleshoot group
policy.
Lesson 6
Troubleshooting Group Policy
First, here are some quick tips that often lead to group policy issues.
Don’t make group policy complicated, keep it simple and you can avoid most GPO
issues. For more tips refer to my GPO best practices guide.
1. Run gpupdate /force
On a computer that has GPO issues, log in and run the gpupdate /force command.
The /force switch reapplies all policy settings.
The command should return with no errors. Sometimes running this command can
resolve or force a GPO to apply. Depending on the policy it may prompt you to
reboot before the policy goes into effect.
2. Check SYSVOL access
Click on Start, then type in the UNC path to your domain controller. My domain
controller hostname is DC1 so the UNC path is \\DC1. Click on SYSVOL, your domain
and then Policies. You should see a list of folders whose names look like random
numbers and letters (the GPO GUIDs); these are the GPOs.
If you don’t see or cannot access this folder then that will prevent GPOs from working.
Make sure you test the SYSVOL access by hostname and not IP address.
3. Check event logs
On the client computer check the system event logs. The event logs can provide
details as to why a GPO failed. The below example is an error from a GPO that tried to
install the Chrome browser.
4. GPResult command
The gpresult command will show you which group policies are applied to a user and
computer. This is a great command for GPO troubleshooting; it is the best option to
determine which GPOs are being applied. You will need to know which GPOs you are
expecting to see, which you can determine from the GPMC.
To see computer policy GPOs you must run the command prompt as
administrator.
From the command prompt run gpresult /r.
The command should return the computer settings and the applied group policy
objects.
In the screenshot above you can see 4 GPOs are applied to the computer.
Now close the command prompt and run it as a regular user. For example, I’m logged
in as user “Adam.Reed”.
In the screenshot above you can see 3 GPOs are applied to the user Adam Reed but
one was not applied due to security filtering.
5. RSoP
Only use this command if you have verified the GPOs are applied with the gpresult
command.
This command will show you what policy changes are being made by the applied
GPOs. So again, it’s not going to help you if the GPOs are not even being applied.
There are several steps to using this command; you can refer to my RSoP guide for
complete instructions.
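As an added example that is not part of the article, the following PowerShell function runs steps 1 to 4 of this lesson in one pass from an elevated prompt on a domain-joined client: it forces a refresh, tests SYSVOL by the domain controller's name (never its IP), pulls recent errors and warnings from the Group Policy operational event log, and captures the "Applied Group Policy Objects" section of gpresult /r. The function and property names are mine; the log name and the gpupdate and gpresult switches are standard Windows. The success heuristic for gpupdate (no "fail" or "error" in its output) is an assumption, so read the raw output when it reports a failure.

```powershell
# Added example, not from the original article. Run elevated on a domain-joined
# client so the computer-side results are included.

function Test-GpoClientHealth {
    param(
        [string] $Domain = $env:USERDNSDOMAIN,                  # DNS domain of the logged-on user
        [string] $Server = ($env:LOGONSERVER -replace '^\\+', ''),  # DC hostname, e.g. DC1
        [int]    $Hours  = 24                                   # how far back to read the event log
    )

    # 1. Force a refresh of all settings, not only changed ones.
    $gpupdate  = & gpupdate.exe /force 2>&1
    $refreshOk = (($gpupdate -join "`n") -notmatch 'fail|error')   # heuristic (assumption)

    # 2. SYSVOL must be reachable by name; the Policies folder holds one
    #    GUID-named folder per GPO.
    $sysvol   = "\\$Server\SYSVOL\$Domain\Policies"
    $sysvolOk = Test-Path -LiteralPath $sysvol
    $gpoCount = if ($sysvolOk) { (Get-ChildItem -LiteralPath $sysvol -Directory).Count } else { 0 }

    # 3. Errors (level 2) and warnings (level 3) from the Group Policy
    #    operational log say *why* a GPO failed (DNS, SYSVOL access, a CSE error).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
                  Level     = 2, 3
                  StartTime = (Get-Date).AddHours(-$Hours)
              } -ErrorAction SilentlyContinue

    # 4. gpresult /r lists applied GPOs per computer and per user, plus the
    #    GPOs that were filtered out and the reason.
    $rsop = & gpresult.exe /r 2>&1

    [pscustomobject]@{
        RefreshSucceeded = $refreshOk
        SysvolReachable  = $sysvolOk
        SysvolPath       = $sysvol
        GpoFoldersFound  = $gpoCount
        GpErrorsRecent   = @($events).Count
        RecentErrors     = @($events | Select-Object -First 5 | ForEach-Object {
                               '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
                           })
        AppliedGpoLines  = @($rsop | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10 |
                               ForEach-Object { $_.Context.PostContext })
    }
}

Test-GpoClientHealth | Format-List
```

If SysvolReachable is False while the path is correct, the usual suspects are DNS (the client resolving the wrong DC) or the client using an IP address instead of a name, which is exactly the check the article calls out; GpErrorsRecent greater than zero points you at the event text that explains which extension failed.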
Maybe you have no errors, all GPOs are applied as expected but the policy is still
wrong.
Did you check the GPO order of precedence in the management console?
Remember the last GPO applied takes precedence. Another way to think of it is the
GPO that is closest to the object (user or computer) wins.
I hope you enjoyed this group policy guide. If you have comments or questions post
them below in the comment section.