ADDS and Group Policy (SYS 255) - Chromosom3/TechNotes GitHub Wiki
The two tools you need to work on group policy are:
- Active Directory Users and Computers
- Group Policy Management
You will use Active Directory Users and Computers to make user accounts, security groups, and organizational units (OUs). Once you have your domain set up and are ready to start applying policy to the domain, open Group Policy Management. From there you can create and apply group policy objects (GPOs).
Active Directory Users and Computers
This section will focus on the first of the two above-mentioned tools, Active Directory Users and Computers. Once you open Active Directory Users and Computers you should see a screen similar to the one below, just note the domain name and OUs will be different and they may not be expanded.
To create a new user, group, OU, or computer, right-click the OU or folder you want to create the object in, select "New", and then select the type of object you wish to create.
Depending on what type of object you are attempting to create a new dialog will appear to create that object. Be sure to keep consistent naming conventions and put objects in the correct locations.
Group Policy Management
This section will focus on the second of the two tools mentioned above, Group Policy Management. This is the tool that will allow you to create GPOs and apply them to objects. When you open Group Policy Management you should see a screen similar to this one.
To create a new GPO you can select the OU you wish to apply it to, right-click and select "Create A GPO in this Domain, and Link it here...".
This will open a new dialog that will ask for the GPO name and if you want to use a starter GPO. A starter GPO is a template with policy settings. You need to create starter GPOs in the appropriate section to have them be listed. If you want to link an existing GPO you would select "Link an Existing GPO ..." and then a new dialog will appear asking you what GPO you want to link.
GPO Security Filtering and Delegation
At some point, you will want to restrict which objects a GPO applies to. To do this, select the GPO and use the Security Filtering section or the Delegation tab.
From the image above you can see that the GPO "sys255-desktop" is only applied to users in the custom-desktop group. Below you see the delegation settings for the same GPO, showing that the policy will not apply to Domain Computers. What you do not see is that Domain Computers still have read access to the GPO.
Editing GPO settings
To edit a GPO right-click the GPO and select "Edit". This will open the following dialog.
From here you can go through and configure the options as you see fit. When you set a Computer Configuration that setting will apply to the computer regardless of the user account. These settings are applied when the computer powers on. User configuration settings will be applied to the user account regardless of the system they are on. This is applied to the user at logon.
Testing Group Policy
When you create GPOs and link them you are going to want to make sure that the policies are being applied to the systems and working. Below are some commands that you can run to help test Group Policy.
Commands:
- `gpupdate /force`: Will force the computer to fetch the latest Group Policy information. You can add `/boot` to have the computer auto-restart if necessary.
- `gpresult /r`: This will show the current Group Policy Objects that are being applied to the system. You can specify `/scope computer` or `/scope user` to filter for policies that are specific to the computer or the user.
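A scripted version of these checks, as an added example that is not part of the original notes: it refreshes policy, parses `gpresult /r` for the applied GPO list, and prints who has Apply and Read permission on the GPO. It assumes English-language `gpresult` output, the GPO name `sys255-desktop` used on this page, and (for the permission listing only) the RSAT GroupPolicy module; `Get-AppliedGpoName` is a helper name made up for this example.

```powershell
# Added example: confirm a GPO is actually applied after linking and filtering it.
# Assumptions: English-language gpresult output; run on a domain-joined client as
# the user under test. The computer scope of gpresult needs an elevated prompt.
$GpoName = 'sys255-desktop'   # GPO name taken from this page
$Scope   = 'user'             # 'user' or 'computer'

function Get-AppliedGpoName {
    param([string[]]$GpResultLines)
    # Return the names listed under the "Applied Group Policy Objects" heading.
    $inSection = $false
    foreach ($line in $GpResultLines) {
        if ($line -match '^\s*Applied Group Policy Objects\s*$') {
            $inSection = $true
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-+\s*$') { continue }           # underline row
        if ([string]::IsNullOrWhiteSpace($line)) { break }    # blank line ends the list
        if ($line.Trim() -ne 'N/A') { $line.Trim() }          # N/A means nothing applied
    }
}

# Refresh policy first so the result reflects the current links and filtering.
# Answering 'n' keeps gpupdate from waiting on a logoff/restart prompt.
'n' | gpupdate /target:$Scope /force | Out-Null

$applied = @(Get-AppliedGpoName -GpResultLines (gpresult /r /scope $Scope))

if ($applied -contains $GpoName) {
    Write-Output "OK: '$GpoName' is applied in the $Scope scope."
} else {
    Write-Warning "'$GpoName' is NOT applied in the $Scope scope."
    Write-Output  "Applied GPOs: $($applied -join ', ')"
}

# If the GroupPolicy module is installed, list the GPO's permissions.
# GpoApply corresponds to Security Filtering; GpoRead is read-only access,
# as shown on the Delegation tab.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
        Sort-Object Permission, Trustee |
        Format-Table -AutoSize
}
```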
Studying for the Exam
To prepare for this week's exam I will be reviewing my Tech Journal and updating it where I see fit to ensure it contains all the proper information and covers everything I need to know. I will also attempt to rebuild my environment to get more practice.