OU Setup Notes - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

In this page I detail how I created an OU and configured group policies.

Notes

First I booted up ad01-firstname and opened Server Manager > clicked Local Server > clicked "Tools" > clicked "Active Directory Users and Computers"

These next steps can be confusing. Go slow and double-check along the way. If a check box is not mentioned, leave it blank if you can.

Then I right-clicked on "Firstname.local" and selected New > Organizational Unit > Name it "SYS255".

Then I right-clicked on "SYS255" and selected New > Organizational Unit > Name it "Accounts".

I repeated this step two times but replaced "Accounts" with "Computers" and "Groups".

I then right-clicked "Accounts" and selected New > User > Name it "bob".

I used "bob" for the Logon information as well. If creating the password is causing trouble, use a password generator set to >=7 characters with uppercase and lowercase letters plus numbers.

I repeated this step two times but replaced "bob" with "alice" and "charlie".

The end result should look like this:

[Screenshot: 1-git]

Then I dragged "WKS01-firstname" from firstname.local > Computers to SYS255 > Computers.

I then right-clicked "Groups" in SYS255 and selected Groups, and used the name "custom-desktop" as the group name, Group scope as Global, and Group type as Security.

I then double-clicked on "custom-desktop" > clicked "Members" > clicked Add > in the writing field entered "bob" > clicked OK

I would repeat the process in Members but replace "bob" with "alice". I WOULD THEN CLICK APPLY

From here I went back to Server Manager > Tools > Group Policy Management

From here I went back to server manager > Tools > Group Policy Management

In the manager I would click the dropdowns for "Forest: firstname.local" > "Domains" > "firstname.local"

Here I right-clicked "SYS255" > clicked Create a GPO > called it "sys255-desktop"

Then I double-clicked the newly created GPO, "sys255-desktop", and did the following:

The following steps can be confusing, so take caution and go slow.

  1. Click Add > write "custom-desktop" into the writable field > OK
  2. Click on "Authenticated Users" > Remove > read the message and click OK
  3. Click Add > write "Domain Computers" into the writable field > OK
  4. Click the tab "Delegation" > click "Advanced"
  5. Click on "Domain Computers" > set "Apply group policy" to Deny > click Apply then OK

After this, as an example, I got rid of the Recycle Bin for "custom-desktop" users.

After this I, as an example, got rid of the Recycle bin for "custom-desktop" users

Example: Death of a Recycle Bin

In this section I detail how I removed the Recycle Bin for "custom-desktop" users.

First I went into the Group Policy manager, found the SYS255 OU, right-clicked on "sys255-desktop" and selected Edit.

In the editor I would go down the dropdown as follows: User Configuration > Policies > Administrative Templates > click "Desktop"

Here I would find the option "Remove Recycle Bin from desktop" > right-click and select Edit > on the left side there will be 3 options; to turn the setting on, click "Enabled" > Apply

If all works, when you log in as a "custom-desktop" user, like alice or bob, you will not have access to the Recycle Bin.
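
The whole procedure on this page can also be scripted with the ActiveDirectory and GroupPolicy PowerShell modules. The block below is an added example, not part of the original journal. It assumes the placeholder domain `firstname.local`, an elevated session on the domain controller, and that read-only access for "Domain Computers" is an acceptable stand-in for the explicit Deny set in step 5, which `Set-GPPermission` cannot express.

```powershell
# Added example (not from the original wiki): scripts the GUI steps on this page.
# Run elevated on the domain controller; 'firstname' is the page's placeholder.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=firstname,DC=local'
$rootOu   = "OU=SYS255,$domainDn"
$gpo      = 'sys255-desktop'

# SYS255 and its three child OUs
New-ADOrganizationalUnit -Name 'SYS255' -Path $domainDn
'Accounts', 'Computers', 'Groups' | ForEach-Object {
    New-ADOrganizationalUnit -Name $_ -Path $rootOu
}

# Users in Accounts; the password is prompted for, never stored in the script
$password = Read-Host -AsSecureString -Prompt 'Initial password for the users'
foreach ($name in 'bob', 'alice', 'charlie') {
    New-ADUser -Name $name -SamAccountName $name -Path "OU=Accounts,$rootOu" `
        -AccountPassword $password -Enabled $true
}

# Move the workstation into SYS255 > Computers
Get-ADComputer -Identity 'WKS01-firstname' |
    Move-ADObject -TargetPath "OU=Computers,$rootOu"

# Global security group with bob and alice as members
New-ADGroup -Name 'custom-desktop' -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$rootOu"
Add-ADGroupMember -Identity 'custom-desktop' -Members 'bob', 'alice'

# Create the GPO and link it to the SYS255 OU
New-GPO -Name $gpo | New-GPLink -Target $rootOu

# Security filtering: only custom-desktop applies the GPO.
# -Replace is needed to lower the default Authenticated Users permission.
Set-GPPermission -Name $gpo -TargetName 'custom-desktop' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace
# Assumption: read-only gives the same net result as Allow + Deny "Apply group policy"
Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Registry value behind the Desktop template's Recycle Bin setting (User Configuration)
Set-GPRegistryValue -Name $gpo -Type DWord -Value 1 `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum' `
    -ValueName '{645FF040-5081-101B-9F08-00AA002F954E}'

# Review who can read and apply the GPO before testing a logon
Get-GPPermission -Name $gpo -All
```

In the final output, "Authenticated Users" should be absent and "custom-desktop" should be the only trustee with GpoApply; charlie, who is not in the group, should still see the Recycle Bin after logging in.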