
Active Directory on a Windows Server 2003 Network

Active Directory is the information hub of the Windows Server 2003 operating system. The
following figure shows Active Directory as the focal point of the Windows Server 2003 network
used to manage identities and broker relationships between distributed resources so they can
work together.

Active Directory on a Windows Server 2003 Network

Active Directory provides:


• A central location for network administration and delegation of administrative authority. You have access to objects
representing all network users, devices, and resources and the ability to group objects for ease of management and
application of security and Group Policy.
• Information security and single sign-on for user access to network resources. Tight integration with security
eliminates costly tracking of accounts for authentication and authorization between systems. A single user name and
password combination can identify each network user, and this identity follows the user throughout the network.
• Scalability. Active Directory includes one or more domains, each with one or more domain controllers, enabling you
to scale the directory to meet any network requirements.
• Flexible and global searching. Users and administrators can use desktop tools to search Active Directory. By default,
searches are directed to the global catalog, which provides forest-wide search capabilities.
• Storage for application data. Active Directory provides a central location to store data that is shared between
applications and with applications that need to distribute their data across entire Windows networks.
• Systematic synchronization of directory updates. Updates are distributed throughout the network through secure and
cost-efficient replication between domain controllers.
• Remote administration. You can connect to any domain controller remotely from any Windows-based computer that
has administrative tools installed.
• Single, modifiable, and extensible schema. The schema is a set of objects and rules that provide the structure
requirements for Active Directory objects. You can modify the schema to implement new types of objects or object
properties.
• Integration of object names with Domain Name System (DNS), the Internet-standard computer location system.
Active Directory uses DNS to implement an IP-based naming system so that Active Directory services and domain
controllers are locatable over standard IP both on intranets and the Internet.
• Lightweight Directory Access Protocol (LDAP) support. LDAP is the industry standard directory access protocol,
making Active Directory widely accessible to management and query applications. Active Directory supports
LDAPv3 and LDAPv2.

WHAT IS ACTIVE DIRECTORY?


Active Directory is a directory service. The term directory service refers to two things — a
directory where information about users and resources is stored and a service or services that
let you access and manipulate those resources. Active Directory is a way to manage all
elements of your network, including computers, groups, users, domains, security policies, and
any type of user-defined objects. It melds several NT services and tools that have functioned
separately so far — User Manager for Domains, Server Manager, Domain Name Server —
and provides additional functions beyond these services and tools.

Active Directory is built around Domain Name System (DNS) and Lightweight Directory Access
Protocol (LDAP) — DNS because it is the standard on the Internet and is familiar, LDAP
because most vendors support it. Active Directory clients use DNS and LDAP to locate and
access any type of resource on the network. Because these are platform-independent
protocols, Unix, Macintosh, and other clients can access resources in the same fashion as
Windows clients.

WHY ACTIVE DIRECTORY?


While NT 4.0 was a pretty good network operating system, it wasn't entirely
equipped for enterprise networking. Network Neighborhood was a great tool
until you had a huge network; then browsing problems would begin, and finding a
particular printer or server could become a nightmare, especially if you didn't
know its name. Furthermore, in order to even accommodate such a network,
you would most likely have to partition it into several domains connected with
trust relationships. AD solves many of these problems and offers a new level of
scalability and organization for enterprise computing. The directory of each
domain can store as many as 10 million objects, which is enough to accommodate
millions of users per domain.

DIRECTORY ARCHITECTURE:
First let's introduce the concept of "Sites". Sites are used to define the boundaries
of high-speed links on a network containing Active Directory Servers. Sites are
based on IP subnets and are defined as a "well-connected subnet or subnets". Do
not confuse this term with the concept of domains which are discussed next.

One thing that hasn't changed from NT 4.0 is the use of domains. A domain is still
the centerpiece of a Windows 2000 network; however, it is set up differently.
Domain controllers are no longer separated into PDCs and BDCs. Now there are
simply DCs (Domain Controllers). By default, all Win2K servers are installed as
Standalone Member Servers. DCPROMO.EXE is the Active Directory Installation
Wizard and is used to promote a non-domain controller to a DC and vice versa.
The wizard prompts for all of the required information to install Active Directory
under the conditions that you have asked it to run.

Knowledge Consistency Checker (KCC) - This is a service created in order to ensure
that the Active Directory service in the Windows 2000 operating system can replicate
properly. It runs on all DCs and automatically establishes connections between
individual computers in the same site. These are known as Active Directory connection
objects. An administrator can establish additional connection objects or remove
connection objects, but at any point where replication within a site becomes
impossible or has a single point of failure, the KCC steps in and establishes as
many new connection objects as necessary to resume Active Directory replication.

Each domain controller in a domain is capable of accepting requests for changes
to the domain database and replicating that information with the other DCs in the
domain. The first domain that is created is referred to as the "root domain" and is
at the top of the directory tree. All subsequent domains will live beneath the root
domain and are referred to as child domains. The child domain names must be
unique. As you are viewing the items below, pay attention to how Windows 2000
now supports internet naming conventions.

When a root domain and at least 1 child domain have been created, a "tree" is
formed. Remember and understand this term, as you will hear it often when
working with a directory service.

You can see that the structure begins to take the shape of a tree with branches
and sub-branches. Now what if we are a company like Microsoft or DuPont that
owns several other corporations? Typically, each company would have its own
tree and these would be aggregated together via trusts to create a "forest". Let's
look at an example using our site.

So let's say that our company owns techtutorials.net (actually that is true) and
xyzabc. You can see that the individual trees are organized just like the root
domain (mcmcse).

TRUSTS OVERVIEW:
Trusts are much more easily managed in Windows 2000 than in NT 4.0. There are
2 main reasons that this is the case.

1. When a new domain is added, trust relationships are automatically
configured.
2. Trusts are now commutative 2-way trusts. This means that if domain A
trusts domain B then the reverse is automatically true. In Windows NT 4.0
trusts had to be administered as a series of 1-way trusts and could be
quite cumbersome.
3. Trusts are automatically transitive, which means that if domain A trusts
domain B and domain B trusts domain C, then domain A trusts domain C
and vice versa.

These changes save an administrator some of the time-consuming administration
efforts spent creating and maintaining trusts that were required in NT 4.0. 1-way
trusts can still be created when necessary.

DIRECTORY COMPONENTS:
Now that we have looked at the big picture, it is time to take a look at what
happens inside a domain. To get started, the first concept that you will need to
understand is what the directory is made of. A common analogy for a directory is a
phonebook. Both contain listings of various objects and information and
properties about them. Within the directory are several other terms that you
must know to gain even an entry-level understanding of how it all works.

• Objects - Objects in the database can include printers, users, servers,
clients, shares, services, etc. and are the most basic component of the
directory.
• Attributes - An attribute describes an object. For example, passwords
and names are attributes of user objects. Different objects will have a
different set of attributes that define them; however, different objects may
also share attributes. For example, a printer and a Windows 2000
Professional workstation may both have an IP address as an attribute.
• Schema - A schema defines the list of attributes that describe a given
type of object. For example, let's say that all printer objects are defined by
name, PDL type and speed attributes. This list of attributes comprises the
schema for the object class "printers". The schema is customizable,
meaning that the attributes that define an object class can be modified.
• Containers - A container is very similar to the folder concept in Windows.
A folder contains files and other folders. In Active Directory, a container
holds objects and other containers. Containers have attributes just like
objects, even though they do not represent a real entity like an object. The
3 types of containers are Domains, Sites and Organizational Units and are
explained in more detail below.
o Domains - We have already discussed this concept in the preceding
paragraphs.
o Sites - A site is a location. Specifically, sites are used to distinguish
between local and remote locations. For example, company XYZ
has its headquarters in San Francisco, a branch office in Denver
and an office that uses DUN to connect to the main network from
Portland. These are 3 different sites.
o Organizational Units - Organizational units are containers into
which you can place users, groups, computers, and other
organizational units. An organizational unit cannot contain objects
from other domains. Because organizational units can contain
other OUs, a hierarchy of containers can be created to model your
organization's structure and hierarchy within a domain.
Organizational units should be used to help minimize the number of
domains required for a network.

Now that we know what these concepts mean, let's take a visual look at what is
going on inside a domain.

The folder symbols represent Organizational Unit (OU) containers and within each
of these we find objects such as printers, servers, computers, users, etc. Instead
of objects directly located inside these OUs, there could be more OU containers.

OBJECT NAMES:
Most of us are used to the 15-character NetBIOS naming conventions of NT 4.0.
Things are quite different now, as Windows 2000 uses Lightweight Directory
Access Protocol (LDAP) to supply the naming convention. This is a fairly
complicated naming system for those of you without experience with Novell's
context concept. The 2 basic concepts that you need to know are distinguished
names and common names. Distinguished names are the complete "path"
through the hierarchical tree structure to a specific object. This is similar to
specifying the complete path to a file from a DOS prompt. This "path" points to
the location of an object in the hierarchy. Let's take a look in more detail.

The following are the components that make up a distinguished name:

• OU - Organizational Unit. This attribute is used to divide a namespace
based on organizational structure, as previously discussed. An OU usually
is associated with an Active Directory container or folder.
• DC - Domain Component. A distinguished name that uses DC attributes
will have one DC for every domain level below root. Another way of
thinking of this would be that there would be a DC attribute for every item
separated by a dot in the domain name.
• CN - Common Name. This attribute represents the object itself within the
directory service.

NOTE: Contrary to information that is currently posted online (even on Microsoft's
site), AD doesn't support C= and O= objects as Novell does. The information that
you may see posted refers to NT 5 development.

Here is an example of a distinguished name:


/DC=COM/DC=mcmcse/CN=Users/CN=Jason Sprague.
Now lets say that I was a member of the sales.mcmcse.com domain. My new DN
would be:
/DC=COM/DC=mcmcse/DC=sales/CN=Users/CN=Jason Sprague.
And what about my computer called WOPR? It would be:
/DC=COM/DC=mcmcse/CN=Computers/CN=WOPR.
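The distinguished names above, as an added example that is not part of the original tutorial: a small Python module that builds DNs from a DNS domain name (one DC= per dot-separated label) and a container path, escapes the characters RFC 2253 reserves, splits a DN back into its components, and converts the tutorial's slash notation into standard LDAP order. The names and domains used are constructed.

```python
# Added example (not from the original tutorial): build and take apart LDAP
# distinguished names as Active Directory stores them.
#
# The tutorial writes DNs root-first with slashes, e.g.
#     /DC=COM/DC=mcmcse/CN=Users/CN=Jason Sprague
# LDAP itself (RFC 2253) writes them leaf-first and comma-separated:
#     CN=Jason Sprague,CN=Users,DC=mcmcse,DC=com
# Either way the rule from the text holds: one DC= component per dot-separated
# label of the DNS domain name. Names and domains below are constructed.

from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 2253 2.4).
# An unescaped comma in a display name such as "Sprague, Jason" would otherwise
# be parsed as the start of a new component, which is how DN injection bugs
# arise when names come from untrusted input.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Reserved characters anywhere; '#' only when leading; spaces only at the ends.
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_components(dns_name: str) -> list[str]:
    """'sales.mcmcse.com' -> ['DC=sales', 'DC=mcmcse', 'DC=com']."""
    labels = [lab for lab in dns_name.strip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return [f"DC={escape_rdn_value(lab)}" for lab in labels]


def build_dn(dns_name: str, path: list[tuple[str, str]]) -> str:
    """Build an RFC 2253 DN for an object.

    path lists the containers root-first, as the tutorial does, ending with the
    object itself, e.g. [("CN", "Users"), ("CN", "Jason Sprague")]. It is
    reversed so the leaf object comes first in the LDAP string.
    """
    rdns = [f"{attr.upper()}={escape_rdn_value(val)}" for attr, val in path]
    return ",".join(rdns[::-1] + domain_components(dns_name))


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    escaped = False
    for ch in dn + ",":                 # sentinel comma flushes the last RDN
        if escaped:
            buf.append(ch)              # escaped character is literal, never a separator
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, _, val = "".join(buf).partition("=")
            pairs.append((attr.strip(), val))
            buf = []
        else:
            buf.append(ch)
    return pairs


def slash_dn_to_ldap(slash_dn: str) -> str:
    """Convert the tutorial's root-first slash notation to RFC 2253 order.

    The trailing sentence period the tutorial prints after each DN is dropped.
    """
    parts = [p for p in slash_dn.strip().rstrip(".").split("/") if p]
    return ",".join(reversed(parts))
```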

Windows 2000 also supports several other naming conventions in addition to
distinguished names, as listed in the table below.

Naming Convention                    Example
Friendly name/RFC 822                jsprague@mcmcse.com
LDAP URL                             LDAP://mcmcse.com/CN=jsprague,OU=sales,O=MCMCSE,C=US
Universal Naming Convention (UNC)    \\mcmcse.com\documents\webpages\index.shtml

REPLICATION:
Windows 2000 networks will rely heavily on AD, and thus it will be very
important that the service is running, fast and accessible at all times. In order to
accomplish this, the AD database must exist on multiple servers so that if one
server fails, a client can contact a server with duplicate services and information.
This not only creates redundancy, but reduces the load on individual servers. All
that needs to be done for a domain controller to become a replication partner is
to add it to the AD domain.

One of the most complex parts of making redundant servers work properly is
replicating the information and ensuring that all servers have the most up-to-date
content. Active Directory uses multimaster replication, which is another way of
stating that updates can occur on any Active Directory server. This also means
that there is not a master domain controller and all DCs work together in a peer
relationship. Each server keeps track of which updates it has received from which
servers, and can intelligently request only necessary updates in case of a failure.
This is accomplished via the use of unique sequence numbers (USN). Every time
an update is made, it is assigned a unique sequence number from a counter that
is incremented whenever a change is made.
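The USN mechanism described above, as an added example that is not from the original tutorial: a toy multimaster replication model in Python in which every DC stamps its own writes with a local counter, remembers the highest USN it has already applied from each originating DC, and asks a partner only for changes newer than that. DC names, DNs and attribute values are constructed.

```python
# Added example (not from the original tutorial): a toy model of Active
# Directory multimaster replication driven by update sequence numbers (USNs).
# Every DC accepts writes and stamps each one with its own counter; a DC that
# pulls from a partner sends the highest USN it has already applied from each
# originating DC, so the partner returns only the changes it is missing.
# DC names and attribute values are constructed for the demonstration.

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    originating_dc: str    # DC on which the write was originally made
    originating_usn: int   # that DC's USN for the write; identifies it forest-wide
    dn: str
    attribute: str
    value: str


@dataclass
class DomainController:
    name: str
    usn: int = 0                                     # local counter, bumped on every write
    objects: dict[str, dict[str, str]] = field(default_factory=dict)
    # Highest originating USN already applied, per originating DC. This vector is
    # what lets a DC ask a partner for "only the necessary updates".
    watermark: dict[str, int] = field(default_factory=dict)
    log: list[Change] = field(default_factory=list)  # every change, in local apply order

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def _store(self, ch: Change) -> None:
        self.objects.setdefault(ch.dn, {})[ch.attribute] = ch.value
        self.log.append(ch)
        seen = self.watermark.get(ch.originating_dc, 0)
        self.watermark[ch.originating_dc] = max(seen, ch.originating_usn)

    def write(self, dn: str, attribute: str, value: str) -> Change:
        """Originating write: there is no master, so any DC may accept it."""
        ch = Change(self.name, self._next_usn(), dn, attribute, value)
        self._store(ch)
        return ch

    def changes_since(self, partner_watermark: dict[str, int]) -> list[Change]:
        """Serve a partner: return only changes newer than what it has already seen."""
        return [c for c in self.log
                if c.originating_usn > partner_watermark.get(c.originating_dc, 0)]

    def pull_from(self, partner: DomainController) -> int:
        """Request missing changes from a partner and apply them; return the count."""
        missing = partner.changes_since(self.watermark)
        for ch in missing:
            self._next_usn()          # replicated writes also consume a local USN
            self._store(ch)
        return len(missing)


def demo() -> dict[str, int]:
    """Three DCs, two originating writes, and a pull sequence showing the filtering."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.write("CN=Jason Sprague,CN=Users,DC=mcmcse,DC=com", "telephoneNumber", "555-0100")
    b.write("CN=WOPR,CN=Computers,DC=mcmcse,DC=com", "operatingSystem", "Windows 2000")
    transferred = {
        "c_from_a": c.pull_from(a),        # A's one change
        "b_from_a": b.pull_from(a),        # A's one change
        "c_from_b": c.pull_from(b),        # B's own change only; A's is filtered by the watermark
        "c_from_b_again": c.pull_from(b),  # nothing new
        "a_from_b": a.pull_from(b),        # B's change; A's own change is not sent back
    }
    transferred["converged"] = int(a.objects == b.objects == c.objects)
    return transferred


if __name__ == "__main__":
    for step, count in demo().items():
        print(f"{step:15} {count}")
```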

SECURITY:
There are now three types of groups in Windows 2000:
• Domain Local (similar to a local group)
• Global
• Universal groups

The rules remain the same for Local and Global groups, except that you can now
nest groups in Native mode. Universal groups can have membership from any
domain and can be used to assign access to any resource in any domain.
Accounts go into Global Groups which then go into local groups that are assigned
permissions to use a resource.

Each group can have one of two functions in Native mode - distribution or
security. Security groups are the ones we are familiar with in NT4 while
distribution groups will be used primarily with Exchange 2000 or any other Active
Directory mail application.

GROUP POLICY:
Group Policy in Windows 2000 is one of its largest administrative enhancements
and is designed to enable administrators to control the environment with minimal
effort. Group Policy is administered through the Group Policy Microsoft
Management Console (MMC) snap-in. Group policies are not applied to "groups",
but we can apply them to OUs. There are five major categories that group policies
can be configured for:

• Folder redirection: Store users' folders (My Documents, My Pictures) on the
network.
• Security: Similar to account policies under User Manager in NT4 - includes
settings for the local computer, the domain, and network security.
• Administrative Templates - NT4 administrators will recognize this section as
system policies - in a much more convenient and flexible configuration. Included
are desktop, application, and system settings.
• Software Installation - Completely new - enables an administrator to have
software installed automatically at the client machine - or removed automatically.
• Scripts - similar to logon scripts in NT4, but we can now specify a startup and a
shutdown script for the computer as well as a logon and a logoff script for the
user.

2.3.1 Problem

You want to create a new domain that may be part of an existing domain tree or the
root of a new domain tree.

2.3.2 Solution

2.3.2.1 Using a graphical user interface

Run dcpromo from a command line or Start → Run.

On a Windows 2000 domain controller, select "Domain controller for a new domain"
and then you can select one of the following:

• Create a new domain tree
o Place this new domain tree in an existing forest
• Create a new child domain in an existing domain tree

On a Windows Server 2003 domain controller, select "Domain controller for a new
domain" and then you can select one of the following:

• Domain in a new forest
• Child domain in an existing domain tree
• Domain tree in an existing forest

2.3.2.2 Using a command-line interface

dcpromo can also be run in unattended mode. See Recipe 3.4 for more details.

2.3.3 Discussion

The two options dcpromo offers to create a new domain are adding the domain to an
existing domain tree or starting a new domain tree. If you want to create a new
domain that is a subdomain (contained within the same namespace) of a parent
domain, you are creating a domain in an existing domain tree. If you are creating the
first domain in a forest or a domain outside the namespace of the forest root, you are
creating a domain in a new domain tree.

Each domain increases the support costs of Active Directory due to the need for
maintaining additional domain controllers and time spent configuring and maintaining
the domain. When designing an Active Directory forest, your goal should be to keep
the number of domains that are necessary to a minimum.

Creating a Trust Between a Windows NT Domain and an AD Domain

2.15.1 Problem

You want to create a one-way or two-way nontransitive trust from an AD domain to a
Windows NT domain.

2.15.2 Solution

2.15.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select
Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the NetBIOS name of the NT domain and click Next.
7. Assuming the NT domain was resolvable via its NetBIOS name, the next
screen will ask for the Direction of Trust. Select Two-way, One-way
incoming, or One-way outgoing, and click Next.
8. If you selected Two-way or One-way Outgoing, you'll need to select the scope
of authentication, which can be either Domain-wide or Selective, and click
Next.
9. Enter and re-type the trust password and click Next.
10. Click Next twice to finish.

Promoting a server to be a domain controller

3.1.1 Problem

You want to promote a server to a domain controller. You may need to promote a
domain controller to either initially create a domain in an Active Directory forest or
add additional domain controllers to the domain for load balancing and failover.

3.1.2 Solution

Run dcpromo.exe from a command line or via Start → Run and answer the
questions according to the forest and domain you want to promote the server into.

3.1.3 Discussion

Promoting a server to a domain controller is the process where the server becomes
authoritative for an Active Directory domain. When you run the dcpromo program, a
wizard interface walks you through a series of screens that collects information about
the forest and domain to promote the server into. There are several options for
promoting a server:

Organisational Units

Introduction

An LDAP directory, such as Active Directory, stores data in a hierarchy of containers
and leaf nodes called the directory information tree (DIT). Leaf nodes are end points
in the tree, while containers can store other containers and leaf nodes. In Active
Directory, the two most common types of containers are organizational units (OUs)
and container objects. The container objects are generic containers that do not have
any special properties about them other than that they can contain objects.
Organizational units, on the other hand, have some special properties, such as being
able to be linked to a group policy. In most cases, when designing a hierarchy of
objects in Active Directory, especially users and computers, you should use OUs
instead of containers. There is nothing you can do with a container that you can't do
with an OU, but the reverse is not true.

Creating an OU

5.1.1 Problem

You want to create an OU.

5.1.2 Solution

5.1.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers (ADUC) snap-in.
2. If you need to change domains, right-click on the Active Directory Users and
Computers label in the left pane, select Connect to Domain, enter the domain
name, and click OK.
3. In the left pane, browse to the parent container of the new OU, right-click on
it, and select New Organizational Unit.
4. Enter the name of the OU and click OK.
5. To enter a description for the new OU, right-click on the OU in the left pane
and select Properties.
6. Click OK after you are done.

Moving an OU

5.7.1 Problem

You want to move an OU and all its child objects to a different location in the
directory tree.

5.7.2 Solution

5.7.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and
Computers" in the left pane, select Connect to Domain, enter the domain
name, and click OK.
3. In the left pane, browse to the OU you want to move.
4. Right-click on the OU and select Move.
5. Select the new parent container for the OU and click OK.

User Accounts

Introduction

User accounts are one of the most frequently used types of objects in Active
Directory. Because Windows 2000 and Windows 2003 systems manage users through
Active Directory, many key issues that system administrators have to deal with are
covered in this chapter. In particular, Active Directory manages all the information
regarding passwords, group membership, the disabling or expiration of accounts, and
when users have logged in.

Creating a User

6.1.1 Problem

You want to create a user object.

6.1.2 Solution

6.1.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers (ADUC) snap-in.
2. If you need to change domains, right-click on "Active Directory Users and
Computers" in the left pane, select Connect to Domain, enter the domain
name, and click OK.
3. In the left pane, browse to the parent container of the new user, right-click on
it, and select New User.
4. Enter the values for the first name, last name, full name, and user logon name
fields as appropriate and click Next.
5. Enter and confirm password, set any of the password flags, and click Next.
6. Click Finish.

Moving a User

6.5.1 Problem

You want to move a user object to a different container or OU.

6.5.2 Solution

6.5.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and
Computers" in the left pane, select Connect to Domain, enter the domain
name, and click OK.
3. In the left pane, right-click on the domain and select Find.
4. Type the name of the user and click Find Now.
5. In the Search Results, right-click on the user and select Move.
6. Browse to the new parent container or OU and click on it.
7. Click OK.

Determining a User's Last Logon Time

This recipe requires the Windows Server 2003 forest functional level.

6.27.1 Problem

You want to determine the last time a user logged into a domain.

6.27.2 Solution

6.27.2.1 Using a graphical user interface

If you install the AcctInfo.dll extension to Active Directory Users and Computers,
you can view the last logon timestamp.

1. Open the Active Directory Users and Computers snap-in.
2. In the left pane, right-click on the domain and select Find.
3. Select the appropriate domain beside In.
4. Beside Name, type the name of the user you want to modify and click Find
Now.
5. In the Search Results, double-click on the user.
6. Click the Additional Account Info tab.
7. View the value for Last-Logon-Timestamp.

Finding Users Who Have Not Logged On Recently

This recipe requires the Windows Server 2003 domain functional level.

6.28.1 Problem

You want to determine which users have not logged on recently.

6.28.2 Solution

6.28.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. In the left pane, right-click on the domain and select Find.
3. Beside Find, select Common Queries.
4. Select the number of days beside Days since last logon.
5. Click the Find Now button.
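The "Days since last logon" query above, as an added example that is not part of the original cookbook: Python that decodes lastLogonTimestamp FILETIME values and lists enabled accounts that have been idle for more than N days, treating a zero value (never logged on) as its own case and skipping accounts already disabled. The user records are constructed; in a real directory they would come from an LDAP query.

```python
# Added example (not from the original cookbook): interpret lastLogonTimestamp
# values and list accounts that have not logged on within N days, the question
# the "Days since last logon" query in ADUC answers. The user records are
# constructed; in a real directory they would come from an LDAP query.
#
# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00 UTC. Zero or absent means the account has never logged on
# since the attribute existed. Unlike lastLogon it is replicated between DCs,
# but it is only refreshed when the stored value is older than roughly 14 days,
# so it is a stale-account sweep tool, not a precise logon clock.

from __future__ import annotations
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl flag for a disabled account


def filetime_to_datetime(filetime: int) -> datetime | None:
    """FILETIME integer -> aware UTC datetime; 0 (never logged on) -> None."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, e.g. to build an LDAP threshold.

    Integer arithmetic only: FILETIME values are around 1.3e17, beyond the
    range a float represents exactly.
    """
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def stale_accounts(users, now: datetime, days: int, include_never: bool = True):
    """Return [(sAMAccountName, last_logon_or_None)] for enabled accounts that
    have not logged on within `days`.

    Disabled accounts are skipped: they already cannot log on, and a review
    usually tracks them separately from accounts that should be disabled.
    """
    cutoff = now - timedelta(days=days)
    stale = []
    for u in users:
        if u.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(u.get("lastLogonTimestamp", 0))
        if last is None:
            if include_never:
                stale.append((u["sAMAccountName"], None))
        elif last < cutoff:
            stale.append((u["sAMAccountName"], last))
    return stale


# Constructed sample records; the keys are the real AD attribute names.
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "jsprague", "lastLogonTimestamp": 127301760000000000,  # 2004-05-28
     "userAccountControl": 0x200},
    {"sAMAccountName": "oldsvc",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2003, 12, 1, tzinfo=timezone.utc)),
     "userAccountControl": 0x200},
    {"sAMAccountName": "newhire", "lastLogonTimestamp": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "leaver",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2003, 1, 1, tzinfo=timezone.utc)),
     "userAccountControl": 0x200 | UAC_ACCOUNTDISABLE},
]


if __name__ == "__main__":
    for name, last in stale_accounts(SAMPLE_USERS, NOW, days=90):
        print(f"{name:10} last logon: {last.date() if last else 'never'}")
```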

Groups

Introduction

A group is a simple concept that has been used in many different types of systems
over the years. In generic terms, a group is just a collection of things. Groups are used
most frequently in a security context whereby you set up a group of users and apply
certain permissions or rights to that group. Using a group is much easier when
applying security than using individual users because you have to apply the security
only once instead of once per user.

In Active Directory, groups are flexible objects that can contain virtually any other
type of object as a member. Active Directory groups can be used for many different
purposes including controlling access to resources, defining a filter for the application
of group policies, and as an email distribution list.

The scope and type of a group defines how the group can be used in a forest. The type
of a group can be either security or distribution. Security groups can be used to restrict
access to resources whereas distribution groups can be used only as a simple grouping
mechanism. Both group types can be used as email lists. The scope of a group
determines where members of the group can be located in the forest and where in the
forest you can use the group in ACLs. The supported group scopes include universal,
global, and domain local. Universal groups and domain local groups can have
members that are part of any domain in the forest. Global groups can only have
members that are part of the same domain the group is in.

Creating a Group

7.1.1 Problem

You want to create a group.

7.1.2 Solution

7.1.2.1 Using a graphical user interface


1. Open the Active Directory Users and Computers (ADUC) snap-in.
2. If you need to change domains, right-click on Active Directory Users and
Computers in the left pane, select Connect to Domain, enter the domain name
and click OK.
3. In the left pane, browse to the parent container of the new group, right-click on
it, and select New Group.
4. Enter the name of the group and select the group scope (global, domain local,
or universal) and group type (security or distribution).
5. Click OK.

Introduction

As far as Active Directory is concerned, computers are very similar to users. In fact,
computer objects inherit directly from the user object class, which is used to
represent user accounts. That means computer objects have all of the attributes of
user objects and then some. Computers need to be represented in Active Directory
for many of the same reasons users do, including the need to access resources
securely, utilize GPOs, and have permissions granted or restricted on them.

To participate in a domain, computers need a secure channel to a domain controller. A
secure channel is an authenticated connection that can transmit encrypted data. To set
up the secure channel, a computer has to present a password to a domain controller.
The domain controller then verifies that password against the password stored in
Active Directory with the computer's account. Without the computer object, and
subsequently, the password stored with it, there would be no way for the domain
controller to verify a computer is what it claims to be.

Creating a Computer

8.1.1 Problem

You want to create a computer account.

8.1.2 Solution

8.1.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on Active Directory Users and
Computers in the left pane, select Connect to Domain, enter the domain name
and click OK.
3. In the left pane, browse to the parent container for the computer, right-click on
it, and select New Computer.
4. Enter the name of the computer and click OK.

Joining a Computer to a Domain

8.3.1 Problem

You want to join a computer to a domain after the computer object has already been
created in Active Directory.

8.3.2 Solution

8.3.2.1 Using a graphical user interface

1. Log onto the computer you want to join and open the Control Panel.
2. Open the System applet.
3. Click the Computer Name tab.
4. Click the Change button.
5. Under Member of, select Domain.
6. Enter the domain you want to join and click OK.
7. You may be prompted to enter credentials that have permission to join the
computer.
8. Reboot the computer.
9. Note that the tabs in the System applet vary between Windows 2000,
Windows XP, and Windows Server 2003.

Group Policy

Introduction

Active Directory group policy objects (GPOs) can customize virtually any aspect of a
computer or user's desktop. They can also install applications, secure a computer, run
logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a
specific security group, Organizational units (OU), site, or domain. This is called
scope of management (SOM for short) because only the users or computers that fall
under the scope of the group, OU, site, or domain will process the GPO. Assigning a
GPO to a SOM is referred to as linking the GPO.

With Windows Server 2003, you can also use a WMI filter to restrict the application
of a GPO. A WMI filter is simply a WMI query that can search against any
information on a client's computer. If the WMI filter returns a true value (i.e.,
something is returned from the query), the GPO will be processed; otherwise, it will
not. So not only do you have all of the SOM options for applying GPOs, you can now
use any WMI information available on the client's computer to determine whether
GPOs should be applied. For more on the capabilities of GPOs, I recommend reading
Chapter 7 of Active Directory, Second Edition (O'Reilly).

GPOs consist of two parts. groupPolicyContainer (GPC) objects are stored in
Active Directory for each GPO, which reside in the
cn=Policies,cn=System,<DomainDN> container. These objects store information
related to software deployment and are used for linking to OUs, sites, and domains.
The guts of GPOs are stored on the file system of each domain controller in group
policy template (GPT) files. These can be found in the
%SystemRoot%\SYSVOL\sysvol\<DomainDNSName>\Policies directory.

So why are there two storage points for GPOs? The need for the Active Directory
object is obvious: to be able to link GPOs to other types of objects, the GPOs need to
be represented in Active Directory. It is necessary to store GPOs on the file system
because clients currently use a file-based mechanism to process and store GPOs, and
to provide legacy support for the NETLOGON share.

Creating a GPO

9.2.1 Problem

You want to create a GPO to force users to have a particular desktop configuration or
provision configuration settings on workstations or servers.

9.2.2 Solution

9.2.2.1 Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container,
and browse to the domain of the target GPO.
3. Right-click on the Group Policy Objects container and select New.
4. Enter the name of the GPO and click OK.
