
GROUP POLICY MANAGEMENT

Group Policy is an Active Directory management technology for Windows that provides centralized management of configuration settings. While it isn’t the only available management solution — PowerShell Desired State Configuration (DSC) and Mobile Device Management (MDM) can also be used — Group Policy is the recommended technology for domain-joined client devices because it provides more granular control than other solutions.

Group Policy Management Console

Group Policy settings are configured in Group Policy objects (GPOs). You can link
GPOs to domains, sites and organizational units (OUs). For even more control,
GPOs can be applied according to the results of Windows Management
Instrumentation (WMI) filters, although WMI filters should be used sparingly
because they can significantly increase policy processing time.

The Group Policy Management Console (GPMC) is a built-in Windows administration tool that enables administrators to manage Group Policy in an Active Directory forest and obtain data for troubleshooting Group Policy. You can find the Group Policy Management Console in the Tools menu of Microsoft Windows Server Manager. It is not a best practice to use domain controllers for everyday management tasks, so you should install the Remote Server Administration Tools (RSAT) for your version of Windows.

Installing the Group Policy Management Console
If you are using Windows 10 version 1809 or later, you can install GPMC using the
Settings app:

1. Open the Settings app by pressing WIN+I.
2. Click Apps under Windows Settings.
3. Click Manage optional features.
4. Click + Add a feature.
5. Click RSAT: Group Policy Management Tools and then click Install.
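The same installation done from an elevated PowerShell prompt, as an added example that is not part of the original guide: it checks the build number (1809 is build 17763, the assumed minimum), installs the GPMC capability if it is missing, and confirms that gpmc.msc is present.

```powershell
# Added example: install RSAT Group Policy Management Tools through the
# Features-on-Demand capability instead of the Settings app (Windows 10 1809+).
# Run from an elevated PowerShell session with internet (or a FoD source) available.

$minBuild = 17763   # Windows 10 version 1809
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -lt $minBuild) {
    throw "Build $build is older than 1809; download the RSAT package for this Windows version instead."
}

# Capability name as listed by Get-WindowsCapability on 1809 and later.
$capName = 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
$cap = Get-WindowsCapability -Online -Name $capName

if ($cap.State -eq 'Installed') {
    Write-Host "$capName is already installed."
} else {
    Add-WindowsCapability -Online -Name $capName | Out-Null
    $cap = Get-WindowsCapability -Online -Name $capName
}

# Verify the console is present and the GroupPolicy module (also part of RSAT) loads.
$gpmc = Join-Path $env:SystemRoot 'System32\gpmc.msc'
if ($cap.State -eq 'Installed' -and (Test-Path $gpmc)) {
    Import-Module GroupPolicy -ErrorAction Stop
    Write-Host "GPMC installed: $gpmc"
} else {
    throw "GPMC installation did not complete (capability state: $($cap.State))."
}
```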

Figure 1. Installing the Group Policy Management Console using the Settings app interface

If you are using an older version of Windows, you’ll need to download the right
version of RSAT from Microsoft’s website.

For convenience, you might want to also install Server Manager. But if you choose
not to, you can add GPMC to a Microsoft Management Console (MMC) and save the
console.

Using the Group Policy Management Console
Every AD domain has two default GPOs:

- Default Domain Policy, which is linked to the domain
- Default Domain Controllers Policy, which is linked to the Domain Controllers OU

You can see all the GPOs in a domain by clicking the Group Policy Objects container in the left pane of GPMC.

Figure 2. Interface of the Group Policy Management Console

Create a New Group Policy Object

Don’t change either the Default Domain Controllers Policy or the Default Domain Policy. The best way to add your own settings is to create a new GPO. There are two ways to create a new GPO:

- Right-click the domain, site or OU to which you want to link the new GPO and select Create a GPO in this domain, and Link it here… When you save the new GPO, it will be linked and enabled immediately.
- Right-click the Group Policy Objects container and select New from the menu. You will need to manually link the new GPO by right-clicking a domain, site or OU and selecting Link an Existing GPO. You can do this at any time.

Regardless of how you create a new GPO, in the New GPO dialog you must give the GPO a name, and you can choose to base it on an existing GPO. See the next section for information about the other options.
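Both creation paths done with the GroupPolicy module that RSAT installs, as an added example that is not part of the original guide. The GPO names and the target OU distinguished name are assumptions; Copy-GPO is used here as one way to start a new GPO from an existing one.

```powershell
# Added example (not from the guide): create and link GPOs with the GroupPolicy module.
Import-Module GroupPolicy

# Assumed target OU; replace with a real distinguished name from your domain.
$targetOu = 'OU=Workstations,DC=corp,DC=example'

# Path 1: create and link in one step (the "Create a GPO in this domain, and Link it
# here..." equivalent). -LinkEnabled Yes makes the link active immediately.
$gpo = New-GPO -Name 'Workstation Baseline' -Comment 'Created via PowerShell'
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes | Out-Null

# Path 2: create the GPO first, so it sits unlinked in the Group Policy Objects
# container. Copying an existing GPO gives the new one that GPO's settings.
Copy-GPO -SourceName 'Workstation Baseline' -TargetName 'Workstation Baseline - Pilot' | Out-Null

# Link it later (the "Link an Existing GPO" step). The link is created disabled so the
# settings can be reviewed before they take effect on the OU.
New-GPLink -Name 'Workstation Baseline - Pilot' -Target $targetOu -LinkEnabled No | Out-Null

# Review: list every GPO linked directly to the OU with its link state.
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```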

Edit a Group Policy Object
To edit a GPO, right-click it in GPMC and select Edit from the menu. The Active Directory Group Policy Management Editor will open in a separate window.

Figure 3. Interface of the Group Policy Management Editor

GPOs are divided into computer and user settings. Computer settings are applied
when Windows starts, and user settings are applied when a user logs in. Group
Policy background processing applies settings periodically if a change is detected in
a GPO.

Policies vs Preferences

User and computer settings are further divided into Policies and Preferences:

- Policies do not tattoo the registry — when a setting in a GPO is changed or the GPO falls out of scope, the policy setting is removed and the original value is used instead. Policy settings always supersede an application’s configuration settings and will be greyed out so that users cannot modify them.
- Preferences tattoo the registry by default, but this behavior is configurable for each preference setting. Preferences overwrite an application’s configuration settings but always allow users to change the configuration items. Many of the configurable items in Group Policy Preferences are those that might previously have been configured using a login script, such as drive mappings and printer configuration.
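
The distinction above, shown with the GroupPolicy module as an added example that is not part of the original guide: one registry value set as a Policy (under the Policies branch, so it is unmanaged again when the GPO falls out of scope) and one set as a Preference. The GPO name is assumed to exist already; the preference key and value are constructed for the example, while the policy key is the real one for PowerShell script block logging.

```powershell
# Added example (not from the guide): a Policy registry value and a Preference
# registry value in the same GPO, then read back to confirm where each landed.
Import-Module GroupPolicy
$gpoName   = 'Workstation Baseline'                    # assumed existing GPO
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$prefKey   = 'HKCU\Software\ExampleCorp\HelpDesk'      # constructed key

# Policy: lives under ...\Policies\..., which Windows treats as managed. Windows removes
# it when the GPO no longer applies, and the corresponding UI setting is greyed out.
# This value enables PowerShell script block logging, a common detection source.
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

# Preference: an ordinary key, so it tattoos by default and the user can change it later.
# -Action Update creates the value if absent and updates it otherwise.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update -Key $prefKey `
    -ValueName 'PortalUrl' -Type String -Value 'https://helpdesk.example.internal' | Out-Null

# Read both back from the GPO.
Get-GPRegistryValue -Name $gpoName -Key $policyKey |
    Select-Object ValueName, Type, Value, PolicyState
Get-GPPrefRegistryValue -Name $gpoName -Context User -Key $prefKey |
    Select-Object ValueName, Type, Value, Action
```

The per-item option that stops a preference from tattooing ("Remove this item when it is no longer applied") is set in the Group Policy Management Editor, not through these cmdlets.
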
You can expand Policies or Preferences to configure their settings. These settings will then be applied to computer and user objects that fall into the GPO’s scope. For example, if you link your new GPO to the Domain Controllers OU, the settings will be applied to computer and user objects located in that OU and any child OUs. You can use the Block Inheritance setting on a site, domain or OU to stop GPOs that are linked to parent objects from being applied to child objects. You can also set the Enforced flag on individual GPOs, which overrides the Block Inheritance setting and any configuration items in GPOs that have higher precedence.

GPO Precedence
Multiple GPOs can be linked to domains, sites and OUs. When you click on one of
these objects in GPMC, a list of linked GPOs will appear on the right on the Linked
Group Policy Objects tab. If there is more than one linked GPO, GPOs with a higher
link order number take priority over settings configured in GPOs with a lower
number.

You can change the link order number by clicking on a GPO and using the arrows on the
left to move it up or down. The Group Policy Inheritance tab will show all applied GPOs,
including those inherited from parent objects.
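An audit of the scope rules from the two sections above (inheritance, Block Inheritance and Enforced), as an added example that is not part of the original guide. It walks every OU, reports which ones block inheritance, whether an assumed domain-linked baseline GPO still reaches them, and which links on the OU are Enforced; the baseline GPO name is an assumption, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the guide): find OUs where Block Inheritance or a missing
# link would leave machines without the domain-level baseline GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory      # for Get-ADOrganizationalUnit

$baselineGpo = 'Domain Security Baseline'    # assumed name of a domain-linked GPO

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inh = Get-GPInheritance -Target $_.DistinguishedName

    # InheritedGpoLinks is the effective set after inheritance, blocking and
    # enforcement are evaluated; GpoLinks are only the links on this OU itself.
    $applied  = $inh.InheritedGpoLinks | Where-Object { $_.Enabled }
    $enforced = $inh.GpoLinks | Where-Object { $_.Enforced } |
                Select-Object -ExpandProperty DisplayName
    $hasBase  = [bool]($applied | Where-Object { $_.DisplayName -eq $baselineGpo })

    [pscustomobject]@{
        OU                 = $_.DistinguishedName
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        BaselineApplied    = $hasBase      # true even when blocked if the baseline is Enforced
        EnforcedHere       = ($enforced -join '; ')
    }
} | Where-Object { $_.InheritanceBlocked -or -not $_.BaselineApplied } |
    Format-Table -AutoSize
```

An OU that shows InheritanceBlocked as True but BaselineApplied as True is one where the baseline link is Enforced at a parent, which is the override the text describes.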

Figure 4. Information about all applied GPOs in GPMC

Advanced Group Policy Management

Advanced Group Policy Management (AGPM) is available as part of the Microsoft
Desktop Optimization Pack (MDOP) for Software Assurance customers. Unlike
GPMC, AGPM is a client/server application where the server component stores
GPOs offline, including a history for each GPO. GPOs managed by AGPM are called
controlled GPOs because they are managed by the AGPM service and
administrators can check them in and out, much like you might check files or code
in and out of GitHub or a document management system.

AGPM provides greater control over GPOs than is possible with GPMC. In addition
to providing version control, it enables you to assign roles like Reviewer, Editor and
Approver to Group Policy administrators, which helps you implement strict change
control throughout the entire GPO lifecycle. AGPM auditing also gives greater
insight into Group Policy changes.
