Professional Documents
Culture Documents
MANAGEMENT
Table of content:
1|Page
Installing the Group Policy
Management Console
If you are using Windows 10 version 1809 or later, you can install GPMC using the
Settings app:
2|Page
Figure 1. Installing the Group Policy Management Console using the Setting app
interface
If you are using an older version of Windows, you’ll need to download the right
version of RSAT from Microsoft’s website.
For convenience, you might want to also install Server Manager. But if you choose
not to, you can add GPMC to a Microsoft Management Console (MMC) and save the
console.
3|Page
Figure 2. Interface of the Group Policy Management Console
Right-click the domain, site or OU to which you want to link the new GPO and
select Create a GPO in this domain, and Link it here… When you save the new
GPO, it will be linked and enabled immediately.
Right-click the Group Policy Objects container and select New from the menu. You
will need to manually link the new GPO by right-click a domain, site or OU and
selecting Link an Existing GPO. You can do this at any time.
Regardless of how you create a new GPO, in the New GPO dialog you must give the
GPO a name, and you can choose to base it on an existing GPO. See the next
section for information about the other options.
4|Page
Edit a Group Policy Object
To edit a GPO, right click it in GPMC and select Edit from the menu. The Active
Directory Group Policy Management Editor will open in a separate window.
GPOs are divided into computer and user settings. Computer settings are applied
when Windows starts, and user settings are applied when a user logs in. Group
Policy background processing applies settings periodically if a change is detected in
a GPO.
Policies vs Preferences
User and computer settings are further divided into Policies and Preferences:
Policies do not tattoo the registry — when a setting in a GPO is changed or the GPO
falls out of scope, the policy setting is removed and the original value is used
instead. Policy settings always supersede an application’s configuration settings and
will be greyed out so that users cannot modify them.
Preferences tattoo the registry by default, but this behavior is configurable for each
preference setting. Preferences overwrite an application’s configuration settings but
5|Page
always allow users to change the configuration items. Many of the configurable
items in Group Policy Preferences are those that might have been previously
configured using a login script, such as drive mappings and printer configuration.
You can expand Policies or Preferences to configure their settings. These settings
will then be applied to computer and user objects that fall into the GPO’s scope. For
example, if you link your new GPO to the domain controller’s OU, the settings will
be applied to computer and user objects located in that OU and any child OUs. You
can use the Block Inheritance setting on a site, domain or OU to stop GPOs that are
linked to parent objects from being applied to child objects. You can also set the
Enforced flag on individual GPOs, which overrides the Block Inheritance setting and
any configuration items in GPOs that have higher precedence.
GPO Precedence
Multiple GPOs can be linked to domains, sites and OUs. When you click on one of
these objects in GPMC, a list of linked GPOs will appear on the right on the Linked
Group Policy Objects tab. If there is more than one linked GPO, GPOs with a higher
link order number take priority over settings configured in GPOs with a lower
number.
You can change the link order number by clicking on a GPO and using the arrows on the
left to move it up or down. The Group Policy Inheritance tab will show all applied GPOs,
including those inherited from parent objects.
6|Page
Figure 4. Information about all applied GPOs in GPMC
AGPM provides greater control over GPOs than is possible with GPMC. In addition
to providing version control, it enables you to assign roles like Reviewer, Editor and
Approver to Group Policy administrators, which helps you implement strict change
control throughout the entire GPO lifecycle. AGPM auditing also gives greater
insight into Group Policy changes.
7|Page
8|Page