Active Directory Group Policies let you centrally apply the same settings to many domain computers and/or users and greatly simplify configuration management in a domain environment. The Group Policy Management Console (GPMC.msc) is the main tool for managing Group Policy Objects (GPOs) in Active Directory.
Contents:
- Installing the GPMC console in Windows
- Managing Active Directory Group Policies with the Group Policy Management console
Installing the GPMC console in Windows
In Windows 10 and 11, the GPMC console is part of RSAT, and you can install it through the Settings panel. Go to Settings -> Apps -> Optional Features -> Add an optional feature -> select RSAT: Group Policy Management Tools in the list and click Install.
You can also install the Group Policy Management Console in Windows 10 and 11 with PowerShell:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Or with DISM:
DISM.exe /Online /add-capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Note that in modern versions of Windows 10 and 11 your computer must be connected to the Internet to install the RSAT management tools. Installing the administration tools (RSAT) in Windows is described in more detail in the linked article.
In Windows Server 2022/2019/2016/2012R2 you can install the GPO management console through Server Manager: Add Roles and Features -> Features -> Group Policy Management.
You can also install the GPMC console on Windows Server with the Install-WindowsFeature PowerShell cmdlet:
Install-WindowsFeature GPMC
After installation, check that the Group Policy Management shortcut has appeared in the Administrative Tools section of Control Panel (Control Panel\System and Security\Administrative Tools). The shortcut points to the MMC snap-in %SystemRoot%\system32\gpmc.msc.
Managing Active Directory Group Policies with the Group Policy Management console
The GPMC console lets you manage Group Policies at the level of AD sites, domains and Organizational Units (OUs).
To start the console, run the command:
gpmc.msc
By default, the console connects to the domain controller that holds the Primary Domain Controller Emulator (PDC) FSMO role. You can connect to any other DC. To do this, right-click the domain name and select Change Domain Controller (for comfortable work we recommend connecting to your logon server).
Expand Forest -> Domain -> Your domain.
This screenshot highlights:
- The name of the domain the console is connected to;
- Group Policies assigned to different OUs (the whole OU structure that you see in the ADUC console is displayed);
- The full list of policies (GPOs) in the current domain, available under Group Policy Objects.
Active Directory Group Policies can be assigned to an OU, a site or the entire domain. Most often, policies are linked to OUs that contain computers or users.
To create a new GPO and immediately assign it to an OU, right-click the required container and select Create a GPO in this domain, and Link it here.
Specify a name for the GPO:
In the GPMC console you will see your new GPO, which is immediately assigned to the container (OU) you selected.
The GPO is active (Link Enabled = True), which means that its settings will be applied to all objects in this OU.
To change the GPO settings, select Edit.
To manage Group Policy settings on a Windows computer, the local GPO editor console (gpedit.msc) is used. It lets you configure Windows settings with one or multiple local policies (MLGPO).
The GPO editor console opens; it is similar to the local GPO editor. All GPO settings are divided into two sections:
- Computer Configuration – here you can configure the settings of the computer (Windows);
- User Configuration – settings that are applied to AD users.
Each section has three subsections:
- Software Settings – used to install and update software through the GPO;
- Windows Settings – contains the main Windows security settings: password policy, account lockout, audit policy, user rights assignment, etc.;
- Administrative Templates – contains the settings of various Windows components. Both the standard Windows administrative templates and additional ADMX templates installed by the administrator are available here (for example, ADMX templates for managing Microsoft Office programs or templates for Google Chrome). We recommend using the central store of GPO administrative templates for ease of management.
There is also a separate Preferences section. It contains an additional set of Group Policy Preferences (GPP) settings that you can configure for client devices through the GPO.
Close the policy editor and return to the GPMC console. All the settings you changed in the GPO will be applied on the clients during the next Group Policy refresh cycle.
Select your GPO to display its main parameters. Four tabs are available here:
- Scope – shows which OUs this policy is assigned to. In the Security Filtering section you can configure the security groups whose members the policy should apply to (by default Authenticated Users is set here, which means that the policy applies to all objects in the OU). In the WMI filtering parameter you can set additional rules for filtering the objects the GPO should apply to (see WMI filters in GPO);
- Details – contains basic information about the GPO (owner, when it was created and modified, version, GUID);
- Settings – contains a report of all configured GPO settings (the report is similar to the output of the gpresult command);
- Delegation – displays the current GPO permissions and lets you change them.
Active Directory stores GPOs as a set of files and folders in the SYSVOL directory, which is replicated between DCs. You can find the directory of a particular GPO by its GUID (on the Details tab). Use the following UNC path:
\\winitpro.ru\sysvol\winitpro.ru\Policies\{GUID}
If you want the policy to stop applying to clients in this OU, you can either remove the link (Delete; the GPO object itself is not deleted) or temporarily disable it (Link Enabled = False).
Note that the domain already contains two policies that apply to all computers and to the domain controllers, respectively:
- Default Domain Policy
- Default Domain Controllers Policy
In most cases it is not recommended to use these GPOs to configure client settings. It is better to create new policies and assign them at the level of the entire domain or the Domain Controllers container.
The Group Policy Management console also lets you:
- Import/export, back up and restore GPOs
- Generate Resultant Set of Policy (RSoP) reports
- Remotely update GPO settings on computers
- Prepare GPOs for migration between domains
A separate article, “Why is Group Policy not applied to a computer?”, covers such basic elements of Active Directory Group Policies as:
- Inheritance in Group Policies
- Scope and order of GPO application (LSDOU)
- Precedence and managing the order in which policies are applied
- Group Policy Loopback Processing mode
- GPO filtering
- Forcing GPO application
We recommend reading that article carefully to use Group Policies more effectively and to understand how they work.
Group Policy Management Background
Over the past versions of Windows Server, the tools used to manage Group Policy have matured and their names have changed. Originally, Group Policy was managed with the Active Directory Tools. Next, a dedicated Group Policy management tool called the Group Policy Management Console (GPMC) was released; this tool replaced the Group Policy functionality in the Active Directory Tools. In Windows Server 2019 the Group Policy Management Tools are simply named Group Policy Management.
Prerequisites for installing Group Policy Management Console (GPMC)
You will require a Windows Server 2019 computer with the “Graphical Management Tools and Infrastructure” installed to install the Active Directory Management Tools using the Server Manager graphical user interface.
Instructions for installing Group Policy Management
To install Group Policy Management Tools (GPMC) on Windows Server 2019 please follow these instructions.
- Open the Windows Server 2019 Server Manager Dashboard. If Server Manager does not start by default, press the “Windows + R” keys, type “servermanager” in the “Open” field and press “Enter” or click the OK button.
- In the Server Manager main window, click “Add roles and features”.
- In the “Add Roles and Features Wizard” under “Installation Type” check the “Role-based or feature-based installation” radio button and click “Next”
- In the “Add Roles and Features Wizard” under “Server Selection” check the “Select a server from the server pool” radio button, select the server you want to install the Group Policy Management Console Tools (GPMC) on and click “Next”
- In the “Add Roles and Features Wizard” under “Server Roles” click “Next”
- In the “Add Roles and Features Wizard” under “Features” scroll down and check “Group Policy Management”. Click “Next”. If prompted to install any supporting roles, accept the defaults and continue.
- In the “Add Roles and Features Wizard” at the “Confirmation” page click “Install” to begin the installation of the Group Policy Management Tools.
- The installation of the Group Policy Management Tools will begin and the progress will be displayed. This installation should not require a restart of the server.
- The Group Policy Management Tools can now be found under the “Tools” menu in “Server Manager”.
Group Policy Management Console: An Introduction
The Group Policy Management Console (GPMC) is a one-stop solution for performing all the Group Policy functions an administrator has to deal with. This MMC snap-in provides all the information about Group Policies and allows one to view all the settings within a Group Policy Object (GPO). Many of the functions of the GPMC can also be scripted. The GPMC provides viewing, configuring, and analyzing GPO settings to know how they will affect target computers and users.
Here is a partial list of what administrators can do with the GPMC:
- Creating, modifying, deleting, reporting GPOs and controlling their application
- Performing Group Policy searches across the forest and domain(s)
- Checking/controlling the status of GPOs
- Linking and unlinking GPOs
- Performing backup, restore and import of GPOs
- Executing GPO modeling sessions to understand the effects of GPOs
- Setting and delegating permissions
The following are some of the highlights of the GPMC which make it such a handy tool:
- Easy user interface with drag-and-drop functionality
- Capability to backup, restore, import and copy GPOs
- Includes programmable interfaces
- Execution of fully scriptable functions
- Manages WMI filtering that helps in selectively applying GPOs
How to install Group Policy Management Console tools
You can install the GPMC using Server Manager. Here’s how you can do it in Windows Server 2016:
- Open the Server Manager Dashboard. You can do this by pressing Windows + R keys to open the Run tool, and then typing servermanager and pressing the Enter button.
- In the Dashboard section, click on Add Roles and Features.
- In the installation wizard window that pops up, under Installation Type select Role-based or feature-based installation. Then, click Next.
- Under Server Selection, select the Select a server from the server pool option. Then, click Next.
- Click Next under Server Roles.
- Under Features, select Group Policy Management. Click Next. If prompted to install any supporting roles, accept the default selection.
- Under Confirmation, click Install.
Once the installation process is complete, you can open the GPMC through Server Manager under the Tools section.
Opening the GPMC
Alternatively, you can also use one of the following methods to open the GPMC:
- Go to Start → Run. Type gpmc.msc and click OK.
- Go to Start → Type gpmc.msc in the search bar and hit ENTER.
- Go to Start → Administrative Tools → Group Policy Management.
Before diving into working with GPOs using the GPMC, let’s take a look at what a GPO is.
What is a GPO?
A Group Policy in Active Directory is stored in the form of Group Policy Objects (GPOs). GPOs can be created like any other Active Directory object and are linked to the site, domain, or OU in which the policy settings have to be applied. Hence, GPOs are how you can manage group policies and configure them as necessary. To learn more about GPOs and GPO management, you can read this article.
Creating an unlinked GPO
- Within the GPMC, right-click Group Policy Objects in the domain where the GPO is to be created and select New. Give it a suitable name.
- Click OK.
Editing a GPO
- In the GPMC, open the Group Policy Objects node.
- Right-click the appropriate GPO, and click Edit.
Deleting a GPO
- In the GPMC, open the Group Policy Objects node.
- Right-click the appropriate GPO, and click Delete.
- Click OK to confirm.
Note that it is best practice not to edit/delete the Default Domain Controllers Policy or the Default Domain Policy.
Let’s take a look at some of the other tasks that can be executed from the console.
Linking a GPO
- In the GPMC, locate the domain or OU to which the GPO is to be linked and right-click.
- To link an existing GPO, select the option Link an Existing GPO. In the Select GPO dialog box that appears, select the GPO that is to be linked and click OK.
- To link a new GPO, select the option Create a GPO in this domain, and link it here. Give a suitable name and click OK.
Disabling a GPO link
- In the GPMC, locate the GPO link which is to be disabled.
- Right click the GPO link and click Link Enabled. A check mark indicates that the link is enabled and the absence of it indicates that the link is disabled.
Managing GPO Backups
- In the GPMC, expand the Group Policy Objects node that contains the GPO that has to be backed up. Right-click the GPO, and then click Back Up.
- To back up all GPOs in the domain, right-click the Group Policy Objects node, and then click Back Up All.
- In the Back Up Group Policy Object dialog box, specify the path to the folder where the backed-up versions of the GPOs will reside. Click Back Up.
- Finally, click OK.
Restoring a GPO
- In the GPMC, expand the Group Policy Objects container. Right-click the GPO and then click Manage Backups.
- In the Manage Backups dialog box that appears, specify the path to locate the backup folder.
- From the list Backed up GPOs, select the GPO that needs to be restored, and click Restore.
- Confirm by clicking OK.
- Finally, click OK and then Close.
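The backup and restore steps above can be scripted with the GroupPolicy PowerShell module that is installed together with the GPMC. This is an added example, not part of the original article; the folder `D:\GPOBackups`, the GPO name `Example GPO` and the `manifest.csv` file name are placeholders chosen for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example: script the "Back Up All" and "Restore" actions of the GPMC.
# Paths and GPO names are placeholders, not values from the article.

function Backup-AllGpo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [string]$Domain = $env:USERDNSDOMAIN
    )

    # One folder per run, so an older backup set is never overwritten.
    $folder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmmss')
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $backups = Backup-GPO -All -Path $folder -Domain $Domain `
        -Comment "Backup $(Get-Date -Format s)"

    foreach ($backup in $backups) {
        # A GPO backup does not contain the links, because links are stored on
        # the site/domain/OU. The XML report records where the GPO was linked.
        $report = Join-Path $folder "$($backup.GpoId).xml"
        Get-GPOReport -Guid $backup.GpoId -ReportType Xml -Domain $Domain -Path $report
    }

    # Manifest that maps GPO names to backup IDs for later restores.
    $backups |
        Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $folder 'manifest.csv') -NoTypeInformation

    return $folder
}

function Restore-GpoFromBackup {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BackupFolder,
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $manifest = Import-Csv -Path (Join-Path $BackupFolder 'manifest.csv')
    $entry = $manifest | Where-Object { $_.DisplayName -eq $Name } | Select-Object -First 1
    if (-not $entry) {
        throw "No backup of GPO '$Name' found in $BackupFolder"
    }

    # Restoring overwrites the live GPO settings, so ask for confirmation
    # (or run with -WhatIf first).
    if ($PSCmdlet.ShouldProcess($Name, "Restore backup $($entry.Id)")) {
        Restore-GPO -BackupId $entry.Id -Path $BackupFolder -Domain $Domain
    }
}

# Usage (placeholders):
#   $folder = Backup-AllGpo -BackupRoot 'D:\GPOBackups'
#   Restore-GpoFromBackup -Name 'Example GPO' -BackupFolder $folder -WhatIf
```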
Importing settings from a GPO
- In the GPMC, expand the Group Policy Objects node. Right-click the GPO and then click Import Settings. The Import Settings Wizard opens.
- Click Next to continue.
- Backup the existing settings in the GPO by clicking Backup. Then click Next.
- Specify the path to the backup folder from which the settings are to be imported. Click Next.
- Select the GPO from which the settings are to be imported. Click Next.
- The wizard will automatically scan the settings in the backup to check for references needed. After the scan completes, click Next.
- Under Migrating References, select the method for transferring references. Click Next.
- Finally, click Finish to close the wizard.
Group Policy Modeling
Group Policy Modeling can simulate the policy implementation environment and can help administrators get a sense of how the GPOs affect different users and computers, thus helping them to plan before actually applying the policies.
The following steps illustrate how to work with the Group Policy Modeling Wizard:
- In the left pane of the GPMC, click on the forest to expand it.
- Right click the Group Policy Modeling container and click on the Group Policy Modeling Wizard option.
- In the Group Policy Modeling Wizard that is launched, click Next.
- Specify the domain where the GPO is to be analyzed and click Next.
- Specify the user and computer against which the policy settings are to be simulated. Click Next.
- In the page that follows, select a particular site if required, else skip to the final page and click Next.
- In the page that follows, specify an alternate network location if required, else skip to the final page and click Next. An alternate location can help administrators see the effects of the GPOs if the computer were to be moved to a different container in the AD.
- In the page that follows, use the Add/Remove options to simulate changes to all the security groups that the selected user is a member of if required, else skip to the final page and click Next.
- In the page that follows, include the WMI filters in the simulation if required, else skip to the final page and click Next.
- In the page that follows, a summary of all selections made in the wizard is displayed. To process the simulation click Next.
- Finally, click Finish to close the wizard.
This action creates a folder that can be seen in the left pane of the GPMC that bears the name of the user/computer that is tested. Open it to display the outcome of the simulation. These reports give information about the properties and policy settings of GPOs and how the implementation of group policy modeling proceeded/succeeded. The Summary tab gives information about the GPOs that were used to compile the policy. The Settings tab lists the effective policy settings. The Query tab displays the criteria based on which the simulation was carried out.
Active Directory Group Policies allow you to centrally apply the same settings for multiple computers and/or domain users and greatly simplify configuration management in an AD domain environment. The Group Policy Management Console (GPMC.msc) is the main tool for managing Group Policy Objects (GPOs) in Active Directory.
Contents:
- How to Install Group Policy Management Console (GPMC) in Windows?
- Managing GPOs in Active Directory via the Group Policy Management Console
How to Install Group Policy Management Console (GPMC) in Windows?
In Windows 10 and 11, the GPMC console comes as part of RSAT, a feature you can install through the Settings panel. Go to Settings -> Apps -> Optional Features -> Add an optional feature -> select RSAT: Group Policy Management Tools and click Install.
You can also install the Group Policy Management Console on Windows 10 and 11 via PowerShell:
Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Or with DISM:
DISM.exe /Online /add-capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0
Please note that modern versions of Windows 10 and 11 require your computer to be connected to the internet in order to install the RSAT management tools. See the article at the link for more information on installing RSAT on Windows.
In Windows Server 2022/2019/2016/2012R2, you can install the GPO management console through Server Manager: Add Roles and Features -> Features -> check Group Policy Management.
Another way to install the GPMC on a Windows Server is to use the PowerShell Install-WindowsFeature cmdlet:
Install-WindowsFeature GPMC
After installation, check that the Group Policy Management shortcut appears in Administrative Tools in Control Panel. The shortcut refers to the MMC snap-in %SystemRoot%\system32\gpmc.msc.
Managing GPOs in Active Directory via the Group Policy Management Console
The GPMC offers various options to manage Group Policies at the AD site, domain, and Organizational Unit levels.
To start the console, type the command:
gpmc.msc
By default, the console connects to a domain controller with the Primary Domain Controller Emulator (PDC) FSMO role. If you want to connect to a different DC, right-click on the domain name and select Change Domain Controller (it is preferable to use a connection to your logon server).
Expand Forest -> Domain -> Your domain.
Here in this screenshot, you can see:
- The name of the domain the console is connected to;
- Group Policies assigned to different OUs (the entire OU structure that you see in the ADUC console is displayed);
- A complete list of policies (GPOs) in the current domain is available under Group Policy Objects.
Active Directory Group Policies can be assigned to a specific OU, a site, or to the entire domain. GPOs are usually linked to OUs with computers or users.
To create a new GPO and immediately assign it to an OU, right-click on the required container and select Create a GPO in this domain, and Link it here.
Now specify a name for the GPO:
Once that’s done, you’ll see your new GPO assigned to the container (OU) you selected in the GPMC console.
Note that the GPO is enabled (Link Enabled = True), which means that its settings apply to all objects within a given OU.
Select Edit to change the GPO settings.
To manage Group Policy settings on a standalone Windows computer, use the local GPO Editor console (gpedit.msc). It allows you to configure Windows settings using single or multiple local policies (MLGPO).
This will open the GPO Editor console similar to the local GPO editor. Note that all GPO settings are divided into two sections:
- Computer Configuration – here you can configure the Windows (computer) settings;
- User Configuration – contains settings that apply to the computer user.
There are three subsections in each section:
- Software Settings – used to install and update MSI packages via the GPO;
- Windows Settings — contains the basic Windows security settings: password policy settings, account lockouts, audit policy, user rights assignments, etc.;
- Administrative Templates – contains various Windows components’ parameters for both built-in Windows administrative templates and ADMX templates installed by the administrator (for example, Microsoft Office ADMX templates or Google Chrome administrative templates). We recommend that you use the Group Policy Central Store for ease of administration.
There is also a separate Preferences section. It contains an additional set of Group Policy Preferences (GPP) options that you can configure for client devices via the GPO.
Close the Policy Editor now and go back to the GPMC. Any settings you have configured in the GPO will be applied to the clients the next time the Group Policy settings are updated.
Select your GPO to display its parameters. There are 4 tabs available here:
- Scope – shows the OUs to which the policy is assigned. In the Security Filtering section, you can configure which security groups the policy should apply to (the default setting here is Authenticated Users, which means that the policy applies to all objects in the OU). Under WMI filtering you can set additional rules to filter objects for GPOs to apply (see WMI filters in GPO);
- Details – contains basic information about the GPO (owner, when created and modified, version, GUID);
- Settings – provides a report of all configured GPO options similar to the results of the gpresult command;
- Delegation – displays the current GPO permissions and allows you to change them.
Active Directory stores GPOs as a set of files and folders in the SYSVOL directory, which is replicated between DCs. You can find the directory of a particular GPO by its GUID in the Details tab. Use the following UNC path: \\woshub.com\sysvol\woshub.com\Policies\{GUID}.
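The information on the Details and Delegation tabs, and the SYSVOL folder of each GPO, can also be reviewed for the whole domain from PowerShell. This added example (not part of the original article) lists every trustee that holds edit rights on a GPO and flags GPOs whose AD and SYSVOL versions differ or whose SYSVOL folder is missing; the `$ExpectedEditors` list is an assumption to adjust for your domain.

```powershell
#Requires -Modules GroupPolicy
# Added example: domain-wide review of GPO edit rights (Delegation tab) and of
# AD/SYSVOL consistency (Details tab and the Policies\{GUID} folder).

# Assumption: trustees that are expected to be able to edit GPOs.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpoEditDelegation {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            # Both of these permission levels allow changing the GPO settings.
            $level = [string]$ace.Permission
            if ($level -notin 'GpoEdit', 'GpoEditDeleteModifySecurity') { continue }

            # An empty name means the SID no longer resolves (deleted account).
            $name = $ace.Trustee.Name
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Guid       = $gpo.Id
                Trustee    = if ($name) { $name } else { '<unresolved SID>' }
                TrusteeSid = $ace.Trustee.Sid.Value
                Permission = $level
                Expected   = $name -in $ExpectedEditors
            }
        }
    }
}

function Get-GpoSysvolState {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Same UNC layout as in the article: \\domain\sysvol\domain\Policies\{GUID}
        $path = "\\$Domain\sysvol\$Domain\Policies\{$($gpo.Id)}"
        [pscustomobject]@{
            Gpo            = $gpo.DisplayName
            SysvolPath     = $path
            FolderExists   = Test-Path -LiteralPath $path
            # The version stored in AD should match the one stored in SYSVOL.
            ComputerInSync = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
            UserInSync     = $gpo.User.DSVersion -eq $gpo.User.SysvolVersion
            Modified       = $gpo.ModificationTime
        }
    }
}

# Edit rights held by anyone outside the expected list:
Get-GpoEditDelegation | Where-Object { -not $_.Expected } | Format-Table -AutoSize

# GPOs whose SYSVOL copy is missing or out of sync with AD:
Get-GpoSysvolState |
    Where-Object { -not ($_.FolderExists -and $_.ComputerInSync -and $_.UserInSync) } |
    Format-Table Gpo, FolderExists, ComputerInSync, UserInSync, Modified -AutoSize
```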
If you no longer want the policy to apply to clients in this OU, you can either remove the link (click Delete, note that the GPO itself will not be deleted) or temporarily disable it ( Link Enabled = False ).
Note that there are already two predefined GPOs in the domain that apply to all the computers and to the domain controllers, respectively:
- Default Domain Policy
- Default Domain Controllers Policy
In most cases, using these GPOs to configure client settings is not recommended. Instead, you should create new policies and assign them at the level of the entire domain or Domain Controllers container.
Other options offered by the Group Policy Management console include:
- Import/export, backup, and restore GPOs
- Generate Resultant Set of Policy (RSoP) reports
- Remotely update GPO settings on computers
- Prepare GPOs for cross-domain migration
You may also want to read the article “Why can’t I apply group policy to my computer?” which discusses the basic elements of Active Directory Group Policies, such as:
- Group Policy Inheritance
- Scope and application of GPOs (LSDOU)
- Policy application management and prioritization
- Group Policy Loopback Processing mode
- GPO filtering
- GPO enforcement
Please look closely at this article to better understand Group Policies and how they work.
Group Policy (GP) is a Windows management feature that allows you to control multiple users’ and computers’ configurations within an Active Directory environment.
With GP, all Organizational Units, sites, or domains can be configured from a single and central place.
This feature helps network admins in large Windows environments to save time by not having to go through every computer to set a new configuration.
Although there are other ways to manage Windows estates, like Desired State Configuration (DSC), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM), nothing allows the fine-grained control that GP provides.
What is the Group Policy Management Console?
A collection of Group Policy (GP) settings, referred to as a Group Policy Object (GPO), determines how a group of users or computers must behave.
GPOs are associated with AD containers, including the local computer, site, domain, and Organizational Unit (OU).
Group Policies within the entire AD forest can be managed via the Group Policy Management Console (GPMC), a built-in Windows Server 2008 (and beyond) admin tool.
GPMC works via the Microsoft Management Console (MMC) snap-in.
It consolidates the functionality of many tools (snap-ins) into one, including the AD Users and Computers, Resultant Set of Policy, the ACL Editor, and the GPMC Delegation Wizard.
Overall, GPMC gives you the interface to view, control, and troubleshoot GPs from a central place.
But you can also have fine-grained control to create GPOs that define policies, security options, software updates, installation, maintenance settings, scripts, folder redirections, and more.
Additionally, you can also backup, restore, and import GPOs.
To open GPMC, go to the Windows Server Manager > Open “Tools Menu” > “Group Policy Management”
How to Install the Group Policy Management Console?
As mentioned before, GPMC is built into Windows Server (starting from 2008), so installing it is a very straightforward process.
In this tutorial, we’ll install the GPMC on a Windows Server 2012 R2.
- Open the Server Manager. By default, the Server Manager application is pinned down at the taskbar. But if you can’t find it there, you can hold the combination of Win + R keys to open the Run window. Then type “Server Manager” and click “Ok.”
- In Server Manager’s dashboard, click “Add roles and features.”
- The Add Features and Roles Wizard will open. Leave the “Installation Type” with its default values: “Role-based or Feature-based installation.”
- Select a server from your server pool. Find the server running Windows where you want to install the GPMC. Click “Next.”
- Skip Server Roles and Go to “Features.” In the “Features” section, you should find the “Group Policy Management” tool. Go ahead, tick the box, click “Next,” and click on “Install.”
- The installation process should take a few minutes to complete.
How to use the Group Policy Management Console?
To open GPMC, go again to the Administrator Tools (Win + R and type “Administrator Tools”), find and double-click on the Group Policy Management Console.
As mentioned earlier, the Group Policy Management Console allows you to manage the entire AD forest, including its sites, domains, and Organizational Units.
- To see the inventory of all GPOs configured under a Domain: Go to the left pane of the GPMC.
- Under “Forest”: Select the “Domain” > and go to “Group Policy Objects.”
- Here, you’ll notice two default GPOs: the Default Domain Policy and the Default Domain Controllers Policy. One is linked to the domain, and the other to the Domain Controllers OU.
Within this structure, including the Domain Controllers and domain policies, you can see the status of their GPOs, linked GPOs, GP Inheritance, and their Delegation.
How to Create a New Group Policy Object (GPO)?
As a best practice, avoid changing the Default Domain Policy and the Default Domain Controllers Policy, so that you can always take these GPOs back to their original configuration.
There are a few things you need to consider when creating a new GPO.
- Give your new GPO a name (you can use another GPO’s name as a Source).
- Determine where to link your new GPO, whether OU, domain, or site.
To create a new GPO:
- Right-click on the OU, and click on the option “Create a GPO in this domain, and Link it here…”
- Give your new GPO a Name, and click “Ok.”
- When you save it, your brand new GPO will be instantly enabled and linked to the specified OU.
The second way to create a new GPO is to right-click on the Group Policy Object container and click on “New.” Your new GPO is created but un-linked!
Using this second method, you’ll have to manually link the new GPO to a domain, site, or OU. Right-click where you want to link it, and select “Link an Existing GPO.”
Once you create the new GPO, it will instantly be linked, enabled, and stored in the GPO inventory.
How to Edit a Group Policy Object?
Once you create a new GPO for any domain, site, or OU, it will be automatically generated with default configuration values. These values have no configuration whatsoever, so you’ll need to open the GPO and edit its “default” configuration.
To edit a GPO, go to the GPO inventory and find the GPO that you want to edit, right-click on it and select “Edit.”
The Group Policy Management Editor will automatically open in a new window.
The Group Policy Management Editor is also an essential Windows admin tool that allows users to change configuration policies on computers and users.
The structure of the editor is divided into two GPO configuration types: “User” and “Computer.”
The user configuration is set when the user logs in, whereas the computer configuration applies to the Windows OS when it starts.
GPO Configuration: Policies and Preferences
The GPM Editor’s structure is further divided into Policies and Preferences, whether you are under User or Computer configurations.
What are their differences?
- Policies:
Available since Windows Server 2000, policies are the original method for configuring settings globally. When a policy is applied to a computer or user, configurations may be changed or removed, but they’ll go back to their value as defined in the Group Policy. These settings have higher priority than the application’s configuration settings, and sometimes they are even “grayed out.” Within policies, you’ll find Software Settings (apply software configuration to computers/users), Windows Settings (for Windows security or accounting settings), and Administrative Templates (control of the OS and user).
Policies are checked and applied every 90 minutes through a process called “Background Refresh”
- Preferences:
This setting has been included since Windows 2008 with the idea of replacing the custom login scripts that were used to add functionality. These settings can be applied, only if desired, and are not “policed” with a background refresh (as policies are). Preferences are set only when a computer starts, or the user logs in for the first time, but allow the user more flexibility to change and remove them.
Within Preferences, you can set the Windows settings and Control Panel Settings. Preferences can only be configured within domain GPOs, whereas policies can be set for both domain and local GPOs.
GPO Precedence and Inheritance
As mentioned previously, when you create a new GPO, you also need to link it somewhere, such as a domain, site, or OU.
You can also have multiple GPOs linked to different domains, sites, or OUs, but to allow this, you’ll need to set priorities.
GPO precedence allows GPOs to be configured with different levels of priority.
By default, the GPOs with the most precedence are those linked to the OU. Lesser precedence goes to those linked to the domain and then to the site.
The least amount of precedence is given to local group policies. That means the GPOs linked to an OU in AD’s highest level will be processed first.
- To see the GPOs linked to a specific domain, site, or OU, go to the Linked Group Policy Objects tab.
If there is a single GPO linked, you should see it in this tab. If there are more, you will see all GPOs with their respective Link Order number.
The higher the Link Order number a GPO has, the lower its precedence.
For example, a GPO with Link Order No. 1 will always take precedence over a GPO with Link Order No. 2.
To adjust the GPO precedence, you can change the Link Order number by moving the GPO up or down.
By default, all group policy settings linked to a parent object (i.e., site, domain, or OU) are inherited by the child objects (domain, OUs, or child OU) within the AD hierarchy.
You can see all the inherited GPOs from the Group Policy Inheritance tab.
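The precedence rules described in this section, as an added example that is not part of the original article: it models only scope precedence (OU, then domain, then site, then local) and Link Order, and leaves out Enforced links, Block Inheritance and security filtering. All GPO names, setting names and values are constructed and hypothetical.

```powershell
# Scope ranks follow the precedence stated above: OU > domain > site > local.
$ScopeRank = @{ OU = 1; Domain = 2; Site = 3; Local = 4 }

function Get-GpoPrecedence {
    # Orders link records from highest to lowest precedence:
    # by scope first, then by Link Order within a container (1 beats 2).
    param([Parameter(Mandatory)][object[]]$Links)
    $Links | Sort-Object -Property @{ Expression = { $ScopeRank[$_.Scope] } },
                                   @{ Expression = { $_.LinkOrder } }
}

function Resolve-GpoSetting {
    # Returns the link record of the GPO whose value wins for one setting.
    param([Parameter(Mandatory)][object[]]$Links,
          [Parameter(Mandatory)][string]$Setting)
    Get-GpoPrecedence -Links $Links |
        Where-Object { $_.Settings.ContainsKey($Setting) } |
        Select-Object -First 1
}

# Constructed sample data (hypothetical GPOs and setting names).
$links = @(
    [pscustomobject]@{ Gpo = 'Local Policy';          Scope = 'Local';  LinkOrder = 1
                       Settings = @{ ScreenLockTimeoutSec = 1800 } }
    [pscustomobject]@{ Gpo = 'Site-Baseline';         Scope = 'Site';   LinkOrder = 1
                       Settings = @{ ScreenLockTimeoutSec = 1200 } }
    [pscustomobject]@{ Gpo = 'Default Domain Policy'; Scope = 'Domain'; LinkOrder = 2
                       Settings = @{ ScreenLockTimeoutSec = 900 } }
    [pscustomobject]@{ Gpo = 'Domain-Hardening';      Scope = 'Domain'; LinkOrder = 1
                       Settings = @{ ScreenLockTimeoutSec = 600; RemovableStorageWrite = 'Deny' } }
    [pscustomobject]@{ Gpo = 'Workstations-Baseline'; Scope = 'OU';     LinkOrder = 2
                       Settings = @{ ScreenLockTimeoutSec = 300 } }
    [pscustomobject]@{ Gpo = 'Workstations-Kiosk';    Scope = 'OU';     LinkOrder = 1
                       Settings = @{ RemovableStorageWrite = 'Allow' } }
)

# Full precedence list, highest first.
Get-GpoPrecedence -Links $links | Format-Table Scope, LinkOrder, Gpo

# Which GPO supplies the effective value of each setting.
foreach ($name in 'ScreenLockTimeoutSec', 'RemovableStorageWrite') {
    $winner = Resolve-GpoSetting -Links $links -Setting $name
    '{0} = {1} (from {2}, {3} link order {4})' -f `
        $name, $winner.Settings[$name], $winner.Gpo, $winner.Scope, $winner.LinkOrder
}
```

The second result is the case worth reviewing in a real domain: an OU-linked GPO overrides a restriction set in a domain-level hardening GPO. On a host with the GroupPolicy module, `Get-GPInheritance -Target <DN>` reports the actual links and inherited links for a container.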
Final Words
When configuring group policies, Microsoft’s Group Policy Management Console (GPMC) is a must!
While other third-party Group Policy management tools can also help you control GPs, with extraordinary capabilities, nothing compares to GPMC.
The GPMC is the out-of-the-box Windows Server tool.
It is easy to install and use. GPMC is not only made to create and edit GPOs; you can have exceptional fine-grain control and even automate things.
For example, if you are looking for automation while staying in the Windows environment, GPMC also includes a PowerShell module.
This module will help you automate management tasks for your Group Policies.
Group Policy Management FAQs
How do I access Group Policy Management?
Group Policy Management can be accessed through the Group Policy Management Console (GPMC) on a Windows server running Active Directory. It can also be accessed through the Local Group Policy Editor on a Windows client machine.
What are the benefits of using Group Policy?
Group Policy allows for centralized management of settings and configurations, which can save time and improve security. It also allows for the enforcement of specific settings and configurations, which can help ensure compliance with organizational policies.
How do I create a new Group Policy Object (GPO)?
To create a new GPO, open the Group Policy Management Console and navigate to the appropriate domain or organizational unit. Right-click and select “New” and then “Group Policy Object.”
How do I link a GPO to a domain or organizational unit?
To link a GPO to a domain or organizational unit, open the Group Policy Management Console and navigate to the appropriate domain or organizational unit. Right-click and select “Link an Existing GPO.”
How do I edit an existing GPO?
To edit an existing GPO, open the Group Policy Management Console and navigate to the appropriate GPO. Right-click and select “Edit.”
How do I know if a GPO is being applied to a specific user or computer?
To check the application of a GPO to a specific user or computer, open the Group Policy Management Console and navigate to the appropriate GPO. Right-click and select “Group Policy Results” or “Group Policy Modeling.”
How do I troubleshoot GPO issues?
To troubleshoot GPO issues, you can use the Group Policy Management Console to check the status of GPOs and their links, and to check the event logs for related error messages. Additionally, you can use the GPRESULT command-line tool to check the effective GPO settings for a user or computer.