Windows Group Policy Fundamentals

Professor Howard Burpee
SMCC Information Technology Dept.

Group Policy Foundations
➢ GPMC (Group Policy Management Console)
• Used to create and link Group Policy Objects (GPO) to network objects
• Requires:
- A Windows Active Directory Domain Services environment (ADDS)
- GPOs can only be linked to certain AD objects: Sites, Domains, and OUs (organizational units)

Group Policy Foundations
➢ Group Policy Objects (GPO)
• A sort of script containing various settings that runs as a computer (domain client) boots, or as a domain user logs in
- Note: Domain client systems actually log in and have a password
• Managed by the GPMC, edited with the Group Policy Editor
- The Group Policy Editor is the same tool as GPEDIT.MSC on a client OS

Default GPOs
➢ All Windows NT versions have an existing default single local GPO (LGPO)
➢ On a Windows Server OS that has been promoted to a DC, there are two default GPOs
• They are:
- Default Domain Policy – linked to the domain object
- Default Domain Controllers Policy – linked to the Domain Controllers OU
• The settings in these default GPOs are almost all security settings for the domain
* EX: Complex Passwords Required; Allow Logon Locally

The GPMC
The GPMC after expanding all levels

Default GPOs
➢ The GPMC showing defaults
• Domain object
• OU (the only default one created)
• Default GPOs showing link state
• GPO folder showing all GPOs

Managing GPOs
➢ Create and link a GPO
• Make a new OU in ADUAC
- Staff users
• Right click the OU and choose Create…

Managing GPOs
➢ Name the new GPO descriptively
• It shows as linked to the OU, and as a GPO in the Group Policy Objects folder
• Note: not all GPOs must be linked all the time, some are just used temporarily
• And, the same GPO can be linked to different objects

Editing GPOs
➢ Right click on a GPO and choose Edit…
• This opens the Group Policy Management Editor

Checking GPO settings
➢ Select any given GPO and click the Settings tab on the right pane of the console
- This runs IE and you should add the web site as trusted
• The Settings tab, when expanded, shows all the settings (RSOP) for that GPO

GPO RSOP
➢ RSOP (resultant set of policies)
• How many GPOs apply to a user in the Staff users OU?
• How many GPOs apply to a user not in the Staff users OU?

GPO Structure
➢ GPOs are applied in order
• L – S – D – OU
- Local, Site, Domain, OU
• If there is a conflict:
- A setting enabled in a Domain GPO, and disabled in an OU GPO, which one wins?
• GPOs are automatically inherited
• GPOs can be enforced
• GPOs can be blocked
• Enforced wins…
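
The conflict question above, worked through as an added example (not part of the original slides): a small Python model of L-S-D-OU processing with the Enforced and Block Inheritance flags. The GPO names, setting names and the Link / resultant_set helpers are constructed for illustration and are not a Windows API.

```python
from dataclasses import dataclass

LEVELS = ["local", "site", "domain", "ou"]  # processing order: L - S - D - OU

@dataclass
class Link:
    gpo: str                 # GPO name (sample names are constructed)
    level: str               # one of LEVELS
    settings: dict           # setting name -> configured value
    enforced: bool = False   # "Enforced" flag on the link
    depth: int = 0           # OU nesting depth, 0 = top-level OU

def rank(link):
    """Sort key: a lower rank is processed earlier."""
    return (LEVELS.index(link.level), link.depth)

def resultant_set(links, block_ou_depth=None):
    """Return {setting: (value, winning GPO)}.

    block_ou_depth: depth of an OU with Block Inheritance set, or None.
    """
    ordered = sorted(links, key=rank)
    if block_ou_depth is not None:
        cut = (LEVELS.index("ou"), block_ou_depth)
        # Blocking drops non-enforced links from site, domain and parent OUs.
        # The local GPO and enforced links are not affected.
        ordered = [ln for ln in ordered
                   if ln.enforced or ln.level == "local" or rank(ln) >= cut]
    result = {}
    # Normal links: applied in order, so the last writer (closest OU) wins.
    for link in (ln for ln in ordered if not ln.enforced):
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    # Enforced links: applied afterwards, lowest container first, so the
    # enforced link highest in the hierarchy is written last and wins.
    for link in (ln for ln in reversed(ordered) if ln.enforced):
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

def sample_links(domain_enforced=False):
    """Constructed sample matching the slide's Domain-vs-OU conflict."""
    return [
        Link("Domain Baseline", "domain",
             {"ExampleSetting": "enabled", "OtherSetting": "enabled"},
             enforced=domain_enforced),
        Link("Staff Users Policy", "ou", {"ExampleSetting": "disabled"}),
    ]

if __name__ == "__main__":
    print(resultant_set(sample_links()))                      # OU GPO wins
    print(resultant_set(sample_links(domain_enforced=True)))  # enforced wins
    print(resultant_set(sample_links(), block_ou_depth=0))    # domain blocked
```

For a security baseline this is the practical point: a domain-level setting that must not be overridden by an OU GPO needs its link enforced, because Block Inheritance and normal precedence both favour the OU otherwise.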

Additional Issues
➢ Latency:
• GPOs are not refreshed each time a user logs in
• Know how to:
- Run GPUPDATE.EXE /force from the CLI
• And then:
- Run RSOP.MSC to check the resultant set of policies (RSOP)
• Remember: whoami and what am I trying to do now…