Group Policy Objects (GPOs) are commonly used by organizations to implement security policies and other controls on Active Directory user and computer accounts.
This article is a useful guide on what group policies are, their purpose, along with what GPOs are in Active Directory. It will also cover how to install the Group Policy Management Console (GPMC) in Windows as well as some basic GPO tasks, like creating, editing, and linking GPOs.
A GPO is a group of settings that can be customized to define the resources a user or computer can view or access. The scope of a GPO can be just a local computer or extend to organizational units (OUs), domains, or sites. When you assign a GPO to a container, it is called linking the GPO. You can restrict how the GPOs are applied by using security groups to filter out which groups or users the GPO will impact, or you can block the GPO through inheritance. A Windows Management Instrumentation (WMI) filter can also be used to restrict the application of a GPO.
Before the GPMC was introduced, there was no single unified tool for Group Policy management. Users had to use multiple tools like the Active Directory Users and Computers snap-in, the Active Directory Sites and Services snap-in, the Resultant Set of Policy snap-in, the GPMC Delegation Wizard, and the ACL Editor for GPO management. The GPMC does not replace the Active Directory Users and Computers snap-in but instead provides a unified console for managing GPOs.
Capabilities of the GPMC
-
Creating, deleting, managing, backing up, restoring, importing, and copying GPOs
-
Linking and unlinking GPOs and WMI filters
-
Delegating permissions on GPOs and WMI filters
-
Checking and controlling the status of GPOs
-
Searching for GPOs
Tip:
The GPMC is sufficient when it comes to linking one or two GPOs, but when you need to create objects in bulk or want reports on GPOs, you have to resort to scripting.
ADManager Plus can help you create and manage GPOs and generate related reports without scripting.
Installing the GPMC on Windows Server 2012 and later
-
Navigate to Start > Control Panel > Programs and Features > Turn Windows features on or off.
-
In the Add Roles and Features Wizard window, click the Features tab in the left pane, and then select Group Policy Management.
-
Click Next, then click Install.
Installing the GPMC on Windows 8 and later
-
Download and install Remote Server Administration Tools from here for Windows 8, Windows 8.1, and Windows 10.
-
Navigate to Start > Control Panel > Programs and Features > Turn Windows features on or off.
-
Navigate to Remote Server Administration Tools > Feature Administration Tools and select Group Policy Management Tools.
-
Click Install.
Create GPOs with the GPMC
-
Open the GPMC.
-
Expand the domain tree and right-click the container you wish to create the GPO in.
-
Click New
-
In the New GPO window that opens, enter a name for the new GPO, and then click OK.
Edit or delete GPOs with the GPMC
-
Open the GPMC.
-
Expand the domain tree and right-click the GPO you wish to edit or delete.
-
Click Edit or Delete depending on what you?d like to do.
-
Edit the desired settings and click OK. In case of deletion, click OK in the confirmation prompt.
Link a GPO with the GPMC
-
Open the GPMC.
-
In the navigation pane, expand the domain tree and right-click on the domain you wish to link the GPO to. Click Link an Existing GPO.
-
In the Select GPO window, select the GPO that you want to link, and then click OK.
Note:
The order of the linked GPO corresponds to the hierarchy. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest.