
Mastering Group Policy Objects (GPOs) is a core skill for any Active Directory administrator. This step-by-step guide walks through creating and linking GPOs and explains how they fit into the wider Active Directory structure, so that we not only grasp the fundamentals but also gain the confidence to use GPOs effectively in our network administration work.

How to Create and Link a GPO in Active Directory (Step by Step)

Brief Overview of Group Policy Objects

Group Policy Objects (GPOs) are the backbone of centralized management in Windows Active Directory environments. Essentially, GPOs are a set of rules, configurations, and settings that administrators define to govern the behaviour of users and computers within a network. By implementing GPOs, administrators enforce security policies, regulate system settings, deploy software, and streamline various aspects of network management.

This powerful tool not only enhances organizational efficiency but also ensures a consistent and secure computing environment by allowing administrators to exert control and enforce policies across a multitude of devices and users.

Working with Group Policy Objects

GPOs are managed in two different ways: either on a local machine using the Local Group Policy Editor, or across the enterprise using the Group Policy Management Console (GPMC). This article concentrates on the enterprise scenario, because local policies are processed first and domain policies are applied afterwards, so domain GPOs override conflicting local settings and are the right place to build a resilient, consistent configuration.

Installing the Group Policy RSAT Tool

One of the components of the classic Remote Server Administration Tool (RSAT) toolkit is the Group Policy Management Console. We may install this MMC-based (Microsoft Management Console) solution on Windows using the current Windows Settings app.

Group Policy settings are stored in the ‘SYSVOL’ shared folder on a domain controller (DC) and replicated to every other DC in the domain and forest. This replication provides the built-in redundancy of the Group Policy infrastructure.

To proceed, we show how to install the Group Policy Management Console tool:

  • First, click the Start button and search with the keyword ‘optional’.
  • Click on ‘Manage optional features’ and then the ‘+ Add a feature’ button at the top.
  • Scroll down, check the ‘RSAT: Group Policy Management Tools’ checkbox and click Install.

From this point, the Group Policy Management console is accessible. To open the Group Policy Management Console (GPMC), follow these steps:

  1. Using the Run dialog:
    • Press Windows + R to open the Run dialog box.
    • Type gpmc.msc and press Enter.

  2. Via the Start menu:
    • Click on the Start button.
    • Type “Group Policy Management Console” in the search bar.
    • Click on the relevant result that appears.

  3. Through Server Manager (Windows Server):
    • On a Windows Server, open Server Manager.
    • Inside the Server Manager window, click “Tools” in the top-right corner.
    • Select “Group Policy Management” from the list.

Now we see the Group Policy Management console. Here we introduce how Group Policy is laid out and how we target specific logical entities in our organization.

With the Group Policy Management Console we perform several functions: we alter pre-existing Group Policy Objects (GPOs), generate new GPOs, adjust the security filtering of specific GPOs at the group level, and employ WMI filtering to pinpoint particular computers. In the next section, we start by creating a new GPO.

Creating a New Group Policy Object

Now, let’s try creating a new Group Policy Object:

  1. Right-click on ‘Domain Windows Computers’ and select ‘Create a GPO in this domain, and Link it here…’.

  2. Name it ‘Start Menu Cleanup’ and click OK.

  3. Edit the GPO: right-click on the linked GPO and select Edit.

  4. Navigate to the policy setting:
    • In the Group Policy Management Editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

  5. Modify the policy setting:
    • Look for the policy we want to change.
    • Double-click on the policy, select “Define these policy settings,” and choose “Enabled.”

  6. Save and close:
    • Click “OK” to apply the changes.
    • Close the Group Policy Management Editor.
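The same create-and-link procedure can be scripted with the GroupPolicy RSAT module, which is handy when the steps must be repeatable or reviewed. This is an added example, not code from the original article; the OU distinguished name and domain are assumptions to adjust for your environment.

```powershell
# Added example: create the 'Start Menu Cleanup' GPO, link it to the target OU,
# confirm the link and export a settings report for change review.
# Assumes the GroupPolicy RSAT module; the OU DN below is an assumed value.
Import-Module GroupPolicy

$gpoName  = 'Start Menu Cleanup'
$targetOu = 'OU=Domain Windows Computers,DC=example,DC=com'   # assumed OU DN

# Create the GPO only if it does not already exist, so re-runs are safe
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Hides Shut Down / Restart from the Start menu'
}

# Link it to the OU: enabled, but not enforced, so a child OU can still block inheritance
$existingLink = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced No | Out-Null
}

# Verify: list every GPO linked to the OU with its link order and state
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Export the GPO's current settings (HTML) to keep alongside the change record
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

The exported report is what a reviewer compares against after the User Rights Assignment edit from steps 4 and 5 has been made in the editor.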


Force Update or Wait for Group Policy to Apply

Please note that this setting is now active in the environment; at the next refresh, every computer object within that OU picks it up. By default, domain PCs and servers process Group Policy every 90 minutes with a random offset of up to 30 minutes. The gpresult command is a valuable tool for testing and troubleshooting which policies a machine has actually applied.

Using our preferred terminal or shell, we run the gpupdate command to compel the computer to refresh Group Policy immediately. This command processes all Group Policy changes for both the computer and the logged-in user. With the ‘/force’ switch, all settings are reapplied, not just the ones that changed since the last refresh:

  gpupdate /force

To verify, we right-click the Start button and open the Shut Down or Sign out menu, and observe that the system now hides those entries.

With this relatively simple modification we prevent users from restarting or shutting down their machines. Settings of this kind have many variations and applications.

Linking a Group Policy Object

  1. Link the GPO to an Organizational Unit (OU) or domain:
    • Navigate to the target OU or domain where we want to link the GPO.
    • Right-click on the OU or domain, select “Link an Existing GPO,” and choose “Domain Controller Security Lockdown.”

  2. Confirm the link:
    • A dialog box appears. Confirm the selection by clicking “Yes.”

  3. Verify the link:
    • In the GPMC, under the target OU or domain, confirm that the “Domain Controller Security Lockdown” GPO is now listed as linked.

  4. Force update or wait for Group Policy to apply:
    • Force a Group Policy update on the domain controllers using gpupdate /force in the command prompt, or wait for the policy to apply during the next refresh.
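The four linking steps above, scripted end to end so that the link is verified and every DC's resultant policy is checked rather than assumed. This is an added example and not the article's own code; the GPO name is the one used in the article, and the RSoP XML layout (Rsop/ComputerResults/GPO/Name) is assumed from the GPMC report format.

```powershell
# Added example: link the existing 'Domain Controller Security Lockdown' GPO to the
# Domain Controllers OU, verify the link, refresh every DC and confirm it was applied.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined admin host.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Domain Controller Security Lockdown'   # GPO name used in the article
$dcOu    = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"

# Step 1: link the existing GPO (Get-GPO fails fast if the GPO does not exist)
Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null
$link = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -ErrorAction Stop | Out-Null
}

# Steps 2 and 3: confirm the link is present and enabled under the OU
$link = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link -or -not $link.Enabled) { throw "GPO '$gpoName' is not linked (enabled) to $dcOu" }
"Linked: {0} (order {1}, enforced {2})" -f $link.DisplayName, $link.Order, $link.Enforced

# Step 4: force a computer-scope refresh on each DC instead of waiting for the 90-120 minute cycle
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    Invoke-GPUpdate -Computer $dc.HostName -Target Computer -Force -RandomDelayInMinutes 0
}

# Check which GPOs each DC actually applied (RSoP). A link that security filtering or
# blocked inheritance silently removed shows up here, not later during an incident.
foreach ($dc in $dcs) {
    $reportPath = "$env:TEMP\rsop-$($dc.Name).xml"
    Get-GPResultantSetOfPolicy -Computer $dc.HostName -ReportType Xml -Path $reportPath | Out-Null
    [xml]$rsop = Get-Content -Path $reportPath
    # Assumed report layout: Rsop/ComputerResults/GPO with a Name element per applied GPO
    $applied = $rsop.Rsop.ComputerResults.GPO | Where-Object { $_.Name -eq $gpoName }
    "{0}: {1}" -f $dc.Name, $(if ($applied) { 'applied' } else { 'NOT applied - investigate' })
}
```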

Now that the GPO is linked to the domain controllers, our DCs process the settings in that GPO the next time they check for Group Policy changes. Once a collection of settings has been created and refined, we can swiftly link it to any container in our environment.

Modify an Existing Group Policy Object

In larger businesses we anticipate finding hundreds or thousands of GPOs in a single domain. Dealing with child OUs, local GPOs and local policies, together with the intricacies of inheritance and of WMI filters that target particular operating systems, is intimidating. Furthermore, the sheer number of GPOs in a domain imposes a performance penalty when PCs start up and users log in.

Group Policy Object Scope

Most of our GPOs are located at the domain’s root. Because of this placement, every machine and server object within the domain sees and applies such a GPO by default. Again, there are techniques to exclude particular users, machines, organizational units and security groups.

Selecting a GPO displays the Authenticated Users group in the Security Filtering section. This filtering effectively says “Everyone”: the GPO applies to any account authenticated with the domain.

Edit the Group Policy Object

Now, let’s try editing a current GPO:

  • Right-click on the targeted GPO and select ‘Edit’ to begin the modification.
  • Navigate through the logical layout, which includes the Computer Configuration and User Configuration trees.
  • To locate and adjust WSUS settings within Computer Configuration, expand Policies -> Administrative Templates -> Windows Components -> Windows Update.
  • Identify the specific setting we want to modify, such as ‘Configure Automatic Updates.’
  • Open the properties of the chosen setting to review the configuration options.
  • Make the adjustments needed to align the GPO with our desired policy.
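The ‘Configure Automatic Updates’ setting is an Administrative Template policy, so it can also be written into an existing GPO with Set-GPRegistryValue and read back to detect drift. This is an added example, not the article's code; the GPO name is assumed, while the registry key and value names are the ones this policy template writes.

```powershell
# Added example: set 'Configure Automatic Updates' in an existing GPO from PowerShell
# and read the values back. The GPO name is an assumed value.
Import-Module GroupPolicy

$gpoName = 'Workstation Windows Update'   # assumed existing GPO
$auKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# 'Configure Automatic Updates' = Enabled, option 4 (auto download and schedule the install)
$desired = [ordered]@{
    NoAutoUpdate         = 0   # 0 = automatic updates enabled
    AUOptions            = 4   # 2 notify, 3 auto download, 4 auto download + schedule, 5 local admin chooses
    ScheduledInstallDay  = 0   # 0 = every day
    ScheduledInstallTime = 3   # 03:00
}
foreach ($valueName in $desired.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName $valueName `
        -Type DWord -Value $desired[$valueName] | Out-Null
}

# Read back what the GPO now carries and flag any value that differs from the map;
# a mismatch on a later run means someone changed the GPO by hand.
$actual = Get-GPRegistryValue -Name $gpoName -Key $auKey
foreach ($valueName in $desired.Keys) {
    $entry = $actual | Where-Object { $_.ValueName -eq $valueName }
    $state = if ($entry -and $entry.Value -eq $desired[$valueName]) { 'ok' } else { 'DRIFT' }
    "{0,-22} expected {1,-3} actual {2,-3} {3}" -f $valueName, $desired[$valueName], $entry.Value, $state
}
```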

This is a more involved setting: these values control how Windows Update behaves across our domain. The point here is that we manage all our computers (or a subset of them) centrally.

This also illustrates how Group Policy Objects (GPOs) enforce restrictions on computer settings. If we examine the Advanced options under Windows Update on a workstation in scope, we observe that the first setting, ‘Receive updates for other Microsoft products when we update Windows,’ is now governed by Group Policy.

The workstation reports that Group Policies apply to this computer, and these settings can no longer be adjusted locally.

Managing the Group Policy Objects

Upon creating a new domain, Windows Server generates two GPOs as the default configuration, namely the ‘Default Domain Policy’ and the ‘Default Domain Controllers Policy.’ At a minimum, these GPOs determine the domain password policy, account lockout policy, Kerberos policy, fundamental security options and various other network security configurations.

For decades, the accepted practice has been not to modify these two policies and to create new GPOs instead. There are several reasons for this, but the most fundamental is that when troubleshooting our domain we must be able to rely on these default configurations being unchanged.

Disable a Group Policy Object

To deactivate a GPO and stop its settings from applying to computers in that container, right-click on the GPO link and select Disable Link. This keeps the link in place but transitions the GPO into an inactive, dormant state for that container.

Delete a Group Policy Object

During cleanup and troubleshooting tasks, a GPO is removed by right-clicking on it and selecting Delete. For a comprehensive view, navigate to the Group Policy Objects node in the tree and initiate the deletion from there.
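Scripted equivalents of the Disable and Delete actions above, with the safeguards a practitioner wants: disabling is reversible per link, and deletion refuses to proceed while an enabled link exists and always takes a restorable backup first. This is an added example and not the article's code; GPO name, OU and backup path are assumptions.

```powershell
# Added example: disable a GPO link, and back up a GPO before deleting it.
# Names, OU DN and backup path are assumed values.
Import-Module GroupPolicy

function Disable-GpoLinkAt {
    param([string]$GpoName, [string]$TargetOu)
    # The GPO stays in the domain; it simply stops applying at this link
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No | Out-Null
    (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName } |
        Select-Object DisplayName, Enabled, Enforced
}

function Remove-GpoWithBackup {
    param([string]$GpoName, [string]$BackupDir)
    # Refuse while any enabled link remains: deleting would silently change live policy
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $enabledLinks = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' } | ForEach-Object { $_.SOMPath })
    if ($enabledLinks.Count -gt 0) {
        throw "Disable or remove the links first; '$GpoName' is still enabled at: $($enabledLinks -join ', ')"
    }
    # Take a restorable backup (GPO settings, ACLs and GUID) to an access-controlled share
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Pre-delete backup of $GpoName"
    Remove-GPO -Name $GpoName
    "Deleted '$GpoName'; restore with: Restore-GPO -BackupId $($backup.Id) -Path $BackupDir"
}

# Usage (assumed values)
Disable-GpoLinkAt -GpoName 'Start Menu Cleanup' -TargetOu 'OU=Domain Windows Computers,DC=example,DC=com'
Remove-GpoWithBackup -GpoName 'Start Menu Cleanup' -BackupDir 'C:\GPOBackups'
```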

Thank you for reading How to Create and Link a GPO in Active Directory (Step by Step). We shall conclude the article.

How to Create and Link a GPO in Active Directory Conclusion

In conclusion, mastering the creation and linking of Group Policy Objects (GPOs) in Active Directory is an indispensable skill for administrators navigating the intricate landscape of network management. This step-by-step guide has equipped us with the knowledge and confidence to implement GPOs, offering a hands-on approach that demystifies the process. As we continue in Active Directory administration, the ability to harness GPOs effectively not only optimizes system configurations but also empowers us to maintain a secure computing environment across our network.


Marion Mendoza

Windows Server and VMware SME. PowerShell guru. Currently working with Fortune 500 companies, responsible for third-level systems support across the enterprise, acting as a Windows Server engineer and VMware specialist.
