Group Policy allows administrators to define options for what users can do on a network – including what files, folders and applications they can access. The collections of user and computer settings are referred to as Group Policy Objects (GPOs), which are administered from a central interface called the Group Policy Management Console. Group Policy can also be managed with command-line tools such as gpresult and gpupdate.
To open the Group Policy Management Console, go to Server Manager, then Tools, then Group Policy Management.
Under Group Policy Objects there will be two default GPOs:
- Default Domain Controllers Policy: this GPO applies to all domain controllers.
- Default Domain Policy: this GPO applies to the entire domain.
As you can see in the screenshot below, my organisational units are shown in the Group Policy Management Console. As an example, let's create a GPO and link it to an OU (HR under India).
Right-click Group Policy Objects and select New.
Specify the name of the GPO, such as “HR GPO”, and click OK to create the new GPO.
We can link this newly created GPO to a site, domain or OU. Currently this GPO is not linked to any container.
When you make any change in a GPO, its version number increases, based on the user and computer configuration settings.
In Active Directory, every GPO has a unique ID number that identifies it.
Note: By default, all Active Directory GPOs are stored in the folder C:\Windows\Sysvol. This folder is shared, so users and computers can retrieve GPOs from the shared location.
Now let's link our “HR GPO” to the HR organisational unit under India.
Right-click HR and click “Link an Existing GPO”.
Select the GPO name and click OK.
We can see that HR GPO is successfully linked to the HR organisational unit.
Click the Settings tab to check which settings are configured or enabled.
As per the screenshot below, right now there are no settings configured in the GPO.
Let's go ahead and apply one.
Right-click “HR GPO” and click Edit.
The Group Policy Management Editor has two types of configuration, and both parts have similar settings:
- Computer Configuration: these settings are applied to computer accounts when the computer starts or restarts.
- User Configuration: these settings are applied to user accounts when the user logs on to a computer.
For example, today we are going to restrict the Control Panel for the HR users.
In the Group Policy Management Editor, go to User Configuration, then Administrative Templates, then click Control Panel. In the right pane, click “Prohibit access to Control Panel and PC settings”.
Double-click “Prohibit access to Control Panel and PC settings”, click Enabled, and then click Apply.
The Group Policy is now applied to the users of the HR organisational unit.
Now log in to the client computer as an HR user. We will not be able to open the Control Panel because we have restricted it using the GPO.
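The same procedure can be scripted and verified from PowerShell. This is an added example, not part of the original walkthrough. It assumes the GroupPolicy module (RSAT) is installed, that the domain is the placeholder example.com, and that the policy is written through the NoControlPanel registry value that backs it.

```powershell
# Added example: create "HR GPO", restrict Control Panel, link it to the HR OU,
# then read back the ID, version numbers and SYSVOL path described above.
Import-Module GroupPolicy -ErrorAction Stop

$GpoName  = 'HR GPO'
# Assumption: placeholder distinguished name; replace DC=example,DC=com with your domain.
$TargetOU = 'OU=HR,OU=India,DC=example,DC=com'
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restrict Control Panel for HR users'
}

# User Configuration setting: NoControlPanel = 1 is the registry value behind
# "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless a link is already present.
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Read the setting back to confirm what was actually stored in the GPO.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'NoControlPanel'

# Show the unique ID, the per-section version numbers and the SYSVOL location.
# The AD and SYSVOL versions should match once the change has replicated.
$gpo = Get-GPO -Name $GpoName
[pscustomobject]@{
    Name              = $gpo.DisplayName
    Id                = $gpo.Id
    UserVersionAD     = $gpo.User.DSVersion
    UserVersionSysvol = $gpo.User.SysvolVersion
    ComputerVersionAD = $gpo.Computer.DSVersion
    SysvolPath        = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
}

# On the client, signed in as an HR user, refresh and confirm the GPO applied:
#   gpupdate /target:user /force
#   gpresult /r /scope:user
```

Because only a User Configuration value is changed, the user version number increases while the computer version stays the same.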