Windows Server 2016 – Creating and assigning a new Group Policy Object

In order to start using Group Policy, we first need to create a Group Policy Object. Most commonly referred to as a GPO, this object contains the settings that we want to deploy. It also contains the information necessary for domain-joined systems to know which machines and users get these settings and which ones do not. It is critical that you plan GPO assignment carefully. It is easy to create a policy that applies to every domain-joined system in your entire network but, depending on what settings you configure in that policy, this can be detrimental to some of your servers. Often I find that admins who are only somewhat familiar with Group Policy are making use of a built-in GPO called Default Domain Policy. This, by default, applies to everything in your network. Sometimes this is actually what you want to accomplish. Most of the time, it is not!

We are going to use this section to detail the process of creating a new GPO, and use some assignment sections called Links and Security Filters, which will give us complete control over which objects receive these settings, and more importantly, which do not.

Getting ready

Our work today will be accomplished from a Server 2016 domain controller. If you are running the Domain Services role, you already have the items installed that are necessary to manage Group Policy.

How to do it…

Follow these steps to create and assign a new GPO:

  1. Open Server Manager, click on the Tools menu and choose to open the Group Policy Management Console.
  2. Expand your domain name and click on the folder called Group Policy Objects. This shows you a list of your current GPOs.
  3. Right-click on the Group Policy Objects folder and click on New.
  4. Insert a name for your New GPO. I am going to call mine Map Network Drives. We will end up using this GPO in a later recipe:
  5. Click OK, and then expand your Group Policy Objects folder if it isn’t already. You should see the new GPO on this list. Go ahead and click on the new GPO in order to see its settings.
  6. We want this new GPO to apply only to a specific group of users that we have established. This assignment of the GPO is handled at the lowest level by the Security Filtering section, which you see on the following screen. You can see that, by default, Authenticated Users is in the list. This means that, if we created a link between this GPO and an Organizational Unit (OU) in the domain, the policy settings would immediately start applying to any user account:
  7. Since we want to make absolutely sure that only specific user accounts get these drive mappings, we are going to modify the Security Filtering section and list only the user group that we have created to house these user accounts. Under the Security Filtering section, click on the Remove button in order to remove Authenticated Users from this list. It should now be empty.
  8. Now click on the Add… button, also listed under the Security Filtering section.
  9. Type the name of your group for which you want to filter this GPO. My group is called Sales Group. Click OK.
  10. Now this GPO will only apply to users we place into the group called Sales Group, but at this point in time, the GPO isn’t going to apply anywhere because we have not yet established any links. This is the top section of your Scope tab, which is currently blank:
  11. We need to link this GPO to some place in our domain structure. This is essentially telling it, apply this policy from here down in our OU structure. By creating a link with no security filtering, the GPO will apply to everything under that link. However, since we do have security filtering enabled and specified down to a particular group, the security filtering will be the final authority in saying that these GPO settings will only apply to members of our Sales group. For this Map Network Drives policy, we want it to apply to the OU called US Laptops.
  12. Right-click on the OU called US Laptops and then click on the option for Link an Existing GPO…:
  13. Choose the name of our new GPO, Map Network Drives, and click OK:

Our new GPO is now linked to the US Laptops OU, so at this level, any system placed inside that OU would get the settings if we hadn’t pared it down a step further with the Security Filtering section. Since we populated this with only the name of our specific Sales Group, this means that this new drive mapping policy will only apply to those users added into this group.
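
The same create, filter and link sequence scripted with the GroupPolicy PowerShell module, followed by a check of who actually holds Apply rights. This is an added example, not part of the original recipe. The OU distinguished name is a placeholder assumption, and the script leaves Authenticated Users with Read (not Apply) on the GPO, which the GUI steps above do not cover.

```powershell
# Added example: scripted equivalent of the GUI recipe.
# Run on a domain controller or a host with the Group Policy management tools.
Import-Module GroupPolicy

$GpoName   = 'Map Network Drives'                  # GPO name from the recipe
$GroupName = 'Sales Group'                         # filter group from the recipe
$OuDn      = 'OU=US Laptops,DC=example,DC=local'   # ASSUMPTION: placeholder DN

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Security Filtering: grant Apply to the one group that should get the settings.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Security Filtering: drop Authenticated Users from Apply down to Read.
# -Replace is required to lower an existing, higher permission level.
# Read is kept because, since the MS16-072 update, user settings are retrieved
# in the computer's security context; with no Read access for computer
# accounts the GPO is silently skipped for the Sales Group users as well.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Link: attach the GPO to the OU unless a link is already present.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# Verify: list every trustee on the GPO and flag any unexpected Apply right.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

$unexpected = $acl | Where-Object {
    $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $GroupName
}
if ($unexpected) {
    Write-Warning ("Apply is also granted to: " +
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
} else {
    Write-Output "Only '$GroupName' holds Apply on '$GpoName'."
}
```

Running `gpresult /r` as a member of Sales Group on a machine in the linked OU confirms whether the GPO appears under the applied user policies.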

How it works…

In our example recipe, we created a new Group Policy Object and took the necessary steps in order to restrict this GPO to the computers and users that we deemed necessary inside our domain. Each network is different, and you may find yourself relying only on the Links to keep GPOs sorted according to your needs, or you may need to enforce some combination of both Links and Security Filtering. In any case, whichever works best for you, make sure that you are confident in the configuration of these fields so that you can know beyond a shadow of a doubt where your GPO is being applied. You may have noticed that, in our recipe here, we didn’t actually configure any settings inside the GPO, so at this point, it still isn’t doing anything to those in the Sales Group. Continue reading to navigate the actual settings portion of Group Policy.
