Group Policy (GP) is a Windows management feature that allows you to control multiple users’ and computers’ configurations within an Active Directory environment.
With GP, all Organizational Units, sites, or domains can be configured from a single and central place.
This feature helps network admins in large Windows environments to save time by not having to go through every computer to set a new configuration.
Although there are other ways to manage Windows estates, like Desired State Configuration (DSC), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM), nothing allows the fine-grained control that GP provides.
What is the Group Policy Management Console?
A collection of Group Policy (GP) settings, referred to as a Group Policy Object (GPO), determines how a group of users or computers must behave.
GPOs are associated with AD containers, including the local computer, site, domain, and Organizational Unit (OU).
Group Policies within the entire AD forest can be managed via the Group Policy Management Console (GPMC)— a built-in Windows Server 2008 (and beyond) admin tool.
GPMC works via the Microsoft Management Console (MMC) snap-in.
It consolidates the functionality of many tools (snap-ins) into one, including the AD Users and Computers, Resultant Set of Policy, the ACL Editor, and the GMPC Delegation Wizard.
Overall, GPMC gives you the interface to view, control, and troubleshoot GPs from a central place.
But you can also have a fine-control to create GPOs that define policies, security options, software updates, installation, maintenance settings, scripts, folder redirections, and more.
Additionally, you can also backup, restore, and import GPOs.
To open GPMC, go to the Windows Server Manager > Open “Tools Menu” > “Group Policy Management”
How to Install the Group Policy Management Console?
As mentioned before, GMPC is built-in in Windows Server (starting from 2008), so installing it is a very straightforward process.
In this tutorial, we’ll install the GPMC on a Windows Server 2012 R2.
- Open the Server Manager. By default, the Server Manager application is pinned down at the taskbar. But if you can’t find it there, you can hold the combination of Win + R keys to open the Run window. Then type “Server Manager” and click “Ok.”
- In Server Manager’s dashboard, click “Add roles and features.”
- The Add Features and Roles Wizard will open.
Leave the “Installation Type” with its default values: “Role-based or Feature-based installation.”
- Select a server from your server pool.
Find the server running Windows where you want to install the GPMC. Click “Next.”
- Skip Server Roles and Go to “Features.” In the “Features” section, you should find the “Group Policy Management” tool. Go ahead, tick the box, click “Next,” and click on “Install.”
- The installation process should take a few minutes to complete.
How to use the Group Policy Management Console?
To open GPMC, go again to the Administrator Tools (Win + R and type “Administrator Tools”), find and double-click on the Group Policy Management Console.
As mentioned earlier, the Group Policy Management Console allows you to manage the entire AD forest, including its sites, domains, and Organizational Units.
- To see the inventory of all GPOs configured under a Domain: Go to the left pane of the GPMC.
- Under “Forest”: Select the “Domain” > and go to “Group Policy Objects.”
- Here, you’ll notice two types of default GPOs: The Default Domain Policy and the Default Domain Controllers Policy. One is linked to the domain, and the other to the domain’s controller.
Within this structure, including Domain Controllers and Domains’s policies, you can see the status of their GPOs, linked GPOs, GP Inheritance, and their Delegation.
How to Create a New Group Policy Object (GPO)?
As a best practice, avoid changing Default Domain Policy and Default Domain Controllers Policy, as you can always take GPOs back to their original configuration.
There are a few things you need to consider when creating a new GPO.
- Give your new GPO a name (you can use another GPO’s name as a Source).
- Determine where to link your new GPO, whether OU, domain, or site.
To create a new GPO:
- Right-click on the OU, and click on the option “Create a GPO in this domain, and Link it here…”
- Give your new GPO a Name, and click “Ok.”
- When you save it, your brand new GPO will be instantly enabled and linked to the specified OU.
The second way to create a new GPO is to right-click on the Group Policy Object container and click on “New.” Your new GPO is created but un-linked!
Using this second method, you’ll have to manually link the new GPO to a domain, site, or OU. Right-click where you want to link it, and select “Link an Existing GPO.”
Once you create the new GPO, it will instantly be linked, enabled, and stored in the GPO inventory.
How to Edit a Group Policy Object?
Once you create a new GPO for any domain, site, or OU, it will be automatically generated with default configuration values. These values have no configuration whatsoever, so you’ll need to open the GPO and edit its “default” configuration.
To edit a GPO, go to the GPO inventory and find the GPO that you want to edit, right-click on it and select “Edit.”
The Group Policy Management will automatically open on the editor in a new window.
The Group Policy Management Editor is also an essential Windows admin tool that allows users to change configuration policies on computers and users.
The structure of the editor is divided into two GPO configuration types: “User” and “Computer.”
The user configuration is set when the user logs in, whereas the computer configuration applies to the Windows OS when it starts.
GPO Configuration: Policies and Preferences
The GPM Editor’s structure is further divided into Policies and Preferences, whether you are under User or Computer configurations.
What are their differences?
Started since Windows Server 2000. Policies have been the original method on how we configure settings globally. When a policy is applied to a computer or user, configurations may be changed or removed, but they’ll go back to their value as defined in the Group Policy. These settings have more priority than the application’s configuration settings, and sometimes they even “grayed out.” Within policies, you’ll find Software Settings (apply software configuration to computers/users), Windows Settings (for Windows security or accounting settings), and Administrative Templates (Control of the OS and user).
Policies are checked and applied every 90 minutes through a process called “Background Refresh”
This setting was included since Windows 2008 with the idea to replace the login custom scripts that were used to add functionality. These settings can be applied, only if desired, and are not “policied” with a background refresh (as policies do). Preferences are set only when a computer starts, or the user logs for the first time, but allow the user more flexibility to change and remove them.
Within Preferences, you can set the Windows settings and Control Panel Settings. Preferences can only be configured within domain GPOs, whereas policies can be set for both domain and local GPOs.
GPO Precedence and Inheritance
As mentioned previously, when you create a new GPO, you also need to link it somewhere, such as domain, site, or OU.
But you can also have multiple GPOs linking to different domains, sites, or OUs. But to allow this, you’ll need to set priorities.
The GPO Precedence allows GPOs to be configured with different levels of priorities.
By default, the GPOs with the most precedence are those linked to the OU. Lesser precedence goes to those linked to the domain and then to the site.
The least amount of precedence is given to local group policies. That means the GPOs linked to an OU in AD’s highest level will be processed first.
- To see the GPOs linked to a specific domain, site, or OU, go to the Linked Group Policy Objects tab.
If there is a single GPO linked, you should see it in this tab. If there are more, you will see all GPOs with their respective Link Order number.
The highest the link number a GPO has, the least precedence it has.
For example, a GPO with a Link Order No. of 1 will always take precedence over a GPO with Link Order No.2.
To adjust the GPO precedence, you can change the Link Order number by moving the GPO up or down.
By default, all group policy settings linked to a parent object (i.e., site, domain, or OU) are inherited to the child objects (domain, OUs, or child OU) within the AD hierarchy.
You can see all the inherited GPOs from the Group Policy Inheritance tab.
When configuring group policies, Microsoft’s Group Policy Management Console (GPMC) is a must!
While other third-party Group Policy management tools can also help you control GPs, with extraordinary capabilities, nothing compares to GPMC.
The GPMC is the out-of-the-box Windows Server tool.
It is easy to install and use. GPMC is not only made to create and edit GPOs; you can have exceptional fine-grain control and even automate things.
For example, If you are looking for automation while staying in the Windows environment, GPMC also includes the PowerShell module.
This module will help you automate management tasks for your Group Policies.