
Managing GPOs in Active Directory

What you will learn:

Managing an Active Directory (AD) network can become cumbersome once the number of resources in the network grows. There is a myriad of things that need to be controlled, such as security permissions, software installation, desktop settings for users and computers, administrator privileges, and many more. This is where Group Policies and Group Policy objects come into play. In this article, we will look at what AD Group Policy objects (GPOs) are, what their types are, and how you can implement group policies using GPOs.

What is Active Directory Group Policy?

AD Group Policies are critical pieces of instructions in an AD environment that an IT administrator can configure. AD group policies will determine the behavior and privileges for users and computers. Group Policies are primarily a security solution for the AD network. Administrators can configure these settings and then implement sets of these settings on sites, domains, or OUs containing users and computers.

What is a Group Policy Object?

Multiple group policy settings are bundled together in a set called a Group Policy object (GPO). Once an administrator has configured the Group Policies in the GPO as necessary, they can link the GPO to container objects. The objects within those containers will then act within the boundaries and rules set by the policies in the GPO assigned to them. GPOs can be created and managed using the Group Policy Management Console (GPMC).

A GPO stores its configuration information in two locations:

1. Group Policy Container (GPC)

2. Group Policy Template (GPT)

A GPC is an object which contains information such as the GPO's name, ACL, version information, and enable/disable status. It is stored in the CN=Policies,CN=System container of the domain. A GPT is stored as files in the SYSVOL directory on every domain controller in the domain. It contains the administrative templates and scripts related to the GPO. The contents of the SYSVOL folder are replicated between all the domain controllers in the domain.
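The two storage locations can be checked against each other. The following script is an added example, not part of the original article: it reads every GPC under CN=Policies,CN=System, follows its gPCFileSysPath attribute to the GPT folder in SYSVOL, and flags GPOs whose AD version number and GPT.ini version disagree (a sign of incomplete SYSVOL replication or a damaged GPT). It assumes the RSAT ActiveDirectory module and read access to SYSVOL.

```powershell
# Added example: compare GPC (AD) and GPT (SYSVOL) version numbers for every GPO in the domain.
Import-Module ActiveDirectory

function Test-GpoStorageConsistency {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    # GPCs are one level below CN=Policies,CN=System in the domain partition.
    $policiesDn = "CN=Policies,CN=System,$domainDn"
    # The flags attribute encodes the enable/disable status kept in the GPC.
    $status = @{ 0 = 'Enabled'; 1 = 'User settings disabled'
                 2 = 'Computer settings disabled'; 3 = 'All settings disabled' }

    Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
        -Filter { objectClass -eq 'groupPolicyContainer' } `
        -Properties displayName, versionNumber, gPCFileSysPath, flags |
    ForEach-Object {
        # gPCFileSysPath is the UNC path of the GPT folder; GPT.ini holds its version.
        $gptIni     = Join-Path $_.gPCFileSysPath 'GPT.ini'
        $gptVersion = $null
        if (Test-Path $gptIni) {
            $iniText = Get-Content -Path $gptIni -Raw
            if ($iniText -match '(?m)^Version=(\d+)') { $gptVersion = [int]$Matches[1] }
        }
        $gpcVersion = [int]$_.versionNumber
        [pscustomobject]@{
            Name            = $_.displayName
            Guid            = $_.Name
            Status          = $status[[int]$_.flags]
            # Both sides pack the user version in the upper 16 bits, computer in the lower 16.
            GpcComputerVer  = $gpcVersion -band 0xFFFF
            GpcUserVer      = $gpcVersion -shr 16
            GptVersion      = $gptVersion
            GptIniPresent   = ($null -ne $gptVersion)
            Consistent      = ($null -ne $gptVersion) -and ($gptVersion -eq $gpcVersion)
        }
    }
}

# Show only the GPOs that need attention: GPT missing or versions out of step.
Test-GpoStorageConsistency | Where-Object { -not $_.Consistent } | Format-Table -AutoSize
```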

Managing GPOs in Active Directory

Now that we have understood what Group Policies and GPOs are, let's see how we can create a GPO, and then view, edit, and back up a GPO.

How to create, edit, and link a Group Policy Object in Windows Active Directory

How to create a GPO in Active Directory?

GPOs can be created and managed using the Group Policy Management Console (GPMC). The configuration settings can be edited using the Group Policy Object Editor (gpedit) console. The following steps illustrate how to create a GPO:

  • Open the GPMC snap-in. To do that, go to Start Menu → Administrative Tools → Group Policy Management Console.
  • In the left pane, expand the Forest container and then the domain container.
  • Select the domain for which the policy settings have to be created and applied.
  • Double-click on the domain to see a list of OUs and other containers in the domain.
  • Right-click on the Group Policy Objects container and select New.
  • Enter the name of the GPO and click OK.
[Figure: Creating a new GPO in Active Directory]

How to edit a GPO in Active Directory?

The following steps illustrate how to view the various settings configured under a GPO:

  • Open the GPMC snap-in. To do that, go to Start Menu → Administrative Tools → Group Policy Management Console.
  • Right-click on the Group Policy Objects container and select a GPO.
  • In the right pane, select the Settings Tab and click Show all.
  • If no policy settings are defined for a GPO, both the Computer Configuration and User Configuration sections will show "No settings defined".
  • To configure policy settings for the GPO, right-click anywhere on the right pane or on the GPO and select Edit.
  • The Group Policy Object Editor will open. Browse through the Computer Configuration and User Configuration settings and define them as necessary.
[Figure: Group Policy Management Editor in Active Directory]

How to link a GPO to an object in Active Directory?

Creating a GPO and defining settings for it does not apply them to the target users and computers. To apply the policy settings in a GPO, it has to be linked to a site, a domain, or an OU. The following steps illustrate how to link a GPO:

  • Open the GPMC snap-in. To do that, go to Start Menu → Administrative Tools → Group Policy Management Console.
  • In the left pane, expand the Forest container and then the domain container. Browse to the target domain.
  • Right-click on the domain, site, or OU and select Link an Existing GPO.
  • In the Select GPO dialog box, under Group Policy Objects, select the GPO and click OK.

Now all the policy settings configured for that GPO will be applied to all users and computers present in the site, domain, or OU to which the GPO is linked.

[Figure: Linking a GPO to an Active Directory object]

How to back up and restore GPOs in Active Directory?

Backing up and restoring GPOs in Active Directory can be done using the GPMC. Here are the steps you need to follow:

  • Go to Start, navigate to Administrative Tools, and then click Group Policy Management.
  • In the GPMC window that opens, expand the Group Policy Objects folder that contains the GPO which you want to be backed up.
  • Right-click the GPO, and then click Back Up.
  • This will open the Backup Group Policy Object window. Specify the path to the folder where you want the backed-up version of the GPO to reside.
  • Once done, click Back Up.
[Figure: Backing up a Group Policy Object in Active Directory]

Once the GPO backup operation is done, the window will notify you of its successful completion; click OK. The selected GPO is now backed up. You can verify that the GPO has been backed up by navigating to the folder you specified during the backup process. You should see a list of folders that contain the GPO backup data. With this data, you can restore a deleted GPO or a modified GPO as necessary. To learn more about GPO backup, you can read this article.
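The same create, edit, link, and back up sequence can be scripted, which is how it is usually done for repeatable builds and disaster-recovery drills. The script below is an added example, not from the original article; it uses the GroupPolicy module that ships with the GPMC, and the GPO name, OU path, backup folder, and the registry setting it defines are placeholders chosen for this example.

```powershell
# Added example: the GPMC steps above, performed with the GroupPolicy module.
Import-Module GroupPolicy

$gpoName   = 'Example - Disable SMBv1 Server'       # placeholder GPO name
$targetOu  = 'OU=Workstations,DC=example,DC=com'    # placeholder OU to link to
$backupDir = 'C:\GPOBackups'                        # placeholder backup folder

# 1. Create: equivalent of right-clicking Group Policy Objects > New in GPMC.
$gpo = New-GPO -Name $gpoName -Comment 'Created by the GPO management example'

# 2. Edit: define a Computer Configuration registry policy without opening the editor.
#    Sample hardening setting: SMB1 = 0 under the LanmanServer parameters key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 0 | Out-Null

# 3. Link: equivalent of "Link an Existing GPO" on the OU. Nothing applies before this step.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced No | Out-Null

# 4. Back up: equivalent of right-click > Back Up. Each backup lands in its own GUID-named folder.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment 'Baseline after initial link'
"Backed up '$gpoName' (GPO id $($gpo.Id)) as backup id $($backup.Id)"

# 5. Verify: the GPMC Settings tab as an HTML report, kept beside the backup.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir "$gpoName.html")

# Restore the backed-up version after an unwanted change or deletion:
#   Restore-GPO -Name $gpoName -Path $backupDir
```

Backup-GPO writes a manifest and per-backup folders that Restore-GPO and Import-GPO read back, which is the same folder layout the GPMC backup wizard produces.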
