How to configure GPO in Active Directory at Site, Domain and OU levels

Introduction

An Active Directory network grows over time and can become unwieldy to manage. There is a myriad of things that need to be controlled, such as security permissions, software installation, desktop settings for users and computers, administrator privileges, and many more. This is where Group Policy and Group Policy Objects come into play. In this article, we look at the Group Policy Management Console (GPMC) and how to configure Group Policy Objects (GPOs) with it.
 

What is Group Policy Management Console?  

Active Directory administrators can manage Group Policy Objects (GPOs) from a single console using the Group Policy Management Console (GPMC) interface.
 
An administrator can control Group Policy in an Active Directory forest and gather information for Group Policy troubleshooting using the Group Policy Management Console (GPMC), a built-in Windows administration tool. The Group Policy Management Console is located in the Tools menu of Windows Server Manager. Install the Remote Server Administration Tools (RSAT) for your version of Windows and run the GPMC from an administrative workstation, because using domain controllers for routine management activities is not recommended.
 
The GPMC integrates the existing Group Policy functionality exposed in various tools into a single console, along with the following new capabilities:
  • A user interface that makes it easier to use and manage Group Policy Objects (GPOs).
  • Backup, restore, import, and copy of Group Policy Objects (GPOs).
  • Simplified management of Group Policy-related security.
  • Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
  • Programmatic access to the preceding GPO operations. Note that it is not possible to set individual policy settings within a GPO programmatically.

Group Policy Object applications 

Now that you have an understanding of what the GPMC is, let us delve right into how to use it to create a GPO and how that GPO can be linked to any level in Active Directory. Before going into details, it is crucial to understand where GPOs reside in Active Directory. GPOs reside in their own container, not directly at any level of Active Directory. If you want a GPO to apply to a level such as a site, domain or OU, the GPO in the Group Policy Objects container is linked to the desired location. When you open a GPO for the first time, you get a “Group Policy Management Console” message like this.

 
 
This message is to remind the administrator that there might be multiple levels in the AD that use the same GPO. It means that if you change the attributes or settings of the GPO, all the levels that are linked to this GPO inherit the change. If you have accidentally clicked on “Do not show this message again”, it can be brought back by choosing, “Show confirmation dialog box to distinguish between GPOs and GPO links” from the View option in the GPMC menu bar.
 
Now let us discuss how to apply GPO to various levels in the Active Directory – Site level, Domain level and OU level. Let us deploy one change using GPO – Setting a screen saver for the computers in the Active Directory using GPO.
 
There are two ways you can apply Group Policy to any level in Active Directory.
  1. Create the GPO in the Group Policy Objects container and manually link it to the chosen level of AD.
  2. Navigate to the intended level in AD (a domain or an OU) and create the GPO there, which links it in the same step.
Either way works; there is no difference in effect between the two methods.
 

Create a shared folder

  1. Create a shared folder on your C drive (C:\). Paste your screen saver file inside this folder.
  2. Take note of the UNC path of the file.
 

Creating a new Group Policy Object

  1. Launch the Group Policy Management Console from the Start menu.
  2. In the left pane, expand Group Policy Management, then Forest, then Domains, then Corp.com, then Group Policy Objects.
  3. Right-click on the Group Policy Objects folder and click on New. A New GPO dialog box will open.
  4. Give your GPO a descriptive name. For our case, let us name it “Our Screen Saver”.
  5. Your GPO will now be listed in the panel. Right-click it and choose Edit. A Group Policy Management Editor window will open.
  6. Expand User Configuration, then Policies, then Administrative Templates, then Control Panel, and click on Personalization.
  7. Double-click on Screen saver timeout. Select Enabled and set your timeout value, say 120 seconds. Then click on Apply, and then OK.
  8. Now double-click on the Force specific screen saver policy. Select Enabled and provide the path to your screen saver file in the text box under Screen saver executable name. Click on Apply and then OK.
  9. Double-click on Enable screen saver. Select Enabled. Click Apply and then OK.
  10. Double-click on Password protect the screen saver. Select Enabled. Click Apply and OK.
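The same GPO can be created and populated from PowerShell with the GroupPolicy module that ships with RSAT. The block below is an added example, not code from the original article: it creates “Our Screen Saver” in the Group Policy Objects container and writes the four settings from steps 7 to 10 as policy registry values. The UNC path \\fileserver\ScreenSavers\Ours.scr is a constructed placeholder, and the mapping of each Administrative Template setting to a registry value under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop is the one used by the built-in ControlPanelDisplay.admx template; confirm it in each policy's Explain text before relying on it.

```powershell
# Added example (not from the original article): create the "Our Screen Saver" GPO and set the
# four screen saver policies with the GroupPolicy module (RSAT) instead of the GPMC editor.
# Assumptions: domain corp.com; the screen saver share path below is constructed.
Import-Module GroupPolicy

$GpoName   = 'Our Screen Saver'
$ScrPath   = '\\fileserver\ScreenSavers\Ours.scr'   # constructed; replace with your UNC path
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Steps 3 and 4: create the GPO in the Group Policy Objects container only. It is not linked yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Forces the corporate screen saver with a 120 s timeout'
}

# Steps 7 to 10: each Administrative Template setting is stored as a registry value in the GPO.
# The ADMX writes these as REG_SZ strings, so -Type String is used even for the numbers.
$settings = @{
    'ScreenSaveTimeOut'   = '120'      # Screen saver timeout (seconds)
    'SCRNSAVE.EXE'        = $ScrPath   # Force specific screen saver
    'ScreenSaveActive'    = '1'        # Enable screen saver
    'ScreenSaverIsSecure' = '1'        # Password protect the screen saver
}
foreach ($entry in $settings.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $entry.Key `
        -Type String -Value $entry.Value | Out-Null
}

# Read the values back from the GPO to confirm exactly what was written.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Type, Value

# The GPO exists but has no links; it affects nobody until it is linked at a site, domain or OU.
Get-GPO -Name $GpoName | Select-Object DisplayName, Id, GpoStatus, ModificationTime
```

Because SCRNSAVE.EXE runs inside every user's session, the share that hosts the .scr file should grant users Read access only; if ordinary users could write to that file, anything they placed there would run for every account the GPO applies to.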

Applying a Group Policy Object at the Site Level

Before applying a Group Policy Object at the site level, there are a few things that need to be kept in mind.
 
  1. A GPO at the site level is the least preferred option, as it has the largest impact on the Active Directory environment. A minor mistake can have serious implications.
  2. Sites exist at the forest level, so a site can span many domains across several trees. If this is the case, only the Enterprise Administrators (EAs) or the Domain Administrators (DAs) in the root domain can create, modify and manage sites and site links. However, the EAs or the root DAs can delegate this privilege to lower-level administrators, such as an OU administrator.
  3. Applying a GPO at the site level can significantly affect logon times and the traffic on the Wide Area Network (WAN).
  4. After applying a GPO at the site level, you will not receive any confirmation or warning dialog box stating the status. This is because the GPMC assumes that the EAs and root DAs know what they are doing, so any mistake takes effect on a grander scale. Caution is advised, and it is always wise to perform this in a test environment first.
 
Since we have created a GPO in its container, it is now time to link it to the site.
 
  1. Open the GPMC snap-in. Expand the Group Policy Management folder, then Forest, then Sites.
  2. If you have only one site, it will probably be named “Default-First-Site-Name”.
  3. Right-click on your site and choose the option “Link an Existing GPO...”.
  4. Select the GPO created earlier from the list of GPOs in the Group Policy Objects container. The GPO is now linked to the site.
 
To test whether your GPO has worked, log on to one of the workstations located in that site. Check whether the machine shows the screen saver after 2 minutes (120 seconds, as specified in the GPO). If it is not effective, try logging off and then logging on again.
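The site link and the test can also be scripted. The following is an added example rather than code from the original article; it assumes the forest root domain corp.com, the site Default-First-Site-Name, and a constructed test user CORP\testuser on a workstation named WS01 that belongs to that site. It reads the site object's gPLink attribute before linking, which shows concretely that a link is a pointer to the GPO's GUID stored on the site object, not a copy of the GPO.

```powershell
# Added example (not from the original article): link the existing "Our Screen Saver" GPO at the
# site level, confirm where the link is stored, and test the result on a workstation in the site.
# Assumptions (constructed): domain corp.com, site Default-First-Site-Name, user CORP\testuser, host WS01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Our Screen Saver'
$Domain  = 'corp.com'
# Sites live in the forest-wide Configuration partition, so the link target is the site's DN.
# -Domain tells New-GPLink which domain's Group Policy Objects container holds the GPO.
$SiteDN  = 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com'

$gpo = Get-GPO -Name $GpoName -Domain $Domain

# The gPLink attribute of the site object lists the GUIDs of linked GPOs. Checking it first
# avoids linking the same GPO to the site twice.
$gpLink = (Get-ADObject -Identity $SiteDN -Properties gPLink -Server $Domain).gPLink
if ($gpLink -notmatch [regex]::Escape($gpo.Id.ToString())) {
    New-GPLink -Guid $gpo.Id -Target $SiteDN -Domain $Domain -LinkEnabled Yes | Out-Null
}
# Show the attribute after linking; the GPO's GUID now appears inside it.
(Get-ADObject -Identity $SiteDN -Properties gPLink -Server $Domain).gPLink

# Test: build a Resultant Set of Policy report for the user on a workstation in the site and
# look for the four screen saver settings under User Configuration > Policies >
# Administrative Templates > Control Panel > Personalization.
$Report = Join-Path $env:TEMP 'rsop-site.html'
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'CORP\testuser' -ReportType Html -Path $Report
Invoke-Item $Report

# If the settings are absent, refresh policy on the workstation (or log off and on) and re-run:
# Invoke-GPUpdate -Computer 'WS01' -Force
```

Running the RSoP report before waiting for the two-minute timeout tells you whether the policy reached the user at all, which separates a linking or replication problem from a setting that was configured incorrectly.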
 
 

Applying a Group Policy Object at the Domain Level

Now let us see how a GPO can be applied at the domain level. It is done the same way as above, with the focus on the domain. Only members of the Domain Administrators or Enterprise Administrators groups can create GPOs and link them to a domain; however, other members of Active Directory can do the same if they are delegated the rights.
 
Now, to apply the GPO at the domain level, follow the steps below:
  1. In the GPMC snap-in, expand the Group Policy Management folder, then Forest, then Domains, then Corp.com.
  2. Right-click on your desired domain. You can choose either “Create a GPO in this domain, and link it here...”, which creates a GPO as we did earlier, or “Link an Existing GPO...”.
    1. Create a GPO in this domain, and link it here...
      1. This option lets an administrator create a GPO in the Group Policy Objects folder and link it to the currently selected level of Active Directory in one step, which makes it the more efficient option. Note: this option is not available at the site level, because of the bandwidth concerns described above.
        1. Since you are already at the domain level, you will be prompted to enter a name for the new GPO.
        2. Follow steps 4 through 10 above, under the heading “Creating a new Group Policy Object”.
        3. Also note that your shared folder should be ready and in place, as discussed above under the heading “Create a shared folder”.
    2. Link an Existing GPO...
      1. This option lets an administrator link a GPO that already exists to the currently selected level of Active Directory.
        1. You will be shown the list of existing GPOs. Choose the GPO you created and click OK.

To test whether your GPO has worked, log on to one of the workstations in the domain. Check whether the machine shows the screen saver after 2 minutes (120 seconds, as specified in the GPO). If it is not effective, try logging off and then logging on again.
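The two context-menu options at the domain level correspond to two different PowerShell patterns. The block below is an added example, not code from the original article; it assumes the domain corp.com (distinguished name DC=corp,DC=com), the “Our Screen Saver” GPO created earlier, and a constructed GPO name “Domain Screen Saver” for the create-and-link case. Before reusing an existing GPO it lists the places the GPO is already linked, because a settings change to a shared GPO takes effect at every link.

```powershell
# Added example (not from the original article): "Create a GPO in this domain, and link it here..."
# versus "Link an Existing GPO..." at the domain level, using the GroupPolicy module.
# Assumptions: domain corp.com; "Domain Screen Saver" is a constructed GPO name.
Import-Module GroupPolicy

$Domain   = 'corp.com'
$DomainDN = 'DC=corp,DC=com'

# Option 1: create the GPO in the Group Policy Objects container and link it to the domain in
# one pipeline. Its settings would then be added with Set-GPRegistryValue as in the earlier steps.
New-GPO -Name 'Domain Screen Saver' -Domain $Domain |
    New-GPLink -Target $DomainDN -Domain $Domain -LinkEnabled Yes

# Option 2: reuse the GPO that already exists in the container. First list where it is already
# linked, so that sharing one GPO between levels is a deliberate choice.
$gpo = Get-GPO -Name 'Our Screen Saver' -Domain $Domain
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled

New-GPLink -Guid $gpo.Id -Target $DomainDN -Domain $Domain -LinkEnabled Yes | Out-Null

# Links on the domain in precedence order: a link with Order 1 wins when two GPOs set the
# same value, so the order matters when several GPOs are linked at the same level.
(Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```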

Applying a Group Policy Object at the OU Level

Applying a GPO at the OU level can be done by two kinds of people: 1. the Domain Administrator, and 2. any staff member who has been delegated the rights to create, modify and delete GPOs. If you want to know more about delegation, refer to the link embedded.
 
For this OU level, let us enable another setting that prevents users from changing the screen saver settings. Let us also restrict users from changing mouse pointers.
 
  1. Open the GPMC console from the Start menu.
  2. Expand your Active Directory until you reach the desired OU. Right-click on it and select “Create a GPO in this domain, and Link it here...”. A New GPO dialog box will pop up.
  3. Enter your desired name for the GPO, say “Custom screen saver & Screen saver change prevention & Hide Mouse Pointer Option”. The GPO will be created and linked to the OU automatically.
  4. Right-click on the new GPO. From the context menu, choose Edit.
  5. To set your custom screen saver, create a shared folder as above and paste your screen saver file there. Then follow steps 6 through 10 under the heading “Creating a new Group Policy Object”.
  6. To prevent users from changing screen saver settings, double-click on “Prevent changing screen saver”. Change the setting from “Not Configured” to “Enabled” and then click OK.
  7. To prevent users from changing mouse pointers, expand User Configuration, then Policies, then Administrative Templates, then Control Panel, then Personalization, and double-click on “Prevent changing mouse pointers”. Change the setting from “Not Configured” to “Enabled” and then click OK.
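The OU-level GPO, together with the delegation mentioned at the start of this section, can be built as follows. This is an added example, not code from the original article. It assumes a constructed OU OU=Workstations,DC=corp,DC=com, a constructed group GPO-Editors that should be allowed to edit the GPO's settings, and the constructed share path \\fileserver\ScreenSavers\Ours.scr. The registry values for the two “Prevent changing ...” policies are assumed from the ControlPanelDisplay.admx template; confirm them in each policy's Explain text.

```powershell
# Added example (not from the original article): create the OU-level GPO from this section,
# add the screen saver settings plus the two "Prevent changing ..." policies, and delegate
# editing of the GPO to a group without making its members Domain Admins.
# Assumptions (constructed): domain corp.com, OU Workstations, group GPO-Editors, share path below.
Import-Module GroupPolicy

$Domain  = 'corp.com'
$OuDN    = 'OU=Workstations,DC=corp,DC=com'
$GpoName = 'Custom screen saver & Screen saver change prevention & Hide Mouse Pointer Option'
$ScrPath = '\\fileserver\ScreenSavers\Ours.scr'   # constructed; replace with your UNC path

# Steps 2 and 3: create the GPO and link it to the OU in one go.
$gpo = New-GPO -Name $GpoName -Domain $Domain
New-GPLink -Guid $gpo.Id -Target $OuDN -Domain $Domain -LinkEnabled Yes | Out-Null

# Step 5: the same four screen saver values as in "Creating a new Group Policy Object".
$DesktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$desktop = @{
    'ScreenSaveTimeOut'   = '120'
    'SCRNSAVE.EXE'        = $ScrPath
    'ScreenSaveActive'    = '1'
    'ScreenSaverIsSecure' = '1'
}
foreach ($entry in $desktop.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName $entry.Key `
        -Type String -Value $entry.Value -Domain $Domain | Out-Null
}

# Steps 6 and 7: "Prevent changing screen saver" and "Prevent changing mouse pointers".
# Registry mapping assumed from ControlPanelDisplay.admx (DWORD 1 = Enabled).
$SystemKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'NoDispScrSavPage' `
    -Type DWord -Value 1 -Domain $Domain | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'NoChangingMousePointers' `
    -Type DWord -Value 1 -Domain $Domain | Out-Null

# Delegation: GpoEdit lets GPO-Editors change this GPO's settings only. It does not let them
# delete the GPO, change its permissions, or link it anywhere (linking is a right on the OU).
Set-GPPermission -Name $GpoName -TargetName 'GPO-Editors' -TargetType Group `
    -PermissionLevel GpoEdit -Domain $Domain | Out-Null
Get-GPPermission -Name $GpoName -All -Domain $Domain |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, TrusteeType, Permission

# Review the finished GPO as an HTML report before users in the OU pick it up.
$Report = Join-Path $env:TEMP 'ou-screensaver-gpo.html'
Get-GPOReport -Name $GpoName -ReportType Html -Path $Report -Domain $Domain
Invoke-Item $Report
```

Granting GpoEdit rather than GpoEditDeleteModifySecurity keeps the delegated group from widening its own access to the GPO, and the final report is the same one the GPMC shows on the GPO's Settings tab, so it is a convenient place to check that nothing beyond the intended personalization settings has crept in.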
 