Implementing Group Policy in Windows Server 2016

Group Policy, a feature of the Microsoft Windows NT family of operating systems, is deployed to control the working environment of user accounts and computer accounts. This feature provides centralized management and configuration of operating systems, applications and user settings in Active Directory environments.

A standalone version called Local Group Policy (LGPO or LocalGPO) allows Group Policy Object management in non-domain computers. 

                        Exploring Group Policy Objects

Windows Server 2016 installations come with Group Policy Management by default. Search for the console and launch it. Be aware that, just like the past lesson on Implementing DNS in Windows Server 2016, there are a lot of components that make up Group Policy implementation and management.

IT engineers and network administrators stand to benefit from understanding the concept to streamline user resource allocations, management and enforcement of security policies across an organization’s domain. Let’s take a closer look at the console.  

Expand the forest to display the Default Domain Policy, Sites, Group Policy Modelling and Group Policy Results. Notice that the organizational units we created in earlier lessons appear in this window.

Expand the Domains tree and click on your local domain to inspect the tabs associated with the object. The Status tab shows the status of Active Directory and SYSVOL replication for your domain as it relates to Group Policy. If you have other domain controllers on the network, clicking Detect Now will gather information from all those domain controllers.

The Linked Group Policy Objects tab displays any Group Policy Objects linked to the domain. Notice the default policy is linked but not currently enforced.

The Group Policy Inheritance tab displays any inherited policies. It contains the Default Domain Policy.

The Delegation tab displays all users and groups with permissions for containers and all child containers in the domain. You can add or remove more users or groups by clicking the button.

           Creating Group Policy Objects in Server 2016

When the Group Policy Management console is launched, you will see any available organizational units, along with the Group Policy Objects container. Bear in mind that this object is not available in Active Directory and any new policies created will have to be linked to the Domain or Sites as pictured below.

Expand the Group Policy Objects tree to reveal the Default Domain Controllers Policy and let’s begin.

1. Right Click on the Group Policy Objects container and select New to create a new group policy.

2. A dialogue box should open prompting you to name the GPO. Try choosing self-explanatory names like Printers or Mapped Drives. We’ll settle for New Demo GPO in this example.

3. Notice an option to select Source Starter GPO. Group Policy Manager has starter GPO templates available which could be assigned to any group policy you create. We’ll explore that feature later so just click OK to create the new demo GPO.

4. Once the new GPO is created, you have the option to link containers which correspond to the Organizational Units we created in our previous lesson. Right Click on the container you wish to apply group policies to and select Link an Existing GPO.

5. A dialog box should now open, with the domain you’re looking to apply policies to specified at the top. Notice the New Demo GPO we created, listed at the bottom. Select it and Click OK to apply policy settings to Users or Computers contained in that particular Organizational Unit container.

6. Bear in mind, there are two ways of creating GPOs. The first is achieved by Right Clicking Group Policy Objects > New, offering administrators the tool to set all the policies before linking them to a container. 

The second method involves Right Clicking the specific OU container and selecting ‘Create a GPO in this domain, and Link it here’. As pictured below, all policies are applied immediately to the OU container.

7. We are now ready to edit our newly created New Demo GPO. Right click on the object and Edit.

8. You should see the Group Policy Management Editor window open with two main settings for Computer Configuration and User Configuration. Any changes made can be applied to either users and/or computers in your domain. Notice both configurations have editable Policies and Preferences.

9. Becoming familiar with all the settings and what functionality can be configured is a good idea. Expand the configuration tree and inspect all the tabs.

Below are elements found in Computer Configuration > Policies:

Software Settings > Software installation.
Windows Settings > Name Resolution Policy, Scripts (Startup/Shutdown), Deployed Printers, Security Settings, Policy-based QoS.
Administrative Templates > Control Panel, Network, Printers, Server, Start Menu and Taskbar, System, Windows Components, All settings.

10. Expand the tree to inspect elements for Computer Configuration > Preferences. Various configuration settings can be found, as listed below:

Windows Settings > Environment, Files, Folders, Ini Files, Registry, Network Shares, Shortcuts.
Control Panel Settings > Data Sources, Devices, Folder Options, Local Users and Groups, Network Options, Power Options, Printers, Scheduled Tasks, Services.

11. Very similar settings tabs can be found under User Configuration, with the only difference being the naming of Scripts as Logon/Logoff as opposed to Startup/Shutdown for Computer Configuration Policies. A Folder Redirection tab can also be found under the User Configuration settings, which is absent from the Computer Configuration settings we inspected above.

Expand the User Configuration tree > Policies to reveal settings listed below;

Software Settings > Software installation
Windows Settings > Scripts (Logon/Logoff), Security Settings, Folder Redirection, Policy-based QoS, Deployed Printers.
Administrative Templates > Control Panel, Network, Printers, Server, Start Menu and Taskbar, System, Windows Components, All settings.

Expand the User Configuration tree > Preferences to reveal settings listed below;

Windows Settings > Applications, Drive Maps, Environment, Files, Folders, Ini Files, Registry, Shortcuts.
Control Panel Settings > Data Sources, Devices, Folder Options, Internet Settings, Local Users and Groups, Network Options, Power Options, Printers, Regional Options, Scheduled Tasks, Start Menu.

12. A section of grave importance and worth paying attention to is User Configuration > Administrative Templates, where administrators will spend a lot of time configuring user settings. A ton of information is available in this tab, so spend some time getting familiar with it.

Click on Policies > Administrative Templates > System to see a host of settings such as Removable Storage Access, Folder Redirection, Prevent Access to registry editing tools among others.

To see all available settings at your disposal, Click All Settings.
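
The creation and linking steps above (1 to 5), together with the link, inheritance and delegation views from the console tour, can also be run and checked from PowerShell using the GroupPolicy and ActiveDirectory modules. This is an added example, not part of the original article; the OU name 'Demo OU' and the report file name are placeholder assumptions to replace with your own.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'New Demo GPO'   # name chosen in step 2
$ouName   = 'Demo OU'        # assumption: placeholder, use one of your own OUs
$domainDn = (Get-ADDomain).DistinguishedName

# Resolve the OU by name; refuse to continue if it is missing or ambiguous.
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")
if ($ou.Count -ne 1) {
    throw "Expected exactly one OU named '$ouName', found $($ou.Count)."
}
$ouDn = $ou[0].DistinguishedName

# Steps 1-3: create the GPO (no Starter GPO) unless it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Demo GPO created from script'
}

# Steps 4-5: link it to the OU, enabled but not enforced, if not linked yet.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes -Enforced No | Out-Null
}

# Read back what the Linked GPOs / Inheritance tabs show for the OU and domain.
$links = foreach ($target in $ouDn, $domainDn) {
    $som = Get-GPInheritance -Target $target
    foreach ($l in $som.InheritedGpoLinks) {
        [pscustomobject]@{
            Target  = $target; Order = $l.Order; Gpo = $l.DisplayName
            Enabled = $l.Enabled; Enforced = $l.Enforced
            Blocked = $som.GpoInheritanceBlocked
        }
    }
}
$links | Format-Table -AutoSize

# Delegation on the new GPO: every trustee and the right it holds.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# Settings report to review after the editing steps (7 onward).
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $env:TEMP 'New-Demo-GPO.html')
```

Keeping the permission listing and the HTML report alongside each change gives you a record of who could edit the GPO and what it contained at the time it was linked.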

                           A Quick Glance at Starter GPOs

On the main Group Policy Management interface, you will see a tab labelled Starter GPO which may contain pre-set condition policies that may be applied to users and/or computers in your domain.

Click on the tab and inspect its properties on the right pane. You may find this folder has not been created yet. Click to Create Starter GPOs Folder.

Depending on the server operating system you’re running, a handful of policies should appear in this window. Further customized policies can be downloaded from Microsoft or third parties; however, this lab will focus on creating and setting our own policies to affect domain users and computers.


                                            Final Thoughts
We hope this introductory article was useful in explaining Group Policy infrastructure in Windows Server, how to access it, and the various components and settings that make up the editor.

You may want to pin the icon to your taskbar, as we'll be delving deeper into using Group Policy tools to implement structured, restricted access control over resources on our network.

Do leave some comments on other ways to perform this task to help other students learn more.

Thank you for investing your time with us.


                  Credits to all organisations and development teams at Microsoft Corporation

