In this video, we’re going to take a look at Group Policy; this will be part one. First, I’ll introduce you to GPOs, then we’ll move on to Local Group Policy.
What is Group Policy?
- It is simply a nice UI that explains all of the different settings available to you, so you don’t have to memorize the obscure registry location of each setting and make those changes yourself on each individual computer. It’s even more impractical to go and change the settings on everybody’s computers.
A Group Policy Object is a group of registry settings. In seconds or minutes, you can go in and make a change that affects your entire domain or an Organizational Unit.
Components of a Group Policy Object
- Templates- that allow you to create a drive cell fliers Organizational unit templates that allow you to create a formal business letter or resume that’s sort of thing
- Group Policy Object files in Sysvol
- Go to the local drive > Windows > PolicyDefinitions
- You’ll find the .admx files there, and under en-US you’ll find the .adml files
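To see the "group of registry settings" behind the UI, the following added example (not from the video) reads the .admx and .adml files and reports which registry key and value a policy writes. The function name Find-PolicyRegistryValue is hypothetical, and the script assumes the local template store with en-US language files.

```powershell
# Added example. Assumes the local template store and the en-US language files.
$store = Join-Path $env:SystemRoot 'PolicyDefinitions'
$lang  = 'en-US'

function Find-PolicyRegistryValue {
    param([Parameter(Mandatory)] [string] $DisplayNamePattern)   # wildcard pattern

    foreach ($admxFile in Get-ChildItem -Path $store -Filter '*.admx') {
        $admlPath = Join-Path (Join-Path $store $lang) ($admxFile.BaseName + '.adml')
        if (-not (Test-Path -LiteralPath $admlPath)) { continue }   # no language file for this template

        [xml]$admx = Get-Content -LiteralPath $admxFile.FullName -Raw
        [xml]$adml = Get-Content -LiteralPath $admlPath -Raw

        # The .adml string table maps string ids to the text shown in the editor.
        $strings = @{}
        foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
            $strings[$s.id] = $s.'#text'
        }

        foreach ($policy in $admx.policyDefinitions.policies.policy) {
            # displayName is a reference such as $(string.SomeId)
            $id   = $policy.displayName -replace '^\$\(string\.(.+)\)$', '$1'
            $text = $strings[$id]
            if ($text -like $DisplayNamePattern) {
                [pscustomobject]@{
                    Template    = $admxFile.Name
                    DisplayName = $text
                    Class       = $policy.class       # User, Machine or Both
                    Key         = $policy.key
                    ValueName   = $policy.valueName   # empty when the policy writes several values
                }
            }
        }
    }
}

# Look up the setting used later in this walkthrough.
Find-PolicyRegistryValue '*Prohibit access to Control Panel*' | Format-List
```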
Edit local group policy
- Run local group policy editor by searching for gpedit.msc
The policies made here apply only to this local computer, not to other domain computers.
The other editing tools that you can use are the:
- Group Policy Management Console (GPMC) and the
- Group Policy Management Editor (GPME).
In this case, I’m just gonna go and connect directly from the domain controller.
- Go to Tools > Choose group policy management
To apply a GPO to an Organizational Unit, you’re gonna need to do this:
- Right click on the OU
- Choose Create a GPO in this domain
- However, for your daily group policy editing in practical administration, I want to encourage you not to create policies that way. Instead, I would recommend you go to Group Policy Objects down here and create the policy there:
- Right click there
- Choose New and create your policy. When you’re ready and you’ve made all the configuration settings that you need, you can link it to one of your Organizational Units.
First, let’s start small with Local Group Policy, which only applies to the local computer.
Let’s try to limit the access of a certain user to the computer. For example, prohibit access to the control panel.
- Go down to Administrative Templates > Click Control Panel
- Then click on Prohibit access to Control Panel and PC settings
- You may also add some comments here, so I’m gonna put somebody’s name here
- Then click OK
- It may not take effect immediately; if so, open the command prompt and run gpupdate, and it should then take effect.
There are two sides of Local Group Policy:
- Computer configuration – applies to all users of the computer
- User configuration – applies to all users unless:
  - You set up a local group policy which applies only to an administrator or non-administrator security group
  - You set up a user-specific policy (not groups)
- Can be used on any standalone machine (in other words, one that is not a member of a domain) or on a machine that is a domain member. The only exception is domain controllers: because of the nature of a domain controller itself, you don’t set up local group policies on domain controllers.
- Local processing of a local group policy can be disabled via a Group Policy Object (GPO)
I’m gonna create another group policy here at the domain level using the Group Policy Management Console, which will disable local policy processing, and
- I will name it “disable local policy”.
- right click on this and choose Edit
- and to disable the local group policy processing, click on Policies
- Then Administrative templates
- Then go down to System
- Then go to Group Policy
- I’m gonna look for Turn off Local Group Policy Object processing.
- Enable it and then click OK.
NOTE: This policy right now is not linked, you have to link the policies in order for them to take effect.
So I’m gonna drag this and link it to the Organizational Unit that I’ve made right here, because that’s where the computer account is located. If I go back to my local client and run gpupdate, then once this policy is done processing, it should disable processing of the local group policies because of the policy that we’ve made from the domain controller.
Note: By doing this, I have given everyone access to the control panel.
Now, if you want to disable or unlink that policy, you can do either of these:
- Go to the Organizational Unit that you’ve linked it to, right click on it, and then uncheck Link Enabled.
- Right click on it, and just delete it. (Note: If you delete it from here, it will still be present in the Group Policy Objects Directory but it’s no longer linked to the OU.)
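The same create-unlinked, configure, link and unlink sequence can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the video: the OU distinguished name is a placeholder, the two rollback function names are hypothetical, and the registry value behind "Turn off Local Group Policy Object processing" is stated as an assumption to confirm against GroupPolicy.admx.

```powershell
# Added example. Requires the GroupPolicy module (RSAT, or run on a domain controller).
Import-Module GroupPolicy

$gpoName  = 'disable local policy'                # GPO name used in the walkthrough
$targetOU = 'OU=Workstations,DC=example,DC=com'   # PLACEHOLDER: DN of the OU holding the computer account
$key      = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the GPO under Group Policy Objects. Nothing is linked yet, so no machine is affected.
New-GPO -Name $gpoName -Comment 'Turns off Local Group Policy Object processing' | Out-Null

# 2. Configure the setting. Assumption: this Administrative Templates policy is backed by the
#    DisableLGPOProcessing value; confirm against GroupPolicy.admx before relying on it.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DisableLGPOProcessing' `
    -Type DWord -Value 1 | Out-Null

# 3. Review what the GPO contains and what the OU already receives before linking.
Get-GPRegistryValue -Name $gpoName -Key $key
(Get-GPInheritance -Target $targetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 4. Link it. Computers in the OU pick it up at the next refresh or after gpupdate.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# Rollback helpers matching the two options in the console.
function Disable-PolicyLink {   # same as unchecking "Link Enabled"
    Set-GPLink -Name $gpoName -Target $targetOU -LinkEnabled No
}
function Remove-PolicyLink {    # same as deleting the link; the GPO itself remains
    Remove-GPLink -Name $gpoName -Target $targetOU
    Get-GPO -Name $gpoName | Select-Object DisplayName, Id, GpoStatus
}
```

On the client, run gpupdate and then gpresult /r /scope computer to confirm the GPO appears under the applied Group Policy Objects.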
But then again, that would mean that I won’t be able to access the control panel, even as an administrator.
To make an exception so that administrators and other users can access the control panel, you’re gonna need to do this:
- Run MMC
- Click on File
- Choose add/ remove snap in
- Look for Group Policy Object editor
- Click add
- Click finish
- Then add the Group Policy Object editor again; this is for the exceptions for the policy
- Click on Browse
- You may click on another computer if you want to do it remotely, but for this case, I’m gonna click on Users. I’m gonna add the Administrators group to this policy.
- Click finish
- Click ok
- Now, drop down the node for the Administrators Policy
- Then go to User Configuration
- Then Administrative Templates
- Then the control panel
- Now to override the existing policy, click on the policy which in this case is the prohibit access to control panel.
- Then disable it
- Then I’d just run a gpupdate to forcibly refresh the policies
- After that, the administrators should have access to the control panel, while other users who are not part of the Administrators group won’t be able to access it
What we did just now is called multiple local group policy. In previous versions there was only one local group policy, so you couldn’t add an exception policy like we did earlier.
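To check which local policy layers exist on a machine and whether a domain GPO has switched them off, here is an added audit example (not from the video). It assumes the default on-disk locations for multiple local GPOs and the DisableLGPOProcessing registry value; both function names are hypothetical. Layers apply in the order shown, and a later layer overrides an earlier one.

```powershell
# Added example. Run from an elevated prompt; the policy folders are hidden and restricted.
$sys32       = Join-Path $env:SystemRoot 'System32'
$groupLayers = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Non-Administrators' }

function Get-LocalGpoLayer {
    # Layer 1 is the single Local Computer Policy.
    $layers = @([pscustomobject]@{
        Order = 1; Layer = 'Local Computer Policy'; Path = Join-Path $sys32 'GroupPolicy' })

    # Layers 2 and 3 live in one folder per SID (assumed default location).
    $usersRoot = Join-Path $sys32 'GroupPolicyUsers'
    if (Test-Path -LiteralPath $usersRoot) {
        foreach ($dir in Get-ChildItem -LiteralPath $usersRoot -Directory -Force) {
            if ($groupLayers.ContainsKey($dir.Name)) {
                $order = 2; $name = $groupLayers[$dir.Name]
            } else {
                $order = 3
                try {
                    $sid  = [System.Security.Principal.SecurityIdentifier]$dir.Name
                    $name = 'User: ' + $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = 'User: ' + $dir.Name + ' (unresolved)' }
            }
            $layers += [pscustomobject]@{ Order = $order; Layer = $name; Path = $dir.FullName }
        }
    }

    foreach ($l in $layers | Sort-Object Order) {
        $pol = Get-Item -LiteralPath (Join-Path $l.Path 'User\Registry.pol') -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Order = $l.Order; Layer = $l.Layer
            HasUserSettings = [bool]$pol
            LastChanged     = if ($pol) { $pol.LastWriteTime } else { $null }
        }
    }
}

function Test-LocalGpoProcessingDisabled {
    # True when a domain GPO has turned off local GPO processing (assumed value name).
    $p = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
            -Name 'DisableLGPOProcessing' -ErrorAction SilentlyContinue
    return [bool]($p -and $p.DisableLGPOProcessing -eq 1)
}

Get-LocalGpoLayer | Format-Table -AutoSize
"Local GPO processing disabled by domain policy: $(Test-LocalGpoProcessingDisabled)"
```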
And now we’re done with Group Policy Part one.
Thanks for watching and I hope you learned much in this video.