Group Policies Creation and Editing
GPO called example policy. I want to make changes to example policy, but I want to test the changes first to make sure that I don't break production machines. What do I do first?
First, I set up a testing OU that contains test machines or user accounts.
There are management interfaces that only show up in
GPMC.
If computer and user objects are in the default containers they can only be targeted with
GPOs that are linked to domains and sites.
For example, the minimum password length policy prevents users from setting passwords that are too short.
I'll right-click on the policy and choose Backup. I've created the GPO backup on my desktop, but in a real environment we'd want to create a network share for this, locked down to only allow domain administrators to access it. I can add a description here too to help me remember why I made the backup. I'll right-click on the policy again, but this time I'm choosing Edit. This will open up the Default Domain Policy in the Group Policy Management Editor. You can see over in the left-hand pane that the GPO is divided into two sections: Computer Configuration and User Configuration. Each of these is divided into Policies and Preferences. Inside this tree of policies and preferences is every individual GPO setting that GPMC knows about, whether it's been configured or not; every GPO has access to the same settings that every other GPO has access to. You might notice that the settings report is laid out in the same hierarchical fashion as the GPO editor. I can see that the account lockout threshold is configured to 0 invalid logon attempts. I'm going to go ahead and right-click Default Domain Policy and hit Edit. I click Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Account Policies, because we're interested in the lockout policy. You can see that there are three policies under Account Lockout Policy. The Policy column tells us the name of the policy, and the Policy Setting column tells us the current configuration of the policy.
Something that you might find super useful is the Group Policy Settings Reference that
Microsoft releases with each new version of Windows. This reference is a spreadsheet that details the GPO policies and preferences that are available and where to find them.
It's a good practice to organize your user and computer accounts in
OUs so they can be targeted with more specific group policies.
If I double-click on any of these policies, it will open up the properties dialog for that policy.
The explain tab will tell us what the policy configures. It may also tell us what to expect if the policy is not defined and what the default value of the policy is if it's enabled but not customized.
The default domain policy is
a default GPO that is linked to the domain. It applies to all of the computers and users in the domain.
Under the default domain policy you will find
a settings report.
By testing my changes on a copy of the GPO on test machines, I make it much harder to
accidentally break production machines.
The group policy objects container will hold
all of the GPOs that are defined in the domain.
The name of the policy and the time that it was backed up are listed here, along with
any descriptions that we provided when we did the backup.
Before making changes to a GPO, you should always
back it up.
If you do use AGPM in your organization, you should follow
best practices for GPO version control using AGPM.
How to set up a test OU: example.com, finance, computers, test, and put testing machines in the test OU.
Click New, click OU, type in finance, and click OK. I click on another OU for my computers, and then underneath that, I'm going to go ahead and make a test OU so I can test my GPO, and hit OK. Next, I make a copy of the GPO that I want to change and call it something like test example policy. So this is the one policy that I have. I'm going to hit Copy, go to my Group Policy Objects, and hit Paste. Now, it says, "Use the default permissions for the GPO," because we want to make a copy, of course, and hit OK. As you can see, it's called "Copy of master". I'm going to rename this to test example policy and press Enter. Now I can make the changes that I want to test in test example policy and link it to my test OU, and let me show you how I link that: "Link an Existing GPO," which is going to be my test example policy right here, and then hit OK. After I confirm that my changes work the way that I expected, I can make a backup of the test policy and then import the backup of test example policy into the production example policy.
Group policy objects can only be linked to
domain, sites, and OUs.
This GPO is designed to enforce policy decisions that we want to make for the
entire domain.
If example policy is usually linked at example.com, finance, then computers, then I can create
example.com, finance, computers, test, and put testing machines in the test OU. This lets the test machines keep all of the existing production GPOs but gives me a place to link a test GPO that will override production.
The most important tool we'll use for creating and viewing group policy objects is called
group policy management console or GPMC.
Group Policy Results
is a troubleshooting tool that's used to figure out what group policies apply to a computer or user in your network. You would use this tool to check on group policies that are already applied to a computer or user.
Group Policy Modeling
is used to predict which group policies will apply to a computer or user in your network. You would use this tool if you wanted to test a change to your GPOs, OUs, or WMI filters before making real changes in your Active Directory.
This wizard remembers the last place that I backed up a GPO
and it lists each of the GPO backups that are in the folder that we choose.
If a policy is not defined, then this GPO won't
make any changes to that setting on the computers that it's applied to.
When making changes to a GPO, you might need to follow a change management process too in order to
notify others in the organization about the changes that you were about to make.
With specific GPOs for specific solutions, you can link your GPOs to
only the computer or users that need that policy.
The Users and Computers containers are not
organizational units.
You can see that the layout of GPMC is similar to
other management tools that we've used in Active Directory. On the left, we see the structure of Active Directory.
If you make a mistake when changing the group policy, you can
restore the policy from backup and undo this catastrophe waiting to happen.
(To restore the backup made before you made changes) Back in the group policy management console, I'm going to right-click on default domain policy in the group policy objects and then
select restore from backup.
There are thousands of settings that can be controlled with GPO, so it can take some research to find the right
setting to change in a group policy object to make a change that you want.
There is lots of documentation online about group policies and where to find
specific settings.
When you need to make changes to a production group policy, you should
test them first.
What's another way I could have prevented this mistake when making changes to the GPO?
Testing.
I'm going to use a settings report as a road map to finding
that policy in the editor.
As soon as you hit Apply or OK in a Group Policy Management Editor dialog,
the changes are made in the GPO immediately. Almost right away, computers can receive the update and start applying it.
In a brand new Active Directory domain, there will be two GPOs that are automatically created:
the default domain controller policy and the default domain policy.
If I click on view settings, it would launch my web browser with
the settings report of the backup.
The Default Domain Controllers Policy is linked to the Domain Controllers OU and applies
to the domain controllers.
The WMI Filters container is
used to define powerful targeting rules for your GPOs.
Since you're working with the entire universe of group policy in every GPO, it can be very difficult to tell from the editor
what settings are actually configured in this GPO.
These filters use properties of Windows Management Instrumentation or WMI objects to decide
whether or not a GPO should apply to a specific computer.
AGPM (Advanced Group Policy Management)
which is a set of add-on tools from Microsoft that gives you some added version control abilities in GPMC.
So looking at the explanation of the account lockout threshold policy, I see that by having it set to zero, accounts
will never be disabled for failed log-in attempts.