In this Ask the Admin, I’ll show you how to create a Group Policy Object (GPO) in Active Directory, and link it to a site, domain or Organizational Unit (OU).
Group Policy was introduced in Windows 2000 as part of Active Directory, replacing Windows NT System Policies. Group Policy is a powerful tool that can reduce total cost of ownership by helping IT to maintain standard configuration settings on servers and clients. Although PowerShell Desired State Configuration (DSC) may usurp Group Policy at some point in the future as the configuration tool of choice, for the time being Group Policy is a key tool for maintaining any AD domain.
Creating a New Group Policy Object
The Group Policy Management Console (GPMC) is present by default on domain controllers, or can be installed as part of the Remote Server Administration Tools (RSAT) on member servers or client devices. For more information on installing RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase.
Once you’ve established from which device you’re going to run GPMC, you’ll need to start GPMC, or log on with a user account that has permission to create new Group Policy Objects (GPOs). While it’s not a best practice, for the purposes of this article, I’ll log on to a Windows Server 2012 R2 domain controller (DC) using a domain administrator account.
- Whether using Windows 8.1 or Windows Server 2012 R2, switch to the Start screen, type group policy management and select Group Policy Management from the search results.
- If you need to start GPMC with alternate user credentials, make sure Group Policy Management is selected in the search results, press CTRL+SHIFT+ENTER and then enter a username and password.
- In the left pane of GPMC, expand your AD forest, Domains, and then the domain in which you want to create the new GPO if you have more than one to choose from.
- Under your domain, right click Group Policy Objects and select New from the menu.
- In the New GPO dialog, give the GPO a name and click OK.
- Expand the Group Policy Objects container in the left pane, right click your new GPO and select Edit from the menu.
The Group Policy Management Editor window will now open. In this example, I’m going to configure the KDC support for claims, compound authentication, and Kerberos armoring setting, which can be located at Computer Configuration > Policies > Administrative Templates > System > KDC, in the left pane of the editor window.
- In the left pane of the Group Policy Management Editor window, navigate to the location of the setting you want to change.
- Once you’ve found the location, double click the setting in the right pane, and then check Enabled in the dialog box.
- Sometimes there are additional options, and in this example I need to select Supported from the drop-down menu in the settings dialog box.
- Once you’re done, click OK and close the Group Policy Management Editor window.
Link a Group Policy Object
Now we have a GPO with a configured setting, let’s link it in the AD hierarchy. I want to apply the setting I’ve configured to all domain controllers in my domain.
- In GPMC, right click the Domain Controllers OU under Domains and select Link an Existing GPO… from the menu.
- In the Select GPO dialog under Group Policy Objects, select the GPO you want to link and click OK.
- Now click the Domain Controllers OU in the left pane.
In the right pane, you’ll see the new GPO listed. GPOs with a higher link order number, i.e. those that appear higher up the list, take priority over those with lower numbers. You can link GPOs to AD sites and domains in the same way that it’s possible to link them to OUs. The GPO settings will be applied to AD objects that fall in scope, i.e. in this example any computer accounts located in the Domain Controllers OU.