Welcome to a series of seven short posts that will lay out all aspects of the GPO aka Group Policy Object – Microsoft’s framework for automated configuration of the Windows operating system.
Read the full article here or skip to the previous or next article using the link at the bottom of this post.
How To Configure a GPO
To create, edit and delete GPO’s you’ll typically be using the Group Policy Management Console (GPMC). GPMC is available by default on domain controllers but it can also be installed on servers using the Install-WindowsFeature command. On clients you need to install RSAT to manage GPO’s via the GPMC tool.
When you open up the GPMC tool you’ll be able to see the OU structure of your domain which makes good sense: In order to apply a group policy you must link it with an OU. Once the GPO is linked it will start applying to the users and/or clients in the linked OU and any sub OU’s (see the next section for more details on this).
To create a new GPO right click the OU where you want to link it and select “Create a GPO in this domain, and Link it here…”:
This will create a new GPO object which you can then open up and configure with the desired settings:
Notice that this action will create two things: The GPO itself and the GPO link which ensures the GPO is applied to users and/or computers in the OU (and sub-OU’s). It makes a big difference if you delete the GPO link or the GPO itself so make sure you understand the difference!
A GPO can be linked to multiple OU’s and editing the GPO will affect all GPO links!
A GPO can also be linked to a site object. This feature is not used very often but may be useful when you want to configure devices according to their network location.
At the bottom section of the GPMC tool you’ll find an overview of all the GPO’s in the domain. This is the place to look for a specific GPO if you don’t really know where it’s linked: