Through the "Group Policy Management" console, you can create Group Policy Objects as well as Starter GPOs.
In this tutorial, we will create starter GPOs.
The advantage of Starter GPOs is that they can be exported and then imported on another domain controller, unlike normal GPOs.
By default, the "Starter GPOs" folder is not created, but all you have to do is select it and click on the "Create Starter GPOs Folder" button.
As you can see, by default, 2 starter GPOs are created automatically.
To create a new Starter GPO object, right-click and choose "New".
Provide a name for your Starter GPO.
The created object appears in the "Starter GPOs in [name of your domain]" list.
To edit it, right-click it and choose "Edit".
As you can see, when you edit a Starter GPO object, you only have access to the "Administrative Templates" part of the computer and user configurations.
For this example, we will enable the group policies that block access to removable disks (USB keys, etc.).
We have enabled 3 group policies.
As explained previously, the advantage of creating Starter GPOs is that you can export them and then import them into another Active Directory infrastructure.
To do this, select the Starter GPO you just created and click "Save as Cabinet".
Specify the name of the file under which this object will be exported.
As expected, we now have a CAB file that we can very easily import into another Active Directory infrastructure.
CAB files are compressed archives (like zip files, for example), so you can open them from Windows and see the files they contain.
To extract these files, select them inside the CAB file, right-click them and choose "Extract".
Select the folder where you want to unzip these files.
If you open these files with Notepad, you will see that the "cmtx" file is in XML format and contains the "Policies.RemovableStorageAccess" mention, which corresponds to the group policies enabled previously for access to removable disks.
The most interesting file is the "Report.html" file, because once opened, you will be able to see very easily which policies are enabled, as well as their values.
As for the "StarterGPO.tmplx" file, it is in XML format and contains information about the Starter GPO object itself.
Right now, our Starter GPO is created and policies are configured there, but this object is not tied to our computers or our users.
However, to use our GPO, we just need to create a new GPO in the "Group Policy Objects" folder.
Then, select the Starter GPO object created previously in the "Source GPO Starter Object" list.
Right-click your GPO object and choose "Edit".
As you can see, since this new GPO is based on our Starter GPO, the policies defined in the Starter GPO have already been configured here.
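The same last step can be scripted and checked before the GPO is linked anywhere. The PowerShell below is an added example, not part of the original tutorial: it creates a GPO from the Starter GPO with the GroupPolicy module and lists the Administrative Templates policies the new GPO inherited. Both object names are assumed placeholders, and the script must run on a machine where the Group Policy Management tools are installed.

```powershell
# Added example. The two names below are assumed placeholders: replace them
# with the Starter GPO you created and the GPO name you want.
Import-Module GroupPolicy

$starterName = 'Block removable disks (starter)'
$gpoName     = 'Block removable disks'

# Stop immediately if the Starter GPO does not exist in this domain.
Get-GPStarterGPO -Name $starterName -ErrorAction Stop | Out-Null

# Create the new GPO from the Starter GPO (it is not linked to anything yet).
$gpo = New-GPO -Name $gpoName -StarterGpoName $starterName -ErrorAction Stop

# Build the XML report in memory and collect each Administrative Templates
# policy with its scope (Computer or User) and its state.
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$policies = foreach ($node in $report.SelectNodes("//*[local-name()='Policy']")) {
    $name  = $node.SelectSingleNode("*[local-name()='Name']")
    $state = $node.SelectSingleNode("*[local-name()='State']")
    $scope = $node.SelectSingleNode("ancestor::*[local-name()='Computer' or local-name()='User']")
    if ($name -and $state) {
        [pscustomobject]@{
            Scope = if ($scope) { $scope.LocalName } else { 'Unknown' }
            Name  = $name.InnerText
            State = $state.InnerText
        }
    }
}

if (-not $policies) {
    Write-Warning "GPO '$gpoName' contains no Administrative Templates policy: check the Starter GPO."
} else {
    # Review this list before linking the GPO to an OU or to the domain.
    $policies | Sort-Object Scope, Name | Format-Table -AutoSize
}
```

The list should show the same policies that "Report.html" shows for the Starter GPO.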
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.