  • 16 July 2021 at 07:57 UTC
  • InformatiWeb

Manage Group Policies (GPO) in an Active Directory infrastructure on Windows Server 2016

When deploying Windows Server machines and Windows client PCs in an enterprise, it's very common to use Group Policy (GPO) to manage the configuration and security of all your servers and client PCs.
To do this, you must first deploy an Active Directory infrastructure (using Active Directory Domain Services) and then join your servers and client PCs to your Active Directory domain.

  1. Benefits of group policies
  2. Possible binding
  3. Applying and updating Group Policy (GPO)
  4. Linking Group Policy Objects (GPOs)
  5. Create a new Group Policy Object (GPO)
  6. Applying Group Policies and GPO properties
  7. Link a GPO object
  8. Update client PC Group Policies
  9. Display the policies applied on the client PC (RSOP)

1. Benefits of group policies

Group policies (GPO) allow you to:

  • manage the configuration and security of your various servers on Windows Server
  • manage the configuration and security of your Windows client PCs using policies targeting the computer and others targeting the user
  • manage the configuration and security of virtual desktops in a VDI infrastructure
  • manage the configuration of the various Windows components, such as: RDS services, Windows Defender, Windows Store, Windows Update, ...
  • deploy applications using packages in msi format (which is the format used by Windows Installer)
  • use roaming profiles and manage folder redirection so that a user can access their documents from any client PC, in a computer room for example
  • and more

2. Possible binding

Although you can configure group policies from your Active Directory infrastructure (which is highly recommended in an enterprise), you can also configure some policies locally on a client PC with the "Local Security Policy" (secpol.msc) or "Local Group Policy Editor" (gpedit.msc) program.
In addition, the Group Policy Objects (GPO) that you create on your Active Directory infrastructure can be linked to an Active Directory site, a domain, ...

It's therefore important to know in which order the policies are applied:

  1. policies defined locally on the client PC
  2. policies defined in a GPO linked to an Active Directory site
  3. policies defined in a GPO linked to an Active Directory domain
  4. policies defined in GPOs linked to Active Directory organizational units. If you have multiple organizational units nested within each other, the policies of the child OU take precedence over those of the parent.

The 1st element of the list above is therefore the lowest priority and the last element of the list is the highest priority.

Important: this order is the default one, and it can be altered if you use, for example, the "Enforced" option on one of your GPO links.
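The default order and the effect of "Enforced", as an added example that is not part of the original tutorial: a small PowerShell model that resolves one conflicting setting across the four levels. The GPO names, the sample values and the Resolve-GpoSetting function are constructed for illustration; the model assumes that enforced links are processed after all the others and that, among several enforced links, the one highest in the hierarchy wins.

```powershell
# Added illustration: a model of the processing order, not a query against a real domain.
# Every GPO name and value below is constructed sample data
# (Value stands for a hypothetical screen lock timeout in seconds).
function Resolve-GpoSetting {
    param([Parameter(Mandatory)] [object[]] $Links)

    $rank = @{ Local = 1; Site = 2; Domain = 3; OU = 4 }
    # Sort key: level first, then OU nesting depth (parent OU = 1, child OU = 2).
    $key = { $rank[$_.Level] * 100 + $_.Depth }

    # Non-enforced links are applied from lowest to highest priority; the last write wins.
    $normal = @($Links | Where-Object { -not $_.Enforced } | Sort-Object $key)
    # Enforced links are applied after all the others, in reverse order, so the
    # enforced link highest in the hierarchy is written last and cannot be overridden.
    $enforced = @($Links | Where-Object { $_.Enforced } | Sort-Object $key -Descending)

    $applied = $normal + $enforced
    [pscustomobject]@{
        ApplyOrder = $applied.Gpo -join ' -> '
        Winner     = $applied[-1].Gpo
        Value      = $applied[-1].Value
    }
}

$links = @(
    [pscustomobject]@{ Gpo = 'Local policy';  Level = 'Local';  Depth = 0; Enforced = $false; Value = 300 }
    [pscustomobject]@{ Gpo = 'Site GPO';      Level = 'Site';   Depth = 0; Enforced = $false; Value = 600 }
    [pscustomobject]@{ Gpo = 'Domain GPO';    Level = 'Domain'; Depth = 0; Enforced = $false; Value = 900 }
    [pscustomobject]@{ Gpo = 'Parent OU GPO'; Level = 'OU';     Depth = 1; Enforced = $false; Value = 1200 }
    [pscustomobject]@{ Gpo = 'Child OU GPO';  Level = 'OU';     Depth = 2; Enforced = $false; Value = 1800 }
)

# Default order: no link is enforced.
Resolve-GpoSetting -Links $links

# Same links, with the domain link switched to "Enforced".
$links[2].Enforced = $true
Resolve-GpoSetting -Links $links
```

Comparing the two results shows why an unexpected "Enforced" link is worth looking for when a setting defined on an OU does not take effect.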

3. Applying and updating Group Policy (GPO)

Group policies are applied and then updated on a regular basis.

  • Computer policies are applied when the computer starts and are then updated regularly (the interval between 2 updates is 90 minutes plus a random offset between 0 and 30 minutes).
  • User policies are applied when the user's session is opened and are then updated regularly (at the same interval as the computer policies).

In both cases, you can force the update of the computer and user group policies using the commands: gpupdate and Invoke-GPUpdate.

Batch

gpupdate

PowerShell

Invoke-GPUpdate

Important: on a domain controller, the delay between 2 updates of the group policies is different: the group policies are updated every 5 minutes (and there is no additional random offset).

4. Linking Group Policy Objects (GPOs)

To manage existing Group Policies (GPOs) or create new ones, open the "Group Policy Management" console on a domain controller.
You can also install this console on a client PC, if you wish, using the Remote Server Administration Tools (RSAT).

As you can see in this "Group Policy Management" console, by default there are 2 GPOs:

  • Default Domain Controllers Policy: the policies configured in this GPO apply only to Active Directory domain controllers in the affected domain. In our case: domain controllers located in the "informatiweb.lan" domain.
  • Default Domain Policy: these policies apply to all computers and servers located in your Active Directory domain.

You can also see that only one folder is displayed to which other policy objects could be linked. This is the "Domain Controllers" folder.

In fact, for a "folder" to appear in your Active Directory and in the Group Policy Management Console, it must be an organizational unit (OU) and not a container (CN).
For this tutorial, we opened the "Active Directory Users and Computers" console and created a new "RH_Computers" organizational unit.

As you can see, the "Domain Controllers" and "RH_Computers" folders, which are organizational units, have a slightly different icon from the other folders, which are containers (CNs).

5. Create a new Group Policy Object (GPO)

To create a new Group Policy Object, select the "Group Policy Objects" folder, then right-click in the list on the right and choose "New".

Provide a name for this GPO.

Once the GPO is created, right-click "Edit" on it.

As you can see, Active Directory allows you to manage computer configuration, but also user configuration through policies and preferences.
Thanks to the many settings and policies available in these sub-folders, you will be able to configure many settings on the servers and client PCs.

In addition, you will also be able to download administrative templates in ADMX format from the Internet and use them here to configure, for example, Microsoft Office settings via group policies.
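The console steps from sections 4 and 5, performed from PowerShell, as an added example that is not part of the original tutorial. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed and that the account has rights to create OUs and GPOs; the domain and OU names come from the tutorial, while the GPO name is a hypothetical placeholder.

```powershell
# Added example: create the OU and the GPO, link them, then review the result.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=informatiweb,DC=lan'      # domain used in this tutorial
$ouName   = 'RH_Computers'                # OU created in section 4
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Example - RH computers'      # hypothetical GPO name, not from the tutorial

# A GPO can be linked to an organizational unit (OU) but not to a container (CN),
# so make sure the target really is an OU and create it if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Equivalent of "Group Policy Objects" > "New": the GPO exists but is linked to nothing.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Created by an example script'
}

# Link the GPO to the OU unless a link is already present.
$existing = (Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName
if ($gpoName -notin $existing) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Review what applies to the OU: the list is sorted by precedence (Order 1 wins),
# and the Enforced column shows links that override the default order.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Running the last command again after any change to links gives a quick record of which GPOs apply to the OU and which of them are enforced.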

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
