31.05.2023

Active Directory group policies

Windows group policies are an integral part of Windows system administration. Let's look at examples of working with this tool on a VDS running an OS from the Windows Server family.

Why group policies are needed

In simple terms, Group Policy is an Active Directory tool for centrally managing the settings of servers and workstations joined to a domain. Group policies also make it easy to distribute software. The administrator defines the policies in one place and then applies them to the target user group.

Companies are usually divided into departments: human resources, accounting, legal, system administration. Suppose each department needs its own minimum set of software, and its workstations must be configured for specific needs and tasks. Group policies make it possible to create settings for specific user groups in the domain. Using Active Directory GPOs, an administrator can set up and manage standardized sets of settings specifically for accounting or human resources.

Setting up workstations (computers and users) is easier and more efficient because the settings are stored centrally and do not have to be duplicated on each PC.

GPO Components

Group policies have two components, client and server, which together form a “client-server” structure.

The server component is the Microsoft Management Console (MMC) snap-in used to configure group policy. MMC can be used to create policies and to control and manage administrative templates and security settings (software installation, scripts, etc.). The generic name for these “features” is an extension. Each extension can have child extensions, which allow adding new components, removing old ones, and updating them.

The client component receives and applies group policy settings. Client extensions are components running on the client OS that are responsible for interpreting and processing group policy objects.

To administer GPOs, use two MMC snap-ins: the Group Policy Management Console (GPMC) and the Group Policy Management Editor.

Active Directory GPO usage scenarios:

Group policy management snap-in

First, install the Active Directory Domain Services (AD DS) server role on the domain controller. After that, the Group Policy Management snap-in becomes available. To launch it, open the “Run” window (Windows + R) and enter the command:

gpmc.msc

Click “OK”.

The snap-in may fail to open if it has not been installed yet. To fix this:

  1. Open Server Manager and start the installation of roles and components.
  2. At the installation type stage, select the option “Installing roles and components”. Click “Next”.
  3. Since the installation is performed for the current server, click “Next”.
  4. Skip the installation of server roles by clicking “Next”.
  5. At the component selection stage, check the box “Group policy management”. Click “Next”.

Complete the installation of the components as usual.

Creating group policy objects

To add a new group policy object, follow this path on the left side: Forest → Domains → <Your Domain> → Group policy objects.

In the right part of the window, right-click an empty area. In the context menu that opens, select “Create”.

In the window that opens, enter the name of the new policy. Click “OK”.

The added object will appear in the general list.

Configure the created object

To configure the new object, right-click it. In the context menu, select “Change”.

The Group Policy Management Editor window opens. Let's do something “useful”: remove the folder with the standard games from the Start menu. To do this, in the menu on the left, follow the path User Configuration → Policies → Administrative Templates: Policy definitions (ADMX files) were received from the local computer → Start menu and taskbar.

In the right part of the window, find the option “Remove the link "Games" from the "Start" menu”. To make it easier to find, you can sort by name at the top of the window.

Right-click this parameter and select “Change”.

In the window that opens, change the state to “Enabled”. We recommend not leaving the comment field empty. To complete the setting, click “OK”.

The creation of the object can now be considered finished.

Search for objects

In enterprise environments, a large number of GPOs are usually created, so it helps to be able to find the one you need. The console has this functionality. To use it, right-click the forest in the left part of the window. In the menu that opens, select “Find ...”.

In the window that opens, select the domain in which to search. You can search all domains, but this can take a long time.

Let's try to find the object created earlier.

In the “Search element” field, select “Group policy object name” from the drop-down list. In the condition, leave the option “Contains”. In “Value”, specify the name of the previously created policy. This is why you should give policies clear names. Click the “Add” button.

The search criteria are now specified. Click the “Find” button and view the search results.

Deleting a group policy object

If the GPO is no longer needed, it is better to delete it. Right-click the created object and select “Delete” in the context menu. If you are sure of your decision, answer “Yes” to the confirmation prompt.
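
The same create, configure, search and delete cycle can be scripted with the GroupPolicy PowerShell module that is installed together with the console. This is an added example, not part of the original article; the policy name, the backup folder and the registry value behind the “Games” setting are assumptions. It goes one step further than the console walkthrough: before deleting, it checks whether the object is still linked anywhere and takes a backup.

```powershell
# Added example. $GpoName, $BackupDir and the registry value are assumptions.
Import-Module GroupPolicy

$GpoName   = 'Remove Games Link (example)'   # hypothetical policy name
$BackupDir = 'C:\GPO-Backups'                # hypothetical backup folder

# If gpmc.msc or the module is missing, install the feature first:
# Install-WindowsFeature -Name GPMC

# Create the object; -Comment documents its purpose and owner.
$gpo = New-GPO -Name $GpoName -Comment 'Hides the Games link in Start; owner: IT'

# Enable the setting. Assumption: the "Games" template writes this per-user
# value; confirm the key and value name in StartMenu.admx before relying on it.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoStartMenuMyGames' -Type DWord -Value 1 | Out-Null

# Search: equivalent of "Group policy object name" + "Contains" in the console.
Get-GPO -All |
    Where-Object { $_.DisplayName -like '*Games*' } |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime

# Delete only the object created above, and only if nothing depends on it.
$target = Get-GPO -Guid $gpo.Id
[xml]$report = Get-GPOReport -Guid $target.Id -ReportType Xml
$links = @($report.GPO.LinksTo | Where-Object { $_ })

if ($links.Count -gt 0) {
    # A linked GPO is still being applied somewhere; unlink it deliberately first.
    Write-Warning "$($target.DisplayName) is linked to: $($links.SOMPath -join ', ')"
}
else {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Backup-GPO -Guid $target.Id -Path $BackupDir -Comment 'Pre-delete backup' | Out-Null
    Remove-GPO -Guid $target.Id -Confirm   # prompts like the console's Yes/No dialog
}
```

Run it in an elevated session on a machine with the Group Policy Management feature, under an account that has rights to create and delete GPOs in the domain.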