Logo

Group Policy Components and Settings

In this video from ITFreeTraining I will look at the components of Group Policy as well as how to configure the setting in Group Policy. Group Policy is an incredibly powerful and useful tool that provides the administrator a lot of control over the computers and users in their organization.

<a class="wp-block-button__link"Download PDF handout
Show lesson content
Group Policy Nodes
0:17 –Group Policy is divided up into two parts or two nodes, the user node and the computer node. To have a look at Group Policy, Open Server Manager and from the tools select “Group Policy Management”. All the Group Policy is found under the container “Group Policy Objects”. When the domain is created, a Group Policy is called “Default Domain Policy” is created. To edit a group Policy, right click it and select the option edit.

 

Inside a Group Policy Object there are two nodes called “User Configuration” and “Computer Configuration”. Under the “User Configuration” there is a container called “Polices” and “Preferences”. Under the “Polices” container there is three sub-nodes called “Software Settings” and “Windows Settings” and “Administrative Templates”. “Preferences” was originally developed by a third party company before it was acquired by Microsoft. It is now part of Windows and maintained by Microsoft. If it had been originally developed by Microsoft, most likely it would be under Policies with the others.

 

Computer Configuration containers the same sub-nodes as User Configuration. The names of the subnodes may be the same, but the settings you can configure for users and computers are different from each other. This is because a lot of settings would not make sense applying them at the computer level when they are designed for users and likewise for user settings.

Software Settings
2:19 – The sub-node “Software Settings” is responsible for installing software. Software that has been installed using Group Policy can also be removed when it is no longer required. For example, if the user logged into a computer and needed some software, it could be installed when they log on and uninstalled when they log off. If Software Settings are configured under Computer Configuration, this software will be installed on the computer the Group Policy is applied to. The software is installed on this computer when the computer first starts up and before the user is able to log in. If Software Settings are configured under User Configuration, the software will be installed when the user logs into the computer.

Windows Settings
3:01 –The container “Windows Settings” contains a lot of the security settings for Windows. For example, user account policies and public key policies. It also contains scripts that run when the user logs in, logs off and when the computer starts or is shutdown. Windows Settings also contains settings for application restrictions and folder redirection, plus some other settings.

Administrative Templates
3:26 – The “Administrative Templates” sub-node contains thousands of settings. These are registry based settings which are very good at configuring the user experience. For example, you could remove the recycle bin from the desktop, remove and add start menu items or configure options in the Control Panel. There are a lot of different settings in Group Policy, but I will now have a look at one of the most common ones that you will end up dealing with.

Settings
3:55 – To do this, I will open Administrative Templates and then open the container Control Panel followed by Personalization. On the right hand side are all the Group Policy settings that can be configured in this container. I will select the setting “Prevent changing lock screen image”. In the middle, you can see which operating systems the Group Policy applies to. It is important to check this before configuring Group Policy. In this case, the Group Policy requires Windows 2012, Windows 8 or Windows RT. If this Group Policy is applied to an earlier operating system, the Group Policy settings would be simply ignored. Below this, there is help information about what the Group Policy setting does. It is important to read this information. Often a Group Policy setting will require other Group Policy settings to be configured. If these are not configured, the settings may not have any effect. If I select the option standard, notice that the help information is hidden. This is useful to know when you are attempting to find a Group Policy setting as it gives you more room to see settings. I will now double click the setting “Prevent changing lock screen image” in order to configure it. Notice at the top there is information about the operating system this setting is supported on. Below this is the help information. This is the same information that was on the previous screen. You will find that the Group Policy settings under Administrative Templates will have three options, Not Configured, Enabled and Disabled. The first option, Not Configured, is effectively ignored. If you configure a setting and no longer require it, select Not Configured. This will reverse the effect of configuring the setting in the first place. The next option, Enabled, will as it suggests, enable the setting. Effectively switching it on. The last option, Disabled, will switch the setting off. It is important to know when to use the three settings as they are quite commonly used in Administrative Templates. Let’s have a closer look at how they would be used.

Roll Back
6:12 – Group Policy supports roll back, so when you un-configure a setting or remove the Group Policy, it will roll back to its original setting. So if you have a Group Policy that that is set to enabled and you want to remove that setting, change the setting to Not Configured. The end result is the setting will not be configured and thus will be whatever the default setting is. In later videos, I will look at what happens when multiple Group Policies are applied in detail. In this example, there are two Group Policies. The first is Enabled and then Disabled. If the second Group Policy was changed to Not Configured, notice that the result is now changed to Enabled. This is because the first Group Policy is still being applied. It is important to remember that when changing Group Policy settings, simply changing the setting to Not Configured may not have the desired effect.

 

References
“Installing and Configuring Windows Server 2012 R2 Exam Ref 70-410” pages 323-324
 

Credits
Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Companion Document: Phillip Guld https://philguld.com
Video Production: Kevin Luttman http://www.KevinLuttman.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk

Lesson tags: 70-410-windows-server
Back to: 70-410 Installing and Configuring Windows Server 2012 > Group Policy

Installing and Configuring Windows Server 2012

Modules

DNS

Lessons