In this video from ITFreeTraining, I will look at the basics of how to create and link Group Policy Objects. Understanding the basics of Group Policy will greatly assist you as network and server administrators when you create and apply Group Policy Objects in your domain.
Group Policy Objects (GPO)
0:15 – When using Group Policy, you will come across the term Group Policy Object or GPO mentioned quite frequently. A GPO is essentially a single Group Policy. The GPO is stored within a container, Group Policy Objects. If you look within Group Policy Management, there is a container labeled Group Policy Objects. Within this container, you will see every Group Policy Object that has been created. A GPO will, however, not have any effect on the network until it is tied to an organizational unit (OU).
0:50 – Once a GPO has been created, it can be linked to many, one or zero OUs. It is important to understand how the linking of GPO policies works. Otherwise, your GPO may not have the intended effects or, if deleted, may remain on the system. To better look at Group Policy, we’ll open Group Policy Management. To do this, I will first open Server Manager and then under the Tools menu, select “Group Policy Management”.
1:20 – Once Group Policy Management has opened, expand down until the container “Group Policy Objects” is reached. In this container, you can see the two default Group Policies that are created during the creation of the domain. In order to create a new GPO, right click “Group Policy Objects” and then select the option “New”. For the new GPO, I will enter the name “New York Printer Policy”. With the name entered into the prompt, we’ll press OK to create the new GPO policy.
1:52 – Upon clicking OK, you’ll be brought back and you can see that the GPO has been created and is now being listed along with the others. Currently, the GPO will have no bearing on the domain as it needs to be linked to an organizational unit (OU) after creation. To link a GPO, it is quite simple to drag it to an OU. For example, I could drag “New York Printer Policy” to the OU “New York”. This would link the GPO to the OU. However, in this case I won’t link the GPO this way. To cancel the request, I’ll go ahead and move the mouse back and this will cancel the link being created.
2:30 – The only other way to link a GPO is to right click on the OU. In this case, New York, and select “Link an Existing GPO.” Once select, I can next select the GPO I want to link (In this case “New York Printer Policy”) and press O.K. Now that the GPO has been linked, notice that it now appears in the “New York” OU on the “Linked Group Policy Objects” tab.
2:57 – This method requires the administrator to create the GPO and then link, making it a 2-step process. However, the administrator can create and link a GPO in one step. To do this, right click the OU where you want to create the GPO, in this case I will right click the “New York” OU and then select the option “Create a GPO in this domain, and link it here”.
3:20 – For our example, I’ll call this GPO “New York Lock Down Policy”. Upon pressing OK, the GPO will be created and then linked to the selected OU, New York. In some cases, it might be desirable to apply this GPO to multiple OUs. For example, the policy enacted in New York was so successful that it was decided to implement it in LA. In order to accomplish this, it is a simple matter of right clicking the LA OU and selecting the option “Link an Existing GPO”.
3:52 – From the list of GPOs, we’ll select the GPO “New York Lock Down Policy”. The GPO is now linked, however, it does not well describe its purpose since it still says New York and is now being applied to LA. To correct this, we’ll right click the GPO and select the Rename option. To make the GPO name more descriptive, we’ll change the name to “Lock Down Policy”.
4:18 – If I select the container “Group Policy Objects”, you will notice that the name of the GPO has changed in this area. Group Policy Management has many functions and does a great job (when a change is made to a GPO name) and this change will be propagated throughout all of Group Policy Management.
4:34 – This is not always the case, however, when it comes to other functions within GPO. If we were to select the New York OU, I will right click the GPO “New York Printer Policy” and select Delete. You’ll see Windows prompt you to ensure that you want to delete the link. This is not the same as deleting the GPO, as this is just the link of the GPO to the specific OU. If I press OK, the GPO will disappear from the “Linked Group Policy Objects” tab. However, remember that this is only the link of the GPO to the OU.
5:05 – If I now select the container “Group Policy Objects”, notice that the GPO “New York Printer Policy” still exists. In our example, we know the GPO is not currently being linked to any other OUs. If it were linked to another OU, the GPO would still have applied to all the users and computers within that OU. It’s important to keep in mind that removing a link for a GPO does not remove the GPO itself and that other links might still exist to the GPO.
5:36 – To ensure that a GPO has been removed from the system, we’ll right click it and select the option Delete. Windows will prompt and ask whether you do in fact want to remove the GPO and any links to it. It’s worth noting that if there are links to the GPO in other domains, they will not be removed. The administrator has to manually go to these domains and remove those links. Once I press Yes, and then select OK, the GPO will be removed from Active Directory.
6:10 – In a few cases, the administrator may not be aware which OU a GPO is potentially linked to. If you need to know what OUs the GPOs are linked to, you right click the GPO and select the option “Save Report”. In our example, we’ll save the report to the desktop for ease of access. The report gives a lot of information about the specific GPO in particular. Notice the “Links” section, and you’ll see that there are currently links in existence for this GPO. In this case, the LA and New York OUs are linked with this GPO. If you were considering deleting this GPO, and are not sure what it is linked to, you’d run this report first to have a look at the Links section.
6:52 – This concludes our video on creating and linking GPOs in Active Directory. I hope you found this video useful, and for other videos, please feel free to check out our YouTube channel.