A Group Policy Object (GPO) is a collection of policy settings, security permissions or scopes of management that are linked to OUs, sites or entire domains. Group Policies can be easily created in the Group Policy Editor, which uses dropdown menus containing different categories of policies, separated into those that apply to users and those that apply to computers. In this post, I will go through the process of creating a GPO and applying it to an OU. I have chosen to create one that denies users access to the Control Panel; however, the process is the same for configuring other permissions.
Starting in Server Manager, I go to Tools > Group Policy Management.
Since I haven't created any GPOs for this domain, all I see are the default policies created with the domain & the domain controller.
To create a new GPO, I'll right-click on Group Policy Objects > select New.
The New GPO pop-up appears, allowing us to name the GPO & select a starter GPO if necessary.
After hitting OK, I'll return to the navigation panel & right-click on the newly created GPO > select Edit.
Here, in the Group Policy Management Editor (GPME), I can configure the GPO based on the policy settings provided. Windows groups policy settings into "User Configurations" (for user accounts) & "Computer Configurations" (for computer accounts). By selecting any of these policies and then selecting "edit policy setting", I can configure the policy setting to my liking. I will come back to the GPME in a moment to configure the GPOs I outlined in the overview, but first I want to explore linking GPOs to OUs.
GPOs are primarily applied to computer or user accounts by linking them to containers. However, only specific kinds of containers can be linked: sites, domains & OUs. The scope & precedence are very different when applying GPOs to each of these containers; the process differs only in which of the containers you right-click or drag the GPO onto inside the Group Policy Management Console (GPMC).
I have set up an OU called "_USERS". I will create a GPO to prevent users in this OU from accessing Control Panel.
In the Group Policy Management Console, I right-click on _USERS, select "Create a GPO in this domain, and Link it here", and name it "Disable Control Panel".
Then I right-click on the GPO inside Group Policy Objects & select Edit.
Now inside GPME I'll go to User Configuration > Policies > Administrative Templates > Control Panel.
Inside the details panel I'll select "Prohibit access to Control Panel and PC settings" > then select edit policy settings (to the left of it) > and in the pop-up menu select Enabled > Apply > OK.
Now in GPMC, when the _USERS OU is expanded, the new GPO can be seen. However, when I click on it, I notice the details panel shows that it is not being Enforced.
So I right-click on the GPO & switch it from Link Enabled to Enforced.
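
The same walkthrough can be scripted and then verified. The following is an added example, not part of the original post: it uses the GroupPolicy PowerShell module to create the GPO, set the registry value behind the Control Panel policy, link it to the OU and check the result. The domain DN `DC=example,DC=com`, the position of `_USERS` at the domain root and the GPO comment text are assumptions.

```powershell
# Added example: scripted equivalent of the GPMC/GPME steps in this post.
# Assumptions: the RSAT GroupPolicy module is installed, the session has rights
# to create and link GPOs, and _USERS sits at the root of example.com.
Import-Module GroupPolicy

$GpoName  = 'Disable Control Panel'
$TargetOu = 'OU=_USERS,DC=example,DC=com'   # placeholder DN, adjust to your domain
$PolKey   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks Control Panel and PC settings'
}

# Registry value behind "Prohibit access to Control Panel and PC settings".
# It is a User Configuration policy, so it is written under HKCU.
Set-GPRegistryValue -Name $GpoName -Key $PolKey `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU, or update the link if it is already there.
# Link Enabled and Enforced are separate flags on the link; set both explicitly.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if ($existing) {
    Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Verify what was actually stored instead of trusting the console view.
$link = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link -or -not $link.Enabled -or -not $link.Enforced) {
    throw "Link for '$GpoName' on $TargetOu is missing, disabled or not enforced."
}
$setting = Get-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'NoControlPanel'
if ($setting.Value -ne 1) {
    throw 'NoControlPanel is not set to 1 in the GPO.'
}

# Summary of the link state for the change record.
$link | Select-Object DisplayName, Enabled, Enforced, Order
```

An enforced link takes precedence over conflicting settings in GPOs linked lower in the hierarchy and is not stopped by Block Inheritance on child OUs.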