
In this Ask the Admin, I’ll show you how to create a Group Policy Object (GPO) in Active Directory, and link it to a site, domain or Organizational Unit (OU).
Group Policy was introduced in Windows 2000 as part of Active Directory, replacing Windows NT System Policies. Group Policy is a powerful tool that can reduce total cost of ownership by helping IT to maintain standard configuration settings on servers and clients. Although PowerShell Desired State Configuration (DSC) may usurp Group Policy at some point in the future as the configuration tool of choice, for the time being Group Policy is a key tool for maintaining any AD domain.
The Group Policy Management Console (GPMC) is present by default on domain controllers, or can be installed as part of the Remote Server Administration Tools (RSAT) on member servers or client devices. For more information on installing RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase.
Once you’ve established which device you’re going to run GPMC from, you’ll need to start GPMC as, or log on with, a user account that has permission to create new Group Policy Objects (GPOs). While it’s not a best practice, for the purposes of this article, I’ll log on to a Windows Server 2012 R2 domain controller (DC) using a domain administrator account.
The Group Policy Management Editor window will now open. In this example, I’m going to configure the KDC support for claims, compound authentication, and Kerberos armoring setting, which can be located at Computer Configuration > Policies > Administrative Templates > System > KDC, in the left pane of the editor window.
Now that we have a GPO with a configured setting, let’s link it in the AD hierarchy. I want to apply the setting I’ve configured to all domain controllers in my domain.
In the right pane, you’ll see the new GPO listed. GPOs that appear higher up the list, i.e. those whose link order is closer to 1, take priority over those further down. You can link GPOs to AD sites and domains in the same way that it’s possible to link them to OUs. The GPO settings will be applied to AD objects that fall in scope, i.e. in this example any computer accounts located in the Domain Controllers OU.
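The same create, configure and link procedure can be scripted with the GroupPolicy PowerShell module; the following is an added example, not part of the original article. The GPO name is hypothetical, and the registry key and value names behind the KDC setting are assumptions taken from the kdc.admx template that you should verify against your own template before use.

```powershell
# Added example: needs the GroupPolicy and ActiveDirectory modules (RSAT or a DC).
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'DC Kerberos Armoring'   # hypothetical GPO name
$domainDn = (Get-ADDomain).DistinguishedName
$targetOu = "OU=Domain Controllers,$domainDn"

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName `
        -Comment 'KDC support for claims, compound authentication and Kerberos armoring'
}

# Registry-backed values for the KDC setting (assumed from kdc.admx, verify first).
# CbacAndArmorLevel 1 corresponds to the "Supported" option.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name $gpoName -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null

# Link the GPO to the Domain Controllers OU unless a link is already present.
$som = Get-GPInheritance -Target $targetOu
if ($som.GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Show the links on the OU in precedence order (Order 1 is applied with highest priority).
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# A GPO linked to domain controllers is as sensitive as the DCs themselves:
# list every trustee and flag those that can change its settings.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -match 'Edit' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

Run it from an elevated session with an account that can create GPOs and link them to the target OU; the final table should list only the administrative groups you expect to have edit rights.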
More from Russell Smith
Copyright ©2019 BWW Media Group