The first step is to make sure the Group Policy Management feature (GPMC) is installed. If it is not, install it from Server Manager: Manage -> Add Roles and Features -> Role-based or feature-based installation -> select the server -> Server Roles (select nothing) -> Features: Group Policy Management.
Open Group Policy Management: Server Manager -> Tools -> Group Policy Management.
- To target a policy at a specific set of computers or users, first create a new Organizational Unit (OU) in Active Directory Users and Computers:
- Right-click the domain -> New -> Organizational Unit -> name it DeptIT.
- Do the same inside the new DeptIT OU and create a child OU named Computers.
- Create another child OU named Users.
- Open the default Users and Computers containers (these are containers, not OUs, so a GPO cannot be linked to them) and move (Cut/Paste) the department's user and computer accounts into the matching new OUs. Move only the accounts that belong to the department; leave built-in accounts and groups (Administrator, krbtgt, Guest, Domain Admins and so on) where they are.
- After you have moved the users and computers, go back to Group Policy Management (refresh the view if needed).
- You will see the new OU DeptIT with its Users and Computers sub-OUs.
- To apply a GPO to all the computers in DeptIT, right-click the Computers OU and choose "Create a GPO in this domain, and Link it here...". To apply one to all the users in DeptIT, do the same on the Users OU.
- Choose a name for the GPO and click OK.
- The new GPO appears linked under the OU you selected, in this case under Computers. The GPO object itself lives in the domain's Group Policy Objects container; what you see under the OU is a link to it.
- Once the GPO exists you have to define its settings. Right-click the GPO name and select Edit.
- Edit opens a new window, the Group Policy Management Editor, where you define the settings of the GPO you selected. The editor has two main categories: Computer Configuration and User Configuration. Settings under Computer Configuration apply to the computer accounts in the linked OU regardless of who logs on, and settings under User Configuration apply to the user accounts in the linked OU regardless of which computer they log on to. Firewall rules, for example, belong under Computer Configuration.
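The OU and GPO steps above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original guide; it assumes you run it as a Domain Admin on a domain controller or a machine with RSAT, and the account names alice, bob, IT-WS01 and IT-WS02 are placeholders for the objects you actually want to move.

```powershell
# Added example (not from the original guide): scripted version of the OU / GPO steps.
# Assumed: run as Domain Admin with RSAT; alice, bob, IT-WS01, IT-WS02 are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$deptDN   = "OU=DeptIT,$domainDN"

# 1. Build the OU tree: DeptIT with Computers and Users underneath.
New-ADOrganizationalUnit -Name 'DeptIT'    -Path $domainDN
New-ADOrganizationalUnit -Name 'Computers' -Path $deptDN
New-ADOrganizationalUnit -Name 'Users'     -Path $deptDN

# 2. Move only the department's own accounts out of the default CN=Users / CN=Computers
#    containers. Built-in principals (Administrator, Guest, krbtgt, Domain Admins, ...)
#    stay where they are.
foreach ($u in 'alice', 'bob') {
    Get-ADUser -Identity $u | Move-ADObject -TargetPath "OU=Users,$deptDN"
}
foreach ($c in 'IT-WS01', 'IT-WS02') {
    Get-ADComputer -Identity $c | Move-ADObject -TargetPath "OU=Computers,$deptDN"
}

# 3. One GPO per OU, created and then linked (the GUI's
#    "Create a GPO in this domain, and Link it here..."). The comment shows up in the
#    GPO's Details tab; fill it in so the next admin knows what the GPO is for.
$compGpo = New-GPO -Name 'DeptIT-Computers' -Comment 'Firewall and machine hardening for IT workstations'
New-GPLink -Name $compGpo.DisplayName -Target "OU=Computers,$deptDN" -LinkEnabled Yes

$userGpo = New-GPO -Name 'DeptIT-Users' -Comment 'User-side settings for IT staff'
New-GPLink -Name $userGpo.DisplayName -Target "OU=Users,$deptDN" -LinkEnabled Yes

# 4. Check what is linked where. GpoLinks are the links on the OU itself.
foreach ($ou in "OU=Computers,$deptDN", "OU=Users,$deptDN") {
    $inh = Get-GPInheritance -Target $ou
    $links = $inh.GpoLinks | ForEach-Object { '{0} (order {1})' -f $_.DisplayName, $_.Order }
    '{0}: {1}' -f $ou, ($links -join ', ')
}
```

New-GPO creates an empty GPO; its settings are still defined in the editor (or with the Set-GPRegistryValue / NetSecurity cmdlets), exactly as in the Edit step above.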
- GPO precedence, from highest to lowest (policies are processed in the reverse order, Local -> Site -> Domain -> OU, so the last one written wins):
- GPO linked to the OU. Within one OU, when several GPOs are linked, precedence is decided by Link Order (change it with the Up/Down arrows on the left in the Linked Group Policy Objects tab).
- GPO linked to the Domain
- GPO linked to the Site
- Local GPO
- The link with the lowest Link Order value is processed last and therefore has the highest precedence: the GPO with Link Order 1 runs after the GPO with Link Order 2, so its Computer/User settings are the last ones written and win wherever the two conflict. Settings that only one of the GPOs configures are simply merged.
- Example: the GPO with Link Order 1 sets a maximum password age of 90 days and the GPO with Link Order 2 sets 30 days. After both are applied the result is 90 days, because Link Order 1 ran last and had the highest precedence. (Caveat for this particular setting: maximum password age and the other Account Policies for domain accounts are only read from GPOs linked at the domain level, normally the Default Domain Policy; linked to an OU, they only affect the local accounts on the computers in that OU. The link-order rule itself is the same for any setting.)
- Group Policy Inheritance follows the same precedence: an OU receives the links from its site, domain and parent OUs in addition to its own, and the GPO with the lowest Link Order number wins because it runs last. Change the order with the arrows on the left in the Linked Group Policy Objects tab (of the OU or the domain). If you do not want the OU to inherit from the domain, right-click the OU and choose Block Inheritance; the Group Policy Inheritance tab then shows and applies only the GPOs linked to that OU (plus any Enforced links, see below). Click Block Inheritance again to unblock it, and the inherited GPOs reappear in the Group Policy Inheritance tab. A blocked OU shows a blue "!" icon in front of its name.
- Any link (site, domain or OU) can be enforced: right-click the link -> Enforced. An enforced link takes precedence over every non-enforced link, and it still applies to child OUs that Block Inheritance. An enforced link shows a padlock icon in front of its name. The same holds for several GPOs within one OU: enforcing one of them gives it the highest precedence. If two enforced links conflict, the one linked higher up (domain over OU, for example) wins, the reverse of the normal rule; that is what makes Enforced the right tool for a domain-wide security baseline that delegated OU administrators must not be able to override with Block Inheritance.
- If nothing is blocked or enforced, the Group Policy Inheritance tab lists the GPO linked to the OU first (highest precedence) and the GPO linked to the domain after it (lower precedence). If you enforce the domain GPO, it moves above the OU GPO and takes the higher precedence.
- Now block inheritance on the OU and check the effect in the Group Policy Inheritance tab.
- Then enforce the GPOs linked at the domain and check the effect again.
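The precedence, Block Inheritance and Enforced steps above, done with the GroupPolicy module so the effective order can be printed after each change. This is an added example and not part of the original guide. It assumes the DeptIT OU tree from the earlier steps, that the placeholder GPOs DeptIT-PasswordRotation and DeptIT-Computers are already linked to the Computers OU, and that a placeholder GPO named Corp-Security-Baseline is linked at the domain.

```powershell
# Added example (not from the original guide). Assumed: DeptIT OU tree exists;
# DeptIT-PasswordRotation and DeptIT-Computers are linked to OU=Computers,OU=DeptIT;
# Corp-Security-Baseline is linked at the domain root. All three names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ou       = "OU=Computers,OU=DeptIT,$domainDN"

function Show-EffectiveGpoOrder {
    param([string]$Target)
    # InheritedGpoLinks is every link that applies to $Target (site, domain, parent OUs
    # and the OU itself), already sorted so that entry 1 is applied last and wins.
    $inh = Get-GPInheritance -Target $Target
    "== $Target  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        '{0,2}. {1,-28} linked at {2,-45} enforced={3}' -f $rank, $link.DisplayName, $link.Target, $link.Enforced
    }
}

# Link order inside the OU: order 1 is processed last and wins, so the GPO that must
# win goes to order 1 (the Up/Down arrows in the GUI do the same thing).
Set-GPLink -Name 'DeptIT-PasswordRotation' -Target $ou -Order 1
Set-GPLink -Name 'DeptIT-Computers'        -Target $ou -Order 2
Show-EffectiveGpoOrder -Target $ou

# Block Inheritance: the non-enforced domain link disappears from the list.
Set-GPInheritance -Target $ou -IsBlocked Yes
Show-EffectiveGpoOrder -Target $ou

# Enforce the domain-level baseline: it comes back at rank 1 although the OU still
# blocks inheritance. A delegated OU admin with Block Inheritance rights cannot opt out.
Set-GPLink -Name 'Corp-Security-Baseline' -Target $domainDN -Enforced Yes
Show-EffectiveGpoOrder -Target $ou

# Undo the two experiments (the link order is left as set above).
Set-GPInheritance -Target $ou -IsBlocked No
Set-GPLink -Name 'Corp-Security-Baseline' -Target $domainDN -Enforced No
```

Get-GPInheritance reports the same data as the Group Policy Inheritance tab in GPMC, so the three printouts correspond to the three screenshots you would take in the GUI: default, after Block Inheritance, and after Enforced.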
- Let's edit one of the policies: right-click its name and choose Edit.
- This policy contains Windows Firewall with Advanced Security rules; in the editor go to: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Defender Firewall with Advanced Security (named Windows Firewall with Advanced Security on older versions), expand the node of the same name underneath it and select Inbound Rules or Outbound Rules.
- Right-click (or double-click) a rule and choose Properties to view or change it.
- To disable or delete a rule, right-click it and choose Disable Rule or Delete.
- To create a new rule, right-click Inbound Rules or Outbound Rules and choose New Rule.
- After changing a policy, the clients have to pick it up. Domain members refresh Group Policy on their own (at startup/logon and then roughly every 90 minutes by default); to push it immediately, right-click the OU and choose "Group Policy Update". This creates a remote scheduled task on every computer in the OU that runs gpupdate /force, so the targets must allow remote scheduled task management through their firewall (GPMC ships a starter GPO, "Group Policy Remote Update Firewall Ports", for exactly that).
- To refresh on a client yourself, run in an elevated CMD: gpupdate (applies only the settings that changed since the last refresh) or gpupdate /force (reapplies every setting, changed or not).
- To see which GPOs were applied and which were filtered out: gpresult /r (run it elevated, otherwise the Computer Settings section is not shown); gpresult /h report.html writes the full RSoP report including the individual settings.
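The firewall rule editing, the push and the verification steps above, done from PowerShell with the NetSecurity and GroupPolicy modules. This is an added example, not part of the original guide. It assumes the placeholder GPO DeptIT-Computers is linked to OU=Computers,OU=DeptIT, that 10.10.10.0/24 is a placeholder admin subnet, and that the admin workstation running the script sits in that subnet (the final Invoke-Command goes over WinRM, which the rules below only allow from there).

```powershell
# Added example (not from the original guide). Assumed: GPO 'DeptIT-Computers' is linked
# to OU=Computers,OU=DeptIT; 10.10.10.0/24 is a placeholder admin subnet.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = Get-ADDomain
$gpoName = 'DeptIT-Computers'
$ou      = "OU=Computers,OU=DeptIT,$($domain.DistinguishedName)"

# Open the GPO's firewall store once; every rule edit goes into this session and is
# written back with a single Save-NetGPO (one GPO version bump instead of one per rule).
# PolicyStore syntax for a GPO is "<DNS domain>\<GPO display name>".
$gpo = Open-NetGPO -PolicyStore "$($domain.DNSRoot)\$gpoName"

# Domain profile: on, default inbound Block, and do NOT merge locally created rules,
# otherwise a local admin can re-open a port the GPO never allowed.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Allow RDP and WinRM inbound only from the admin subnet; everything else hits the
# default Block, so no explicit block rule is needed (a block rule would beat the allow).
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow RDP from admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress '10.10.10.0/24' `
    -Action Allow -Profile Domain -Enabled True
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow WinRM from admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -RemoteAddress '10.10.10.0/24' `
    -Action Allow -Profile Domain -Enabled True

Save-NetGPO -GPOSession $gpo

# Refresh every computer in the OU now. Invoke-GPUpdate schedules a remote task that runs
# gpupdate /force, which is what GPMC's "Group Policy Update" does under the hood.
$targets = @(Get-ADComputer -SearchBase $ou -SearchScope Subtree -Filter *)
foreach ($pc in $targets) {
    Invoke-GPUpdate -Computer $pc.DNSHostName -Target Computer -Force -RandomDelayInMinutes 0
}

# Verify: RSoP report for the first machine (same data as gpresult /h on the box itself).
Get-GPResultantSetOfPolicy -Computer $targets[0].DNSHostName -ReportType Html -Path "$env:TEMP\rsop.html"

# And the rules as they actually landed in that machine's active firewall policy.
Invoke-Command -ComputerName $targets[0].DNSHostName -ScriptBlock {
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.DisplayName -like 'Allow * from admin subnet' } |
        Select-Object DisplayName, Enabled, Direction, Action
}
```

The ActiveStore query is the useful check: it shows the merged result of the GPO and any local rules, so if a rule you did not put in the GPO shows up there, local rule merging is still on somewhere or another GPO with higher precedence is adding it.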