{"id":1745,"date":"2015-12-04T20:36:20","date_gmt":"2015-12-04T20:36:20","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=1745"},"modified":"2015-12-04T20:36:20","modified_gmt":"2015-12-04T20:36:20","slug":"how-to-create-and-link-a-group-policy-object-in-active-directory","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=1745","title":{"rendered":"How to Create and Link a Group Policy Object in Active Directory"},"content":{"rendered":"<p>I\u2019ll show you how to create a Group Policy Object (GPO) in Active Directory, and link it to a site, domain or Organizational Unit (OU).<\/p>\n<p>Group Policy was introduced in Windows 2000 as part of Active Directory, replacing Windows NT System Policies. Group Policy is a powerful tool that can reduce total cost of ownership by helping IT to maintain standard configuration settings on servers and clients. Although PowerShell <em>Desired State Configuration<\/em> (DSC) may usurp Group Policy at some point in the future as the configuration tool of choice, for the time being Group Policy is a key tool for maintaining any AD domain.<\/p>\n<h2>Creating a New Group Policy Object<\/h2>\n<p>The Group Policy Management Console (GPMC) is present by default on domain controllers, or can be installed as part of the Remote Server Administration Tools (RSAT) on member servers or client devices.<\/p>\n<p><a href=\"https:\/\/www.petri.com\/wp-content\/uploads\/2014\/12\/Figure15.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-58350 size-full\" src=\"https:\/\/www.petri.com\/wp-content\/uploads\/2014\/12\/Figure15.jpg\" alt=\"Create and Link a Group Policy Object in Active Directory\" width=\"823\" height=\"563\" \/><\/a><\/p>\n<p>Once you\u2019ve established from which device you\u2019re going to run GPMC, you\u2019ll need to start GPMC, or log on with a user account that has permission to create new Group Policy Objects (GPOs). 
While it\u2019s not a best practice, for the purposes of this article, I\u2019ll log on to a Windows Server 2012 R2 domain controller (DC) using a domain administrator account.<\/p>\n<ul>\n<li>Whether using Windows 8.1 or Windows Server 2012 R2, switch to the <em>Start<\/em> screen, type <strong><em>group policy management<\/em><\/strong> and select <strong>Group Policy Management<\/strong> from the search results.<\/li>\n<li>If you need to start GPMC with alternate user credentials, make sure <strong>Group Policy Management <\/strong>is selected in the search results, press <strong>CTRL+SHIFT+ENTER<\/strong> and then enter a username and password.<\/li>\n<li>In the left pane of GPMC, expand your AD forest, <em>Domains<\/em>, and then the domain in which you want to create the new GPO if you have more than one to choose from.<\/li>\n<li>Under your domain, right click <strong>Group Policy Objects<\/strong> and select <strong>New<\/strong> from the menu.<\/li>\n<li>In the <em>New GPO<\/em> dialog, give the GPO a name and click <strong>OK<\/strong>.<\/li>\n<li>Expand the <em>Group Policy Objects<\/em> container in the left pane, right click your new GPO and select <strong>Edit<\/strong> from the menu.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>The <em>Group Policy Management Editor<\/em> window will now open. 
In this example, I\u2019m going to configure the <em>KDC support for claims, compound authentication, and Kerberos armoring<\/em> setting, which can be located at <em>Computer Configuration<\/em> &gt; <em>Policies<\/em> &gt; <em>Administrative Templates<\/em> &gt; <em>System<\/em> &gt; <em>KDC<\/em>, in the left pane of the editor window.<\/p>\n<ul>\n<li>In the left pane of the <em>Group Policy Management Editor<\/em> window, navigate to the location of the setting you want to change.<\/li>\n<li>Once you\u2019ve found the location, double click the setting in the right pane, and then check <strong>Enabled<\/strong> in the dialog box.<\/li>\n<li>Sometimes there are additional options, and in this example I need to select <strong>Supported<\/strong> from the drop-down menu in the settings dialog box.<\/li>\n<li>Once you\u2019re done, click <strong>OK<\/strong> and close the <em>Group Policy Management Editor<\/em> window.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Link a Group Policy Object<\/h2>\n<p>Now that we have a GPO with a configured setting, let\u2019s link it in the AD hierarchy. I want to apply the setting I\u2019ve configured to all domain controllers in my domain.<\/p>\n<ul>\n<li>In GPMC, right click the <strong>Domain Controllers<\/strong> OU under <em>Domains<\/em> and select <strong>Link an Existing GPO\u2026<\/strong> from the menu.<\/li>\n<li>In the <em>Select GPO<\/em> dialog under <em>Group Policy Objects<\/em>, select the GPO you want to link and click <strong>OK<\/strong>.<\/li>\n<li>Now click the <strong>Domain Controllers<\/strong> OU in the left pane.<\/li>\n<\/ul>\n<p>In the right pane, you\u2019ll see the new GPO listed. GPOs with a higher link order number, i.e. those that appear higher up the list, take priority over those with lower numbers. You can link GPOs to AD sites and domains in the same way that it\u2019s possible to link them to OUs. The GPO settings will be applied to AD objects that fall in scope, i.e. 
in this example any computer accounts located in the <em>Domain Controllers<\/em> OU.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I\u2019ll show you how to create a Group Policy Object (GPO) in Active Directory, and link it to a site, domain or Organizational Unit (OU). Group Policy was introduced in Windows 2000 as part of Active Directory, replacing Windows NT System Policies. Group Policy is a powerful tool that can reduce total cost of ownership [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,55],"tags":[],"class_list":["post-1745","post","type-post","status-publish","format-standard","hentry","category-ad","category-gpo-group-policy"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1745"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1745\/revisions"}],"predecessor-version":[{"id":1746,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1745\/revisions\/1746"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1
745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}