Tag Archives: windows server 2016

Create and Manage Group Policy Objects (GPOs) Part 2 of 2

Microsoft Windows Server, , , ,

Group Policy

In this second post of two of basic Group Policy management, we discuss further topics involving these critical Windows management components.

Backup, Restore, Import and Copy Group Policy Objects (GPOs)

You can perform all backup and restore operations using the Group Policy Management console, or with Windows PowerShell cmdlets.

To backup all GPOs in your domain, open the Group Policy Management console and navigate to the Group Policy Objects node. Right-click the Group Policy Objects node, and then click Back Up All. You can also backup a specific object. To backup a specific GPO, in the Group Policy Objects node, click and then right-click the specific GPO you want to back up, and then click Back Up.

To restore a GPO, right-click the appropriate GPO in the Group Policy Objects node, and then click Restore from Backup.

You can also manage your backups from the Group Policy Management console. You can use the Manage Backups option to view the settings in a backup, to delete a backup, and to restore a backup. To access the Manage Backups tool, in the Group Policy Management console right-click the Group Policy Objects node, and then click Manage Backups. In the Manage Backups dialog box select the backup you want to manage, and then click Restore, Delete, or View Settings, as required.

Although you can link the same GPO to multiple containers, including domains, it is not always best to do this. Usually, it is better to import a GPO from another domain. The import process requires that you effectively restore the settings of another GPO into a newly created, empty GPO.

The process therefore starts with you creating a backup of the source GPO. To import the settings, in the Group Policy Management console on the target domain, create a new GPO in the Group Policy Objects node Right-click the new GPO, and then click Import Settings.

You can duplicate the settings in one GPO for reuse in another. An easy way to do this is to copy a GPO. In the Group Policy Management console, in the Group Policy Objects node, right-click the source GPO, and then click Copy. You can right click the Group Policy Objects node and choose Paste in order to duplicate the settings.

Create and Configure a Migration Table

There is a Migration Table Editor available inside the Group Policy Management tool that permits you to edit UNC and security principle references that might not apply to the domain where you are importing your Group Policy Object settings into. Simply reference this saved table of entries when you are following the Import Settings Wizard.

Reset Default GPOs

There is a simple tool called dcgpofix that you can use at the command prompt to reset the default GPOs back to their default settings. Remember, there is a Default Domain GPO and a Default Domain Controllers GPO. The tool features switches so that you can pic one or the other GPO to reset instead of resetting both.

Delegate Group Policy Management

Remember that you can delegate control over GPO tasks. This is done with the Delegation tab in the Group Policy Management tool, or you can delegate GPO tasks using the Active Directory Users and Computers tool.

Detect Health Issues

You can detect problems with your GPO infrastructure using the Group Policy Management console as well. This is done using the GPO Infrastructure Status page. To view the status, use the following procedure:

1. Select the domain object, and then click the Status tab.

2. To view the current status, click Detect Now.

3. Review the information in the details pane.

Create and Manage Group Policy Objects (GPOs) Part 1 of 2

Microsoft Windows Server, , ,

GPOs

GPOs Overview

Group Policy Objects (GPOs) are one of the most powerful components in a Windows Server 2016-based environment. Thanks to GPOs, you can easily manage:

  • Windows settings
  • Application settings
  • Software deployment
  • Folder redirection (user Home folders)
  • Security settings
  • Infrastructure settings such as wireless and networking

Local GPOs

While most environments leverage the power of Active Directory (AD) and assign GPOs through the AD infrastructure, you can use local GPOs to control computers and users that are not part of an AD. Keep in mind that if you apply local GPOs to a system that is part of an AD, the AD-based GPO settings will override the local settings.

There are multiple local GPOs you can use, including:

  • Local Group Policy – this is the “classic” local Group Policy Object that contains a user and computer node with setting for each
  • Administrators and Non-Administrators Local Group Policy – this GPO allows you to control local admins versus non admins; it only has a user node as you would expect
  • User Specific Local Group Policy – these GPOs allow you to configure user-specific settings

NOTE: If you apply all of these to a local system, the priority order is as listed. For example, a user-specific setting would override a local group policy setting.

To create these local GPOs, simply log in as a local administrator and use the mmc.exe syntax in the run menu. Add a Snap In for the Group Policy Object Editor and then Browse for the local computer or users options to create the above local GPO editors.

Linking AD GPOs

When we use GPOs in the Active Directory environment, we link them to specific AD objects in order to set their scope. These objects include:

  • Sites
  • Domains
  • Organizational Units (OUs)

You can link GPOs to these AD objects using GUI tools as well as PowerShell.

Manage Starter GPOs

It is possible to create a template that contains the most common settings for your enterprise and then use this GPO as a template for customize it for certain areas. This is called a Starter GPO. There is a Starter Node in the Group Policy Management console you can use for this purpose.