In order to start using Group Policy, we first need to create a Group Policy Object. Most commonly referred to as a GPO, this object contains the settings that we want to deploy. It also contains the information necessary for domain-joined systems to know which machines and users get these settings and which ones do not. It is critical that you plan GPO assignment carefully. It is easy to create a policy that applies to every domain-joined system in your entire network but, depending on what settings you configure in that policy, this can be detrimental to some of your servers. Often I find that admins who are only somewhat familiar with Group Policy are making use of a built-in GPO called Default Domain Policy. This, by default, applies to everything in your network. Sometimes this is actually what you want to accomplish. Most of the time, it is not!
We are going to use this section to detail the process of creating a new GPO, and use some assignment sections called Links and Security Filters, which will give us complete control over which systems receive these settings, and more importantly, which do not.
Our work today will be accomplished from a Server 2016 domain controller server. If you are running the Domain Services role, you already have the items installed that are necessary to manage Group Policy.
Follow these steps to create and assign a new GPO:
Map Network Drives. We will end up using this GPO in a later recipe.
Our new GPO is now linked to the US Laptops OU, so at this level, any system placed inside that OU would get the settings if we hadn't pared it down a step further with the Security Filtering section. Since we populated this with only the name of our specific Sales Group, this new drive mapping policy will only apply to those users added into this group.
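The same create, link and filter procedure can be scripted with the GroupPolicy PowerShell module and followed by a scope check; this is an added example, not part of the original recipe. The OU distinguished name (`DC=example,DC=local`) and the GPO comment text are placeholder assumptions, while the GPO, OU and group names are the ones the recipe uses.

```powershell
# Added example; not part of the original recipe.
Import-Module GroupPolicy

$GpoName  = 'Map Network Drives'                  # GPO name used in the recipe
$Group    = 'Sales Group'                         # security group used in the recipe
$TargetOu = 'OU=US Laptops,DC=example,DC=local'   # placeholder DN (assumption)

# Create the GPO if it does not exist yet. It carries no settings at this point.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Scoped to Sales Group in US Laptops' | Out-Null
}

# Link: the GPO is only evaluated for objects under this OU.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security Filtering: downgrade Authenticated Users from Apply to Read, then
# grant Apply to the Sales Group only. Read is kept because, since the MS16-072
# update, user policy is retrieved in the computer's security context.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify the effective scope instead of trusting the console view.
$report   = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
$linkedTo = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })
$appliers = @(Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    ForEach-Object { $_.Trustee.Name })

"Linked to : $($linkedTo -join '; ')"
"Applies to: $($appliers -join '; ')"

# Flag anything wider than the intended scope (one link, one applying group).
$extra = $appliers | Where-Object { $_ -ne $Group }
if ($extra) { Write-Warning "Unexpected Apply rights: $($extra -join ', ')" }
if ($linkedTo.Count -ne 1) { Write-Warning "GPO has $($linkedTo.Count) links; expected 1" }
```

Run it from a domain controller or a host with the Group Policy management tools installed, using an account allowed to create and link GPOs.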
In our example recipe, we created a new Group Policy Object and took the necessary steps in order to restrict this GPO to the computers and users that we deemed necessary inside our domain. Each network is different, and you may find yourself relying only on the Links to keep GPOs sorted according to your needs, or you may need to enforce some combination of both Links and Security Filtering. In any case, whichever works best for you, make sure that you are confident in the configuration of these fields so that you can know beyond a shadow of a doubt where your GPO is being applied. You may have noticed that, in our recipe here, we didn't actually configure any settings inside the GPO, so at this point it still isn't doing anything to those in the Sales Group. Continue reading to navigate the actual settings portion of Group Policy.