A Group Policy Object (GPO) is a set of configuration settings that can be applied to users and/or computers in an Active Directory environment. It is Microsoft's primary tool for enforcing a standardized configuration and security rules across an IT fleet.
Why use GPOs?
- Centralized management: Configure thousands of machines from a single console.
- Security: Apply consistent security policies (password complexity, firewall rules, software restrictions, etc.).
- Standardization: Make sure all workstations share the same baseline configuration (wallpaper, printers, shortcuts, etc.).
- Automation: Deploy software, logon scripts, or network drive mappings automatically.
Prerequisites
- A working Active Directory environment (at least one Domain Controller).
- Domain Administrator rights or an appropriate delegation of permissions.
- Client machines joined to the domain.
The basics of GPO management
Management is done through the "Group Policy Management Console" (GPMC), accessible from the Administrative Tools on a domain controller or, preferably, from a management workstation with the RSAT "Group Policy Management Tools" installed, so that day-to-day administration does not require interactive logons to domain controllers. The same module also provides the GroupPolicy PowerShell cmdlets (New-GPO, New-GPLink, Get-GPOReport, etc.) used for scripted management.
Structure and inheritance
GPOs can be linked at different levels of the Active Directory hierarchy:
- Domain: Applied to all users and computers in the domain.
- Organizational Unit (OU): Applied only to the objects contained in that OU and its sub-OUs. This is the most common and flexible method.
- Site: Based on the Active Directory site, i.e. network topology (less common). Note that a site-linked GPO applies to every computer in that site, whatever domain it belongs to.
Processing order is Local policy -> Site -> Domain -> OU (parent OU, then child OU), often abbreviated "LSDOU". Settings from all levels are merged; when two GPOs configure the same setting, the one processed last wins, so a GPO linked at a child OU overrides the same setting in a domain-level GPO. Two exceptions matter in practice: a link marked "Enforced" cannot be overridden by lower levels (and also passes through "Block Inheritance" set on an OU), and when several GPOs are linked at the same level they are processed according to their "Link Order", with link order 1 applied last and therefore taking precedence.
Create and link a GPO
Step 1: Create the GPO object
- Open the "Group Policy Management" console.
- Expand your forest and your domain.
- Right-click on "Group Policy Objects" and select "New".
- Give your GPO a meaningful name, for example "Security-Workstations".
Step 2: Link the GPO to an OU
- Navigate to the OU where you want to apply the policy (e.g. an OU containing your desktop computers).
- Right-click on the OU and select "Link an Existing GPO...".
- Choose the GPO you just created from the list.
Step 3: Edit the GPO
- In the console, under the OU, right-click on your new GPO and select "Edit...".
- The "Group Policy Management Editor" opens. This is where you configure the settings.
Computer Configuration vs User Configuration
- Computer Configuration: Applies to the computer, regardless of which user logs on. Settings are applied at machine startup and then during the periodic background refresh. E.g. software installation, firewall rules, audit policy.
- User Configuration: Applies to the user, regardless of which computer they log on to. Settings are applied at logon and then during the periodic background refresh. E.g. network drive mapping, wallpaper. If the same setting is configured in both halves of a GPO, the Computer Configuration value wins.
Example: Enforce a wallpaper
- In the GPO editor, go to: User Configuration -> Policies -> Administrative Templates -> Desktop -> Desktop.
- Double-click on the "Desktop Wallpaper" setting.
- Select "Enabled", specify the UNC path to an image on a network share readable by every targeted user (e.g. `\\server\share\wallpaper.jpg`), and choose a style (e.g. "Stretch"). The file is read from the share at each logon, so the share and NTFS permissions must grant Read to those users (e.g. "Authenticated Users"); otherwise the desktop simply stays black.
- Click OK.
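The three steps above, carried out from PowerShell instead of the GPMC GUI. This is an added example, not code from the original page; it assumes a domain corp.example, a target OU "OU=Workstations,DC=corp,DC=example" and the wallpaper at `\\server\share\wallpaper.jpg`, all of which you will need to adjust. The registry key and values written by the "Desktop Wallpaper" Administrative Template are taken from Desktop.admx (Wallpaper = path, WallpaperStyle = "2" for Stretch); verify them against the ADMX version in your central store.

```powershell
# Added example: create, link and configure the "Security-Workstations" GPO with the
# GroupPolicy module (RSAT). Names below are assumptions for this example.
Import-Module GroupPolicy

$GpoName   = "Security-Workstations"
$TargetOu  = "OU=Workstations,DC=corp,DC=example"      # assumed OU
$Wallpaper = "\\server\share\wallpaper.jpg"            # assumed share path

# Step 1: create the GPO object (it starts unlinked and empty). The comment is visible in GPMC.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Baseline settings for domain-joined workstations"
}

# Step 2: link it to the OU. New-GPLink throws if the link already exists, so check first.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Step 3: configure the "Desktop Wallpaper" policy. The template writes two values under the
# user-side Policies\System key (mapping from Desktop.admx; verify against your ADMX version).
$key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName "Wallpaper"      -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName "WallpaperStyle" -Type String -Value "2"        | Out-Null   # "2" = Stretch

# Read the settings back the way a reviewer would, and show the link order at the OU.
Get-GPRegistryValue -Name $GpoName -Key $key |
    Format-Table ValueName, Type, Value -AutoSize
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

Set-GPRegistryValue edits the registry.pol file in SYSVOL exactly as the editor would, so the setting shows up as "Desktop Wallpaper: Enabled" in the GPMC settings report; the read-back at the end is the quickest way to confirm that before clients pick it up.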
Application and troubleshooting
Force a GPO update
By default, workstations and member servers refresh GPOs every 90 minutes plus a random offset of up to 30 minutes (domain controllers refresh every 5 minutes). A plain gpupdate only reapplies GPOs whose version has changed; the /force switch reapplies every setting, which is what you want when testing. Some settings (software installation, folder redirection, some logon-time items) only take effect at the next startup or logon; gpupdate offers the /boot and /logoff switches to trigger those.
gpupdate /force
Check the applied GPOs
The gpresult tool is your best friend for troubleshooting. Run it from an elevated prompt, otherwise the Computer Configuration part of the report is missing; the target directory must already exist, and /f overwrites an existing report (gpresult /r gives a quick text summary instead).
# Generate a detailed HTML report of the GPOs applied to the current user and computer
gpresult /h C:\temp\gpo_report.html
Open this report in a browser to see exactly which GPOs were applied and which settings result from them. The "Denied GPOs" section lists GPOs that were considered but not applied, with the reason (security filtering, WMI filter, empty, disabled link), which is usually where a "my GPO does not apply" investigation ends.
By default, a GPO applies to all "Authenticated Users", which in Active Directory includes computer accounts. You can refine this with "Security Filtering" in the GPMC console to target only a specific security group (e.g. an "Accounting" or "Laptops" group): add the group with the "Apply group policy" right and remove that right from "Authenticated Users". Leave "Authenticated Users" (or at least "Domain Computers") with the Read right, though: since the MS16-072 security update (KB3163622), the computer account reads user-side GPOs during processing, and if it cannot read the GPO the user settings silently stop applying and gpresult reports the GPO as denied. Security filtering on a GPO applied to computers works on the computer account, so the filtering group must contain computer objects, not users.
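Security filtering and the verification described in the two sections above, done from PowerShell. This is an added example, not code from the original page; it assumes the GPO "Security-Workstations", a security group "Laptops" containing computer objects, a computer LAPTOP01 and a user corp\alice, all of which are placeholders to adjust.

```powershell
# Added example: restrict a GPO to a group with Set-GPPermission, then check the resulting
# ACL and a remote RSoP report. Names are assumptions for this example.
Import-Module GroupPolicy

$GpoName = "Security-Workstations"
$Group   = "Laptops"          # assumed group of computer objects

# 1. Give the target group the Apply right (GpoApply also implies Read).
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 2. Downgrade Authenticated Users from Apply to Read. -Replace is required to lower an existing
#    level. Do NOT set it to None: since MS16-072 (KB3163622) the computer account must be able to
#    read user-side GPOs, or user settings stop applying and gpresult shows "Denied (Security)".
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Verify the ACL: expect Laptops = GpoApply and Authenticated Users = GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize

# 4. Remote RSoP: the same data as gpresult /h, collected from the admin workstation.
#    Needs RPC/WMI access to the target, and the user must have logged on there at least once.
$report = Join-Path $env:TEMP "rsop_LAPTOP01.html"
Get-GPResultantSetOfPolicy -Computer "LAPTOP01" -User "corp\alice" -ReportType Html -Path $report
Write-Host "RSoP report written to $report; check its 'Denied GPOs' section for filtering results."
```

Step 2 is the one people get wrong: GPMC's "Security Filtering" pane hides the distinction between Read and Apply, so removing "Authenticated Users" there strips both rights and breaks user policy processing on every machine that is not a member of the filtering group.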
Be very careful when modifying the two GPOs created by default: "Default Domain Policy" and "Default Domain Controllers Policy". The "Default Domain Policy" should ideally only contain the domain account policies (password policy, account lockout policy and Kerberos policy), which are only effective when set at the domain level; the "Default Domain Controllers Policy" holds the user rights assignments and audit settings for domain controllers. Everything else belongs in dedicated, purpose-named GPOs, so that the defaults stay small and easy to review, and both should be backed up (Backup-GPO) before any change. Remember that the right to edit a GPO is equivalent to control over every computer and user it applies to: an account that can edit a GPO linked to the Domain Controllers OU is effectively a domain administrator, so GPO edit and link delegations must be audited with the same rigour as membership of the privileged groups.
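A check that follows from the warning above: list every trustee holding edit rights on any GPO, flagging the two default GPOs. This is an added example, not code from the original page; the list of expected trustees is an assumption (in a child domain or with a documented delegation model it will differ) and should be replaced with your own.

```powershell
# Added example: audit GPO edit rights across the domain. The expected-trustee list is an
# assumption for this example; everything else found is reported for review.
Import-Module GroupPolicy

$Expected = @("Domain Admins", "Enterprise Admins", "SYSTEM")            # assumed, adjust
$Defaults = @("Default Domain Policy", "Default Domain Controllers Policy")
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')   # GpoCustom may hide write ACEs

$findings = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in $EditLevels -and -not $_.Denied } |
        Where-Object { $_.Trustee.Name -notin $Expected } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                IsDefault  = ($gpo.DisplayName -in $Defaults)
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
                Modified   = $gpo.ModificationTime
            }
        }
}

# Default GPOs first; an unexpected editor there is the most urgent finding.
$findings | Sort-Object IsDefault, Modified -Descending | Format-Table -AutoSize
```

Pair the output with Get-GPInheritance on the Domain Controllers OU and on OUs holding privileged users: an unexpected editor on a GPO linked there is a privilege-escalation path, whereas the same editor on a GPO linked only to a kiosk OU is a lower-severity delegation issue.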
Conclusion
GPOs are the backbone of managing a Windows fleet in the enterprise. Mastering them is a fundamental skill for any system administrator. By structuring your Organizational Units correctly and creating modular, well-documented GPOs, you can manage a complex environment efficiently, consistently and securely.