Windows Server Administration Course - I (ITCSTC Restricted)

This document provides an overview of group policy in Windows Server. It discusses group policy objects (GPOs), how they are associated with Active Directory containers and processed in order of local, site, domain, and organizational unit. The document also describes how to create and link GPOs, and covers group policy settings including software settings, windows settings, and administrative templates. It explains how to block inheritance and enforce policies, and discusses the default domain policy and its account policy settings like password policy.

Uploaded by Nyo Zin

Windows Server Administration Course - I

Table of Contents
CHAPTER 5 Group Policy ..... 2
5.1 Group Policy Object ..... 2
5.2 Group Policy ..... 2
5.3 Group Policy Block Inheritance and Enforcement ..... 3
5.4 Default Domain Policy ..... 4
5.4.1 Account Policies ..... 4
5.5 Group Policy Settings ..... 11

ITCSTC Page 1
Restricted

CHAPTER 5
Group Policy
This chapter covers the following topics:
• Group Policy Object
• Group Policy
• Group Policy Enforcement and Inheritance
• How to create Group Policy Object and link to OU

5.1 Group Policy Object


GPO stands for Group Policy Object: a collection of Group Policy settings defined for a
specific scope. A GPO is linked to selected Active Directory containers, such as sites,
domains, or organizational units (OUs).
Group Policy Objects are processed in the following order:
1. Local - Every Windows operating system has a local Group Policy by default, and it is
applied first.
2. Site - If a GPO is linked at the site level, its settings apply to the computers and
user accounts within the site.
3. Domain - If a GPO is linked at the domain level, its settings apply to the users and
computers within the domain, including all OUs and sub-OUs.
4. Organizational Unit - If a GPO is linked at the OU level, its settings apply to the
users or computers within the OU, including sub-OUs.
When someone logs on to a domain computer, that machine checks in with a domain
controller and downloads any recent Group Policy changes, so it receives the latest GPOs
from the server. Group Policy is refreshed automatically every 90 minutes. Users can
refresh it manually with the gpupdate /force command from a command prompt on the
server or client computer.

5.2 Group Policy


Group Policy is a feature of the Microsoft Windows NT family. Group Policy allows
you to centralize the management of computers in an Active Directory network without
having to physically go to and configure each computer individually. The settings are
maintained by a domain controller, and individual users or computers cannot override them.
Group Policy settings can be applied to domain computers, users, or both. They are
divided into two parts: Computer Configuration and User Configuration. Computer
settings are applied when the system starts, and user settings are applied when the user logs in
to the computer. Both configurations have policies and preferences. Policies are divided into
Software Settings, Windows Settings and Administrative Templates.
Software Settings let the administrator deploy software to users or computers.
Software Settings contain software-specific group policies; this node is empty by default.
Windows Settings contain local security settings. They can be applied to users or
computers to modify the Windows environment through the GPO: for example, password
policy, firewall policy, account lockout policy, scripts, and so on.
Administrative Templates control how the local computer behaves in many ways,
for example specifying the desktop wallpaper or disabling access to non-essential areas of the
computer such as the Network desktop icon or Control Panel.
Preferences let the administrator deploy a desired configuration to computers and
users without preventing the user from choosing a different configuration. Preferences are a
Group Policy extension used to map network resources such as network drives and printers,
to configure Internet options, and so on.
Group Policies are stored in Active Directory and are configured using the
Group Policy Management Console (GPMC). Group Policy settings have three states:
Enabled, Disabled and Not Configured.

5.3 Group Policy Block Inheritance and Enforcement


By default, Group Policy settings linked to parent objects are inherited by the child
objects in the Active Directory hierarchy; likewise, domain policy settings are inherited by
all child objects of the domain hierarchy. If administrators need to stop this inheritance, they
can block the inherited GPO settings. As shown in the figure below, to block GPO
inheritance, right-click the OU container and select the Block Inheritance option from the list.

Group Policy Enforcement prevents a GPO from being overridden by other GPOs.
An enforced GPO cannot be blocked even if the administrator applies Block Inheritance.


When GPO settings applied to an OU conflict, the settings of GPOs linked at the
higher (parent) level are overwritten by settings in GPOs linked to child organizational
units. The administrator can prevent this override by using Enforcement. In previous
Windows Server versions, the Enforced option was called No Override. To enable it,
right-click on the particular GPO link and click the Enforced option.
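The processing order described in 5.1 and the Block Inheritance and Enforced operations above, performed with the GroupPolicy PowerShell module instead of the console. This is an added example, not part of the course; it assumes a domain named corp.example and an OU named Student OU (the OU name is taken from section 5.5), and it needs RSAT on a domain controller or management host.

```powershell
# Added example (not from the course): audits and adjusts GPO precedence for
# one OU with the GroupPolicy RSAT module. Assumes domain "corp.example"
# and OU "Student OU" directly under it.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'
$ouDn     = "OU=Student OU,$domainDn"

# 1. Show the GPOs the OU receives, in the order they are applied.
#    GpoLinks are the container's own links; InheritedGpoLinks is the full
#    set that reaches it from site, domain and parent OUs (the L-S-D-OU order).
$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize

# 2. Block inheritance on the OU (what right-click > Block Inheritance does).
#    Afterwards only GPOs linked directly to the OU, plus enforced GPOs from
#    higher levels, still apply to it.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. Enforce the domain-level link of Default Domain Policy so its settings
#    can neither be blocked nor overridden by child OUs. Enforced is the
#    option earlier Windows Server versions called No Override.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDn -Enforced Yes | Out-Null

# 4. Re-read the inheritance to confirm the enforced GPO survives the block
#    alongside the OU's own links.
$after = Get-GPInheritance -Target $ouDn
$after.InheritedGpoLinks |
    Where-Object { $_.Enforced -or $_.Target -eq $ouDn } |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize

# 5. On a client in the OU, pull the result without waiting for the 90-minute
#    refresh, then inspect which GPOs actually applied:
#    gpupdate /force
#    gpresult /r
```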

5.4 Default Domain Policy


Domain-based Group Policy Objects are far more common in organizations, partly
because setting up a new domain creates a "Default Domain Policy" at the root of that domain.
This policy contains a few default settings, such as a password policy for your users, and most
organizations change them. Some organizations also modify this default policy to add their
own settings. Two GPOs are created by default when an administrator creates a domain:
the Default Domain Policy and the Default Domain Controllers Policy. The Default Domain
Policy is applied by default to all machines and users in the domain. The Default Domain
Controllers Policy is applied by default to the Domain Controllers OU, into which all domain
controllers are placed by default. The Group Policy templates themselves are stored in the
SYSVOL share of Active Directory.

5.4.1 Account Policies


An account policy in an Active Directory environment has three parts:
Password Policy, Account Lockout Policy and Kerberos Policy.
Account policies are configured in the Default Domain Policy so that they take effect for
all domain users. This policy can be configured by the following steps.


1. Go to Server Manager > Tools > Group Policy Management > Group Policy
Objects under the Domain > right-click on Default Domain Policy > Edit.

2. Under Computer Configuration, go to Policies > Windows Settings > Security Settings.

a. Password Policy
A password policy is a set of rules designed to enhance computer security by
encouraging users to employ strong passwords and use them properly. These passwords help
prevent the compromise of user accounts and administrative accounts by unauthorized users
who use manual methods or automated tools to guess weak passwords.
To add a password policy, click Account Policies > Password Policy.

1. Enforce password history


This security setting determines the number of unique new passwords that must be
associated with a user account before an old password can be reused. The value must be
between 0 and 24 passwords.
This policy lets administrators improve security by ensuring that old passwords
are not reused continually. Default: 24 on domain controllers, 0 on stand-alone servers.
To keep password history effective, also enable the Minimum password age security
policy setting, so that users cannot change their password again immediately after a
change. For information about the minimum password age security policy setting, see
Minimum password age later in this chapter.
To configure it, double-click on Enforce password history > click Define this policy
setting > set the password history (10) > Apply > OK.

2. Maximum password age


This security setting determines the period of time (in days) that a password can be used
before the system requires the user to change it. You can set passwords to expire after a number
of days between 1 and 999, or you can specify that passwords never expire by setting the
number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum
password age must be less than the maximum password age. If the maximum password age is
set to 0, the minimum password age can be any value between 0 and 998 days. A security best
practice is to have passwords expire every 30 to 90 days, depending on your environment. This
way, an attacker has a limited amount of time in which to crack a user's password and have
access to your network resources. Default: 42.
To configure it, double-click on Maximum password age > click Define this policy
setting > set the expiry in days (30) > Apply > OK.


3. Minimum password age


This security setting determines the period of time (in days) that a password must be
used before the user can change it. You can set a value between 1 and 998 days, or you can
allow changes immediately by setting the number of days to 0. The minimum password age
must be less than the Maximum password age, unless the maximum password age is set to 0,
indicating that passwords will never expire. If the maximum password age is set to 0, the
minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password
history to be effective. Without a minimum password age, users can cycle through passwords
repeatedly until they get to an old favorite. The default setting does not follow this
recommendation, so that an administrator can specify a password for a user and then require
the user to change the administrator-defined password when the user logs on. If the password
history is set to 0, the user does not have to choose a new password. For this reason, Enforce
password history is set to 1 by default.
To configure it, double-click on Minimum password age > click Define this policy
setting > set the minimum age in days (7) > Apply > OK.

4. Minimum password length


This security setting determines the least number of characters that a password for a
user account may contain. You can set a value between 1 and 14 characters, or you can
establish that no password is required by setting the number of characters to 0. The default
settings are 7 on domain controllers and 0 on stand-alone servers. By default, member
computers follow the configuration of their domain controllers.
To configure the minimum password length, double-click on minimum password
length > click Define this policy setting > set minimum password length (8) > Apply > OK.

5. Password must meet complexity requirements


This security setting determines whether passwords must meet complexity
requirements. The requirements are enforced when passwords are changed or
created. If this policy is enabled, passwords must meet the following minimum
requirements:
• Not contain the user's account name or parts of the user's full name that exceed
two consecutive characters
• Contain characters from three of the following four categories:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base 10 digits (0 through 9)
o Non-alphabetic characters (for example, !, $, #, %)
By default, member computers follow the configuration of their domain controllers.
Default: Enabled on domain controllers, Disabled on stand-alone servers.
To configure this setting, double-click on Password must meet complexity
requirements > click Define this policy setting > Enabled > Apply > OK.


b. Account Lockout Policies


Account lockout policy disables a user account if incorrect passwords are entered a
specified number of times within a specified period. These settings help prevent
attackers from guessing users' passwords and reduce the chance of a successful attack on
the network.
To configure the account lockout policy, click Account Policies > Account Lockout
Policy.

1. Account lockout threshold


This security setting determines the number of failed logon attempts that causes a user
account to be locked out. A locked-out account cannot be used until it is reset by an
administrator or until the lockout duration for the account has expired. The number of failed
logon attempts can be set between 0 and 999. If it is set to 0, the account will never be locked
out. Failed password attempts against workstations or member servers that have been locked
using either CTRL+ALT+DELETE or a password-protected screen saver count as failed logon
attempts. The default value is 0.
To configure this setting, double-click on Account lockout threshold > click Define
this policy setting > set the number of invalid logon attempts (3) > Apply > OK.


2. Reset account lockout counter after


This security setting determines the number of minutes that must elapse after a failed
logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The
available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this
reset time must be less than or equal to Account lockout duration. The default is none because
this policy setting only has meaning when an Account lockout threshold is specified.
To configure it, double-click on Reset account lockout counter after > click Define
this policy setting > set the reset time in minutes (30) > Apply > OK.

3. Account lockout duration


This security setting determines the number of minutes a locked-out account remains
locked out before automatically becoming unlocked. The available range is from 0 minutes
through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked
out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the
account lockout duration must be greater than or equal to the reset time. The default is None,
because this policy setting only has meaning when an Account lockout threshold is specified.
To configure it, double-click on Account lockout duration > click Define this policy
setting > set the lockout duration in minutes (30) > Apply > OK.
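An added, read-only audit (not from the course) that compares the domain's effective account policy with the values the walk-through above configures (history 10, maximum age 30, minimum age 7, length 8, complexity on, threshold 3, reset 30, duration 30) and checks the relations between settings that the chapter describes. It uses Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory RSAT module; the values themselves are still set in the Default Domain Policy with the steps above.

```powershell
# Added example (not part of the course): audits the effective domain account
# policy against the chapter's values and the editor's consistency rules.
# Read-only; assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

# Target values from the chapter's walk-through.
$target = @{
    PasswordHistoryCount     = 10
    MaxPasswordAge           = New-TimeSpan -Days 30
    MinPasswordAge           = New-TimeSpan -Days 7
    MinPasswordLength        = 8
    ComplexityEnabled        = $true
    LockoutThreshold         = 3
    LockoutObservationWindow = New-TimeSpan -Minutes 30   # "Reset account lockout counter after"
    LockoutDuration          = New-TimeSpan -Minutes 30
}

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# 1. Compare each effective value with the target and report drift.
$drift = foreach ($name in $target.Keys) {
    $actual = $policy.$name
    if ($actual -ne $target[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $target[$name]; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Account policy matches the target.' }

# 2. Check the relations the chapter describes. A maximum age of 0 means
#    passwords never expire, so the min/max rule only applies when it is > 0;
#    a lockout duration of 0 means "until an administrator unlocks".
$issues = @()
if ($policy.MaxPasswordAge.TotalDays -gt 0 -and
    $policy.MinPasswordAge -ge $policy.MaxPasswordAge) {
    $issues += 'Minimum password age must be less than maximum password age.'
}
if ($policy.PasswordHistoryCount -gt 0 -and $policy.MinPasswordAge.TotalDays -eq 0) {
    $issues += 'Password history is ineffective while minimum password age is 0.'
}
if ($policy.LockoutThreshold -eq 0) {
    $issues += 'Lockout threshold is 0: accounts are never locked out.'
}
elseif ($policy.LockoutDuration.TotalMinutes -gt 0 -and
        $policy.LockoutObservationWindow -gt $policy.LockoutDuration) {
    $issues += 'Reset counter window exceeds the lockout duration.'
}
if ($policy.MinPasswordLength -lt 8) {
    $issues += "Minimum password length $($policy.MinPasswordLength) is below the chapter's value of 8."
}
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Consistency checks passed.' }
```

Get-ADDefaultDomainPasswordPolicy reports the effective policy written to the domain object, which the Default Domain Policy GPO reapplies on each refresh; a drift line therefore points at a GPO value to correct in the editor, not at an attribute to edit directly.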


c. Kerberos Policy
Kerberos is the authentication protocol used in a Windows domain environment to
authenticate logons and grant accounts access to domain resources. An account can be a user
or a computer because computers must also authenticate to the domain. Kerberos provides
mutual authentication between a client and server or between two servers.

5.5 Group Policy Settings


a. Deploy Wallpaper Using Group Policy
If you want to display custom wallpaper with a company logo, you can also prevent users
from changing the desktop background on client PCs. For instance, the target user group is
"Student Group", which resides within an OU named "Student OU".
Follow the steps below to set a wallpaper for "Student OU" accounts using Group
Policy:
1. Creating the Group Policy Object
To create a GPO, in Server Manager, click Tools > Group Policy Management >
expand the forest and domain > right-click on Group Policy Objects > select "New", and give
the new policy object the name "Wallpaper Policy".

2. Editing the policy object


The newly created policy “Wallpaper Policy” will be listed on the Group Policy object
list. To edit the object, right click on it and select “Edit”.


An editor window will show up. On the left pane, go to User Configuration > Policies
> Administrative Templates > Desktop > Desktop > double-click on Desktop Wallpaper
setting.

Change the option to Enabled, and then specify the wallpaper location and style. Under
"Options", type the path of the image you want to set as the default background
(\\Svr-01\wp\wallpaper.jpg) and select the style > Apply > OK.
The fully qualified path and file name of the wallpaper image must be used in this
setting. For example, C:\Windows\web\wallpaper\home.jpg or
\\Server\Share\Corp.jpg.


3. Applying the policy object


Go back to the Group Policy Management console window. To apply the policy,
right-click on "Student OU" > select "Link an Existing GPO" > select "Wallpaper
Policy" > click OK.

Verify that Wallpaper Policy is now listed under the “Student OU”.

Once you complete these steps, you'll need to restart your computer to see the changes.
Alternatively, run gpupdate /force to apply the policy and gpresult /r to verify it. When
"Wallpaper Policy" is listed under the section "Applied Group Policy Objects", the policy
has been applied and the desktop background wallpaper is changed.
b. Moderating Access to Control Panel
Setting limits on a computer's Control Panel creates a safer business environment.
Through Control Panel, a user can control many aspects of the computer, so by moderating
who has access to it you can keep data and resources safe. Follow the steps below
to deny access to Control Panel for "Student OU" using Group Policy:
1. Creating the Group Policy Object


To create a GPO, in Server Manager, click Tools > Group Policy Management >
expand the forest and domain > right-click on Group Policy Objects > select "New", and give
the new policy object the name "Deny Control Panel".

2. Editing the policy object


The newly created policy will be listed in the Group Policy Objects list. Right-click on
it > select "Edit" > User Configuration > Policies > Administrative Templates > Control
Panel > Prohibit access to Control Panel and PC settings.

Right click on the setting Prohibit access to Control Panel and PC settings and click
Edit. This setting prevents Control.exe and SystemSettings.exe, the program files for Control
Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings,
or run any of their items. Click Enabled > Apply > OK.


3. Applying the policy object


Go back to the Group Policy Management console window and right-click on "Student
OU" > select "Link an Existing GPO". Select "Deny Control Panel" and click OK.

c. Control Access to Command Prompt


The Command Prompt can be used to run commands that give users elevated access
and evade other restrictions on the system. So, to protect system resources, it is wise
to disable the Command Prompt for such users. To control access to the command prompt,
perform the following steps.
1. In the Group Policy Management Editor window, go to User Configuration >
Policies > Administrative Templates > System.
2. In the right pane, double-click the "Prevent access to the command prompt" policy.
3. Click "Enabled" to apply the policy.
4. Click "Apply" and "OK".
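The three GPOs of this section (Wallpaper Policy, Deny Control Panel and the command prompt restriction) created, configured and linked to the OU with the GroupPolicy module, as an added example that is not part of the course. It assumes the domain corp.example, the OU name and wallpaper path from the text, and a GPO name "Deny Command Prompt" for the third policy (the text does not name it); the registry locations are the ones the named Administrative Template settings write.

```powershell
# Added example (not from the course): builds the three user-side GPOs the
# section creates in the GUI and links them to "Student OU". Assumes domain
# "corp.example"; the GPO name "Deny Command Prompt" is this script's choice.
Import-Module GroupPolicy

$ouDn = 'OU=Student OU,DC=corp,DC=example'

function New-OrGetGpo([string]$Name) {
    # Re-running the script must not fail on an object that already exists.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

# 1. Wallpaper Policy: User Configuration > Policies > Administrative
#    Templates > Desktop > Desktop > "Desktop Wallpaper" = Enabled.
$wp    = New-OrGetGpo 'Wallpaper Policy'
$wpKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $wp.DisplayName -Key $wpKey -ValueName 'Wallpaper' `
    -Type String -Value '\\Svr-01\wp\wallpaper.jpg' | Out-Null
Set-GPRegistryValue -Name $wp.DisplayName -Key $wpKey -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null       # 2 = Stretch in the setting's style list

# 2. Deny Control Panel: ... > Control Panel > "Prohibit access to Control
#    Panel and PC settings" = Enabled (NoControlPanel = 1).
$cp = New-OrGetGpo 'Deny Control Panel'
Set-GPRegistryValue -Name $cp.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 3. Command prompt: ... > System > "Prevent access to the command prompt"
#    = Enabled. DisableCMD 2 blocks interactive cmd.exe but still lets logon
#    scripts run; 1 blocks script processing as well.
$cmd = New-OrGetGpo 'Deny Command Prompt'
Set-GPRegistryValue -Name $cmd.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 4. Link each GPO to the OU ("Link an Existing GPO"), skipping existing links.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | ForEach-Object DisplayName
foreach ($gpo in $wp, $cp, $cmd) {
    if ($linked -notcontains $gpo.DisplayName) {
        New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# 5. Verify: list the OU's links and save one GPO's settings report for review.
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object Order, DisplayName, Enabled
Get-GPOReport -Name $wp.DisplayName -ReportType Html -Path "$env:TEMP\WallpaperPolicy.html"
# On a client in the OU, after logon:  gpupdate /force ; gpresult /r
```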
