• Status: Solved
  • Priority: High
  • Security: Private
  • Views: 69
  • Last Modified:

GPO (Group policy object) in windows 2012

I would like to study which GPO (Group policy) are assigns to users and which to computers in a OU (organization unit) a windows 2012 infrastructure?
Also i need a good tutorial or other materials for this subject.
0
Gas
Asked:
Gas
7 Solutions
 
Mitul PrajapatiJunior IT EngineerCommented:
Check the youtube link below for understanding of GPO

https://www.youtube.com/watch?v=KSTKGChQus0

https://www.youtube.com/watch?v=VUdHwKiXA_I

you need to install hyper V in your computer and create one server and one client computer for the practice.
1
 
yo_beeDirector of Information TechnologyCommented:
With over 3000 setting out of the box it is very hard to speak on computers or user settings.

From a 10,000 ft view computer settings are system wide and apply to any use that logs on to that computer. Whereas user settings follow the user from computer to computer.  

Next comes the hierarchy of GP. Knowing how GP apply is very important.  https://www.google.com/amp/s/emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/amp/.

Here is a good download pdf as well.
https://www.microsoft.com/en-US/download/details.aspx?id=53314

If the OUs do not have blocked inheritance GPO's trickle down to child OUs. So you place the GP at the highest level that you want all subsidiary objects to receive. This is where things need to be thought out and tested.  If you place a GP to low in the chain the settings that you want will not apply and the same is true if your GP is way at the top of the chain and you do not want it to apply to everyone, but it may.

I watched the first video link and it was a good explanation.

Most of my education with GP was googling a setting I was looking to control. I recommend you do the same. There is some much out there.  You always can ask here as well. There are many knowledgable EE's here that are biting at the bit to help.

Hope this helps a bit
0
 
GasAuthor Commented:
"With over 3000 setting out of the box it is very hard to speak on computers or user settings"
I am looking for the most important of these settings . I mean for the 5-10 GPO's , the main  GPO which apply to the users and the computers in OU
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Radhakrishnan RSenior Technical LeadCommented:
Hi,

Open Group Policy Management Console (start>>run>>gpmc.msc) from the domain controller, expand domain, select the OU which you specifically looking for. In the right hand side 'Linked Group Policy Objects', you will be able to see the GPO's which linked with this OU which will apply to the users and computers.

Next, expand the OU (from left hand side), You will get 4 options in right hand side (Scope, Details, Settings, Delegation). If you click on the 'Scope' tab, Under Security Filtering, you can add the users group, or computers group, so the settings in the GPO can only apply to the following users and computers.

If you select the 'Settings' tab, you can see the settings which enabled in the policy. Computer based policies under 'Computer Configuration' and User based policies under 'User Configuration'.

This is how you can see it from server. Now, if you want to see which policies being applied to end users or machines? then you can either run gpresults (Group Policy Results) from the server or rsop.msc from the machines.
0
 
yo_beeDirector of Information TechnologyCommented:
There are two set of default GPO's (Default Domain Policy and Default Domain Controller Policy) that should never be modified or deleted.  These can be considered the main GPO's.  Anything else will be specific to your environment needs. To do this you create a new GPO and do not add any settings to the default ones.  


If you are asking what settings apply both to computers and users there is none.  Its either a computer setting or a user setting.

Here are some that come to mind password history, length between changing passwords, complexity of passwords, and screensaver/lock screen.  The rest is up to you on how much you want to lock the computer down.  One thing to keep in mind when you use GPO's is that the setting you are pushing out to the environment is locked and you cannot change it at the computer level.  

i.e.  
Internet Explorer list of trusted sites.  Once you enable this you cannot go into IE on the clients computer and add one-off sites.  If this needs to be added and you need to keep the GPO setting enable you will have to do it at the GPO level and then sync it (during the polling at the default 90 min interval or manually by running GPUPDATE).  

I hope this image helps explain some more.

 GPO1.png
0
 
DonNetwork AdministratorCommented:
Sounds to me like you're just looking for some best practices, I'd read up on some best practice articles

http://www.itprotoday.com/management-mobility/group-policy-design-best-practices
0
 
Shaun VermaakTechnical Specialist/DeveloperCommented:
Here is full process on how to find settings as well as a GPO applying a particular setting.
https://www.experts-exchange.com/articles/29415/How-to-find-Active-Directory-Group-Policy-GPO-that-applies-a-particular-setting.html
0
 
GasAuthor Commented:
Guys , thanks for the help , mainly the purpose of the question is for practice and increase my knowledge.
Furthermore i would like to make clear what is my question. I need to know what GPO are apply to users and what GPO are apply to computers.
f.e at the Users (In OU)  apply the GPO : .....
at the Computers (In OU) apply the GPO: ...
0
 
yo_beeDirector of Information TechnologyCommented:
If you run RSOP.MSC from the computer you can see what is being applied to what.  
Alternative is to use Group Policy Result Wizard in GMPC  to run a query against an known user and computer.

Right click on Group Policy Results Node and select Group Policy Result Wizard and follow the prompt.
I use this tool all the time for troubleshooting.  

gpo2.png
Edit: Your questions is not as straight forward as you are thinking.  My previous comment with the screenshot showing my hierarchy in my environment.  There are GPOs closer to the top that trickle down to both my Computers OU and my Users OU.  So if the GPO has both Computer and User settings configured the sub-OU with computer objects will get the Computer Configuration settings, while the Sub-OU with the Users gets the User Configuration.  Now if I put a Computer setting in a GPO linked to the Users OU those computer setting will never apply to any computer with how my AD OU structure is setup.  Now if you look ad my VDI OU you will see that it is set to block inheritance, so the only GPOs that will apply to the object in this OU will are the ones linked to the VDI OU.  

Now this holds true until you through LOOPBACK to the computer.   This setting allows you to target User Configuration based on the computer location in the OU structure.  I do not want to go into the weeds on this setting because it will just really confuse you, but it is a very valuable setting to be knowledgeable on.

Do you have anything you are looking to apply?
0
 
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- yo_bee (https:#a42467545)
-- yo_bee (https:#a42466988)
-- Don (https:#a42467582)
-- Shaun Vermaak (https:#a42467593)
-- Radhakrishnan R (https:#a42467210)
-- Mitul Prajapati (https:#a42466955)
-- yo_bee (https:#a42468206)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now