GPO (Group policy object) in windows 2012

I would like to study which GPO (Group policy) are assigns to users and which to computers in a OU (organization unit) a windows 2012 infrastructure?
Also i need a good tutorial or other materials for this subject.
GasAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mitul PrajapatiIT SupervisorCommented:
Check the youtube link below for understanding of GPO

https://www.youtube.com/watch?v=KSTKGChQus0

https://www.youtube.com/watch?v=VUdHwKiXA_I

you need to install hyper V in your computer and create one server and one client computer for the practice.
1
yo_beeDirector of Information TechnologyCommented:
With over 3000 setting out of the box it is very hard to speak on computers or user settings.

From a 10,000 ft view computer settings are system wide and apply to any use that logs on to that computer. Whereas user settings follow the user from computer to computer.  

Next comes the hierarchy of GP. Knowing how GP apply is very important.  https://www.google.com/amp/s/emeneye.wordpress.com/2016/02/16/group-policy-order-of-precedence-faq/amp/.

Here is a good download pdf as well.
https://www.microsoft.com/en-US/download/details.aspx?id=53314

If the OUs do not have blocked inheritance GPO's trickle down to child OUs. So you place the GP at the highest level that you want all subsidiary objects to receive. This is where things need to be thought out and tested.  If you place a GP to low in the chain the settings that you want will not apply and the same is true if your GP is way at the top of the chain and you do not want it to apply to everyone, but it may.

I watched the first video link and it was a good explanation.

Most of my education with GP was googling a setting I was looking to control. I recommend you do the same. There is some much out there.  You always can ask here as well. There are many knowledgable EE's here that are biting at the bit to help.

Hope this helps a bit
0
GasAuthor Commented:
"With over 3000 setting out of the box it is very hard to speak on computers or user settings"
I am looking for the most important of these settings . I mean for the 5-10 GPO's , the main  GPO which apply to the users and the computers in OU
0
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Radhakrishnan RSenior Technical LeadCommented:
Hi,

Open Group Policy Management Console (start>>run>>gpmc.msc) from the domain controller, expand domain, select the OU which you specifically looking for. In the right hand side 'Linked Group Policy Objects', you will be able to see the GPO's which linked with this OU which will apply to the users and computers.

Next, expand the OU (from left hand side), You will get 4 options in right hand side (Scope, Details, Settings, Delegation). If you click on the 'Scope' tab, Under Security Filtering, you can add the users group, or computers group, so the settings in the GPO can only apply to the following users and computers.

If you select the 'Settings' tab, you can see the settings which enabled in the policy. Computer based policies under 'Computer Configuration' and User based policies under 'User Configuration'.

This is how you can see it from server. Now, if you want to see which policies being applied to end users or machines? then you can either run gpresults (Group Policy Results) from the server or rsop.msc from the machines.
0
yo_beeDirector of Information TechnologyCommented:
There are two set of default GPO's (Default Domain Policy and Default Domain Controller Policy) that should never be modified or deleted.  These can be considered the main GPO's.  Anything else will be specific to your environment needs. To do this you create a new GPO and do not add any settings to the default ones.  


If you are asking what settings apply both to computers and users there is none.  Its either a computer setting or a user setting.

Here are some that come to mind password history, length between changing passwords, complexity of passwords, and screensaver/lock screen.  The rest is up to you on how much you want to lock the computer down.  One thing to keep in mind when you use GPO's is that the setting you are pushing out to the environment is locked and you cannot change it at the computer level.  

i.e.  
Internet Explorer list of trusted sites.  Once you enable this you cannot go into IE on the clients computer and add one-off sites.  If this needs to be added and you need to keep the GPO setting enable you will have to do it at the GPO level and then sync it (during the polling at the default 90 min interval or manually by running GPUPDATE).  

I hope this image helps explain some more.

 GPO1.png
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DonNetwork AdministratorCommented:
Sounds to me like you're just looking for some best practices, I'd read up on some best practice articles

http://www.itprotoday.com/management-mobility/group-policy-design-best-practices
0
Shaun VermaakTechnical SpecialistCommented:
Here is full process on how to find settings as well as a GPO applying a particular setting.
https://www.experts-exchange.com/articles/29415/How-to-find-Active-Directory-Group-Policy-GPO-that-applies-a-particular-setting.html
0
GasAuthor Commented:
Guys , thanks for the help , mainly the purpose of the question is for practice and increase my knowledge.
Furthermore i would like to make clear what is my question. I need to know what GPO are apply to users and what GPO are apply to computers.
f.e at the Users (In OU)  apply the GPO : .....
at the Computers (In OU) apply the GPO: ...
0
yo_beeDirector of Information TechnologyCommented:
If you run RSOP.MSC from the computer you can see what is being applied to what.  
Alternative is to use Group Policy Result Wizard in GMPC  to run a query against an known user and computer.

Right click on Group Policy Results Node and select Group Policy Result Wizard and follow the prompt.
I use this tool all the time for troubleshooting.  

gpo2.png
Edit: Your questions is not as straight forward as you are thinking.  My previous comment with the screenshot showing my hierarchy in my environment.  There are GPOs closer to the top that trickle down to both my Computers OU and my Users OU.  So if the GPO has both Computer and User settings configured the sub-OU with computer objects will get the Computer Configuration settings, while the Sub-OU with the Users gets the User Configuration.  Now if I put a Computer setting in a GPO linked to the Users OU those computer setting will never apply to any computer with how my AD OU structure is setup.  Now if you look ad my VDI OU you will see that it is set to block inheritance, so the only GPOs that will apply to the object in this OU will are the ones linked to the VDI OU.  

Now this holds true until you through LOOPBACK to the computer.   This setting allows you to target User Configuration based on the computer location in the OU structure.  I do not want to go into the weeds on this setting because it will just really confuse you, but it is a very valuable setting to be knowledgeable on.

Do you have anything you are looking to apply?
0
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- yo_bee (https:#a42467545)
-- yo_bee (https:#a42466988)
-- Don (https:#a42467582)
-- Shaun Vermaak (https:#a42467593)
-- Radhakrishnan R (https:#a42467210)
-- Mitul Prajapati (https:#a42466955)
-- yo_bee (https:#a42468206)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.