Group Policy

Simple Guide : Implementing Group Policy in Windows Server 2012 R2

For this demo also, I use my existing Domain Server which is DC01.comsys.localand my Windows 8 client which is Surface01.comsys.local.

1 – 1st, you need configure a Central Store on DC01 Server, but before that, go to your Group Policy Management on DC01.

2 – Next, on the Group Policy Management Console (GPMC), double cickComsys.local, expand till you get Group Policy Objects folder. Right Click Default Domain Policy and click Edit

3 – Next, on the Group Policy Management Editor, double click User Configuration, expand Policies, and then click Administrative Templates, if you check on that, you will see note saying Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.

4 – Next, access to your Policies folder (c:\windows\SYSVOL\sysvol\comsys.local), here create a new folder name PolicyDefinitions.

5 – Next, access to your C:\windows\PolicyDefinitions folder, what you need to do here is to copy all .adml & .admx files...

6 – then, paste the .adml & .admx files that you copied just now into c:\windows\SYSVOL\sysvol\comsys.local\PolicyDefinitions folder.

7 – Next, lets verify the administrative template location in GPMC.. open back your GPMC and then click on the Administrative Templates, you should see now it saysAdministrative Templates: Policy definitions (ADMX files) retrieved from the Central Store….

8 – Next step lets create Internet Explorer Restriction default starter GPO, on the GPMC, right click Starter GPOs and click New

9 – In the New Starter GPO box, type ComSystem IE Restrictions, and in theComment field, type This GPO created by Hamizi to disables the General page in IE Options, and then click OK…

10 – after you created the Started GPO, now we need to configure the IE Restriction starter GPO, to continue, right click ComSystem IE Restrictions and click Edit

11 – Next, on the Group Policy Starter GPO Editor, go to User Configuration, Administrative Templates, and then right click All Settings, and then click Filter Options

12 – then in the Filter Options  box, click Enable Keyword Filters box and then in the Filter for word(s): field, type General page, then you choose Exact then clickOK

13 – Next, you need to double-click the Disable the General page setting, clickEnabled, and then click OK..

14 – Our next step is to create an IE Restrictions GPO from the IE Restrictions starter GPO, to continue right click Comsys.local and click Create a GPO in this domain, and link it here…

15 – Next, in the New GPO  box, type ComSystem IE Restrictions and then Under Source Starter GPO, select ComSystem IE Restrictions, and then click OK…

16 – so now lets test the GPO, see if it effected to our domain users or not…on the Windows 8 client, I log in as Alan.. Alan is from Research Department.

17 – once your user successfully log in, go to Control Panel and click Network and Internet, then click click Change your homepage..you should see a message box displays informing you that this feature has been disabled

18 – you can click Internet Options and notice that in the Internet Properties dialog box the General tab does not display

19 – so now for next step, lets use security filtering to exempt the IT Departmentfrom the Internet Explorer Restrictions policy.. on the GPMC, click ComSystem IE Restrictions GPO and click Delegation tab, then click Advanced button..

20 – Next, In the ComSystem IE Restrictions Security Settings box, click Add..

 

21 – then in the Select Users, Computers, Service Accounts, or Groups field, type IT Dept, and then click OK…

 

22 – next, In the  ComSystem IE Restrictions Security Settings box, click the IT Dept (COMSYS\IT Dept) group, next to the Apply group policy permission, select the Deny check box, and then click OK.. then click Yes to acknowledge..

 

23 – Now lets test the GPO for our IT Department.. on my Windows 8 I log in asCandy (Candy is a IT Engineer in IT Dept)…

 

24 – once Cindy successfully log in to Windows 8, go to Control Panel and click Network and Internet then click Change your homepage, The Internet Properties box opens to the General tab, and all settings are available..

 

that’s all for now folks.. c ya next time for more Windows Server 2012 R2 configuration…

Simple Guide : Creating & Configure GPO in Windows Server 2012 R2 – Part 2

For this demo objective, I’m going to restrict access to control panel, and restrict few apps such as Notepad.exe and Calc.exe my Marketing & Production users.

Lets get started…

1 – As usual on the domain server, create a new GPO, in my case my new GPO will be Comsys Infra Standard

2 – Next, right click Comsys Infra Standard GPO and click Edit…

 

3 – Next, on the Group Policy Management Editor, expand User Configuration, Policies, and Administrative Templates, and then click System, next double click Don’t run specified Windows applications, click Enabled and click Show…

 

4 – In the Show Contents box, in the Value list, type notepad.exe, Calc.exe andPaint.exe and then click OK…

 

5 – Next, click Control Panel, on the right pane, double click Prohibit access to Control Panel and PC Settings, then click Enabled and click OK

 

6 – Next, lets Link the Comsys Infra Standard GPO to our domain, right clickComsys.local and click Link an Existing GPO…

 

7 – On the Select GPO box, under Group Policy Object, click Comsys Infra Standard and then click OK to proceed…

 

8 – Next, you can open CMD and type gpupdate /boot /force…

 

9 – Next, log in to your Windows client PC, in my case my Windows 8 Client and I log in as my domain user (either your Marketing @ Production users…

 

10 – once you successfully log on, try open notepad and Control Panel and you will be presented with Restrictions warning box…

 

11 – Next, back to your Domain Server and open Control Panel (remember that my Domain Server is longed in as Domain Administrator)…

 

12 – once you click Control Panel, you will be presented with Restrictions warning box, but I’m a Domain Administrator, why I had this Restriction??

 

13 – Not to worry with this error, what you need to do to solve this small issue just a simple step where as in the Group Policy Management, click Comsys Infra Standard GPO, on the right pane, under Security Filtering, click Authenticated Users and then click Remove…

 

14 – On the Group Policy Management box, click OK to confirm remove the Authenticated Users group…

 

15 – Next, still in the Security Filtering, please add Marketing and Production group so that only this 2 groups will effected with this GPO…

 

Orait, thats all for Part 2, wait for my Group policy Part 3…