When Microsoft introduced group policy objects (GPOs) along with Windows Server 2000 nearly 17 years ago, they were an exciting new approach to managing user and system permissions. Today, they're simply part of the administrative woodwork, and as a result, some IT admins have forgotten how powerful these settings can be and when they can be used to solve problems.
When Windows Server 2016 is released later this fall, it will preserve those oh-so-handy GPOs, leaving them unchanged except for the addition of some settings specific to Windows Server 2016 and Windows 10. If it ain't broke ...
The Group Policy Management Console tools are installed with Active Directory, but you need Active Directory Domain Services (ADFS) for group policies to actually work. To control servers or workstations, they must be connected (aka "joined") to the domain. Although local policies can be configured for individual (non-domain-joined) PCs, it's a one-off scenario that doesn't tap into the core value of implementing group policy to control multiple systems and users at once.
There are thousands of potential configuration settings and options for GPOs. The easiest way to find your way to a setting is to identify its location path in the Group Policy Management Console (GPMC) tool, as shown in Figure 1. The location path shows you the full path to the settings you are seeking, in the same way you might look for a file that is buried in multiple folders.
Three uses of group policies make a good starting point both for the newbie admin and for the experienced admin who's taken group policies for granted and stopped seeking ways to use them for new needs. (When you're ready to dig deeper, Microsoft has a good, detailed tutorial that gets into the intricacies of group policies.)
GPO example 1: Enforce password complexity
To create a password complexity policy that applies to all users in a domain, perform the following steps:
- Open your Group Policy Management Console.
- Expand the Domains container and select your domain name.
- Right-click the domain name and choose the option Create a GPO in This Domain, and Link It Here.
- Give the new GPO a name (for example, Password Complexity Policy) and click OK.
- Once the policy is visible in your domain, right-click the policy and choose Edit. This opens the Group Policy Management Editor (GPME).
- Drill down to the location path in the GPME, as shown in Figure 2:
GPO_name\Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
- Right-click the Password Must Meet Complexity Requirements option and click Properties, as shown in Figure 3.
- Check the box Define This Policy Setting, check Enabled, then click OK. Note: You can also click the Explain tab for a full explanation of what this setting does.
There are of course other settings you can include in this GPO. For example, you can enable the complexity requirements and set the minimum password length to, say, eight characters.
GPO example 2: Disable USB drives
Some policies need to be applied situationally (to an organization unit, aka an OU), such as disabling USB devices. For example, you might have road warriors that need USB access on their laptops whereas you might want to lock down in-house PCs' USB ports.
Here's how you create such a situational policy:
- In the Group Policy Management Console, expand the domain name and look for the Group Policy Objects container. Typically, there are two default policies in that container (Default Domain Controller and Default Domain Policy), but if you've configured the Password Complexity Policy, it will also show up.
- Right-click the Group Policy Objects folder and click New.
- Give the new GPO a name like USB Restriction and click OK.
- Select the policy and click Edit to open the Group Policy Management Editor.
- Navigate to
GPO_name\Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access, as Figure 4 shows.
- Double-click the setting, check Enabled, then click OK or Apply.
As Figure 4 shows, there are a variety of settings to choose from. Here, I've chosen the All Removable Storage Classes: Deny All Access option to configure. You can see a description of a selected setting in the description pane if you click the Extended tab.
Keep in mind that you have created only the policy setting at this point; you haven't linked it to anything. To link it:
- Select either the domain in the Group Policy Management Console or the organizational unit you have in place.
- Right-click the organizational unit (as shown in Figure 5) and select Link an Existing GPO.
- Select the USB Restriction GPO and click OK.
- Right-click the GPO that is now linked and check the Enforced option to enforce it over that GPO.
It takes some time for group policies to be applied to systems and users, but you can force the changes to be applied by opening a command prompt and typing
Once this policy is applied, a user who tries to introduce a USB device should get an "access denied" message.
GPO example 3: Disable PST file creation
We've all dealt with the compliance nightmare that comes from using PST mailbox files. So how do you prevent users from creating them? With a group policy, of course. (Yes, there are registry configuration edits you can use to do this, but a group policy is much easier and faster.)
To make the changes you first have to download the Group Policy Administrative Templates for the version of Office you're imposing settings on. Once those templates are installed (which may require some finagling), you apply additional settings (shown in Figure 6) to control that version of Office through group policy.
Once you've chosen the site, domain, or organizational unit level to apply the policy to and have opened the Group Policy Management Editor, navigate to
GPO_name\User Configuration\Policies\Administrative Templates\Microsoft Outlook 2016\Miscellaneous\PST Settings.
There are two settings you might want to configure. The first is Prevent Users from Adding New Content to Existing PST files, which (as its name suggests) prevents users from adding more email to the PSTs they already have. The second setting is the Prevent Users from Adding PSTs to Outlook Profiles and/or Prevent Using Sharing-Exclusive PSTs, which blocks the creation of new PST files by your users.