# Group Policy Objects (GPO)

Goal: create and link a few representative GPOs.

## What is a GPO

A Group Policy Object is a set of settings applied to users or computers. It is stored in `SYSVOL` (on DCs) and replicated to all domain-joined machines.

Two main scopes:

- `Computer configuration`: applied at boot
- `User configuration`: applied at logon

A GPO is **linked** to a container (site, domain, OU). Objects in that container and its descendants inherit the GPO.

You thus use OUs as scoping targets: link a GPO to `Students` OU and it will only apply to those users.

## Lab scenarios

Three GPOs:

1. Strengthen the domain password policy
2. Force a wallpaper on students
3. Restrict Control Panel access for students

## Password policy

Lives in the `Default Domain Policy`, applied domain-wide.

### GUI

1. Open `Group Policy Management` (`gpmc.msc`)
2. Domain > `Default Domain Policy` > right-click > `Edit`
3. `Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy`
4. Tune minimum length, complexity, history, age

### PowerShell

Key cmdlet: `Set-ADDefaultDomainPasswordPolicy`.

```
Set-ADDefaultDomainPasswordPolicy -Identity corp.lab `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15)
```

## Wallpaper GPO

### GUI

1. `gpmc.msc` > Domain > right-click `OU=Students,OU=Users,OU=CORP` > `Create a GPO in this domain, and link it here`
2. Name it (e.g. `GPO_Students_Wallpaper`)
3. Right-click GPO > `Edit`
4. `User Configuration > Policies > Administrative Templates > Desktop > Desktop`
5. Setting `Desktop Wallpaper` > `Enabled`, set the image path and style

### PowerShell

Key cmdlets: `New-GPO`, `New-GPLink`, `Set-GPRegistryValue`.

```
New-GPO -Name "GPO_Students_Wallpaper"

Set-GPRegistryValue -Name "GPO_Students_Wallpaper" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "Wallpaper" -Type String -Value "C:\Windows\Web\Wallpaper\Windows\img0.jpg"

New-GPLink -Name "GPO_Students_Wallpaper" `
    -Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```

## Control Panel restriction GPO

Same steps via GUI, setting:

`User Configuration > Policies > Administrative Templates > Control Panel > Prohibit access to Control Panel and PC settings > Enabled`

PowerShell:

```
New-GPO -Name "GPO_Students_NoCP"

Set-GPRegistryValue -Name "GPO_Students_NoCP" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1

New-GPLink -Name "GPO_Students_NoCP" `
    -Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```

## Test

On a client machine with a student logged in:

```
gpupdate /force
gpresult /r
```

`gpresult` lists effective GPOs. If yours is missing, check:

- the user is in the right OU
- the GPO is linked to the right OU
- the user has `Apply Group Policy` permission (security filtering)
- no WMI filter blocks it

## Notes

- Don't stuff the `Default Domain Policy`. Always create dedicated GPOs for anything beyond the password policy.
- GPO processing order: Local > Site > Domain > OU. Later-applied policies override earlier ones, so the GPO linked closest to the object wins on conflicts.
- `Block Inheritance` breaks the chain for a child OU. Use sparingly.

## Next

`05-shares-ntfs.md` for SMB shares and NTFS permissions.
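
The checklist from the Test section, run from a DC or admin workstation rather than the client, as an added example that is not part of the original lab notes. `Test-GpoScope` is a hypothetical helper name and `student1` an assumed sample account; the cmdlets come from the RSAT `ActiveDirectory` and `GroupPolicy` modules.

```powershell
# Added example; Test-GpoScope is a hypothetical helper, not a built-in cmdlet.
Import-Module ActiveDirectory, GroupPolicy   # RSAT modules

function Test-GpoScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $UserName,   # sAMAccountName
        [Parameter(Mandatory)] [string] $TargetOU    # DN the GPO should be linked to
    )
    $user = Get-ADUser -Identity $UserName
    $gpo  = Get-GPO -Name $GpoName

    # 1. The user object sits in the target OU or one of its descendants
    $inOU = $user.DistinguishedName -like "*,$TargetOU"

    # 2. The GPO is linked directly on the target OU and the link is enabled
    $link = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }

    # 3. Security filtering: a trustee matching the user holds Apply Group Policy.
    #    Only direct group membership is checked; S-1-5-11 is Authenticated Users.
    $sids  = @($user.SID.Value, 'S-1-5-11') +
             @((Get-ADPrincipalGroupMembership -Identity $user).SID.Value)
    $perms = Get-GPPermission -Name $GpoName -All |
        Where-Object { $sids -contains $_.Trustee.Sid.Value }
    $apply  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
    $denied = @($perms | Where-Object { $_.Denied })

    # 4. A WMI filter or a disabled user half can also stop the settings
    [pscustomobject]@{
        Gpo             = $GpoName
        UserInTargetOU  = $inOU
        LinkedToOU      = [bool]$link
        LinkEnabled     = [bool]($link -and $link.Enabled)
        ApplyGrantedVia = $apply.Trustee.Name -join ', '
        DenyEntries     = $denied.Count
        WmiFilter       = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        UserSettingsOn  = $gpo.GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
    }
}

# 'student1' is an assumed sample account; the GPO and OU are the lab's own.
Test-GpoScope -GpoName 'GPO_Students_NoCP' -UserName 'student1' `
    -TargetOU 'OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab'
```

An empty `ApplyGrantedVia` or a non-zero `DenyEntries` points at security filtering; nested group membership is not resolved, so confirm those cases with `gpresult /r` on the client.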