Complete Active Directory teaching environment based on dockurr/windows:

- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
# Group Policy Objects (GPO)

Goal: create and link a few representative GPOs.
## What is a GPO

A Group Policy Object is a set of settings applied to users or computers. Each GPO has two parts: a container object in AD (under CN=Policies,CN=System in the domain partition) and a folder of files in the SYSVOL share of the DCs. SYSVOL is replicated between DCs only; domain-joined clients do not receive a copy, they read the GPO from a DC every time policy is processed.

Two main scopes:

- Computer configuration: applied at boot
- User configuration: applied at logon

Both are also refreshed in the background (every 90 minutes plus a random offset on members, every 5 minutes on DCs).

A GPO is linked to a container (site, domain, OU). Objects in that container and its descendants inherit the GPO. You thus use OUs as scoping targets: link a GPO to the Students OU and it applies only to the user objects located in that OU (and its child OUs), not to users who merely belong to a group called Students.
## Lab scenarios
Three GPOs:
- Strengthen the domain password policy
- Force a wallpaper on students
- Restrict Control Panel access for students
### Password policy

Lives in the Default Domain Policy, applied domain-wide. Password and lockout settings for domain accounts are read only from GPOs linked at the domain root; the same settings placed in a GPO linked to an OU affect only the local accounts of the computers in that OU. To give a subset of users a different policy, use a fine-grained password policy (PSO), not an OU-linked GPO.
#### GUI

- Open Group Policy Management (gpmc.msc)
- Domain > Default Domain Policy > right-click > Edit
- Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
- Tune minimum length, complexity, history, age (Account Lockout Policy sits next to it)
#### PowerShell

Key cmdlet: Set-ADDefaultDomainPasswordPolicy.

```powershell
Set-ADDefaultDomainPasswordPolicy -Identity corp.lab `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 5 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)   # must not exceed LockoutDuration
```

Check the result with Get-ADDefaultDomainPasswordPolicy. The cmdlet writes the attributes on the domain object directly, while the Default Domain Policy GPO still carries its own values and the PDC emulator reapplies those from the GPO during policy processing; keep the two in sync (or simply edit the GPO and let it propagate) so the change does not get reverted.
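Two checks a practitioner usually wants around the domain policy, as an added example that is not part of the lab repo: read back what the domain enforces, then scope a stricter policy to one group with a fine-grained password policy, which is the AD mechanism for per-group password rules and goes beyond the page's Default Domain Policy case. The domain corp.lab is the lab's; the group GG_Teachers, the PSO name and the user jdoe are assumptions.

```powershell
# Added example, not part of the lab repo. Assumes domain corp.lab (from the lab);
# GG_Teachers, PSO_Teachers_Strict and jdoe are placeholders.
Import-Module ActiveDirectory

# 1. What the domain enforces right now (attributes on DC=corp,DC=lab).
Get-ADDefaultDomainPasswordPolicy -Identity corp.lab |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. A PSO applies to users and global groups, not to OUs. It needs domain
#    functional level 2008 or higher. When several PSOs match one user, the
#    lowest Precedence value wins; any PSO beats the domain-wide policy.
$psoName = 'PSO_Teachers_Strict'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'GG_Teachers'

# 3. Which policy does a given account actually get? Returns the winning PSO,
#    or nothing when only the domain-wide policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Run step 3 for a student account as well: it should return nothing, which confirms the PSO did not leak beyond the group.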
### Wallpaper GPO

#### GUI

- gpmc.msc > Domain > right-click OU=Students,OU=Users,OU=CORP > Create a GPO in this domain, and link it here
- Name it (e.g. GPO_Students_Wallpaper)
- Right-click GPO > Edit
- User Configuration > Policies > Administrative Templates > Desktop > Desktop
- Setting Desktop Wallpaper > Enabled, set the image path and style
#### PowerShell

Key cmdlets: New-GPO, New-GPLink, Set-GPRegistryValue.

```powershell
New-GPO -Name "GPO_Students_Wallpaper"
# These are the registry values the "Desktop Wallpaper" template writes, so GPMC
# shows them under Administrative Templates. The image must be readable by the student.
Set-GPRegistryValue -Name "GPO_Students_Wallpaper" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "Wallpaper" -Type String -Value "C:\Windows\Web\Wallpaper\Windows\img0.jpg"
Set-GPRegistryValue -Name "GPO_Students_Wallpaper" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "WallpaperStyle" -Type String -Value "2"   # the "style" of the GUI step; 2 = Stretch
New-GPLink -Name "GPO_Students_Wallpaper" `
    -Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```
### Control Panel restriction GPO

Same steps via GUI, setting:

User Configuration > Policies > Administrative Templates > Control Panel > Prohibit access to Control Panel and PC settings > Enabled

PowerShell:

```powershell
New-GPO -Name "GPO_Students_NoCP"
Set-GPRegistryValue -Name "GPO_Students_NoCP" `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1
New-GPLink -Name "GPO_Students_NoCP" `
    -Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```

This hides the Control Panel and Settings UI for the student; the underlying settings stay reachable through other tools, so treat it as a usability restriction, not a privilege boundary.
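As an added example (not the lab's own script), the two student GPOs built by one idempotent function: it creates the GPO only if it is missing, applies the registry-backed settings, links it once, and reads every value back from the GPO. The domain, OU and GPO names come from the lab; the function name, the Comment text and the WallpaperStyle value are assumptions.

```powershell
# Added example, not part of the lab repo. Domain, OU and GPO names are the
# lab's; Set-LabGpo, the comment text and WallpaperStyle=2 are assumptions.
Import-Module GroupPolicy

function Set-LabGpo {
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [string]      $TargetOu,
        [Parameter(Mandatory)] [hashtable[]] $Settings,   # Key / ValueName / Type / Value
        [string] $Comment = 'Lab GPO, managed by script'
    )
    # New-GPO throws when the name already exists, so look it up first.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }

    # Re-running with the same settings is harmless: values are overwritten in place.
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName `
            -Type $s.Type -Value $s.Value | Out-Null
    }

    # Link only once; GpoLinks lists the links placed directly on the OU.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
              Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Read back: every setting must be stored in the GPO exactly as requested.
    foreach ($s in $Settings) {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName
        if ("$($v.Value)" -ne "$($s.Value)") {
            throw "$Name : $($s.ValueName) was not stored (got '$($v.Value)')"
        }
    }
    $gpo
}

$studentsOu = 'OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab'
$policies   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'

# Wallpaper: path and style both live under Policies\System.
Set-LabGpo -Name 'GPO_Students_Wallpaper' -TargetOu $studentsOu -Settings @(
    @{ Key = "$policies\System"; ValueName = 'Wallpaper';      Type = 'String'; Value = 'C:\Windows\Web\Wallpaper\Windows\img0.jpg' },
    @{ Key = "$policies\System"; ValueName = 'WallpaperStyle'; Type = 'String'; Value = '2' }
)

# Control Panel: a single DWORD under Policies\Explorer.
Set-LabGpo -Name 'GPO_Students_NoCP' -TargetOu $studentsOu -Settings @(
    @{ Key = "$policies\Explorer"; ValueName = 'NoControlPanel'; Type = 'DWord'; Value = 1 }
)
```

Because the function reads the values back through Get-GPRegistryValue, a typo in a key path fails loudly on the DC instead of silently producing a GPO that applies but does nothing.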
## Test

On a client machine with a student logged in (run these in the student's own session, not in an elevated admin prompt, otherwise the user settings of another account are reported):

```powershell
gpupdate /force
gpresult /r
```

gpresult lists the effective GPOs per scope (Computer Settings, User Settings) and, under "The following GPOs were not applied", the reason each skipped GPO was filtered out (Denied (Security), Denied (WMI Filter), Not Applied (Empty)). Some settings, the wallpaper among them, only show after a logoff/logon; gpupdate offers to log off when that is the case. If your GPO is missing, check:

- the user object is located in the right OU (location, not group membership)
- the GPO is linked to the right OU and the link is enabled
- the user has Apply Group Policy permission (security filtering): the default Authenticated Users entry covers every domain user; if you replaced it with a group, the user must be a member of that group
- no WMI filter blocks it
- the GPO's user settings are not disabled (GPO Status in GPMC)
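The checklist above, run server-side from the DC, as an added example that is not part of the lab repo: it locates the user's OU, checks the link chain with Get-GPInheritance, checks security filtering with Get-GPPermission, flags any WMI filter and verifies the GPO status. corp.lab and the two student GPO names come from the lab; the function name and the user student1 are placeholders.

```powershell
# Added example, not part of the lab repo. Assumes the lab's corp.lab domain;
# Test-GpoScope and 'student1' are placeholders.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $UserName
    )
    $gpo  = Get-GPO -Name $GpoName
    $user = Get-ADUser -Identity $UserName
    # Parent container of the user object (lab-grade: assumes no escaped comma in the CN).
    $ou = ($user.DistinguishedName -split ',', 2)[1]
    Write-Host "User $UserName is located in: $ou"

    # 1. Linked at the OU or inherited from a parent? InheritedGpoLinks is the
    #    effective chain for the container, after Block Inheritance and Enforced.
    $inh  = Get-GPInheritance -Target $ou
    $link = $inh.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id } | Select-Object -First 1
    if (-not $link) {
        Write-Host "NOT IN SCOPE: '$GpoName' is not linked at or above $ou"
        if ($inh.GpoInheritanceBlocked) { Write-Host "  (inheritance is blocked on $ou)" }
        return $false
    }
    if (-not $link.Enabled) { Write-Host "LINK DISABLED at $($link.Target)"; return $false }
    Write-Host "Linked at $($link.Target) (enforced: $($link.Enforced))"

    # 2. Security filtering: the user, or a group it belongs to, needs GpoApply.
    #    'Authenticated Users' is the default trustee and covers every domain user.
    $groups  = @(Get-ADPrincipalGroupMembership -Identity $UserName | ForEach-Object Name) + 'Authenticated Users'
    $applyTo = @(Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name })
    $candidates = $groups + $user.SamAccountName
    $matched    = @($candidates | Where-Object { $applyTo -contains $_ })
    if ($matched.Count -eq 0) {
        Write-Host "FILTERED OUT: GpoApply is granted only to: $($applyTo -join ', ')"
        return $false
    }

    # 3. WMI filter: it is evaluated on the client, so only flag it here.
    if ($gpo.WmiFilter) {
        Write-Host "WMI filter attached: $($gpo.WmiFilter.Name); confirm with gpresult on the client"
    }

    # 4. User settings must not be disabled on the GPO itself.
    if ($gpo.GpoStatus -in 'UserSettingsDisabled', 'AllSettingsDisabled') {
        Write-Host "USER SETTINGS DISABLED ($($gpo.GpoStatus))"
        return $false
    }
    Write-Host "OK: '$GpoName' should apply to $UserName (matched: $($matched -join ', '))"
    return $true
}

Test-GpoScope -GpoName 'GPO_Students_Wallpaper' -UserName 'student1'
Test-GpoScope -GpoName 'GPO_Students_NoCP'      -UserName 'student1'
```

A $true from this function and a missing entry in gpresult on the client usually points at the remaining causes the DC cannot see: a WMI filter evaluating to false, a stale Kerberos ticket for a just-moved user, or the client talking to a DC that has not replicated the new GPO yet.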
## Notes

- Don't stuff the Default Domain Policy. Always create dedicated GPOs for anything beyond the password policy.
- GPO precedence: Local > Site > Domain > OU, processed in that order, so on conflicts the link closest to the object wins. Several links on the same container are ordered by Link Order (1 wins).
- Block Inheritance breaks the chain for a child OU. Use sparingly; a link marked Enforced passes through a block anyway and also wins over links lower in the tree.
## Next

05-shares-ntfs.md for SMB shares and NTFS permissions.