Lab_AD_Complet/docs/etudiant/en/04-gpo.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


# Group Policy Objects (GPO)
Goal: create and link a few representative GPOs.
## What is a GPO
A Group Policy Object is a set of settings applied to users or computers. It
is stored in `SYSVOL` (on DCs) and replicated to all domain-joined machines.
Two main scopes:
- `Computer configuration`: applied at boot
- `User configuration`: applied at logon
A GPO is **linked** to a container (site, domain, OU). Objects in that
container and its descendants inherit the GPO. You thus use OUs as scoping
targets: link a GPO to the `Students` OU and it will only apply to the users in it.
## Lab scenarios
Three GPOs:
1. Strengthen the domain password policy
2. Force a wallpaper on students
3. Restrict Control Panel access for students
## Password policy
Lives in the `Default Domain Policy`, applied domain-wide.
### GUI
1. Open `Group Policy Management` (`gpmc.msc`)
2. Domain > `Default Domain Policy` > right-click > `Edit`
3. `Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy`
4. Tune minimum length, complexity, history, age
### PowerShell
Key cmdlet: `Set-ADDefaultDomainPasswordPolicy`.
```
Set-ADDefaultDomainPasswordPolicy -Identity corp.lab `
-MinPasswordLength 10 `
-ComplexityEnabled $true `
-PasswordHistoryCount 5 `
-MaxPasswordAge (New-TimeSpan -Days 90) `
-LockoutThreshold 5 `
-LockoutDuration (New-TimeSpan -Minutes 15)
```
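To confirm the policy actually took effect (and to catch the two values that silently weaken it, a zero lockout threshold and a zero maximum age), here is an added audit script. It is not part of the lab's own scripts: `Test-LabPasswordPolicy` and `$LabBaseline` are names chosen for this example, the baseline numbers are copied from the `Set-ADDefaultDomainPasswordPolicy` call above, and it assumes the RSAT `ActiveDirectory` module is available.

```powershell
# Added example (not from the lab files): read back the effective default
# domain password policy and report every setting weaker than the lab target.
Import-Module ActiveDirectory

# Target values, copied from the Set-ADDefaultDomainPasswordPolicy call in the lab
$LabBaseline = @{
    MinPasswordLength    = 10
    ComplexityEnabled    = $true
    PasswordHistoryCount = 5
    MaxPasswordAge       = New-TimeSpan -Days 90
    LockoutThreshold     = 5
    LockoutDuration      = New-TimeSpan -Minutes 15
}

function Test-LabPasswordPolicy {
    param(
        [string]$Domain = 'corp.lab',
        [hashtable]$Baseline = $LabBaseline
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), expected at least $($Baseline.MinPasswordLength)"
    }
    if ($Baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
        $findings += "Complexity requirements are disabled"
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), expected at least $($Baseline.PasswordHistoryCount)"
    }
    # MaxPasswordAge of 00:00:00 means "never expires": weaker than any finite value
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge -gt $Baseline.MaxPasswordAge) {
        $findings += "MaxPasswordAge is $($p.MaxPasswordAge), expected at most $($Baseline.MaxPasswordAge)"
    }
    # LockoutThreshold of 0 disables account lockout entirely
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold), expected between 1 and $($Baseline.LockoutThreshold)"
    }
    # LockoutDuration of 00:00:00 means "until an administrator unlocks", which is
    # stricter, not weaker, so only a short non-zero duration is flagged
    if ($p.LockoutDuration -ne [TimeSpan]::Zero -and $p.LockoutDuration -lt $Baseline.LockoutDuration) {
        $findings += "LockoutDuration is $($p.LockoutDuration), expected at least $($Baseline.LockoutDuration)"
    }
    # Not part of the baseline but never acceptable: passwords stored recoverably
    if ($p.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is on; passwords are recoverable from the directory"
    }
    return $findings
}

# Usage: an empty result means the domain matches the baseline
Test-LabPasswordPolicy | ForEach-Object { Write-Warning $_ }
```

The script checks the domain default only. Fine-grained password policies (PSOs) override it for the users they target, so for one specific account the authoritative view is `Get-ADUserResultantPasswordPolicy -Identity <user>`.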
## Wallpaper GPO
### GUI
1. `gpmc.msc` > Domain > right-click `OU=Students,OU=Users,OU=CORP` > `Create a GPO in this domain, and link it here`
2. Name it (e.g. `GPO_Students_Wallpaper`)
3. Right-click GPO > `Edit`
4. `User Configuration > Policies > Administrative Templates > Desktop > Desktop`
5. Setting `Desktop Wallpaper` > `Enabled`, set the image path and style
### PowerShell
Key cmdlets: `New-GPO`, `New-GPLink`, `Set-GPRegistryValue`.
```
New-GPO -Name "GPO_Students_Wallpaper"
Set-GPRegistryValue -Name "GPO_Students_Wallpaper" `
-Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
-ValueName "Wallpaper" -Type String -Value "C:\Windows\Web\Wallpaper\Windows\img0.jpg"
New-GPLink -Name "GPO_Students_Wallpaper" `
-Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```
## Control Panel restriction GPO
Same steps via GUI, setting:
`User Configuration > Policies > Administrative Templates > Control Panel > Prohibit access to Control Panel and PC settings > Enabled`
PowerShell:
```
New-GPO -Name "GPO_Students_NoCP"
Set-GPRegistryValue -Name "GPO_Students_NoCP" `
-Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
-ValueName "NoControlPanel" -Type DWord -Value 1
New-GPLink -Name "GPO_Students_NoCP" `
-Target "OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab"
```
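Both student GPOs follow the same three-step pattern (`New-GPO`, `Set-GPRegistryValue`, `New-GPLink`), so here it is factored into one reusable, re-runnable function that creates both. This is an added example, not code from the lab: `New-LabUserPolicy` is a name chosen here, the GPO names, registry keys and OU distinguished name are the ones used above, and the `WallpaperStyle` value `2` (Stretch) is the registry equivalent of the style chosen in the GUI step.

```powershell
# Added example (not from the lab files): idempotent creation of a user-scoped,
# registry-backed GPO linked to one OU. Safe to run twice: an existing GPO is
# reused, values are overwritten, and the link is only created if missing.
Import-Module GroupPolicy

function New-LabUserPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOU,
        [Parameter(Mandatory)][hashtable[]]$RegistryValues,
        [string]$Comment = 'Created by New-LabUserPolicy (lab example)'
    )
    # Reuse the GPO if it already exists (Get-GPO errors when it does not)
    try   { $gpo = Get-GPO -Name $Name -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $Name -Comment $Comment }

    foreach ($rv in $RegistryValues) {
        Set-GPRegistryValue -Guid $gpo.Id -Key $rv.Key -ValueName $rv.ValueName `
            -Type $rv.Type -Value $rv.Value | Out-Null
    }

    # Only user settings are used: disabling the computer half skips it at boot
    $gpo.GpoStatus = 'ComputerSettingsDisabled'

    # Link only once; Get-GPInheritance lists the links directly on the target
    $alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    return Get-GPO -Guid $gpo.Id
}

$studentsOU = 'OU=Students,OU=Users,OU=CORP,DC=corp,DC=lab'
$policiesSystem   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policiesExplorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Wallpaper: the path is resolved on the client, so a local file or a UNC
# share that students can read both work. WallpaperStyle 2 = Stretch.
New-LabUserPolicy -Name 'GPO_Students_Wallpaper' -TargetOU $studentsOU -RegistryValues @(
    @{ Key = $policiesSystem; ValueName = 'Wallpaper';      Type = 'String'; Value = 'C:\Windows\Web\Wallpaper\Windows\img0.jpg' },
    @{ Key = $policiesSystem; ValueName = 'WallpaperStyle'; Type = 'String'; Value = '2' }
)

# Control Panel restriction
New-LabUserPolicy -Name 'GPO_Students_NoCP' -TargetOU $studentsOU -RegistryValues @(
    @{ Key = $policiesExplorer; ValueName = 'NoControlPanel'; Type = 'DWord'; Value = 1 }
)
```

Writing the registry values directly is equivalent to toggling the Administrative Template in the GUI, but the GPO editor will only display them under the template name if the key and value name match the ADMX exactly; otherwise they show up as "Extra Registry Settings", which is a useful sanity check after running the script.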
## Test
On a client machine with a student logged in:
```
gpupdate /force
gpresult /r
```
`gpresult` lists effective GPOs. If yours is missing, check:
- the user is in the right OU
- the GPO is linked to the right OU
- the user has `Apply Group Policy` permission (security filtering)
- no WMI filter blocks it
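The four checks above can be run from the DC (or any host with RSAT) rather than by reading `gpresult` output. Here they are as one added function, not part of the lab files: `Test-LabGpoScope` is a name chosen for this example, the student account `alice` in the usage line is constructed, and the security-filtering check only expands the user's direct group memberships.

```powershell
# Added example (not from the lab files): for one user and one GPO, test each
# reason in the checklist above and return a list of findings (empty = all good).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-LabGpoScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $findings = @()
    $user = Get-ADUser -Identity $SamAccountName

    # Container holding the user: drop the leading "CN=<name>" RDN.
    # Assumes no escaped commas in the CN, which holds for lab accounts.
    $userOu = ($user.DistinguishedName -split ',(?=OU=|CN=|DC=)', 2)[1]

    # Checks 1 and 2: the GPO must be linked (and enabled) on the user's
    # container or one of its parents. InheritedGpoLinks is the effective set.
    $inh  = Get-GPInheritance -Target $userOu
    $link = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link) {
        $findings += "'$GpoName' is not linked on $userOu or any parent container"
    } elseif (-not $link.Enabled) {
        $findings += "'$GpoName' is linked at $($link.Target) but the link is disabled"
    }
    if ($inh.GpoInheritanceBlocked) {
        $findings += "Block Inheritance is set on $userOu; only Enforced links from above still apply"
    }

    # Check 3: security filtering. Some trustee covering the user must hold
    # "Apply Group Policy" (GpoApply). Direct groups only; nesting not expanded.
    $gpo      = Get-GPO -Name $GpoName
    $groups   = (Get-ADPrincipalGroupMembership -Identity $user).Name
    $covering = @('Authenticated Users', $user.SamAccountName) + $groups
    $appliers = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    if (-not ($appliers | Where-Object { $covering -contains $_ })) {
        $findings += "No 'Apply Group Policy' entry on '$GpoName' covers $SamAccountName (trustees: $($appliers -join ', '))"
    }

    # Check 4: a WMI filter is evaluated on the client, so it can only be reported here
    if ($gpo.WmiFilter) {
        $findings += "WMI filter '$($gpo.WmiFilter.Name)' is attached; verify it matches the client"
    }

    # Extra check: a user-side GPO whose user half is disabled applies nothing
    if ($gpo.GpoStatus.ToString() -in @('UserSettingsDisabled', 'AllSettingsDisabled')) {
        $findings += "GpoStatus is $($gpo.GpoStatus); user settings will never apply"
    }
    return $findings
}

# Usage (student account name is a constructed example)
Test-LabGpoScope -GpoName 'GPO_Students_Wallpaper' -SamAccountName 'alice' |
    ForEach-Object { Write-Warning $_ }
```

If every check passes and `gpresult /r` still does not list the GPO, the remaining suspects are on the client side: the machine cannot reach `SYSVOL` on a DC, or the refresh has not run yet (`gpupdate /force` above).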
## Notes
- Don't stuff the `Default Domain Policy`. Always create dedicated GPOs for
anything beyond the password policy.
- GPO precedence: Local > Site > Domain > OU (closer wins on conflicts).
- `Block Inheritance` breaks the chain for a child OU. Use sparingly.
## Next
`05-shares-ntfs.md` for SMB shares and NTFS permissions.