How To Build a Group Policy Object in Microsoft Windows Servers?

source link: https://computingforgeeks.com/how-to-build-group-policy-object-in-microsoft-windows-servers/

It’s easy to understand the general use of the word “policy”, meaning some kind of ruleset, structure, or standard to which you need something to adhere. In our case, we’re talking about Microsoft Windows-based computers (and servers). Applying policies to computers, such as security policies, application policies, or printer policies, sounds like a great idea. If applying policies to a computer is great, applying policies to a group of computers must be even better, hence the term “Group Policy.” In a nutshell, Group Policy is a centralized way to issue policies to groups of computers inside your domain network.

This article is an excerpt taken from one of the chapters of the book Mastering Windows Server 2019, Third Edition by Jordan Krause – an updated third edition that provides you with the in-depth knowledge needed to implement and use this operating system in any environment.

Building a GPO 

There’s nothing quite as good as jumping in and getting your hands dirty, so let’s get down to business and build a new GPO. Don’t worry, we will be careful not to apply this GPO to anything yet and save that for our next section. As with most Microsoft technologies, there is a special management console created just for interacting with Group Policy, appropriately named the Group Policy Management Console (GPMC). Logging into any of your Domain Controller servers, you can launch GPMC from inside Administrative Tools, inside the Tools menu of Server Manager, or by launching GPMC.MSC from Start>Run, Command Prompt, or PowerShell: 

Figure 1: GPMC 

You’ll notice in Figure 1 that there are already some GPOs listed here. These are the default GPOs (Default Domain Policy and Default Domain Controllers Policy) that are created when you install Active Directory. To create a new GPO in a way that it is not yet applying to any workstations or users, right-click on the Group Policy Objects folder and select New. Create a name for your new GPO, click OK, and you have created a Group Policy Object! So far, your new GPO is void of any settings or configurations, and it is not linked to anything or anybody, so it is precisely pointless. We will soon change that…

Adding Trusted Sites 

I named my first GPO “Adding Trusted Sites” because I am going to use this new GPO to apply some URLs to be recognized as trusted sites inside Internet Explorer on my Windows 10 client computer. If you run a web application in your network that needs to run JavaScript or ActiveX controls, or something like that, it may be required that the website is part of the trusted sites list inside Internet Explorer for it to run properly. You could print off an instructions page for the helpdesk on how to do this on each computer and make them spend the time to do it for every user who calls in because they cannot access the application. Or you could simply create a GPO that makes these changes for you automatically on every workstation and save yourself from dealing with all of those phone calls. This is just one tiny example of the power that Group Policy possesses, but it’s a good example because it is useful, and it is a setting that is buried way down in the GPO settings, so you can get a feel for just how deep these capabilities go. 

Right-click on the new GPO and choose Edit…. Now navigate to Computer Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page. See, I told you it was buried in there! 

Figure 2: Creating a GPO to manage trusted websites 

Now double-click on Site to Zone Assignment List and set it to Enabled. This allows you to click on the Show… button, within which you can enter websites and give them zone assignments. Each GPO setting has a nice descriptive text to accompany it, telling you exactly what that particular setting is for and what the options mean. As you can see in the text for this one, the zone numbers are 1 for Intranet, 2 for Trusted sites, 3 for Internet, and 4 for Restricted sites, so in order to set my websites to be trusted sites, I need to give them a zone assignment value of 2. And, just for fun, I also added a site that I do not want to be accessible to my users and gave it a zone value of 4 so that badsite.contoso.com is a member of the restricted sites zone on all of my desktop computers. Here is my completed list:

Figure 3: Assigning websites to different zones 

Are we done? Almost. As soon as I click on the OK button, these settings are stored in my Group Policy Object and are ready to be deployed. As you know, we have not assigned this new GPO to apply to anybody yet, so for now the GPO is populated with these settings but still doing nothing. One caveat worth knowing before you deploy it: once zone assignments are delivered by policy, users can no longer add or remove sites in the zone lists themselves, so the GPO has to carry every site the business needs. Before we push out these settings, let’s build out a couple more common GPOs to make sure our examples here are well-rounded.
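The same GPO can be built from PowerShell instead of clicking through GPMC, which is handy when you want the change scripted and reviewable. The block below is an added example and is not code from the book; it assumes the GroupPolicy module (a Domain Controller or an RSAT host) and an account allowed to create GPOs, and the site list is constructed for illustration. The "Site to Zone Assignment List" template stores its entries as registry values under the Internet Settings policy key, which is what Set-GPRegistryValue writes here.

```powershell
# Added example (not from the book): build the "Adding Trusted Sites" GPO with the
# GroupPolicy module. Assumes a DC or RSAT host with that module and a session that
# may create GPOs. Site names below are constructed sample data.
Import-Module GroupPolicy

# Registry location the "Site to Zone Assignment List" administrative template manages.
$IEPolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey  = "$IEPolicyKey\ZoneMapKey"

# Zone numbers as given in the setting's explain text.
$Zone = @{ Intranet = '1'; Trusted = '2'; Internet = '3'; Restricted = '4' }

function New-TrustedSitesGpo {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $SiteToZone   # site -> zone number (as a string)
    )
    # Create the GPO unlinked, so it is not yet applied to any user or computer.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'IE security zone assignments' }

    # Enabling the template also sets this flag; without it the zone map is not honoured.
    Set-GPRegistryValue -Name $Name -Key $IEPolicyKey -ValueName 'ListBox_Support_ZoneMapKey' `
        -Type DWord -Value 1 | Out-Null

    # One String value per site: value name = site, data = zone number.
    foreach ($site in $SiteToZone.Keys) {
        Set-GPRegistryValue -Name $Name -Key $ZoneMapKey -ValueName $site `
            -Type String -Value $SiteToZone[$site] | Out-Null
    }
    return $gpo
}

function Get-TrustedSitesFromGpo {
    param([Parameter(Mandatory)] [string] $Name)
    # Read back what the GPO actually stores; this is exactly what clients will receive.
    Get-GPRegistryValue -Name $Name -Key $ZoneMapKey | Select-Object ValueName, Value
}

# Constructed sample list: two trusted sites and one restricted site.
$sites = @{
    'https://intranet.contoso.com' = $Zone.Trusted
    'https://erp.contoso.com'      = $Zone.Trusted
    'badsite.contoso.com'          = $Zone.Restricted
}

New-TrustedSitesGpo -Name 'Adding Trusted Sites' -SiteToZone $sites | Out-Null
Get-TrustedSitesFromGpo -Name 'Adding Trusted Sites' | Format-Table -AutoSize
```

Because the GPO is created with New-GPO and never linked, it behaves exactly like the one built in GPMC above: populated, but applying to nobody until it is scoped. Get-TrustedSitesFromGpo is the quick check to run before linking, and again after anyone else edits the GPO, since it shows the stored entries rather than what the console displays.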

Mapping network drives 

File servers are some of the most common types of servers that exist because all companies across all industries need to create and maintain documentation to run their businesses. This is not a chapter about how to build a file server, set up shares, restrict permissions, or utilize Distributed File System (DFS) to improve the overall flexibility and resiliency of your file server infrastructure, although these are all good things to learn. Today, we are going to assume that you already have file servers in place and that there are already shared folders on those file servers. In my test lab, I have shared folders from a few different servers, as identified here: 

  • \\DC1\HR 
  • \\DC2\Accounting 
  • \\WEB3\Installers 

The challenge we are trying to solve is how to automate these shared folder locations being available on all of my users’ workstations. I could put together a piece of documentation that shows users how to manually get to these locations by using UNC paths plugged into the address bar of File Explorer. Or maybe even take it a step further and show my folks how to map network drives from inside File Explorer so that they end up with drive letters assigned on their computers for ongoing access to these locations. Doing so would work, but it puts an administrative burden on my users, and also leads to the possibility of users having differing drive letters. Grace might use her “R” drive letter to map to the accounting share, while Jackson may decide that “T” is his accounting drive letter of choice.

Obviously, there’s a better way to handle this situation. One of the very common chores we task to a GPO is the standardized creation of mapped network drives on client computers. Inside a new GPO we can define UNC paths for shares and assign drive letters to them. We can then assign that GPO to users and computers, and drive letters will magically map when your users log into their computers. 

Create a new GPO for this purpose, and edit that GPO, as you already know how to do. This time we are navigating to the following location: 

User Configuration | Preferences | Windows Settings | Drive Maps 

Right-clicking on Drive Maps and choosing New | Mapped Drive brings you into the configuration section for a single mapped drive letter. You can see in the screenshot below that I am mapping a drive to \\DC1\HR, and assigning it a drive letter of H: 

Figure 4: Mapping drives with Group Policy 

You’ll notice the Action drop-down menu has four different options: Create, Replace, Update, and Delete. This is important to understand as many GPO preference configurations have this same drop-down selection. Here is a quick summary of each available option as it relates to our new drive mapping policy:

  • Create: Use this action to create the new mapped drive only if it does not already exist. If the H: drive is already in use on a workstation, this new mapping will then be ignored. In our example, if I were to configure this new drive mapping for Create, it would only take an action if the H: drive letter was currently open and available. 
  • Replace: Use this action to remove an existing setting and then create it again from the GPO definition. In our case, whatever mapped drive is using H: will be deleted and recreated as \\DC1\HR. Because Update reaches the same end state without the delete-and-recreate cycle, Replace is rarely needed for drive maps.
  • Update: This is the default action for most preference settings and is generally the most useful. If the setting that we are configuring doesn’t exist, Update will create it. Additionally, if the setting (mapped drive) is already in place on the workstation, it will now be updated to reflect our new definition inside the GPO. Drive mapping policies almost always use the Update action to push new drive letters into place. 
  • Delete: This removes the specific setting from the client machine. If you are removing a network share and want to ensure that it is removed from all of the computers in your domain, this would be a useful Action to ensure that happens. 

Before clicking OK on this new drive mapping, go ahead and visit the Common tab. This tab and its five options are commonly shown on many preference settings that you plug into a GPO. Most of these are self-explanatory, though we will discuss Item-level targeting more in just a few pages. For our drive mapping GPO, I like to point out the Run in logged-on user’s security context checkbox. This tells Group Policy to run whatever setting or preference the GPO is putting into place, under the logged-in user’s account. For mapped drives, this is particularly useful because you typically want users to interface with their mapped drives in their regular user context. While it is not common to check this box, for drive mapping GPOs I always do. 

Figure 5: Map drives under user’s security context 

Rinse and repeat for any additional drive letters that you want to include inside your new GPO, and you are now well on your way to automating the mapping of all drive letters across your entire network! I set up drive letter mappings for each of my shared folders and also included a GPO setting to delete the Z: drive if it exists. It doesn’t in my lab, but this way you can also see an example of what that looks like inside the policy: 

Figure 6: Mapped drives via GPO 
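Drive Maps are a Group Policy Preference rather than a policy, so they are not stored in the GPO's registry.pol and the GroupPolicy module has no cmdlet to read them; GPMC writes them to an XML file under the GPO's folder in SYSVOL (User\Preferences\Drives\Drives.xml). The block below is an added example, not code from the book: it parses that file and reports, for every mapping, the Action from the drop-down above and the Common-tab flags. It assumes the GroupPolicy module for the SYSVOL walk, and the embedded XML is a constructed sample of the lab mappings in the text; the element and attribute names follow the file GPMC writes, but compare them against a Drives.xml from your own domain before relying on the report.

```powershell
# Added example (not from the book): list the drive mappings each GPO stores in SYSVOL.
# Assumes the GroupPolicy module for Get-GPO. The sample XML is constructed; the attribute
# names follow GPMC's Drives.xml but should be checked against a real file.
Import-Module GroupPolicy

# Single-letter action codes in Drives.xml map to the Action drop-down in GPMC.
$ActionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function ConvertFrom-DrivesXml {
    param(
        [Parameter(Mandatory)] [xml]    $Xml,
        [string] $GpoName = '(sample)'
    )
    foreach ($drive in $Xml.Drives.Drive) {
        $p = $drive.Properties
        [pscustomobject]@{
            Gpo                  = $GpoName
            Action               = $ActionName["$($p.action)"]
            Letter               = "$($p.letter):"
            Path                 = $p.path
            Label                = $p.label
            # Common tab: "Run in logged-on user's security context"
            UserContext          = ($drive.userContext -eq '1')
            # Common tab: "Remove this item when it is no longer applied"
            RemoveWhenNotApplied = ($drive.removePolicy -eq '1')
            # Common tab: item-level targeting present on this item
            Targeted             = [bool]$drive.Filters
        }
    }
}

function Get-GpoDriveMap {
    # Walk every GPO in the domain and parse its Drives.xml, if it has one.
    foreach ($gpo in Get-GPO -All) {
        $file = Join-Path $gpo.Path 'User\Preferences\Drives\Drives.xml'
        if (Test-Path $file) {
            ConvertFrom-DrivesXml -Xml ([xml](Get-Content -Path $file -Raw)) -GpoName $gpo.DisplayName
        }
    }
}

# Constructed sample: the three lab shares as Update actions, plus the Z: delete.
$sample = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:" userContext="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\DC1\HR" label="HR" persistent="1" useLetter="1" letter="H"/>
  </Drive>
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="A:" status="A:" userContext="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\DC2\Accounting" label="Accounting" persistent="1" useLetter="1" letter="A"/>
  </Drive>
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="I:" status="I:" userContext="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\WEB3\Installers" label="Installers" persistent="1" useLetter="1" letter="I"/>
  </Drive>
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="Z:" status="Z:">
    <Properties action="D" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="" label="" persistent="0" useLetter="1" letter="Z"/>
  </Drive>
</Drives>
'@

# Parse the constructed sample; in production call Get-GpoDriveMap instead.
ConvertFrom-DrivesXml -Xml $sample | Format-Table -AutoSize
```

Run Get-GpoDriveMap when you inherit a domain: it answers "which GPO maps what, and as whom" in one table, and an unexpected Create or Replace, or a mapping with item-level targeting you did not know about, is exactly the kind of thing that explains a user's "my H: drive points somewhere else" ticket.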

Once again, this new GPO does not apply to any users yet, but never fear – once we finish creating just one more example GPO, we will move onto scoping GPO settings, which is where we will push the new GPOs into action and verify that settings and mapped drives show up automatically on our client computers. 

Installing registry keys 

In much the same way that mapped network drives can be pushed to users via GPO, we can implement registry keys and values onto computers automatically as well. This is spectacularly powerful because almost anything within a Windows environment can be manipulated by using registry keys. Create yet another new GPO and this time, navigate to the following location: 

User Configuration | Preferences | Windows Settings | Registry 

Creating, replacing, updating, or deleting registry keys flows in very much the same fashion as it does for mapping network drives. The tricky bit is making sure that the options are specified properly, or they won’t work, particularly the Key Path and Value information. For our example, I am going to push a registry value that prevents users from being able to change their desktop background image and specifies a custom desktop background of my own. In my experience, the easiest way to ensure the GPO configuration is populated correctly inside the configuration window is to actually place the new registry key and/or value that you are working with onto the server or computer from which you are running GPMC. This way you can select the ellipsis button and seek out the exact registry setting, rather than trying to remember how it must be formatted for the Key Path field. 

The registry information that I am putting into place is: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Inside the System registry key, the registry value name is Wallpaper, a string (REG_SZ) whose data is the path to the image file.

Here is my populated entry inside Group Policy: 

Figure 7: Adding registry keys via Group Policy 

Because I have selected this registry value to be pushed as an Update action, every time that Group Policy processes on this computer, it is going to ensure that this registry value is present, thus continually preventing users from being able to adjust their desktop wallpaper. Keep in mind that this is a preference, not a policy: if the GPO later stops applying to a user, the value stays in their registry unless you also check Remove this item when it is no longer applied on the Common tab.

I chose this example because it is straightforward and because often in Group Policy you will find that there are multiple ways to accomplish the same thing. Instead of using a registry value to lock down wallpaper settings, I could have alternatively created a GPO that utilized the following GPO setting, and it would have accomplished the same thing without having to touch registry settings: 

User Configuration | Policies | Administrative Templates | Desktop | Desktop | Desktop Wallpaper 
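Set-GPRegistryValue writes the same Wallpaper and WallpaperStyle values that the Desktop Wallpaper administrative template manages, but as managed policy in the GPO's registry.pol, so they are removed when the GPO no longer applies. The block below is an added example and not the book's code: it builds the policy-based version of the wallpaper lock-down and includes a client-side check of the resulting value. It assumes the GroupPolicy module on a DC or RSAT host; the GPO name, the image path on the Installers share, and the style codes are assumptions taken from the template's options rather than anything shown on this page.

```powershell
# Added example (not from the book): the policy route for the wallpaper lock-down, with a
# client-side verification function. Assumes the GroupPolicy module on a DC or RSAT host.
# GPO name and image path are assumed values.
Import-Module GroupPolicy

# Key the "Desktop Wallpaper" administrative template manages (same key used above).
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-WallpaperPolicy {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $WallpaperPath,   # UNC path every targeted user can read
        # Template's style choices: 0 Center, 2 Stretch, 6 Fit, 10 Fill, 22 Span
        [ValidateSet('0','2','6','10','22')] [string] $Style = '2'
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'Locks the desktop background' | Out-Null
    }
    # Managed policy values: written to registry.pol, removed when the GPO stops applying.
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Wallpaper' `
        -Type String -Value $WallpaperPath | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'WallpaperStyle' `
        -Type String -Value $Style | Out-Null
    # Return what the GPO now stores, for review before it is linked.
    Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Type, Value
}

function Test-WallpaperPolicyApplied {
    # Run on a client, as the targeted user, after gpupdate /force and a fresh logon.
    param([Parameter(Mandatory)] [string] $ExpectedPath)
    $clientKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $actual = (Get-ItemProperty -Path $clientKey -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
    [pscustomobject]@{
        Expected = $ExpectedPath
        Actual   = $actual
        Applied  = ($actual -eq $ExpectedPath)
    }
}

# Build the GPO (unlinked) on the management host ...
Set-WallpaperPolicy -GpoName 'Corporate Wallpaper' -WallpaperPath '\\WEB3\Installers\corp.jpg'

# ... and, once it is linked, confirm on a client that the value actually arrived.
Test-WallpaperPolicyApplied -ExpectedPath '\\WEB3\Installers\corp.jpg'
```

The verification function is the part worth keeping: whichever route you choose, preference or policy, the value in HKCU\...\Policies\System on the client is the ground truth, and checking it there, rather than trusting the console, is how you find the machine where Group Policy processing failed or a conflicting GPO won.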

Summary

Group Policy is an incredibly powerful tool to have at your disposal when working within a domain environment. Many pre-built configurations and settings exist, and since we can manipulate the registry on client machines, the sky is pretty much the limit on what you can manage on your client computers via GPOs.

About the Author

Jordan Krause has been an IT professional for more than 20 years and has received 9 Microsoft MVP awards for his work with Microsoft server and networking technologies. One of the world’s first experts on Microsoft DirectAccess, he has a passion for helping companies find the best ways to enable a remote workforce. Committed to continuous learning, Jordan holds certifications as an MCSE, MCSA, and MCITP Enterprise Administrator, and has authored numerous books on Microsoft technologies. Jordan lives in beautiful West Michigan (USA), but works daily with companies around the world.
