With Active Directory, you can give your Windows Server a lot more power. One of its great features is assigning policies. In this tutorial, I will show you how you can assign a policy to a certain group in Windows Server. We stick to a specific group because if all groups shared the same policies, that would negate the purpose of using policies.
Policies are basically rules. Say that you have a marketing and a sales department. Now, let’s assume you trust the sales department more than the marketing department, and you want to allow them to change the background of their computer. With a policy, you can set that the sales department can change its desktop background, but the marketing department cannot.
Before you can assign policies to groups, you need to create the group first. This can be achieved by accessing Active Directory Users and Computers on the Windows Server. In the sidebar, you will see your domain. Expand it by double-clicking it. You will now see several folders. The first thing that we have to do is to create an OU (Organizational Unit). To do this, right-click your domain and go to New -> Organizational Unit. Give it an appropriate name, such as Departments.
Next, double-click Departments. As we do not yet have any users or groups, it will say, There are no items to show in this view.
Let’s add a group so that we can later assign users to it. To do this, right-click your Organizational Unit (“Departments”) and go to New -> Group. Enter a group name, Marketing, and Windows will automatically enter the pre-Windows 2000 group name. You can leave the Group scope and Group type defaults.
Click OK. You have created a group.
Now that we have a group, we want to add a user so that we can assign the user to the group. To do this, right-click on your Organizational Unit (Departments) and go to New -> User. You will be asked for several things here. The user fields (first name, last name, etc) are straightforward. The user logon name is the user’s username. If you have multiple domains, make sure to select the right one.
Click OK, and the user is created.
Go to your Organizational Unit Departments and select the user that you want to assign to a group. When you right-click that user and click Properties, a window will show with a lot of tabs. The tab you’re looking for is Member Of. When you click on this tab, you will see all the groups to which that user belongs. To add a group, which is what we want to do, click Add. Now type the group name and click OK. If the group exists, the user should now be a member of the group.
Click OK to save the changes.
Now that we have the group(s) and user(s), what we need to do is set policies for that group. To do this, go to the Group Policy Management Console(GPMC) on your Windows Server. You might notice it looks similar to Active Directory Users and Computers – just a bit more complex.
Right-click your domain in the sidebar, and click. Create a GPO in this domain, and Link it here…” This will create a new GPO (Group Policy Object). You will now need to choose an appropriate name for your GPO. I suggest you just call it. [Group name] GPO or “[Group name] OU”. This will create a new GPO.
Now that we have a new GPO, we need to assign groups to that GPO. We can do this by clicking Add… under Security FilteringAll groups added to that list will use the policies.
At this point, we want to start using policies. To do this, right-click your GPO in the sidebar and click Edit…. This will open the GPO editor. You will see two categories here: Computer Configuration and User Configuration. If you want to see what you can do with the policies, just see what policies are available by expanding the different categories.
Sometimes, after changing the policies, they immediately have an effect. Other times, they don’t. This is why it’s always a smart idea to force update the policies. To force an update of the policies, run the following command in a command prompt.
gpupdate /forceCongratulations – your policies will now take effect. For all groups that you create, create a new GPO and assign the group to that. Repeat the steps in the tutorial for additional groups.