With Active Directory, you can give your Windows Server a lot more power. One of its great features is assigning policies. In this tutorial, I will show you how you can assign a policy to a certain group in Windows Server. We stick to a specific group because if all groups shared the same policies, that would defeat the purpose of using policies.
Policies are basically “rules”. Say that you have a marketing and a sales department. Now let’s assume you trust the sales department more than the marketing department, and you want to allow them to change the background of their computer. With a policy, you can set that the sales department can change their desktop background, but the marketing department cannot.
Before you can assign policies to groups, you need to create the group first. This can be achieved by accessing “Active Directory Users and Computers” on Windows Server. In the sidebar, you will see your domain. Expand it by double-clicking it. You will now see a number of folders. The first thing that we have to do is create an OU (Organizational Unit). To do this, right-click your domain and go to “New -> Organizational Unit”. Give it an appropriate name, such as “Departments”.
Next, double-click “Departments”. As we do not yet have any users or groups, it will say “There are no items to show in this view”.
Let’s add a group so that we can later assign users to it. To do this, right-click your Organizational Unit (“Departments”) and go to “New -> Group”. Enter a group name (“Marketing”) and Windows will automatically fill in the pre-Windows 2000 group name. You can leave “Group scope” and “Group type” at their defaults.
Click “OK”. You have created a group.
Now that we have a group, we want to add a user so that we can assign the user to the group. To do this, right-click on your Organizational Unit (“Departments”) and go to “New -> User”. You will be asked for a number of things here. The user fields (first name, last name, etc) are straightforward. The user logon name is the user’s username. If you have multiple domains, make sure to select the right one.
Click “OK”, and the user is created.
Go to your Organizational Unit (“Departments”) and select the user that you want to assign to a group. When you right-click that user and click “Properties”, a window with a lot of tabs will appear. The tab you’re looking for is “Member Of”. When you click on this tab, you will see all the groups to which that user belongs. To add a group, which is what we want to do, click “Add”. Now type the group name and click “OK”. If the group exists, the user should now be a member of the group.
Click “OK” to save the changes.
Now that we have the group(s) and user(s), what we need to do is set policies for that group. To do this, go to the “Group Policy Management Console” (GPMC) on your Windows Server. You might notice it looks similar to “Active Directory Users and Computers” – just a bit more complex.
Right-click your domain in the sidebar, and click “Create a GPO in this domain, and Link it here…”. This will create a new GPO (Group Policy Object). You will now need to choose an appropriate name for your GPO. I suggest you just call it “[Group name] GPO” or “[Group name] OU”.
Now that we have a new GPO, we need to assign groups to that GPO. We can do this by clicking “Add…” under “Security Filtering”. All groups added to that list will use the policies.
At this point, we want to start actually using policies. To do this, right-click your GPO in the sidebar and click “Edit…”. This will open the GPO editor. You will see two categories here: “Computer Configuration” and “User Configuration”. If you want to see what you can do with the policies, just see what policies are available by expanding the different categories.
Sometimes policy changes take effect immediately. Other times, they don’t. This is why it’s always a smart idea to force a policy update. To do so, run the following command in a command prompt.
gpupdate /force
Congratulations – your policies will now take effect. For all groups that you create, create a new GPO and assign the group to that. Basically, repeat the steps in the tutorial for additional groups.
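The same procedure scripted in PowerShell, as an added example that is not part of the original tutorial. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a constructed sample user “Jane Doe” (jdoe), and it uses the desktop background restriction from the introduction as the policy setting. It also goes one step beyond the GUI steps: a new GPO lists “Authenticated Users” under Security Filtering by default, so the script reduces that entry to read-only and then prints the resulting permissions so you can confirm that only “Marketing” applies the GPO.

```powershell
# Added example, not the tutorial author's code. Run as an account that may
# create OUs, groups, users and GPOs in the domain.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$ouDN     = "OU=Departments,$domainDN"
$gpoName  = 'Marketing GPO'

# OU, group and user. Names follow the tutorial; "jdoe" is a constructed sample.
New-ADOrganizationalUnit -Name 'Departments' -Path $domainDN
New-ADGroup -Name 'Marketing' -SamAccountName 'Marketing' `
    -GroupScope Global -GroupCategory Security -Path $ouDN
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName "jdoe@$($domain.DNSRoot)" `
    -Path $ouDN -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true -Enabled $true
Add-ADGroupMember -Identity 'Marketing' -Members 'jdoe'

# Create the GPO and link it at the domain root, as in the GPMC step.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $domainDN | Out-Null

# Security Filtering: let "Marketing" apply the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Marketing' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Keep "Authenticated Users" able to read the GPO but no longer apply it;
# -Replace is needed because GpoRead is lower than the default GpoApply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# User Configuration setting: registry value behind the
# "Prevent changing desktop background" policy.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' `
    -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

# Check: only "Marketing" should show GpoApply in this list.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# On a client, logged on as a member of "Marketing" (group membership is
# picked up at the next logon), refresh and list the applied user GPOs:
#   gpupdate /force
#   gpresult /r /scope user
```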