We know how to add new users to the Server, how to create and administer groups, how File and Sharing permissions differ, and how to secure our files on the network and the Server. So why do we need something like Organization Units and Group Policies? What does that mean anyway? How does it concern you as a System Admin? Why do you need to know about it?
We know how to assign permissions to control access for many users in one go. But what if you want to restrict users to only the software they need? The user will log in, do his work and leave. The user can’t change his desktop wallpaper, can’t add or remove objects, can’t download or install screen savers, can’t access the Control Panel or Task Manager, and many more things. This means you can control the user’s actions and stop him from doing anything other than his work!
For this, we need Organization Units and Group Policies. An Organization Unit is a place where you put the users you want to control. You can add as many users or groups as you want. Then you need a Policy that will control these users/groups. So create a new policy and configure it as per your needs. There are a great many options, and just looking at them will surprise you. Just like permissions, you’ll understand Group Policies only when you actually try them on your own and play with them. So let’s move forward and try creating an Organization Unit and linking it with a Group Policy:
- Open Server Manager. Go to Tools –> Group Policy Management.
- If you have Active Directory configured, you’ll see your domain name in Forest. Open Forest –> Domains –> geekstarts.tech.
Right-click on it and select ‘New Organization Unit’.
- Enter the name of your Organization Unit.
- You will now see the new Organization Unit. Below it will be Group Policy. We will create a new Group Policy, so right-click on it and select ‘New’.
- Enter a name for the new policy.
- Right-click on the new policy and select ‘Edit’.
- This is the Group Policy Management Editor. Since we want to control the users, go to ‘User Configuration’ –> ‘Policies’ –> ‘Administrative Templates’.
Under Administrative Templates you will find many settings to configure per your need. In this post we will restrict the user from changing the Desktop Background and from accessing Task Manager.
- Changing the wallpaper and screen savers comes under ‘Personalization’. Select ‘Prevent Changing Desktop Background’ and right-click –> Edit, or double-click on it.
Enable the setting and don’t forget to Apply it. Read the small description to understand what it does.
- In All Settings you will find ‘Remove Task Manager’. Double-click on it.
Enable it and click on Apply.
- Now we have a Group Policy and an Organization Unit. But this won’t work yet, since we haven’t told the Organization Unit to use this Policy. So right-click on your unit and select ‘Link an existing GPO’.
- If you did everything right, you will see your Group Policy. Select it and click OK.
- Organization Unit linked with Group Policy.
- So we now have an Organization Unit linked with a Group Policy. Will it work? NO! Because we don’t have any users under our Organization Unit. Select ‘Active Directory Users and Computers’ from Tools.
- Go to Users and select the user you want to control. Right-click and select ‘Move’.
- Select your Organization Unit.
- User moved to Organization Unit.
- Sign in as that user.
- Check if you can change the background.
- Right-click on the taskbar and check if you can open Task Manager.
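
The same procedure can be scripted so it is repeatable and easy to review. The following is an added example, not part of the original post: it uses the ActiveDirectory and GroupPolicy PowerShell modules on the server, and the OU name, GPO name and user account are hypothetical placeholders (only the geekstarts.tech domain comes from the steps above).

```powershell
# Added example: OU, GPO and user names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=geekstarts,DC=tech'   # domain used in this post
$ouName   = 'RestrictedUsers'         # hypothetical OU name
$gpoName  = 'Restricted Desktop'      # hypothetical GPO name
$userName = 'jdoe'                    # hypothetical user account
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU only if it is missing, so the script can be re-run safely.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $ouName -Path $domainDn }

# Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Registry-based policy values behind the two Administrative Templates
# settings enabled in the editor above (User Configuration, so HKCU).
$policies = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
# 'Prevent changing desktop background'
Set-GPRegistryValue -Name $gpoName -Key "$policies\ActiveDesktop" `
    -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null
# 'Remove Task Manager'
Set-GPRegistryValue -Name $gpoName -Key "$policies\System" `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless the link is already there.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn | Out-Null }

# Move the user into the OU; the policy only applies to users inside it.
Get-ADUser -Identity $userName | Move-ADObject -TargetPath $ouDn

# Verify: who is in the OU, which GPOs are linked, and what the GPO contains.
Get-ADUser -Filter * -SearchBase $ouDn |
    Select-Object SamAccountName, DistinguishedName
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Order
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

On the client, run `gpupdate /force` or sign out and back in as the moved user, then use `gpresult /r` to confirm the GPO appears under the applied user settings.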