Create and link Group Policy Objects (GPOs), then scope them to users or computers. The walkthrough below covers common user restrictions, a few computer-side security baselines, and security filtering with an AD group, in each case starting from a basic GPO applied to Active Directory user or computer accounts.
GPO Applied to AD User Account
Hide the “Run” Command from Start Menu (User GPO)
Objective: Prevent users from accessing Run (Win+R) to limit launching tools or scripts.
1) Open Group Policy Management
Server Manager → Tools → Group Policy Management.
2) Expand the Forest/Domain
3) Create & Link a GPO at the Domain
Right-click the domain → Create a GPO in this domain, and Link it here…
4) Name the GPO
5) Edit the GPO
6) Configure the Setting
User Configuration → Policies → Administrative Templates → Start Menu and Taskbar → Remove Run menu from Start Menu
7) Enable the Policy
Disable Control Panel and Settings (User GPO)
Objective: Block access to Control Panel and the Settings app on domain-joined clients.
1) Open GPMC & Create GPO
2) Create & Link at Domain
3) Name the GPO
4) Edit the GPO
5) Configure the Setting
User Configuration → Policies → Administrative Templates → Control Panel → Prohibit access to Control Panel and PC settings
6) Enable the Policy
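Both user restrictions above ("Remove Run menu from Start Menu" and "Prohibit access to Control Panel and PC settings") are Administrative Template settings that map to DWORD values under the Explorer policy key in HKCU, so the same GPOs can be created, linked at the domain root and configured with the GroupPolicy module instead of the GPMC clicks. This is an added example, not part of the original walkthrough; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can create and link GPOs at the domain. The GPO names are made up.

```powershell
# Added example: scripted equivalent of the two User GPO walkthroughs above.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and rights to create/link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Registry values behind the two Administrative Template settings:
#   NoRun          -> Start Menu and Taskbar > Remove Run menu from Start Menu
#   NoControlPanel -> Control Panel > Prohibit access to Control Panel and PC settings
$explorerKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userPolicies = @(
    @{ Name = 'User - Hide Run Command';      ValueName = 'NoRun' },         # made-up GPO name
    @{ Name = 'User - Disable Control Panel'; ValueName = 'NoControlPanel' } # made-up GPO name
)

# Link at the domain root, as the GUI steps do.
$linkTarget = (Get-ADDomain).DistinguishedName

foreach ($p in $userPolicies) {
    # Create the GPO only if it does not already exist (re-runnable).
    $gpo = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $p.Name -Comment 'Baseline user restriction'
    }

    # Link it once; GpoLinks lists the GPOs already linked at the target.
    $linked = (Get-GPInheritance -Target $linkTarget).GpoLinks.DisplayName
    if (-not ($linked -contains $p.Name)) {
        New-GPLink -Name $p.Name -Target $linkTarget -LinkEnabled Yes | Out-Null
    }

    # Setting the value to 1 is the "Enabled" state of the template setting;
    # GPMC shows it under its Administrative Template path, not as an extra registry entry.
    Set-GPRegistryValue -Name $p.Name -Key $explorerKey -ValueName $p.ValueName `
                        -Type DWord -Value 1 | Out-Null
}

# Review what was written: one HTML report per GPO.
foreach ($p in $userPolicies) {
    Get-GPOReport -Name $p.Name -ReportType Html -Path "$env:TEMP\$($p.Name).html"
}
```

The report is worth opening before the link goes live: a value written to the wrong key or with the wrong type shows up under "Extra Registry Settings" instead of the expected template path, which is the usual sign of a typo in the key or value name.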
GPO Applied to AD Computer Account
Account Lockout Policy (Computer GPO)
One of the first domain security baselines: define lockout threshold/duration to mitigate brute-force attempts.
Choose a threshold (e.g., 3 invalid attempts), and define the lockout duration and the "Reset account lockout counter after" window.
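The domain-wide lockout values live in the GPO linked at the domain root (Default Domain Policy, under Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy) and are written to the domain object itself, which the ActiveDirectory module exposes directly. The following is an added example, not part of the original walkthrough: it reads the current values, applies the threshold of 3 from the text with assumed 30-minute duration and reset values, and then lists the lockouts (event ID 4740) recorded on the PDC emulator, since a low threshold makes accidental and deliberate lockouts something to watch rather than just a control to set.

```powershell
# Added example: set and observe the account lockout baseline.
# Assumes the ActiveDirectory module on a DC or RSAT host and Domain Admin-level rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Current domain-wide values (what the Default Domain Policy has written to the domain head).
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Threshold of 3 as in the text; the 30-minute duration and reset window are assumed values.
# Note: editing the Default Domain Policy in GPMC later overwrites whatever is set here.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Lockouts are always recorded on the PDC emulator as Security event 4740.
# Properties[0] = locked-out account, Properties[1] = caller computer name.
$pdc = $domain.PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-24)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Source  = $_.Properties[1].Value
        }
    } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Grouping by the caller computer name is the quick way to tell a forgotten password (one account, one source) from a single host locking out many accounts, which is the pattern that deserves an incident ticket rather than a help-desk reset.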
Custom Logon Message (Computer GPO)
Objective: Display a legal/banner message at sign-in.
1) Create & Link a New GPO
GPMC → Right-click the domain → Create a GPO in this domain, and Link it here…
2) Name the GPO
3) Edit the GPO
4) Configure Security Option
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Message title for users attempting to log on (and the accompanying Message text).
5) Set the Message
Disable USB Storage Devices (Computer GPO)
Objective: Block USB mass-storage devices on domain-joined computers.
1) Configure Removable Storage Access
Computer Configuration → Policies → Administrative Templates → System → Removable Storage Access → All Removable Storage classes: Deny all access
2) Enable Policy
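Once the four settings above have been enabled and a client has refreshed policy, the quickest confirmation is to read the registry values the client-side extensions write, because each of these settings resolves to a single value: the two user restrictions under HKCU\...\Policies\Explorer, the logon banner under HKLM\...\Policies\System (LegalNoticeCaption and LegalNoticeText), and the removable-storage denial under HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices (Deny_All). This is an added verification script, not part of the original walkthrough; it assumes it is run on a domain-joined client in the session of a user the User GPOs target, since the HKCU checks only make sense there.

```powershell
# Added example: check on a client whether the GPO settings from this page are in effect.
# Run in the session of a user who should receive the User GPOs (HKCU checks need that).
$expected = @(
    @{ Setting = 'Remove Run menu from Start Menu'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun';              Want = 1 },
    @{ Setting = 'Prohibit access to Control Panel and PC settings'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoControlPanel';     Want = 1 },
    @{ Setting = 'Interactive logon: Message title'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LegalNoticeCaption'; Want = $null },   # $null = any non-empty string
    @{ Setting = 'Interactive logon: Message text'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LegalNoticeText';    Want = $null },
    @{ Setting = 'All Removable Storage classes: Deny all access'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name = 'Deny_All';           Want = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Item)
    # A missing key or value simply yields $null, which counts as non-compliant.
    $actual = (Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue).($Item.Name)
    $ok = if ($null -eq $Item.Want) {
        -not [string]::IsNullOrWhiteSpace($actual)
    } else {
        $actual -eq $Item.Want
    }
    [pscustomobject]@{ Setting = $Item.Setting; Actual = $actual; Compliant = $ok }
}

$results = $expected | ForEach-Object { Test-PolicyValue $_ }
$results | Format-Table -AutoSize

# Anything non-compliant: refresh and look at what the client actually received.
if ($results | Where-Object { -not $_.Compliant }) {
    gpupdate /force
    gpresult /r /scope:computer
    gpresult /r /scope:user
}
```

In the gpresult output, a GPO that is linked but listed under "The following GPO were not applied because they were filtered out" with "Filtering: Denied (Security)" points at the security filtering or delegation on the GPO, not at the setting itself.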
Create a Security Group and Scope a GPO with Security Filtering
Step 1: Create a Security Group in AD
Open Active Directory Users and Computers (dsa.msc).
Navigate to the desired OU → Right-click → New → Group.
Name it (e.g., GPO Testers), Type: Security, Scope: Global.
Step 2: Add Users to the Group
Open the group → Members tab → Add users → OK.
Step 3: Create & Link a New GPO
Open Group Policy Management (gpmc.msc).
Right-click the target OU → Create a GPO in this domain, and Link it here…
Name it (e.g., Disable Control Panel) → Edit and configure settings.
Step 4: Security Filtering
Select the GPO → Scope tab → Under Security Filtering remove Authenticated Users and add your new security group (GPMC warns at this point that the group's users must still be able to read the GPO; the next step covers that).
Verify Permissions
GPO → Delegation tab → Advanced → ensure the group has Read and Apply group policy.
Step 5: Update & Test
On a client: gpupdate /force
Sign in as a user inside the group → verify the GPO applies.
Sign in as a user not in the group → verify it does not apply.
This approach provides precise targeting via security groups instead of broad OU application.
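The five steps above can be run as one script with the ActiveDirectory and GroupPolicy modules. This is an added example, not part of the original walkthrough; the OU distinguished name and member account names are placeholders, and the GPO and group names are the ones used in the text. One detail the GUI steps hide: since MS16-072 (KB3163622) a client retrieves user-side GPOs with its computer account, so removing Authenticated Users entirely (Read and Apply) leaves the computer unable to read the GPO and the user policy silently stops applying. The script therefore lowers Authenticated Users to Read only rather than removing it, and grants Apply to the group; the end state matches what Step 4 plus "Verify Permissions" is meant to produce.

```powershell
# Added example: security group + GPO scoped with security filtering, scripted.
# Assumes ActiveDirectory and GroupPolicy modules and rights to manage both.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU, adjust to your domain
$group   = 'GPO Testers'
$gpoName = 'Disable Control Panel'
$members = @('alice', 'bob')                        # placeholder sAMAccountNames

# Step 1 and 2: global security group and its members (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $group -Members $members

# Step 3: create, link at the OU and configure one setting.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Step 4: security filtering.
# -Replace is required to *lower* Authenticated Users from Apply to Read; without it the
# cmdlet refuses to reduce an existing permission. Keeping Read satisfies the MS16-072
# requirement that the computer account can still read user policy.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Verify Permissions: exactly one trustee (the group) should carry GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

Step 5 is then the test from the text on a client: gpupdate /force, sign in as a member and a non-member, and compare gpresult /r /scope:user. For the non-member the GPO appears under the "not applied because they were filtered out" list with "Filtering: Denied (Security)", which is the expected result of the filter, not an error.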