Implementing Group Policy in Windows Server 2012 R2:

For those who maintaining Server Infra you all know how challenging is the task especially on the Group Policy, you as Administrators need a mechanism to configure and enforce user and computer settings and restrictions. Group Policy can provide that consistency by enabling you as administrators to centrally manage and apply configuration settings.

For this demo, let’s assume your IT Manager has asked you to create a central store for ADMX files to ensure that everyone can edit GPOs that have been created with customized ADMX files. You also need to create a starter GPO that includes Internet Explorer settings, and then configure a GPO that applies GPO settings for the Research department and the IT department.

For this demo also, I use my existing Domain Server which is DC01.comsys.local and my Windows 8 client which is Surface01.comsys.local.

1 – 1st, you need configure a Central Store on DC01 Server, but before that, go to your Group Policy Management on DC01.

1

2 – Next, on the Group Policy Management Console (GPMC), double cick Comsys.local, expand till you get Group Policy Objects folder. Right Click Default Domain Policy and click Edit

2

3 – Next, on the Group Policy Management Editor, double click User Configuration, expand Policies, and then click Administrative Templates, if you check on that, you will see note saying Administrative Templates: Policy definitions (.admx files) retrieved from the local computer.

3

4 – Next, access to your Policies folder (c:\windows\SYSVOL\sysvol\comsys.local), here create a new folder name PolicyDefinitions.

4

5 – Next, access to your C:\windows\PolicyDefinitions folder, what you need to do here is to copy all .adml & .admx files...

5

6 – then, paste the .adml & .admx files that you copied just now into c:\windows\SYSVOL\sysvol\comsys.local\PolicyDefinitions folder.

6

7 – Next, lets verify the administrative template location in GPMC.. open back your GPMC and then click on the Administrative Templates, you should see now it says Administrative Templates: Policy definitions (ADMX files) retrieved from the Central Store….

7

8

8 – Next step lets create Internet Explorer Restriction default starter GPO, on the GPMC, right click Starter GPOs and click New

9

9 – In the New Starter GPO box, type ComSystem IE Restrictions, and in the Comment field, type This GPO created by Hamizi to disables the General page in IE Options, and then clicks OK…

10

10 – after you created the Started GPO, now we need to configure the IE Restriction starter GPO, to continue, right click ComSystem IE Restrictions and click Edit

11

11 – Next, on the Group Policy Starter GPO Editor, go to User Configuration, Administrative Templates, and then right click All Settings, and then click Filter Options

12

12 – then in the Filter Options box, click Enable Keyword Filters box and then in the Filter for word(s): field, type General page, then you choose Exact then click OK

13

13 – Next, you need to double-click the Disable the General page setting, click Enabled, and then click OK..

14

15

14 – Our next step is to create an IE Restrictions GPO from the IE Restrictions starter GPO, to continue right click Comsys.local and click Create a GPO in this domain, and link it here…

16

15 – Next, in the New GPO box, type ComSystem IE Restrictions and then Under Source Starter GPO, select ComSystem IE Restrictions, and then click OK…

17

16 – so now lets test the GPO, see if it effected to our domain users or not…on the Windows 8 client, I log in as Alan.. Alan is from Research Department.

18

17 – once your user successfully log in, go to Control Panel and click Network and Internet, then click click Change your homepage..you should see a message box displays informing you that this feature has been disabled

19

18 – you can click Internet Options and notice that in the Internet Properties dialog box the General tab does not display

20

19 – so now for next step, let’s use security filtering to exempt the IT Department from the Internet Explorer Restrictions policy.. on the GPMC, click ComSystem IE Restrictions GPO and click Delegation tab, then click Advanced button..

21

20 – Next, In the ComSystem IE Restrictions Security Settings box, click Add..

22

21 – then in the Select Users, Computers, Service Accounts, or Groups field, type IT Dept, and then click OK…

23

22 – next, In the ComSystem IE Restrictions Security Settings box, click the IT Dept (COMSYS\IT Dept) group, next to the Apply group policy permission, select the Deny check box, and then click OK.. then click Yes to acknowledge..

24

23

23 – Now lets test the GPO for our IT Department.. on my Windows 8 I log in as Candy (Candy is a IT Engineer in IT Dept)…

26

24 – once Cindy successfully log in to Windows 8, go to Control Panel and click Network and Internet then click Change your homepage, The Internet Properties box opens to the General tab, and all settings are available..

27