
Deep Dive into GPO


Introduction

To access GPOs from Server Manager, we go to Tools -> Group Policy Management. This is what we have:

From the picture above, we can see that there are OUs for Domain Controllers and Finance. To those OUs we can apply GPOs that let us manage the settings and abilities of users and computers. Default Domain Policy and Default Domain Controllers Policy are there automatically when you first install Windows Server.

The Group Policy Objects container holds all the GPOs you create yourself, as well as the default GPOs that are there automatically when Windows is first installed.

Additionally, if a GPO is inside an OU, that policy applies only to the members of that OU. For example, I have an OU named “Finance”. Underneath the OU, I have a group named “Accountant”, and inside the group, I have users who are accountants. Only the members of that OU would be affected.

Create a GPO

To create a GPO, we go to Group Policy Objects -> Right Click -> New. We are then presented with a dialog that asks us what to name our GPO. I will name mine “Disable USB Access”. Essentially, we’re trying to stop USB devices from being plugged into the computer.

Adding a Policy

When we first create a GPO, it has zero policies. To add a policy, we right-click the GPO that we want to configure and click Edit. We are then presented with two options: User Configuration and Computer Configuration.


User Configuration affects user objects, while Computer Configuration affects computer objects. The one we’re looking for is under Computer Configuration -> Policies -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> Prevent installation of removable devices. Now we click on the policy, and it even gives us a description of what it does.

We’re going to click Enabled -> Apply. Now if we take a look at the GPO that we just configured and go to Settings, we can see that the policy we just configured is listed there. Basically, the Settings section of a GPO shows us which policies have already been added.

Scope

When we talk about scope, we’re talking about the area where the GPO applies: from here to there. When we create an OU and add a GPO to it, that GPO applies only to the OU it has been added to. For example, in the picture below, Disable USB Access would apply only to the Finance OU.

Now, to create a GPO that applies to the whole domain, we right-click the domain -> Create a GPO in this domain, and Link it here.

Note: If you do this, Default Domain Policy will have precedence over your man-made domain policy.

Here is the Group Policy processing order I found on the internet: https://cdn-blog.netwrix.com/wp-content/uploads/2022/10/Restore-GPO-3.png.webp
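The create, configure and link steps above can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original walkthrough. It assumes the Finance OU sits directly under the domain root, that RSAT is installed, and that "Prevent installation of removable devices" is backed by the `DenyRemovableDevices` registry value shown in the script.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: scripted equivalent of the GPMC steps in this post.
# Assumptions: run with rights to create and link GPOs; the Finance OU
# is located directly under the domain root.

$GpoName  = 'Disable USB Access'
$DomainDN = (Get-ADDomain).DistinguishedName
$TargetOU = "OU=Finance,$DomainDN"          # assumed OU location
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. Create the GPO only if it does not already exist (safe to re-run).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Block installation of removable devices'
}

# 2. Enable "Prevent installation of removable devices".
#    This is a Computer Configuration setting, stored as a policy registry value.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'DenyRemovableDevices' -Type DWord -Value 1 | Out-Null

# 3. Scope: link the GPO to the Finance OU only, unless it is already linked.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Verify: read the setting back from the GPO.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'DenyRemovableDevices'

# 5. Verify scope: every GPO that reaches the OU, in precedence order
#    (Order 1 wins), including links inherited from the domain.
(Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Because the setting lives under Computer Configuration, it takes effect on computer objects in the linked OU at their next policy refresh.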

That is all I wanted to cover. Thanks for reading.