Active Directory GPO Management


    View GPOs.

    ADManager Plus offers different ways to view GPOs, and an administrator can choose a view depending on the requirement. The different ways to view GPOs and the objects linked to these are:

    View all available GPOs in a domain.

    Administrators can view the list of all available GPOs in a domain using this option.

    Procedure:

    The GPOs available in a domain can be viewed using 'Select Domain' available on the 'Manage GPO' page.

    Steps:

    To view all the GPO(s) available in a domain:

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPOs'.
    3. Select the required domain using 'Select Domain'.

    View all the GPOs linked to a specific domain/OU/site.

    Administrators can instantly view the list of all the GPOs that are linked to any specific domain/OU/site using this option.

    Procedure:

    Using 'Select' on the 'Manage GPO Links' page, the GPOs linked to a specific domain, OUs, or sites can be viewed.

    Steps:

    To view all the GPO(s) linked to a domain, OU, or site:

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain, OUs, or sites using 'Select'.
    4. This will list all the GPO(s) linked to the selected domain, OUs, or sites. You can also view other details like 'Link Status', 'Enforce Status', 'GPO Inheritance Status', 'GPO Status', etc.

    View all the OUs/sites that a GPO is linked to.

    This option enables the administrators to know the OUs/sites that any GPO is linked to.

    Procedure:

    The OUs/sites that a GPO is linked to can be viewed by clicking on the particular GPO from the list of GPOs generated using 'Select Domain'.

    Steps:

    To view all the OUs/sites to which a GPO is linked:

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPO'.
    3. Select the required domain using 'Select Domain'.
    4. Click on the GPO for which you need to view the linked OUs/sites.
    5. You can also view the 'Link Status' and 'Enforce Status' of this particular GPO for each of the OUs and sites it is linked to.

    Create GPOs.

    New GPOs can be created using ADManager Plus, thus eliminating the need to install GPMC on the machine that runs ADManager Plus.

    Procedure:

    Using 'Create new GPO' at the top right corner of the 'Manage GPOs' page, administrators can create GPOs and link them to OUs, sites, or a domain.

    Steps:

    To create a new GPO:

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPOs'.
    3. Click 'Create new GPO' on the top right corner of the page.
    4. In the 'Create GPO' window that opens, enter the name of the new GPO in the text box beside 'GPO name'.
    5. Click 'Link Later' to link the new GPO to a domain, OUs, or sites at a later point in time.
    6. Click 'Link Now' to link the new GPO to a domain, OUs, or sites right at the time of GPO creation.
      • To link the new GPO to OUs or domain, select 'OU/Domain'. Select the domain or OUs to be linked using the check box.
      • To link the new GPO to sites, select 'Sites'. Select the sites to be linked using the check box.

    Edit GPOs.

    Administrative Templates settings of both User and Computer configurations, and important security settings, viz., Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System, of Computer Configuration can be edited using ADManager Plus.

    Procedure:

    Use the 'Edit GPO Settings' option in the action column beside each GPO to edit the Administrative Templates and Security Settings associated with each GPO.

    Steps:

    To edit the settings of a GPO:

    1. Click the Management tab.
    2. In GPO Management, click Manage GPOs.
    3. Select the domain where the required GPOs are located using 'Select Domain'.
    4. From the GPOs listed, click the Edit GPOs icon located in the Actions column of the GPO that you wish to edit.
    5. In the Edit GPO Settings window that opens,
      • To modify the settings of Computer Configuration's Security Settings, under the GPO name, go to Computer Configuration → Policies → Windows Settings → Security Settings
        Note: You can also navigate or locate the desired setting within the folder using the search option available at the top of the page.
      • To modify the Administrative Templates settings of Computer Configuration, under the GPO name, go to Computer Configuration → Policies → Administrative Templates
        Note: You can also navigate or locate the desired setting using the search option available at the top of the page.
      • To modify the Administrative Templates settings of User Configuration, under the GPO name, go to User Configuration → Policies → Administrative Templates
        Note: You can also navigate or locate the desired setting using the search option available at the top of the page.
    6. Select the appropriate folder based on the settings you wish to modify, and click on the setting to be edited.
    7. In the window that opens, you can choose enable, disable, or not configured, or make the necessary changes in the setting.
    8. After you have made the changes, click Apply to save and update the changes.
    9. Click Next to go to the next setting.

    Enable/disable GPOs.

    With ADManager Plus 'GPO Management', administrators can enable or disable, at one go, multiple GPOs in the required domains. Administrators can also choose to enable/disable the GPOs completely or partially (either the user configuration or computer configuration settings), as needed. Administrators can also enable/disable a single GPO or GPOs in bulk.

    Procedure:

    Using 'Select Domain' in 'Manage GPOs', get the list of all GPOs, and enable/disable them completely or partially, as required.

    Steps:

    To enable/disable GPO(s):

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPOs'.
    3. Select the domain where the required GPOs are located using 'Select Domain'.
    4. Select the required GPO(s). (You can also locate the required GPO(s) using the search option located at the top of this page)
    5. GPO(s) can be enabled completely or partially as follows:
      • To enable GPO(s) completely: Select 'Enable' from the 'Manage' option located above the GPO list to fully enable the GPO(s), or, enable both 'User Configuration Settings' and 'Computer Configuration Settings' using the toggle buttons located beside each GPO.
      • To enable user configuration only: Select 'Enable User Configuration' from the 'Manage' option located above the GPO list, or, enable the 'User Configuration Settings' and disable the 'Computer Configuration Settings' using the toggle buttons located beside each GPO.
      • To enable computer configuration only: Select 'Enable Computer Configuration' from the 'Manage' option located above the GPO list, or, enable the 'Computer Configuration Settings' and disable the 'User Configuration Settings' using the toggle buttons located beside each GPO.
    6. GPOs can be disabled completely or partially as follows:
      • To disable GPO(s) completely: Select 'Disable' from the 'Manage' option located above the GPO list to fully disable the GPO(s), or, disable both 'User Configuration Settings' and 'Computer Configuration Settings' using the toggle buttons located beside each GPO.
      • To disable user configuration only: Disable the 'User Configuration Settings' and enable the 'Computer Configuration Settings' using the toggle buttons located beside each GPO.
      • To disable computer configuration only: Disable the 'Computer Configuration Settings' and enable the 'User Configuration Settings' using the toggle buttons located beside each GPO.

    Delete GPOs.

    Administrators can delete those GPOs which are no longer required using the 'Delete' option available in ADManager Plus.

    Procedure:

    After selecting the required domain using 'Select Domain' in the 'Manage GPO' page, choose the GPOs which are to be deleted. Select 'Delete' from the 'Manage' option above the GPO list.

    Steps:

    To delete GPO(s):

    1. Click 'Management tab'.
    2. In 'GPO Management', click 'Manage GPOs'.
    3. Select the domain where the required GPOs are located using 'Select Domain'.
    4. Select the GPO(s) to be deleted. (You can also locate the required GPO(s) using the search option located at the top of this page)
    5. Select 'Delete' from the 'Manage' option located above the GPO list to delete the GPO(s).

    GPO scope

    The scope of a GPO can be defined by linking it to a site or a domain or an OU. By default, a GPO will be applied throughout the linked object unless it is narrowed down. One of the common ways to narrow down GPO scope is using filters like Security or WMI filtering.

    Steps to configure GPO filters

    1. Log on to ADManager Plus.
    2. Navigate to Management tab → GPO Management → Manage GPOs.
    3. Select the domain to which the GPO belongs.
    4. From the list of GPOs in the selected domain, click on the Linked Objects button, next to the GPO to be modified.
    5. Navigate to the Scope tab and click on Advanced Settings located at the bottom of the linked objects table.
    6. In the Security Filtering section, add or remove the objects (users, groups or computers) to which the GPO is to be applied.
    7. In the WMI Filtering section, you can choose the desired WMI filter from the drop down menu.
    8. Click Update to save the changes.

    GPO delegation

    You can view or configure the GPO permissions for desired security principals by following these steps:

    Steps to configure GPO delegation permissions

    1. Log on to ADManager Plus.
    2. Navigate to Management tab → GPO Management → Manage GPOs.
    3. Select the domain to which the GPO belongs.
    4. From the list of GPOs in the selected domain, click on the Linked Objects button next to the GPO to be modified.
    5. Navigate to the Delegation tab.
    6. From the Select Permissions section, select the desired accounts and choose the appropriate permissions from the drop down menu:
      • Edit Settings - Allows you to edit the GPO settings
      • Modify Security - Allows you to modify the security permissions for GPOs
      • Read - Allows you to view the GPO
      • Delete - Allows you to delete the GPO
    7. Click Update to save the changes.
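
    To review what the Delegation tab has granted across a whole domain, the following added example (not part of ADManager Plus or its documentation) lists every trustee that can change a GPO. It assumes the Microsoft GroupPolicy PowerShell module (RSAT) is available on an admin workstation; the function name and the `$ExpectedTrustees` baseline are hypothetical and should be adjusted to your environment.

```powershell
# Added example: audit which principals hold write-level delegation on GPOs.
# Requires the GroupPolicy module (RSAT) and read access to the domain's GPOs.
Import-Module GroupPolicy

function Get-GpoWriteDelegation {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Assumed baseline of trustees expected to hold write access.
        [string[]]$ExpectedTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )

    # Permission levels reported by the GroupPolicy module:
    #   GpoEdit                     - edit settings
    #   GpoEditDeleteModifySecurity - edit settings, delete, modify security
    #   GpoCustom                   - non-standard ACL, review by hand
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain) {
            if ([string]$ace.Permission -notin $writeLevels) { continue }
            if ($ace.Trustee.Name -in $ExpectedTrustees)      { continue }

            # Anything reaching this point is write access outside the baseline.
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType
                Permission  = $ace.Permission
                Inherited   = $ace.Inherited
            }
        }
    }
}

# One row per unexpected trustee; an empty result means only baseline
# trustees can edit, delete, or re-permission GPOs in the domain.
Get-GpoWriteDelegation | Sort-Object Trustee, Gpo | Format-Table -AutoSize
```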

    Add/remove GPO links.

    This option helps administrators apply GPOs to a domain, sites, or OUs, or, remove GPO links which are no longer required for that particular domain, sites, or OUs.

    Procedure:

    Using 'Link GPOs' in the 'Manage GPO Links' page, link GPOs to the required domain, sites, or OUs. GPO links can be removed using the 'Remove Links' option available in the 'Manage' option.

    Steps:

    To link GPO(s):

    1. Click 'AD Mgmt'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain/OU/site using 'Select'.
    4. Click on 'Link GPOs' option located on the top right corner above the list of GPOs.
    5. In the 'Select GPOs to be linked' window that opens, use 'Link GPOs' to select the domain, OUs, or sites to which GPOs are to be linked.
    6. Select the required GPO(s) to be linked and click on 'Link GPOs'. You will see a summary of the action just performed along with the linking status, for the added GPO link(s).

    To remove GPO link(s):

    1. Click 'AD Mgmt'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain/OU/site using 'Select'.
    4. Select the GPO(s) whose links are to be removed.
    5. Click 'Manage' located just above the list of linked GPO(s).
    6. From the options, click 'Remove Links' to remove selected GPO link(s).

    Enable/disable GPO links.

    Administrators can enable or disable the application of GPOs to a particular domain, sites, or OUs using this option.

    Procedure:

    From the list of GPOs available for the selected domain/OU/site, select the required GPOs whose links are to be enabled or disabled. Enable or disable the links using the option available in 'Manage'.

    Steps:

    To enable/disable GPO link(s):

    1. Click 'AD Mgmt'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain/OU/site using 'Select'.
    4. Select the GPO(s) whose links are to be enabled or disabled.
    5. Click 'Manage' located just above the list of available GPO(s). Select 'Enable Links' or 'Disable Links' to enable or disable the selected GPO link(s).

    Enforce/remove enforcement of GPO links.

    This option allows administrators to specify the GPOs which have to be enforced on specified target containers, in one single action. Using the remove enforcement option, this enforced application of GPOs can be revoked.

    Procedure:

    From the list of all GPOs linked to the selected domain, OUs, or sites, select the required GPOs and enforce or remove enforcement, as required.

    Steps:

    To enforce or remove enforcement of GPO link(s):

    1. Click 'AD Mgmt'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain/OU/site using 'Select'.
    4. Select the required GPO(s).
    5. Click on 'Enforce' or 'Remove enforce' from the 'Manage' option in order to enforce or remove enforcement.

    Block/unblock GPO inheritance.

    Administrators can use this option to block/unblock the inheritance of GPO settings by any OU or domain from its parent container.

    Procedure:

    Select the OU or domain for which inheritance of GPO settings is to be blocked or unblocked, and then block or unblock inheritance, as required.

    Steps:

    To block/unblock the inheritance of GPO settings for the required domain/OU:

    1. Click 'AD Mgmt'.
    2. In 'GPO Management', click 'Manage GPO Links'.
    3. Select the required domain/OU/site using 'Select'.
    4. Click on 'Block Inheritance' or 'Unblock Inheritance' from the 'Manage' option to block or unblock inheritance of GPO.
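
    The link, enforcement, and inheritance settings from the sections above interact: a container with inheritance blocked still receives parent GPOs whose links are enforced. The following added example (not ADManager Plus code) reports that state per container so a change can be checked afterwards. It assumes the Microsoft GroupPolicy and ActiveDirectory PowerShell modules (RSAT); the function name is hypothetical.

```powershell
# Added example: report link state, enforcement and blocked inheritance
# for the domain root and every OU. Requires read access to the domain.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoLinkReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Containers to inspect: the domain root plus every OU.
    $targets  = @((Get-ADDomain -Server $Domain).DistinguishedName)
    $targets += @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                  Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn -Domain $Domain

        # One row per GPO linked directly to this container.
        foreach ($link in $som.GpoLinks) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $som.GpoInheritanceBlocked
                Gpo                = $link.DisplayName
                Scope              = 'Direct'
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
            }
        }

        # InheritedGpoLinks is the effective list for the container. When
        # inheritance is blocked, entries that are not direct links are
        # parent GPOs that still apply because their link is enforced.
        if ($som.GpoInheritanceBlocked) {
            $direct = @($som.GpoLinks | ForEach-Object { $_.GpoId })
            foreach ($link in $som.InheritedGpoLinks | Where-Object { $_.GpoId -notin $direct }) {
                [pscustomobject]@{
                    Container          = $dn
                    InheritanceBlocked = $true
                    Gpo                = $link.DisplayName
                    Scope              = 'InheritedDespiteBlock'
                    LinkEnabled        = $link.Enabled
                    Enforced           = $link.Enforced
                }
            }
        }
    }
}

Get-GpoLinkReport | Sort-Object Container, Scope | Format-Table -AutoSize
```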

    Troubleshooting.

    1. If an 'Access Denied - 80070005' error occurs while creating a new GPO, ensure that the user account configured in the domain settings has the necessary rights to create GPOs in the desired domain.

      Recommendation: As a best practice, ensure that the account under which ADManager Plus runs has the necessary rights to create GPOs in the desired domain.

    2. In case of a 'Network access is denied - 80070041' error, perform the following actions on the machine where ADManager Plus is installed:
      • Run gpedit.msc.
      • Go to Computer → Administrative Templates → Network → Network Provider → Hardened UNC Paths.
      • Choose 'Enabled'.
      • Under 'Options', click 'Show'.
      • Under 'Value name', enter "\\*\SYSVOL" (without quotes).
      • Under 'Value', enter "RequireMutualAuthentication=0, RequireIntegrity=0, RequirePrivacy=0" (without quotes).
      • Click OK to apply the changes.
      • Open command prompt and run gpupdate /force to apply the changes made.
    3. If an "Unable to retrieve the registry setting" error occurs, change that registry setting to "Not configured" using GPMC. You will then be able to display or modify the registry setting using ADManager Plus. (This error occurs because of the difference in admx files available in GPMC and ADManager Plus for that particular registry setting.)
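
    The value entered for the 80070041 workaround in item 2 turns off mutual authentication and integrity checking for SYSVOL paths on that machine, so it is worth tracking where it is set. The following added example (not part of ADManager Plus) reads the registry key that the Hardened UNC Paths policy writes and flags entries that do not require both protections. The function name is hypothetical.

```powershell
# Added example: audit Hardened UNC Paths entries on the local machine.
# The policy stores one registry value per UNC pattern under this key.
function Get-HardenedUncPathAudit {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    )

    # No key means the policy is not configured on this machine.
    if (-not (Test-Path -Path $KeyPath)) { return }

    $key = Get-Item -Path $KeyPath
    foreach ($name in $key.GetValueNames()) {
        # Data looks like "RequireMutualAuthentication=1, RequireIntegrity=1".
        $flags = @{}
        foreach ($pair in ([string]$key.GetValue($name)) -split ',') {
            $k, $v = $pair.Trim() -split '=', 2
            if ($k) { $flags[$k.Trim()] = "$v".Trim() }
        }

        [pscustomobject]@{
            UncPath    = $name
            MutualAuth = $flags['RequireMutualAuthentication']
            Integrity  = $flags['RequireIntegrity']
            Privacy    = $flags['RequirePrivacy']
            # Relaxed when either protection is missing or set to anything but 1.
            Relaxed    = ($flags['RequireMutualAuthentication'] -ne '1') -or
                         ($flags['RequireIntegrity'] -ne '1')
        }
    }
}

# Show only the entries that weaken SYSVOL/NETLOGON access on this host.
Get-HardenedUncPathAudit | Where-Object Relaxed | Format-Table -AutoSize
```

    Running it on the ADManager Plus server and on a sample of other hosts shows whether the relaxed value stayed limited to the machine named in item 2.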