Group Policy Objects (GPOs) are one of the most powerful components in a Windows Server 2016-based environment. Thanks to GPOs, you can easily manage:
- Windows settings
- Application settings
- Software deployment
- Folder redirection (user Home folders)
- Security settings
- Infrastructure settings such as wireless and networking
While most environments leverage the power of Active Directory (AD) and assign GPOs through the AD infrastructure, you can use local GPOs to control computers and users that are not part of an AD. Keep in mind that if you apply local GPOs to a system that is part of an AD, the AD-based GPO settings will override the local settings.
There are multiple local GPOs you can use, including:
- Local Group Policy – this is the “classic” local Group Policy Object that contains a user and computer node with setting for each
- Administrators and Non-Administrators Local Group Policy – this GPO allows you to control local admins versus non admins; it only has a user node as you would expect
- User Specific Local Group Policy – these GPOs allow you to configure user-specific settings
NOTE: If you apply all of these to a local system, the priority order is as listed. For example, a user-specific setting would override a local group policy setting.
To create these local GPOs, simply log in as a local administrator and use the mmc.exe syntax in the run menu. Add a Snap In for the Group Policy Object Editor and then Browse for the local computer or users options to create the above local GPO editors.
Linking AD GPOs
When we use GPOs in the Active Directory environment, we link them to specific AD objects in order to set their scope. These objects include:
- Organizational Units (OUs)
You can link GPOs to these AD objects using GUI tools as well as PowerShell.
Manage Starter GPOs
It is possible to create a template that contains the most common settings for your enterprise and then use this GPO as a template for customize it for certain areas. This is called a Starter GPO. There is a Starter Node in the Group Policy Management console you can use for this purpose.