Configure Group Policy Processing

In the Configure Group Policy Processing IT Pro Challenge lab, learners will understand Group Policy, Group Policy Order (GPO), when to use the link enabled vs. block inheritance vs. the link enforced option, how to configure group policies for different users, and how to enable security filtering.

Understanding how to configure Group Policy Processing is valuable to careers as an Active Directory Group Policy Administrator or Windows Server Administrator.

Overview

For this virtual lab, you are a Windows Server Administrator, tasked with managing the Active Directory Domain Services (AD DS) for your organization. To accomplish this, you will need to do the following:

• Configure Group Policy processing
• Modify Group Policy by using the Link Enabled and Block Inheritance options
• Enforce a GPO
• Implement Security Filtering

At the beginning of this virtual lab, you are provided with a Windows Server 2016 domain controller and a member server.

Modify Group Policy Processing by Using the Link Enabled Option

The first step of this virtual lab shows you how to use the Link Enabled Option for Group Policy Processing. Group Policy is a Windows feature that allows the administrator to set the environment for both users and computers. It allows the administrator to control applications, user settings, and operating systems.

Learners will log in as the administrator, review the existing Group Policy, and note if the Active Directory Domain has multiple GPOs linked to it.

When prioritizing processing, GPOs follow the Local, Site, Domain, Organizational Units (OU), and Sub-OUs rules for processing. That means that local GPOs are processed first, and OUs are processed last.

NOTE: When talking about GPOs, a link is simply a connection between a GPO and an OU.

By using Link Enabling, you enable the GPO; if you don’t enable a link, Windows does not process the GPO. If you are trying to troubleshoot an issue, it’s helpful to disable GPO links so that you can systematically eliminate which configuration is causing the problem.

Modify Group Policy Processing by Using the Block Inheritance Option

In this part of the lab, you are going to use the Block Inheritance Option for Group Policy Processing.

Using Block Inheritance allows the administrator to prevent an OU from inheriting GPOs from any parent containers. Block Inheritance is helpful when you need to create a group policy that is independent from the rest of the organization, where some users/computers need different settings from the rest of the users in the domain.

Modify Group Policy Processing by Using the Link Enforced Option

Now you are going to use the Link Enforced Option for Group Policy Processing.

Using the link Enforced option means that a policy can’t be overwritten by another policy, regardless of where the policy was set (local, site, domain, etc.). The parent GPO link takes precedence over everything else. All other Group Policies are applied later.

NOTE: GPO links are not enforced by default.

Modify Group Policy Processing Using Security Filtering

In the final part of the lab, you are going to use Security Filtering for Group Policy Processing.

Windows defaults to applying a GPO to authenticated users, which means that the GPO is applied to all users/computers. Using security filtering allows you to restrict a GPO to a specific user group without nesting another (new) OU to link to the GPO.

Summary Conclusion

By taking this virtual lab, you will learn about Group Policy processing and how to modify it by using the following:

• Link Enabled option
• Block Inheritance option
• Link Enforced option
• Security Filtering

You will also learn the difference between link enabled, block inheritance, and link enforced options and know when to use each. You will also understand the purpose of security filtering and how it can be beneficial over creating new OUs.