  1. Click the Windows button and choose Administrative Tools ➢ Group Policy Management. The Group Policy Management tool opens.
  2. Expand the Forest, Domains, your domain name, and North America containers. Right-click the Corporate OU and then choose Create A GPO In This Domain, And Link It Here.
  3. When the New GPO dialog box appears, type Warning Box in the Name field. Click OK.
  4. The new GPO will be listed on the right side of the Group Policy Management window. Right-click the GPO and choose Edit.
  5. In the Group Policy Management Editor, expand the following: Computer Configuration ➢ Policies ➢ Windows Settings ➢ Security Settings ➢ Local Policies ➢ Security Options. On the right side, scroll down and double-click Interactive Logon: Message Text For Users Attempting To Log On.
  6. Select the option Define This Policy Setting In The Template. In the text box, type Unauthorized use of this machine is prohibited and then click OK. Close the GPO and return to the GPMC main screen.
  7. Under the domain name (in the GPMC), right-click Group Policy Objects and click New.
  8. When the New GPO dialog box appears, type Unlinked Test GPO in the Name field. Click OK.
  9. On the right side, the new GPO will appear. Right-click Unlinked Test GPO and click Edit.
  10. Under the User Configuration section, click Policies ➢ Administrative Templates ➢ Desktop. On the right side, double-click Hide And Disable All Items On The Desktop and then click Enabled. Click OK and then close the GPMC.

Note that Group Policy changes may not take effect until the next user logs in (some settings may even require that the machine be rebooted). That is, users who are currently working on the system will not see the effects of the changes until they log off and log in again. GPOs are reapplied every 90 minutes with a 30-minute offset. In other words, users who are logged in will have their policies reapplied every 60 to 120 minutes. Not all settings are reapplied (for example, software settings and password policies).

Linking Existing GPOs to Active Directory

Creating a GPO is the first step in assigning Group Policies. The second step is to link the GPO to a specific Active Directory object. As mentioned earlier in this chapter, GPOs can be linked to sites, domains, and OUs.

Exercise 8.2 walks you through the steps that you must take to assign an existing GPO to an OU within the local domain. In this exercise, you will link the Test Domain Policy GPO to an OU. To complete the steps in this exercise, you must have completed Exercise 8.1.

EXERCISE 8.2

Linking Existing GPOs to Active Directory
  1. Open the Group Policy Management Console.
  2. Expand the Forest and Domain containers and right-click the Africa OU.
  3. Choose Link An Existing GPO.
  4. The Select GPO dialog box appears. Click Unlinked Test GPO and click OK.
  5. Close the Group Policy Management Console.
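The same two exercises can be scripted with the GroupPolicy module, which is useful when you want the GPO creation, the settings, and the links to be reproducible and reviewable. The block below is an added example, not from the book: it creates both GPOs from Exercise 8.1, applies the two settings, and performs the Exercise 8.2 link. The domain name and the OU distinguished names are placeholders, and the RSAT GroupPolicy and ActiveDirectory modules are assumed to be installed on the machine running it.

```powershell
# Added example (not from the book): scripted equivalent of Exercises 8.1 and 8.2.
# Assumptions: placeholder domain corp.example, the exercise OUs exist under it,
# and the GroupPolicy / ActiveDirectory RSAT modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain      = 'corp.example'                                       # placeholder
$corporateOU = 'OU=Corporate,OU=North America,DC=corp,DC=example'   # placeholder DN
$africaOU    = 'OU=Africa,DC=corp,DC=example'                       # placeholder DN

# Exercise 8.1, first part: create "Warning Box", link it to the Corporate OU,
# and set the interactive logon message text.
$warning = New-GPO -Name 'Warning Box' -Domain $domain
New-GPLink -Guid $warning.Id -Target $corporateOU -LinkEnabled Yes | Out-Null

# "Interactive logon: Message text for users attempting to log on" is applied on
# clients as this HKLM value; an HKLM key tells the cmdlet to write it to the
# Computer Configuration side of the GPO.
Set-GPRegistryValue -Name 'Warning Box' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'LegalNoticeText' -Type String `
    -Value 'Unauthorized use of this machine is prohibited' | Out-Null

# Exercise 8.1, second part: create "Unlinked Test GPO" and enable
# "Hide and disable all items on the desktop" (User Configuration, so an HKCU key).
$test = New-GPO -Name 'Unlinked Test GPO' -Domain $domain
Set-GPRegistryValue -Name 'Unlinked Test GPO' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null

# Exercise 8.2: link the existing GPO to the Africa OU.
New-GPLink -Guid $test.Id -Target $africaOU -LinkEnabled Yes | Out-Null

# Verify the result: what is linked to Africa, and what the test GPO now carries.
Get-GPInheritance -Target $africaOU |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order
Get-GPRegistryValue -Name 'Unlinked Test GPO' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
```

One caveat worth knowing: Set-GPRegistryValue writes to the GPO's registry.pol, so in the Group Policy Management Editor the logon message shows up under Administrative Templates as an extra registry setting rather than under Security Options, where the GUI exercise places it. The value that reaches the client is the same, but if your team audits GPOs through the editor's Security Options view, the GUI route is the one to use for that setting.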

Note that the GPMC tool offers a lot of flexibility in assigning GPOs. You can create new GPOs, add multiple GPOs, edit them directly, change priority settings, remove links, and delete GPOs, all from within this interface. In general, creating new GPOs using the GPMC tool is the quickest and easiest way to create the settings you need.

To test the Group Policy settings, you can simply create a user account within the Africa OU that you used in Exercise 8.2. Then, using another computer that is a member of the same domain, you can log on as the newly created user.

Forcing a GPO to Update

There will be times when you need a GPO to be processed immediately. If you are testing a GPO, you will not want to wait for it to be processed on its own schedule, and you may not want to have to log off the domain and log back on just to get the GPO processed.

Windows Server 2022 has changed how GPOs get processed. In a Windows Server 2022 domain, when a user logs onto the domain, the latest version of the Group Policy gets downloaded from the domain controller, and it writes that policy to the local store.

If you have your GPOs set up and running in synchronous mode, then the next time the computer restarts, it will use the most recently downloaded GPO from the local store and not download the GPO from the domain. This is a new feature in Windows Server 2022, and it helps to reduce the time it takes to log onto the domain because the GPO doesn’t need to be downloaded each time.

So, now that you understand how GPOs get processed in Windows Server 2022, let’s look at a few different ways that you can force a GPO to get processed immediately.

Forcing the GPO from the Server

Windows Server 2022 has an MMC called Group Policy Management Console (GPMC), and by using this MMC, you can remotely refresh an organizational unit (OU) and force the GPO on all users and computers within that OU. The GPMC remote refresh automatically updates all settings, including security settings, that are configured in the GPO linked to the OU. In the OU's context menu, you can choose to remotely refresh the OU and the GPOs associated with it. When you remotely refresh an OU, the following steps occur:

  1. Windows Server 2022 does an Active Directory query, and that query returns a list of all users and computers that belong to the OU.
  2. Windows Management Instrumentation (WMI) queries all users and computers that are currently logged into the domain and creates a list that will be used.
  3. Using the list that was created in step 2, a remote scheduled task is created, and GPUpdate.exe /force is executed on all of the users and computers that are logged into the domain. The remote scheduled task is scheduled to execute with a 10-minute random delay to help decrease the load on network traffic.

When you are using the GPMC to force a GPO update, you do not have the ability to change the 10-minute random delay, but if you force the GPO through the use of PowerShell, you have the ability to set the delay.

Another way that you can force a GPO to update immediately is to use Windows PowerShell. By using the Invoke-GPUpdate cmdlet, you can not only force the GPO but also set the parameters to be more granular.
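The following is an added example, not from the book, that reproduces the three steps of the GPMC remote refresh with Invoke-GPUpdate so that the random delay and the scope (computer policy, user policy, or both) are under your control. The OU distinguished name is a placeholder; it assumes the RSAT GroupPolicy and ActiveDirectory modules on the management host and the same remote scheduled-task connectivity to the targets that the GPMC refresh itself needs.

```powershell
# Added example (not from the book): force a Group Policy refresh on every
# computer in an OU, mirroring the GPMC remote refresh but with a chosen delay.
# Assumptions: placeholder OU DN; GroupPolicy and ActiveDirectory RSAT modules
# installed; remote scheduled-task access to the targets (as GPMC also requires).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$targetOU = 'OU=Africa,DC=corp,DC=example'   # placeholder DN

# Step 1 equivalent: an Active Directory query for the computers in the OU.
$computers = Get-ADComputer -Filter * -SearchBase $targetOU |
    Select-Object -ExpandProperty Name

foreach ($name in $computers) {
    # Step 2 equivalent: only target machines that are reachable right now.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Write-Warning "$name is offline; skipping"
        continue
    }
    # Step 3 equivalent: schedule gpupdate /force on the remote machine.
    # -RandomDelayInMinutes replaces the fixed 10-minute spread the GPMC uses
    # (2 minutes here); -Target Computer refreshes computer policy only.
    Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 2 -Target Computer
}

# For a single test machine you can drop the delay entirely and refresh both
# user and computer policy, then pull a resultant-set-of-policy report to
# confirm which GPOs were actually applied.
$testPc = 'PC01'   # placeholder computer name
Invoke-GPUpdate -Computer $testPc -Force -RandomDelayInMinutes 0
Get-GPResultantSetOfPolicy -Computer $testPc -ReportType Html `
    -Path "$env:TEMP\$testPc-rsop.html"
```

The reachability check is there because Invoke-GPUpdate creates a scheduled task on each target; an unreachable host simply produces an error, so filtering first keeps the loop's output readable. Settings that the refresh interval never reapplies on its own, such as software installation, still need a logoff or reboot even after a forced update, which is what the -LogOff and -Boot switches of Invoke-GPUpdate are for.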