Create Organizational Units (OUs) and Group Policy Objects

Bulitha Kawushika de Zoysa
15 min read · Mar 23, 2024


Introduction

This is the second article in the Windows Server Configuration series. In the first article we set up AD DS, DNS, and DHCP on the server, and we continue from where that article ended. The first section of this article discusses role-based access control, which is the core idea behind this OU structure. After that, we create organizational units (OUs) in the domain. Finally, we configure three group policies, verify that they work, and go over some key points about group policies.

previous part of this series — Click here >>

What is Role-Based Access Control?

Role-Based Access Control (RBAC) is a security model that restricts system access to authorized users based on their roles within an organization. In RBAC, permissions are associated with roles, and users are assigned to specific roles based on their responsibilities and job functions. This approach simplifies access management by allowing administrators to define and manage permissions at a role level, reducing the complexity of individual user permissions. RBAC enhances security and helps ensure that users only have the access necessary for their roles, minimizing the risk of unauthorized actions and data breaches. The Windows Server OS uses RBAC to manage and control access permissions within a Windows Server environment. It operates on the principle of assigning roles to users or groups, and these roles dictate the level of access and specific tasks users can perform.

What are organizational units (OUs) in Windows Server?

Organizational Units (OUs) in Windows Server are a fundamental component of Active Directory (AD) structure. They are containers within a domain that are used to organize and manage objects such as users, groups, computers, and other OUs. OUs provide a way to structure and manage the resources within a domain in a logical and hierarchical manner.

Key points about OUs-

· Hierarchical Structure — OUs can be nested within each other to form a hierarchical structure. This allows for the organization of resources in a way that reflects the organization’s structure or administrative needs.

· Group Policy Application — Group Policies, which define various settings and configurations for users and computers, can be applied to OUs. This allows administrators to apply specific policies to different sets of users or computers based on their organizational role or location within the OU structure.

· Delegation of Administration — Administrators can delegate administrative control over OUs to specific users or groups. This makes it possible to restrict resource management within specific OUs more precisely without giving everyone domain-wide administrative access.

· Security Boundaries — OUs can also be used to define security boundaries within a domain. Access control lists (ACLs) can be applied to OUs to control access to resources within them.

· Logical Organization — OUs provide a logical way to organize resources within a domain based on administrative, geographical, or functional criteria. For example, an organization might have separate OUs for different departments, geographic locations, or types of resources.

Implementing Organizational Units (OUs), Groups, Users, and Computers

We need to open Server Manager first. In this demonstration, I used the following structure to implement OUs.

OU Structure

AD DS is already installed on this server, so Active Directory Users and Computers is available under Tools. Open Active Directory Users and Computers. The fct.ac.lk domain is shown with its default containers. Right-click the fct.ac.lk domain and select New; the list of Active Directory object types appears (Computer, Contact, Group, User, Organizational Unit, and so on). Select Organizational Unit and specify a name for the OU. I named it “FCT”. Under it I create two more OUs named “User” and “Computers”, and then create two OUs named “Student” and “Staff” inside each of those.

In this demonstration, I create 4 groups, 2 users, and 2 computers. First I create a new user called “Student” in the Student OU, which is located in the User OU. Right-click on User OU, move the cursor over New, and select User. I give the first name as “student”. A last name can be added as well, but I have not added one in this demo. Next we specify the user logon name, which must be unique within the domain: if you enter a logon name that already exists in the same domain, an error message says that the logon name already exists in your Active Directory. I use “Student” as the user logon name in this demonstration. Then click Next.

Create User

Here we are asked to specify a strong password for the user account. After retyping the password, we can choose among several account options.

If we select “User must change password at next logon,” the password we set is used only to create the account: when the user logs in for the first time, Windows asks them to set a new password. This keeps the password private, because the administrator does not know the user’s new password. In many real-world scenarios, administrators create accounts with a common initial password, or with passwords that follow a common pattern, and users then change them to passwords of their own.

If we select “User cannot change password,” then the user cannot change the user’s account’s password. Administrators know the password of the user account and can change it.

The above two options cannot be selected at the same time.

The third option is “Password never expires”. If we select it, the password never expires; I do not select it. By default, an Active Directory user account’s password expires after 42 days, and this limit can be changed with group policy. In a real environment the user’s password should expire so that the user must change it after a certain number of days, which adds extra security for the organization.

The fourth option is “Account is disabled.” If an admin wants to create a user account but does not want it used right away, it can be created disabled. Likewise, if a user takes leave or is absent for a long time, admins can disable that existing user account.

Set Password to User Account

Then click next, and we can see basic information about our user configuration. Click finish. Now we can see our Student user has been created.

Now we create the Student_group. Right-click on the Student OU, which is located in the User OU, move the pointer to New, and select Group. We are asked for a group name, so I enter “Student_group”. The group scope and group type are preselected as Global and Security, respectively.

Let’s have a brief idea about types of group scope and group types.

Group Scopes-

· Domain local groups are primarily used for assigning permissions within a single domain, allowing access to domain resources such as files, folders, and printers.

· Global groups are utilized for organizing users with similar roles or permissions across multiple domains within a forest, simplifying administration by managing access to resources across domains.

· Universal groups are employed for granting access to resources in multiple domains across a forest, providing a flexible way to manage permissions for users and resources that span the entire directory structure.

Group types-

· Security groups are used to assign permissions and access control to resources such as files, folders, and network resources, ensuring that only authorized users have the appropriate level of access.

· Distribution groups are primarily used for sending emails to multiple recipients simultaneously, facilitating efficient communication within an organization without the need to manage individual user accounts.

Create Student Group

Then click OK. We can see that our Student group has been created.

Student Group and Student User

Now we add the Student user to the Student_group, since the Student user belongs to that group.

We can do it in two ways. The first method I use is to right-click on the student user and then select add to group or properties. I select Properties. Then navigate to the “member of” tab. We can see that the student user is, by default, a member of the Domain Users group.

Click the Add button, select Advanced, then click “Find Now” to locate the group you wish to add this user to. In this demonstration, I used “student_group”. Alternatively, you can type the group name and use Check Names.

Then click OK, and then click Apply. Now we have successfully added Student user to the Student_group.

As in the previous steps, we create the Staff_group and the Staff user as well. Instead of the first method, I use the second method to add the Staff user to the Staff_group.

Staff Group and Staff User

Right-click on the Staff_group and select Properties. Then navigate to the “Members” tab. Click the Add button, select Advanced, then click “Find Now” to locate the user you wish to add to this group. In this demonstration, I add the Staff user to this group. Alternatively, you can type the user’s name and use Check Names.

Then click OK, and then click Apply. Now we have successfully added Staff user to the Staff_group.

After that, I create a new computer called “FCT_CL1” in the Student OU, which is located in the Computers OU. Right-click on the Student OU, move the cursor to New, and select Computer. Set the computer name to “FCT-CL1” and click OK. We then add this computer to the Student_PCs group using either of the two methods we used earlier to add a user to a group.

FCT-CL1

Now we can see that our computer was created.

Student_PCs and FCT_CL1

In this demonstration, I create another computer named “FCT-CL2” and make it a member of the Staff_PCs group.

Staff_PCs and FCT-CL2
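The same OU, group, user and computer structure can be built without the GUI. The following script is an added example and not code from the article: it uses the ActiveDirectory PowerShell module on the domain controller (run as a Domain Admin) and assumes the domain is fct.ac.lk and that none of the objects exist yet. It also shows the account options discussed above as parameters: the initial password is typed at a prompt rather than stored in the script, and ChangePasswordAtLogon forces a new password at first sign-in.

```powershell
# Added example, not code from the article: build the OU/group/user/computer tree
# with the ActiveDirectory module. Assumed: domain fct.ac.lk, run on the DC as a
# Domain Admin, nothing under OU=FCT exists yet.
Import-Module ActiveDirectory

$domainDN = 'DC=fct,DC=ac,DC=lk'

# OU tree: FCT -> User, Computers -> Student, Staff under each
New-ADOrganizationalUnit -Name 'FCT' -Path $domainDN
foreach ($parent in 'User', 'Computers') {
    New-ADOrganizationalUnit -Name $parent -Path "OU=FCT,$domainDN"
    foreach ($child in 'Student', 'Staff') {
        New-ADOrganizationalUnit -Name $child -Path "OU=$parent,OU=FCT,$domainDN"
    }
}

foreach ($role in 'Student', 'Staff') {
    $userOU = "OU=$role,OU=User,OU=FCT,$domainDN"
    $pcOU   = "OU=$role,OU=Computers,OU=FCT,$domainDN"

    # Global security groups: the scope and type the GUI preselects
    New-ADGroup -Name "${role}_group" -GroupScope Global -GroupCategory Security -Path $userOU
    New-ADGroup -Name "${role}_PCs"   -GroupScope Global -GroupCategory Security -Path $pcOU

    # User account. The initial password is typed in, never hard-coded.
    # ChangePasswordAtLogon = user must change password at next logon; it cannot be
    # combined with PasswordNeverExpires, and CannotChangePassword must stay $false for it.
    $initial = Read-Host -Prompt "Initial password for $role" -AsSecureString
    New-ADUser -Name $role -SamAccountName $role -UserPrincipalName "$role@fct.ac.lk" `
        -Path $userOU -AccountPassword $initial -Enabled $true `
        -ChangePasswordAtLogon $true -CannotChangePassword $false -PasswordNeverExpires $false
    Add-ADGroupMember -Identity "${role}_group" -Members $role

    # Pre-staged computer object; the physical client joins later under this name.
    $pcName = if ($role -eq 'Student') { 'FCT-CL1' } else { 'FCT-CL2' }
    New-ADComputer -Name $pcName -Path $pcOU
    # A computer's SAM account name ends with '$'
    Add-ADGroupMember -Identity "${role}_PCs" -Members ($pcName + '$')
}

# Verify: list the tree and each group's members
Get-ADOrganizationalUnit -SearchBase "OU=FCT,$domainDN" -Filter * |
    Select-Object -ExpandProperty DistinguishedName
foreach ($g in 'Student_group', 'Staff_group', 'Student_PCs', 'Staff_PCs') {
    "$g : " + ((Get-ADGroupMember -Identity $g).SamAccountName -join ', ')
}
```

The final loop should list Student in Student_group, Staff in Staff_group, FCT-CL1 in Student_PCs and FCT-CL2 in Staff_PCs. Re-running the script fails on the first New-ADOrganizationalUnit because the OU already exists, which is the intended guard against creating duplicates.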

Additional tips-

Windows Active Directory has plenty of built-in security groups by default, such as DHCP Administrators, DnsAdmins, DHCP Users, Key Admins, Protected Users, etc. We can use these groups to assign certain levels of permission to our users.

We can also create nested groups in Active Directory, which helps us organize the structure step by step.

Group Policy Configurations

In this demonstration, I implement three group policies.

What is a Group Policy Object (GPO)?

A Group Policy Object (GPO) is a collection of settings that define the behavior of computers and users in an Active Directory environment. These settings can include policies related to security, software installation, system configurations, and more. GPOs are applied to organizational units (OUs) within the Active Directory structure to enforce specific configurations and security settings across the network.

Lock the Control Panel Access and PC settings

As the first group policy, my requirement is to lock Control Panel access and PC settings for the Student group and the Staff group.

First, we should navigate to Tools > Group Policy Management.

Group Policy Management

Then right-click Group Policy Objects, select New to create a new group policy object, and name it “Lock the Control Panel Access”. You can choose any suitable name.

Create GPO

Right-click the GPO you just created and select Edit. A new window opens showing Computer Configuration and User Configuration. In this scenario we want the policy to apply to student and staff user accounts, so I expand User Configuration. Choose User Configuration if you wish to apply policies to users or user groups in the domain; choose Computer Configuration if you wish to apply policies to computers in the domain. Then navigate to Policies > Administrative Templates > Control Panel, which contains a number of policies related to the Control Panel. Select “Prohibit access to the Control Panel and PC settings”.

Prohibit access to the Control Panel and PC settings

Click Enabled to enable the policy. Then click Apply and click OK.

Enable Policy

Now our Group Policy Object (GPO) has been created successfully. Now we should add this policy to the student OU and the staff OU. Navigate to group policy management again. First, we link this policy to the Student OU. Right-click on Student OU and then select “Link an Existing GPO.” Now we can see all group policy objects in this domain. Select “Lock the Control Panel Access” to add this policy.

Add Policy to Student OU

Now we can see our policy has been added to Student OU.

Policies applicable to student OU

As with the previous step, we should link this same policy to the Staff OU.

Now we can check that this policy works. Move to the client computer and sign in with the student account. Try to open Control Panel or PC Settings: we can still open them and change settings, because the client has not yet refreshed its policies. Open Command Prompt, type the command gpupdate /force, and press Enter. Running “gpupdate /force” on a client PC triggers an immediate refresh of group policy from the domain controller.

gpupdate /force

We then attempt to access the control panel or computer settings again. We are now unable to access the settings or control panel. We may observe that when action is prohibited, a notification will appear.

Alert notification

Our policy has been applied successfully. When we sign in to the staff account on another PC, it is also restricted from accessing Control Panel and PC Settings.

The significance of policy-

Locking access to the Control Panel and PC settings through Group Policy is crucial for maintaining security and system integrity in a Windows environment. By enforcing this policy, administrators can prevent users from making unauthorized changes to system configurations, which could lead to unintended modifications, security vulnerabilities, or system instability. This helps ensure that critical system settings remain consistent across all user accounts and minimizes the risk of accidental or malicious alterations that could impact the stability and security of the network.

Prohibit all Removable Media

We prohibit access to any removable media only for student accounts under this policy. We can configure this policy in the same way as in the previous steps. Create a new GPO and name it “Prohibit all removable media”.

Create new GPO

Edit the GPO and navigate to User Configuration > Administrative Templates > System > Removable Storage Access, then select “All Removable Storage classes: Deny all access”.

All Removable Storage classes: Deny all access

Enable this policy.

Enable Policy

Our requirement is to apply this policy only to student accounts, so we link this GPO only to the Student OU.

GPOs linked to the student OU

Refresh group policy with the gpupdate /force command. Now, sessions signed in with student accounts cannot access removable media, while removable media remains accessible from other sessions, such as those signed in with staff accounts.
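Relying on the pop-up notification to confirm a policy is easy to get wrong, so it helps to check what the client actually received. The script below is an added example (not from the article) to run on a client after signing in as the user under test. It refreshes policy and then reads the registry values that the two user-side policies above write, so the result can be verified without opening Control Panel or plugging in a USB device. The registry locations are the ones the corresponding Administrative Template settings use; the list of expected values is constructed for this example.

```powershell
# Added example, not code from the article: verify applied user policies on the client.
# Run in a session signed in as the user under test (e.g. FCT\Student).
gpupdate /force | Out-Null

# Registry values the two Administrative Template settings write (constructed check list)
$expected = @(
    @{ Policy = 'Prohibit access to Control Panel and PC settings'
       Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoControlPanel'; Value = 1 },
    @{ Policy = 'All Removable Storage classes: Deny all access'
       Key    = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name   = 'Deny_All'; Value = 1 }
)

function Test-AppliedPolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # Missing key or value means the policy did not reach this user
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Policy  = $c.Policy
            Applied = ($actual -eq $c.Value)
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
        }
    }
}

Test-AppliedPolicy -Checks $expected | Format-Table -AutoSize

# The client's own view of which GPOs were applied to this user
gpresult /r /scope:user
```

In a Student session both rows should report Applied = True. In a Staff session the first row should be True and the second “(not set)”, which confirms that the removable-media GPO is linked only to the Student OU.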

The significance of policy-

Implementing a “Prohibit all Removable Media” policy for student accounts in this domain is crucial for safeguarding sensitive data and maintaining network security. By restricting access to removable media for students, such as USB drives and external hard drives, the policy helps prevent the introduction of malware, unauthorized file transfers, and data breaches. This proactive measure not only mitigates the risk of cyber threats but also ensures compliance with data protection regulations.

Disable Desktop Wallpaper Change and Set the given Wallpaper

With this policy, we are required to set the same wallpaper for every computer in that domain, and it cannot be changed by users themselves. Here, I configure this policy for all user accounts in the domain, rather than just the computers in this domain.

First, we should create a folder on the server and store the wallpaper image we want to set as a desktop wallpaper. Then we want to share this folder with everyone in this domain. Right-click on this folder and select properties. Navigate to the sharing tab and click the share button.

Folder Sharing

Then type Everyone, click the Add button, and grant permission for everyone to access it. Then click the share button.

Share for Everyone

After sharing is complete, click the finish button. Copy the network path of this folder.

Network Path

Navigate to Group Policy Management, create a new GPO as before, and name it “Disable Change Wallpaper and Set Wallpaper”.

Create GPO

Then edit this GPO and navigate to User Configuration > Administrative Templates > Desktop > Desktop. Select Desktop Wallpaper.

Desktop Wallpaper Policy

Enable it and paste the network path copied in the previous step into the Wallpaper Name box. At the end of that path, add a “\” and the file name of the image in that folder that we want as the desktop wallpaper. In this demonstration, I set the wallpaper name to “FCT-DC1\Wallpaper\wallpaper1.jpg”. Then click Apply and OK.

Wallpaper Name

In the previous cases we linked GPOs to specific OUs, but a GPO can also be linked to the whole domain or to a site if required. In this case I link the GPO to the whole domain: right-click on fct.ac.lk, choose “Link an Existing GPO”, and select the policy.

Link GPO to Domain

We can now use the command “gpupdate /force” to update group policies on any client computer within that domain and verify that the configuration is working properly. We can see our wallpaper has been set successfully. We are unable to change the wallpaper on this client computer when we try to.

Client Computer’s Wallpaper
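All three GPOs from this article can also be created and linked from PowerShell. The script below is an added example, not code from the article: it uses the GroupPolicy module on the domain controller and writes the same registry-backed Administrative Template settings that the GUI sets for each policy. It assumes the domain fct.ac.lk, the OU names from earlier, that the wallpaper image is in C:\Wallpaper on the domain controller FCT-DC1, and that the folder is shared as \\FCT-DC1\Wallpaper (a UNC path starts with two backslashes). One deliberate difference from the GUI steps: the share is created read-only for Everyone, since clients only need to read the image and a writable share would let any user replace it.

```powershell
# Added example, not code from the article: create and link the three GPOs.
# Assumed: domain fct.ac.lk, DC FCT-DC1, wallpaper in C:\Wallpaper on the DC.
Import-Module GroupPolicy

$domainDN  = 'DC=fct,DC=ac,DC=lk'
$studentOU = "OU=Student,OU=User,OU=FCT,$domainDN"
$staffOU   = "OU=Staff,OU=User,OU=FCT,$domainDN"

# 1. Prohibit access to the Control Panel and PC settings (User Configuration)
#    -> HKCU\...\Policies\Explorer\NoControlPanel = 1; linked to Student and Staff OUs
$gpo1 = New-GPO -Name 'Lock the Control Panel Access'
Set-GPRegistryValue -Name $gpo1.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
foreach ($ou in $studentOU, $staffOU) {
    New-GPLink -Name $gpo1.DisplayName -Target $ou -LinkEnabled Yes | Out-Null
}

# 2. All Removable Storage classes: Deny all access (User Configuration), students only
#    -> HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All = 1
$gpo2 = New-GPO -Name 'Prohibit all removable media'
Set-GPRegistryValue -Name $gpo2.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo2.DisplayName -Target $studentOU -LinkEnabled Yes | Out-Null

# 3. Desktop Wallpaper (User Configuration), linked at the domain root.
#    Share the folder read-only: clients only read the image. The NTFS ACL on
#    C:\Wallpaper must also grant Read (the default Users entry does).
New-SmbShare -Name 'Wallpaper' -Path 'C:\Wallpaper' -ReadAccess 'Everyone' | Out-Null
$gpo3   = New-GPO -Name 'Disable Change Wallpaper and Set Wallpaper'
$sysKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpo3.DisplayName -Key $sysKey -ValueName 'Wallpaper' `
    -Type String -Value '\\FCT-DC1\Wallpaper\wallpaper1.jpg' | Out-Null
# WallpaperStyle: 0 = Center, 2 = Stretch, 6 = Fit, 10 = Fill
Set-GPRegistryValue -Name $gpo3.DisplayName -Key $sysKey -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null
New-GPLink -Name $gpo3.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null

# Review: links on the Student OU plus everything it inherits (the domain-level wallpaper GPO)
(Get-GPInheritance -Target $studentOU).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

Because all three settings live under User Configuration, they follow the user, not the machine: the wallpaper and the Control Panel lock apply to a student wherever they sign in, and the removable-media denial applies only to accounts in the Student OU. A plain gpupdate /force on a client, as in the article, then makes the changes take effect.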

What is a Link Order?

We can link several GPOs to the same OU, domain, or site. For this demonstration, I linked several more GPOs to the Student OU. Note the column called Link Order.

Link Order

The “Link Order” refers to the order in which GPOs are applied to organizational units (OUs) within the Active Directory structure. The link order determines the precedence of GPOs when multiple GPOs are linked to the same OU. When multiple GPOs are linked to an OU, they are applied in order based on their link order number, with lower numbers having higher priority. This means that GPOs with lower link order numbers are processed before those with higher link order numbers. The link order can be adjusted to prioritize the application of specific GPO settings over others within the same OU. We can change this order using the up and down arrows in this window.
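Link order can be inspected and changed from PowerShell as well, which is useful when several administrators link GPOs to the same OU and you want to record which one wins. The script below is an added example (not from the article): it lists the links on the Student OU with their order, moves one GPO to link order 1 (the same effect as the up arrow in the window above), shows the inherited links and inheritance-blocking state that also affect precedence, and finally pulls a Resultant Set of Policy report for the Student user on FCT-CL1 from the domain controller. The domain, OU, client and user names are the ones assumed throughout this article.

```powershell
# Added example, not code from the article: inspect and reorder GPO links, then
# generate an RSoP report. Assumed: domain fct.ac.lk, client FCT-CL1, user FCT\Student,
# and the GPO name 'Prohibit all removable media' from earlier in the article.
Import-Module GroupPolicy
$studentOU = 'OU=Student,OU=User,OU=FCT,DC=fct,DC=ac,DC=lk'

function Show-GpoLinks {
    param([string]$Target)
    # Order 1 has the highest precedence: its settings win when linked GPOs conflict.
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

Show-GpoLinks -Target $studentOU

# Move the removable-media GPO to the top of the list
Set-GPLink -Name 'Prohibit all removable media' -Target $studentOU -Order 1 | Out-Null
Show-GpoLinks -Target $studentOU

# Inherited links (e.g. a domain-level GPO) and inheritance blocking also change what wins
$inh = Get-GPInheritance -Target $studentOU
"Inheritance blocked on {0}: {1}" -f $inh.Name, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced -AutoSize

# Resultant Set of Policy for Student on FCT-CL1, collected from the DC. Logging mode
# requires that the user has signed in on that client at least once and that the
# client is reachable over RPC/WMI.
$report = Join-Path $env:TEMP 'rsop-student.html'
Get-GPResultantSetOfPolicy -Computer 'FCT-CL1' -User 'FCT\Student' -ReportType Html -Path $report
"RSoP report written to $report"
```

The RSoP report is the authoritative answer to "which setting won?": it lists every applied GPO in precedence order and, for each setting, the GPO it came from. Checking it after reordering links avoids guessing from the link-order column alone, especially when an inherited link is marked Enforced, since an enforced link takes precedence over links lower in the tree regardless of their order number.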

In the upcoming piece of this series, I intend to carry on and go over some more interesting group policies and features in the Windows server environment. You can leave a comment if you’re having any issues. Helping you guys would be a pleasure for me.

Next Part of this Series — Click here >>


Bulitha Kawushika de Zoysa

Undergraduate | B.Sc. (Hons) in Computer Science University of Kelaniya | Cyber Security specialization