Lab Objective: Examine the role of Organization Units within Active Directory and learn to apply different group policy sets to separate Organizational Units.
Power up your Domain Controller Domain Client. (Created in Unit 1.)
On the Domain Controller, select Tools —> ‘Active Directory Users and Computers’
Expand the drop-down menu for the top-level domain, in my case, beck.local
We’ll place the following into Organizational Units on Active Directory
- User Accounts
- Service Accounts
- Computers
What’s the purpose?
- Once our objects are placed in Organizational Units, we can create individual Group Policy Objects that apply to the objects (users and computers) with these OUs.
- Understanding how these GPOs are applied and in what order is essential.
For Example:
- I could create an OU called ‘No_Security_Access_OU.’
- I could place certain users and computers into this OU
- I could apply a group policy that does not allow users to view the ‘Security’ tab when attempting to right-click and view file/folder properties.
- I could create an OU called ‘Security_Access_OU.’
- I could again place certain users and computers into this OU
- The default Windows setting is to allow users to view the ‘Security’ tab within file/folder properties.
- Users in this OU can utilize the ‘Security’ Tab within the File Properties dialogue by not configuring this option within the group policy and leaving it as ‘unconfigured’.
Let’s do that!
Right-click on the top-level domain and select New—>Organizational Unit within Active Directory Users and Computers.’
Name it ‘No_Security_Access’