Creating and managing a Group Policy in Windows Server 2016
In this article, we look at how to create a Group Policy Object (GPO) in Windows Server 2016. First, open the Group Policy Management console from Server Manager. Using Group Policy Management (GPM), we can assign various policies to organizational units (OUs). Here is a simple example of creating a GPO. Right-click the domain name and click "Create a GPO in this domain, and Link it here". Give the new GPO a name (we use Information Security) and click OK.
Right-click the Group Policy Object and click Edit.
As a simple example of editing a GPO, go to Policies > Windows Settings > Security Settings > Account Policies > Password Policy, click Maximum password age, change the number of days after which passwords expire, and click OK. To check which policies are enabled, click the GPO and then click Settings.

Block Inheritance Group Policy
Block Inheritance prevents Group Policy from the parent level from being inherited by an organizational unit, so inherited policies are not applied to the OU where inheritance is blocked. For example, right-click the organizational unit and click Block Inheritance. In our example, the blocked organizational units are now BPO and Technical Dept.

Enforced Group Policy
Enforcing a policy gives it precedence and applies it to all the OUs below it in Active Directory. This means that even if you have blocked an OU using Block Inheritance, Enforce overrides that setting and applies whatever policy is enforced. So be careful when selecting Enforce: it overrides the block and applies the policy, which may cause issues if any OUs are defined that require different settings.
To enable Enforce, right-click the GPO and select Enforced.

Link Enabled GPO
Link Enabled means that the Group Policy is linked to the OU, so the policy applies to the objects within the OU. Right-click the GPO and select Link Enabled. By default, Group Policy refreshes on clients every 90 minutes, which means a client contacts Active Directory every 90 minutes to check for policy changes and applies any changed or new policies that are applicable to that client. If you want to update immediately, run gpupdate /force on the client, which checks for and applies updates.
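
The same steps can be scripted with the GroupPolicy and ActiveDirectory PowerShell modules, followed by a report that shows which inherited links still reach an OU after Block Inheritance. This is an added example, not part of the original article; it assumes the BPO and Technical Dept OUs sit directly under the domain root, and the report file path is a placeholder.

```powershell
# Added example. From the article: GPO name "Information Security" and the OUs
# "BPO" and "Technical Dept". Assumed: both OUs sit directly under the domain root.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$gpoName  = 'Information Security'
$blocked  = "OU=BPO,$domainDn", "OU=Technical Dept,$domainDn"   # assumed paths

# Create the GPO and link it at the domain root (skipped if it already exists).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $domainDn -LinkEnabled Yes | Out-Null
}
# Maximum password age is a security setting; edit it in the GPO editor as described above.

# Block inheritance on the two OUs.
foreach ($ou in $blocked) {
    Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null
}

# Enforce the domain-level link. Comment this line out and re-run to compare the report.
Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes -LinkEnabled Yes | Out-Null

# Per OU: is inheritance blocked, which links apply, and which of them are enforced.
# On a blocked OU, an enforced link from a parent still appears in InheritedGpoLinks.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $som = Get-GPInheritance -Target $_.DistinguishedName
    [pscustomobject]@{
        OU        = $_.Name
        Blocked   = $som.GpoInheritanceBlocked
        Effective = ($som.InheritedGpoLinks.DisplayName) -join ', '
        Enforced  = ($som.InheritedGpoLinks | Where-Object Enforced |
                        ForEach-Object DisplayName) -join ', '
    }
} | Format-Table -AutoSize

# Equivalent of the Settings tab: export the configured settings for review.
$report = Join-Path $env:TEMP 'InformationSecurity-GPO.html'   # placeholder path
Get-GPOReport -Name $gpoName -ReportType Html -Path $report

# On a client, apply the change without waiting for the 90-minute refresh:
#   gpupdate /force
```

With the link enforced, Information Security appears in the Enforced column for BPO and Technical Dept even though Blocked is True, which is the override behaviour described in the Enforced section.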