100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
← PreviousNext →
RATIO
THE FOUNDATION OF IRON · COURSE MATERIAL · WEEK 23
◆◆◆
GROUP POLICY
OBJECTS — GPO
Week 23 of 26 · Block 8 — Active Directory & GPO
9h theory · 26h practice
◆ WEEKLY LEARNING OBJECTIVES

1. Understand GPO principles (inheritance, precedence, scope)
2. Create and link GPOs to OUs, sites or the domain
3. Configure security and configuration GPOs
4. Deploy settings to client machines via GPO
5. Diagnose a GPO conflict or a GPO not being applied

◆◆◆
◆ SEQUENCING NOTE

GPOs are taught here, immediately after Active Directory (Week 22), of which they are a direct feature. Teaching GPOs without a previously deployed Active Directory would be meaningless — that is exactly the reason for the sequencing chosen in this programme.

Amine RAITI · Infrastructure Architect & SRE
Public document · CC BY-NC-SA 4.0 · AI Powered by Amine
Opération Dindon
RATIO
COURSE OUTLINE · 9H
THEORY GUIDING THREAD
23.1 · GPO principles3h
— Definition: a GPO is a set of configuration settings applied to users or computers in the domain
— Scope: a GPO can be linked to a site, a domain, or an OU
— Application order: Local → Site → Domain → OU (LSDOU) — in a conflict, the child OU's GPO wins
— Inheritance: a child OU inherits its parent's GPOs unless explicitly blocked
23.2 · Types of GPO settings3h
— Computer Configuration: applied at machine startup, regardless of the logged-in user
— User Configuration: applied at user login, on any domain machine
— Common settings examples: password policy, screen lock, network drive mapping, system settings restrictions
23.3 · Diagnosing and resolving GPO conflicts3h
— Diagnostic tools: Group Policy Results (RSoP), gpresult, event log
— Common causes of non-application: misconfigured security filter, unlinked GPO, name resolution error (link with Week 21 — DNS)
— Inheritance blocking and enforcement: when and why to use them cautiously
RATIO
EXERCISE 1 · CREATING AND DEPLOYING GPOs · 13H

Equipment: domain controller (Week 22), domain-joined client machines, provided configuration scenario.

(3h) Creating a security GPO on the domain: password policy (minimum length, complexity, lifetime), account lockout after N failed attempts — applying to client machines and verifying.
(3h) Creating a user configuration GPO on the Technical OU: automatically mapping a network drive (the Week 12 share) at login — verify only Technical OU users see this drive.
(3h) Creating a restriction GPO on the Guests OU: block access to the Control Panel, disable Task Manager — verify application on the client machine logged in with a Guest account.
(2h) Creating a GPO conflicting with an inherited GPO, observing the result (which GPO applies?), resolving via inheritance blocking or enforcement.
(2h) Using gpresult to display the effective GPOs on a client machine, interpreting the report.
SOLUTION — EXERCISE 1

Expected behaviour for the network drive GPO: a user in the Technical OU sees the network drive automatically mapped at login on any domain-joined machine. A user in another OU does not see this drive — the security filter or OU scope guarantees isolation.

Interpreting the gpresult report: the report lists applied GPOs (with their origin OU) and denied GPOs (with the reason for denial) — it is the first-line diagnostic tool for any GPO not being applied issue.

RATIO
EXERCISE 2 · FULL GPO SCENARIO AND DIAGNOSIS · 13H

Equipment: full AD environment (Week 22 + Exercise 1).

(4h) Full scenario deployment: the fictitious company wants a different security policy for 3 user groups (Management: light restrictions, Technical: full access to system tools, Guests: maximum restrictions). Create and link the 3 corresponding GPOs.
(4h) Diagnosis exercise: the instructor secretly modifies the configuration (disables a GPO, changes a security filter, creates a conflict) — the trainee notices unexpected behaviour on a client machine and must diagnose via gpresult and event logs.
(3h) GPO administration via PowerShell (Get-GPO, New-GPO, Set-GPLink) — demonstrating equivalence with the GUI.
(2h) Documenting all deployed GPOs: summary table (name, scope, main settings, target users).
SOLUTION — EXERCISE 2

Expected diagnosis method: 1) check the GPO is linked to the correct OU (GPMC console), 2) check the security filter (the user's group must have Read and Apply rights), 3) force a GPO refresh on the client machine, 4) re-run gpresult to confirm.

◆ SUMMARY SHEET — WEEK 23 SELF-ASSESSMENT
1. I can explain GPO application order (LSDOU).
2. I can create and link a GPO to an OU.
3. I can configure security settings via GPO (password policy, lockout).
4. I can automatically map a network drive via GPO.
5. I can apply UI restrictions via GPO.
6. I can use gpresult to diagnose effective GPOs.
7. I can diagnose a GPO not being applied (filter, link, conflict).
8. I can administer GPOs via PowerShell.
← PreviousNext →