# GPO Creation & Verification

### Overview

Group Policy Objects (GPOs) are one of the most powerful tools in Active Directory. They allow an administrator to push settings, restrictions, and configurations to any user or computer in the domain automatically — without touching each machine individually. This is a daily tool at every MSP.

***

### What is a GPO?

A GPO is a named set of policy settings stored on the domain controllers (the object itself in Active Directory, its settings files in SYSVOL). Linking it to a site, domain, or OU makes it apply to the user and computer objects in that scope; in this lab it is linked to an OU. GPOs can control virtually every aspect of a Windows environment.

#### Real World Examples of GPOs Used at MSPs

| GPO                           | Purpose                     |
| ----------------------------- | --------------------------- |
| Screen lock after inactivity  | Security compliance         |
| Disable USB drives            | Data loss prevention        |
| Map network drives on login   | User convenience            |
| Block access to Control Panel | Prevent user tampering      |
| Push software installations   | Remote deployment           |
| Enforce password complexity   | Security policy             |
| Disable Command Prompt        | Prevent unauthorized access |
| Desktop wallpaper enforcement | Branding compliance         |

> **MSP Context:** GPOs are how MSPs manage dozens or hundreds of client machines simultaneously without physically touching them. A well structured GPO environment means changes roll out to every machine in scope automatically — saving enormous amounts of time and ensuring consistency across a client's entire fleet.

***

### GPO Created: IT-ScreenLock-Policy

#### Purpose

Automatically lock the screen on all computers in the IT OU after 5 minutes of inactivity.

#### Why This GPO

Screen lock policies are one of the most commonly required security controls in business environments. HIPAA's automatic logoff specification, the PCI DSS idle session timeout requirement, and most SOC 2 control sets expect unattended workstations to lock after a short idle period, so MSPs implement a lock-on-idle policy across client environments as standard practice.

***

### Creating the GPO

1. Opened Group Policy Management from Windows Administrative Tools
2. Expanded Forest → Domains → lab.local → LabCorp
3. Right clicked IT OU → Create a GPO in this domain and link it here
4. Named it: IT-ScreenLock-Policy
5. Clicked OK

***

### Editing the GPO

1. Right clicked IT-ScreenLock-Policy → Edit
2. Navigated to: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
3. Located: Interactive logon: Machine inactivity limit
4. Set value to: 300 seconds (5 minutes). The setting is entered in seconds, and on the client it lands as the InactivityTimeoutSecs registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is the value to check when verifying.
5. Closed the Group Policy Management Editor

***

### GPO Scope Settings

After creation, verified GPO scope in the Scope tab:

| Setting            | Value               |
| ------------------ | ------------------- |
| Link Enabled       | Yes                 |
| Enforced           | No                  |
| Security Filtering | Authenticated Users |

> **Link Enabled vs Enforced:**
>
> * Link Enabled: the link is active and the GPO applies to objects in scope; disabling the link is the quickest way to back a policy out without deleting it
> * Enforced: child OUs cannot block inheritance of this GPO, and an enforced link also wins conflicts with GPOs linked lower in the tree; not needed here but critical in complex OU hierarchies
>
> **Security Filtering:** Authenticated Users (which includes every domain computer account, not only user accounts) means the GPO applies to all users and computers in the linked OU, the standard default. Because this GPO carries only Computer Configuration settings, it is the computer account that needs Read and Apply Group Policy. If filtering is ever narrowed to a specific group, leave Authenticated Users or Domain Computers with Read, otherwise computers can no longer retrieve the GPO at all.
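
The same creation, link, inactivity-limit and scope steps can be scripted. The block below is an added example written for this page, not part of the original lab notes, and it assumes the RSAT GroupPolicy and ActiveDirectory modules (run on the DC or an admin host), an account allowed to create GPOs, and that the IT OU's distinguished name is OU=IT,OU=LabCorp,DC=lab,DC=local (inferred from the GPMC tree, not stated on the page). The variable names are the example's own. It goes one step beyond the GUI procedure by checking up front that the test computer actually sits under the linked OU, which is the most common reason a GPO never shows up on a client.

```powershell
# Added example (not from the original lab notes): IT-ScreenLock-Policy built and checked from PowerShell.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules available; account can create/link GPOs;
# the IT OU DN below is assumed from the GPMC tree shown in the notes (lab.local > LabCorp > IT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName        = 'IT-ScreenLock-Policy'
$TargetOU       = 'OU=IT,OU=LabCorp,DC=lab,DC=local'   # assumed DN of the IT OU
$TimeoutSeconds = 300                                   # 5 minutes, as in the lab
$TestComputer   = 'WIN10-CLIENT01'

# 1. Create the GPO if it does not already exist (safe to re-run).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lock interactive sessions after 5 minutes idle (IT OU)'
}

# 2. Link it to the IT OU: link enabled, not enforced, matching the Scope tab in the notes.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null
}

# 3. Set the inactivity limit. The GUI writes this as the Security Option
#    "Interactive logon: Machine inactivity limit" (security template). Set-GPRegistryValue
#    writes the same registry value as registry policy instead, so GPMC reports it under
#    "Extra Registry Settings"; the client ends up with the identical InactivityTimeoutSecs value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'InactivityTimeoutSecs' -Type DWord -Value $TimeoutSeconds | Out-Null

# 4. Verify scope: link state plus who holds Apply Group Policy (the Security Filtering list).
$link  = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
$apply = Get-GPPermission -Name $GpoName -All | Where-Object Permission -eq 'GpoApply'
[pscustomobject]@{
    Gpo               = $GpoName
    LinkEnabled       = $link.Enabled
    Enforced          = $link.Enforced
    SecurityFiltering = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
} | Format-List

# 5. Pre-flight for the classic "GPO not applied" cause: the computer account is not under the linked OU.
$pc = Get-ADComputer -Identity $TestComputer
if ($pc.DistinguishedName -notlike "*,$TargetOU") {
    Write-Warning "$TestComputer is at '$($pc.DistinguishedName)', not under $TargetOU. Move it (Move-ADObject -Identity <DN> -TargetPath '$TargetOU') or the policy will never reach it."
}

# 6. Settings report for the change ticket.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:USERPROFILE\Desktop\$GpoName.html"
```

If the report must show the setting under Security Options exactly as the GUI does, the value has to go into the GPO's GptTmpl.inf in SYSVOL rather than through Set-GPRegistryValue; for the client the effect is the same 300-second lock.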

***

### Applying and Verifying the GPO

#### Force GPO Update on Client

On WIN10-CLIENT01, opened Command Prompt and ran:

```
gpupdate /force
```

This makes the client pull and reapply all policies from the DC immediately rather than waiting for the background refresh, which on domain members runs every 90 minutes plus a random offset of up to 30 minutes (every 5 minutes on domain controllers). Without /force only settings that changed since the last refresh are reapplied. A few client-side extensions (software installation, folder redirection) apply only at startup or logon, so gpupdate offers a reboot or logoff when those are involved; the screen lock setting here takes effect immediately.

> **MSP Context:** gpupdate /force is one of the most used commands in MSP day to day work. Any time a policy is created or modified, technicians run this on affected machines to apply changes immediately without waiting for the next refresh cycle.

***

### Verifying GPO Application

#### Method 1 — gpresult /r

Returns a summary of the GPOs applied to the current user and computer. The computer section requires an elevated prompt; run unelevated it shows only the user settings. The output also prints the distinguished name of the computer and user objects, which shows at a glance whether the machine sits in the intended OU or still in the default Computers container.

Look for IT-ScreenLock-Policy under: Applied Group Policy Objects

#### Method 2 — gpresult /h (HTML Report)

Generates a detailed HTML report showing every GPO being processed, its status, and the reason each one was or was not applied. Open it in a browser for a full visual breakdown. Add /f to overwrite an existing report file.

> **Important:** Computer-side results require an elevated prompt; as a standard domain user the command fails with Access Denied (gpresult /scope user still works unelevated). An elevated prompt opened with a different account reports that account's user settings, not the logged-on user's; use gpresult /user LAB\jsmith /h C:\file.html to report a specific user's policies from an admin prompt.

#### Result

IT-ScreenLock-Policy confirmed as Applied in the HTML report alongside Default Domain Policy.

***

### Troubleshooting Notes

**Issue:** gpresult /r showed N/A for Applied Group Policy Objects initially

* **Cause:** WIN10-CLIENT01 was still in the default Computers container, outside the scope of the GPO linked to the IT OU. The distinguished name gpresult prints under COMPUTER SETTINGS (CN=WIN10-CLIENT01,CN=Computers,DC=lab,DC=local) gives this away.
* **Fix:** Moved WIN10-CLIENT01 into LabCorp → IT OU in Active Directory Users and Computers, then ran gpupdate /force. A plain domain join always creates the computer object in CN=Computers, so moving it into the correct OU belongs on every onboarding checklist.

**Issue:** gpresult /h returned Access Denied

* **Cause:** Command run as standard domain user (jsmith) without administrator privileges
* **Fix:** Ran Command Prompt as Administrator using LAB\Administrator credentials. Fine in a lab, but in production a Domain Admin credential typed on a workstation can be harvested from that machine; use a local or workstation-tier admin account for client-side troubleshooting.
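
The client-side refresh, verification and both troubleshooting checks above can be combined into one script. This is an added example written for this page, not the lab's own commands; it assumes an elevated PowerShell session on the domain-joined client, and the function names (Get-AppliedComputerGpos, Test-ScreenLockPolicy) are the example's own. It goes beyond gpresult alone by reading the computer's OU from AD, confirming the 300-second InactivityTimeoutSecs value actually landed in the registry, and checking the Group Policy operational log for errors from the refresh.

```powershell
# Added example (not from the original lab notes): client-side verification of IT-ScreenLock-Policy.
# Assumptions: elevated PowerShell on the domain-joined client (computer-side gpresult needs elevation);
# the GPO name and 300-second value come from the lab, the helper names are mine.

function Get-AppliedComputerGpos {
    # Parse the "Applied Group Policy Objects" list out of the computer section of gpresult /r.
    $collect = $false
    foreach ($line in (gpresult /r /scope computer)) {
        if ($line -match '^\s*Applied Group Policy Objects') { $collect = $true; continue }
        if (-not $collect) { continue }
        if ($line -match '^\s*-+\s*$') { continue }      # underline beneath the heading
        if ($line -match '^\s*$') { break }              # blank line closes the list
        $line.Trim()                                     # emits "N/A" when nothing applied
    }
}

function Test-ScreenLockPolicy {
    param([string]$GpoName = 'IT-ScreenLock-Policy', [int]$ExpectedSeconds = 300)

    # 1. Where does AD think this computer lives? Still in CN=Computers means out of scope of an OU-linked GPO.
    $search = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $dn = $search.FindOne().Properties['distinguishedname'][0]

    # 2. Pull computer policy now instead of waiting for the 90-minute background refresh.
    gpupdate /target:computer /force | Out-Null

    # 3. Is the GPO in the applied list?
    $applied = @(Get-AppliedComputerGpos)

    # 4. Did the setting actually land? "Interactive logon: Machine inactivity limit" is stored here.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $actual = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # 5. Any Group Policy errors (level 2) or warnings (level 3) logged during the last few minutes?
    $problems = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ComputerDN  = $dn
        InTargetOU  = ($dn -like '*,OU=IT,OU=LabCorp,DC=lab,DC=local')   # assumed DN of the IT OU
        GpoApplied  = ($applied -contains $GpoName)
        AppliedGpos = ($applied -join ', ')
        TimeoutSecs = $actual
        SettingOk   = ($actual -eq $ExpectedSeconds)
        GpProblems  = @($problems).Count
    }
}

$result = Test-ScreenLockPolicy
$result | Format-List

# Full HTML report for the ticket when something is off. /f overwrites an existing file.
# For jsmith's user-side results from this same elevated prompt: gpresult /user LAB\jsmith /h <file> /f
if (-not $result.GpoApplied -or -not $result.SettingOk) {
    gpresult /h "$env:TEMP\gpresult-$env:COMPUTERNAME.html" /f
}
```

InTargetOU false with GpoApplied false is the first troubleshooting case on this page (computer object in the wrong container); GpoApplied true with SettingOk false points at a problem inside the GPO itself, for which the HTML report and the operational log entries are the next stop.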

***

### Key Commands Reference

| Command                                     | Purpose                                                     |
| ------------------------------------------- | ----------------------------------------------------------- |
| gpupdate /force                             | Force immediate refresh of all user and computer settings   |
| gpupdate /target:computer /force            | Refresh only the computer side                              |
| gpresult /r                                 | Summary of applied GPOs (elevate for the computer section)  |
| gpresult /r /scope computer                 | Computer-side summary only                                  |
| gpresult /h C:\file.html /f                 | Full HTML GPO report, overwriting an existing file          |
| gpresult /user LAB\jsmith /h C:\file.html   | Report for a specific user's policies from an admin prompt  |

***

### Skills Practiced

* Creating and linking GPOs in Group Policy Management
* Navigating Computer Configuration policy paths
* Understanding GPO scope, filtering, and inheritance
* Forcing GPO updates with gpupdate /force
* Verifying GPO application with gpresult
* Generating and reading HTML GPO reports
* Troubleshooting GPO scope issues
* Understanding compliance driven GPO use cases
* MSP level Group Policy management
