• Group policies (GPOs)

  • Provision of central group policies for KIT organizational units. Group policies (GPOs) offer the simple option of configuring computer and user objects in an Active Directory with central settings.


Group policies (GPOs)

Group policies (GPOs) provide an easy way to configure computer and user objects in an Active Directory with centralized settings.

Prerequisites

  • You need write access to your Division in KIT-AD, i.e. a user account that is a member of the <OE>-Admins group, where <OE> stands for your organizational unit.
    • We recommend that you always use so-called administration accounts for administration;
    • You can informally apply for a personal administration account at the SCC ServiceDesk;
    • If you are already a member of the <OE>-Admins group with your personal IDM account, you can change the group membership yourself via the MMC "Active Directory Users and Computers" by exchanging your IDM account for your administration account;
  • You need the MMC "Group Policy Administration", which is part of the so-called Remote Server Administration Tools (RSAT).
  • The computers or users to be administered must be in the KIT-AD.

Procedure

  • Start the "Group Policy Management" MMC on your computer under your administration account; the following procedure is recommended for Windows 8 and higher:
    • press the Windows key and type the word Group Policy Management;
    • right-click on Group Policy Management in the results list and select "Pin to taskbar";
    • Then Shift-right-click on the new icon in your taskbar and select "Run as another user".
  • Alternatively, log in to our remote desktop server rds-adm.scc.kit.edu with your administration account and start the MMC "Group Policy Management" there.

Rules and notes

  • Important: ALL GPOs you create must start with your OE abbreviation!!! Otherwise we reserve the right to rename or delete GPOs!!!
  • You can copy third-party GPOs and rename the copies accordingly and adapt them to your requirements.
    • Copies of GPOs are called either "Copy ..." or "Copy ..." depending on the language of your operating system.
  • You should never copy third-party GPOs without checking them;
  • You should never use third-party GPOs directly in your OU, as the third-party author could delete or change their GPO at any time;
    • This also applies to GPOs whose names begin with "SCC-";
  • GPOs that were created by you can only be changed by you; it may be advisable to also give the <OE>-Admins group write permissions;
  • GPOs whose names begin with "KIT-" apply to the entire KIT-AD and should only be blocked in absolutely exceptional cases;
  • GPOs whose names begin with "_OE-" are templates for you and should/may be copied and adapted accordingly;
  • The designations "B-" or "C-" after the prefix "KIT-" and "_OE-" indicate whether it is a GPO for user accounts or computer accounts;

Further links

The following websites are helpful when using group policies: