---
description: This week we created organizational units and group policy on our AD server
---

# Lab05 - ADDS & Group Policy

### Create organizational units and add users/computers/groups

* Server Manager -> Active Directory Users and Computers
* right-click nathan.local -> New -> Organizational Unit (named SYS255)
* right-click SYS255, create three child OUs (Accounts, Computers, and Groups)
* add users Alice, Bob, and Charlie to SYS255/Accounts (default password is Pass123!)
* move WKS01-NATHAN from nathan.local/Computers to nathan.local/SYS255/Computers
* within the SYS255\Groups OU, add a global security group called custom-desktop with users Alice and Bob (not Charlie) as members

### Create group policy

* Server Manager -> Group Policy Management
* right-click nathan.local/SYS255 -> Create GPO in this domain... (name it sys255-desktop)
* click sys255-desktop, under Security Filtering, add the custom-desktop global security group
* remove Authenticated Users
* add Domain Computers
* Delegation tab -> Advanced -> Domain Computers -> uncheck Apply Group Policy and select Deny

### Edit group policy

* right-click sys255-desktop -> Edit

#### remove the recycling bin

![image](../assets/lab05-1.png)

#### disable last login

* create a GPO under SYS255/Computers
* apply security filtering to only domain computers
* right-click DisableLastLogin -> Edit

### Useful commands

`gpresult /r` - shows a summary of group policy on a workstation\
`gpresult /scope computer /r` - shows a summary of computer-specific group policy\
`gpupdate /force` - forces a group policy update
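
The OU, account, group and security-filtering steps from the first two sections can also be scripted. The PowerShell below is an added example, not part of the original lab notes; it assumes the ActiveDirectory and GroupPolicy modules on the domain controller, the distinguished name `DC=nathan,DC=local` derived from nathan.local, and logon names equal to the user names. The explicit Deny entry from the Delegation tab is left to the GUI step, because `Set-GPPermission` only grants Read, Apply or Edit levels; here Domain Computers gets Read without Apply.

```powershell
# Added example: scripted equivalent of the lab's GUI steps (not the lab's own code).
# Assumption: run on the domain controller by a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=nathan,DC=local'      # derived from nathan.local
$labOu    = "OU=SYS255,$domainDn"
$gpoName  = 'sys255-desktop'

# SYS255 and its three child OUs
New-ADOrganizationalUnit -Name 'SYS255' -Path $domainDn
foreach ($child in 'Accounts', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $child -Path $labOu
}

# Lab users in SYS255/Accounts with the lab's default password
$password = ConvertTo-SecureString 'Pass123!' -AsPlainText -Force
foreach ($user in 'Alice', 'Bob', 'Charlie') {
    # Assumption: SamAccountName is the same as the user name
    New-ADUser -Name $user -SamAccountName $user -Path "OU=Accounts,$labOu" `
        -AccountPassword $password -Enabled $true
}

# Move the workstation out of the default Computers container
Get-ADComputer -Identity 'WKS01-NATHAN' |
    Move-ADObject -TargetPath "OU=Computers,$labOu"

# Global security group with Alice and Bob only (Charlie stays out)
New-ADGroup -Name 'custom-desktop' -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$labOu"
Add-ADGroupMember -Identity 'custom-desktop' -Members 'Alice', 'Bob'

# Create the GPO and link it to the SYS255 OU
New-GPO -Name $gpoName | New-GPLink -Target $labOu | Out-Null

# Security filtering: grant the new trustees first, then drop Authenticated Users
Set-GPPermission -Name $gpoName -TargetName 'custom-desktop' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Review the resulting filter: only custom-desktop should hold GpoApply
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The policy settings themselves are still edited in Group Policy Management as described above; afterwards, `gpupdate /force` and `gpresult /r` on WKS01-NATHAN confirm that the GPO applies to Alice and Bob but not Charlie.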