Welcome to the ITFreeTraining video on Starter
GPOs and copying Group Policy Objects. If you create a lot of Group Policies that
are similar, this video will show you how to speed up that process. This video also
looks at how to copy Group Policy Objects in the same domain and between different domains.
You have probably come across a template before. For example, in an office it is not uncommon
for the office to have a fax template. Each time you want to send a fax, you simply copy
the fax template and make any changes that you require.
Group Policy has a template feature called Starter GPOs. Since there is already a
section in Group Policy called Administrative Templates, it is most likely Microsoft did
not want to use the term Template again. For this reason, the name Starter GPOs was
used, but essentially they work the same way as a traditional template would work.
Although a Starter GPO is copied to a new Group Policy just like you would expect a
template to be, it does not include all the settings in Group Policy. The Starter GPO
only includes the Administrative Templates part of Group Policy. If you require all the
settings, there is also a copy option that I will look at which will allow you to copy
a complete Group Policy Object.
I will now change to my Windows Server to have a look
at how to configure Starter GPOs and copy Group Policy Objects.
First of all, I will open Group Policy Management from Administrative Tools under the Start
menu. The first feature of Group Policy that I will look at is Starter GPOs, found under
Starter GPOs. Starter GPOs are not configured by default.
To start using Starter GPOs, select the option Create Starter GPOs Folder. You
will notice that once this option is selected, a number of Starter GPOs are created. These
were added with Windows Server 2008 R2. If you are not running Windows Server 2008 R2,
you can add these Starter GPOs by downloading the latest version of the Remote Server Administration
Tools.
The first Starter GPO is Windows Vista EC
Computer. EC stands for Enterprise Client. Windows Vista EC Computer contains a number of computer
Group Policy settings that Microsoft recommends for the standard enterprise client.
Below this, you can see Windows Vista SSLF Computer. SSLF stands for Specialized Security
Limited Functionality. SSLF is used for highly secure environments and environments with a
high risk of attack. It is designed to protect information of the highest value, for example
government systems holding confidential information. Any SSLF Starter GPOs tighten up security
on the system, making it more secure and resistant to attack.
This Starter GPO is for the computer side of Group Policy, but there are also Starter
GPOs for the user side as well.
If you want to create a new Starter GPO, you
can right click on Starter GPOs and select New. To create the Starter GPO, all you need
to do is enter a name and a comment if you wish.
Once the Starter GPO is created, I can then right click on it and select Edit. Notice
that the Starter GPO only has Administrative Templates; you cannot configure any other
settings in a Starter GPO.
For this demonstration, I will configure the
desktop wallpaper under User Configuration. You are free to configure as many settings
as you want. Once complete, the next step is to go back into Group Policy Management
and create a new Group Policy Object. In this case, I will create a new Group Policy
under London by selecting the option Create a GPO in this domain and link it here.
In this case, I will enter the name as London Office. Under this, notice that I have
the option to select a source Starter GPO. In this case, I will select the Starter GPO that
I just created called Default Branch Office.
The Group Policy has been created and linked
under the London OU using the Starter GPO as a template. If I edit the Group Policy
Object, notice how I have the option to edit any setting in the Group Policy that I want.
In the Starter GPO, I only had the option to edit Administrative Templates.
If I expand down in the user settings and down to the Desktop settings, notice that
the setting Desktop Wallpaper that I configured in the Starter GPO is configured. If I edit
the setting, notice I have complete control over it; I can even select the option Not
Configured. Once the Starter GPO is used to create a Group Policy Object, you have complete
control over which settings you change or leave. Also, any changes that you make do
not affect the original Starter GPO.
If you know what default settings you want
to use in advance, Starter GPOs can be very useful. In some cases you may already
have the Group Policy created that you want to copy and later modify. This Group Policy
may be in the same domain or a different domain. If the Group Policy is in the same domain,
it is a simple matter to copy the Group Policy Object. In this case, I will open Active Directory
Users and Computers and create a new Organizational Unit called Washington. Once the OU is created,
I can go back into Group Policy Management and press F5 to refresh the view.
In this case, I want to copy an existing Group Policy and link it to Washington. To do this,
expand into Group Policy Objects, right click the Group Policy Object that you want to copy
and select Copy. The next step is to right click Group Policy Objects and select Paste.
You will get the option to keep the existing permissions or use the default permissions.
If you are not sure, select the option for default permissions for new GPOs. It does
not take long to copy the Group Policy. Once complete, I will rename the Group Policy Object.
Once the Group Policy Object is copied and a suitable name given, the next step is to
link the Group Policy to the required OU.
In some cases, you may want to copy a Group
Policy Object from a different domain. If you want to copy the Group Policy Object from
domain to domain, one trick you can do is to right click the Group Policy Object that
you want to copy and select the option Back Up.
In this case, I will choose to back up the Group Policy to the desktop. Once I enter
the optional description, I will press Back Up to back up the Group Policy to the
desktop. Once the backup is complete, the next step is to import the settings.
Since the settings will be imported, it is a good idea to create a new Group Policy.
If you use an existing Group Policy Object, you will merge the backed up settings with
the settings that exist in that Group Policy. In this case, I will create a new Group Policy
Object LA. Once this is created, I can right click the Group Policy Object and select the
option Import Settings.
Once in the import wizard, I will skip past
the welcome screen. The next screen gives you the option to back up the GPO before starting
the import. This is a good idea if you are merging the settings with an existing Group
Policy. In this case, I am importing the settings into a brand new empty Group Policy so I will
not worry about backing up the settings.
On the next screen, I need to give the path
where I backed up the previous Group Policy. On the next screen, it should have a list
of the Group Policy Objects that are available to be imported. It is a good idea before the
import to press the button View Settings. This will allow you to see the settings that
will be imported.
Before the settings are imported, the wizard
will do a quick check for any UNC paths. UNC paths access a share directly by the server
and share name. For this reason, if you import the settings from a different forest, it is
possible that settings exist that reference a server that is not accessible from this
domain.
Once I press Finish on the wizard, the Group
Policy settings will be imported. Using this method gives you a way of copying Group Policy
between domains in different forests.
Thanks for watching this video from ITFreeTraining.
This video is part of the free Active Directory course. For more videos from this course and
others, please feel free to visit our website or YouTube channel. You can also subscribe
to our channel to ensure that you have the latest videos. Thanks for watching and see
you next time.
Thanks for watching this video from ITFreeTraining,
just one of the videos in this series for Active Directory. See you next time.
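
The back up and import procedure described in this video, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original video. The domain, GPO and OU names are placeholder assumptions, the helpers Find-UncPath and Test-UncServerResolves are hypothetical, and the script assumes an account and machine that can reach both domains.

```powershell
#Requires -Modules GroupPolicy
# Added example. Every name below is a placeholder assumption, not from the video.
$SourceDomain = 'source.example.com'
$TargetDomain = 'target.example.com'
$SourceGpo    = 'London Office'                      # GPO to copy
$TargetGpo    = 'LA'                                 # new GPO in the target domain
$TargetOu     = 'OU=LA,DC=target,DC=example,DC=com'  # hypothetical OU to link to
$BackupPath   = Join-Path $env:USERPROFILE 'Desktop\GpoBackup'

function Find-UncPath {
    # Return the distinct \\server\share references found in a GPO XML report.
    param([Parameter(Mandatory)][string]$ReportXml)
    [regex]::Matches($ReportXml, '\\\\[\w.-]+\\[^\s<>"]+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Test-UncServerResolves {
    # True when the server part of a UNC path resolves in DNS from this machine.
    param([Parameter(Mandatory)][string]$UncPath)
    $server = ($UncPath -split '\\')[2]
    try { [void][System.Net.Dns]::GetHostEntry($server); $true } catch { $false }
}

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Back up the source GPO (GPMC: right-click the GPO, Back Up).
$backup = Backup-GPO -Name $SourceGpo -Domain $SourceDomain -Path $BackupPath `
    -Comment "Copy for $TargetDomain"

# 2. Review what will be imported (GPMC: View Settings) and list UNC paths
#    whose server cannot be resolved, the same concern the wizard checks for.
$report = Get-GPOReport -Name $SourceGpo -Domain $SourceDomain -ReportType Xml
$unresolved = @(Find-UncPath -ReportXml $report |
    Where-Object { -not (Test-UncServerResolves -UncPath $_) })
if ($unresolved.Count -gt 0) {
    $unresolved | ForEach-Object { Write-Warning "Unresolvable UNC path: $_" }
    throw 'Fix the paths or supply a migration table before importing.'
}

# 3. Import the backup into a new GPO (GPMC: Import Settings).
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $TargetGpo `
    -Domain $TargetDomain -CreateIfNeeded | Out-Null

# 4. Link the new GPO to the OU.
New-GPLink -Name $TargetGpo -Domain $TargetDomain -Target $TargetOu | Out-Null
```

Where the two forests have no trust, run steps 1 and 2 in the source domain, move the backup folder, and run steps 3 and 4 in the target domain so the DNS check reflects what the target can reach.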