Windows Server 2016 006: Organizational Units and Group Policy Objects

In this article I’ll be covering the very basics of Organizational Units (OUs) and Group Policy Objects (GPOs).

An OU is very much like a folder in which you can place Users, Groups, Computers and other OUs. GPOs allow for very fine grain control over what users are able to do with their computers. For example, being able to open Control Panel, change the Desktop Background or open Task Manager. You can also map network drives at login and other useful tasks. You can link GPOs to a Domain or OU and everything within the Domain/OU will inherit the GPOs.

Create an Organizational Unit

Here I’ll explain how to create and OU and put some users and groups in to it.

  1. In Server Manager, open Tools in the top right and click on Active Directory Users and Computers
  2. Right click your domain and go New > Organizational Unit
  3. Type in a name and press OK

Placing users, groups or computers in these OUs is as simple as dragging and dropping them in.

Group Policy Objects

Creating GPOs and linking them to an OU is rather easy, however mastering GPOs will take a lot more time and experience. Here I’ll show you enough to get you on your feet tinkering with all the fancy bells and whistles GPOs have to offer.

  1. In Server Manager, open Tools in the top right and click on Group Policy Management
  2. Expand down as shown in the image and Right click on Group Policy Objects
  3. Enter and name and click OK
  4. Right click on a OU you’ve added Users to and click on Link an Existing GPO…
  5. Pick the GPO you created and click OK

You now have your GPO linked to an OU. We’ll go edit the GPO settings now. I’ll disable Task Manager and lock users task bar as these are obvious ones to show off at the end.

  1. Click on Group Policy Objects, Right click the GPO that you made and click Edit
  2. Expand down User Configurations > Policies > Administrative Templates and click on Start Menu and Taskbar
  3. Find the option do Lock the Taskbar, Double click on it and Enable it
  4. Expand down System (below Start Menu and Taskbar) and click on Ctrl+Alt+Del options
  5. Double click Remove Task Manager and enable it.

Now, go to a client computer and login to a user that was in the OU you linked the GPO to (The GPO changes will only take effect after users logout and login again, they aren’t a real time change). You’ll see the user is no longer can open Task Manager or Unlock the Taskbar.


Now that you have this knowledge, the best way to gain experience with GPO is to lock down a system and then go to that system and try to break things. Your main goals are generally to stop people breaking their own systems or getting distracted with non work tasks.

Share this post

This Post Has 4 Comments

  1. David Hyde

    This is very help full.

    1. John Keen

      Thank you!

  2. jason grimes

    Can this be used to apply different session timeout periods for users? For example, I have 100 users and I want 10 of them to be able to be idle on a server for an hour before getting the boot and 90 can only stick around for 15 minutes. Would this be a way to manage this task?

Leave a Reply