Securing Computers with Group Policy (a simple example)

by Greg Thatcher, MCSD, MCDBA, MCSE


This document provides the reader with a simple example of how an Administrator can specify lock-down settings for any number of users and computers in an office or enterprise, and have those settings applied automatically in bulk to those users and machines without having to physically visit each of those machines.

To perform this "configuration magic", your office or enterprise must have Active Directory installed and working.

In this simple example, we will pretend that we wish to lockdown the configuration of three users: Anne, Ben, and Betty. All three users are members of the Accounting Department, and any future members of the Accounting Department should have the same security settings applied to them. There are many security settings we may apply to these users. For this simple example, we will configure the following three:
  • We will disable the Control Panel, as the CTO has asked that these users be prevented from reconfiguring their systems in an effort to reduce support costs.
  • We will set the Home Page for Internet Explorer
  • We will disable the Run Menu


To begin, login to one of the computer's that serves as your domain controller, and run the "Active Directory Users and Computers" mmc console by clicking on Start->Programs->Administrative Tools->Active Directory Users and Computers. Click on the "Users" container to see a list of users.

Active Directory MMC

If you need to create a new user account, right click on the Users container and choose New->User to create the user.

New User

Next, right click on your domain name (listed at the top of the left panel), and choose New->Organizational Unit. Create a new Organizational Unit (OU) called "Accounting".

New OU

Left click on the "Users" container. Then right click on the "Anne" user account and choose "Move".

Move User

Choose "Accounting" to move the user named "Anne" to the Accounting Organizational Unit. Repeat the steps above to move the use accounts for Ben and Betty to the Accounts OU.

Move Dialog


Click here to continue this tutorial.