Azure Identity And Access Management Part 31 – Azure Active Directory – Domain Service ( Azure AD-DS) 6 – Manage Group Policy Object (GPO)
Hope you all are doing good !!!
In our last article we discussed how to create an Organizational Unit (OU). In this article we will discuss how to manage Group Policy Objects (GPOs) in an Azure Active Directory Domain Services managed domain.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.
Azure AD DS Group Policy Objects (GPO) :
Group Policy Objects (GPOs) play an important role in Azure Active Directory Domain Services (Azure AD DS). Using GPOs, we can manage the settings of user objects and computer objects. Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. We can customize these built-in GPOs to configure Group Policy as required for our organization, and an administrator can also create custom GPOs. Members of the AAD DC Administrators group have Group Policy administration privileges in the Azure AD DS managed domain.
In a hybrid environment, Group Policy settings configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. If we want to define configuration settings for users or computers in Azure AD DS, we need to edit one of the default GPOs or create a custom GPO in the managed domain.
Before we proceed to create our custom Group Policy, we need the following resources and privileges.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
- A Windows Server management VM that is joined to the Azure AD DS managed domain.
- A user account that is a member of the AAD DC Administrators group in your Azure AD tenant.
Lab Exercises :
Install Group Policy Management Tools In Domain Joined VM :
The Group Policy Management tools are what we use to manage and configure Group Policy Objects (GPOs). If they are not installed yet, we need to install them; on Windows Server they are available as a feature. Let's go through the following steps to install them.
Step 1 – Log in to the Azure Portal and create a new Windows Server virtual machine (VM) in the same VNet where we configured Azure AD DS, but in a different subnet. I have created a virtual machine named 'Manas-AADDS'. We discussed how to join this VM to the managed domain and install the administrative tools on it in our previous session.
Step 2 – Let's connect to the VM. As we can see in the following figure, there are different ways to connect to the VM. Here I am connecting through Bastion. In the Overview pane of our VM, select Connect, then Bastion, provide the credentials of a user who is a member of the built-in AAD DC Administrators group, and click Connect.
Step 3 – Once connected to the VM, open the Start menu and choose Server Manager. Under 'Configure this local server', click the Add roles and features link as shown in the following figure.
Step 4 – This opens the Add Roles and Features Wizard. We can skip the Before you begin page, so click Next to proceed.
Step 5 – On the Installation Type page, keep the default Role-based or feature-based installation option selected and click Next.
Step 6 – On the Server Selection page, choose the current VM from the server pool (here it is Manas-AADDS.manasmoharana.microsoft.com), then click Next as shown in the following figure.
Step 7 – On the Server Roles page, keep the default settings and click Next.
Step 8 – On the Features page, select the Group Policy Management feature as shown in the following figure.
Step 9 – On the Confirmation page, click Install to install the Group Policy Management tools.
Step 10 – Once the feature installation is complete, click Close to exit the wizard.
As shown in the following figure, we can check the result by clicking the notification at the top right of the page, where we can see that the feature was installed successfully on the server.
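The same preflight checks and installation can be done from an elevated PowerShell session on the management VM instead of clicking through Server Manager. The script below is an added example and is not part of the original article; it assumes you are signed in to the VM with the account you used through Bastion, and it uses the feature name GPMC (the Server Manager display name is Group Policy Management) and adds RSAT-AD-PowerShell so the ActiveDirectory module is available later.

```powershell
# Added example (not from the original article): preflight checks plus GPMC
# installation from an elevated PowerShell session on the domain-joined VM.
# Assumption: run as the same AAD DC Administrators member used for Bastion.

# 1. Confirm the VM is joined to the managed domain; GPOs of the managed
#    domain are only visible from a domain-joined machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "VM $($cs.Name) is not domain joined; join it to the managed domain first."
}
Write-Host "Joined to domain: $($cs.Domain)"

# 2. Confirm the signed-in user holds the AAD DC Administrators group in its
#    token. Membership is managed in Azure AD, not in the managed domain, and a
#    user added to the group must sign out and back in before the token shows it.
$groups = whoami /groups
if (-not ($groups | Select-String -SimpleMatch 'AAD DC Administrators')) {
    throw "Current user is not a member of 'AAD DC Administrators'; GPO edits will be denied."
}

# 3. Install Group Policy Management (feature name GPMC) and the AD PowerShell
#    module. Already-installed features are skipped, so the script is re-runnable.
$features = 'GPMC', 'RSAT-AD-PowerShell'
$missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if (-not $result.Success) { throw "Feature installation failed with exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation.' }
}

# 4. Verify, which is the same information the Server Manager notification shows.
Get-WindowsFeature -Name $features | Format-Table Name, DisplayName, InstallState -AutoSize

# 5. Sanity check that the GroupPolicy module can now read the managed domain:
#    the two built-in GPOs (AADDC Computers, AADDC Users) should be listed.
Import-Module GroupPolicy
Get-GPO -All | Sort-Object DisplayName | Format-Table DisplayName, GpoStatus, ModificationTime -AutoSize
```

The group check in step 2 reads the current logon token rather than querying the directory, because a directory query would pass even when the session was opened before the user was added to the group, which is the usual reason GPO edits are unexpectedly denied.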
Modify Existing GPO in Managed Domain :
In the above section we installed the Group Policy Management feature. Now we can view and edit an existing GPO with this tool. To administer Group Policy in a managed domain, we must be signed in with a user account that is a member of the AAD DC Administrators group. In our case we will use firstname.lastname@example.org. So let's start managing GPOs with the Group Policy Management Console by going through the following steps.
Step 1 – With our VM session open (here via Bastion), go to the Start screen and select Administrative Tools. It lists the available management tools, including the Group Policy Management console installed in the above section.
Step 2 – Select Group Policy Management to open the Group Policy Management Console (GPMC), as shown in the following figure, where we can see our domain manasmoharana.onmicrosoft.com.
Step 3 – As we can see on the left side of the following figure, under the manasmoharana.onmicrosoft.com managed domain there are two built-in Group Policy Objects (GPOs): AADDC Computers and AADDC Users.
We can customize built-in GPOs to configure group policy as required by our organization within our managed domain.
Step 4 – Right-click the GPO we want to modify and choose Edit from the context menu, as shown in the following figure.
Step 5 – The Group Policy Management Editor opens and lets us customize the GPO. As we can see in the following figure, there are two sections: Computer Configuration and User Configuration. Let's modify the password policy under Computer Configuration.
Step 6 – Expand Computer Configuration => Policies => Windows Settings => Security Settings => Account Policies => Password Policy, modify the Minimum password age property as shown in the following figure, and click OK. The editor writes the change to the GPO as soon as we click OK; there is no separate save step. Domain-joined computers pick up the updated settings at their next Group Policy refresh, which by default runs every 90 minutes with a random offset of up to 30 minutes (run gpupdate /force on a machine to apply them immediately). Keep in mind that Account Policies in a GPO linked to the AADDC Computers container govern only the local accounts on those computers; the password policy for the managed domain's own user accounts is configured with fine-grained password policies, not through this GPO.
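Before editing a built-in GPO it is worth taking a backup and a readable report of its current settings, and after the edit it is worth confirming where the GPO is linked and pushing a refresh to one test machine instead of waiting for the 90-minute cycle. The script below is an added example, not code from the original article; it uses the AADDC Computers GPO of the article's managed domain, and the backup folder C:\GPO-Backups is an assumed path. It needs the GroupPolicy and ActiveDirectory modules (GPMC and RSAT-AD-PowerShell features).

```powershell
# Added example (not from the original article): backup, report, link check and
# targeted refresh for the built-in AADDC Computers GPO. Assumed: the backup
# path C:\GPO-Backups and the GroupPolicy/ActiveDirectory modules being present.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName    = 'AADDC Computers'
$backupRoot = 'C:\GPO-Backups'
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Back up the GPO before touching it. Backup-GPO stores settings, ACLs and a
#    manifest, so the pre-change state can be put back with Restore-GPO if an
#    edit locks the computers in the container out.
$backup = Backup-GPO -Name $gpoName -Path $backupRoot -Comment "Pre-change backup $(Get-Date -Format s)"
Write-Host "Backup $($backup.Id) written to $backupRoot"

# 2. Export a human-readable report of the current settings for review and for
#    comparison with a report taken after the change.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$report = Join-Path $backupRoot ("{0}-{1}.html" -f ($gpoName -replace ' ', '_'), $stamp)
Get-GPOReport -Name $gpoName -ReportType Html -Path $report

# 3. Resolve the container by name rather than hard-coding its DN, then list the
#    GPOs linked to it in precedence order. An Enforced link cannot be blocked
#    by child OUs, which matters once custom OUs are created under it.
$container = Get-ADOrganizationalUnit -Filter "Name -eq '$gpoName'"
if (-not $container) { throw "Container '$gpoName' not found in the managed domain." }
(Get-GPInheritance -Target $container.DistinguishedName).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 4. After the change in the editor, confirm it was committed: the modification
#    time and the computer-side version number move as soon as OK is clicked.
Get-GPO -Name $gpoName | Select-Object DisplayName, ModificationTime,
    @{ n = 'ComputerVersion'; e = { $_.Computer.DSVersion } },
    @{ n = 'UserVersion';     e = { $_.User.DSVersion } }

# 5. Push a foreground refresh to this VM instead of waiting for the scheduled
#    cycle, then capture the resultant set of policy to see what really applied.
$testComputer = $env:COMPUTERNAME
Invoke-GPUpdate -Computer $testComputer -Force -RandomDelayInMinutes 0
Get-GPResultantSetOfPolicy -Computer $testComputer -ReportType Html -Path (Join-Path $backupRoot "$testComputer-rsop-$stamp.html")
```

Step 5 targets the local VM; pointing Invoke-GPUpdate at another computer requires the remote scheduled-task firewall rules to be open on it. The RSoP report is the quickest way to confirm whether an Account Policies setting in this GPO reached a machine, and to see that it did not change the domain password policy itself.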
Create And Edit A Custom Group Policy Object :
Azure AD Domain Services provides simple Group Policy out of the box, in the form of one built-in GPO each for the users and computers containers. By default a managed domain has a flat OU structure, with all domain-joined machines residing in the AADDC Computers container, but members of the AAD DC Administrators group can create custom OUs. We can create our own custom Group Policy Object (GPO) and link it to such a custom Organizational Unit (OU).
In our last article we discussed how to create an OU. Now we will discuss how to create a GPO and link it to our new OU 'Knowledge Junction'.
Step 1 – In the Group Policy Management Console (GPMC), expand the domain; it shows all available OUs. In the following figure we can see our Knowledge Junction OU, and at the moment there is no GPO linked to it.
Step 2 – To create a custom GPO for our Knowledge Junction OU, right-click the OU and choose 'Create a GPO in this domain, and Link it here...' from the context menu, as shown in the following figure.
Step 3 – A dialog asks for the name of the new GPO. Let's choose a name that follows our organization's naming convention; I am using 'Knowledge Junction User Policies'. Leave the remaining setting (Source Starter GPO) as it is and click OK.
Step 4 – As we can see in the following figure, our new custom GPO has been created and linked. Now let's modify it to satisfy our requirement. To modify this GPO we follow the same process as for the built-in GPO: right-click the GPO and choose Edit from the context menu.
Step 5 – Let's assume that for security reasons we require complex passwords. To enforce this, we modify the password policy under Computer Configuration => Policies => Windows Settings => Security Settings => Account Policies => Password Policy and enable the 'Password must meet complexity requirements' option, as shown in the following figure. The change is written to the GPO as soon as we click OK. Because this GPO is linked to an OU rather than to the domain, the setting applies to the local accounts of computers placed in the Knowledge Junction OU; complexity requirements for managed-domain user accounts are enforced through a fine-grained password policy.
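The whole procedure, create the GPO, link it to the OU, give it a setting that actually targets the OU's users, and enforce password complexity where it binds for domain accounts, can be scripted. The script below is an added example and not the article's own steps; it keeps the OU and GPO names from the article, while the fine-grained policy name KJ-Users-PSO, the group 'Knowledge Junction Users' (assumed to contain the OU's users) and the screen-lock values are illustrative choices. Fine-grained password policies are the same objects Active Directory Administrative Center creates in a managed domain, and an AAD DC Administrators member can create them.

```powershell
# Added example (not from the original article): create and link the
# 'Knowledge Junction User Policies' GPO, set a User Configuration policy, and
# apply password complexity to the domain accounts with a fine-grained policy.
# Assumed names: the PSO 'KJ-Users-PSO' and the group 'Knowledge Junction Users'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Knowledge Junction User Policies'
$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Knowledge Junction'"
if (-not $ou) { throw "OU 'Knowledge Junction' not found; create it first." }

# 1. Create the GPO if missing and link it to the OU. A GPO that exists but is
#    not linked applies to nothing, so the link is checked separately.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User settings for the Knowledge Junction OU'
}
$links  = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks
$linked = $links | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 2. This is a user policy, so configure a User Configuration setting that binds
#    to the users in the OU: a password-protected screen lock after 10 minutes,
#    written to the registry-backed Personalization policy under HKCU.
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Guid $gpo.Id -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null

# 3. Password complexity for the domain accounts is not something an OU-linked
#    GPO can enforce. It is done with a fine-grained password policy (PSO)
#    applied to a group; the lowest Precedence wins when several PSOs match.
$psoName = 'KJ-Users-PSO'
$group   = 'Knowledge Junction Users'   # assumed group holding the OU's users
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 4. Verify: what the OU links now, and which password policy one member of the
#    group actually receives (the resultant PSO, not the GPO setting).
(Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
Get-ADGroupMember -Identity $group | Select-Object -First 1 | ForEach-Object {
    Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName |
        Select-Object Name, ComplexityEnabled, MinPasswordLength, LockoutThreshold
}
```

One caveat on step 3: for accounts whose password is set in Azure AD and synchronized into the managed domain, Azure AD applies its own complexity rules at the moment the password is set, so the PSO is what governs accounts created directly in the managed domain and the lockout behaviour inside it.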
With the above information, I am concluding this article. Hope this post helps you.
As I am exploring Azure Identity and Access Management (IAM) in detail, especially with Active Directory, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂