Creating Starter Group Policy Objects for Quick Policy Baselines

If you are lucky to build a complete Active Directory infrastructure from scratch, then you know how much planning and consideration goes into the whole process. And it doesn’t just stop with delivering the environment. You have to also consider ongoing management of the environment.

That’s why you should consider using Starter Group Policy objects.

Starter Group Policy object is just a blank, or clean slate if you will, Group Policy Object. The purpose of these objects is to allow an administrator to create and have a pre-configured group of settings that represent a baseline for any future policy that is to be created. These settings can then be copied into a more formal Group Policy Object that is then applied to single or multiple organizational units (OU’s for short). Copying these starter objects preserves your baseline strategy and allows you to dynamically add or remove settings that shouldn’t be applied to future objects.

Are you an IT pro ready to take your career to the next level? If so, join our contributor program! You don't have to be an expert presenter, a Microsoft MVP or even have a blog. We want your knowledge! You will be coached on presentation skills, become a member of our awesome community and get paid some nice side hustle income every, single month! Sign up today!.

These objects are great for settings that will not be changing, such as specific security related protocol configurations, Windows Update settings, particular software settings or registry entries to name a few. The choice is yours as a Sysadmin and can reflect whatever strategy you are employing.

Here’s a scenario:

You walk into your work area and just as you start sipping that already cold cup of coffee because you’ve been stopped 15 times on your way to your area, you open your email to discover you are being asked by the boss to aid in deploying Group Policy in an environment. You are also given a list of baselines required for this new deployment from your security team or boss.

You could begin assigning these baselines to ordinary policy objects using the Group Policy Management Console or because you are a long-term thinker, you decide to step back and see if you can maybe automate some of this task and memorialize these baselines better.

You open up your trusty PowerShell console and start looking for cmdlets. You then search for the module ‘GroupPolicy’ and import it. Looking at the available cmdlets, you find two that look like they are exactly what you need, New-GPStarterGPO and Get-GPStarterGPO.

After looking at the help you see that creating this one by one or even as a loop is pretty straightforward and there are only but a couple of necessary Parameters, -Name and -Comment.

Armed with this new info, you create a small foreach loop through an array of names & comments and pass them off to the New-GPStarterGPO cmdlet, creating 5 new baseline policies to be edited later by your intern. Time for a beverage refill.

Leave a Reply

Your email address will not be published. Required fields are marked *