Where is the Group Policy located in Windows Server operating system?

How To Configure Group Policies to Set Security for System Services

  • 09/24/2021

This article describes how to configure Group Policies to set security for system services.

Applies to: Windows Server 2003
Original KB number: 324802

Summary

This article describes how to use Group Policy to set security for system services for an organizational unit in Windows Server 2003.

When you implement security on system services, you can control who can manage services on a workstation, member server, or domain controller. Currently, the only way to change a system service is through a Group Policy computer setting.

If you implement Group Policy as the Default Domain Policy, the policy is applied to all computers in the domain. If you implement Group Policy as the Default Domain Controllers policy, the policy applies only to the servers in the domain controller's organizational unit. You can create organizational units that contain workstation computers to which policies can be applied. This article describes the steps to implement a Group Policy on an organizational unit to change permissions on system services.

How to Assign System Service Permissions

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the domain to which you want to add the organizational unit, point to New, and then click Organizational Unit.

  3. Type a name for the organizational unit in the Name box, and then click OK.

    The new organizational unit is listed in the console tree.

  4. Right-click the new organizational unit that you created, and then click Properties.

  5. Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use the name of the organizational unit for which it is implemented), and then press ENTER.

  6. Click the new Group Policy object in the Group Policy Objects Links list (if it is not already selected), and then click Edit.

  7. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.

  8. In the right pane, double-click the service to which you want to apply permissions.

    The security policy setting for that specific service is displayed.

  9. Click to select the Define this policy setting check box.

  10. Click Edit Security.

  11. Grant the appropriate permissions to the user accounts and groups that you want, and then click OK.

  12. Under Select service startup mode, click the startup mode option that you want, and then click OK.

  13. Close the Group Policy Object Editor, click OK, and then close the Active Directory Users and Computers tool.

Note

You must move the computer accounts that you want to manage into the organizational unit. After the computer accounts are contained in the organizational unit, the authorized user or groups can manage the service.
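
The System Services setting configured above is saved in the GPO's security template (GptTmpl.inf, under Machine\Microsoft\Windows NT\SecEdit in the GPO's SYSVOL folder) as lines of the form "ServiceName",StartupMode,"SDDL" in the [Service General Setting] section. The following added example (not part of the original article) reviews such lines and reports ACEs that give a broad group more than start/stop control of a service. The function name, the list of broad trustees and the sample template text are assumptions constructed for illustration.

```powershell
# Constructed sample of a GptTmpl.inf; not taken from a real GPO.
# Line format: "ServiceName",StartupMode,"SDDL"
$sampleInf = @'
[Unicode]
Unicode=yes
[Service General Setting]
"Spooler",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"ExampleSvc",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)"
[Version]
signature="$CHICAGO$"
'@

$StartupMode = @{ '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled' }
# Assumed review list: Everyone, Authenticated Users, Users, Interactive, Domain Users.
$BroadTrustees = 'WD', 'AU', 'BU', 'IU', 'DU'
# SDDL right codes that go beyond starting, stopping or querying a service.
$RiskyRights = @{ DC = 'change config'; WD = 'write DACL'; WO = 'write owner'
                  SD = 'delete'; GA = 'generic all' }

# Hypothetical helper: returns one object per allow-ACE that needs review.
function Get-ServicePolicyFinding {
    param([string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Service General Setting'); continue
        }
        if ($inSection -and $line -match '^"([^"]+)",(\d),"([^"]*)"') {
            $service, $mode, $sddl = $Matches[1], $Matches[2], $Matches[3]
            # Allow ACEs only: (A;flags;rights;object;inherit-object;trustee)
            foreach ($ace in [regex]::Matches($sddl, '\(A;([^)]*)\)')) {
                $field = $ace.Groups[1].Value -split ';'
                if ($BroadTrustees -notcontains $field[4]) { continue }
                # Rights are assumed to be two-letter SDDL codes, not a hex mask.
                $hits = @([regex]::Matches($field[1], '[A-Z]{2}') |
                    ForEach-Object { $_.Value } |
                    Where-Object { $RiskyRights.ContainsKey($_) })
                if ($hits.Count -eq 0) { continue }
                [pscustomobject]@{
                    Service = $service; Startup = $StartupMode[$mode]; Trustee = $field[4]
                    Rights  = ($hits | ForEach-Object { "$_ ($($RiskyRights[$_]))" }) -join ', '
                }
            }
        }
    }
}

Get-ServicePolicyFinding -InfText $sampleInf | Format-Table -AutoSize
```

To review a real GPO, pass the text of its GptTmpl.inf (for example from Get-Content -Raw) instead of the sample.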


Use Group Policy to Configure Domain Member Client Computers

  • 07/29/2021

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

In this section, you create a Group Policy Object for all of the computers in your organization, configure domain member client computers with distributed cache mode or hosted cache mode, and configure Windows Firewall with Advanced Security to allow BranchCache traffic.

This section contains the following procedures.

  1. To create a Group Policy Object and configure BranchCache modes

  2. To configure Windows Firewall with Advanced Security Inbound Traffic Rules

  3. To configure Windows Firewall with Advanced Security Outbound Traffic Rules

Tip

In the following procedure, you are instructed to create a Group Policy Object in the Default Domain Policy; however, you can create the object in an organizational unit (OU) or other container that is appropriate for your deployment.

You must be a member of Domain Admins, or equivalent, to perform these procedures.

To create a Group Policy Object and configure BranchCache modes

  1. On a computer upon which the Active Directory Domain Services server role is installed, in Server Manager, click Tools, and then click Group Policy Management. The Group Policy Management console opens.

  2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

  3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy Object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.

  4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

  5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, BranchCache.

  6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The policy setting dialog box opens.

  7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

  8. To enable BranchCache distributed cache mode, in the details pane, double-click Set BranchCache Distributed Cache mode. The policy setting dialog box opens.

  9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.

  10. If you have one or more branch offices where you are deploying BranchCache in hosted cache mode, and you have deployed hosted cache servers in those offices, double-click Enable Automatic Hosted Cache Discovery by Service Connection Point. The policy setting dialog box opens.

  11. In the Enable Automatic Hosted Cache Discovery by Service Connection Point dialog box, click Enabled, and then click OK.

    Note

    When you enable both the Set BranchCache Distributed Cache mode and the Enable Automatic Hosted Cache Discovery by Service Connection Point policy settings, client computers operate in BranchCache distributed cache mode unless they find a hosted cache server in the branch office, at which point they operate in hosted cache mode.

  12. Use the procedures below to configure firewall settings on client computers by using Group Policy.

To configure Windows Firewall with Advanced Security Inbound Traffic Rules

  1. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

  2. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

  3. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security - LDAP, Inbound Rules.

  4. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

  5. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Content Retrieval (Uses HTTP). Click Next.

  6. In Predefined Rules, click Next.

  7. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

  8. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

  9. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Peer Discovery (Uses WSD). Click Next.

  10. In Predefined Rules, click Next.

  11. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

To configure Windows Firewall with Advanced Security Outbound Traffic Rules

  1. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

  2. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Content Retrieval (Uses HTTP). Click Next.

  3. In Predefined Rules, click Next.

  4. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

  5. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

  6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache - Peer Discovery (Uses WSD). Click Next.

  7. In Predefined Rules, click Next.

  8. In Action, ensure that Allow the connection is selected, and then click Finish.

    Important

    You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
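
The inbound and outbound procedures above should leave each client with enabled Allow rules in both predefined BranchCache groups, in both directions. The following added example (not part of the original article) checks a set of firewall rule objects against that expectation. The function name and the sample rule objects are assumptions constructed for illustration; on a client, the same properties come from Get-NetFirewallRule.

```powershell
# Predefined rule groups named in the procedures above.
$RequiredGroups = 'BranchCache - Content Retrieval (Uses HTTP)',
                  'BranchCache - Peer Discovery (Uses WSD)'

# Hypothetical helper: one result per group and direction.
# Compliant means at least one rule exists and every rule found is an enabled Allow rule.
function Test-BranchCacheFirewallPolicy {
    param([object[]]$Rules)
    foreach ($group in $RequiredGroups) {
        foreach ($direction in 'Inbound', 'Outbound') {
            $found = @($Rules | Where-Object {
                $_.DisplayGroup -eq $group -and "$($_.Direction)" -eq $direction })
            $allow = @($found | Where-Object {
                "$($_.Enabled)" -eq 'True' -and "$($_.Action)" -eq 'Allow' })
            [pscustomobject]@{
                Group      = $group
                Direction  = $direction
                RulesFound = $found.Count
                Compliant  = ($found.Count -gt 0 -and $allow.Count -eq $found.Count)
            }
        }
    }
}

# Constructed sample: the outbound WSD rule was created with Block instead of Allow,
# and the outbound HTTP rule is missing altogether.
$sampleRules = @(
    [pscustomobject]@{ DisplayGroup = $RequiredGroups[0]; Direction = 'Inbound'
                       Action = 'Allow'; Enabled = 'True' }
    [pscustomobject]@{ DisplayGroup = $RequiredGroups[1]; Direction = 'Inbound'
                       Action = 'Allow'; Enabled = 'True' }
    [pscustomobject]@{ DisplayGroup = $RequiredGroups[1]; Direction = 'Outbound'
                       Action = 'Block'; Enabled = 'True' }
)

Test-BranchCacheFirewallPolicy -Rules $sampleRules | Format-Table -AutoSize

# On a domain member, evaluate the rules actually in effect (local plus Group Policy):
# Test-BranchCacheFirewallPolicy -Rules (Get-NetFirewallRule -PolicyStore ActiveStore)
```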

Where is Group Policy in Windows Server?

On a computer upon which the Active Directory Domain Services server role is installed, in Server Manager, click Tools, and then click Group Policy Management. The Group Policy Management console opens.

What is Group Policy in Windows Server OS?

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy is primarily a security tool, and can be used to apply security settings to users and computers.