Administer Group Policy in a Microsoft Entra Domain Services managed domain

How-to
10/06/2023

Settings for user and computer objects in Microsoft Entra Domain Services are often managed using Group Policy Objects (GPOs). Domain Services includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the AAD DC Administrators group have Group Policy administration privileges in the Domain Services domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see Group Policy overview.

In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Domain Services. To define configuration settings for users or computers in Domain Services, edit one of the default GPOs or create a custom GPO.

This article shows you how to install the Group Policy Management tools, then edit the built-in GPOs and create custom GPOs. We recommend that you back up GPOs after you make any changes to them. For more information about how to back up and restore GPOs, see Backup, restore, migrate, and copy Group Policy Objects.

If you are interested in server management strategy, including machines in Azure and hybrid connected, consider reading about the guest configuration feature of Azure Policy.

Prerequisites

To complete this article, you need the following resources and privileges:

An active Azure subscription.
- If you don't have an Azure subscription, create an account.
A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- If needed, create a Microsoft Entra tenant or associate an Azure subscription with your account.
A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant.
- If needed, complete the tutorial to create and configure a Microsoft Entra Domain Services managed domain.
A Windows Server management VM that is joined to the Domain Services managed domain.
- If needed, complete the tutorial to create a Windows Server VM and join it to a managed domain.
A user account that's a member of the AAD DC Administrators group in your Microsoft Entra tenant.

Note

You can use Group Policy Administrative Templates by copying the new templates to the management workstation. Copy the .admx files into %SYSTEMROOT%\PolicyDefinitions and copy the locale-specific .adml files to %SYSTEMROOT%\PolicyDefinitions\[Language-CountryRegion], where Language-CountryRegion matches the language and region of the .adml files.

For example, copy the English, United States version of the .adml files into the \en-us folder.

Install Group Policy Management tools

To create and configure Group Policy Object (GPOs), you need to install the Group Policy Management tools. These tools can be installed as a feature in Windows Server. For more information on how to install the administrative tools on a Windows client, see install Remote Server Administration Tools (RSAT).

Sign in to your management VM. For steps on how to connect using the Microsoft Entra admin center, see Connect to a Windows Server VM.
Server Manager should open by default when you sign in to the VM. If not, on the Start menu, select Server Manager.
In the Dashboard pane of the Server Manager window, select Add Roles and Features.
On the Before You Begin page of the Add Roles and Features Wizard, select Next.
For the Installation Type, leave the Role-based or feature-based installation option checked and select Next.
On the Server Selection page, choose the current VM from the server pool, such as myvm.aaddscontoso.com, then select Next.
On the Server Roles page, click Next.
On the Features page, select the Group Policy Management feature.
On the Confirmation page, select Install. It may take a minute or two to install the Group Policy Management tools.
When feature installation is complete, select Close to exit the Add Roles and Features wizard.

Open the Group Policy Management Console and edit an object

Default group policy objects (GPOs) exist for users and computers in a managed domain. With the Group Policy Management feature installed from the previous section, let's view and edit an existing GPO. In the next section, you create a custom GPO.

Note

To administer Group Policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

From the Start screen, select Administrative Tools. A list of available management tools is shown, including Group Policy Management installed in the previous section.
To open the Group Policy Management Console (GPMC), choose Group Policy Management.

There are two built-in Group Policy Objects (GPOs) in a managed domain - one for the AADDC Computers container, and one for the AADDC Users container. You can customize these GPOs to configure group policy as needed within your managed domain.

In the Group Policy Management console, expand the Forest: aaddscontoso.com node. Next, expand the Domains nodes.

Two built-in containers exist for AADDC Computers and AADDC Users. Each of these containers has a default GPO applied to them.
These built-in GPOs can be customized to configure specific group policies on your managed domain. Right-select one of the GPOs, such as AADDC Computers GPO, then choose Edit....
The Group Policy Management Editor tool opens to let you customize the GPO, such as Account Policies:

When done, choose File > Save to save the policy. Computers refresh Group Policy by default every 90 minutes and apply the changes you made.

Create a custom Group Policy Object

To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Domain Services, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see create a custom OU in a managed domain.

In the Group Policy Management console, select your custom organizational unit (OU), such as MyCustomOU. Right-select the OU and choose Create a GPO in this domain, and Link it here...:
Specify a name for the new GPO, such as My custom GPO, then select OK. You can optionally base this custom GPO on an existing GPO and set of policy options.
The custom GPO is created and linked to your custom OU. To now configure the policy settings, right-select the custom GPO and choose Edit...:
The Group Policy Management Editor opens to let you customize the GPO:

When done, choose File > Save to save the policy. Computers refresh Group Policy by default every 90 minutes and apply the changes you made.