Administer Group Policy in an Azure AD Domain Services managed domain

Settings for user and computer objects in Azure Active Directory Domain Services (Azure AD DS) are often managed using Group Policy Objects (GPOs). Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the AAD DC Administrators group have Group Policy administration privileges in the Azure AD DS managed domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see Group Policy overview.

This article shows you how to install the Group Policy Management tools, then edit the built-in GPOs and create custom GPOs.

Important

Enable password hash synchronization to Azure AD Domain Services before you complete the tasks in this article.

Follow the password hash synchronization instructions that match the type of user accounts in your Azure AD directory; if the directory contains a mix of cloud-only and synced user accounts, complete both sets of instructions. These tasks cannot be carried out with a B2B guest account (for example, a Gmail or Microsoft account from another identity provider): a guest's credentials are held by the external identity provider, not by Azure AD, so no password hash exists in Azure AD to synchronize to the managed domain, and the guest account therefore cannot authenticate to the managed domain.

Before you begin

To complete this article, you need the following resources and privileges:

Install Group Policy Management tools

To create and configure Group Policy Objects (GPOs), you need to install the Group Policy Management tools. These tools can be installed as a feature in Windows Server. For more information on how to install the administrative tools on a Windows client, see install Remote Server Administration Tools (RSAT).

  1. Sign in to your management VM. For steps on how to connect using the Azure portal, see Connect to a Windows Server VM.

  2. Server Manager should open by default when you sign in to the VM. If not, on the Start menu, select Server Manager.

  3. In the Dashboard pane of the Server Manager window, select Add Roles and Features.

  4. On the Before You Begin page of the Add Roles and Features Wizard, select Next.

  5. For the Installation Type, leave the Role-based or feature-based installation option checked and select Next.

  6. On the Server Selection page, choose the current VM from the server pool, such as myvm.contoso.com, then select Next.

  7. On the Server Roles page, click Next.

  8. On the Features page, select the Group Policy Management feature.

    Install the 'Group Policy Management' from the Features page

  9. On the Confirmation page, select Install. It may take a minute or two to install the Group Policy Management tools.

  10. When feature installation is complete, select Close to exit the Add Roles and Features wizard.
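The same installation can be scripted from an elevated PowerShell session on the management VM, which also installs the GroupPolicy module used by later examples. The block below is an added example and is not part of the original article; the NetBIOS domain name CONTOSO is an assumption matching the contoso.com names used in this article, and the group-membership check exists because Azure AD DS only grants GPO administration rights to members of AAD DC Administrators.

```powershell
# Added example (not from the original article): install the Group Policy Management
# tools from PowerShell and confirm the signed-in account can administer Group Policy.
# Assumption: the managed domain's NetBIOS name is CONTOSO (matching contoso.com above).

# 1. Install the GPMC feature. -IncludeManagementTools also pulls in the
#    GroupPolicy PowerShell module (New-GPO, Set-GPRegistryValue, ...).
Install-WindowsFeature -Name GPMC -IncludeManagementTools

# 2. Verify the feature is installed and the module loads.
Get-WindowsFeature -Name GPMC | Format-Table Name, InstallState -AutoSize
Import-Module GroupPolicy
Get-Command -Module GroupPolicy -Name New-GPO, Get-GPO, New-GPLink, Set-GPRegistryValue |
    Format-Table Name, Version -AutoSize

# 3. Confirm membership in 'AAD DC Administrators' for the current logon session.
#    Group membership is placed in the access token at logon, so an account that was
#    added to the group after signing in must sign out and back in before GPO edits work.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
if ($groups.'Group Name' -contains 'CONTOSO\AAD DC Administrators') {
    Write-Host 'OK: this session can administer Group Policy in the managed domain.'
} else {
    Write-Warning 'Not a member of AAD DC Administrators (or the logon token is stale); GPO edits will be denied.'
}
```

The membership check uses the logon token rather than querying the directory on purpose: it is the token, not the directory, that the domain controller evaluates when you try to write to a GPO, so this is the check that predicts whether the Group Policy Management Console will let you edit anything.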

Open the Group Policy Management Console and edit an object

Default group policy objects (GPOs) exist for users and computers in an Azure AD DS managed domain. With the Group Policy Management feature installed from the previous section, let's view and edit an existing GPO. In the next section, you create a custom GPO.

Note

To administer group policy in an Azure AD DS managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of available management tools is shown, including Group Policy Management installed in the previous section.

  2. To open the Group Policy Management Console (GPMC), choose Group Policy Management.

    The Group Policy Management Console opens ready to edit group policy objects

There are two built-in Group Policy Objects (GPOs) in an Azure AD DS managed domain - one for the AADDC Computers container, and one for the AADDC Users container. You can customize these GPOs to configure group policy as needed within your Azure AD DS managed domain.

  1. In the Group Policy Management console, expand the Forest: contoso.com node. Next, expand the Domains nodes.

    Two built-in containers exist for AADDC Computers and AADDC Users. Each of these containers has a default GPO applied to them.

    Built-in GPOs applied to the default 'AADDC Computers' and 'AADDC Users' containers

  2. These built-in GPOs can be customized to configure specific group policies on your Azure AD DS managed domain. Right-select one of the GPOs, such as AADDC Computers GPO, then select Edit....

    Choose the option to 'Edit' one of the built-in GPOs

  3. The Group Policy Management Editor tool opens to let you customize the GPO, such as Account Policies:

    Customize GPO to configure settings as required

    Settings are written to the GPO as soon as you select OK in each setting's dialog, so there is nothing further to save when you close the editor. Domain-joined computers refresh Group Policy in the background every 90 minutes by default (with a random offset of up to 30 minutes); computer settings also apply at startup and user settings at logon. To apply a change immediately on a specific computer, run gpupdate /force on it and confirm the result with gpresult /r.
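Before editing a built-in GPO it is worth knowing exactly what is linked where and keeping a copy you can roll back to. The following block is an added example, not code from the original article: it lists the GPOs in the managed domain, shows the links on the two built-in containers, and backs up the AADDC Computers GPO before you change it. The domain name contoso.com, the assumption that AADDC Users and AADDC Computers are OUs directly under the domain root, and the backup folder C:\GPOBackups are assumptions.

```powershell
# Added example (not from the original article): inventory and back up the built-in
# GPOs before editing them. Assumptions: domain contoso.com, the built-in containers
# are OUs directly under the domain root, backups go to C:\GPOBackups.
Import-Module GroupPolicy
$domain = 'contoso.com'
$domainDN = 'DC=' + (($domain -split '\.') -join ',DC=')   # contoso.com -> DC=contoso,DC=com

# 1. Every GPO in the managed domain, with its GUID and last modification time.
Get-GPO -All -Domain $domain | Sort-Object DisplayName |
    Format-Table DisplayName, Id, GpoStatus, ModificationTime -AutoSize

# 2. Which GPOs are linked to the two built-in containers, and whether each link is
#    enabled or enforced. Anything unexpected here deserves a look before you edit.
foreach ($container in 'AADDC Users', 'AADDC Computers') {
    $ouDN = "OU=$container,$domainDN"
    (Get-GPInheritance -Target $ouDN).GpoLinks |
        Select-Object @{ n = 'Container'; e = { $container } }, DisplayName, Enabled, Enforced, Order
}

# 3. Back up the GPO you are about to edit so the change can be reverted with Restore-GPO.
$backupPath = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
$backup = Backup-GPO -Name 'AADDC Computers GPO' -Domain $domain -Path $backupPath `
    -Comment 'Before account policy change'
Write-Host "Backup ID: $($backup.Id)"

# 4. Keep a human-readable report of the pre-change state next to the backup.
Get-GPOReport -Name 'AADDC Computers GPO' -Domain $domain -ReportType Html `
    -Path (Join-Path $backupPath 'AADDC-Computers-before.html')

# To roll back later:
#   Restore-GPO -Name 'AADDC Computers GPO' -Domain $domain -Path $backupPath
```

Run the same Get-GPOReport command after your edit and diff the two HTML files; that gives you a record of precisely which Account Policies values changed, which is what an auditor or an incident responder will ask for later.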

Create a custom Group Policy Object

To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Azure AD DS, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see create a custom OU in an Azure AD DS managed domain.

  1. In the Group Policy Management console, select your custom organizational unit (OU), such as MyCustomOU. Right-select the OU and choose Create a GPO in this domain, and Link it here...:

    Create a custom GPO in the Group Policy Management console

  2. Specify a name for the new GPO, such as My custom GPO, then select OK. You can optionally base this custom GPO on an existing GPO and set of policy options.

    Specify a name for the new custom GPO

  3. The custom GPO is created and linked to your custom OU. To now configure the policy settings, right-select the custom GPO and choose Edit...:

    Choose the option to 'Edit' your custom GPO

  4. The Group Policy Management Editor opens to let you customize the GPO:

    Customize GPO to configure settings as required

    Settings are written to the GPO as soon as you select OK in each setting's dialog, so there is nothing further to save when you close the editor. Domain-joined computers refresh Group Policy in the background every 90 minutes by default (with a random offset of up to 30 minutes); computer settings also apply at startup and user settings at logon. To apply a change immediately on a specific computer, run gpupdate /force on it and confirm the result with gpresult /r.
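The whole create-link-configure-verify procedure above can be done from the GroupPolicy module, which makes the result repeatable and reviewable. The block below is an added example and is not part of the original article. The names MyCustomOU and My custom GPO come from the steps above; contoso.com, the assumption that MyCustomOU sits directly under the domain root, the client computer name client01, and the chosen setting (enabling PowerShell script block logging through its Administrative Templates registry key) are assumptions made for the example.

```powershell
# Added example (not from the original article): create a custom GPO, link it to a
# custom OU, configure one setting and verify it applies. Assumptions: domain
# contoso.com, OU 'MyCustomOU' directly under the domain root (it must already exist),
# a domain-joined computer named client01 in that OU.
Import-Module GroupPolicy
$domain  = 'contoso.com'
$gpoName = 'My custom GPO'
$ouDN    = 'OU=MyCustomOU,DC=contoso,DC=com'

# 1. Create the GPO, or reuse it if an earlier run already created it.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Baseline for MyCustomOU'
}

# 2. Link the GPO to the OU unless it is already linked (New-GPLink fails on duplicates).
$links = (Get-GPInheritance -Target $ouDN).GpoLinks
if ($links.DisplayName -notcontains $gpo.DisplayName) {
    New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 3. Configure a setting. This registry-based policy corresponds to
#    Computer Configuration > Administrative Templates > Windows Components >
#    Windows PowerShell > Turn on PowerShell Script Block Logging.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'EnableScriptBlockLogging' `
    -Type DWord -Value 1 | Out-Null

# 4. Verify the GPO contents and the link from the management VM.
Get-GPRegistryValue -Guid $gpo.Id -Key $key | Format-Table ValueName, Type, Value -AutoSize
(Get-GPInheritance -Target $ouDN).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# 5. Do not wait for the 90-minute background refresh: trigger it on the client now.
#    Invoke-GPUpdate schedules gpupdate remotely; run 'gpupdate /force' locally instead
#    if remote scheduled tasks are blocked by the client firewall.
Invoke-GPUpdate -Computer 'client01' -Force -RandomDelayInMinutes 0

# 6. On client01 itself, confirm the GPO was applied and the value reached the registry:
#    gpresult /scope computer /r         -> lists 'My custom GPO' under Applied Group Policy Objects
#    Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging
```

Two points worth keeping in mind: the GPO only affects computers and users whose objects are inside MyCustomOU (or a child OU), so a management VM that lives elsewhere will never show it in gpresult; and if step 4 shows the link but the client never applies the policy, check that the computer object really is in that OU before suspecting replication.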

Next steps

For more information on the available Group Policy settings that you can configure using the Group Policy Management Console, see Work with Group Policy preference items.