
Active-Directory-GPO-User-Restrictions-Lab

In this lab, I demonstrate how to use Group Policy Objects (GPOs) on Windows Server 2022 to enforce enterprise-style restrictions on a domain-joined workstation, including hiding system icons, enforcing a corporate wallpaper, blocking Control Panel, Settings, Command Prompt, PowerShell, software uninstallation, network settings, and USB drives. Using loopback processing (Merge mode) and proper security filtering, user restrictions are applied based on the computer context, while administrative accounts remain unaffected. This lab showcases real-world GPO management, layered restrictions, and troubleshooting techniques to ensure policies are correctly enforced.

A Group Policy Object (GPO) is a collection of policy settings that define how computers and users behave within a Windows domain environment. Companies use GPOs to enforce security, standardize settings, restrict unauthorized actions, deploy software, and automate management across all workstations efficiently.

To provide a detailed point of view, in this lab, I implement strict endpoint restrictions for all computers within the UserPCs OU using Group Policy. Any user from departments such as Finance, HR, Marketing, Operations, Sales, Security, and Technology will have these restrictions applied when logging into these machines. However, Executives and IT personnel are explicitly excluded, ensuring they retain full access on the same machines. This demonstrates a real-world approach to applying security policies while maintaining necessary administrative privileges.

First, we need to create the GPO. From Server Manager Dashboard > Tools > Group Policy Management. Find the UserPCs OU in the list, as we will link the GPO here. Right-click > Create a GPO in this domain, and Link it here.

Give it a name. I named it "User Restriction".

Right-click > Edit to open the Group Policy Management Editor.

1. Hide Recycle Bin

User Configuration > Policies > Administrative Templates > Double-click the Desktop folder. Find "Remove Recycle Bin icon from desktop". Notice that the state is "Not configured". Double-click to edit.

Set it to "Enabled" > Apply > OK. Once you've done that, you will see that the state changes to "Enabled".

The Recycle Bin is still accessible via File Explorer even if hidden from the desktop. Hiding the Recycle Bin is a common customization in managed environments, reinforcing the idea of a restricted, policy-driven environment, where users have only the access they truly need.

2. Set Desktop Wallpaper

Download an image that you want to set as the wallpaper and put it in a shared folder. I used an image by jigsawstocker on Freepik, renamed it "users.jpg", and shared it through the Deployment$ folder, which was created in the previous lab: Software-Deployment-with-Group-Policy

Go back to the Group Policy Management Editor. User Configuration > Policies > Administrative Templates > Desktop > Desktop. Double-click "Desktop Wallpaper".

Click "Enabled". Type the path to the image; in our case, it is \\DC01\Deployment$\users.jpg. Choose "Fill" for the Wallpaper style.

As we set a wallpaper, we don't want the users to change it. User Configuration > Policies > Administrative Templates > Control Panel > Personalization.

We will enable "Prevent changing theme", "Prevent changing color and appearance", and "Prevent changing desktop background".

3. Block Control Panel & Settings

To maintain system stability and security, users are restricted from changing system settings or uninstalling applications. This is enforced by blocking access to the Control Panel and system settings, ensuring that critical configurations remain consistent and protected.

User Configuration > Policies > Administrative Templates > Control Panel > Enable "Prohibit access to Control Panel and PC settings".

4. Block the Command Prompt and Registry Editing Tools

User Configuration > Policies > Administrative Templates > System. We will enable "Prevent access to the command prompt" and "Prevent access to registry editing tools".

In addition, we can also block PowerShell, but we will do that in a future lab with AppLocker.

5. Block Network Settings

User Configuration > Policies > Administrative Templates > Network > Network Connections. We will enable "Prohibit access to properties of a LAN connection".

6. Block USB & External Drives

Blocking USB sticks and external hard drives is a very strong and common security practice in enterprise environments. Removable media can easily be used to copy sensitive company data or to introduce malicious software into the system, bypassing traditional network defenses. Blocking it therefore significantly reduces the risk of data breaches and malware infections. It also helps enforce data control and compliance policies, ensuring that confidential information stays within authorized systems. Overall, restricting external storage devices strengthens endpoint security and minimizes human error and insider threats.

To block USB sticks and external hard drives: User Configuration > Policies > Administrative Templates > System > Removable Storage Access > Enable "All Removable Storage classes: Deny all access".

7. Pre-Deployment

So far, we have only enabled user-based configurations for this GPO. If we deploy it now, it will not work, as the "UserPCs" OU contains only computer objects (only PC1 in our case). Since user policies apply based on the location of the user object in Active Directory, the GPO will not be processed. This could be resolved either by moving a user object into this OU or by enabling loopback processing, which applies user policies based on the computer context. As we want the user policies to apply to computers, we will use Loopback Processing.

Computer Configuration > Policies > Administrative Templates > System > Group Policy. Double-click "Configure user Group Policy loopback processing mode".

Check "Enabled". Select "Merge" for the mode option. Apply and OK.

Right now, if we deploy this GPO, any user who logs on to this computer (PC1) will be affected by these restrictions: Recycle Bin hidden, Control Panel and Settings blocked, CMD and Registry Editing Tools blocked, Network settings restricted, and USB drives disabled. So, exclusions for Executives and IT personnel must be configured to maintain administrative access.

In this lab environment, Frank (our user with admin rights) is located under the "Admins" OU. Therefore, he won't be affected when we target the "All Employees" group.

Return to Group Policy Management. Find the GPO, "PC1Restriction" in this case, and double-click it. Under the "Scope" tab, find "Security Filtering". Remove "Authenticated Users", as it covers all the users in the domain.

Click the "Add" button, type "All Employees", and click OK to add the users. Now, all users in "All Employees" will be affected. However, we want to give "Executives" an exclusion.

Click the "Delegation" tab, then the "Advanced" button.

Click the "Add" button, type "Executive" in the new window, and click OK.

Then, click "Executive". Scroll down to find the "Apply group policy" permission and check "Deny". This gives the exclusion to the Executive group.

If we check the same permission for "All Employees", we can see that the Apply Group Policy permission is allowed.

Lastly, we need to add "Domain Computers" as well, so that computers can read this GPO. Scope tab > Add > Type "Domain Computers" and OK.
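Before deploying, the loopback setting and the security filtering configured above can be checked from the domain controller instead of by eye. The following PowerShell script is an added example, not part of the original lab; it assumes the GroupPolicy module (RSAT) is available, that the GPO is named "User Restriction", and that the group names are "All Employees", "Executive" and "Domain Computers".

```powershell
# Added verification script (not part of the original lab). Run on DC01 as a
# user who can read the GPO. Names below are assumptions taken from this lab.
Import-Module GroupPolicy

$GpoName = 'User Restriction'   # name given to the GPO in this lab (assumption)

# 1. Security filtering: list every ACE on the GPO, then check the three
#    conditions the lab relies on.
$perms = Get-GPPermission -Name $GpoName -All
foreach ($p in $perms) {
    $effect = if ($p.Denied) { 'DENY' } else { 'ALLOW' }
    '{0,-25} {1,-26} {2}' -f $p.Trustee.Name, $p.Permission, $effect
}

$applyAllowed = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
if ($applyAllowed.Trustee.Name -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still has Apply: every domain user will be restricted.'
}
if (-not ($perms | Where-Object { $_.Trustee.Name -eq 'Executive' -and $_.Denied -and $_.Permission -eq 'GpoApply' })) {
    Write-Warning 'No Deny ACE on Apply Group Policy for Executive: executives will be restricted too.'
}
$readAllowed = $perms | Where-Object { $_.Permission -in 'GpoRead','GpoApply' -and -not $_.Denied }
if ($readAllowed.Trustee.Name -notcontains 'Domain Computers') {
    Write-Warning 'Domain Computers cannot read the GPO: loopback will never apply it on PC1.'
}

# 2. Loopback processing is stored as UserPolicyMode under the computer-side
#    System key: 1 = Merge, 2 = Replace. Absent means loopback is not configured.
$loop = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
if ($null -eq $loop) {
    Write-Warning 'Loopback not configured: user settings will not apply to computers in UserPCs.'
} elseif ($loop.Value -eq 1) {
    'Loopback processing: Merge (as intended in this lab)'
} else {
    'Loopback processing: Replace'
}
```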

8. Deployment and Test

To deploy the GPO, type gpupdate /force in CMD and restart the PC.

Let's log in as Bobby Drake (Username: Iceman), Creative Marketing Director from the Marketing Department.

The Recycle Bin is hidden, and the wallpaper has changed.

When we try to change Display Settings, it is blocked.

When we try to "Personalise", it is blocked.

The Control Panel is blocked.

CMD is blocked.

When we try to open "Network Settings", nothing happens.

However, if we log in as Hank McCoy (Username: Beast), Chief Technology Officer from the Executive department, the wallpaper is the default and the Recycle Bin is not hidden.

We can access CMD, the Registry Editor, and the Control Panel.
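The same result can be verified from the workstation without clicking through each app, by reading the policy registry values that these settings write under HKCU for the logged-on user. This script is an added example, not part of the original lab; the mapping from each setting to its registry value is my assumption, and the wallpaper path is the one used in this lab.

```powershell
# Added check script (not part of the original lab). Run on PC1 in a PowerShell
# session of the user being tested, after gpupdate /force and a fresh logon.
# For a restricted user every row should show Applied = True; for an executive
# every row should show Applied = False. Value names are assumptions.
$checks = @(
    @{ Setting = 'Hide Recycle Bin';             Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum';       Name = '{645FF040-5081-101B-9F08-00AA002F954E}' },
    @{ Setting = 'Prevent changing background';  Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Setting = 'Block Control Panel/Settings'; Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoControlPanel' },
    @{ Setting = 'Block command prompt';         Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                       Name = 'DisableCMD' },
    @{ Setting = 'Block registry tools';         Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Setting = 'Block LAN properties';         Key = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections';          Name = 'NC_LanProperties' },
    @{ Setting = 'Deny removable storage';       Key = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices';      Name = 'Deny_All' }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy did not reach this user.
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting = $c.Setting
        Applied = ($null -ne $actual -and $actual -ne 0)
        Value   = $actual
    }
}

# The enforced wallpaper is a string value, so it is checked separately.
$expectedWallpaper = '\\DC01\Deployment$\users.jpg'   # path used in this lab
$wp = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
$results += [pscustomobject]@{
    Setting = 'Corporate wallpaper'
    Applied = ($wp -eq $expectedWallpaper)
    Value   = $wp
}

$results | Format-Table -AutoSize

# Cross-check against what the client thinks it applied: the GPO name should
# appear under "Applied Group Policy Objects" for a restricted user only.
gpresult /r /scope:user
```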

Conclusion

This lab demonstrates how Group Policy Objects (GPOs) can be used to enforce security, standardization, and administrative control within a Windows domain environment. A key challenge in this lab involved configuring the GPO application with Loopback Processing, which is essential for applying user restrictions based on the computer context. Furthermore, executive accounts were excluded from these restrictions using GPO delegation with deny permissions, demonstrating a real-world approach to maintaining security for standard users while preserving full access for privileged accounts. This lab can be extended further to simulate a more advanced enterprise environment, such as implementing AppLocker for application whitelisting and applying different GPO rules for specific departments or roles, and enforcing more granular security and compliance policies across the network.
