← All Learning Pathways

Group Policy

GPMC, gpupdate / gpresult, LSDOU precedence, security baselines, preferences, LAPS, and the troubleshooting flow when a policy doesn't apply where you thought it would.

2 articles • follow them in order

  1. 1
    Systems Admin

    Rename Administrator Account with Group Policy

    The built-in local Administrator account ships with two predictable properties: well-known RID 500 (predictable SID) and the literal name 'Administrator'. The Accounts: Rename administrator account security policy lets you change the name across every domain-joined computer with one GPO. This article walks the workflow: create a Computer-scoped GPO linked to the OU containing your endpoints, navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options, set Accounts: Rename administrator account with a deliberately neutral name (Operator, BuildAcct, etc.), run gpupdate /force on a target, verify in Computer Management - Local Users and Groups. Includes the GPO naming convention (C_ / U_ / CU_), the names to avoid (Admin, SuperUser, anything containing 'admin'), and the common pitfalls (linking at the domain root, picking a guessable name, confusing the local rename with the Domain Administrator rename).

    8 min Read step 1 →
  2. 2
    Systems Admin

    Automatically Map a Network Drive by Group Membership with Group Policy

    The classic 'net use' line in a logon script stalled the desktop, did not scale to multiple departments, and was painful to clean up when someone changed teams. Group Policy Preferences Drive Maps + item-level targeting replaces all of it: declarative, parallel, and scoped to AD group membership. This article walks the full workflow - create the security group in dsa.msc, share the folder with matching share + NTFS ACLs, create and link a GPO to the user OU, add a Drive Maps preference (Action: Create, Reconnect: yes, Drive Letter: S, Label as: Sales Group), then move the membership check off the OU link and onto the preference itself via Common - Item-level targeting - Security Group - User in group. Verifies with gpresult and Get-PSDrive on a domain-joined client. Includes the common pitfalls (linking to the computer OU, skipping share permissions, picking a domain-local group, forgetting the User-in-group vs Computer-in-group choice).

    10 min Read step 2 →