Group Policy Management
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of files that includes registry settings, scripts, templates, and software-specific configuration values.
GPOs apply to objects when they are linked to containers and configured with specific settings.
- GPOs can be linked to Active Directory domains or organizational units (OUs). Built-in containers (such as the Computers container) cannot have GPOs linked to them.
- A GPO only affects the users and computers beneath the object to which the GPO is linked.
- A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
- A specific setting in a GPO can be:
  - Undefined, meaning that the GPO has no value for that setting and does not change the current setting.
  - Defined, meaning that the GPO identifies a new value to enforce.
- GPOs are applied in the following order:
  - The Local Group Policy on the computer
  - GPOs linked to the domain that contains the User or Computer object
  - GPOs linked to the organizational unit(s) that contain(s) the User or Computer object (from the highest-level OU to the lowest-level OU).
- Individual settings within all GPOs are combined to form the effective Group Policy setting as follows:
  - If a setting is defined in one GPO and undefined in another, the defined value will be enforced (regardless of the position of the GPO in the application order).
  - If a setting is configured in two GPOs, the setting in the last-applied GPO will be used.
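The application order and merge rules above, modeled as an added example (not code from the original page or from Microsoft). It covers only the rules this page states; the GPO names, OU depths and user-rights values are constructed sample data, and `application_order` and `resolve` are hypothetical helper names.

```python
# Added example: models only the ordering and merge rules listed above.
# GPO names, OU depths and values are constructed sample data.
from dataclasses import dataclass, field

UNDEFINED = None  # the GPO has no value for this setting
LEVEL_ORDER = {"local": 0, "domain": 1, "ou": 2}

@dataclass
class GPO:
    name: str
    level: str         # "local", "domain" or "ou"
    ou_depth: int = 0  # OU links only: 1 = highest-level OU, larger = lower
    settings: dict = field(default_factory=dict)

def application_order(gpos):
    """Local first, then domain, then OUs from highest to lowest level."""
    return sorted(gpos, key=lambda g: (LEVEL_ORDER[g.level], g.ou_depth))

def resolve(gpos):
    """Return (effective, overrides): setting -> (value, source GPO), plus
    (setting, losing GPO, old value, winning GPO, new value) records."""
    effective, overrides = {}, []
    for gpo in application_order(gpos):
        for setting, value in gpo.settings.items():
            if value is UNDEFINED:
                continue  # undefined: the current value is left unchanged
            if setting in effective and effective[setting][0] != value:
                old_value, old_gpo = effective[setting]
                overrides.append((setting, old_gpo, old_value, gpo.name, value))
            effective[setting] = (value, gpo.name)  # last-applied GPO wins
    return effective, overrides

# Constructed sample, deliberately listed out of application order.
SAMPLE = [
    GPO("Workstations OU policy", "ou", 2,
        {"Change the system time": ["Administrators", "Helpdesk"]}),
    GPO("Local policy", "local", 0,
        {"Shut down the system": ["Users"], "Change the system time": ["Users"]}),
    GPO("Domain baseline", "domain", 0,
        {"Change the system time": ["Administrators"], "Shut down the system": UNDEFINED,
         "Load and unload device drivers": ["Administrators"]}),
    GPO("Corp OU policy", "ou", 1, {"Load and unload device drivers": UNDEFINED}),
]

if __name__ == "__main__":
    effective, overrides = resolve(SAMPLE)
    for setting, (value, source) in sorted(effective.items()):
        print(f"{setting}: {value}  <- {source}")
    for setting, loser, old, winner, new in overrides:
        print(f"OVERRIDE {setting}: {loser} {old} -> {winner} {new}")
```

The overrides list is the part to review in an audit: it shows where a later-applied GPO replaced a value set earlier, here an OU-linked policy widening a user right that the domain baseline had restricted.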
Each GPO has a common structure, with hundreds of configuration settings that can be enabled and configured. Settings are divided into two categories:
- Computer Configuration
- User Configuration
Group Policy - Computer Configuration
Computer policies (also called machine policies) are enforced for the entire computer, and are initially applied when the computer boots. Computer policies include:
- Software that should be installed on a specific computer
- Scripts that should run at startup or shutdown
- Password restrictions that must be met for all user accounts
- Network communication security settings
- Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree)
Computer policies also include a special category of policies called user rights. User rights identify system maintenance tasks and the users or groups who can perform these actions. Actions include:
- Changing the system time
- Loading and unloading device drivers
- Removing a computer from a docking station
- Shutting down the system
Computer policies are initially applied as the computer boots, and are enforced before any user logs on.
Group Policy - User Configuration
User policies are enforced for specific users, and are initially applied when the user logs on. User policy settings include:
- Software that should be installed for a specific user
- Scripts that should run at logon or logoff
- Internet Explorer user settings (such as favorites and security settings)
- Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree)
User policies are initially applied as the user logs on, and often customize Windows based on user preferences.