Group Policy


Group Policy enables you to define a standard collection of settings and apply them to some or all the computers and/or users in your enterprise. Group Policy has the capability to provide centralized control of a variety of components of a Windows network, such as security, application deployment and management, communications, and the overall user experience.

Group Policy is applied by creating an object that contains the settings that control the users' and computers' access to network and machine resources. This Group Policy Object (GPO) is created from templates that are stored on the workstation or server.

These GPOs are linked to a container that holds Active Directory objects such as users, groups, workstations, servers, and printers. The settings in these GPOs will be applied to the objects in the container. The container can be an OU, a domain, or a site. GPOs can also be applied to a single computer through the use of Local Policy. You can apply multiple GPOs to a container; in this case, the settings will be merged. If there is a conflict in the settings between GPOs, the last setting applied wins.

Group Policy works by manipulating Registry and security settings on the workstation or server. Unlike the System Policies used in Windows NT, Group Policy does not permanently (tattoo) change the Registry. After Group Policy is removed, the Registry settings return to their defaults.

Each Group Policy object has two separate sections: User and Computer configuration.

Group Policy for users includes settings for

  • Operating system behavior

  • Desktop settings

  • Security settings

  • Application settings

  • Application installation

  • Folder redirection settings

  • Logon and logoff scripts

User settings are applied at user logon and during the periodic Group Policy refresh cycle. When these settings are applied to a user, they apply to that user at whatever computer the user logs on to.

Group Policy for computers includes settings for

  • Operating system behavior

  • Desktop settings

  • Security settings

  • Application settings

  • Application installation

  • Folder redirection settings

  • Computer startup and shutdown scripts

The following are some important things to remember about Group Policy:

  • Many of the same settings are available via both user and computer settings. When the settings between user and computer conflict, user settings generally take precedence.

  • GPOs are stored in two parts: as a Group Policy Template (GPT) in the file system and as objects inside a container in Active Directory called a Group Policy Container (GPC).

  • GPTs contain settings related to software installation policies and deployments, scripts, and security information for each GPO. They are stored in the %SystemRoot%\SYSVOL\domain\Policies directory on every domain controller. The GPTs usually contain subfolders called Adm, USER, and MACHINE to separate the data to be applied to different portions of the Registry.

  • The USER portion is applied to keys in HKEY_CURRENT_USER, and the MACHINE portion is applied to keys in HKEY_LOCAL_MACHINE. The Adm portion can contain settings for either branch of the Registry.

  • GPOs can be used to control only Windows 2000 or later servers and workstations.
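The GPT layout in the two bullets above (the per-GPO folder under %SystemRoot%\SYSVOL\domain\Policies with its Adm, USER, and MACHINE subfolders) can be inventoried directly from the file system. The script below is an added example, not code from the book; it assumes PowerShell 3.0 or later, that it runs on a domain controller or against a reachable SYSVOL share given in $PoliciesPath, and that each GPT folder carries the usual gpt.ini with a Version= counter. It also counts files in the startup/shutdown and logon/logoff script folders, which are the parts of a GPT a defender most wants to keep an eye on.

```powershell
# Added example (not from the book): inventory the Group Policy Templates in SYSVOL.
# Assumes PowerShell 3.0+ and that $PoliciesPath points at the Policies folder
# named in the text; run on a domain controller or against a reachable SYSVOL share.
param(
    [string]$PoliciesPath = (Join-Path $env:SystemRoot 'SYSVOL\domain\Policies')
)

function Get-GptInventory {
    param([string]$Path)

    foreach ($gpoFolder in Get-ChildItem -Path $Path -Directory) {
        # gpt.ini holds the template's version counter ([General] Version=N).
        # A GPT whose version stops changing while the GPC keeps changing
        # usually means a replication problem between domain controllers.
        $iniPath = Join-Path $gpoFolder.FullName 'gpt.ini'
        $version = $null
        if (Test-Path $iniPath) {
            $line = Get-Content $iniPath | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
            if ($line -and $line -match '^Version=(\d+)\s*$') { $version = [int]$Matches[1] }
        }

        # Script folders are where startup/shutdown (MACHINE) and logon/logoff
        # (USER) scripts live; anything new here deserves a look.
        $scriptDirs = @('MACHINE\Scripts\Startup', 'MACHINE\Scripts\Shutdown',
                        'USER\Scripts\Logon',      'USER\Scripts\Logoff')
        $scriptFiles = foreach ($d in $scriptDirs) {
            $full = Join-Path $gpoFolder.FullName $d
            if (Test-Path $full) { Get-ChildItem -Path $full -File -Recurse }
        }

        [pscustomobject]@{
            GpoGuid     = $gpoFolder.Name
            Version     = $version
            HasAdm      = Test-Path (Join-Path $gpoFolder.FullName 'Adm')
            HasUser     = Test-Path (Join-Path $gpoFolder.FullName 'USER')
            HasMachine  = Test-Path (Join-Path $gpoFolder.FullName 'MACHINE')
            ScriptCount = @($scriptFiles).Count
            LastWrite   = $gpoFolder.LastWriteTime
        }
    }
}

# Most recently modified templates first, so new or changed GPTs stand out.
Get-GptInventory -Path $PoliciesPath | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run gives a cheap change log for SYSVOL: a GPT that gains script files or a MACHINE folder it did not have before is worth reconciling against the change record for that GPO.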

Changes made to existing GPOs and new GPOs will be applied during the refresh cycle. The exceptions are the following:

  • Software installation settings will be updated only at reboot or logon.

  • Folder redirection settings will be updated only at reboot or logon.

  • Computer configuration changes will be refreshed every 16 hours whether or not they have been changed.

  • Domain controllers refresh Group Policy every five minutes, so that critical settings, such as security settings, are not delayed.

Changes can be implemented immediately using the gpupdate tool. Table 11 shows available command-line options for the tool.

Table 11. Command-Line Options for Gpupdate

Value                       Description
----------------------------------------------------------------------------
/Target:{Computer | User}   Specifies that only user or only computer policy settings are refreshed. By default, both user and computer policy settings are refreshed.

/Force                      Reapplies all policy settings. By default, only policy settings that have changed are reapplied.

/Wait:{value}               Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value 0 means not to wait. The value -1 means to wait indefinitely.

/Logoff                     Causes a logoff after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy during a background refresh cycle but do process policy when a user logs on. Examples include user-targeted software installation and folder redirection. This option has no effect if no extensions that require a logoff are called.

/Boot                       Causes the computer to restart after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy during a background refresh cycle but do process policy when the computer starts. Examples include computer-targeted software installation. This option has no effect if no extensions that require the computer to restart are called.

/Sync                       Causes the next foreground policy application to be done synchronously. Foreground policy applications occur when the computer starts and when the user logs on. You can specify this for the user, computer, or both by using the /Target parameter. The /Force and /Wait parameters are ignored.
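The refresh behaviour described above (the background cycle plus the gpupdate options in Table 11) is easiest to exercise from a script that forces a refresh and then confirms which GPOs the client actually applied. The following is an added example, not code from the book. It wraps the built-in gpupdate and gpresult tools; the success strings and the "Applied Group Policy Objects" section it parses are the ones the English-language tools print, so on a localized system the patterns are an assumption that will need adjusting. Reading the computer scope with gpresult requires an elevated prompt.

```powershell
# Added example (not from the book): force a policy refresh and list the GPOs
# that were applied. Assumes English gpupdate/gpresult output and, for the
# Computer scope, an elevated session.
function Invoke-PolicyRefresh {
    param(
        [ValidateSet('Computer', 'User')] [string]$Target = 'Computer',
        [int]$WaitSeconds = 120,    # /Wait: how long to block for processing (default 600)
        [switch]$Force              # /Force: reapply settings even if unchanged
    )
    $gpArgs = @("/Target:$Target", "/Wait:$WaitSeconds")
    if ($Force) { $gpArgs += '/Force' }

    $output = & gpupdate.exe @gpArgs 2>&1
    # gpupdate reports per-section success, e.g. "Computer Policy update has completed successfully."
    $ok = (($output | Out-String) -match "$Target Policy update has completed successfully")
    [pscustomobject]@{
        Target    = $Target
        Succeeded = $ok
        ExitCode  = $LASTEXITCODE
        Output    = $output
    }
}

function Get-AppliedGpoNames {
    param([ValidateSet('Computer', 'User')] [string]$Scope = 'Computer')
    # gpresult /R prints an "Applied Group Policy Objects" heading, an underline
    # of dashes, then one GPO name per line until a blank line.
    $lines = & gpresult.exe /Scope:$Scope /R 2>&1
    $names = @()
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match 'Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # underline row under the heading
        if ($line.Trim() -eq '') { break }            # end of the section
        $names += $line.Trim()
    }
    $names
}

# Force a computer-side refresh, then show what landed. A GPO that is linked
# to the computer's OU but missing from this list was filtered, blocked, or
# belongs to an extension that only runs at startup (see /Boot above).
$result = Invoke-PolicyRefresh -Target Computer -Force
if ($result.Succeeded) {
    Get-AppliedGpoNames -Scope Computer
} else {
    Write-Warning "gpupdate exited with code $($result.ExitCode)"
    $result.Output
}
```

Because software installation and folder redirection are only processed in the foreground, a refresh that reports success can still leave those settings unapplied; checking the applied-GPO list after a reboot or logon (or after gpupdate /Boot or /Logoff) is the reliable confirmation for those extensions.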


There are two types of GPOs, Local and Domain. Local GPOs are applied to the computer first. However, as we said earlier, the last GPO applied always wins. The exception is that if a setting you configured in the local GPO is not present in any of the other GPOs applied, the local GPO setting is left in place.

Group Policy in Windows Server 2003 is processed according to the hierarchy of site, domain, and OU. Windows Server 2003 comes with two default GPOs:

  • Default Domain Policy: This policy is linked to the domain and controls the default account policies for things such as Password Policy and Account Lockout.

  • Domain Controllers Policy: This policy is linked to the Domain Controllers OU and contains settings strictly for the domain controllers.

It's best to not edit the default GPOs. Any changes should be implemented in new GPOs.

The following are some key points to remember about GPOs:

  • The Active Directory objects lower in the hierarchy inherit the settings from those higher in the hierarchy.

  • The Block Policy Inheritance option is set on a per-container basis and will block the inheritance of all policies. It's strictly an all-or-nothing solution.

  • The No Override option in Group Policy is used to prevent a child container from blocking the application of a GPO that is inherited from the parent. Unlike the all-or-nothing Block Policy Inheritance option, the No Override option is set on a per-GPO basis.

  • Group Policy Filtering is used to restrict the application of a GPO. It works by applying permissions on the GPO so that it can be used only by certain users, computers, or groups. For a Group Policy to be applied to an object, that object must have at least Read permissions for the GPO.
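The three controls in the list above (Block Policy Inheritance on a container, No Override on a link, and permission-based filtering on the GPO) are exactly the things that decide whether a security policy actually reaches a computer, so they are worth auditing regularly. The script below is an added example, not code from the book, and it relies on the GroupPolicy and ActiveDirectory PowerShell modules that ship with Windows Server 2008 R2 and later (and with RSAT); the 2003-era tools the book describes have no equivalent cmdlets, so this is an assumption about the environment. In those cmdlets No Override appears as the Enforced flag on a link, and filtering shows up as the GpoApply permission (which implies the Read permission the text mentions).

```powershell
# Added example (not from the book): report blocked inheritance, enforced
# ("No Override") links, and who can apply or edit each GPO.
# Assumes the GroupPolicy and ActiveDirectory modules (Server 2008 R2+/RSAT)
# and a domain-joined session with rights to read GPO security.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuInheritanceReport {
    # One row per OU: whether it blocks inheritance and which links are enforced or disabled.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        [pscustomobject]@{
            OU                 = $ou.DistinguishedName
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            EnforcedLinks      = @($inh.GpoLinks | Where-Object { $_.Enforced } | ForEach-Object { $_.DisplayName })
            DisabledLinks      = @($inh.GpoLinks | Where-Object { -not $_.Enabled } | ForEach-Object { $_.DisplayName })
        }
    }
}

function Get-GpoPermissionReport {
    param(
        # Principals expected to hold edit rights; any other editor is flagged.
        # Constructed default list; adjust to the domain's own delegation model.
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # GpoApply is the filtering permission: only trustees holding it (and Read) get the GPO.
        $appliesTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
        $editors   = @($perms |
            Where-Object { $_.Permission -in @('GpoEdit', 'GpoEditDeleteModifySecurity') } |
            ForEach-Object { $_.Trustee.Name })
        [pscustomobject]@{
            Gpo               = $gpo.DisplayName
            AppliesTo         = $appliesTo
            Editors           = $editors
            UnexpectedEditors = @($editors | Where-Object { $_ -notin $ExpectedEditors })
        }
    }
}

# Containers that block inheritance: any security policy linked above them
# only reaches their members if its link is enforced.
Get-OuInheritanceReport | Where-Object { $_.InheritanceBlocked -or $_.EnforcedLinks.Count -gt 0 } |
    Format-Table OU, InheritanceBlocked, EnforcedLinks -AutoSize

# GPOs that someone outside the expected set can edit: a GPO with broad edit
# rights is effectively a way to push settings to every object it applies to.
Get-GpoPermissionReport | Where-Object { $_.UnexpectedEditors.Count -gt 0 } |
    Format-Table Gpo, UnexpectedEditors, AppliesTo -AutoSize
```

The first report answers "why did this OU not get the domain's security settings?" (blocked inheritance without an enforced link), and the second answers "who can change what those settings say?"; both are worth keeping as a baseline so later runs can be diffed against it.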




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
