NetAdminWorld - Finding network solutions, not excuses.

Group Policy

Group Policy, a feature belonging to the Microsoft Windows NT family of operating systems, are controls for the working environment of user and computer accounts. It provides a centralized management and configuration of operating systems, applications and user's settings in an Active Directory environment.

A very versatile tool, Group Policy can make things overly complicated as well. In SMBs or labs, you can keep things simple by linking all of your GPOs to the domain. Complication, however can be justified. If you have several departments on the domain that have different sets of Policies, you should create the GPO settings that apply only to those two departments and should not be applied to any other department. If you cannot make this justification, then keep things simple by linking the GPO one time to the domain.

Requirements for using Group Policy

There are three basic requirements for the use of Group Policy:

  1. Group Policy can only be use on a Domain Network, and this network must be based on Active Directory Domain Services, (AD DS.) This means that at least one server must have the AD DS role installed.
  2. Computers that you want to manage must be domain-joined. The users that you want to manage must use domain credentials to log on to their computers.
  3. To work on Group Policy, you must have Administrative rights.

Group Policy Management Console

Group Policy Management Console

Group Policy Management Console, (GPMC) is the tool used for managing Group Policy. It is a scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy.

Group Policy Objects

Policy settings are contained in Group Policy Objects, (GPOs.) Consider GPOs like policy documents. These documents apply their settings to the computers and users within their control.

Group Policy Links

Group Policy Objects have no use unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container.

GPO Processing Precedence

Group Policy is applied in a specific order. The order in which GPOs are processed is significant because when policy is applied, it overwrites policy that was applied earlier. This order of precedence is LSDOU:

  1. Local GPO is applied.
  2. Site linked GPOs are applied.
  3. Domain linked GPOs are applied.
  4. Organizational Units (OU) GPOs are applied.

For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units are applied.

Group Policy Inheritance

Group Policy Inheritance occurs when you link a GPO to the domain and applies to the computers and users in every OU and child OU in the domain.

What happens if multiple GPOs contain the same setting? This is where order of precedence comes into play. Again as mentioned previously, the order of processing is site, domain, OU, and child OUs. The order is child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site. A simple way to remember this is that Group Policy applies GPOs from the top down, overwriting settings along the way. In advanced scenarios, however, you can override the order of precedence.

Group Policy Management Editor

Group Policy Management Editor

Group Policy Editor allows you to edit Group Policy, both locally and remotely.

To access GPME, from the Command Line
Click Start , type gpedit.msc in the Start Search box, and then press ENTER.

You can access other computers' local policies by using the following syntax: (In both cases, the machine name must be in quotes.)

  • gpedit.msc /gpcomputer:"targetmachine"

Or...

  • gpedit.msc /gpcomputer:"targetmachine.domain.com"

Resultant Set of Policy (RSoP)

Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer.

To access RSoP, (as Administrator):

  • Click Start, Run, and type MMC.
  • On the File menu, click Add/Remove Snap-in.
  • In the Add or Remove Snap-ins dialog box, click Local Group Policy Editor, and then click Add.
  • In the Select Group Policy Object dialog box, click Browse.
  • Click This computer to edit the Local Group Policy object, or click Users to edit Administrator, Non-Administrator, or per-user Local Group Policy objects.
  • Click Finish, click Close, and then click OK. The Local Group Policy Editor opens the Group Policy object (GPO) for you to edit.