Group Policy Overview

Before you start

Objectives: learn what Group Policy is and why we use it, what types of policies exist, and when the different policies are applied.

Prerequisites: no prerequisites.

Key terms: group policy, settings, policy types, computer settings, user setting, local computer, active directory, gpupdate


Group Policy

A policy is a set of configuration settings that can be applied to users, computers or groups of users. A Group Policy Object (GPO) is a collection of settings that we can apply. These settings may include things like password policies, account lockouts, software deployment, and in general what the user can do in Windows: for example, whether they have access to the Windows Registry or the command line, which programs and applications they will be able to run, etc. The Group Policy settings that we create are contained in a Group Policy Object (GPO), which is in turn associated with selected Active Directory containers, such as Sites, Domains, or Organizational Units (OUs). We can edit Group Policy either at the local level (per computer) or at the domain level (through Active Directory (AD)). Group Policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.

Policy Types

There are several types of policies that can be applied. We have policies that apply to user settings and policies that apply to computer settings. We also have policies that apply to a local computer, and policies that get applied to the containers inside Active Directory. Containers inside AD include Sites, Domains and Organizational Units (OUs). If settings from the local level and settings from Active Directory are in conflict, the local-level policies will be overridden by those at the AD level.

Computer Settings

Computer settings are applied to all users regardless of who logs in. Any user who logs on to the computer will get the computer settings. Computer settings get applied at computer boot-up, so they are already in place when a user logs on. Computer policies can be software that should be installed on a specific computer, scripts that should run at startup or shutdown, password restrictions that must be met for all user accounts, network communication security settings, and registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree).

User Settings

Any user settings will depend upon who logs on to Windows. User settings only get applied at the log on of that particular user.

Active Directory Settings

Group Policy is an important component of Active Directory. Through Group Policy we can centrally manage and enforce desktop and other settings for users and computers within our organization. All of the Active Directory policies applied to Sites, Domains and OUs will override any policies that are applied locally. User policy settings can be software that should be installed for a specific user, scripts that should run at logon or logoff, Internet Explorer user settings, or registry settings that apply to the current user (the HKEY_CURRENT_USER subtree). Through Group Policy we can also redirect where our users store their files. Sometimes we may want to redirect certain folders to a server for easier backup. The most commonly redirected folder is the My Documents folder. Rather than having documents stored on a local computer, we can redirect that particular folder to a network share where we perform regular backups. Users can do this themselves, but we can also establish it as a rule in a Group Policy. Once we do that, the first time that particular setting is applied, all the existing files in the redirected folder will be copied to the server. From that point on, any changes that are made will be made on the server. Folder redirection requires Active Directory based Group Policy.

When do Settings get Applied

Generally, GPOs are applied in the following order:

  1. Local
  2. Site
  3. Domain
  4. OU

If GPOs are in conflict, the last GPO to be applied overrides the conflicting settings. For example, if we disable the Run command in AD at the domain level only, that setting will be applied regardless of the settings applied at the local level. But if we apply a different setting at the OU level, the OU-level setting will be applied regardless of the setting at the domain level. With Organizational Units we have both parent and child OUs, so we can control the activities of our users through the application of GPOs. Sometimes we want to control what happens to our settings after we apply them at one level: for example, when we don't want them overridden, or when we want to block certain parameters. For those purposes we have additional settings that we can apply. One of them is the No Override setting and another is Block Inheritance. We use the 'No Override' setting when we want to force the settings in our parent OU so that they can't be overridden by any child OU setting. We use the 'Block Inheritance' setting when we want to prevent settings from applying to child containers. That way, settings in the child OU will not be set by the parent OU.
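As an added example (not code from the original article), the following Python simulation models the precedence rules just described: Local, Site, Domain, OU order, 'No Override' (Enforced) links, and Block Inheritance. The container and GPO names are constructed, and the model assumes that the local GPO is always processed and that enforced links are applied last with the highest level winning.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value
    enforced: bool = False     # "No Override" (Enforced) on the link

@dataclass
class Container:
    name: str
    level: str                 # "Local", "Site", "Domain" or "OU"
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def apply_order(chain):
    """chain is Local, Site, Domain, OU...; returns GPOs in application order (last wins)."""
    # Block Inheritance on a container drops non-enforced GPOs linked above it.
    # Assumed: the local GPO is always processed, and enforced links can never be blocked.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for g in c.gpos:
            if g.enforced:
                enforced.append(g)
            elif c.level == "Local" or i >= cut:
                normal.append(g)
    # Enforced links are applied after everything else, highest level last,
    # so a domain-level "No Override" beats a conflicting child-OU setting.
    return normal + enforced[::-1]

def resolve(chain):
    """Final value of each setting plus the name of the GPO that supplied it."""
    result, winner = {}, {}
    for g in apply_order(chain):
        for key, value in g.settings.items():
            result[key], winner[key] = value, g.name
    return result, winner

def build_chain(domain_enforced=False, ou_blocks=False):
    """Constructed sample modelled on the article's Run-command example."""
    local = Container("This PC", "Local",
                      [GPO("Local Policy", {"HideRun": False, "DisableRegedit": False})])
    site = Container("Default-First-Site", "Site")
    domain = Container("corp.example", "Domain",
                       [GPO("Domain Lockdown", {"HideRun": True, "MinPwdLen": 12}, domain_enforced)])
    ou = Container("Helpdesk", "OU", [GPO("Helpdesk Tools", {"HideRun": False})], ou_blocks)
    return [local, site, domain, ou]
```

Calling `resolve(build_chain())` shows the OU link winning the HideRun conflict, while `build_chain(domain_enforced=True)` makes the domain setting win even when the OU blocks inheritance.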

If we make changes to our Group Policy, computer policies will be updated when the computer reboots. User settings will get applied when the user logs off and then logs on again. There is also a refresh interval that administrators can set (the default is every 90 minutes). If we want to update GPOs right away, we can use the command-line utility gpupdate. If we run gpupdate with no switches, it updates computer and user settings together. By adding switches, we can designate which section we want to update. For example, the command gpupdate /target:computer updates only the computer section, and gpupdate /target:user updates only the user settings. Additional switches that we can use are:

  • /boot – some settings have to be applied at boot, so we can force a reboot using a /boot switch
  • /logoff – some settings require a user to log off, so we can force it by using a /logoff switch

Examples

For more details we need to see how to work with Group Policy on a particular Windows installation:

Keep in Mind

Keep in mind that some Windows editions don't come with the Group Policy Editor. For example, the Windows 7 Home Premium, Home Basic and Starter editions don't come with the Group Policy Editor. Only the Windows 7 Professional, Enterprise and Ultimate editions come with the Group Policy Editor installed.

Remember

Group Policy is a collection of settings that we can apply to computers, users or groups of users. Policies can be applied to particular users or to whole computers. We also differentiate between local policies and policies that get applied to the containers inside Active Directory. Computer settings are applied to all users regardless of who logs in. User settings only get applied at the logon of that particular user. All of the Active Directory policies applied to Sites, Domains and OUs will override any policies that are applied locally. Computer policies will be updated when the computer reboots. User settings will get applied when the user logs off and then logs on again. There is also a refresh interval that administrators can set (the default is every 90 minutes). If we want to update GPOs right away, we can use the command-line utility gpupdate.

Commands that are mentioned in the article

Commands for the command-line utility gpupdate:

  • gpupdate – update computer and user settings
  • gpupdate /target:computer – update computer settings
  • gpupdate /target:user – update user settings

Additional parameters for the command gpupdate:

  • /boot – force a reboot so certain computer settings can be applied
  • /logoff – force user to log off so certain user settings can be applied