Group Policy is widely used in
Windows networks of all sizes to manage various user and computer
policies. In this section, we will explore Group Policy and how to
properly deploy it within an AD domain.
1. Overview of Group Policy
Group Policy was first introduced in Windows
Server 2000 AD and was widely adopted as the standard method to manage
user and computer configurations for Windows networks. Group Policy
allows administrators to set and enforce settings on users and
computers within the domain. These settings include security settings,
restricting access to specific parts of the OS, and deploying software.
At the core of Group Policy are GPOs. GPOs contain the settings you
wish to apply to computers or users and are applied locally or to
sites, domains, or OUs within AD.
Group Policy links and security filtering
GPOs can be linked to AD sites, domains, or
OUs. They can also be set up locally on individual computers. As you
develop your GPOs, you will need to understand what objects you wish to
apply the settings to. For example, if you want to prevent access to
the Windows control panel for all users in the HR department, you could
apply a GPO with those settings to the OU containing all the users in
HR. Maybe you want to configure a specific Internet Explorer homepage
for every user in the New York location. You could create a GPO with
the IE settings defined and apply it to the New York AD site.
In addition to linking GPOs, you can
also filter them based upon security. A user or computer must have read
and apply permissions to a GPO before it applies to them. You can limit
which users or computers can apply a specific GPO by adding them to or
removing them from the GPO permissions, as seen in Figure 1.
Notes from the field
GPOs apply to users and computers only
GPOs apply to users and computers only. They
do not apply to groups. Groups can be used to security-filter GPOs but
you cannot apply a GPO to an AD group.
Group Policy user and Computer Settings and preferences
Every GPO has a User Settings section and a
Computer Settings section which means it can apply settings to user
objects, computer objects, or both. As you expand each section, you
will see various settings that can be applied to user or computer
objects. You can configure the following groups of settings within a
GPO:
- Software Settings—Software Settings allow you to use GPOs to deploy applications such as Microsoft Office.
- Windows Settings—Windows Settings allow you to configure basic Windows settings such as startup and shutdown scripts, folder redirection, and Public Key Policies.
- Administrative Templates—Administrative Templates allow registry keys to be modified on systems applying the policy. This allows administrators to configure detailed settings for Windows and other applications, including Microsoft Office.
Group Policy Preferences were first
introduced in Windows Server 2008 R1. Group Policy Preferences allow
for even more granular control of various Windows settings. Group
Policy Preferences additionally have better targeting techniques such
as applying the GPO to only specific OSs, specific hardware specs, or
IP address ranges.
Group Policy processing order
It is important that you understand how Group
Policy is applied and the processing order used to apply GPOs. As
mentioned earlier, GPOs can be set up on the local computer or applied
to AD Sites, Domains, and OUs. When multiple GPOs are configured, the
order in which they are applied to a user or computer is important. In
the event of a conflict, the next policy applied will override the one
that was applied before it. GPOs are applied in the following order:
- Local Policies created on the computer
- GPOs applied to AD Sites
- GPOs applied to Active Directory Domains
- GPOs applied to AD OUs
- GPOs applied to AD child OUs
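The following added example (not from the original text) models the processing order above together with security filtering, and reports which GPO wins each conflicting setting for a given user. The GPO names, group names, and setting keys are constructed for illustration, the GPO list stands for everything linked along the target's path, and the model assumes only allow permissions and treats local policy like any other GPO.

```python
from dataclasses import dataclass, field

# Processing order from the list above; later levels override earlier ones.
ORDER = ["local", "site", "domain", "ou", "child_ou"]

@dataclass
class Gpo:
    name: str
    level: str                                 # one of ORDER
    settings: dict                             # setting -> value
    acl: dict = field(default_factory=dict)    # principal -> permissions

def passes_filter(gpo, principals):
    """Security filtering: the target needs read AND apply on the GPO.
    Permissions granted to the target and its groups are combined."""
    granted = set()
    for p in principals:
        granted |= gpo.acl.get(p, set())
    return {"read", "apply"} <= granted

def resultant_settings(gpos, principals):
    """Return {setting: (value, winning GPO)} for one user or computer."""
    result = {}
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g.level)):
        if passes_filter(gpo, principals):
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)    # last writer wins
    return result

# Constructed sample data (hypothetical names, not from a real domain).
EVERYONE = {"Authenticated Users": {"read", "apply"}}
SAMPLE_GPOS = [
    Gpo("HR Managers Exception", "child_ou", {"control_panel": "allowed"},
        {"HR-Managers": {"read", "apply"}, "Authenticated Users": {"read"}}),
    Gpo("HR Lockdown", "ou", {"control_panel": "blocked"}, EVERYONE),
    Gpo("Domain Baseline", "domain", {"ie_homepage": "http://intranet"}, EVERYONE),
    Gpo("New York Site", "site", {"ie_homepage": "http://intranet/ny"}, EVERYONE),
    Gpo("Local Policy", "local", {"control_panel": "allowed"}, EVERYONE),
]

if __name__ == "__main__":
    staff = {"alice", "Authenticated Users", "HR-Staff"}
    manager = {"bob", "Authenticated Users", "HR-Managers"}
    for who in (staff, manager):
        print(sorted(who), resultant_settings(SAMPLE_GPOS, who))
```

Note that the site-level homepage is overridden by the domain-level GPO because domains are processed after sites, and that the child OU exception only takes effect for accounts that pass its security filter.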