The GPO link defines which objects a GPO affects.
Group Policy is an Active Directory feature that provides the means for you to effectively and efficiently manage large numbers of computers. You can manage both user and computer configuration settings centrally, from one point of administration. You can define group policies as a collection of user and computer configuration settings which you can link to the following components:
Once linked, Group Policy defines the manner in which the operating system, network resources, and applications and programs operate for users within the organization. In other words, group policies define the behaviour of the desktops of users. You can use Group Policy for the following administrative operations:
You can define policies that behave differently for a computer, and a user:
Because users and computers in Active Directory can be located in groups, and categorized in Organizational Units (OUs), using group policies can simplify the management of thousands of computers. You can also define policies that affect resources connected to a particular computer (local policy), or you can define policies that affect the Active Directory directory (non-local policies). You need to be familiar with, and understand, the concepts that affect Group Policy operations, the different components of Group Policy, and the terminology used with Group Policy in order to implement it within your organization. The remainder of this Article focuses on this.
Understanding Group Policy Objects (GPOs)
A group policy object (GPO) is an Active Directory object which contains one or more Group Policy settings which affect the configuration settings for users or computers. A GPO acts as a container for the settings configured in Group Policy files. The Active Directory components that can be linked to a GPO are computers, sites, domains, and organizational units (OUs). Linking a GPO to a site, domain, or OU applies the GPO settings to any user or computer objects within that particular container. As already mentioned, a GPO can be thought of as a container that holds Group Policy settings. The GPO identifies the following components of Group Policy:
An important Group Policy concept is that Group Policy settings are hierarchical. What this means is that they can be linked and applied at different levels, as illustrated below:
When determining the manner in which Group Policy settings are hierarchically applied, remember the following: All computers and users located beneath the container that the GPO is linked to are automatically within the scope of that GPO. They will therefore be affected by each and every Group Policy setting specified in the GPO. This makes it possible for a user or computer to fall within the scope of numerous GPOs linked to sites, domains, and OUs. The concept of Resultant Set of Policies (RSoP) refers to the total impact of the policies in the GPOs on the user or computer. GPOs can be grouped into the categories listed below. The category into which a GPO falls is determined by the location at which the Group Policy settings originated.
You define one of the following policy types:
Group Policy settings in the GPO are regarded as being cumulative and hierarchical in nature. When a GPO is applied to a site, the GPO is applied to all computers within the site. This is because Active Directory directory information is replicated as follows:
Where a domain level GPO and an OU level GPO apply to the same users, the settings of both GPOs are applied to the user. GPOs are by default cumulative and inherited. You can, however, configure the following options which either block inheritance or force inheritance, at the different levels to which the GPO is linked:
To configure and manage policy settings in GPOs, and link GPOs to computers, sites, domains and organizational units (OUs), Windows Server 2003 provides the following set of management tools:
The Group Policy Object Editor is the tool used to manage and define the Group Policy settings in each GPO. You can use the Group Policy Object Editor to examine the Group Policy settings for a GPO. You can use the steps below to open the Microsoft Management Console (MMC) for the local GPO.
You can perform the following management tasks for GPOs:
Group Policy Settings
In Active Directory, Group Policy settings are held within a Group Policy object (GPO). A GPO has a globally unique identifier (GUID) attribute that identifies it within Active Directory. As mentioned previously, you can use the Group Policy Object Editor to examine the Group Policy settings for a GPO. The types of Group Policy settings that exist are categorized into user configuration settings and computer configuration settings. The computer configuration settings are stored in the Computer Configuration node and user configuration settings are stored in the User Configuration node.
Both the Computer Configuration and the User Configuration nodes contain the following nodes:
Software Settings
By default, the Software Settings node under the Computer Configuration node and under the User Configuration node contains the Software Installation extension. This extension assists with the configuration of software policy settings that define how software and applications are installed on computers. You can use software settings to deploy new applications to end users, and define a computer as the location for an application. Software settings defined under the User Configuration node can be used to make a specific application available to only a particular user, irrespective of the actual computer the user logs on to. Only the designated user would be able to view and execute the application. You can also use software policies to deploy new applications in the network, and make them accessible to users. You can control the default configuration for these applications as well.
Windows Settings
The Windows Settings node in the Computer Configuration node and in the User Configuration node contains the following:
The policy settings which you can define are determined by whether they are applied in the Computer Configuration node, or the User Configuration node.
Administrative Templates
The policy settings that are contained in the Administrative Templates node of the Computer Configuration node and the User Configuration node are Registry based settings. Group Policy settings for user configuration are stored in the HKEY_CURRENT_USER (HKCU) registry key. Group Policy settings for computer configuration are stored in the HKEY_LOCAL_MACHINE (HKLM) registry key. The Administrative Templates node contains Group Policy settings for:
In fact, more than 500 Registry based Group Policy settings can be set under User Configuration. A few examples are Start Menu settings, Shared Folder settings, Control Panel settings, and Desktop settings. The locations which contain a description of these Group Policy settings are listed below:
The Administrative templates node of both the User Configuration node and Computer Configuration node have the following nodes:
Only the Administrative Templates node located beneath the Computer Configuration node has a Printers node, which contains Group Policy settings that can be set for printers. Only the Administrative Templates node located beneath the User Configuration node has Start Menu and Taskbar, Desktop, Control Panel and Shared Folders nodes. A Group Policy setting in the Administrative Templates node has one of the following states or settings:
As previously mentioned, Group Policy settings for user configuration are stored in the HKEY_CURRENT_USER (HKCU) registry key, and Group Policy settings for computer configuration are stored in the HKEY_LOCAL_MACHINE (HKLM) registry key. Each in turn stores Group Policy specific registry information in one of the following reserved trees:
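The following is an added example, not code from the original article, showing how a Registry based Administrative Templates setting moves through the Enabled, Disabled and Not Configured states from the GPO side, and how to confirm on a client that the value landed in the reserved Policies tree. It assumes the GroupPolicy PowerShell module (shipped with GPMC/RSAT on Windows Server 2008 R2 and later, not the Windows Server 2003 tooling the article describes). The GPO name, registry key and value name are constructed placeholders; the key a real template writes to is documented in that template's .adm/.admx file.

```powershell
# Added example: manage one Registry based policy setting in a GPO and verify it on a client.
# Assumptions: GroupPolicy module present; GPO, key and value below are placeholders.
Import-Module GroupPolicy

$gpo       = 'Workstation Hardening'                        # assumed GPO name
$key       = 'HKLM\Software\Policies\ExampleCorp\Agent'     # assumed key under the reserved Policies tree
$valueName = 'EnforceLogging'                               # assumed value a template would control

# Enabled: the GPO instructs clients to create the value (PolicyState = Set).
Set-GPRegistryValue -Name $gpo -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null

# Read the setting back from the GPO (this is what the Group Policy Object Editor shows).
$s = Get-GPRegistryValue -Name $gpo -Key $key -ValueName $valueName
"{0}\{1} -> state={2} type={3} value={4}" -f $s.FullKeyPath, $s.ValueName, $s.PolicyState, $s.Type, $s.Value

# Disabled: the GPO now instructs clients to remove the value (PolicyState = Delete).
Set-GPRegistryValue -Name $gpo -Key $key -ValueName $valueName -Disable | Out-Null
(Get-GPRegistryValue -Name $gpo -Key $key -ValueName $valueName).PolicyState

# Not Configured: the setting is removed from the GPO altogether. Clients that already
# applied it keep whatever is in their registry until another policy touches the value.
Remove-GPRegistryValue -Name $gpo -Key $key -ValueName $valueName | Out-Null

# Client-side check (run on a domain member after 'gpupdate /target:computer'):
# Registry based policy lives under HKLM\Software\Policies (computer) or HKCU\Software\Policies (user).
function Test-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path "Registry::$Path" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { "$Path\$Name is absent (Disabled or never applied)" }
    else                 { "$Path\$Name = $($item.$Name)" }
}
Test-PolicyValue -Path $key -Name $valueName
```

Reading the setting back with Get-GPRegistryValue after each change is the quickest way to see the difference between Disabled (the GPO carries a delete instruction) and Not Configured (the GPO carries nothing), which is the distinction that usually explains a value that "will not go away" after a policy is un-set.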
What are Administrative Templates?
Administrative templates in Windows 2000 and Windows Server 2003 are Unicode based text files that have a .adm file name extension. An administrative template can be defined as the text file which creates the user interface for the Group Policy settings which you can configure using the Group Policy Object Editor. The three types of administrative templates which exist are:
Understanding the Group Policy Processing Sequence
The process listed below is executed when computer configuration settings and user configuration settings are applied at computer startup and user log on.
Understanding the order in which Group Policy settings are processed
Nonlocal GPOs, or Active Directory based GPOs, are applied in a hierarchical manner. The end configuration of the user or computer is the result of the GPOs which are linked to a particular site, domain and OU. Group Policy settings are processed in the order specified below:
The order specified above is affected by a few exceptions, which are noted below:
Understanding Group Policy Inheritance
When discussing Group Policy, the concept of inheritance signifies that Group Policy settings which affect user configuration and computer configuration are the resultant set of policies inherited from parent containers. Policies are usually passed down from a parent container to its associated child containers. The exception is that a Group Policy setting defined for a child OU overrides the same setting which it inherited from its parent OU. A child OU does not inherit its parent OU policy settings in the following instances:
The ways in which Group Policy settings can be inherited are listed below:
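The following is an added example, not code from the original article, that ties together the processing order and the inheritance controls described above: it reads the effective, precedence-ordered list of links that reach an OU, blocks inheritance on a child OU, enforces a parent-level link so it still wins below the block, and then audits the domain for every OU that blocks inheritance. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Windows Server 2008 R2 and later, not the Windows Server 2003 tools the article covers); the domain, OU and GPO names are constructed placeholders.

```powershell
# Added example: inspect and control GPO inheritance on an OU.
# Assumptions: GroupPolicy + ActiveDirectory modules; names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'corp.example'                                  # assumed domain
$parentOu = 'OU=Sales,DC=corp,DC=example'                   # assumed parent OU
$childOu  = 'OU=Workstations,OU=Sales,DC=corp,DC=example'   # assumed child OU
$gpo      = 'Sales Baseline'                                # assumed GPO linked at the parent OU

# 1. Links that reach the child OU, in precedence order (InheritedGpoLinks follows the
#    site -> domain -> parent OU -> child OU processing order; lower Order wins last).
$inh = Get-GPInheritance -Target $childOu -Domain $domain
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 2. Block inheritance on the child OU: site, domain and parent-OU links no longer apply
#    here, with one exception, links marked Enforced.
Set-GPInheritance -Target $childOu -IsBlocked Yes -Domain $domain | Out-Null

# 3. Enforce the parent-level link so the baseline still applies below the block and a
#    conflicting setting in a child-OU GPO cannot override it.
Set-GPLink -Name $gpo -Target $parentOu -Enforced Yes -Domain $domain | Out-Null

# 4. Verify: the enforced baseline must still be in the child OU's inherited links.
function Test-GpoReaches {
    param([string]$GpoName, [string]$Ou, [string]$Dom)
    $link = (Get-GPInheritance -Target $Ou -Domain $Dom).InheritedGpoLinks |
            Where-Object DisplayName -eq $GpoName
    if ($link) { "$GpoName reaches $Ou (Enforced=$($link.Enforced), Order=$($link.Order))" }
    else       { "WARNING: $GpoName no longer reaches $Ou" }
}
Test-GpoReaches -GpoName $gpo -Ou $childOu -Dom $domain

# 5. Audit: every OU that blocks inheritance. Each one is a place where a domain-level
#    security baseline silently stops applying unless its link is Enforced.
Get-ADOrganizationalUnit -Filter * -Server $domain |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName -Domain $domain } |
    Where-Object GpoInheritanceBlocked |
    Select-Object Path, GpoInheritanceBlocked
```

Step 5 is the check worth scheduling: a blocked OU created for a one-off exception is easy to forget, and the only symptom is that hosts in it drift away from the baseline while the GPO itself looks healthy.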
Delegating Administrative Control of GPOs
Configuring the appropriate security settings on GPOs is important for the following reasons:
To simplify the management of Group Policy, you can delegate administrative control of the following administrative tasks:
Filtering Group Policies
As mentioned on numerous occasions throughout this Article, group policies are linked to sites, domains and OUs, and are then applied to user and computer objects, based on where they are located within Active Directory. Group policies are therefore never directly linked to security groups. An option does, however, exist whereby you can apply a GPO to one or more designated security groups through a process known as filtering the GPO. When filtering the GPO, you can specify that it is only applicable when a user or computer is a member of the security group. You can define filtering as the process by which certain security groups are either included in or excluded from the Group Policy settings of the GPOs. This allows you to filter Group Policy so that it affects only those computers and users which you intend to be influenced by Group Policy. Because the Group Policy settings in a nonlocal or Active Directory based GPO are only relevant to users that have the Read (Allow) permission and Apply Group Policy (Allow) permission for the GPO, you can set the necessary permissions for security groups to include only certain computers and users. When filtering Group Policy, remember that the filter only applies if the users in the security group are within the scope of the GPO. Windows Management Instrumentation (WMI) is a management tool which Windows Server 2003 utilizes in a number of ways to monitor and manage network objects. WMI can be used to filter a GPO based on the results of a WQL query. This is a new Windows Server 2003 Group Policy feature. You cannot, however, filter individual elements of a GPO. You can also only choose one WMI filter for any specified GPO. When a WMI query is utilized to filter the scope of a GPO, the GPO is applied based on properties available in WMI that are referenced in the WMI query. The WMI components are listed below:
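The following is an added example, not code from the original article, that covers both the delegation section above and security filtering: it shows the current permissions on a GPO, applies a security-group filter (Read plus Apply Group Policy for the group, Read only for Authenticated Users), reports which WMI filter, if any, is attached, and then audits every GPO in the domain for trustees that can edit it. It assumes the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2 and later, not the Windows Server 2003 tools the article covers); the GPO and group names are constructed placeholders.

```powershell
# Added example: security filtering, WMI filter check and a delegation audit.
# Assumptions: GroupPolicy module present; GPO and group names are placeholders.
Import-Module GroupPolicy

$gpo   = 'Sales Baseline'          # assumed GPO
$group = 'GG-Sales-Workstations'   # assumed domain security group that should receive the GPO

# 1. Who currently has which permission level on the GPO.
Get-GPPermission -Name $gpo -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, @{n='Type';e={$_.Trustee.TrusteeType}},
                  Permission, Inherited |
    Format-Table -AutoSize

# 2. Security filtering: grant the group Read + Apply Group Policy (GpoApply implies Read).
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Reduce Authenticated Users to Read only. Without -Replace the cmdlet never lowers a
#    level, so the default Apply would remain and the filter would have no effect. Keep
#    Read, because computers must still be able to read user-targeted GPOs during processing.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. WMI filter attached to the GPO (a GPO can carry at most one).
$g = Get-GPO -Name $gpo
"WMI filter on {0}: {1}" -f $g.DisplayName, $(if ($g.WmiFilter) { $g.WmiFilter.Name } else { '<none>' })

# 5. Delegation audit: trustees able to change the contents of any GPO. Anyone on this list
#    can push settings to every object in that GPO's scope, so it should match the intended
#    delegation exactly.
function Get-GpoEditors {
    Get-GPO -All | ForEach-Object {
        $current = $_
        Get-GPPermission -Name $current.DisplayName -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            Select-Object @{n='GPO';e={$current.DisplayName}},
                          @{n='Trustee';e={$_.Trustee.Name}},
                          Permission
    }
}
Get-GpoEditors | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Steps 2 and 3 are the two halves of a working filter: granting Apply to the intended group does nothing while Authenticated Users still holds Apply, which is the most common reason a "filtered" GPO keeps applying to everyone.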
Resultant Set of Policies (RSoP)
Because GPOs can be linked, blocked and filtered, and their settings inherited, it can be quite a time consuming and complex task to determine which Group Policy settings are applied to a user or computer. Windows Server 2003, however, includes the Resultant Set of Policy (RSoP) tool which simplifies Group Policy management. You can use the Resultant Set of Policy (RSoP) tool to determine what occurs with group policies when a particular user logs on to the computer. Through RSoP, you can determine the following:
The tool can also be used to assist in the planning of a Group Policy implementation, and to troubleshoot Group Policy settings.
What defines which objects are affected by settings in a GPO?
Which PowerShell cmdlet below can be used to set permissions for a security principal to a GPO or to all GPOs? Set-GPPermission.
Computer Configuration\Policies\Administrative Templates\System\Group Policy.
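The following is an added example, not code from the original article, showing the RSoP logging-mode workflow from PowerShell: generate the resultant set for a given computer and user, save it as a report, and parse the XML form to list which GPOs were applied, which were denied, and why. It assumes the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2 and later; on Windows Server 2003 the equivalent is the RSoP MMC snap-in or gpresult), and the computer and user names are constructed placeholders. The XML element names used in the parser are taken from the RSoP report schema as it is commonly produced; treat them as an assumption and adjust if your report differs.

```powershell
# Added example: collect and parse a logging-mode RSoP report.
# Assumptions: GroupPolicy module present; computer/user names are placeholders;
# element names follow the RSoP XML report schema.
Import-Module GroupPolicy

$computer = 'WS-SALES-01'      # assumed target computer
$user     = 'CORP\jdoe'        # assumed target user
$xmlPath  = Join-Path $env:TEMP "rsop-$computer.xml"
$htmlPath = Join-Path $env:TEMP "rsop-$computer.html"

# 1. Logging mode: what actually applied at the last policy refresh, for both the
#    computer and the user. HTML for people, XML for scripts.
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Html -Path $htmlPath | Out-Null
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Xml  -Path $xmlPath  | Out-Null

# 2. Parse the XML: one row per GPO that was considered, with the reason it did or
#    did not apply (security filter denied, WMI filter false, link disabled, ...).
function Get-RsopGpoSummary {
    param([string]$Path)
    [xml]$rsop = Get-Content -Path $Path -Raw
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($g in $rsop.Rsop.$scope.GPO) {
            [pscustomobject]@{
                Scope         = $scope
                GPO           = $g.Name
                LinkedAt      = ($g.Link | ForEach-Object { $_.SOMPath }) -join '; '
                Enforced      = ($g.Link | ForEach-Object { $_.NoOverride }) -join '; '
                Applied       = [bool]::Parse($g.Enabled) -and [bool]::Parse($g.FilterAllowed) -and
                                -not [bool]::Parse($g.AccessDenied)
                FilterAllowed = $g.FilterAllowed
                AccessDenied  = $g.AccessDenied
                WmiFilter     = $g.WMIFilter
            }
        }
    }
}

Get-RsopGpoSummary -Path $xmlPath |
    Sort-Object Scope, Applied -Descending |
    Format-Table Scope, GPO, Applied, AccessDenied, FilterAllowed, LinkedAt -AutoSize

# 3. Quick local alternative that needs no RSAT: applied GPOs and the security groups
#    the policy engine saw for this computer (the groups drive security filtering).
gpresult /r /scope:computer
```

The AccessDenied and FilterAllowed columns are the ones to read first when a setting is missing: the former means the security filter excluded the principal (a permission issue on the GPO), the latter means the WMI filter evaluated to false on that machine, and neither shows up in the GPO's own settings view.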
What is the purpose of a group policy object (GPO)?
Microsoft's Group Policy Object (GPO) is a collection of Group Policy settings that defines what a system will look like and how it will behave for a defined group of users. Microsoft provides a program snap-in that allows you to use the Group Policy Management Console (GPMC).
What is a policy in a GPO?
A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in Active Directory.
When a GPO is linked to a site object, what will be affected?
If you link a GPO to a site, its settings will apply to all objects in that site; the objects are said to fall into the GPO's scope of management. More than one GPO can be linked to a given site, and those GPOs could have conflicting settings.