An Example of Group Policy Application | Group Policy, Profiles, and IntelliMirror for Windows2003, WindowsXP, and Windows 2000 (Mark Minasi Windows Administrator Library)

At this point, it's best not to jump directly into adding, deleting, or modifying our own GPOs. Right now, it's better to understand how Group Policy works "on paper." This is especially true if you're new to the concept of Group Policy, but perhaps also if Group Policy has been deployed by other administrators in your Active Directory.

By walking through a fictitious organization that has deployed GPOs at multiple levels, you'll be able to better understand how and why policy settings are applied by the deployment of GPOs. Let's start by taking a look at Figure 1.2, the organization for our fictitious example company, Corp.com.

Figure 1.2: This fictitious Corp.com is relatively simple. Your environment may be more complex.

This picture could easily tell 1000 words. For the sake of brevity, I've kept it down to around 200. In this example, the domain Corp.com has two Domain Controllers. One DC, named CORPDC1, is physically located in the California site. Corp.com's other Domain Controller, CORPDC2, is physically located in the Phoenix site. Using Active Directory Sites and Services, a schedule can be put in place to regulate communication between CORPDC1 located in California and CORPDC2 located in Phoenix. That way the administrator controls the chatter between the two Corp.com Domain Controllers, and it is not at the whim of the operating system.

Inside the Corp.com domain are two OUs: Human Resources, and (inside Human Resources ) another OU called High Security . FredsPC is located inside the Human Resources OU, as are Dave's user account and Jane's user account. There is one PC, called AdamsPC, inside the High Security OU. There is also JoesPC, which is a member of the Corp.com domain. It physically resides at the Phoenix site and isn't a member of any OU.

Another domain, called Widgets.corp.com, has an automatic transitive two-way trust to Corp.com. There is only one Domain Controller in the Widgets.corp.com domain, named WIDDC1, and it physically resides at the Phoenix site. Last, there is MarksPC, a member of the Widgets.corp.com domain, which physically resides in the New York site and isn't in any OU.

Understanding where your users and machines are is half the battle. The other half is understanding which policy settings are expected to appear when they start logging on to Active Directory.