Overview of Group Policy


In a nutshell, group policy allows an administrator to apply settings to users and computers on the network in a managed and granular fashion. Specifically, the tasks listed in Table 20.1 can be managed through group policy.

Table 20.1. Tasks That Can Be Managed Through Group Policy

Task                      Description
------------------------  -------------------------------------------------------------
Assign scripts            Group policy can designate different scripts (logon, logoff,
                          startup, shutdown, and so on) to be run.
Redirect folders          Group policy can take standard system folders (My Documents,
                          Application Data, Desktop, and so on) and point them to
                          locations on the network.
Manage applications       Group policy can assign applications for use by specific
                          users or computers, install updates for applications, or
                          remove unwanted applications.
Modify Registry settings  Group policy can set values for Registry settings for users
                          or computers.


As Table 20.1 implies, some group policy settings apply to computers, and some apply to users. Logon and logoff scripts would only apply to users when they log on and off the network. Startup and shutdown scripts would only apply to computers. This is only one way that group policy is broken down into logical parts. The next section discusses in more detail the different components that make up group policy.

Group Policy Elements

Each user or computer policy has three main sections: Software Settings, Windows Settings, and Administrative Templates. Each individual policy element is stored in one of these three areas in either the user or computer policy group.

Software Settings

Policy elements under this section relate to the installation, update, or removal of software on computers on the network. Software policies enabled in the computer configuration apply to all users who log on to the workstation affected by the policy. This is useful to make an application available to all users of a workstation. Software policies enabled in the user configuration apply to the users identified in the group policy object (GPO) no matter which workstation they use. If a user needs to have an application available to her wherever she logs in, you would set the policy element in the user configuration.

Windows Settings

Policy elements under this section cover scripts, security settings, folder redirection, and a number of other items. The settings available differ significantly between the computer configuration and the user configuration. Table 20.2 lists some of the policy elements in this area and whether each applies to users or to computers.

Table 20.2. Group Policy Items for Windows Settings

Policy Element                 Location                Description
-----------------------------  ----------------------  --------------------------------------
Scripts                        Computer Configuration  Startup and shutdown scripts for
                                                       workstations
Scripts                        User Configuration      Logon and logoff scripts for users
Account policies               Computer Configuration  Password and account lockout settings
Folder redirection             User Configuration      Alternate location settings for My
                                                       Documents, Application Data, and
                                                       other system folders
Internet Explorer maintenance  User Configuration      Changes to IE defaults, including
                                                       security zone, favorites, and user
                                                       interface settings


Administrative Templates

Policy settings in this section generally shape the environment the user or computer account operates in. Settings applied through Administrative Templates are written to the computer's Registry: user configuration settings go into the HKEY_CURRENT_USER (HKCU) hive, and computer configuration settings go into the HKEY_LOCAL_MACHINE (HKLM) hive. They land under the dedicated policy keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies in each hive), which ordinary users cannot modify and which are cleaned up when the GPO no longer applies, so they do not "tattoo" the machine the way a directly edited Registry value would. Settings in the computer configuration apply to all users who log on to the workstation, and settings in the user configuration apply to the user no matter which workstation in the domain he uses.

Group Policy Scope and Order of Application

One of the most important features of group policy is that more than one policy can be applied depending on the domain configuration. This aids in the management and planning of policy for the entire network while affording a level of granularity not possible prior to Active Directory.

Each group of settings is bundled into a GPO. The GPO contains not only the computer and user policy settings but also the security filtering (which groups may apply it) and any WMI filter that together determine whether the policy is applied to a specific user or computer.

Specific rules determine the order in which policy elements are applied: local, site, domain, and organizational unit (OU). The following list describes the function of each:

  • Local settings. Each computer has a set of local policies that is applied at boot time before any other policies. Each computer contains only one local policy object.

  • Site settings. Each Active Directory site can have a set of policy objects linked to it; multiple GPOs can be linked at the site level. A default SBS installation has no site-level GPOs.

  • Domain settings. Each domain object in Active Directory can have another set of GPOs linked to it, processed after the site settings. A default SBS installation has multiple GPOs defined at the domain level. See the "Default SBS Group Policy Objects" section later in the chapter for more information.

  • Organizational unit settings. Organizational units can have multiple GPOs linked to them as well. GPOs linked to OUs are processed last, parent OU before child OU.

Note

GPOs can be linked only to sites, domains, and organizational units, not to the built-in containers such as Users and Computers. This is why the SBS wizards do not place user and computer objects into the Users and Computers containers. When users or computers are added manually in Active Directory and left in those containers, the only GPOs applied to them are the local, site, and domain GPOs; no further fine-tuning through OU-level policy is then possible.


If a setting is defined in more than one GPO and the values conflict, the value from the GPO processed last takes precedence. Figure 20.1 shows the processing order of GPOs in the SBS environment.

Figure 20.1. Group Policy processing order.


Group Policy Filtering

Besides the granularity you get by linking policies at different OU levels, you can further control the application of group policy by security group and by Windows Management Instrumentation (WMI) filters. Security filtering works through the GPO's permissions: a user or computer applies a GPO only if it has both Read and Apply Group Policy on it, and by default Authenticated Users holds both, so the GPO applies to everyone in its scope unless you narrow that. In general, this level of granularity is probably not needed in the SBS environment, but it's nice to know it's available should you need it.

Note

WMI filtering of group policy was introduced with Windows XP and Windows Server 2003. Windows 2000 workstations do not understand WMI filters; they ignore the filter and apply any policy object that has one attached as though no filter were present, so a WMI filter cannot be relied on to exclude Windows 2000 clients.


Group Policy Inheritance

Group policy inheritance can be thought of in the same way as NTFS security inheritance. Policies linked at a higher level in the processing order apply to objects lower in the processing order. In some ways "inheritance" is a misnomer, because a lower-level object does not really inherit the domain-level policy settings; rather, whatever the lower-level GPOs do not override is simply left in place from the earlier-processed GPOs. An OU can be marked Block Inheritance to stop the GPOs linked above it from being applied, but an Enforced link (see the next section) is applied regardless of that block.

Overriding Group Policy Processing Order

There may be times when you want a domain-level policy to apply no matter what is set at the OU level. To achieve this, mark the GPO link as Enforced (labeled No Override in the Active Directory Users and Computers interface). When a link is Enforced, no GPO processed later can override the settings defined in it, and the link is applied even to OUs that block inheritance.

For example, one administrator sets a domain GPO that makes every user's desktop background a specific image file, and another administrator creates an OU GPO that sets the background to a different image. Because the OU GPO is processed after the domain GPO, the image from the OU GPO is what appears on the desktops of the users in that OU. If the first administrator wants the domain GPO to win regardless of what is changed in the OU GPO, she sets the domain link as Enforced; when the OU GPO is then processed, any setting that conflicts with the domain GPO is resolved in the domain GPO's favor.

Note

Setting a GPO as Enforced protects only the settings actually defined in that GPO. A policy object processed later can still set any item that is left Not Configured in the Enforced GPO.
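The processing order, security filtering, Block Inheritance, and Enforced behaviour described above can be checked against a small model. The following Python is an added example for this chapter, not code from the book or from Microsoft's Group Policy client: it resolves the effective settings for a user by walking local, site, domain, and OU scopes in that order, applies link order within a level, drops security-filtered and blocked GPOs, and runs Enforced links last (innermost scope first, so the highest enforced GPO wins). The GPO names, wallpaper paths, the "Sales Staff" group, and the setting names are all made up for the desktop-background scenario.

```python
"""Toy resolver for Group Policy precedence: local -> site -> domain -> OU order,
link order within a level, Enforced links, Block Inheritance and security-group
filtering.  Constructed for illustration; it is not Microsoft's client-side engine."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                  # only the settings this GPO actually defines
    # Security filtering: the user or computer must belong to at least one of
    # these groups (stands in for Read + Apply Group Policy on the GPO's ACL).
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Scope:
    name: str
    kind: str                       # "local", "site", "domain" or "ou"
    # (gpo, enforced) pairs in link-order precedence: index 0 is link order 1.
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(scopes, groups):
    """scopes is the path local -> site -> domain -> parent OU ... -> the object's
    own OU.  Returns (effective settings, names of the GPOs applied, in order)."""
    groups = frozenset(groups)
    # Block Inheritance on a scope drops the non-enforced links of every scope
    # above it.  The local GPO is not an AD link, so it is always processed.
    blocked_below = -1
    for i, scope in enumerate(scopes):
        if scope.block_inheritance:
            blocked_below = i
    normal, enforced_per_scope = [], []
    for i, scope in enumerate(scopes):
        enforced_here = []
        # Link order 1 has the highest precedence within a level, so it must be
        # processed last: walk the links from the bottom of the list upward.
        for gpo, enforced in reversed(scope.links):
            if not (gpo.apply_to & groups):
                continue            # security filtering removes this GPO
            if enforced:
                enforced_here.append(gpo)
            elif scope.kind == "local" or i >= blocked_below:
                normal.append(gpo)
        enforced_per_scope.append(enforced_here)
    # Enforced GPOs run after every non-enforced one, innermost scope first, so
    # among several enforced GPOs the one highest in the hierarchy wins.
    order = normal + [g for lvl in reversed(enforced_per_scope) for g in lvl]
    effective = {}
    for gpo in order:
        effective.update(gpo.settings)   # Not Configured items leave earlier values alone
    return effective, [g.name for g in order]


def sales_user_scenario(domain_enforced=False, block_on_ou=False,
                        groups=("Authenticated Users", "Sales Staff")):
    """The desktop-background example: a domain GPO and a Sales OU GPO that
    disagree on the wallpaper.  Names, paths and values are made up."""
    local = Scope("Local", "local",
                  [(GPO("Local Policy", {"ScreenSaverTimeout": 600}), False)])
    site = Scope("Default-First-Site-Name", "site")      # no site-level GPOs
    domain = Scope("smallbusiness.local", "domain", [
        (GPO("Corporate Desktop", {"Wallpaper": r"\\server\wallpaper\corp.bmp",
                                   "HomePage": "http://companyweb"}),
         domain_enforced),
    ])
    sales_ou = Scope("Sales", "ou", [
        (GPO("Sales Desktop", {"Wallpaper": r"\\server\wallpaper\sales.bmp",
                               "HideRunMenu": True},
             apply_to=frozenset({"Sales Staff"})), False),
    ], block_inheritance=block_on_ou)
    return resolve([local, site, domain, sales_ou], groups)


if __name__ == "__main__":
    for kwargs in ({}, {"domain_enforced": True}, {"block_on_ou": True},
                   {"block_on_ou": True, "domain_enforced": True}):
        settings, order = sales_user_scenario(**kwargs)
        print(kwargs, order, settings.get("Wallpaper"))
```

Run it and compare the four cases: without Enforced the Sales OU wallpaper wins; with the domain link Enforced the corporate wallpaper wins while HideRunMenu (undefined in the domain GPO) is still set by the OU GPO, which is exactly the point of the note above; Block Inheritance on the Sales OU removes the non-enforced domain GPO (HomePage disappears) but not the local policy or an Enforced domain link; and a user outside the "Sales Staff" group never receives the Sales GPO at all. On a real domain the same questions are answered by gpresult /r on the client or the Group Policy Results wizard in GPMC.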





Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253