So far, we've joined our client computers to our domain. They can access the shares they have permissions to, and are denied access to folders in which they have none. But we can do more. Imagine the following scenario, using our three departments of Marketing, Art, and Accounting:
The Art department in the East Wing develops custom themes for Windows XP. They need to test these themes on a variety of hardware configurations to make sure that video performance and visual aesthetics work in harmony with each other. They therefore need to be able to constantly alter the look and feel of their computers. However, we want to keep its members out of the "guts" of Windows (Registry Editor, the command prompt, and Add/Remove Programs).
Our Marketing department in the South Wing has the opposite requirements from the Art department. They need access to the inner workings of their systems through programs such as the Registry Editor, but they do not need to adjust the appearance of their systems with desktop themes.
Our Accounting department in the North Wing needs to be securely locked down; its members need only the bare essentials.
In all departments, we need to brand all Internet Explorer windows with our company's name and logo.
So how can we force these departments' computers to take on the attributes described here? This is done with Group Policy Objects (GPOs). A GPO is a named collection of settings that governs the configuration and behavior of computers and users in an Active Directory domain. Because the settings are delivered from the domain and reapplied at refresh time, a user without administrative rights cannot simply undo them on the local machine. Simply put, it's centralized client management.
GPOs can be linked using Active Directory Users and Computers (recall that we've already used this console when creating our OUs, users, and groups) or Active Directory Sites and Services, discussed in the next chapter. You may link a number of GPOs in the same domain, and they follow an inheritance model similar to NTFS permissions. In Active Directory Users and Computers, GPOs are processed from the top of the tree down, with each child object inheriting the settings linked to its parents; where two GPOs set the same value, the one linked closest to the object (processed last) wins. For example, our South Wing OU contains three sub-OUs named Users, Groups, and Shared Folders. If we link a GPO to the parent OU South Wing, all three sub-OUs (and their contents) inherit South Wing's GPO settings, as shown here:
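The following script is an added example, not part of the original text, and scripts in PowerShell what the text does by hand in the Active Directory Users and Computers console: it builds the Art department's lockdown GPO, links it to the East Wing OU, and then asks each child OU what it inherits. It uses the GroupPolicy module (RSAT / Windows Server 2008 R2 and later), which postdates the console described above. The domain name, the GPO name, and the assumption that East Wing has the same Users, Groups, and Shared Folders sub-OUs as South Wing are illustrative only.

```powershell
# Added example, not from the original text. Requires the GroupPolicy module
# (RSAT / Windows Server 2008 R2 and later). Domain name, OU layout and GPO
# name are assumptions for illustration.
Import-Module GroupPolicy

$domainDN = 'DC=example,DC=local'                      # assumed domain
$eastWing = "OU=East Wing,$domainDN"                   # the Art department's OU
$childOUs = 'Users', 'Groups', 'Shared Folders' |
    ForEach-Object { "OU=$_,$eastWing" }               # assumed to mirror South Wing

# 1. Create the GPO. It applies to nothing until it is linked in step 3.
$gpo = New-GPO -Name 'Art Dept Lockdown' `
    -Comment 'Hide Registry Editor, cmd.exe and Add/Remove Programs'

# 2. Populate it with the registry values behind three Administrative
#    Template policies. They are HKCU keys, so they land in the User
#    Configuration half of the GPO and follow the user, not the machine.
$policies = @(
    # User Configuration > Administrative Templates > System >
    #   "Prevent access to registry editing tools"
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'DisableRegistryTools'; Value = 1 },
    # ... > System > "Prevent access to the command prompt".
    #   2 hides cmd.exe but still allows batch files (logon scripts keep
    #   working); 1 would block script processing as well.
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'
       ValueName = 'DisableCMD'; Value = 2 },
    # ... > Control Panel > Add or Remove Programs >
    #   "Remove Add or Remove Programs"
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
       ValueName = 'NoAddRemovePrograms'; Value = 1 }
)
foreach ($p in $policies) {
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $p.Key `
        -ValueName $p.ValueName -Type DWord -Value $p.Value | Out-Null
}

# 3. Link the GPO to the parent OU only. Nothing is linked to the children.
New-GPLink -Name $gpo.DisplayName -Target $eastWing -LinkEnabled Yes | Out-Null

# 4. Check inheritance from each child OU's point of view. InheritedGpoLinks
#    lists every link the OU receives from above, in processing order.
foreach ($ou in $childOUs) {
    $inh = Get-GPInheritance -Target $ou
    "{0} (inheritance blocked: {1})" -f $ou, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}
```

Each child OU should list "Art Dept Lockdown" among its inherited links even though the link was created one level up. To confirm on a client, log on as an Art user, run `gpupdate /force`, and then `gpresult` (Windows XP) or `gpresult /r` (Windows Vista and later); the "Applied Group Policy Objects" section should name the GPO. Two things break this picture and are worth checking when a setting does not land: a child OU can have Block Inheritance set (`Set-GPInheritance -Target $ou -IsBlocked Yes`), which stops links from flowing down, and a link can be marked Enforced (`Set-GPLink -Name $gpo.DisplayName -Target $eastWing -Enforced Yes`), which overrides such a block. Note also that these three policies hide tools from the user's shell; they are not a privilege boundary, so the Accounting department's "securely locked down" requirement still rests on non-administrative accounts and NTFS permissions underneath.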