What is a group policy?

Monday, August 24, 2009

The Microsoft Windows 2003 Active Directory glossary states that a group policy “refers to applying policy to groups of computers and/or users contained within Active Directory containers. The type of policy includes not only registry-based policy found in Windows NT Server 4.0, but is enabled by Directory Services to store many types of policy data, for example: file deployment, application deployment, logon/logoff scripts and startup/shutdown scripts, domain security, Internet Protocol security (IPSec), and so on. The collections of policies are referred to as Group Policy objects (GPOs).”
A group policy object (GPO) is defined as “a virtual collection of policies. It is given a unique name, such as a globally unique identifier (GUID). GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects). The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located on the system volume folder of the domain controller. A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.”
A GPO is broken into two major sections, the Computer Configuration and the User Configuration. The Computer Configuration holds policies that are relevant only to the machine itself. The Computer Configuration can control printers, network settings, Startup and Shutdown scripts. One of the more useful policies based under the Computer Configuration setting is the loopback policy, which allows User Configurations policies to be applied to a computer, regardless of the user (unless the user is denied the GPO). Under the
User Configuration, logon and logoff scripts can be configured, folders can be redirected, and security settings can be tweaked.