Group Policy
Encyclopedia
Group Policy is a feature of the Microsoft Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...

 family of operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...

s. Group Policy is a set of rules that control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....

environment. In other words, Group Policy in part controls what users can and cannot do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses, and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager
Windows Task Manager
Windows Task Manager is a task manager application included with the Microsoft Windows NT family of operating systems that provides detailed information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and...

, restrict access to certain folders, disable the downloading of executable files, and so on.

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection
Folder redirection
In computing, and specifically in the context of Microsoft Windows operating systems, Microsoft refers to Folder Redirection when automatically re-routing I/O to/from standard folders to use storage elsewhere on a network...

, and offline files.

Group Policy Objects do not necessarily need Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....

; Novell
Novell
Novell, Inc. is a multinational software and services company. It is a wholly owned subsidiary of The Attachmate Group. It specializes in network operating systems, such as Novell NetWare; systems management solutions, such as Novell ZENworks; and collaboration solutions, such as Novell Groupwise...

 has supported roaming profiles since Windows 2000 with their ZENworks Desktop Management software package, and starting with Windows XP also supports group policy objects.

Overview

Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation is a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification...

 (WMI) filtering
is the process of customizing the scope of the GPO by choosing a WMI filter to apply.

GPO (Group Policy Object) refresh

The Group Policy client will refresh the policy settings for workstations and servers on a "pull" model - every 90 minutes (by default) (Domain Controllers every 5 minutes) with a random +30 min offset. During this refresh period it will collect the list of GPOs appropriate to the machine and logged on user (if any). The Group Policy client will then apply those GPOs that will thereafter affect the behavior of policy-enabled operating system components. Some settings, however, are only applied during reboot and/or logon of the user to the computer (e.g. Software Installation for computers and drive mapping for users).

Since Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...

, a refresh of the group policy can be manually initiated by the user using the "gpupdate" command from a command prompt.

Local Group Policy

Local Group Policy (LGP) is a more basic version of the Group Policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure the Group Policy for a single local computer, but unlike Active Directory Group Policy, can not make policies for individual users or groups. It also has far fewer options overall than Active Directory Group Policy. The specific-user limitation can be overcome by using the Registry Editor
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...

 to make changes under the HKCU or HKU keys. LGP simply makes registry changes under the HKLM key, thus affecting all users. The same changes can be made under HKCU or HKU to only affect certain users. Microsoft has more information on using the Registry Editor to configure Group Policy available on TechNet
Microsoft TechNet
Microsoft TechNet is a Microsoft program and resource for technical information, news, and events for IT professionals. Along with a website, they also produce a monthly subscription magazine titled "TechNet Magazine"....

. LGP can be used on a computer on a domain, and it can be used on Windows XP Home Edition.

Windows Vista supports Multiple Local Group Policy objects (MLGPO), which allows setting local Group Policy for individual users.

Processing order for policy settings

Group policies are processed in the following order:
  1. Local Group Policy objects - This applies to any settings in the computer's local policy (accessed by running gpedit.msc). Previous to Windows Vista, there was only one local group policy stored per computer. There are now individual group policies settable per account of a Windows Vista and 7 machine.
  2. Site - Next, the computer processes any group policies that are applied to the site the computer is currently in. If multiple policies are linked to a site, these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence.
  3. Domain - Any policies applied at the domain level (default domain policy) are processed next. If multiple policies are linked to a domain, these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence.
  4. Organizational Unit - Last, group policies assigned to the organizational unit that contains the computer or user are processed. If multiple policies are linked to an organizational unit, these are processed in the order set by the administrator using the Linked Group Policy Objects tab, policies with the lowest link order are processed last and have the highest precedence.

  • Inheritance - Inheritance can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates a policy that has inheritance blocked by a lower level administrator (domain administrator), this policy will still be processed.


Where a Group Policy Preference Settings is configured and there is also an equivalent Group Policy Setting configured, then the value of the Group Policy Setting will take precedence.

Group Policy Preferences

They are a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.

Group Policy Preferences adds a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control the application of these setting items.

Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003, and Windows Vista with the addition of the Client Side Extensions (also known as CSE).
Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2
Windows Server 2008 R2
Windows Server 2008 R2 is a server operating system produced by Microsoft. It was released to manufacturing on July 22, 2009 and launched on October 22, 2009. According to the Windows Server Team blog, the retail availability was September 14, 2009. It is built on Windows NT 6.1, the same core...

.

Group Policy Management Console

Originally, Group Polices were modified using the Group Policy Edit tool that was integrated with Active Directory Users and Computers Microsoft Management Console
Microsoft Management Console
Microsoft Management Console is a component of Windows 2000 and its successors that provides system administrators and advanced users an interface for configuring and monitoring the system.- Snap-ins and consoles :...

 (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2
Windows Server 2008 R2
Windows Server 2008 R2 is a server operating system produced by Microsoft. It was released to manufacturing on July 22, 2009 and launched on October 22, 2009. According to the Windows Server Team blog, the retail availability was September 14, 2009. It is built on Windows NT 6.1, the same core...

 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...

 and Windows 7.

Advanced Group Policy Management

Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

 has also released a tool to make changes to Group Policy called Advanced Group Policy Management (a.k.a. AGPM). This tool available for any organisation that has licensed the Microsoft Desktop Optimization Pack
Microsoft Desktop Optimization Pack
Microsoft Desktop Optimization Pack is a suite of utilities for Microsoft Windows customers who have subscribed to Microsoft Software Assurance program...

 (a.k.a. MDOP). This advanced tool allows administrators to have a check in/out process for modification Group Policy Objects, track changes to Group Policy Objects, and implement approval workflows for changes to Group Policy Objects.

To use this software you must license all of your Windows Active Directory clients for MDOP.

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function without disabling lower-level means of accessing it.

Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.

See also

  • Group Policy improvements in Windows Vista
  • Administrative Templates

External links

General information

Lists of Group Policy settings and (where applicable) registry equivalents
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK