Group Policy

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Jeronim (talk | contribs) at 01:13, 30 January 2006 (→‎External links: removing scriptlogic advertisement). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Group Policy is part of Microsoft's IntelliMirror technology, which aims to reduce the overall cost of supporting users of Windows. Group Policy provides centralised management of computers and users in an Active Directory environment.

Group Policy can control a target object's (user or computer) registry (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER), registry and NTFS security, audit and security policy, software installation, logon/logoff scripts, folder redirection, and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs). Each GPO may be linked to multiple sites, domains or organizational units. In this way, potentially thousands of machines or users can be updated via a simple change to a single GPO. This reduces the administrative burden and costs associated with managing these resources.

User and computer objects may only exist once in the Active Directory but often fall into the scope of several GPOs. The user or computer object applies each applicable GPO. Conflicts between GPOs are resolved at a per-attribute level.
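
The per-attribute conflict resolution described above, sketched as an added example that is not part of the original article. It assumes the standard processing order (site, then domain, then OU, with the last GPO to define a setting winning) and ignores enforcement and inheritance blocking; all GPO names, setting names and values are constructed.

```python
# Added illustration: a simplified model of per-setting GPO conflict resolution.
# Assumption: GPOs are processed site -> domain -> OU, and a later GPO overrides
# an earlier one only for the settings it actually defines. Enforcement
# ("No Override") and inheritance blocking are not modelled.

SCOPE_ORDER = ["site", "domain", "ou"]  # processing order, lowest precedence first


def resultant_policy(linked_gpos):
    """Return {setting: (value, winning_gpo)} for GPOs in scope of one object.

    linked_gpos: list of (scope, gpo_name, settings_dict) tuples.
    """
    unknown = {scope for scope, _, _ in linked_gpos} - set(SCOPE_ORDER)
    if unknown:
        raise ValueError(f"unknown link scope(s): {sorted(unknown)}")

    # Stable sort keeps the caller's order for GPOs linked at the same scope.
    ordered = sorted(linked_gpos, key=lambda g: SCOPE_ORDER.index(g[0]))
    result = {}
    for _, name, settings in ordered:
        for setting, value in settings.items():
            result[setting] = (value, name)  # later GPO wins, setting by setting
    return result


def overridden(linked_gpos):
    """List (setting, losing_gpo, losing_value) for values that did not take effect."""
    final = resultant_policy(linked_gpos)
    return [
        (setting, name, value)
        for _, name, settings in linked_gpos
        for setting, value in settings.items()
        if final[setting][1] != name
    ]


# Constructed sample data: GPO names and setting names are hypothetical.
SAMPLE = [
    ("ou", "Kiosk Lockdown", {"ScreenSaverTimeout": 300}),
    ("domain", "Domain Baseline", {"MinPasswordLength": 12, "ScreenSaverTimeout": 900}),
    ("site", "Branch Office", {"ProxyServer": "proxy.example.test:8080"}),
]

if __name__ == "__main__":
    for setting, (value, gpo) in sorted(resultant_policy(SAMPLE).items()):
        print(f"{setting} = {value!r}  (from {gpo})")
    print("Overridden:", overridden(SAMPLE))
```

The `overridden` list is the part worth reviewing when auditing security settings: it shows which GPO's value was silently superseded by one linked closer to the object.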

Group Policy is also used as the basis for management of a group of technologies, referred to as IntelliMirror. These technologies relate to management of disconnected machines or roaming users and include Roaming User Profiles, Folder Redirection and Offline Folders.

Group Policies are analysed and applied at startup for computers and during logon for users. The client machine also periodically refreshes most of the Group Policy settings (every 90-120 minutes, although this number is configurable as a GP setting).

Group Policy is supported on Windows 2000, Windows XP (Professional) and Windows Server 2003.

Group Policy Extensions

Group Policy supports the concept of a Client Side Extension (CSE). These are extensions to the Group Policy framework that provide specific functionality to the Group Policy administrator (for the most part, CSEs are transparent to the administrator since the GPMC and GPEdit merge them into a unified "namespace"). The following extensions are supplied with the operating system:

  • Administrative Templates extension - for the modification of registry keys
  • Software installation extension - the centralized management of software
  • Security extension - control of security policy
  • Internet Explorer Maintenance - management of Internet Explorer
  • Scripts extension - invocation of machine and user scripts

The Three Phases of Using Group Policy

Group Policy can be considered in three distinct phases - GPO creation, targeting of the GPO and application of the GPO.

Creating and Editing GPOs

GPOs are created and edited through two tools - the Group Policy Object Editor (GPEdit) and the freely downloadable Group Policy Management Console (GPMC). GPEdit is used to create and edit single Group Policy Objects one at a time. Prior to GPMC, administrators wanting to document or inventory previously deployed GPOs had to use Active Directory Users and Computers (ADUC) to interrogate each organisational unit one right-click at a time. The GPMC enhances GPO management by providing 'big picture' tools for group policies. GPMC provides GPO settings summarisation, a simplified security pane for group filtering, GPO backup/restoration/cloning and more within a GUI that mimics ADUC. Editing a GPO from within GPMC still launches GPEdit.

Targeting GPOs

After a GPO has been created it can be linked to an Active Directory site, domain or OU. It is most common for GPOs to be linked to OUs.

GPO Application

The Group Policy client operates on a "pull" model - every so often (a randomized delay of between 90 and 120 minutes, although this delay is configurable via Group Policy) it will collect the list of GPOs appropriate to the machine and logged-on user (if any). The Group Policy client will then apply those GPOs, which will thereafter affect the behavior of policy-enabled operating system components and applications.