Group Policy overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy overview

To begin using Group Policy immediately, see Ways to open Group Policy Object Editor.

Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage, for example, the programs that are available to users, the programs that appear on the user's desktop, and options for the Start menu. To create a specific desktop configuration for a particular group of users, use Group Policy Object Editor. Group Policy settings that you specify are contained in a Group Policy object, which is in turn associated with selected Active Directory® objects--sites, domains, or organizational units.

Group Policy applies not only to users and client computers, but also to member servers, domain controllers, and any other Microsoft® Windows® 2000 computers within the scope of management. By default, Group Policy that is applied to a domain (that is, applied at the domain level, just above the root of Active Directory Users and Computers) affects all computers and users in the domain. Active Directory Users and Computers also provides a built-in Domain Controllers organizational unit. If you keep your domain controller accounts there, you can use the Group Policy object Default Domain Controllers Policy to manage domain controllers separately from other computers.

Group Policy includes policy settings for User Configuration, which affect users, and for Computer Configuration, which affect computers. For more information, see User Configuration and Computer Configuration.

With Group Policy you can do the following:

• Manage registry-based policy with Administrative Templates. Group Policy creates a file that contains registry settings that are written to the User or Local Machine portion of the registry database. User profile settings that are specific to a user who logs on to a given workstation or server are written to the registry under HKEY_CURRENT_USER (HKCU), and computer-specific settings are written under HKEY_LOCAL_MACHINE (HKLM). For procedural information, see Use Administrative Templates. For technical details, see "Implementing Registry-based Policy" at the Microsoft Web site.

• Assign scripts. This includes such scripts as computer startup, shutdown, logon, and logoff. For more information, see Use Startup, Shutdown, Logon, and Logoff Scripts.

• Redirect folders. You can redirect folders, such as My Documents and My Pictures, from the Documents and Settings folder on the local computer to network locations. For more information about Folder Redirection, see Use Folder Redirection.

• Manage applications. With Group Policy you can assign, publish, update, or repair applications by using Group Policy Software Installation. For more information, see Use Group Policy Software Installation.

• Specify security options. To learn about setting security options, see Security Settings extension to Group Policy.

Group Policy objects that exist by default

Each computer that runs Windows 2000, Microsoft® Windows® XP Professional , or Windows Server 2003 operating systems has exactly one Group Policy object stored locally. This local Group Policy object contains a subset of the settings that are available in nonlocal Group Policy objects. For more information, see Local Group Policy.

By default, when Active Directory is set up, two nonlocal Group Policy objects are created:

• Default Domain Policy is linked to the domain, and it affects all users and computers in the domain (including computers that are domain controllers) through policy inheritance. For more information, see Policy inheritance.

• Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, and it generally only affects domain controllers, because computer accounts for domain controllers are kept exclusively in the Domain Controllers organizational unit.

Caution

• If you move a domain controller outside of the Domain Controllers organizational unit, the default Domain Controllers policy is no longer applied. If you need to keep a domain controller in a different organizational unit, link the default Domain Controllers policy to that organization unit.

How and when Group Policy is applied

To view a detailed chronology for the application of policy, see Order of events when starting up and logging on.

User and computer policy

User policy settings are located under User Configuration in Group Policy, and they are obtained when a user logs on. Computer policy settings are located under Computer Configuration, and they are obtained when a computer starts. For more information, see User Configuration and Computer Configuration.

Users and Computers are the only types of Active Directory objects that receive policy. Specifically, policy does not apply to security groups. Instead, for performance reasons, security groups are used to filter the policy by means of an Apply Group Policy access control entry (ACE), which can be set to Allow or Deny or left unconfigured. For more information, see Filter the scope of Group Policy according to security group membership.

Order of application

Policies are applied in this order:

1. The unique local Group Policy object.

2. Site Group Policy objects, in administratively specified order.

3. Domain Group Policy objects, in administratively specified order.

4. Organizational unit Group Policy objects, from largest to smallest organizational unit (parent to child organizational unit) and in administratively specified order at the level of each organizational unit.

For more information, see Order of processing settings.

By default, policies that are applied later overwrite previously applied policies when the policies are inconsistent. If the policies are not inconsistent, however, earlier and later policies both contribute to the effective policy. For more information, see Group Policy Precedence.

Filtering policy by security group membership

A security group ACE on a Group Policy object can be set to Not configured (no preference), Allowed, or Denied. Denied takes precedence over Allowed. For more information, see Filter the scope of Group Policy according to security group membership.

Blocking policy inheritance

Policies that would otherwise be inherited from higher sites, domains, or organizational units can be blocked at the site, domain, or organizational unit level. For more information, see Block policy inheritance.

Enforcing policy from above

You can set policies that would otherwise be overwritten by policies in child organizational units to No Override at the Group Policy object level. For more information, see Prevent a Group Policy object from being overridden.

Notes

• Policies set to No Override cannot be blocked.

• The No Override and Block options should be used sparingly. Casual use of these advanced features complicates troubleshooting. For tips about using Group Policy, see Troubleshooting Group Policy and Group Policy Best Practices (pre-GPMC).