Group Policy objects overview for GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy objects

Policy settings are stored in Group Policy objects (GPOs). Settings for each GPO are edited using the Group Policy Object Editor. After installation of the Group Policy Management Console (GPMC), Group Policy Object Editor is usually opened from GPMC. For information about Group Policy Object Editor, see Group Policy object editor overview for GPMC. For information about GPMC, see Group Policy Management Console Overview.

There are two kinds of GPOs:

  • Active Directory-based GPOs. These are stored in a domain and replicate to all the domain controllers for the domain. They are available only in an Active Directory environment. They apply to users and computers in a site, domain, or organizational unit to which the Group Policy object is linked. This is the primary mechanism through which Group Policy is used in an Active Directory environment.

  • Local GPOs. There is just one local GPO stored on each computer. Local GPOs are the least influential GPOs in an Active Directory environment, and local GPOs have only a subset of the settings found in Active Directory-based GPOs. For information about local GPOs, see Local Group Policy objects overview for GPMC.

Active Directory-based GPOs

Active Directory-based GPOs can be linked to a domain, site, or organizational unit to apply their settings.

A GPO can be linked to more than one site, domain or organizational unit.

A site, domain or organizational unit can have more than one GPO linked to it. In that case there are rules that determine which settings prevail when they conflict. See Group Policy processing and precedence for information about these rules. When multiple GPOs are linked to a particular site, domain, or organizational unit, you can set the link order and therefore the precedence with which these GPOs are applied: the GPO with the highest link order number is applied first and the GPO with link order 1 is applied last. By default, the last applied configured setting wins. Across containers, settings are applied in this order: Local, Site, Domain, and organizational unit. For example, suppose Add Logoff to the Start Menu were configured in GPOs as follows:

GPO                               Add Logoff to the Start Menu
The local GPO                     Disabled
Site-linked GPO                   Not Configured
Domain-linked GPO                 Disabled
Organizational unit-linked GPOs   Enabled for the first applied GPO (link order 2), and Not Configured for the second applied GPO (link order 1)

In that case Enabled wins, because the organizational unit-linked GPO with link order 2 is the last GPO applied that actually configures the setting, and Logoff will appear on the user's Start menu.

GPMC introduces support for copy, import, backup, and restore of GPOs. See Back Up, Restore, Copy, and Import and Backup, Restore, Import, Copy, and Migration Tables for information about GPMC support for these tasks.

For information on modifying the scope of a GPO, see Controlling the Scope of Group Policy Objects using GPMC.

User settings and computer settings

GPO settings are divided between User Configuration, which holds settings that are applied to users when they log on, and Computer Configuration, which holds settings that are applied to computers when they start up (boot). Most settings are found in only one section, but a few, like Run logon scripts synchronously, are found in both. If a setting is configured in both sections and the values conflict, the computer setting is used.

User Configuration and Computer Configuration are further subdivided into a customizable set of MMC extensions to Group Policy. To learn about the default extensions, see Group Policy Object Editor Extensions.

Changing the status of a GPO

The status of a GPO is Enabled by default. It can be changed to User settings disabled, which disables the whole User Configuration of the GPO; Computer settings disabled, which disables the whole Computer Configuration of the GPO; or All settings disabled, which disables the entire GPO. When a client computer processes a GPO, the disabled portions of the GPO are not evaluated.

Status is a property of the GPO itself, not of a link. When you change the status of a GPO, every site, domain and organizational unit that gets policy from the GPO is affected. Disabling a GPO is therefore more far-reaching than disabling one of its links.

Notes

  • Enforced (previously known as "No Override") on a GPO link takes precedence over Block Inheritance on a domain or organizational unit: an Enforced link from a parent container still applies below a container that blocks inheritance.

  • If you turn on Enforced and turn off Link Enabled for a GPO link, the GPO does not apply. Enforced affects only precedence; a disabled link is never processed.

  • Block Inheritance affects only GPOs inherited from parent containers. It does not deflect settings from GPOs that are linked directly to the domain or organizational unit on which Block Inheritance is set.
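As an added illustration (Python, not part of this page or of GPMC), the following toy model encodes the precedence rules described above and in these notes: the Local, Site, Domain, organizational unit processing order, link order within a container, GPO status, Enforced links and Block Inheritance. It also applies one standard rule this page does not spell out, namely that when several Enforced links are in effect the one nearest the root (domain before organizational unit) wins, and it models the local GPO as always processed, since it is not inherited from a parent container. All names (Gpo, Container, Link, resolve, the "OU GPO A"/"OU GPO B" objects) are hypothetical and the hierarchy is constructed for the example; it reproduces the Add Logoff to the Start Menu case above and lets you try variations such as blocking inheritance on the organizational unit or disabling the user half of a GPO.

```python
"""Toy model of Group Policy precedence for one policy setting (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NOT_CONFIGURED = "Not Configured"


@dataclass
class Gpo:
    name: str
    user: Dict[str, str] = field(default_factory=dict)      # User Configuration settings
    computer: Dict[str, str] = field(default_factory=dict)  # Computer Configuration settings
    # Enabled | UserSettingsDisabled | ComputerSettingsDisabled | AllSettingsDisabled
    status: str = "Enabled"

    def value_for(self, setting: str, section: str) -> str:
        """Configured value for one setting; disabled halves of the GPO are not evaluated."""
        if self.status == "AllSettingsDisabled":
            return NOT_CONFIGURED
        if section == "user":
            if self.status == "UserSettingsDisabled":
                return NOT_CONFIGURED
            return self.user.get(setting, NOT_CONFIGURED)
        if self.status == "ComputerSettingsDisabled":
            return NOT_CONFIGURED
        return self.computer.get(setting, NOT_CONFIGURED)


@dataclass
class Link:
    gpo: Gpo
    order: int              # link order as shown in GPMC: 1 is applied last and so wins
    enabled: bool = True    # Link Enabled
    enforced: bool = False  # Enforced (No Override)


@dataclass
class Container:
    name: str                  # a site, domain or organizational unit
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local: Optional[Gpo], chain: List[Container]) -> List[Gpo]:
    """GPOs in the order a client applies them; chain runs from site down to the target OU."""
    # Block Inheritance discards non-enforced links from every container above the one
    # that blocks, but not that container's own links. Only the deepest block matters.
    blocked_below = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal: List[Gpo] = []
    enforced_by_container: List[List[Gpo]] = []
    for depth, container in enumerate(chain):
        enforced_here: List[Gpo] = []
        # Higher link-order numbers are applied first so that link order 1 is applied last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled:
                continue  # a disabled link never applies, Enforced or not
            if link.enforced:
                enforced_here.append(link.gpo)
            elif depth < blocked_below:
                continue  # inherited and not enforced: deflected by Block Inheritance
            else:
                normal.append(link.gpo)
        enforced_by_container.append(enforced_here)
    # Enforced links are applied after all others; among them the one nearest the root
    # is applied last and therefore takes precedence.
    enforced = [g for group in reversed(enforced_by_container) for g in group]
    return ([local] if local else []) + normal + enforced


def resolve(setting: str, section: str, local: Optional[Gpo], chain: List[Container]) -> str:
    """Resolve one setting: the last applied GPO that configures it wins."""
    value = NOT_CONFIGURED
    for gpo in processing_order(local, chain):
        v = gpo.value_for(setting, section)
        if v != NOT_CONFIGURED:
            value = v
    return value


def build_page_example():
    """The Add Logoff to the Start Menu layout from the text (constructed objects)."""
    setting = "Add Logoff to the Start Menu"
    local = Gpo("Local", user={setting: "Disabled"})
    site = Container("Site", [Link(Gpo("Site GPO"), order=1)])
    domain = Container("Domain", [Link(Gpo("Domain GPO", user={setting: "Disabled"}), order=1)])
    ou = Container("OU", [
        Link(Gpo("OU GPO B", user={setting: "Enabled"}), order=2),  # applied first
        Link(Gpo("OU GPO A"), order=1),                              # applied last, Not Configured
    ])
    return setting, local, [site, domain, ou]


def page_example() -> str:
    setting, local, chain = build_page_example()
    return resolve(setting, "user", local, chain)


if __name__ == "__main__":
    setting, local, chain = build_page_example()
    print([g.name for g in processing_order(local, chain)])
    print(page_example())
```

Setting block_inheritance=True on the OU in build_page_example leaves the result at Enabled (the domain's Disabled is deflected, the OU's own link is not), while marking the domain link enforced=True flips it to Disabled even with the block in place, which is the first note above in executable form.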

Default permissions on GPOs

The default permissions on Group Policy objects are shown in the following table.

Security group                  Default permissions as shown in GPMC
Authenticated Users             Security Filtering on GPO Scope tab; "Read (from Security Filtering)" on Delegation tab
SYSTEM                          Edit settings, delete, modify security
Domain Admins                   Edit settings, delete, modify security
Enterprise Admins               Edit settings, delete, modify security
ENTERPRISE DOMAIN CONTROLLERS   Read

Note

  • The ENTERPRISE DOMAIN CONTROLLERS group is not granted any permissions on GPOs in a pure Windows 2000 forest that does not have the Windows Server 2003 schema.

The special Group Policy objects Default Domain Policy and Default Domain Controllers Policy cannot be deleted, even by the groups that hold the delete permission. The purpose of this restriction is to prevent the accidental deletion of these Group Policy objects, which contain important and required settings for the domain.

See Also

Concepts

Create or delete a Group Policy object
Copy a Group Policy object using GPMC
Control Group Policy Object Scope