What Is Group Policy Object Editor?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group Policy Object Editor is a Microsoft Management Console (MMC) snap-in used for configuring and modifying Group Policy settings within Group Policy objects (GPOs).
Administrators need to be able to quickly modify Group Policy settings for multiple users and computers throughout a network environment. The Group Policy Object Editor provides administrators with a hierarchical tree structure for configuring Group Policy settings in GPOs. These GPOs can then be linked to sites, domains, and organizational units (OUs) containing computer or user objects.
Group Policy Object Editor consists of two main sections: User Configuration, which holds settings that are applied to users (at logon and periodic background refresh), and Computer Configuration, which holds settings that are applied to computers (at startup and periodic background refresh). These sections are further divided into the different types of policies that can be set, such as Administrative Templates, Security, or Folder Redirection.
To work efficiently, administrators need to have immediate access to information about the function and purpose of individual policy settings. For Administrative Templates policy settings, Group Policy Object Editor provides information about each policy setting directly in the Web view of the console. This information is called explain text. Explain text shows operating system requirements, defines the policy setting, and includes any specific details about the effect of enabling or disabling the policy setting.
In addition, developers should be able to quickly and easily add Group Policy support to their software products. The Group Policy Object Editor is designed to be extensible. The easiest way for developers to extend Group Policy Object Editor for their applications is to write custom Administrative Template files that “plug in” to Group Policy Object Editor.
Group Policy Object Editor Core Scenarios
There are two core scenarios for Group Policy Object Editor: editing GPOs, and extending the user interface (UI) to accommodate new applications or features. Both of these scenarios are described in detail in the following sections.
Editing Group Policy Objects
Group Policy Object Editor is the primary tool used for configuring policy settings within a GPO. Group Policy Object Editor operates as an extension to Group Policy Management Console (GPMC). When an administrator elects to edit a GPO from within GPMC, Group Policy Object Editor appears, displaying the settings for that particular GPO. If GPMC is not available, Group Policy Object Editor operates as an extension to Active Directory management tools, such as the Active Directory Users and Computers snap-in or the Active Directory Sites and Services snap-in. Regardless of the tool an administrator uses to call Group Policy Object Editor, the primary function of Group Policy Object Editor is to edit settings within GPOs.
In addition to editing Active Directory-based GPOs, Group Policy Object Editor can also edit the local Group Policy object (local GPO). There is a local GPO stored on each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, or Windows Server 2003, regardless of whether the computers are part of an Active Directory environment. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.
Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs.
Extending Group Policy Object Editor
The Group Policy Object Editor is designed so that it can be extended. This architecture enables developers to create applications and features that can be administered with Group Policy. All of the nodes in the Group Policy Object Editor are themselves MMC snap-in extensions. These extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer Maintenance. Extension snap-ins can in turn be extended. For example, the Security Settings snap-in includes several snap-in extensions.
Writing Group Policy extensions allows developers to use their own data store for policy settings, create a richer UI through the Group Policy Object Editor, or implement their own client-side processing for Group Policy. Developers can provide any one or all of the previous elements, or combine them with existing parts of the Group Policy infrastructure. For example, a developer could write a server-side extension snap-in to the Group Policy Object Editor that provides a UI on the server and a corresponding client-side extension that processes the data on the client. Alternatively, a developer could write only a client-side extension and allow an existing Group Policy Object Editor extension to provide the UI, or vice versa.
Extending Registry-Based Policy
Registry-based policy is the least complex method to implement policy, and for administrators, registry-based policy settings are easy to configure and deploy. In addition, registry-based policy settings managed through administrative template (.adm) files automatically support Resultant Set of Policy (RSoP) capabilities.
Registry-based policy settings work by modifying the registry on the client computer. They use the Administrative Templates node of Group Policy Object Editor for a UI, and the default client-side extension for registry-based policy to implement settings on the client. In addition to these components, registry-based policy settings also use an administrative template file. Written by the developer, an .adm file is a text file that specifies the registry-based policy that users modify through the Group Policy Object Editor. This file is then loaded into the Group Policy Object Editor. The Group Policy Object Editor displays the information contained in loaded .adm files as administrators navigate through the Administrative Templates node.
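The following added example (not part of the original page and not Microsoft code) embeds a constructed .adm file and parses it to show what each policy contributes: the editor section it appears under, its explain text, and the registry value it controls. The "Contoso App" policies, the SAMPLE_ADM text, and the parse_adm helper are hypothetical names chosen for illustration.

```python
import re
# Constructed sample .adm for a hypothetical "Contoso App"; not taken from the original page.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!Cat
  POLICY !!NoUpdate
    KEYNAME "Software\Policies\Contoso\App"
    EXPLAIN !!NoUpdate_Help
    VALUENAME "DisableAutoUpdate"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY !!Cat
  POLICY !!HideUI
    KEYNAME "Software\Policies\Contoso\App"
    EXPLAIN !!HideUI_Help
    VALUENAME "HideSettingsPage"
  END POLICY
END CATEGORY
[strings]
Cat="Contoso App"
NoUpdate="Turn off automatic updates"
NoUpdate_Help="Prevents the application from updating itself."
HideUI="Hide the Settings page"
HideUI_Help="Removes the Settings page from the application menu."'''
# CLASS selects the editor section and the registry hive the setting is written to.
CLASSES = {"MACHINE": ("Computer Configuration", "HKLM"), "USER": ("User Configuration", "HKCU")}

def parse_adm(text):
    """Return one dict per POLICY: section, hive, category, name, key, value, explain text."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^(\w+)="(.*)"\s*$', tail, re.M))
    def resolve(tok):  # "!!name" refers to an entry in the [strings] section
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok.strip('"')
    policies, cls, cat, cur = [], None, None, None
    for line in body.splitlines():
        kw, _, arg = line.strip().partition(" ")
        kw, arg = kw.upper(), arg.strip()
        if kw == "CLASS":
            cls = CLASSES[arg.upper()]
        elif kw == "CATEGORY":
            cat = resolve(arg)
        elif kw == "POLICY":
            cur = {"section": cls[0], "hive": cls[1], "category": cat, "name": resolve(arg)}
            policies.append(cur)
        elif kw == "END" and arg.upper() == "POLICY":
            cur = None
        elif cur is not None and kw in ("KEYNAME", "VALUENAME", "EXPLAIN"):
            cur[kw.lower()] = resolve(arg)
    return policies
```

Calling parse_adm(SAMPLE_ADM) returns two entries, one under Computer Configuration (written to HKLM) and one under User Configuration (written to HKCU), which is a quick way to review which registry values a template can change before it is loaded into a GPO.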
Group Policy Object Editor Dependencies
You must have edit rights on a GPO in order to open it in Group Policy Object Editor.