Group Policy Infrastructure and Mechanics

In this section you learn about Group Policy objects, the links through which they take effect, the snap-in you use to edit them, and the security groups you use to refine their scope.

Group Policy Objects and the Group Policy Snap-in

You can think of Group Policy objects as the documents associated with the Group Policy snap-in. This is somewhat analogous to the association of .doc files with Microsoft® Word, or .txt files with Notepad; however, the analogy is not perfect.

Changes to a Group Policy object are not deferred until an explicit Save is executed, but take place during the actual edit.

Note

You cannot open Group Policy objects in read-only mode.

You can link Group Policy objects to specific sites, domains, or organizational units, thus maximizing and extending the power of Active Directory. Data within Group Policy objects is evaluated by the affected clients, which exploit the hierarchical nature of Active Directory to determine precedence of Group Policy settings in cases of conflict.

Access to the Group Policy Snap-in

You create a non-local Group Policy object by using the Group Policy snap-in, either as an extension to Active Directory snap-ins, or as a stand-alone MMC console.

The most common route to the Group Policy snap-in is from Active Directory Users and Computers. This allows you to link Group Policy objects to domains or organizational units. You can also access Group Policy through Active Directory Sites and Services. This is how you link Group Policy objects to sites. From these two Active Directory consoles, Group Policy is accessible by means of a context menu. You right-click the site, domain, or organizational unit, point to Properties, and then click the Group Policy tab. For specific examples on how to create a Group Policy object, see Windows 2000 Help.

Filtering by Security Group Membership

You can filter the effects of Group Policy on computers and users by using membership in security groups and setting discretionary access control list (DACL) permissions. This implementation ensures faster processing of Group Policy objects than would otherwise be possible. Furthermore, by using security groups, you can limit who in your organization can create Active Directory links to Group Policy objects, as well as who has access to create and modify Group Policy objects.

For details, see "Using Security Groups to Filter and Delegate Group Policy" later in this chapter.
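
The following is an added example, not Microsoft code and not a Windows API: a simplified Python model of filtering and delegation by security group. It assumes a Group Policy object takes effect for a user or computer only when its DACL grants both Read and Apply Group Policy, that a deny entry overrides an allow entry, and that Write is the right needed to modify the object; all group, user, and object names are constructed.

```python
from dataclasses import dataclass

READ, APPLY, WRITE = "Read", "Apply Group Policy", "Write"

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # security group or user the entry names
    right: str    # READ, APPLY or WRITE

def granted(dacl, principals, right):
    """True if an entry allows the right and none denies it (simplified:
    deny always wins, inheritance and ACE ordering are ignored)."""
    hits = [a for a in dacl if a.trustee in principals and a.right == right]
    if any(a.kind == "deny" for a in hits):
        return False
    return any(a.kind == "allow" for a in hits)

def gpo_applies(dacl, principals):
    # Assumption: both rights are required before the client processes the object.
    return granted(dacl, principals, READ) and granted(dacl, principals, APPLY)

def filter_gpos(gpos, principals):
    """Names of the linked objects that survive security-group filtering."""
    return [name for name, dacl in gpos.items() if gpo_applies(dacl, principals)]

def can_edit(dacl, principals):
    """Delegation check: who is able to modify the object."""
    return granted(dacl, principals, WRITE)

# Constructed sample data: two objects linked to the same organizational unit.
GPOS = {
    "Desktop Lockdown": [
        Ace("allow", "Authenticated Users", READ),
        Ace("allow", "Authenticated Users", APPLY),
        Ace("deny", "Helpdesk Admins", APPLY),   # exempt one group
    ],
    "Finance Apps": [
        Ace("allow", "Authenticated Users", READ),
        Ace("allow", "Finance", APPLY),          # scope to one group
        Ace("allow", "GPO Editors", WRITE),      # delegated editing
    ],
}
ALICE = {"alice", "Authenticated Users", "Finance"}
BOB = {"bob", "Authenticated Users", "Helpdesk Admins"}
CAROL = {"carol", "Authenticated Users", "GPO Editors"}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(sorted(who), "->", filter_gpos(GPOS, who))
```

Reviewing the deny entries and the Write entries on each object is the quickest way to see who is exempt from a policy and who can change it.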