
Group Policy Infrastructure

Group Policy is a feature of Windows that enables you to manage change and configuration for users and computers from a central point of administration. Group policies are designed to simplify and centralize the configuration and management of Windows systems. There are two types of policy settings: user and computer. The computer settings can be used to configure file system permissions, user password policies, network configurations, and so on.

The user configuration settings can be used to manage desktop environments, for example a standard corporate desktop. Every computer has a single Local GPO that is always processed, regardless of whether the computer is part of a domain or is a stand-alone computer. The Local GPO cannot be blocked by domain-based GPOs. However, settings in domain GPOs always take precedence, since they are processed after the Local GPO. Prior to Windows Vista you could only have one local policy, but Vista and Windows 2008 support multiple local group policies for user accounts.

Applying Group Policy

Application of Group Policy begins with user and computer logon. Group Policy for computers is applied at computer startup. For users, Group Policy is applied when they log on. To apply a GPO to a specific group, you must have both the Read and Allow Group Policy access. Group Policy is processed in the following order, with each later level applied on top of the earlier ones: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO

Background Refresh of Group Policy

In addition to the initial processing of Group Policy when the computer starts and when the user logs on, the system periodically applies Group Policy in the background. During a refresh, policy settings are applied asynchronously. By default, a refresh occurs every 90 minutes. The system may add a random time of up to 30 minutes to the refresh interval. These values can be changed.

If a policy is changed while the user or computer is still logged on, the process of updating the policy begins within 5 minutes on domain controllers and 90 minutes on member computers. You can also trigger a background refresh of Group Policy on demand from the client. On Windows 2000, you can use Secedit with the /refreshpolicy option; on Windows XP and Windows Server 2003, you can use Gpupdate. The security settings are applied every 16 hours regardless of whether there has been a change or not.

Linking GPOs

A GPO can be linked to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it. If multiple GPOs are linked to one container, you can prioritize the order in which the GPOs are applied. If a conflict exists, the last setting applied wins. A policy setting can have three states: not configured, enabled, and disabled. Not configured means that the GPO will not modify the existing configuration of that particular setting for a user or computer. If you disable or enable a policy setting, a change will be made to the configuration of the user or computer to which the GPO is applied.

Overriding and Blocking Group Policy

To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. Be aware that the No Override option always takes precedence over the Block inheritance option.
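
The processing order, last-applied-wins rule, No Override and Block inheritance described above can be checked together in a small model. This is an added example, not code from the original page or from Windows; the GPO names and setting names are constructed, and it assumes the Local GPO is never blocked and that a conflict between two No Override links goes to the higher container.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict              # name -> "Enabled"/"Disabled"; absent = Not configured
    no_override: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # in the order they are applied
    block_inheritance: bool = False

def effective_settings(levels):
    """Return {setting: (state, winning GPO)}; levels run Local, Site, Domain, OU, Child OU."""
    # The lowest container with Block inheritance hides links from every AD
    # container above it. levels[0] is the Local GPO, which is never blocked.
    cut = max((i for i, c in enumerate(levels) if i and c.block_inheritance), default=0)
    result = {}
    # Pass 1: normal processing order, the last GPO applied wins.
    for i, c in enumerate(levels):
        for link in c.links:
            if link.no_override or 0 < i < cut:
                continue            # enforced links are handled in pass 2
            for name, state in link.settings.items():
                result[name] = (state, link.gpo)
    # Pass 2: No Override links ignore blocking and are written lowest
    # container first, so a higher container cannot be overridden from below.
    for c in reversed(levels):
        for link in c.links:
            if link.no_override:
                for name, state in link.settings.items():
                    result[name] = (state, link.gpo)
    return result

def sample_levels():
    # Constructed GPO and setting names, for illustration only.
    return [
        Container("Local", [Link("Local GPO", {"ScreenSaverLock": "Disabled"})]),
        Container("Site", [Link("Site-Baseline", {"ScreenSaverLock": "Enabled"})]),
        Container("Domain", [Link("Domain-Security", {"PasswordComplexity": "Enabled"}, no_override=True),
                             Link("Domain-Desktop", {"HideControlPanel": "Enabled"})]),
        Container("OU", [Link("OU-Lab", {"PasswordComplexity": "Disabled"})], block_inheritance=True),
        Container("Child OU", [Link("Kiosk", {"HideControlPanel": "Disabled"})]),
    ]

if __name__ == "__main__":
    for name, (state, gpo) in sorted(effective_settings(sample_levels()).items()):
        print(f"{name}: {state} (from {gpo})")
```

In the sample, the OU's Block inheritance drops the site and domain desktop settings, while the domain password setting marked No Override still wins over the OU that tries to disable it.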

Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.