A group of settings that are applied to a subset of Active Directory objects in Microsoft Windows 2000. Group policies are created and assigned using Group Policy, a snap-in for the Microsoft Management Console (MMC). Group policies are typically used to simultaneously configure the desktop working environments of a group of users, but they have many other uses as well. Group policies can be used to:
Group policies can be assigned to domains, sites, or organizational units (OUs). To create and configure a group policy, use Group Policy to create a new Group Policy object (GPO). Group policies are applied to users when they log on and to computers when they boot up. If two policies apply to a user or computer, and they do not conflict, they are applied in a cumulative fashion. Users are subject to group policies that apply to them as users and to group policies that apply to the computer at which they are working.
Every Windows 2000 domain has a default group policy that applies to all users and computers in the domain. Computers that are moved to a different domain lose the GPO of their original domain and have the GPO of their new domain applied to them. The default GPO for a domain is the only GPO on which you can configure password restrictions, lockout restrictions, Kerberos, the Encrypting File System (EFS), and Internet Protocol (IP) security settings.
Group policies set for machines running Windows 2000 do not apply to downlevel Windows NT, Windows 95, or Windows 98 clients.
A typical use for group policies is to enforce a written company policy across all users in a specific site or domain.