Group Policy

Group Policy is a group of settings that are applied to a subset of Active Directory objects in Microsoft Windows Server.

What is Group Policy?

A group of settings that are applied to a subset of Active Directory objects in Microsoft Windows 2000. Group policies are created and assigned using Group Policy, a snap-in for the Microsoft Management Console (MMC). Group policies are typically used to simultaneously configure the desktop working environments of a group of users, but they have many other uses as well. Group policies can be used to:

  • Manage applications - for example, by configuring policies to allow users to install applications published in Active Directory, or to automatically install or upgrade applications on their machines
  • Redirect folders from the Documents and Settings folder on a user’s local machine to a share on the network
  • Assign scripts for startup, shutdown, logon, and logoff events
  • Manage security - for example, to control users’ access to files and folders, control user logon rights, and configure account lockout restrictions
  • Manage software - for example, to configure user profiles such as desktop settings, Start menu, and other common settings

Group policies can be assigned to domains, sites, or organizational units (OUs). To create and configure a group policy, use Group Policy to create a new Group Policy object (GPO). Group policies are applied to users when they log on and to computers when they boot up. If two policies apply to a user or computer, and they do not conflict, they are applied in a cumulative fashion. Users are subject to group policies that apply to them as users and to group policies that apply to the computer at which they are working.

NOTE

Every Windows 2000 domain has a default group policy that applies to all users and computers in the domain. Computers that are moved to a different domain lose the GPO of their original domain and have the GPO of their new domain applied to them. The default GPO for a domain is the only GPO on which you can configure password restrictions, lockout restrictions, Kerberos, the Encrypting File System (EFS), and Internet Protocol (IP) security settings.

NOTE

Group policies set for machines running Windows 2000 do not apply to downlevel Windows NT, Windows 95, or Windows 98 clients.

TIP

A typical use for group policies is to enforce a written company policy across all users in a specific site or domain.