Group Policy Facts
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of settings that includes registry settings, scripts, templates, and software-specific configuration values.
Each GPO has a common structure, with hundreds of configuration settings that can be enabled and configured. Settings are divided into two categories:
|Computer Configuration||Computer policies (also called machine policies) are enforced for the entire computer. Computer policies include:
Computer policies are initially applied as the computer boots, and are enforced before any user logs on.
|User Configuration||User policies are enforced for specific users. User policy settings include:
User policies are initially applied as the user logs on, and often customize Windows based on user preferences.
Windows Server 2008 offers the Group Policy functionality enhancements described in the table below.
|ADMX and ADML files||The XML-based file format allows multilanguage support and version control. This means that Group Policy tools are displayed in the administrator’s operating system language and facilitates either automated or manual change management processes.
Administrators also have the option of storing all the ADMX files in a central location: a domain-wide directory created in the Sysvol. This reduces replication traffic as the number of GPOs grows, and it reduces the need for additional storage associated with large numbers of decentralized GPOs.
|Network Location Awareness||Network Location Awareness allows clients to be aware of and respond to changing network conditions. With Network Location Awareness, Group Policy uses the operating system’s resource detection and event notification capabilities, such as recover from hibernation and standby, moving in and out of a wireless network, or a new VPN connection. As an example of the latter event, Group Policy can detect when a mobile user connects to a corporate network and detect the availability of a domain controller. Group Policy can initiate a background refresh over the VPN connection to update user and computer policy.|
|Group Policy preferences||Group Policy preference extensions are several (more than 20) Group Policy extensions that expand the range of configurable settings in a GPO. Preference settings differ from policy settings in that preference settings are not enforced, allowing the end user to change any preference setting applied through a GPO. The end user cannot, however, change policy settings. Preference items should work as supplements to your policy settings.|
You should know the following Group Policy facts:
- A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
- Group Policy objects created in Active Directory are linked to Active Directory sites, domains, or organizational units (OUs). Built-in containers (such as the Computers container) cannot have GPOs linked to them.
- GPOs contain hundreds of configuration settings that can be configured.
- Settings within a GPO in Active Directory apply to the users and computers beneath the object to which the GPO is linked. Through inheritance, the settings apply to users and computers in all child OUs beneath the object where the GPO is linked.
- Group policy settings take precedence over user profile settings. Group policy settings in Active Directory take precedence over settings in the local GPO.