Group Policy

What is Group Policy?

Group Policy is a management feature in Microsoft's Active Directory (AD) that enables network and system administrators to configure and assign user and computer settings in an AD environment. Group Policy provides a centralized, policy-based approach to system management that can be applied at different AD container levels, such as domains, sites or organizational units (OUs).

Group Policy is often viewed as a security tool, and certainly a large portion of the settings apply to user and computer security. However, Group Policy also offers a variety of other options. For example, administrators can configure settings related to driver installation, folder redirection, network connections, shared folders, logon scripts, printers and much more.

Group Policy settings are specific to either users or computers. Computer settings are applied when a computer starts up, and user settings are applied when a user logs onto the system. Computer settings take precedence over user settings.

In Active Directory, Group Policy settings are organized into Group Policy Objects (GPOs) for administrative purposes. A GPO is a logical collection of settings that is assigned a unique name. Administrators often use the Group Policy Management Console (GPMC) to manage and deploy Group Policy Objects throughout the AD environment. The GPMC is a Microsoft Management Console (MMC) snap-in that provides a graphical user interface for configuring GPOs.

Administrators can also use command-line tools, such as gpresult and gpupdate, when working with GPOs. In addition, many administrators now leverage Microsoft PowerShell to manage GPOs. PowerShell includes multiple Group Policy cmdlets that enable administrators to create GPO-related scripts and automate management tasks, which can be especially beneficial for large-scale deployments.

Group Policy processing order

Group policy settings can be applied to different container levels within the AD hierarchy. For example, administrators can assign GPOs to domains, OUs, child OUs or any combination of these. The policy settings are inherited and accumulative. They affect all users and computers assigned to that container and the container's children.

The policy settings are processed in a specific order, based on the container level on which they're applied. Active Directory processes the settings in the following order:

• Local policies.
• Site-specific policies.
• Domain-specific policies.
• OU-specific policies.

This processing order is sometimes referred to as LSDOU: local, site, domain, organization unit. Local policies are always processed before domain policies. If there are any conflicts between settings, the last applied settings override the previous settings, which means that AD-based policy settings always take precedence over local policy settings. If an AD implementation includes nested OUs, the service first processes the parent OU, followed by the child OUs, with those closest to the root always applied first.

Group Policy extensibility

The native settings in Group Policy are specific to the Windows operating system. An administrator might, for instance, use them to enforce a minimum password length, hide the Windows Control Panel from users or force the installation of security patches.

However, Group Policy can be extended through the use of administrative templates. The templates enable administrators to configure Group Policy settings specific to certain types of applications. For example, administrative templates are available for Microsoft Office and Microsoft Office 365 Suite apps.

Administrative templates consist of two file types: ADMX and ADML. An ADMX file is an Extensible Markup Language (XML) file that contains all of the Group Policy settings associated with the template. A corresponding ADML file acts as a language file that makes it possible to display the settings in a specific language.

Local vs. Active Directory Group Policy

In an Active Directory environment, much of the focus on Group Policy is often specific to how the settings are applied through Group Policy Objects. However, Group Policy settings can also be applied locally to a Windows computer and its users through the computer's operating system.

Local Group Policy settings are machine-specific. They can be applied to either standalone computers or to computers managed by a domain controller. Administrators can configure local Group Policy settings directly on a Windows computer by using the Local Group Policy Editor MMC snap-in. They can also use the Group Policy Object Editor snap-in to manage the local settings on remote computers. In addition, administrators can take advantage of tools such as gpupdate to manage local Group Policy settings.

In contrast to local Group Policy settings, AD-based GPOs can be centrally configured and applied to multiple users and computers, but only if they're joined to the AD domain. Administrators often use the Group Policy Management Console when working with AD-based Group Policy settings, but they might use other tools as well.

Many organizations use a combination of local and AD Group Policy objects when managing their computers and users. The local policy settings provide security when the user is not logged into a domain, while Active Directory GPOs are applied as soon as a connected computer starts up or the user logs into the network.

Learn what techniques can be used to troubleshoot common issues in Active Directory, and tips on replication troubleshooting. See how to automate Active Directory jobs with PowerShell scripts. Check out what to do when Group Policy shows an access denied message.