World Library  
Flag as Inappropriate
Email this Article

Group Policy

Article Id: WHEBN0001228095
Reproduction Date:

Title: Group Policy  
Author: World Heritage Encyclopedia
Language: English
Subject: Management features new to Windows Vista, Windows Registry, Windows 2000, Active Directory, Microsoft Management Console
Collection: Active Directory, Windows Administration, Windows Components
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Group Policy

Local Security Policy editor in Windows 7

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy ("LGPO" or "LocalGPO") also allows Group Policy Object management on standalone and non-domain computers.[1][2]

Contents

  • Operation 1
    • Enforcement 1.1
    • Inheritance 1.2
    • Filtering 1.3
  • Local Group Policy 2
  • Group Policy preferences 3
  • Group Policy Management Console 4
  • Advanced Group Policy Management 5
  • Security 6
  • Windows 8 enhancements 7
  • See also 8
  • References 9
  • Further reading 10
  • External links 11

Operation

Group Policy, in part, controls what users can and cannot do on a computer system: for example, to enforce a password complexity policy that prevents users from choosing an overly simple password, to allow or prevent unidentified users from remote computers to connect to a network share, to block access to the Windows Task Manager or to restrict access to certain folders. A set of such configurations is called a Group Policy Object (GPO).

As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection, and offline files.

Enforcement

To accomplish the goal of central management of a group of computers, machines should receive and enforce GPOs. A GPO that resides on a single machine only applies to that computer. To apply a GPO to a group of computers, Group Policy relies on Active Directory (or on third-party products like ZENworks Desktop Management) for distribution. Active Directory can distribute GPOs to computers which belong to a Windows domain.

By default, Microsoft Windows refreshes its policy settings every 90 minutes with a random 30 minutes offset. On Domain controllers, Microsoft Windows does so every five minutes. During the refresh, it discovers, fetches and applies all GPOs that apply to the machine and to logged-on users. Some settings - such as those for automated software installation, drive mappings, startup scripts or logon scripts - only apply during startup or user logon. Since Windows XP, users can manually initiate a refresh of the group policy by using the gpupdate command from a command prompt.[3]

Group Policy Objects are processed in the following order (from top to bottom):[4]

  1. Local - Any settings in the computer's local policy. Prior to Windows Vista, there was only one local group policy stored per computer. Windows Vista and later Windows versions allow individual group policies per user accounts.[5]
  2. Site - Any Group Policies associated with the Active Directory site in which the computer resides. (An Active Directory site is a logical grouping of computers, intended to facilitate management of those computers based on their physical proximity.) If multiple policies are linked to a site, they are processed in the order set by the administrator.
  3. Domain - Any Group Policies associated with the Windows domain in which the computer resides. If multiple policies are linked to a domain, they are processed in the order set by the administrator.
  4. Organizational Unit - Group policies assigned to the Active Directory organizational unit (OU) in which the computer or user are placed. (OUs are logical units that help organizing and managing a group of users, computers or other Active Directory objects.) If multiple policies are linked to an OU, they are processed in the order set by the administrator.

The resulting Group Policy settings applied to a given computer or user are known as the Resultant Set of Policy (RSoP). RSoP information may be displayed for both computers and users using the gpresult command.[6]

Inheritance

A policy setting inside a hierarchical structure is ordinarily passed from parent to children, and from children to grandchildren, and so forth. This is termed inheritance. It can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates a policy that has inheritance blocked by a lower level administrator (domain administrator), this policy will still be processed.

Where a Group Policy Preference Settings is configured and there is also an equivalent Group Policy Setting configured, then the value of the Group Policy Setting will take precedence.

Filtering

WMI filtering is the process of customizing the scope of the GPO by choosing a Windows Management Instrumentation (WMI) filter to apply. These filters allow administrators to apply the GPO only to, for example, computers of specific models, RAM, installed software, or anything available via WMI queries.

Local Group Policy

Local Group Policy (LGP, or LocalGPO) is a more basic version of Group Policy for standalone and non-domain computers, that has existed at least since Windows XP Home Edition, and can be applied to domain computers. Prior to Windows Vista, LGP could enforce a Group Policy Object for a single local computer, but could not make policies for individual users or groups. From Windows Vista onward, LGP allow Local Group Policy management for individual users and groups as well,[1] and also allows backup, importing and exporting of policies between standalone machines via "GPO Packs" – group policy containers which include the files needed to import the policy to the destination machine.[2]

Group Policy preferences

There is a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[7]

Group Policy Preferences adds a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control the application of these setting items.

Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003, and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[8][9][10][11][12][13]

Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Group Policy Management Console

Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[14][15][16][17]

Advanced Group Policy Management

Microsoft Desktop Optimization Pack (a.k.a. MDOP). This advanced tool allows administrators to have a check in/out process for modification Group Policy Objects, track changes to Group Policy Objects, and implement approval workflows for changes to Group Policy Objects.

AGPM consists of two parts - server and client. The server is a Windows Service that stores its Group Policy Objects in an archive located on the same computer or a network share. The client is a snap-in to the Group Policy Management Console, and connects to the AGPM server. Configuration of the client is performed via Group Policy.

Security

Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular functions of accessing it.[19]

Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.[20]

Windows 8 enhancements

Windows 8 has been introduced a new feature called Group Policy Update. This feature allows an administrator to force a group policy update on all computers with accounts in a particular Organizational Unit. This creates a scheduled task on the computer which runs the GPUPDATE command within 10 minutes, adjusted by a random offset to avoid overloading the domain controller.

Group Policy Infrastructure Status was introduced, which can report when any Group Policy Objects are not replicated correctly amongst domain controllers.[21]

Group Policy Results Report also has a new feature that times the execution of individual components when doing a Group Policy Update.[22]

See also

References

  1. ^ a b Step-by-Step Guide to Managing Multiple Local Group Policy Objects
  2. ^ a b http://blogs.technet.com/b/secguide/archive/2011/07/05/scm-v2-beta-localgpo-rocks.aspx
  3. ^ Gpupdate
  4. ^
  5. ^ Group Policy - Apply to a Specific User or Group - Windows 7 Forums
  6. ^ Microsoft TechNet: Gpresult
  7. ^ Group Policy Preference Migration Tool (GPPMIG)
  8. ^ Group Policy Preference Client Side Extensions for Windows XP (KB943729)
  9. ^ Group Policy Preference Client Side Extensions for Windows XP x64 Edition (KB943729)
  10. ^ Group Policy Preference Client Side Extensions for Windows Vista (KB943729)
  11. ^ Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)
  12. ^ Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)
  13. ^ Group Policy Preference Client Side Extensions for Windows Server 2003 x64 Edition (KB943729)
  14. ^
  15. ^ Microsoft Remote Server Administration Tools for Windows Vista
  16. ^ Microsoft Remote Server Administration Tools for Windows Vista for x64-based Systems
  17. ^ Remote Server Administration Tools for Windows 7
  18. ^ Microsoft Windows Enterprise | Enhancing Group Policy
  19. ^ Raymond Chen, "Shell policy is not the same as security"
  20. ^ Mark Russinovich, "Circumventing Group Policy as a Limited User
  21. ^ Updated: What’s new with Group Policy in Windows 8
  22. ^ Windows 8 Group Policy Performance Troubleshooting Feature

Further reading

External links

  • Official website
  • Group Policy Team Blog
  • Group Policy Settings Reference for Windows and Windows Server
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.