This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Group Policy

Group Policy Architecture

Group Policy provides centralized management and configuration of users and computers in an Active Directory environment.

Group Policy Components:

Group Policy Objects (GPOs):

  • Containers holding configuration settings

  • Stored in Active Directory and SYSVOL

  • Can be linked to sites, domains, or OUs

Group Policy Management Console (GPMC):

  • Administrative tool for managing Group Policy

  • Provides centralized view of all GPOs

  • Enables modeling and reporting

Group Policy Client:

  • Service running on client computers

  • Downloads and applies Group Policy settings

  • Processes policies during startup, logon, and refresh cycles

Group Policy Processing

Processing Order (LSDOU):

  1. Local GPO: Policies stored locally on the computer

  2. Site GPOs: Policies linked to Active Directory sites

  3. Domain GPOs: Policies linked to the domain

  4. OU GPOs: Policies linked to organizational units (closest to object wins)

Processing Rules:

  • Last Writer Wins: Later policies override earlier ones for conflicting settings

  • No Override (Enforced): Higher-level policies can be marked as enforced so that lower-level policies cannot override them

  • Block Inheritance: Lower-level containers can block inheritance of policies linked at higher levels

  • Security Filtering: GPOs can be filtered to specific security groups
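
The processing order and rules above, modelled as an added example (it is not part of the original guide and is not Microsoft code). It goes beyond the text by assuming that enforced links are applied after all others with the highest level writing last, and that Block Inheritance never stops enforced links or the local GPO; the GPO names, setting names and hierarchy are constructed.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False
    apply_to: frozenset = frozenset({"Authenticated Users"})  # security filtering

@dataclass
class Container:
    name: str
    links: list                      # listed in processing order within the container
    block_inheritance: bool = False

def processing_order(chain, groups):
    """chain = containers in LSDOU order: [local, site, domain, OU, ..., closest OU]."""
    # The lowest container with Block Inheritance cuts off non-enforced links above it.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        mine = [l for l in c.links if l.apply_to & groups]   # security filtering
        enforced.append([l for l in mine if l.enforced])
        if i == 0 or i >= cut:                               # local GPO is never blocked
            normal += [l for l in mine if not l.enforced]
    # Enforced links run last, closest OU first, so the highest level writes last.
    return normal + [l for level in reversed(enforced) for l in level]

def effective_settings(chain, groups):
    result = {}
    for link in processing_order(chain, groups):
        # Last writer wins: a later link overwrites the same setting from an earlier one.
        result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

def sample_chain():  # constructed domain; GPO and setting names are made up
    return [
        Container("Local", [Link("Local", {"ScreenLockTimeout": 900})]),
        Container("Site HQ", [Link("Site-Proxy", {"Proxy": "hq-proxy"})]),
        Container("Domain", [
            Link("Domain-Baseline", {"ScriptLogging": "on", "ScreenLockTimeout": 600}, enforced=True),
            Link("Domain-Desktop", {"USBStorage": "allow"})]),
        Container("OU Workstations", [Link("WS-Hardening", {"USBStorage": "deny"})]),
        Container("OU Lab", block_inheritance=True, links=[
            Link("Lab-Relaxed", {"ScriptLogging": "off", "ScreenLockTimeout": 3600}),
            Link("Lab-Admin-Tools", {"USBStorage": "allow"}, apply_to=frozenset({"Lab Admins"}))]),
    ]

if __name__ == "__main__":
    print(effective_settings(sample_chain(), {"Authenticated Users"}))
```

In the sample, the enforced domain baseline still wins inside the Lab OU, while the non-enforced WS-Hardening restriction is lost to the Lab's Block Inheritance, which is why security baselines that must not be bypassed are typically enforced rather than left to normal inheritance.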

Processing Events:

  • Computer Startup: Computer policies process during boot

  • User Logon: User policies process during logon

  • Background Refresh: Policies refresh periodically (default: 90 minutes ± 30 minutes)

  • Manual Refresh: Administrators can force immediate refresh

Group Policy Categories

Computer Configuration:

  • Security Settings (password policies, user rights, audit policies)

  • Software Installation (deploy and manage applications)

  • Administrative Templates (registry-based settings)

  • Scripts (startup and shutdown scripts)

  • Folder Redirection (redirect special folders to network locations)

User Configuration:

  • Software Installation (user-specific applications)

  • Administrative Templates (user interface and application settings)

  • Scripts (logon and logoff scripts)

  • Security Settings (restricted groups, system services)

  • Folder Redirection (redirect user folders to network shares)

Advanced Group Policy Features

Preferences:

  • Configure settings without enforcing them

  • Users can change settings if needed

  • More flexible than traditional Group Policy settings

Item-Level Targeting:

  • Apply preferences based on specific criteria

  • Criteria include: OS version, IP address range, group membership, registry values

Central Store:

  • Centralized location for Administrative Template files

  • Ensures consistent policy definitions across domain controllers

  • Located in SYSVOL at \\domain\SYSVOL\domain\Policies\PolicyDefinitions
