Group Policy overview

To begin using Group Policy immediately, see Ways to open the Group Policy snap-in.

Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage; for example, the programs that are available to users, the programs that appear on the user's desktop, and Start menu options. To create a specific desktop configuration for a particular group of users, you use the Group Policy snap-in. Group Policy settings you specify are contained in a Group Policy object, which is in turn associated with selected Active Directory objects--sites, domains, or organizational units.

Group Policy includes settings for User Configuration, which affect users, and Computer Configuration, which affect computers.

Using Group Policy and its extensions, you can:

How and when Group Policy is applied

User and computer policy

User policy (settings located under the User Configuration node in Group Policy) is obtained when a user logs on.

Computer policy settings are located under Computer Configuration, and are obtained when a computer boots.

Users and Computers are the only types of Active Directory objects that receive policy. Specifically, security groups do not have policy applied to them. Instead, for performance reasons, security groups are used to filter the policy by way of an Apply Group Policy access control entry (ACE), which can be set to Allow or Deny, or left unconfigured.

Order of application

Policies are applied in this order:

  1. The unique local Group Policy object.
  2. Site Group Policy objects, in administratively specified order.
  3. Domain Group Policy objects, in administratively specified order.
  4. Organizational unit Group Policy objects, from largest to smallest organizational unit (parent to child organizational unit), and in administratively specified order at the level of each organizational unit.

By default, policies applied later overwrite previously applied policies when the policies are inconsistent. If the settings are not inconsistent, however, earlier and later policies both contribute to the effective policy.

Policy can be filtered by security group membership

A security group ACE on a Group Policy object can be set to Not configured (no preference), Allowed, or Denied. Denied takes precedence over Allowed.

Blocking policy inheritance

Policies that would otherwise be inherited from higher site, domain, or organizational units can be blocked at the site, domain, or organizational unit level.

Enforcing policy from above

Policies that would otherwise be overwritten by policies in child organizational units can be set to No Override at the Group Policy object level.
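The following added example (not Microsoft code) is a simplified Python model of the rules above: order of application, security group filtering, blocking inheritance, and No Override. It is useful for reasoning about which Group Policy object supplies each effective setting. All names and settings are constructed, and the model assumes that the local Group Policy object is neither filtered nor blocked and that a No Override object cannot be blocked.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False                # "No Override" set on this GPO
    acl: dict = field(default_factory=dict)  # group -> "Allow" / "Deny" (Apply Group Policy ACE)

@dataclass
class Container:                             # a site, domain or organizational unit
    name: str
    gpos: list                               # administratively specified order
    block_inheritance: bool = False

def passes_filter(gpo, groups):
    """Security-group filtering: any Deny wins, otherwise one Allow is required."""
    aces = {gpo.acl[g] for g in groups if g in gpo.acl}
    return "Deny" not in aces and "Allow" in aces

def effective_policy(local_gpo, chain, groups):
    """chain = [site, domain, parent OU, ..., child OU] -> {setting: (value, gpo name)}.
    The local GPO is applied first and is not security-filtered in this model."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []                      # inherited GPOs dropped; No Override ones are kept
        for gpo in container.gpos:
            (enforced if gpo.no_override else normal).append(gpo)
    result = {k: (v, local_gpo.name) for k, v in local_gpo.settings.items()}
    # Later writers win, so No Override GPOs are replayed last, highest level last of all.
    for gpo in normal + enforced[::-1]:
        if passes_filter(gpo, groups):
            result.update({k: (v, gpo.name) for k, v in gpo.settings.items()})
    return result

# Constructed sample hierarchy (all names and settings are made up).
AU = {"Authenticated Users": "Allow"}
LOCAL = GPO("Local", {"Wallpaper": "local.bmp", "ScreenSaverTimeout": 900})
SITE = Container("Site", [GPO("Site-Default", {"Proxy": "proxy.example"}, acl=AU)])
DOMAIN = Container("Domain", [
    GPO("Domain-Baseline", {"HideRunCommand": True}, no_override=True, acl=AU),
    GPO("Domain-Desktop", {"Wallpaper": "corp.bmp"}, acl=AU)])
STAFF = Container("Staff", [
    GPO("Staff-Desktop", {"Wallpaper": "staff.bmp", "HideRunCommand": False}, acl=AU)])
KIOSK = Container("Kiosk", [
    GPO("Kiosk-Lockdown", {"Wallpaper": "kiosk.bmp"},
        acl={**AU, "Kiosk Admins": "Deny"})], block_inheritance=True)
```

Calling `effective_policy(LOCAL, [SITE, DOMAIN, STAFF, KIOSK], ["Authenticated Users"])` returns each setting paired with the object that supplied it, which makes it easy to see that a blocked organizational unit still receives the No Override baseline.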

Note

This section covers: