Group Policy

From Wikipedia, the free encyclopedia

Group Policy is part of Microsoft's IntelliMirror technology, which aims to reduce the overall cost of supporting users of Windows. Group Policy provides centralized management and configuration of computers and users in an Active Directory environment.

Group Policy can control a target object's registry, NTFS security, audit and security policy, software installation, logon/logoff scripts, folder redirection and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs). A GPO is internally referenced by a Globally Unique Identifier (GUID) rather than by its display name. Each GPO may be linked to multiple sites, domains or organizational units. In this way, potentially thousands of machines or users can be updated by a single change to one GPO, which reduces the administrative burden and cost of managing these resources. The same reach makes the right to edit or link a GPO a highly privileged one: a change to a GPO linked at the domain level is applied to every computer and user in that domain.

A user or computer object exists only once in Active Directory but often falls within the scope of several GPOs. The client applies every GPO in scope, and conflicts between GPOs are resolved per setting rather than per GPO: GPOs are processed in the order local, site, domain, organizational unit (parent OUs before child OUs), and the last GPO to write a setting wins. Two link options modify this order: a link marked Enforced is applied after all non-enforced links and cannot be overridden further down, and an OU with Block Inheritance set ignores the non-enforced links of the containers above it.
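The precedence rules above are easy to state and easy to get wrong when Enforced and Block Inheritance are combined, so here is a model of them as an added example (not code from the article, and not Microsoft's implementation). It is pure PowerShell that contacts no domain: the site, domain, OU and GPO names and the settings they carry are all constructed for the example.

```powershell
# Added example, not code from the article: a model of how Group Policy
# resolves conflicting settings. Application order is Local, Site, Domain,
# OU (parent OU before child OU); the last GPO to write a setting wins; an
# Enforced link is applied after all non-enforced links, deeper containers
# first so the highest enforced link wins; Block Inheritance on a container
# discards non-enforced links from the containers above it. All names and
# settings below are constructed; nothing is read from a domain.

function New-GpoLink {
    param([string]$Gpo, [int]$Order, [switch]$Enforced, [hashtable]$Settings)
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order; Enforced = [bool]$Enforced; Settings = $Settings }
}

function Resolve-GpoPrecedence {
    param(
        # Containers from the top of the hierarchy (site) down to the OU that
        # holds the target object. Each is @{ Name; BlockInheritance; Links }.
        [array]$Containers,
        # Settings of the local GPO, which is processed first and is not
        # subject to Block Inheritance.
        [hashtable]$LocalSettings = @{}
    )
    # Only the deepest container that blocks inheritance matters: every
    # container above it loses its non-enforced links.
    $blockIndex = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockIndex = $i }
    }

    $applyOrder = @()
    # Pass 1: non-enforced links, top of the hierarchy first. Within one
    # container link order 1 has the highest precedence, so it is written last.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($i -lt $blockIndex) { continue }
        $applyOrder += @($Containers[$i].Links | Where-Object { -not $_.Enforced } |
            Sort-Object -Property Order -Descending)
    }
    # Pass 2: enforced links, deepest container first, so an enforced link
    # higher up the hierarchy is written last and therefore wins.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $applyOrder += @($Containers[$i].Links | Where-Object { $_.Enforced } |
            Sort-Object -Property Order -Descending)
    }

    # Replay the writes: each setting keeps the value from the last GPO to set it.
    $effective = [ordered]@{}
    foreach ($name in $LocalSettings.Keys) {
        $effective[$name] = [pscustomobject]@{ Setting = $name; Value = $LocalSettings[$name]; WonBy = 'Local GPO' }
    }
    foreach ($link in $applyOrder) {
        foreach ($name in $link.Settings.Keys) {
            $effective[$name] = [pscustomobject]@{ Setting = $name; Value = $link.Settings[$name]; WonBy = $link.Gpo }
        }
    }
    [pscustomobject]@{
        ApplyOrder = @('Local GPO') + @($applyOrder | ForEach-Object { $_.Gpo })
        Effective  = @($effective.Values)
    }
}

# Constructed hierarchy: site -> domain -> OU Workstations (blocks inheritance)
# -> OU Dev. The Default Domain Policy is enforced, so it survives the block
# and beats the child OU's weaker password setting.
$hierarchy = @(
    @{ Name = 'HQ site';         BlockInheritance = $false; Links = @(
        (New-GpoLink -Gpo 'Site Proxy' -Order 1 -Settings @{ ProxyServer = 'proxy.site' })) }
    @{ Name = 'corp.example';    BlockInheritance = $false; Links = @(
        (New-GpoLink -Gpo 'Default Domain Policy' -Order 1 -Enforced -Settings @{ MinimumPasswordLength = 14 })) }
    @{ Name = 'OU=Workstations'; BlockInheritance = $true;  Links = @(
        (New-GpoLink -Gpo 'WS Baseline' -Order 1 -Settings @{ DisableCMD = 1; ProxyServer = 'proxy.ws' }),
        (New-GpoLink -Gpo 'WS Legacy'   -Order 2 -Settings @{ DisableCMD = 0 })) }
    @{ Name = 'OU=Dev';          BlockInheritance = $false; Links = @(
        (New-GpoLink -Gpo 'Dev Tools' -Order 1 -Settings @{ DisableCMD = 0; MinimumPasswordLength = 6 })) }
)

$result = Resolve-GpoPrecedence -Containers $hierarchy -LocalSettings @{ MinimumPasswordLength = 8; DisableCMD = 0 }
'Application order: ' + ($result.ApplyOrder -join ' -> ')
$result.Effective | Format-Table Setting, Value, WonBy -AutoSize
```

Run as written, Site Proxy is discarded by the block on OU=Workstations, the application order is Local GPO, WS Legacy, WS Baseline, Dev Tools, Default Domain Policy, and the effective values are MinimumPasswordLength 14 (the enforced domain policy beats the child OU), DisableCMD 0 (the child OU beats its parent) and ProxyServer proxy.ws. Against a real domain the same ordering is shown by gpresult /r on the client and by Get-GPInheritance in the GroupPolicy PowerShell module for a given OU.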

Group Policy is also the basis for managing the group of technologies referred to as IntelliMirror. These technologies concern disconnected machines and roaming users and include Roaming User Profiles, Folder Redirection and Offline Folders.

Computer settings are processed when the computer starts and user settings when the user logs on. The client then refreshes most Group Policy settings in the background: by default every 90 minutes plus a random offset of up to 30 minutes on workstations and member servers (so between 90 and 120 minutes after the previous pass), and every 5 minutes on domain controllers. Both the interval and the offset are themselves Group Policy settings, and gpupdate forces an immediate refresh.

Group Policy is supported on Windows 2000, Windows XP Professional and Windows Server 2003, and on later versions of Windows.

In June, 2006 Centrify Corporation announced Group Policy support for Mac OS X using their DirectControl software.


Group Policy Extensions

Group Policy supports the concept of a Client Side Extension (CSE). A CSE is a component (a DLL registered on the client) that processes one category of settings when policy is applied. For the most part, CSEs are transparent to the administrator, since GPMC and GPEdit merge them into a single unified namespace of settings. The following extensions are supplied with the operating system:

  • Administrative Templates extension - registry-based policy, written to the Policies keys of the registry
  • Software installation extension - centralized deployment of software
  • Security extension - control of security policy (account and audit policy, user rights, file system and registry ACLs)
  • Internet Explorer Maintenance - management of Internet Explorer settings
  • Scripts extension - invocation of computer startup/shutdown and user logon/logoff scripts
  • Folder Redirection extension - redirection of user profile folders to network locations

The Three Phases of Using Group Policy

Group Policy can be considered in three distinct phases: GPO creation, targeting (linking) of the GPO, and application of the GPO on the client.

Creating and Editing GPOs

GPOs are created and edited through two tools: the Group Policy Object Editor (GPEdit) and the Group Policy Management Console (GPMC), which was originally a free download and later shipped with Windows Server and the Remote Server Administration Tools. GPEdit creates and edits a single GPO at a time. Before GPMC, administrators who wanted to document or inventory deployed GPOs had to use Active Directory Users and Computers (ADUC) to interrogate each organizational unit individually, a time-consuming and error-prone task. GPMC simplified GPO management by providing tools to manage large numbers of GPOs collectively: settings summarisation, a simplified security pane for security-group filtering, GPO backup, restoration and cloning, and more, in a GUI that mimics ADUC. Editing a GPO from within GPMC still launches GPEdit. The friendly name of a GPO can be determined from its GUID with gpotool.exe from the Windows Server Resource Kit, which lists every GPO's GUID together with its friendly name and checks that the Active Directory and SYSVOL copies of each GPO are consistent.
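The GUID-to-name lookup that gpotool performs can be reproduced by reading the groupPolicyContainer objects directly, which also makes it possible to spot GPOs whose directory object and SYSVOL folder have drifted apart. The following is an added example, not code from the article and not gpotool itself. It assumes a domain-joined host with read access to the directory and the SYSVOL share and takes the domain name from the host's RootDSE; the function names are the example's own, and the GUID used in the usage line is the well-known one of the Default Domain Policy.

```powershell
# Added example, not code from the article: resolve GPO GUIDs to friendly
# names the way gpotool does, by reading the groupPolicyContainer objects
# under CN=Policies,CN=System in the domain, then cross-check them against
# the GUID-named folders in SYSVOL. Assumes a domain-joined host with read
# access to the directory and the SYSVOL share; the domain name is taken
# from the host's own RootDSE.

function Get-GpoNameTable {
    param(
        [string]$DomainDn = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $policies = [adsi]"LDAP://CN=Policies,CN=System,$DomainDn"
    $table = @{}
    foreach ($gpo in $policies.Children) {
        # cn holds the GUID in braces, displayName the name GPMC shows,
        # gPCFileSysPath the SYSVOL folder. versionNumber packs the user
        # version in the high 16 bits and the computer version in the low 16.
        $guid    = [string]$gpo.cn
        $version = [int]([string]$gpo.versionNumber)
        $table[$guid] = [pscustomobject]@{
            Guid            = $guid
            DisplayName     = [string]$gpo.displayName
            SysvolPath      = [string]$gpo.gPCFileSysPath
            ComputerVersion = $version -band 0xFFFF
            UserVersion     = ($version -shr 16) -band 0xFFFF
        }
    }
    $table
}

function Resolve-GpoGuid {
    param([Parameter(Mandatory)][string]$Guid, [hashtable]$Table = (Get-GpoNameTable))
    if (-not $Guid.StartsWith('{')) { $Guid = "{$Guid}" }
    if ($Table.ContainsKey($Guid)) { $Table[$Guid].DisplayName } else { $null }
}

function Find-GpoSysvolMismatch {
    param([string]$DomainDn = [string]([adsi]'LDAP://RootDSE').defaultNamingContext)
    $table   = Get-GpoNameTable -DomainDn $DomainDn
    # DC=corp,DC=example -> corp.example, the host name of the SYSVOL share.
    $dnsName = (($DomainDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
    $share   = "\\$dnsName\SYSVOL\$dnsName\Policies"
    # A folder with no directory object is a leftover or something placed by
    # hand; a directory object with no folder means the GPO cannot be applied.
    foreach ($dir in Get-ChildItem -Path $share -Directory) {
        if ($dir.Name -like '{*}' -and -not $table.ContainsKey($dir.Name)) {
            [pscustomobject]@{ Guid = $dir.Name; DisplayName = $null; Problem = 'SYSVOL folder has no GPO object in AD' }
        }
    }
    foreach ($g in $table.Values) {
        if (-not (Test-Path -Path $g.SysvolPath)) {
            [pscustomobject]@{ Guid = $g.Guid; DisplayName = $g.DisplayName; Problem = 'GPO object has no SYSVOL folder' }
        }
    }
}

# Usage:
$gpos = Get-GpoNameTable
$gpos.Values | Sort-Object DisplayName | Format-Table Guid, DisplayName, ComputerVersion, UserVersion -AutoSize
Resolve-GpoGuid -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -Table $gpos   # Default Domain Policy
Find-GpoSysvolMismatch | Format-Table -AutoSize
```

On a host with the GroupPolicy module available, Get-GPO -All gives the same GUID and name pairs without ADSI; the version split is useful because the client only re-processes a GPO whose version has changed, so a GPO whose directory version and SYSVOL version disagree is one to examine.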

Targeting GPOs

After a GPO has been created it can be linked to an Active Directory site, domain or OU (organizational unit); a GPO that is not linked anywhere has no effect. It is most common for GPOs to be linked to OUs. Each link carries its own link order within the container and an Enforced flag, which together with Block Inheritance on the container decide precedence when GPOs conflict. The scope of a linked GPO can be narrowed further with security-group filtering on the GPO's access control list and with WMI filters.

GPO Application

The Group Policy client operates on a "pull" model. At computer startup and user logon, and then periodically in the background (by default every 90 minutes plus a random offset of 0-30 minutes, both configurable via Group Policy), it collects the list of GPOs that apply to the machine and to the logged-on user (if any) and hands each category of settings to the corresponding client side extension, which applies them. The applied settings thereafter govern the behaviour of policy-enabled operating system components and applications. Two caveats matter in practice. Some extensions, notably Software Installation and Folder Redirection, only process during the foreground startup or logon pass, not during background refresh. And by default an extension skips a GPO whose version has not changed since the last pass; the Security extension is the exception and re-applies its settings every 16 hours regardless, so a security setting altered locally is reverted at the latest at that point.
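How long a pushed change can take to land on a given machine depends on the refresh values in force there, so the following added example (not code from the article, and not a Microsoft tool) reads the registry values that the built-in refresh policies write, reports the resulting window, flags the two configurations that defeat background refresh, and wraps gpupdate for an immediate refresh. The function names are the example's own; only the computer-side values are read, and the hashtable parameter is there so a hypothetical configuration can be evaluated without touching the registry.

```powershell
# Added example, not code from the article: compute the background refresh
# window in force on a machine from the registry values that the built-in
# "Group Policy refresh interval" policies write, and force a refresh. The
# value names are those the policies store (user-side values live under
# HKCU under the same relative path; only the computer side is read here).
# Defaults: 90 minutes plus a random 0-30 minute offset for workstations
# and member servers, 5 minutes plus 0-30 for domain controllers.

function Get-GpRefreshWindow {
    param(
        # Pass a hashtable of policy values to evaluate a hypothetical
        # configuration without reading the registry.
        [hashtable]$PolicyValues = $null,
        [switch]$DomainController
    )
    $refreshKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $systemKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($null -eq $PolicyValues) {
        $PolicyValues = @{}
        foreach ($name in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset',
                          'GroupPolicyRefreshTimeDC', 'GroupPolicyRefreshTimeOffsetDC') {
            $item = Get-ItemProperty -Path $refreshKey -Name $name -ErrorAction SilentlyContinue
            if ($item) { $PolicyValues[$name] = [int]$item.$name }
        }
        $item = Get-ItemProperty -Path $systemKey -Name 'DisableBkGndGroupPolicy' -ErrorAction SilentlyContinue
        if ($item) { $PolicyValues['DisableBkGndGroupPolicy'] = [int]$item.DisableBkGndGroupPolicy }
    }

    if ($PolicyValues['DisableBkGndGroupPolicy'] -eq 1) {
        # Background refresh is off: settings change only at startup/logon
        # or when gpupdate runs, so a pushed security fix can wait indefinitely.
        return [pscustomobject]@{ BackgroundRefresh = $false; MinMinutes = $null; MaxMinutes = $null
                                  Note = 'DisableBkGndGroupPolicy=1: refresh only at startup/logon or gpupdate' }
    }

    $suffix   = if ($DomainController) { 'DC' } else { '' }
    $interval = if ($DomainController) { 5 } else { 90 }
    $offset   = 30
    if ($PolicyValues.ContainsKey("GroupPolicyRefreshTime$suffix"))       { $interval = $PolicyValues["GroupPolicyRefreshTime$suffix"] }
    if ($PolicyValues.ContainsKey("GroupPolicyRefreshTimeOffset$suffix")) { $offset   = $PolicyValues["GroupPolicyRefreshTimeOffset$suffix"] }
    # The policy editor only accepts 0-64800 minutes (45 days) for the
    # interval and 0-1440 for the offset; clamp so a hand-edited registry
    # value is reported within the range the policy defines.
    $interval = [math]::Min([math]::Max($interval, 0), 64800)
    $offset   = [math]::Min([math]::Max($offset, 0), 1440)
    $note = ''
    if ($interval -eq 0) {
        # An interval of 0 is documented as "refresh every 7 seconds", a
        # misconfiguration that hammers the domain controllers.
        $interval = [math]::Round(7 / 60, 2)
        $note = 'interval 0 means every 7 seconds'
    }
    [pscustomobject]@{ BackgroundRefresh = $true; MinMinutes = $interval; MaxMinutes = $interval + $offset; Note = $note }
}

function Invoke-GpRefresh {
    # Force the client to re-apply policy now instead of waiting for the
    # next background pass; returns gpupdate's exit code.
    param([ValidateSet('Computer', 'User')][string]$Target = 'Computer')
    & gpupdate.exe /target:$($Target.ToLower()) /force | Out-Null
    $LASTEXITCODE
}

# Usage:
Get-GpRefreshWindow                                                   # what this machine actually does
Get-GpRefreshWindow -PolicyValues @{ GroupPolicyRefreshTime = 0 }     # the 7-second misconfiguration
Get-GpRefreshWindow -PolicyValues @{ DisableBkGndGroupPolicy = 1 }    # background refresh turned off
```

After a refresh, gpresult /r (or Get-GPResultantSetOfPolicy from the GroupPolicy module) lists the GPOs that were actually applied and the ones that were filtered out, which is the check to run when a setting does not appear where it was expected.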
