
Group Policy Introduction

This video provides an overview of Group Policy, explaining the basics of how Group Policy works and what can be achieved with it.

What is Group Policy
Group Policy is a system that allows central control of your client computers. Using Group Policy you can control the user experience. This includes configuring settings for the user and also settings that affect the computer as a whole. Group Policy can also be used to deploy and configure software.

Text Based Config Files
Before systems like Group Policy were developed, settings were often kept in text files such as INI files. To change an INI file, software would rewrite the whole file each time a change was made. Text files were not designed for multi-user environments and don’t support rolling back changes.

Registry
Microsoft introduced the registry to replace text files such as INI files. Editing a single value in the registry is a lot easier than editing a single value in a text file. The problem with the registry is that once a change is made, it is permanent until overwritten by another value.

Group Policy
Group Policy allows changes to be rolled back: the effects of a Group Policy are reversed when it no longer applies. Users and computers can therefore be moved around Active Directory, and the Group Policy that applies to these objects may change as a result. Since Group Policy reverses any previously made changes, the administrator does not need to worry about what settings were previously applied.

Group Policy Mechanics
Group Policy is created and stored on a Domain Controller. It is downloaded from the Domain Controller to the local computer and applied there. For this reason Group Policy is a client-driven technology: it is up to the client to download Group Policy and apply it. Group Policy is applied by Client Side Extensions (CSEs). Each operating system release improves existing CSEs and adds new ones, meaning newer clients can process some Group Policy settings that older clients may not be able to process. For a list of all the CSEs installed on a system, refer to the following registry key.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
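
To read that key in practice, the following PowerShell lists each registered CSE with its GUID, display name and DLL, and reports whether the DLL is present and what its Authenticode status is. This is an added example, not part of the original lesson; the function name Get-RegisteredCse is hypothetical, and resolving a bare DLL file name against System32 is an assumption made for this report.

```powershell
# Added example: inventory the Client Side Extensions (CSEs) registered on this computer.
# Run in Windows PowerShell on the client you want to inspect.
$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-RegisteredCse {   # hypothetical helper name
    param([string]$Path = $gpExtKey)

    foreach ($key in Get-ChildItem -Path $Path) {
        # Each subkey is named after the CSE's GUID; its default value holds the display name.
        $name = $key.GetValue('')
        # DllName is the library that implements the CSE; GetValue expands %SystemRoot% and similar.
        $dll  = $key.GetValue('DllName')

        # Assumption for this report: a bare file name is looked up in System32.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }

        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $dll).Status
        } else {
            'n/a'
        }

        [pscustomobject]@{
            Guid      = $key.PSChildName
            Name      = $name
            DllName   = $dll
            DllExists = $exists
            Signature = $sig
        }
    }
}

# Sorted table; pipe to Export-Csv instead to compare the CSE set between clients.
Get-RegisteredCse | Sort-Object Name | Format-Table -AutoSize
```

Comparing this output between an older and a newer client shows which Group Policy settings the older client has no extension to process.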

Group Policy Example
A single Group Policy is divided into two parts called Computer Configuration and User Configuration. Settings that are configured under Computer Configuration affect the whole computer. Settings configured under User Configuration affect only the user that is currently logged in.

The User and Computer Configuration are each divided into two parts called Policies and Preferences. Preferences was a late addition to Windows Server 2008. Microsoft purchased another product called Policy Maker and added this product to Group Policy. The essential difference between the two is that Group Policy is mandatory while preferences can often be overwritten by the user.

Policies are divided into three parts: Software Settings, Windows Settings and Administrative Templates. Software settings, such as installations, are configured under Software Settings. Windows Settings are more broad-stroke settings that affect how the computer operates at a low level rather than specific functions. Administrative Templates contain the bulk of the Group Policy settings.

Summary
Group Policy settings are stored in Active Directory. They are client driven, and thus the client is responsible for downloading the Group Policy settings and applying them. Group Policy settings are applied to the client by software called Client Side Extensions. If a Group Policy setting requires a particular Client Side Extension and that extension is not available, the setting will not be applied to that computer or user. Group Policy itself is divided primarily into two halves, User Configuration and Computer Configuration. Computer Configuration is applied when the computer starts up, while User Configuration is applied when the user logs into the computer.
