
Group Policy

Purpose

Group Policy enables policy-based administration that uses Microsoft Active Directory.
Group Policy uses directory services and security group membership to provide
flexibility and support extensive configuration information. Policy settings are
specified by an administrator, unlike profile settings, which are often specified by a
user. Policy settings are created using the Microsoft Management Console (MMC)
snap-in for Group Policy.

Resultant Set of Policy (RSoP) is an enhanced Group Policy infrastructure that uses
Windows Management Instrumentation (WMI) to allow administrators to easily
determine the policy settings that apply to, or will apply to, a user or computer.

Where Applicable

All Windows-based applications can use the Group Policy infrastructure to configure
their policy settings.

About Group Policy

Centralized policy-based administration enables an administrator to control the
following settings:

• Registry-based policy settings.

Specify registry-based settings using the Administrative Templates node of the
Group Policy Object Editor.

• Security settings.

Define security settings for the local computer, domain, and network.

• Software installation.

Deploy applications as either assigned (you mandate the installation) or
published (you provide applications that users can choose to install). Update
or remove applications.

• Scripts.

Specify scripts to run at computer startup and operating system shutdown,
and when a user logs on or logs off.

• Remote Installation Services.

Control the behavior of the remote installation feature, as displayed to client
computers.

• Internet Explorer maintenance.

Manage and customize Microsoft Internet Explorer on computers running
Microsoft Windows 2000 and later, and export settings for clients running
Windows 95/98/Me or Microsoft Windows NT 4.0.

• Folder redirection.

Redirect Shell special folders to the network.

The administrator can apply these settings to groups of computers or users using the
infrastructure provided by the Microsoft Active Directory. The administrator can
manage these settings from a single location, without physically touching the
computers in the organization.

Application developers should adhere to system-level policy settings. In addition,
they can provide policy settings that are specific to their applications.

Group Policy Objects

A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a
unique name, such as a GUID.

Group Policy settings are contained in GPOs. A GPO can represent policy settings in
the file system and in the Active Directory. Settings within GPOs are evaluated by
clients using the hierarchical nature of the Active Directory.

The structure of a GPO can be represented as shown in the following illustration.

To create Group Policy, administrators can use the Group Policy Object Editor, which
can be a stand-alone tool. However, it is recommended that you use the Group Policy
Object Editor as an extension to an Active Directory-related MMC snap-in because
this will allow you to browse the Active Directory for the correct Active Directory
container and define Group Policy based on the selected scope of management
(SOM). Examples of Active Directory-related snap-ins include the Active Directory
Users and Computers snap-in and the Active Directory Sites and Services snap-in.

Note that policy settings are divided into policy settings that affect a computer and
policy settings that affect a user. Computer-related policies specify system behavior,
application settings, security settings, assigned applications, and computer startup
and shutdown scripts. User-related policies specify system behavior, application
settings, security settings, assigned and published applications, user logon and logoff
scripts, and folder redirection. The convention is that computer-related settings
override user-related settings.

Storage of Group Policy objects

Each computer that runs Windows XP Professional, Windows XP 64-bit Edition
(Itanium), or the Windows Server 2003 operating systems has exactly one local
Group Policy object (GPO). It is stored in systemroot\System32\GroupPolicy.

Group Policy objects, other than the local Group Policy object, are virtual objects. The
policy setting information of a GPO is actually stored in two locations: the Group
Policy container and the Group Policy template. The Group Policy container is an
Active Directory container that stores GPO properties, including information on
version, GPO status, and a list of components that have settings in the GPO. The
Group Policy template is a folder structure within the file system that stores
Administrative Template-based policies, security settings, script files, and information
regarding applications that are available for Group Policy Software Installation. The
Group Policy template is located in the system volume folder (Sysvol) in the \Policies
subfolder for its domain.

Group Policy container

The Group Policy container is a directory service object. It includes subcontainers for
computer and user Group Policy information. The Group Policy container contains the
following data:
• Version information--Used to verify that the information is synchronized with
Group Policy template information.

• Status information--Indicates whether the Group Policy object is enabled or
disabled for this site, domain, or organizational unit.

• List of components--Specifies which extensions to Group Policy have settings in
the Group Policy object.

The Group Policy container stores information for Group Policy Software Installation
and for Folder Redirection, which are extensions of the Group Policy Object Editor.
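
The version check described above can be run offline once both halves of each GPO have been collected. The following is an added example, not code from the original page: it assumes the container's version is read from its `versionNumber` attribute and the template's from a `gpt.ini` file in the template root (neither name appears on this page), and all sample values are constructed.

```python
import configparser

def split_version(number):
    """The user version sits in the high 16 bits, the computer version in the low 16."""
    return {"user": number >> 16, "computer": number & 0xFFFF}

def template_version(gpt_ini_text):
    """Read Version from the [General] section of a template's gpt.ini."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")

def check_sync(container_versions, template_inis):
    """Map each GPO GUID to 'in sync', a missing-half note, or the halves that differ."""
    report = {}
    for guid in sorted(set(container_versions) | set(template_inis)):
        if guid not in template_inis:
            report[guid] = "template missing"
        elif guid not in container_versions:
            report[guid] = "container missing"
        else:
            gpc = split_version(container_versions[guid])
            gpt = split_version(template_version(template_inis[guid]))
            stale = [half for half in ("user", "computer") if gpc[half] != gpt[half]]
            report[guid] = "in sync" if not stale else "mismatch: " + ", ".join(stale)
    return report

# Constructed sample data: container versions as read from the directory and
# gpt.ini contents as read from Sysvol. Only the first GUID appears on this page.
SAMPLE_CONTAINERS = {
    "{34975054-fd77-df75-54fe-074936850457}": 0x00020005,
    "{00000000-0000-0000-0000-0000000000a1}": 0x00010003,
    "{00000000-0000-0000-0000-0000000000a2}": 0x00000001,
}
SAMPLE_TEMPLATES = {
    "{34975054-fd77-df75-54fe-074936850457}": "[General]\nVersion=131077\n",
    "{00000000-0000-0000-0000-0000000000a1}": "[General]\nVersion=65538\n",
}

if __name__ == "__main__":
    for guid, status in check_sync(SAMPLE_CONTAINERS, SAMPLE_TEMPLATES).items():
        print(guid, status)
```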

Group Policy template

The Group Policy template is a folder on the domain controllers of the domain in
which the Group Policy object is stored. A typical Group Policy template folder might
look like the following example:

systemroot\Sysvol\SYSVOL\Streetmarket.com\Policies\{34975054-fd77-df75-54fe-074936850457}

Subfolders of the Group Policy template

The Group Policy template folder contains subfolders, including, but not limited to,
the following:

• Adm--Contains all the .adm files for this Group Policy template.

• Scripts--Contains all the scripts and related files for this Group Policy template.

• User--Includes a Registry.pol file that contains the registry settings that are to be
applied to users. When a user logs on to a computer, this Registry.pol file is
downloaded and applied to the HKEY_CURRENT_USER portion of the registry. The
User folder contains an Applications subfolder.

• User\Applications--Contains the application advertisement script files (.aas) that
are used by the operating system-based installation service. These files are
applied to users.

• Machine--Includes a Registry.pol file that contains the registry settings that are to
be applied to computers. When a computer initializes, this Registry.pol file is
downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry.
The Machine folder contains an Applications subfolder.

• Machine\Applications--Contains the .aas files that are used by the operating
system-based installation service. These files are applied to computers.
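
The Registry.pol files in the User and Machine folders are binary, so reviewing what a GPO actually writes to the registry means decoding them. The parser below is an added example, not code from the original page: it assumes the documented Registry.pol layout (a `PReg` signature, a version DWORD, then UTF-16LE `[key;value;type;size;data]` records), which this page does not describe, and the key, value names and server name in `sample_pol` are constructed.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}

def u16(text):
    return text.encode("utf-16-le")

def parse_registry_pol(blob):
    """Parse "PReg" + version 1 + [key;value;type;size;data] records into tuples."""
    if len(blob) < 8 or blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, settings = 8, []
    def take(count):  # bounds-checked read that advances the cursor
        nonlocal pos
        if pos + count > len(blob):
            raise ValueError(f"record truncated at offset {pos}")
        pos += count
        return blob[pos - count:pos]
    def expect(char):  # delimiters are single UTF-16LE characters
        if take(2) != u16(char):
            raise ValueError(f"expected {char!r} before offset {pos}")
    def cstring():  # NUL-terminated string followed by ';'
        units = []
        while (unit := take(2)) != b"\x00\x00":
            units.append(unit)
        expect(";")
        return b"".join(units).decode("utf-16-le")
    def dword():  # little-endian DWORD followed by ';'
        number = struct.unpack("<I", take(4))[0]
        expect(";")
        return number
    while pos < len(blob):
        expect("[")
        key, value, rtype, size = cstring(), cstring(), dword(), dword()
        data = take(size)
        expect("]")
        if rtype == 4 and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype in (1, 2):
            data = data.decode("utf-16-le").rstrip("\x00")
        settings.append((key, value, REG_TYPES.get(rtype, str(rtype)), data))
    return settings

def sample_pol():  # constructed sample bytes, not taken from a real GPO
    def record(value, rtype, data):
        return (u16(f"[Software\\Policies\\ExampleApp\0;{value}\0;") + struct.pack("<I", rtype)
                + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return (b"PReg" + struct.pack("<I", 1) + record("Enabled", 4, struct.pack("<I", 1))
            + record("Server", 1, u16("files.example.test\0")))
```

Calling `parse_registry_pol(sample_pol())` returns one tuple per setting; a file that ends mid-record or lacks the signature raises `ValueError` instead of yielding partial results.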
