What is Group Policy, and what is a GPO (Group Policy Object)?
Group Policy is a feature of Windows that enables centralized configuration and management of operating systems, computer settings and user settings. Each policy, or Group Policy object (GPO), defines a set of Group Policy settings.
You have literally thousands of settings available when creating GPOs. For example, you can:
- Specify the home page that users see when they open their browser.
- Prevent users from installing unapproved software or accessing the command prompt.
- Enforce password length and complexity requirements to reduce the risk of account compromise.
- Prevent the use of removable media to minimize the risk of data theft and malware infections.
- Keep users from creating PST files, which are a headache for backup, compliance and e-discovery.
- Run specific scripts at system startup and shutdown, for example, to start an application users need each day or clean up unnecessary data at the end of the day.
In fact, you can apply as many as 999 GPOs to a user account or computer account.
Benefits of Group Policy
The examples in the preceding section begin to illustrate the enormous benefits Group Policy can deliver — from improved user productivity and security to reduced IT workload. Here are just a few more of the ways that using Group Policy can benefit your organization:
- You can ensure the availability of all of a user’s files and folders, along with their custom settings (such as taskbar positioning, wallpaper selection and desktop icons) across all the computers they use.
- You can strengthen security by requiring the use of strong network and authentication protocols.
- You can improve employee productivity by installing and updating software during off hours.
Moreover, Group Policy enables quite granular control. For example, you can strategically limit the Control Panel settings that users can modify — for example, you can permit them to adjust the screen resolution to suit their needs but prevent them from changing the VPN settings.
Active Directory Group Policy and Local Group Policy
This article primarily concerns Group Policy at the Active Directory level, which can apply across an organizational unit (OU) or an entire domain. However, there is another type of Group Policy, Local Group Policy. It offers many of the same options as AD Group Policy, but the settings affect only the local Windows workstation. You can create multiple local policies; for example, you can assign a different group of settings to each of the business users who might log on to the machine, and yet another group of settings to machine administrators.
Local GPOs are separate from Active Directory GPOs, and are best used when Active Directory isn’t available, such as on machines that aren’t connected to a domain. The Local Computer Policy Editor is used to edit the Local Group Policy on a computer. To open it, simply click the Start button and run the command GPEDIT.MSC.
How does a GPO work?
Each GPO has two parts:
- The Computer node contains policy settings that are applied only to computers, no matter who is logged on at a given moment. Examples include startup scripts, shutdown scripts, and settings that control how the local firewall should be configured.
- The User node contains policy settings that are applied only for users; they follow the user to every machine they use. Examples include logon scripts, logoff scripts and availability of Control Panel options.
The first level under both the User and the Computer nodes contains Software Settings, Windows Settings and Administrative Templates. However, within those divisions, there are differences. For instance, the Administrative Templates section of the Computer node includes Printers but that section of the User node does not; its options include Shared Folders, Desktop, Start Menu and Taskbar.
Active Directory GPOs are stored on domain controllers (DCs).
Managing Group Policy with GPMC
Administrators can manage any GPO in Active Directory using the Group Policy Management Console (GPMC). It includes the Microsoft Management Console (MMC) snap-in, which provides a set of programmable interfaces for managing Group Policy and a scripting interface.
Creating and Linking GPOs
Creating a Group Policy object merely makes it available to be used in the Active Directory domain where it was created. For a GPO to take effect, you need to link it to one or more containers, such as the following:
- Site — If a GPO is linked at the site level, its settings affect all user accounts and computer accounts in that site, no matter which domain or OU they are in.
- Domain — If a GPO is linked at the domain level, it affects all users and computers in the domain, across all OUs beneath it.
- Organizational unit — If a GPO is linked at the OU level, it affects all users or computers in that OU and all OUs beneath it (which are called child OUs or sub-OUs).
A given Group Policy object can be linked to multiple containers, even at different levels. And a given container can have more than one GPO linked to it; in that case, you can specify the order in which GPOs are applied.
Group Policy is applied in the following order: Local, site, domain, OU. This ordering is important because the settings of two GPOs might conflict; for example, a policy at the domain level might specify one setting, while a policy at the OU level specifies a different setting. The result is simple: Policy settings further down the food chain take precedence. In our example, the OU-level setting would trump the domain-level setting. This might seem counterintuitive at first, but just remember that the rule with Group Policy is “last writer wins.”
Group Policy Preferences
Group Policy Preferences (GPPrefs) are a set of client-side extensions that expand Group Policy’s reach and capabilities. They are not policies; they are advanced settings that admins can configure in the GPMC.
Using Group Policy Preferences, you can deploy desired configurations to computers and users without preventing a user from opting for a different configuration. For example, you can:
- Set an environment variable that enables users to access certain files without having to enter the full path each time.
- Copy files from a server to a user’s machine.
- Delete the contents of a particular folder each day.
- Send certain registry settings to all client machines.
- Create or delete shares on workstations or servers.
- Create shortcuts on desktops.
- Map network drives.
- Change file associations.
- Configure VPN and dial-up connections.
- Modify power options, such as how long until the monitor goes into standby mode.
- Manage shared printers.
- Set scheduled tasks.
- Make changes to the Start menu.
How Netwrix can help
Group Policy is powerful and complex, with well over a thousand settings to choose from. As a result, managing Group Policy manually is a formidable task.
But getting Group Policy right is essential, since and one errant GPO setting can put security, compliance and business continuity at risk. In fact, Group Policy is one of the most common targets of malicious actors; altering local GPOs on one computer can enable lateral movement across the network, and changing Active Directory GPOs can disable domain-wide security controls.
Netwrix offers solutions that can help, including the following:
- Netwrix PolicyPak simplifies Group Policy management and helps eliminate GPO sprawl by cleaning up and consolidating GPOs. By reducing the number of managed objects, your organization will achieve faster login, higher security, better uptime, and fewer misconfigurations.
- Netwrix Auditor empowers you to promptly spot unwanted changes to Group Policy objects so you can remediate them before you suffer a breach or other issues. Its predefined reports go far beyond native tools, providing full details about every change, including which GPO was affected, who made the change, when it was made, which workstation it originated from, and the before and after values.
FAQ
What is Group Policy in Active Directory?
Group Policy is a feature of Windows that enables centralized management of computers and user accounts. Active Directory Group Policy enables management of the entire environment, while Local Group Policy enables granular management of the various users on a particular machine.
What is Windows Group Policy?
Windows Group Policy is a term sometimes used to refer to local Group Policy — a set of policies that apply on only one particular computer.
Why do we need Group Policy?
Group Policy provides a simple method for configuring user and computer settings on domain-joined computers, without having to physically visit and configure every computer one by one.
How many GPOs are there in Active Directory?
You can create as many Group Policy objects (GPOs) as required by your organization. The following GPOs are created automatically when an AD domain is created: Default Domain Policy and Default Domain Controllers Policy.
How do I control automatic updates in Group Policy?
You can enable automatic Group Policy updates using the Group Policy Editor. Expand Computer Configuration è Administrative Templates => Windows Components, and then click Windows Update. In the Configure Automatic Updates window, tick the Enabled checkbox, and choose your preferred option for downloading and installing updates. These options are described in detail in the Help section to the right.