Group Policy
The Group Policy Object ( GPO) in German GPO, is a term from the computer. Thus, the guidelines are in a Windows Active Directory domain set: one hand for single users to entire user groups ( organized into Organizational Units OUs), on the other hand also for computers and computer groups (also in OUs). To define a policy include: rights, properties in the system and management, installation of MSI packages, security settings, remote settings and profile properties.
Use
On Windows 2000 Server, Windows Server 2003 and Windows Server 2008 Group Policy can be created and configured via the console Active Directory Users and Computers. The Group Policy Management ( Group Policy Management Console, GPMC) is a snap-in that allows an expanded and improved configuration Group Policy, however, must first be installed locally on the computer (to be installed on Windows 2008 Server DCs). After that, they can be used as stand-alone snap -in, or accessible from Active Directory Users and Computers. However, the GPMC requires at least Windows XP or Windows Server 2003, Windows 2000, it is not executable. The domain can also be 2000 level to Windows. Apart from standard configurations can also create your own configuration options via Administrative Template, ie Files with the suffix *. Adm ( until Windows XP) or *. Admx be (since Windows Vista) used. An immediate update can be forced with the gpupdate.exe / force command.
Limitations of different policies
Group Policy can be linked to different objects:
- Site (Site )
- Domain ( domain)
- OU ( Organizational Unit, OU )
In addition, there are at each computer always a local policy. It should be noted that Group Policy does not act on groups, but only to computer and user accounts. The order of processing of Group Policy is Local, Site, Domain, OU. Any subsequent processing overwrites the values of the previously processed at competing policy settings. Thus, the settings are in the local policy the lowest priority because it is processed first, and the policy to the OU has the highest priority because it is processed last. The local administrator is not overwritten!
Sites
Sites are sites where a normalization must prevail. For example, perhaps a seat in Germany, Japan, Korea, etc. Now, to be tailored to the Japanese in Japan all a big company: Everything on Japanese sites, etc. By areas may be accrued and then the policies are set according to this field. A major reason for the establishment of a location is also the control of the replication traffic.
Domain / domain controller
In the domain policy for the entire domain be set up on the domain controller. These have a separate policy, as must be taken for their other security settings. Therefore, the computer accounts to the domain controller by default reside in the Domain Controllers OU.
Local
In Local ( Local) it sets forth guidelines for a single computer. If a computer is not joined to a domain, the local policy is the only way to use guidelines.