Group Policy Facts
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of settings that includes registry settings, scripts, templates, and software-specific configuration values.
- Computers that are not part of a domain use the Local Security Policy settings to control security settings and other restrictions on the computer.
- Computers that are part of a domain use both the Local Security Policy and Group Policy.
- Group policy settings take precedence over user profile settings. Group policy settings in Active Directory take precedence over settings in the local security policy.
Settings in a Group Policy object are divided into two categories:
|Computer Configuration||Computer policies (also called machine policies) are enforced for the entire computer. Computer policies include:
Computer policies are initially applied as the computer boots, and are enforced before any user logs on.
|User Configuration||User policiesare enforced for specific users. User policy settings include:
User policies are initially applied as the user logs on, and often customize Windows based on user preferences.
GPOs contain hundreds of configuration settings that can be configured. The following table describes common settings you should be familiar with.
|Account Policies||Use Account Policies to control the following:
|Local Policies/Audit Policy||Use Audit Policy settings to configure auditing for event classes (such as logon, account management, or privilege use).|
|Local Policies/User Rights Assignment||User rights determine what actions a user can perform on a computer or domain. User rights settings identify users or groups with the corresponding privilege. Examples of user rights include:
|Local Policies/Security Options||Unlike user rights, security options are either enabled or disabled for everyone. Examples of Security Options policies include:
|Registry||Use Registry policies to configure specific registry keys and values and configure permissions on the registry settings. For example, you can configure permissions that allow specific users to read the registry value, set (change) the value, list subkeys, or modify key permissions.|
|File System||Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.|
|Software Restriction Policies||Use Software Restriction Policies to control which software can run on domain computers. You can use software restrictions to:
|Administrative Templates||Administrative Templates are registry-based settings that you can configure within a Group Policy object. Instead of editing the registry or making configuration changes in the Control Panel on individual computers, you can use settings in Administrative Templates to control the computer and user experience. For example, you can: