Group Policy Facts

A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). The GPO is a collection of settings that includes registry settings, scripts, templates, and software-specific configuration values.

  • Computers that are not part of a domain use the Local Security Policy settings to control security settings and other restrictions on the computer.
  • Computers that are part of a domain use both the Local Security Policy and Group Policy.
  • Group Policy settings take precedence over user profile settings. Group Policy settings in Active Directory take precedence over settings in the Local Security Policy.

Settings in a Group Policy object are divided into two categories:

GPO Category: Description

Computer Configuration: Computer policies (also called machine policies) are enforced for the entire computer. Computer policies include:
  • Software that should be installed on a specific computer
  • Scripts that should run at startup or shutdown
  • Password restrictions that must be met for all user accounts
  • Network communication security settings
  • Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree)

Computer policies are initially applied as the computer boots, and are enforced before any user logs on.

User Configuration: User policies are enforced for specific users. User policy settings include:
  • Software that should be installed for a specific user
  • Scripts that should run at logon or logoff
  • Internet Explorer user settings (such as favorites and security settings)
  • Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree)

User policies are initially applied as the user logs on, and often customize Windows based on user preferences.

GPOs contain hundreds of configurable settings. The following table describes common settings you should be familiar with.

Setting Category: Description

Account Policies: Use Account Policies to control the following:
  • Password settings
  • Account lockout settings
  • Kerberos settings
Note: Account policies are only in effect when configured in a GPO linked to a domain.

Local Policies/Audit Policy: Use Audit Policy settings to configure auditing for event classes (such as logon, account management, or privilege use).

Local Policies/User Rights Assignment: User rights determine what actions a user can perform on a computer or domain. User rights settings identify users or groups with the corresponding privilege. Examples of user rights include:
  • Access this computer from the network (the ability to access resources on the computer through a network connection)
  • Allow log on locally (the ability to log on to the computer console)
  • Allow log on through Terminal Services (the ability to log on using a Remote Desktop connection)
  • Back up files and directories (does not include restoring files and directories)
  • Shut down the system
  • Remove a computer from a docking station

Local Policies/Security Options: Unlike user rights, security options are either enabled or disabled for everyone. Examples of Security Options policies include:
  • Computer shut down when Security event log reaches capacity
  • Unsigned driver installation
  • Ctrl+Alt+Del required for log on

Registry: Use Registry policies to configure specific registry keys and values and configure permissions on the registry settings. For example, you can configure permissions that allow specific users to read the registry value, set (change) the value, list subkeys, or modify key permissions.

File System: Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.

Software Restriction Policies: Use Software Restriction Policies to control which software can run on domain computers. You can use software restrictions to:
  • Identify allowed or blocked software.
  • Allow users to run only the files you specify on multi-user computers.
  • Determine who can add trusted publishers.
  • Apply restrictions to specific users or all users.

Administrative Templates: Administrative Templates are registry-based settings that you can configure within a Group Policy object. Instead of editing the registry or making configuration changes in the Control Panel on individual computers, you can use settings in Administrative Templates to control the computer and user experience. For example, you can:
  • Enable and configure Windows features such as BitLocker, Offline Files, or Parental Controls.
  • Customize the Start menu, taskbar, or desktop for all users or specific users. For example, you can force a specific desktop background, hide or show Start menu links or options, or control notifications.
  • Restrict access to Control Panel features.
  • Configure Internet Explorer features and options.
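
The User Rights Assignment entry above can be reviewed on a real machine by exporting the effective rights and checking which groups hold them. The following PowerShell is an added example, not part of the original notes: it parses the [Privilege Rights] section of a security template and reports the listed rights that are granted to very broad groups. The Se* constant names, the well-known SIDs, the function name and the sample export are not on the page; the sample is constructed for illustration.

```powershell
# Constructed sample in the format written by
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` (values are illustrative).
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
'@
# Template constants for the user rights listed in the table above.
$rightNames = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
    SeBackupPrivilege             = 'Back up files and directories'
    SeShutdownPrivilege           = 'Shut down the system'
    SeUndockPrivilege             = 'Remove a computer from a docking station'
}
# Well-known SIDs that cover very large sets of accounts.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Hypothetical helper: returns one object per right found in [Privilege Rights].
function Get-UserRightAssignment {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $holders = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            [pscustomobject]@{
                Right   = $right
                Policy  = if ($rightNames.ContainsKey($right)) { $rightNames[$right] } else { '(not in table)' }
                Holders = $holders
                Broad   = @($holders | Where-Object { $broadSids.ContainsKey($_) } | ForEach-Object { $broadSids[$_] })
            }
        }
    }
}
# Report only the rights that are held by a broad group.
Get-UserRightAssignment -InfText $sampleInf | Where-Object { $_.Broad.Count -gt 0 } |
    Format-Table Right, Policy, @{ n = 'BroadPrincipals'; e = { $_.Broad -join ', ' } } -AutoSize
```

To check a live system, export the rights with the secedit command shown in the first comment and pass the file contents to the function with `Get-Content -Raw`.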