Local Policy and Group Policy

Group Policy

In an Active Directory environment, policy settings are more easily applied using Group Policy. Group Policy is a more effective tool because it allows you to centralize the application of policy. Group Policies can be applied at three different levels in Active Directory: site, domain, and organizational unit (OU). Group policies allow you to configure all kinds of settings relating to the user and computer environment, such as removing the Run command or forcing certain wallpaper. They also include the security settings we discussed in Local Policy. The setting areas will be examined in more depth in the Server portion of the series.

Although we haven’t yet really discussed Active Directory in the series, a brief overview will suffice for now. A site is a physical location in Active Directory. Any policies applied to a site will apply to all users in that site, regardless of the domain or OU they are a part of. A domain is still very similar to what you remember from NT 4. Any policy applied to a domain will affect all users and computers in the domain. Finally, an Organizational Unit, or OU, is a smaller container within a domain that represents a breakdown for the purpose of administration or organization of objects (such as users and computers). Any group policy applied to an OU will affect users in that OU, as well as any sub-OUs (since OUs can be nested).

Since Group Policy can be set at different levels, it is possible that settings at one level (like site) could conflict with settings at another (like OU). As such, it is important to understand the order in which group policy gets processed.

The order is: Local Policy – Site – Domain – OU

What that means is very important, and you must understand it. Imagine you are a member of an OU called Sales in a site called Tallinn. All group policy settings merge together. That is, if a Tallinn site-level policy says you get green wallpaper, and a Sales OU-level policy removes the Run command, you will end up with green wallpaper and no Run command. However, if there is a conflict, the settings applied later will take precedence. Imagine the Tallinn site policy removed the Run command, and the Sales OU policy enabled it – you would end up having the Run command, since OU policy is applied after the site policy. Note that logging off and back on isn’t necessary in order to obtain the vast majority of group policy settings in Windows 2000. Group policy settings are automatically updated on the client system every 90 minutes by default (with a 30-minute offset). There is much more to Group Policy than just what has been discussed here – a more detailed look at group policy will follow in the Server portion of the series.
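The merge-and-override behaviour described above can be modelled in a few lines of Python. This is an added example, not part of the original article. It computes the effective value of each setting, records which level supplied it, and lists every setting that a later level overrode, which is the information you need when auditing why a hardening setting did not take effect. The setting names, the domain name example.local and the local workstation policy are constructed for illustration, and nested OUs are assumed to be listed parent first so that the child OU is applied last.

```python
# Processing order from the article: Local Policy - Site - Domain - OU.
# Levels later in this list are applied later and win conflicts.
LEVEL_ORDER = ["local", "site", "domain", "ou"]


def resultant_policy(applied):
    """Merge policies in processing order.

    applied: list of (level, source_name, settings_dict) in any order,
             except that OU entries must appear parent first, child last.
    Returns (effective, overridden):
      effective  maps setting -> (value, level, source) that won
      overridden lists (setting, losing_entry, winning_entry) conflicts
    """
    # sorted() is stable, so parent-before-child order among OUs is kept.
    ordered = sorted(applied, key=lambda p: LEVEL_ORDER.index(p[0]))
    effective, overridden = {}, []
    for level, source, settings in ordered:
        for name, value in settings.items():
            prev = effective.get(name)
            if prev is not None and prev[0] != value:
                # A later level disagrees with an earlier one: record it.
                overridden.append((name, prev, (value, level, source)))
            effective[name] = (value, level, source)
    return effective, overridden


# Constructed sample: the article's Tallinn site / Sales OU scenario,
# plus hypothetical local and domain policies to show merging.
SAMPLE = [
    ("ou", "Sales", {"RemoveRunCommand": False}),
    ("site", "Tallinn", {"RemoveRunCommand": True, "Wallpaper": "green"}),
    ("local", "workstation", {"Wallpaper": "default"}),
    ("domain", "example.local", {"MinPasswordLength": 8}),
]

if __name__ == "__main__":
    effective, overridden = resultant_policy(SAMPLE)
    for name, (value, level, source) in sorted(effective.items()):
        print(f"{name} = {value!r}  (from {level}: {source})")
    for name, lost, won in overridden:
        print(f"conflict on {name}: {lost[1]}:{lost[2]} lost to {won[1]}:{won[2]}")
```

The model covers only the ordering and conflict rule stated above; it does not attempt any Group Policy behaviour the article has not yet introduced.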

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.