Network Administration: Windows Group Policy Basics

Group policy refers to a feature of Windows operating systems that lets you control how certain aspects of Windows and other Microsoft software work throughout your network. Many features that you might expect to find in a management console such as Active Directory Users and Computers are controlled instead by group policy.

Group policy consists of a collection of group policy objects (also called GPOs) that define individual policies. These policy objects are selectively applied to both users and computers. Each policy object specifies how some aspect of Windows or some other Microsoft software should be configured.

For example, a group policy object might specify the home page that’s initially displayed when any user launches Internet Explorer. Then, when a user logs on to the domain, that policy object is retrieved and applied to the user’s Internet Explorer configuration.

Group policy objects can apply to either computers or users. A policy that applies to a computer will be enforced for any user of the computer. And a policy that applies to a user will be enforced for that user no matter what computer he or she logs on to. As a network administrator, you’ll be mostly concerned with policies that apply to users. But computer policies are useful from time to time as well.

The trick to creating group policy objects is finding the particular setting you want to employ. Trying to find a specific group policy among the thousands of available policies can be frustrating. For example, suppose you want to force all network users to change their passwords every 30 days.

You know there’s a group policy that controls the password expiration date. But where is it? You’ll find help with this aspect of working with group policy in the section titled “Creating Group Policy Objects,” later in this chapter.

After you’ve created a group policy object, you then are faced with the task of linking it to the users or computers you want it to apply to. Creating a policy that applies to all users or computers is simple enough.

But things get more complicated if you want to be more selective: for example, if you want the policy to apply only to users in a particular organizational unit (OU) or to users who belong to a particular group.
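
The selective case described above, as an added example (not code from the original chapter): it creates a GPO, links it to one OU, and narrows it to one group with security filtering, using the GroupPolicy PowerShell module. The domain example.com, the Sales OU, the Sales-Users group, and the GPO name are constructed placeholders.

```powershell
# Requires the GroupPolicy module (installed with the Group Policy Management tools).
Import-Module GroupPolicy

# Constructed values for illustration; replace them with your own.
$GpoName = 'Sales - User Settings'
$OuDn    = 'OU=Sales,DC=example,DC=com'
$Group   = 'Sales-Users'

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Scoped to the Sales OU and the Sales-Users group'
}

# Link the GPO to the OU unless a link is already present.
# A link at the OU limits the policy to users and computers under that OU.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# Security filtering: a new GPO applies to Authenticated Users by default.
# Lower that entry to read-only (clients still need read access to process
# the GPO) and grant "apply" to the one group that should receive it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the result: the links on the OU and who can read or apply the GPO.
Get-GPInheritance -Target $OuDn |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order

Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the next policy refresh, running gpresult /r on a client as a member of the group lists the GPO under the applied user policies; a user in the same OU who is not in the group should see it listed as filtered out.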