GPO management
Group Policy Objects (GPOs) facilitate the uniform administration of large numbers of users and computers. GPOs can be local or domain-based.
Local GPOs come in several varieties, applied in the following order (the last applied takes highest precedence):
- Local Group Policy, applied to computers
- Administrators and Non-Administrators Local Group Policy, applied to users based on their membership in the local Administrators group
- User-specific Local Group Policy
Domain-based GPOs consist of two components: a [container][Group Policy container] and a [template][Group Policy template]. These are stored in different locations and replicated by different means.
- Containers define the fundamental attributes of a GPO, each of which is assigned a GUID. They are stored in the AD DS database and replicated to other domain controllers according to the intrasite or intersite AD DS replication schedule.
- Templates, a collection of files and folders that define the actual GPO settings, are stored in the SYSVOL shared folder (%SystemRoot%\SYSVOL\Domain\Policies\{GUID}) on all DCs. SYSVOL replication has been handled by the DFS Replication Agent since Windows Server 2008.
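Because the container (AD DS) and the template (SYSVOL) are replicated independently, they can drift apart: a GPO whose SYSVOL folder is missing, or whose version numbers disagree between the two stores, will not apply as intended and is a common symptom of replication problems or of someone editing files in SYSVOL directly. The following PowerShell is an added example, not part of the original notes; it assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to the SYSVOL share, and reports GPOs whose two halves are out of sync.

```powershell
# Added example (not from the original notes): compare each domain GPO's
# container (AD DS) with its template (SYSVOL). Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT) on a domain-joined administrative host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

$results = foreach ($gpo in Get-GPO -All -Domain $domain) {
    # Template path: \\<domain>\SYSVOL\<domain>\Policies\{GUID}
    $templatePath = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"

    [pscustomobject]@{
        Name           = $gpo.DisplayName
        Id             = $gpo.Id
        Status         = $gpo.GpoStatus
        TemplateExists = Test-Path -LiteralPath $templatePath
        # DSVersion comes from the container in AD DS, SysvolVersion from
        # GPT.INI in the template; a mismatch means replication lag or an
        # inconsistent (possibly tampered) GPO.
        ComputerInSync = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
        UserInSync     = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
    }
}

# Show only GPOs that need attention; an empty table means container and
# template agree for every GPO in the domain.
$results |
    Where-Object { -not $_.TemplateExists -or -not $_.ComputerInSync -or -not $_.UserInSync } |
    Format-Table -AutoSize
```

Run it against each domain controller (add `-Server` to `Get-ADDomain` and point the UNC path at that DC) to tell a domain-wide inconsistency apart from a single DC that has not yet replicated.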
A GPO consists of 2 top-level nodes:
- Computer Configuration contains settings that are applied to computer objects to which the GPO is linked
- User Configuration contains user-related settings, applied when a user signs in and automatically refreshed thereafter every 90-120 minutes
Beneath each of these nodes are folders that group settings:
- Software Settings
- Windows Settings allows basic configuration for computers or users
- Administrative Templates contains Registry settings that control user, computer, and app behavior and settings, grouped logically into folders
Although domain controllers store and serve GPOs, the client computer itself must request and apply the GPOs using the Group Policy Client service. Client-side extensions process the GPOs once they are downloaded.
Starter GPOs are intended for use in large organizations with a proliferation of GPOs that share settings. Starter GPOs can be imported from, and exported to, a .CAB file.
Once a GPO is created it must be linked to a container object in AD DS for it to apply to objects, a process known as scoping. GPOs can be linked to Sites, Domains, and OUs. If multiple GPOs are linked to the same container, the link order must be configured.
There are 2 default GPOs in an AD DS domain, which can be reset using arguments to the dcgpofix command.
- Default Domain Policy, linked to the domain object
- Default Domain Controllers Policy, linked to the Domain Controllers OU
Although it is possible to link the same GPO to multiple containers, it is recommended to import (i.e. copy) a GPO from another domain. This process effectively restores the settings of another GPO into a newly created GPO, which is then linked to another container.
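The scoping, link-order and import steps above, carried out with the GroupPolicy module. This is an added example, not part of the original notes; the OU distinguished names and GPO display names are hypothetical placeholders, and the `Set-GPLink` call assumes the named GPO is already linked to the OU. Note that link order 1 is processed last and therefore wins when settings conflict.

```powershell
# Added example (not from the original notes). Hypothetical placeholders:
# the OUs under DC=corp,DC=example and the GPO display names.
Import-Module GroupPolicy

$wsOu = "OU=Workstations,DC=corp,DC=example"

# Scoping: a newly created GPO applies to nothing until it is linked to a
# site, domain, or OU.
$gpo = New-GPO -Name "WS-Baseline-Security" -Comment "Baseline hardening for workstations"
New-GPLink -Name $gpo.DisplayName -Target $wsOu -LinkEnabled Yes -Order 1 | Out-Null

# Link order on a container: order 1 is applied last, so it has the highest
# precedence. Push an already-linked legacy GPO below the baseline.
Set-GPLink -Name "WS-Legacy-Settings" -Target $wsOu -Order 2 | Out-Null

# Review the resulting link order (and any inherited links) on the OU.
(Get-GPInheritance -Target $wsOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Copy rather than multi-link: back up the source GPO, import its settings into
# a fresh GPO, and link that GPO to the other container.
$backupDir = Join-Path $env:TEMP "gpo-backup"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name "WS-Baseline-Security" -Path $backupDir | Out-Null
Import-GPO -BackupGpoName "WS-Baseline-Security" `
           -TargetName "Servers-Baseline-Security" `
           -Path $backupDir -CreateIfNeeded | Out-Null
New-GPLink -Name "Servers-Baseline-Security" `
           -Target "OU=Servers,DC=corp,DC=example" -LinkEnabled Yes | Out-Null
```

Keeping the two copies as separate GPOs means a later edit to the workstation baseline cannot silently change what servers receive, which is the main reason the notes prefer import over linking one GPO in several places.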