1. Components of Group Policy
Group Policy consists of the following configurable
components:
Security Settings Configures
security for users, computers, and domains
Scripts Specifies scripts for
computer startup and shutdown, as well as for user logon and
logoff events
Preference Items Configures
unenforced settings for users and computers
Folder Redirection Places
special folders such as Documents or specified application folders
on the network
Software Settings Assigns
applications to users
2. Group Policy Objects
A collection of policy settings is called a Group Policy object
(GPO). A GPO contains policies that affect computers and
policies that affect users. Computer-related policies include computer
security settings, application settings, and computer startup and
shutdown scripts. User-related policies define application settings,
folder redirection, assigned and published applications, user logon
and logoff scripts, and user security settings. In cases of
conflicting policies, the convention is that computer-related settings
override user-related settings.
In a GPO, most settings have three possible states: enabled,
disabled, and not configured. Group policies are inherited and
cumulative. When you associate a GPO with an Active Directory
container, the Group Policy is applied to all computer and user
accounts in the container.
Group Policy is an abstraction consisting of two parts, a
Group Policy Container (GPC) and a Group Policy Template (GPT). Both parts are contained in a Group Policy
object (GPO). The GPO is what we work with directly. The GPO
contains all the settings that can apply to users and computers.
When those settings are changed, the changes are made to the GPO.
The two components of the GPO exist in different places.
The GPC is the Active Directory component of the GPO and
includes subcontainers with version information, status information,
and a list of which Group Policy extensions are employed in the GPO.
It also contains some information used by clients, such as the
software installation policy.
The GPT is a set of files in the SYSVOL folder on the
server. When you create a GPO, the corresponding GPT folder structure is created
automatically. The actual name of the folder for the GPT is the
globally unique identifier (GUID) for the GPO—a
number that is useful to the computer but is otherwise
incomprehensible. To see the policy folder, look in
%SystemRoot%\SYSVOL\sysvol\domain_name\policies. But do
not change this folder in any way. Work on Group Policy through the Group Policy Management
Console (GPMC).
3. Managing Group Policies
The Group Policy Management Console (GPMC) provides a
comprehensive overview of Group Policy in a single console. All Group
Policy management tasks can be performed in the GPMC except
configuring individual policies in GPOs.
When you want to configure individual policies, the GPMC will
launch the Group Policy Object Editor with the policy loaded.
To see the group policies specifically defined for Windows SBS,
select Administrative Tools from the Start menu and then select Group
Policy Management. Expand Forest and then Domains until you get to
MyBusiness as shown in Figure 1.
To view or modify an existing GPO, right-click the GPO and
select Edit as shown in Figure 2.
This action opens the Group Policy Management Editor (shown in
Figure 3), wherein you can expand
various items in the console to view existing settings.
