
What is Group Policy (GP)?

Group Policy provides centralized management and configuration of operating
systems, applications, and users' settings in an Active Directory environment.

Group Policy is an infrastructure that allows you to implement specific
configurations for users and computers. Group Policy settings are contained in
Group Policy objects (GPOs), which are linked to the following Active Directory
service containers: sites, domains, or organizational units (OUs). The settings
within GPOs are then evaluated by the affected targets, using the hierarchical
nature of Active Directory. Consequently, Group Policy is one of the top reasons
to deploy Active Directory, because it allows you to manage user and computer
objects.
What are Group Policy Objects (GPOs)?

Group Policy settings are stored in Group Policy Objects. Group Policy Objects
are collections of settings that are defined under the User Configuration and
the Computer Configuration. A Group Policy object applies not only to users and
client machines, but also to member servers, domain controllers and any Windows
computer within the scope of management.
What can you do with Group Policy?

Manage registry-based policies using Administrative Templates

Redirect folders

Manage Applications

Specify Security Options

What are the kinds of Group Policy?

There are two kinds of Group Policy Objects: Local and Non-Local Policy Objects.

Local Policy: these are stored on individual computers. Only one such object
exists, and it has a subset of the settings that are available in Non-Local
Policy.

Non-Local Policy Objects: these are stored on a Domain Controller and are
applied from the Active Directory environment. They apply to the users and
computers in the site, domain or Organizational Unit to which the GPO is
linked.

Which Group Policy Objects exist by default?

By default, when Active Directory is set up, two Non-Local Policy Objects are
created:

Default Domain Policy is linked to the domain, and it affects all users and
computers in the domain (including computers that are domain controllers)
through policy inheritance. For more information

Default Domain Controllers Policy is linked to the Domain Controllers
organizational unit, and it generally only affects domain controllers, because
computer accounts for domain controllers are kept exclusively in the Domain
Controllers organizational unit.

What are User and Computer Policy?

User Policy settings are stored under User Configuration in Group Policy and
are obtained when a user logs on.

Computer Policy settings are stored under Computer Configuration in Group
Policy and are obtained when a computer starts.
What is the order of GP processing?

1. Local Policy: the unique local Group Policy object on a computer
2. Site Policy
3. Domain Policy
4. Organizational Unit (OU) Policy

Site, Domain and OU policies are applied in an administratively specified
order. This means Group Policy objects that are linked to the organizational
unit that is highest in the Active Directory hierarchy are processed first,
then Group Policy objects that are linked to its child organizational unit, and
so on. Finally, the Group Policy objects that are linked to the organizational
unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy,
one, many, or no Group Policy objects can be linked. If several Group Policy
objects are linked to an organizational unit, their processing is synchronous
and in an order that is specified by the administrator.

In this processing order sites are applied first but have the least
precedence. OUs are processed last and have the highest precedence.
What is Group Policy inheritance?

There are several Group Policy options that can alter this default inheritance
behaviour. These options include:

Link Order: the precedence order for GPOs linked to a given container. The GPO
link with Link Order of 1 has the highest precedence on that container.

Block Inheritance: the ability to prevent an OU or domain from inheriting GPOs
from any of its parent containers. Note that Enforced GPO links will always be
inherited.

Enforcement (previously known as No Override): the ability to specify that a
GPO should take precedence over any GPOs that are linked to child containers.
Enforcing a GPO link works by moving that GPO to the end of the processing
order.

Link Status: determines whether a given GPO link is processed or not for the
container to which it is linked.

1. Why should we use Group Policy?

For deploying software

To apply security settings

For controlling the user environment, user settings and per-computer settings

To manage the desktop environment (to standardize the environment)

To modify the registry

2. What is a Group Policy object?

The actual unit that we create, delete, manage and work with is called a Group
Policy object. Group Policy objects have two components:

Group Policy container

Group Policy template

3. What is a Group Policy container?

It is the container in Active Directory where the Group Policy can be applied
(i.e., an Organizational Unit, Domain or Site).

4. What is a Group Policy template?

When you create a Group Policy container, a template is automatically created on
the hard drive, in the SYSVOL folder of the Domain Controller; this is called the
Group Policy template.

5. Where is the Group Policy template stored?

The Group Policy template is stored in the SYSVOL folder.

6. How to create a Group Policy?

Start > Programs > Administrative Tools > Active Directory Users and Computers >
right-click on the container to which you want to apply Group Policy > select
Properties > click on the Group Policy tab > click on New.

7. What steps are there when creating a Group Policy?

There are two steps: creating the Group Policy, and linking it to the
container. Generally we create the Group Policy at the container itself, so when
you click on New it creates and links the GPO to that container in one go. If
you want to link an already created Group Policy object to a container, click on
Add and select the Group Policy.
8. What buttons are available on the Group Policy tab in the properties of a container?

New (creates a new GPO)

Add (links a GPO that has already been created to this container)

Edit (edits the existing GPO)

Delete (deletes the GPO)

Options (here you get the following check boxes): (i) No Override: prevents
other GPOs from overriding the policy set in this one; and (ii) Disabled: this
GPO is not applicable to this container

Properties

Note: When you are deleting a GPO it asks two things:

Remove the link from this list

Remove the link and delete the GPO permanently

9. What is the No Override option in a GPO?

Generally the policies set at one level will be overridden at another level, so
if you do not want this policy to be overridden at the sub-levels of this one,
you can set this option.

Ex: If you set No Override at Domain level then that GPO will be applied
throughout the Domain, even though you have the same policy set differently at
OU level.

10. What is Block Inheritance of a GPO and where is it?

The Block Inheritance GPO option blocks the group policies inherited from the
top level, and gives effect to the present GPO.

Right-click on the container > click on Group Policy > go to Properties > at
the bottom of the General tab you will find the Block Inheritance check box.

Ex: If you select Block Inheritance at OU level then no policy from the Domain
level, Site level or local policy will be applied to this OU.

11. You have set the No Override option at Domain level and Block Inheritance at
OU level. Which policy will take effect?

If you have set both then No Override wins over Block Inheritance. So No
Override will take effect.
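The processing order and inheritance options described above, and the No Override versus Block Inheritance question just answered, can be checked with a small model. The following Python is an added example, not code from this page or from Windows: GPO names and settings are constructed, and it assumes the local GPO is always processed first at the lowest precedence and that an Enforced link from a parent container beats an Enforced link from a child.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict          # setting name -> value carried by this GPO
    enforced: bool = False  # Enforced (formerly No Override) on the link
    enabled: bool = True    # Link Status: a disabled link is skipped

@dataclass
class Container:
    name: str                                  # "Site", "Domain", "OU=Sales"
    links: list = field(default_factory=list)  # index 0 is Link Order 1
    block_inheritance: bool = False

def processing_order(local, chain):
    """GPOs in the order they are applied (later wins). `chain` runs from the
    site down to the OU containing the user or computer (LSDOU); the local
    GPO is assumed to be processed first, at the lowest precedence."""
    normal, enforced_per_level = [local], []
    for c in chain:
        if c.block_inheritance:
            normal = [local]  # drop non-enforced links inherited from parents
        links = [g for g in c.links if g.enabled]
        # reversed(): Link Order 1 is applied last, so it wins in its container
        normal += [g for g in reversed(links) if not g.enforced]
        enforced_per_level.append([g for g in reversed(links) if g.enforced])
    # enforced links move to the end; a parent's enforced link beats a child's
    enforced = [g for level in reversed(enforced_per_level) for g in level]
    return normal + enforced

def effective_settings(order):
    """Resolve conflicts: setting -> (value, name of the GPO that set it last)."""
    result = {}
    for g in order:
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

# Constructed scenario for Q9-Q11: an Enforced domain GPO versus a Sales OU
# that blocks inheritance and links two GPOs of its own (constructed values).
LOCAL = Gpo("Local", {"screensaver_timeout": 600})
DOMAIN_SEC = Gpo("Domain Security", {"screensaver_timeout": 300, "min_pw_len": 12})
SALES_A = Gpo("Sales A", {"screensaver_timeout": 900, "wallpaper": "sales"})
SALES_B = Gpo("Sales B", {"wallpaper": "corporate"})

def sales_user_settings(domain_enforced=True, ou_blocks=True):
    domain_link = Gpo(DOMAIN_SEC.name, DOMAIN_SEC.settings, enforced=domain_enforced)
    chain = [Container("Site"), Container("Domain", [domain_link]),
             Container("OU=Sales", [SALES_A, SALES_B], block_inheritance=ou_blocks)]
    return effective_settings(processing_order(LOCAL, chain))
```

With Block Inheritance on the OU and no enforcement on the domain link, the domain's password-length setting silently disappears from the OU's result, which is why an auditor looks for blocked inheritance on OUs that hold servers or privileged accounts.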
12. What options are available when you click on the Options button on the General
tab?

General

Disable computer configuration settings (the settings that are set under
Computer Configuration of this GPO will not take effect.)

Disable user configuration settings (the settings that are set under User
Configuration of this GPO will not take effect.)

Links (displays the containers which have links to this GPO)

Security (with the Security option you can set the level of permissions and
settings for individual users and groups. Ex: If you want to disable this GPO
for a particular user on this container, on the Security tab select that user
and select the Deny check box for Apply Group Policy. Then the GPO will not take
effect for that user even though he is in that container.)

13. What will you see in the Group Policy snap-in?

You will see two major portions, and under those you have sub-portions. They are:

Computer Configuration

    Software settings

        Software installation

    Windows settings

    Administrative templates

User Configuration

    Software settings

        Software installation

    Windows settings

    Administrative templates

Note: Administrative templates are for modifying the registry of Windows 2000 clients.
14. What is the hierarchy of Group Policy?

Local policy

Site Policy

Domain Policy

OU Policy

Sub-OU Policy (if any)

15. Who can create site-level Group Policy?

Enterprise Admin

16. Who can create Domain-level Group Policy?

Domain Admin

17. Who can create Organizational Unit-level Group Policy?

Domain Admin

18. Who can create Local Group Policy?

Local Administrator or Domain Administrator
19. What is the refresh interval for Group Policy?

The refresh interval for Domain Controllers is 5 minutes, and the refresh
interval for all other computers in the network is 45 minutes (this one is in
doubt).
20. Why do we need to manage and control desktop environment?

To decrease support time

Eliminate potential for problems

One standard environment to support

Eliminate distractions

To increase productivity

21. What is Group Policy loopback processing? How to set it?

Start > Programs > Administrative Tools > Active Directory Users and Computers >
right-click on the container > click on the Group Policy tab > click on Edit >
click on Computer Configuration > click on Administrative Templates > System >
Group Policy > click on User Group Policy loopback processing mode > click OK >
select Enabled.
22. What are the players involved in deploying software?

Group Policy: within GP we specify that this software application gets
installed on this particular computer or for this particular user.

Active Directory: the Group Policy will be applied somewhere in Active Directory.

Microsoft Installer service

Windows Installer packages: the type of package that can be used by Group Policy
to deploy applications is the .msi package, i.e., the Microsoft Installer package.

23. What package can be used to deploy software through Group Policy?

Windows Installer packages (.msi files)

24. What is the Microsoft Installer service?

The Microsoft Installer service runs on the client machines in the Windows 2000
domain. It installs the minimum amount of an application, and as you use more
functionality it installs the remaining part of the application. It is
responsible for installing software on the client. It is also responsible for
modifying, upgrading and applying service packs.
25. What are Local Security Policy, Domain Security Policy, and Domain Controller
Security Policy in the Administrative Tools?

Local Security Policy: this is the group policy applied to the local machine

Domain Security Policy: the Group Policy applied at domain level

Domain Controller Security Policy: the Group Policy applied at domain controller level.

26. What are the design considerations for Group Policy?

The following should be considered when designing group policies.

Minimize linking: because there is a chance of deleting the original GPO
without seeing who else is using it. Minimize linking for simplicity.

Minimum number of GPOs: Microsoft suggests that one GPO with 100 settings will
process faster than 100 GPOs each with one setting. This is for performance.

Delegate

Minimize filtering: to keep your environment simple, try to minimize filtering.

If you have more than one GPO on a container, whatever GPO is on top will be
applied first. If you want, you can move GPOs up and down.

If there is a conflict between two GPOs on the same container, the last applied
GPO will be effective, i.e., the bottom one will be effective.

Loopback processing of Group Policy, explained.

Hi guys,

Today I want to write a few words about loopback processing of Group Policy.
When you deal with this setting for the first time it may be a little bit
confusing. You can find explanations of this policy setting on the internet,
but in my case I will try to explain everything in simple words.

As we know, Group Policy has two main configurations, user and computer.
Accordingly, the computer configuration is applied to the computer regardless
of the logged-on user, and the user configuration is applied to the user
regardless of the computer he is logged on to.

For example, we have a Domain, and this Domain has two different organizational
units (OUs), Green and Red. The Green OU contains a computer account and the Red
OU contains a user account.

The Red policy, which has the settings Computer Configuration 1 and User
Configuration 1, is applied to the OU with the user account.

The Green policy, which has the settings Computer Configuration 2 and User
Configuration 2, is applied to the OU with the computer account.

If you have a look at the picture below it will become clearer.

If loopback processing of Group Policy is not enabled and our user logs on to
our computer, the following is true:

As we can see from the picture, the user gets Computer Configuration 2 and User
Configuration 1. This is an absolutely standard situation, where policies are
applied according to OU membership. The user belongs to the Red OU, so he gets
the Red User Configuration 1 accordingly.

Now let's enable loopback processing of Group Policy for the Green OU. In this
case, if the user logs on to the computer, the policies are applied in the
following way:

As we can see, now the user is getting User Configuration 2 despite the fact
that he belongs to the Red OU. So what has happened in this scenario is that
User Configuration 1 was replaced with User Configuration 2, i.e. with the
configuration applied to the computer account.

As you have probably noticed, the picture above says "Loopback in replace
mode". I have to mention that loopback processing of Group Policy has two
different modes, Replace and Merge. It is obvious that Replace mode replaces the
User Configuration with the one applied to the computer, whereas Merge mode
merges the two User Configurations.

In Merge mode, if there is a conflict, for example two policies provide
different values for the same configuration setting, the computer's policy has
more privilege. For example, in our scenario, in case of a conflict User
Configuration 2 would be enforced.

In a real working environment, loopback processing of Group Policy is usually
used on Terminal Servers. For example, you have users with folder redirection
settings enabled, but you do not want this folder redirection to work when the
users log on to the Terminal Server. In this case we enable loopback processing
of Group Policy in the policy linked to the Terminal Server's computer account
and do not enable the folder redirection settings. In this case, once the user
has logged on to the Terminal Server, his folder redirection policy will not be
applied.

To enable loopback processing navigate to: Computer Configuration/Administrative
Templates/System/Group Policy/Configure user Group Policy loopback processing
mode
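The three outcomes described in this post (loopback disabled, Replace mode and Merge mode), including the Terminal Server folder redirection case and the setting from Q21 above, can be reproduced with a small model of how the user side of policy is assembled. This Python is an added example, not code from the post or from Windows; the GPO names and settings (Red for the user's OU, Green for the Terminal Server's OU) are constructed.

```python
def loopback_user_settings(user_side, computer_side, mode=None):
    """Effective User Configuration for one logon.
    user_side:     (gpo name, User Configuration) pairs for the user's OU (Red)
    computer_side: (gpo name, User Configuration) pairs for the computer's OU (Green)
    mode:          None (loopback not enabled), "merge" or "replace"
    Both lists are in processing order; the value applied last wins."""
    if mode not in (None, "merge", "replace"):
        raise ValueError("mode must be None, 'merge' or 'replace'")
    applied = []
    if mode != "replace":
        applied += user_side      # normal user policy from the user's own location in AD
    if mode is not None:
        applied += computer_side  # loopback: the computer's GPOs come last, so they win conflicts
    effective = {}
    for name, settings in applied:
        for key, value in settings.items():
            effective[key] = (value, name)
    return effective

# Constructed scenario from the post: the Red OU holds the user, the Green OU
# holds a Terminal Server whose GPO deliberately carries no folder redirection.
RED = [("Red (User Configuration 1)",
        {"folder_redirection": "enabled", "wallpaper": "red"})]
GREEN = [("Green (User Configuration 2)",
          {"wallpaper": "green", "screensaver_timeout": 300})]

def terminal_server_logon(mode=None):
    """What the Red user gets when logging on to the Green Terminal Server."""
    return loopback_user_settings(RED, GREEN, mode)
```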
