
Group Policy Fundamentals in Active Directory
Here's a breakdown and explanation of the multiple types of Group Policy.

By Troy Thompson
01/12/2016

In an Active Directory environment, Group Policy is an easy way to configure computer and
user settings on computers that are part of the domain. An Active Directory environment
means that you must have at least one server with Active Directory Domain Services
installed. Group Policy allows you to centralize the management of computers on your
network without having to physically go to and configure each computer individually. If you
need to manage computers in a large company, it is almost impossible without using Group
Policy. In order to use Group Policy editor in a domain environment, you must use an
administrator account. A standard domain user account is not in the local Administrators
group and will not have the proper permissions to configure Group Policies.

To launch the Group Policy Management tool, choose Start, All Programs, Administrative
Tools, Group Policy Management (see Figure 1).

Figure 1.

Once the Group Policy Editor has launched, you will see many different options (see Figure
2).

Figure 2.

You can apply Group Policy on a variety of Microsoft platforms, including Windows 2000,
Windows 2003, Windows XP, Vista, Windows Server 2008, Windows 7, Windows 8 and
Windows Server 2012. Granted, some settings are particular to one operating system,
but those settings are fairly rare. If a user is connecting via a slow link,
which by default is 500KB or less, certain group policies will not be
applied. By default, Disk Quotas, Folder Redirection, Internet Explorer settings, and
Software Deployment are not applied over slow links. It is possible to change the definition
of a slow link in the Group Policy Slow Link Detection setting.

A Group Policy setting at any level automatically affects all levels beneath it. If needed, you
can prevent inheritance. Other default behaviors to consider: domains, OUs, and
child OUs inherit settings from their parents, but duplicate settings in GPOs linked to child
OUs have precedence over the same settings in GPOs linked to parent OUs. Any policy
geared for a Domain Controller is refreshed within five minutes.
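
To see how the inheritance and precedence rules above resolve for a particular OU, the following added example (not part of the original article) uses the GroupPolicy and ActiveDirectory RSAT modules. The OU distinguished name is a hypothetical placeholder.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical OU used for illustration; replace with a DN from your own domain.
$target = 'OU=Workstations,DC=example,DC=com'

$inh = Get-GPInheritance -Target $target
'Inheritance blocked on {0}: {1}' -f $inh.Path, $inh.GpoInheritanceBlocked

# InheritedGpoLinks is the resolved list for this container: GPOs linked
# directly to it plus those inherited from its parents. Order 1 has the
# highest precedence, so a GPO linked to the child OU is listed ahead of
# one linked to a parent, unless the parent link is marked Enforced.
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# OUs where inheritance has been blocked. Settings linked higher up (for
# example a domain-wide security baseline) do not reach these OUs unless
# the link is Enforced, so each one is worth reviewing.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object GpoInheritanceBlocked |
    Select-Object Name, Path
```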

Examples of Group Policy


Drive Mappings: You can map drives via login scripts, but it can be done more reliably
using Group Policy. It is also possible to remove drive mappings for users.

Power Options: Using Group Policy, you can set things like hard disk sleep time, the amount
of time before the monitor goes into stand-by mode, and what happens to laptops when you
hit the power button or close the lid. All aspects of power can be configured, but some of
these are user preferences, which can be changed by the user.

Folder Redirection: Normally, users' folders for storing data are located on their local
computers. If you want to redirect their data to another location, you can do this using Group
Policy. In a domain environment, it is common to back up server data, but not each individual
computer. By redirecting a user's My Documents to a server, you keep their data off the local
computer. This redirect has several uses. It allows the user data to be backed up in a central
location and it also provides the user access to their data regardless of the computer they log
onto. The types of folders that can be redirected are:

• Contacts
• Start Menu
• Desktop
• Documents
• Downloads
• Favorites
• Music
• Videos
• Pictures
• Searches
• Links
• AppData (Roaming)

Internet Explorer Settings: There are almost 2,000 different items that you can configure in
Internet Explorer using Group Policy. Some of the more common items are:

• Configure Delete Browsing History on exit
• Configure Toolbar Buttons
• Configure new tab page default behavior
• Disable changing home page settings
• Do not allow resetting Internet Explorer settings
• Do not allow users to enable or disable add-ons
• Pop-up allow list

Local Accounts and Passwords: The Default Domain Policy is created by default at the
domain level. This default policy encompasses three domain-wide security settings:

o Password policy: You can use Group Policy to set the password length,
complexity and longevity.
o Account Lockout policy: A Group Policy can be set to define when an account
is locked out and for how long.
o Kerberos policy: You can set the Kerberos ticket expiration time.

If the Password policy, Account Lockout policy, or Kerberos policy is set anywhere else in
the domain, such as at the OU or site level, the settings will be ignored when users log onto
the domain.
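
Because account policy set below the domain level is ignored for domain logons, it is worth finding GPOs where someone has configured it anyway and may be assuming it is in force. The following added example (not from the original article) checks OU-linked GPOs only, not site links, by reading each GPO's GptTmpl.inf security template from SYSVOL; it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to SYSVOL.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Password, lockout and Kerberos keys as stored in a GPO's GptTmpl.inf.
$accountKeys = 'MinimumPasswordAge','MaximumPasswordAge','MinimumPasswordLength',
               'PasswordComplexity','PasswordHistorySize','ClearTextPassword',
               'LockoutBadCount','ResetLockoutCount','LockoutDuration',
               'MaxTicketAge','MaxRenewAge','MaxServiceAge','MaxClockSkew',
               'TicketValidateClient'

$domain = (Get-ADDomain).DNSRoot

function Get-AccountPolicyKeys {
    # Returns the account-policy keys defined in one GPO's security template.
    param([guid]$GpoId)
    $inf = "\\$domain\SYSVOL\$domain\Policies\{$GpoId}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    Get-Content -LiteralPath $inf |
        ForEach-Object { ($_ -split '=')[0].Trim() } |
        Where-Object { $accountKeys -contains $_ }
}

# Walk every OU and inspect the GPOs linked directly to it.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
        $keys = @(Get-AccountPolicyKeys -GpoId $link.GpoId)
        if ($keys.Count -gt 0) {
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Gpo         = $link.DisplayName
                LinkEnabled = $link.Enabled
                IgnoredKeys = $keys -join ', '
            }
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# The password and lockout values that actually apply to domain accounts.
Get-ADDefaultDomainPasswordPolicy
```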

Printers: The Print Management snap-in with Group Policy can be used to automatically
deploy printer connections to users or computers and install the appropriate printer drivers. If
you choose to add per-computer printer connections, Windows will add the printer
connections when the user logs on. If per-user connections are chosen, Windows will add the
printer connections during background policy refresh. If the printer connection settings are
removed from the GPO, Windows will remove the corresponding printers from the client
computer during the next background policy refresh or user logon.

You can reapply Group Policies without restarting your computer or logging off. From a Run
prompt, type gpupdate /force. This will cause the Group Policies to be reapplied. After
running this command, it is sometimes necessary to log off for the change to take effect
immediately.
