Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy is primarily a security tool: it allows administrators to define security policies and apply security settings to users and computers. These policies, which are collectively referred to as Group Policy Objects (GPOs), are based on a collection of individual Group Policy settings. GPOs are administered from a central interface called the Group Policy Management Console. Group Policy can also be managed with command-line tools such as gpresult and gpupdate.
The Group Policy hierarchy
GPOs are applied in a hierarchical manner, and multiple GPOs are often combined to form the effective policy. Local GPOs are applied first, followed by site-level, domain-level, and organizational unit-level GPOs.
Group Policy extensibility
The native collection of Group Policy settings pertains exclusively to the Windows operating system. An administrator might, for instance, use these native Group Policy settings to enforce a minimum password length, hide the Windows Control Panel from users, or force the installation of security patches. However, Group Policy is designed to be extensible through the use of administrative templates. These administrative templates allow various applications to be configured through Group Policy settings. One of the best-known examples of this is the collection of administrative templates for Microsoft Office.
Administrative templates consist of two components. An ADMX file is the XML file containing all of the Group Policy settings that are associated with the template. A corresponding ADML file acts as a language file that allows the Group Policy settings to be displayed in the administrator’s language of choice.
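The following Python sketch is an added example, not code from the original page or from Microsoft. It pairs an ADMX file with its ADML file to list the registry value each setting controls and the text an administrator would see. The "Contoso Editor" template, its policy names and the helper names (local, load_strings, list_policies) are constructed for illustration, and the sample is simplified to the attributes needed here.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
# Constructed sample template for a hypothetical "Contoso Editor" application.
ADMX = f"""<policyDefinitions xmlns="{NS}" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="DisableMacros" class="User" displayName="$(string.DisableMacros)"
            key="Software\\Policies\\Contoso\\Editor" valueName="DisableMacros"/>
    <policy name="UpdateServer" class="Machine" displayName="$(string.UpdateServer)"
            key="Software\\Policies\\Contoso\\Update" valueName="Server"/>
  </policies>
</policyDefinitions>"""
# Constructed language file; it deliberately lacks a string for UpdateServer.
ADML = f"""<policyDefinitionResources xmlns="{NS}" revision="1.0" schemaVersion="1.0">
  <resources><stringTable>
    <string id="DisableMacros">Disable macros in documents</string>
  </stringTable></resources>
</policyDefinitionResources>"""

# The policy class decides which registry hive the setting is written to.
HIVES = {"Machine": ["HKLM"], "User": ["HKCU"], "Both": ["HKLM", "HKCU"]}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def load_strings(adml_xml):
    """Map string id -> localized text from an ADML string table."""
    root = ET.fromstring(adml_xml)
    return {e.get("id"): (e.text or "").strip()
            for e in root.iter() if local(e.tag) == "string"}

def list_policies(admx_xml, adml_xml):
    """Return one record per policy: scope, registry value, display name."""
    strings = load_strings(adml_xml)
    rows = []
    for p in (e for e in ET.fromstring(admx_xml).iter() if local(e.tag) == "policy"):
        ref = p.get("displayName", "")
        is_ref = ref.startswith("$(string.") and ref.endswith(")")
        rows.append({
            "name": p.get("name"),
            "hives": HIVES.get(p.get("class"), []),
            "registry": f'{p.get("key")}\\{p.get("valueName")}',
            # None means the language file has no text for this setting.
            "display": strings.get(ref[9:-1]) if is_ref else ref or None,
        })
    return rows

if __name__ == "__main__":
    for row in list_policies(ADMX, ADML):
        print(row)
```

A record whose display value is None points to an ADML file that does not match its ADMX file, which is worth checking before a third-party template is imported.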
Local vs. centralized Group Policy
GPOs can be applied locally to a Windows computer through its own operating system, or they can be applied through Active Directory. Local GPOs allow security settings to be applied to either standalone computers or computers managed by a domain controller, but these policy settings cannot be centrally managed. Conversely, Active Directory-based GPOs can be centrally managed, but they are only implemented if a user is logging in from a computer joined to the domain.
Many organizations use a combination of local and Active Directory GPOs. The local policy settings provide security when the user is not logged into a domain, while Active Directory GPOs apply once the user has logged in.