Group Policy Object (GPO) Rules.

Article ID: 555991
Author: Nirmal Sharma MVP

SUMMARY

This article explains the rules you need to know when configuring a Group Policy Object (GPO) in an Active Directory domain.

MORE INFORMATION

The following points must be understood before creating and implementing a GPO in a production environment. A GPO that ignores them will not apply the way you expect:
 
1. Group Policy settings apply to Active Directory leaf objects, that is user and computer accounts, and NOT to security or distribution groups. A GPO is linked to a site, a domain or an OU; a group can never be a link target.
 
2. Users and computers must reside in the OU to which the GPO is linked, or in a child OU that inherits from it.
 
3. Security groups can be used to filter the scope of a GPO (security filtering). Filtering only narrows which users or computers inside the linked container receive the GPO; it cannot extend the GPO to objects outside that container.
 
4. By default a new GPO is applied to the following group:
 
Authenticated Users                                        
 
5. If the security properties are left at their defaults, the GPO applies to administrators too. When you create a GPO the following Security Settings permissions are set:

*Read* and *Apply Group Policy* to:

Authenticated Users

*Read*, *Write*, *Create all child objects* and *Delete all child objects* (the right to edit the GPO, but NOT *Apply Group Policy*) to:

Domain Admins
Enterprise Admins
SYSTEM

*Read* only to:

ENTERPRISE DOMAIN CONTROLLERS

Administrators therefore receive the GPO not through Domain Admins or Enterprise Admins, which carry no *Apply Group Policy* permission, but because every account that logs on is also a member of Authenticated Users.

 
6. Group Policy processing depends on client-side extensions (CSEs) registered under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Each {GUID} subkey under that key describes one CSE module (its DllName value) that Winlogon loads when settings belonging to that extension have to be processed.

CSEs are what actually apply the settings retrieved from the domain controller. Winlogon (through userenv.dll on Windows Server 2003) builds the list of GPOs that apply to the computer or to the user, then calls each registered CSE to process its part of every GPO in that list. Because every CSE in this key is loaded inside Winlogon, that is with SYSTEM privileges, the contents of the key are worth auditing: an unexpected DLL registered here runs on every policy refresh.
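The audit suggested above, as an added example that is not part of the original article: it enumerates the GPExtensions key and flags any CSE whose DllName does not resolve to an existing file under %SystemRoot%\System32. It assumes the registry layout described in point 6 (a {GUID} subkey per CSE with a DllName value, given either as a bare file name or as a path that may contain environment variables); entries without a DllName are listed but not flagged.

```powershell
# Added example (not from the original article): audit the registered Group
# Policy client-side extensions. Every CSE listed here is loaded by Winlogon
# during policy processing, so a DLL outside System32 deserves a closer look.

$cseKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-GPClientSideExtension {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path $cseKey -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $dll   = $props.DllName

        # DllName is either a bare file name (loaded from System32) or a path
        # that may contain environment variables such as %SystemRoot%.
        $resolved = $null
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $resolved = if ([System.IO.Path]::IsPathRooted($expanded)) { $expanded }
                        else { Join-Path $system32 $expanded }
        }

        [pscustomobject]@{
            Guid        = $_.PSChildName
            Name        = $props.'(default)'
            DllName     = $dll
            ResolvedDll = $resolved
            InSystem32  = [bool]($resolved -and
                          $resolved.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase))
            Exists      = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        }
    }
}

# Print every registered CSE, then the suspicious ones on their own.
$cses = Get-GPClientSideExtension
$cses | Sort-Object Name | Format-Table Guid, Name, DllName, InSystem32, Exists -AutoSize

# Only entries that do name a DLL are judged; a DLL that is missing or that
# lives outside System32 is reported.
$suspect = $cses | Where-Object { $_.DllName -and (-not $_.InSystem32 -or -not $_.Exists) }
if ($suspect) {
    Write-Warning 'CSEs loading from outside System32 or pointing at a missing file:'
    $suspect | Format-List Guid, Name, ResolvedDll
}
```

Run it in an elevated PowerShell session; reading the key does not need elevation, but comparing the result against a known-good machine of the same Windows build is what makes the list meaningful, since the set of built-in CSEs differs between versions.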
 
Rather than leaving *Authenticated Users* with *Apply Group Policy*, a common practice is to create a new group containing only the intended users or computers, grant that group *Read* and *Apply Group Policy*, and remove *Apply Group Policy* from Authenticated Users (security filtering). Remove only *Apply Group Policy*, not *Read*: since MS16-072 (June 2016) user policy is retrieved in the computer's security context, so the computer account must still be able to read the GPO, and a GPO that Authenticated Users cannot read silently stops applying. Remember that any user or computer that has successfully authenticated to the domain is a member of Authenticated Users.
 
If a setting is configured in a GPO linked to the parent OU and also, with a different value, in a GPO linked to a child OU, and all users are members of Authenticated Users, then both GPOs apply and the Group Policy precedence rule decides the outcome: GPOs are processed in the order local, site, domain, OU, child OU, and the GPO processed last wins a conflict, so the child OU's value takes effect. The following key terms are used when describing what a setting does:

Group Policy key terms:
 
Not Configured
The setting is absent from the GPO. When Winlogon at the client processes the GPOs obtained from the domain controller, the CSE makes no change for this setting, so whatever the client already has (from another GPO or from a local setting) stays in effect.
 
Disabled
The setting is present in the GPO with the value that turns the feature off. It is processed like any other setting: Winlogon at the workstation writes the "off" state, which overrides a lower-precedence GPO that enabled it. Disabled is therefore not the same as Not Configured; the domain controller does not decide what is published, it only stores the GPO.
 
Enabled
The setting is present in the GPO with the value that turns the feature on, and is processed by Winlogon at the workstation.
 
Microsoft provides two distinct ways of NOT processing Group Policy settings. The "Disabled" state is configured per policy setting and, as described above, is itself a value that gets applied. The "Disable User Configuration settings" and "Disable Computer Configuration settings" options in the properties of the GPO (its GPO status) switch off one whole half of the GPO, so nothing configured in that half is processed, whatever the per-setting state is. The GPO status option therefore overrides the per-setting option.
 
  1. Computer policy settings are processed when the computer starts, before any user logs on, and they apply to the machine whoever uses it. Example: a startup script configured under Computer Configuration runs on every computer in scope, regardless of which user logs on afterwards.
  2. User policy settings are processed after the user logs on, and they follow the user. Example: a network drive mapped by a logon script under User Configuration is created for that user on every computer he logs on to, but not for other users of the same computer.
  3. The third option is filtering Group Policy settings with security groups. It does not change the two rules above; it only restricts which users or computers inside the linked container process the GPO. In the example above, if you create a group called "ServiceComputers", put 4 computers in that group and give only that group *Apply Group Policy* on the GPO, then only those 4 computers receive the policy.
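The security filtering described above (replacing the default Authenticated Users scope with a group such as "ServiceComputers"), as an added example that is not part of the original article. It uses the GroupPolicy PowerShell module, which exists on Windows Server 2008 R2 and later or with RSAT installed (not on Windows Server 2003 itself); the GPO name and group name are placeholders, and the account running it must be allowed to modify the GPO's security.

```powershell
# Added example (not from the original article): scope a GPO to one security
# group while keeping Read for Authenticated Users, so that computer accounts
# can still retrieve the GPO (required since MS16-072). Names are placeholders.

Import-Module GroupPolicy

$gpoName   = 'Service Computer Hardening'   # placeholder GPO name
$groupName = 'ServiceComputers'             # placeholder group, as in the article

function Show-GPOScope {
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission |
        Format-Table -AutoSize
}

'Before:'
Show-GPOScope -Name $gpoName

# 1. Downgrade Authenticated Users from GpoApply to GpoRead. -Replace is
#    needed because the cmdlet otherwise keeps the higher existing level.
#    Do not use PermissionLevel None here: the computer must keep Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 2. Grant Read + Apply Group Policy to the filtering group only.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

'After:'
Show-GPOScope -Name $gpoName

# 3. Check: which trustees will actually apply this GPO now?
$applying = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
"Trustees with Apply Group Policy: $($applying -join ', ')"
```

After the change, only members of ServiceComputers (and any principal that still has GpoApply, which the final listing shows) process the GPO; everyone else can read it but skips it. Computer group membership is evaluated at startup, so a computer added to the group needs a reboot or a new Kerberos ticket before the filter takes effect.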
 
Other options are "Block Policy Inheritance" and "No Override" (called Enforced in the Group Policy Management Console). The first option is set on a domain or an OU, not on a GPO; it cannot be set at site level and has no use at the top of the hierarchy, because there is nothing above to block. When enabled, it stops GPOs linked to parent containers from applying to the objects in that container. "No Override" is set on a GPO link, not on the child. An enforced link cannot be blocked by a child container's "Block Policy Inheritance", and if one of its settings conflicts with a GPO linked lower down, the enforced parent GPO's setting is applied, reversing the normal rule that the child's setting wins.
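The interaction between "Block Policy Inheritance", "No Override" (Enforced) and the GPO status option, as an added example that is not part of the original article. It again assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) and uses placeholder names for the OU and the GPO; the GPO is assumed to be linked at the parent of the given OU.

```powershell
# Added example (not from the original article): show the effective GPO order
# for an OU, block inheritance on it, enforce a parent-level GPO so it survives
# the block, and disable the user half of that GPO. Names are placeholders.

Import-Module GroupPolicy

$ou      = 'OU=Servers,OU=Corp,DC=example,DC=com'   # placeholder child OU
$gpoName = 'Baseline Security'                       # placeholder, linked at the parent OU

function Show-EffectiveGPOOrder {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target
    "Inheritance blocked on $($inh.Path): $($inh.GpoInheritanceBlocked)"
    # InheritedGpoLinks lists every GPO that applies to objects in this
    # container, parents included, highest precedence first. Enforced parent
    # links stay in this list even when inheritance is blocked.
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled, Target |
        Format-Table -AutoSize
}

'Before:'
Show-EffectiveGPOOrder -Target $ou

# Block inheritance on the child OU: GPOs linked at the domain and parent OU
# drop out of the effective list, unless their link is enforced.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# Enforce the baseline on the parent OU so the block above cannot exclude it
# and so it wins conflicts with GPOs linked directly to the child OU.
# (Simple split on the first comma; fine for placeholder DNs without escapes.)
$parentOu = ($ou -split ',', 2)[1]
Set-GPLink -Name $gpoName -Target $parentOu -Enforced Yes | Out-Null

'After:'
Show-EffectiveGPOOrder -Target $ou

# Switching off one whole half of the GPO (the article's "Disable User or
# Computer Policy settings") is the GPO status, separate from any per-setting
# Disabled value inside the GPO. Assigning GpoStatus writes it back to AD.
$gpo = Get-GPO -Name $gpoName
$gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
"$($gpo.DisplayName) status is now $($gpo.GpoStatus)"
```

Compare the two listings: after blocking, only GPOs linked at the child OU plus the enforced "Baseline Security" link remain, and the enforced link moves ahead of the child's own links in precedence. Run `gpupdate /force` on a member of the OU and `gpresult /r` to confirm the client sees the same order.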

Properties

Article ID: 555991 - Last Review: September 23, 2007 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
Keywords: 
kbpubmvp kbpubtypecca kbhowto KB555991
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
