
Group Policy Object (GPO) Rules.


Author: Nirmal Sharma MVP


Summary

This article explains the rules you need to follow when configuring a Group Policy Object in an Active Directory domain.



More information

The following points must be clearly understood before creating and implementing a GPO in a production environment. You must know these rules; without them a GPO will never work:

1. Group Policies can be applied to Active Directory leaf objects such as users and computers, but NOT to security or distribution groups.

2. Users and computers must reside in the OU where you have configured the Group Policy.

3. Group Policies can use security groups to filter the scope of policy settings.

4. By default Group Policies are applied to the following group:

Authenticated Users

5. If the security properties are left at their defaults, Group Policy settings also apply to administrators, because when you create a GPO the following security permissions are set by default:

*Apply Group Policy* and *Read* permission to the following groups:

Authenticated Users
Domain Admins
Enterprise Admins
Administrators


6. Group Policy processing depends on the client-side extensions (CSEs) registered under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtensions

Each {GUID} sub-key under this key identifies a client-side extension module, which activates itself when the Winlogon service requires Group Policy processing.

CSEs are used to process the GPOs retrieved from the domain controller. Winlogon.exe obtains the list of GPOs to process.

As per Microsoft's recommendation, you should remove the *Authenticated Users* group, create a new group, add all the intended members to that group, and then use the Group Policy filtering technique. Basically, any user who successfully logs on to the network is a member of the Authenticated Users group.
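The filtering technique described above, as an added example that is not part of the original article: a filtering group is created and granted Apply Group Policy, and Authenticated Users is reduced from Apply to Read only. The GPO name, group name and user names are hypothetical, and the GroupPolicy and ActiveDirectory modules (RSAT) are assumed to be installed on the management host; keeping Read for Authenticated Users rather than removing the group entirely is an assumption about current domains (since the MS16-072 update in 2016, computers retrieve user GPOs with the computer account and need Read on the GPO, otherwise the GPO is never processed).

```powershell
# Added example, not from the article: security-filter a GPO to one group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Map Shared Drive'          # hypothetical GPO name
$GroupName = 'GPO-MapSharedDrive-Apply'  # hypothetical filtering group

# 1. Create the filtering group (if missing) and add the intended members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'   # hypothetical users

# 2. Grant the filtering group Read + Apply Group Policy on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Replace Authenticated Users' Apply permission with Read only.
#    -Replace removes the existing permission level before setting the new one.
#    Read is kept (assumption: domain patched with MS16-072) so that computer
#    accounts can still read the GPO during policy retrieval.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify: exactly one trustee should hold GpoApply, and it should be our group.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
$apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
if ($apply.Count -ne 1 -or $apply[0].Trustee.Name -ne $GroupName) {
    Write-Warning "Unexpected GpoApply holders: $($apply.Trustee.Name -join ', ')"
}
```

Run `gpupdate /force` on a member of the group and check `gpresult /r` to confirm the GPO is listed as applied, and on a non-member that it appears under the filtered-out GPOs.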

If you have configured a setting in the parent OU and also configured it in a child OU, and all users are members of the Authenticated Users group, the settings conflict and the Group Policy precedence rule is applied:

Group Policy key terms:

Not Configured
This means the policy setting is not configured, and the Winlogon service at the client end, while processing the Group Policy Objects from the domain controller, will not process this policy setting.

Disabled
This means the policy setting is configured, but the domain controller will not publish it for processing, or Winlogon at the workstation will not process this setting.

Enabled
This means the policy setting is configured and will be processed by the Winlogon service at the workstation.

Microsoft has designed two options for NOT processing Group Policy settings. The "Disabled" option is configured per policy setting, whereas "Disable User or Computer Policy settings" in the properties of the GPO is used to NOT process any of the policy settings configured in that container. The latter option overrides settings configured with the former option.

  1. Computer policy settings run only when the computer starts, just before user logon. For example, you have a network drive to map for all computers. This network drive mapping will be available to all users who log on to that system.
  2. User policy settings run only after the user logs on to the system. In the above example, the network drive mapping will be available to all users who log on to the system.
  3. The third option is filtering Group Policy settings using groups. This option does not necessarily defeat the above rules but is used to process the GPO only for selected users or computers. In the above example, if you create a group called "ServiceComputers", put 4 computers in that group and apply a policy setting to this group, then only those 4 computers will receive the policy.

Other options are "Block Policy Inheritance" and "No Override". The first option can be set only on a child container: you cannot set it at the site level, and it has no use on parent policies. This option, if enabled, forces the child not to accept any policy settings coming from the parent GPO. The "No Override" option, if enabled, prevents the child from blocking any policy setting coming from the parent GPO. If there is a conflict in the policy, the parent GPO settings will be applied, provided the "No Override" option is enabled.
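The interaction of "Block Policy Inheritance" and "No Override" described above, as an added example that is not part of the original article. In the GroupPolicy PowerShell module "No Override" is exposed as the Enforced flag on a link; the OU distinguished names and the GPO name are hypothetical, and the module is assumed to be installed on the management host.

```powershell
# Added example, not from the article: block inheritance on a child OU, enforce
# the parent link, then check what the child still receives.
Import-Module GroupPolicy

$ParentOU = 'OU=Corp,DC=example,DC=com'                   # hypothetical
$ChildOU  = 'OU=Workstations,OU=Corp,DC=example,DC=com'   # hypothetical
$GpoName  = 'Corp Baseline'                               # hypothetical GPO

# Block Policy Inheritance on the child: unenforced links from the parent OU,
# the domain and the site stop applying to objects in the child.
Set-GPInheritance -Target $ChildOU -IsBlocked Yes | Out-Null

# No Override (Enforced) on the parent link: the child cannot block this GPO,
# and on conflict the enforced parent settings win over the child's own GPOs.
Set-GPLink -Name $GpoName -Target $ParentOU -Enforced Yes | Out-Null

# Verify from the child's point of view. InheritedGpoLinks lists the links
# that are effective on the child, in precedence order, after blocking.
$inh = Get-GPInheritance -Target $ChildOU
"Inheritance blocked on child : $($inh.GpoInheritanceBlocked)"
"Links on the child itself    : $($inh.GpoLinks.DisplayName -join ', ')"
"Effective links on the child : $($inh.InheritedGpoLinks.DisplayName -join ', ')"

# With blocking on, the only links from above the child that should remain
# effective are enforced ones; anything else indicates blocking did not take.
$leaks = @($inh.InheritedGpoLinks | Where-Object {
    $_.Target -ne $ChildOU -and -not $_.Enforced
})
if ($leaks.Count -gt 0) {
    Write-Warning "Unenforced links from parent containers still apply: $($leaks.DisplayName -join ', ')"
}
```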



Properties

COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.






Keywords: KB555991, kbhowto, kbpubtypecca, kbpubmvp


Article Info
Article ID : 555991
Revision : 1
Created on : 9/23/2007
Published on : 9/23/2007
Exists online : False
Views : 249