Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.
Other examples include controlling whether unidentified users on remote computers may connect to a network share, and blocking or restricting access to certain folders.
As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users.
To accomplish the goal of central management of a group of computers, machines should receive and enforce GPOs.
Active Directory can distribute GPOs to computers which belong to a Windows domain.
These filters allow administrators to apply the GPO only to, for example, computers of specific models, RAM, installed software, or anything available via WMI queries.
Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC).
The server is a Windows Service that stores its Group Policy Objects in an archive located on the same computer or a network share.
The client is a snap-in to the Group Policy Management Console, and connects to the AGPM server.
[20] Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.
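One way an application can limit the risk described above is to treat an unreadable or out-of-range policy value as a signal to fall back to its most restrictive setting and record the anomaly. The sketch below is an added example, not code from Microsoft or from the original page; the setting names, the schema and the registry subkey are hypothetical, and the sample values are constructed.

```python
import logging

log = logging.getLogger("policy")

class PolicyUnavailable(Exception):
    """The policy store could not be read (distinct from 'not configured')."""

# Hypothetical schema: name -> (type, allowed values, restrictive fallback).
SCHEMA = {
    "AllowMacros": (int, {0, 1}, 0),
    "MinTlsVersion": (int, {12, 13}, 13),
    "UpdateChannel": (str, {"stable", "beta"}, "stable"),
}

def registry_reader(subkey):
    """Reader for HKLM\\Software\\Policies\\<subkey> (Windows only; subkey is assumed)."""
    import winreg
    def read(name):
        try:
            path = rf"Software\Policies\{subkey}"
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None  # setting not configured
        except OSError as exc:  # access denied, damaged hive, ...
            raise PolicyUnavailable(str(exc)) from exc
    return read

def dict_reader(values, broken=()):
    """Constructed stand-in for the registry so the logic runs on any OS."""
    def read(name):
        if name in broken:
            raise PolicyUnavailable("access denied")
        return values.get(name)
    return read

def effective_policy(read, schema=SCHEMA):
    """Return (settings, anomalies); never accept a value outside the schema."""
    settings, anomalies = {}, []
    for name, (typ, allowed, fallback) in schema.items():
        try:
            raw = read(name)
        except PolicyUnavailable as exc:
            anomalies.append((name, f"unreadable: {exc}"))
            raw = None
        if raw is not None and not (type(raw) is typ and raw in allowed):
            anomalies.append((name, f"rejected value {raw!r}"))
            raw = None
        settings[name] = fallback if raw is None else raw
    for name, why in anomalies:
        log.warning("policy %s: %s; using restrictive fallback", name, why)
    return settings, anomalies
```

The anomalies list is what a monitoring agent would forward: a setting that was readable yesterday and is unreadable today is worth an alert.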
For example, Windows XP introduced a new feature called Group Policy Update, which replaced the secedit command.
[22] This feature allows an administrator to force a group policy update on all computers with accounts in a particular Organizational Unit.
This overrides the default scheduled task on the computer which runs the gpupdate command within 90 minutes, adjusted by a random offset to avoid overloading the domain controller.