Group policy is a complex tool that lets you centrally manage Windows 2000 computers and users. But if you don't understand how Win2K applies Group Policy, you can shoot yourself in the foot. You can easily implement a combination of settings that cancel out one another or cause unexpected results. For example, you might think you've enabled an important security setting throughout your network, only to discover you've inadvertently disabled this setting on a subset of systems. This type of mistake can be inconvenient when it involves an administrative setting but can be devastating when it involves a security setting. To effectively use Group Policy, you need to understand how Win2K uses Group Policy Objects (GPOs) to apply policies, the sequence in which Win2K applies GPOs, and the processing options that let you fine-tune GPO application. (For more information about Group Policy, see Michael D. Reilly, Getting Started with Windows 2000, "Group Policy," March 2000, and Darren Mar-Elia, "Introducing Group Policy," September 1999.)
The ABCs of GPOs
A GPO is a collection of configuration settings that cover nearly every area of a Win2K computer's configuration and a user's profile. Each GPO is divided into two subfolders: Computer Configuration and User Configuration. Win2K initially applies the settings in the Computer Configuration subfolder when a computer boots and applies the settings in the User Configuration subfolder when a user logs on. Then, Win2K typically reapplies Group Policy periodically while the computer is up or the user is logged on. You can customize the frequency and conditions under which Win2K applies different types of Group Policy.
Every Win2K computer stores a local GPO. To let you simultaneously manage multiple computers or users, Win2K lets you link other GPOs to Active Directory (AD) containers, such as organizational units (OUs); Win2K then applies the linked GPOs to all the computers or users in those containers. If you link multiple GPOs to a container, Win2K follows specific rules to apply the relevant GPOs in a predictable sequence that facilitates configuration by exception. Configuration by exception lets you define general settings first, then define exceptions— without repeating the general settings— for a subset of computers or users.
Group Policy Application Sequence
Each GPO has a full complement of computer and user settings. You can specify a value for most GPO settings, or you can leave the settings Not configured (i.e., tell Win2K to take no action). Unconfigured settings tell Win2K not to change existing settings (e.g., settings previously defined in GPOs at another container level) and don't affect configuration.
Multiple GPOs can apply to a computer or user, and some of these GPOs might contain conflicting settings. When several GPOs define a value for the same setting, the last-applied GPO takes precedence. Therefore, you need to understand Win2K's GPO-application sequence, which Figure 1 shows.
When a computer boots, Win2K applies the Computer Configuration portion of Group Policy. Win2K first applies the computer's locally stored GPO, then GPOs linked to the computer's site, then GPOs linked to the computer's domain, then GPOs linked to the OUs (in order from highest to lowest) that contain the computer. When a user logs on, Win2K applies the User Configuration portion of Group Policy. The User Configuration application follows the same sequence as the Computer Configuration application, except that Win2K bases domain- and OU-linked GPOs on the user account's domain and branch of the OU tree instead of the computer's location in AD, as Figure 2 shows. The application sequence for User Configuration policies is the locally stored GPO of the computer the user logs on to, then GPOs linked to the computer's site, then GPOs linked to the user's domain, then GPOs linked to the OUs (in order from highest to lowest) that contain the user account. You can view the GPOs that Win2K will apply at each step in the sequence.
Computer's local GPO. Each computer stores one GPO locally. When a computer boots up or a user logs on, Win2K applies the computer's local GPO first. When the computer isn't a member of a domain, Win2K applies only the local GPO, and all its settings take effect. When the computer is a member of a domain, this GPO is the least influential GPO because all AD-linked GPOs that Win2K applies can override the local GPO. To access a computer's local GPO configuration, run mmc.exe from the Win2K Start menu, add the Group Policy snap-in, and select Local Computer.
Site-linked GPOs. When the computer is a member of a domain, Win2K next applies all the GPOs that link to the computer's site. (Sites are AD objects that represent a network's physical layout. For more information about sites, see Sean Deuby, "AD Sites, Part 1," June 2000 and "AD Sites, Part 2," July 2000.) Use site-linked GPOs only when you need to define a setting (e.g., a network parameter) that is specific to the computer's physical portion of your network. To view a list of a site's GPOs, go to Administrative Tools, Active Directory Sites and Services. Right-click a site, click Properties, and select the Group Policy tab. Win2K doesn't come with any prebuilt site-linked GPOs, and administrators seldom define site-linked GPOs.
Domain-linked GPOs. Win2K then applies all the GPOs that link to the computer's—or user's, in the case of User Configuration—domain. Group policies that you define at this level apply to all computers or users in the immediate domain and overwrite site-linked and local GPOs. Unconfigured domain-linked GPO settings don't change defined values in previously configured site-linked GPOs. Domains are the boundary of Group Policy inheritance: Win2K doesn't apply a parent domain's GPOs to a child domain. To view a list of domain-linked GPOs, go to Administrative Tools, Active Directory Users and Computers. Right-click the computer's or user's domain, click Properties, and select the Group Policy tab. Win2K comes with one prebuilt domain-linked GPO: Default Domain Policy.
OU-linked GPOs. Finally, Win2K applies GPOs that link to any OUs that contain the computer—or the user, in the case of User Configuration. If more than one OU contains the computer or user, Win2K applies the linked GPOs in order from the highest OU to the lowest OU. Because the last-applied GPO overrides previously applied GPOs, lower-OU-linked GPOs override higher-OU-linked GPOs whenever both GPOs define a value for the same setting. (Figure 3 shows the configuration settings for a computer in a child OU; Win2K will apply several OU-linked GPOs as well as a domain-linked GPO to the computer.) To view OU-linked GPOs, right-click the OU, click Properties, and select the Group Policy tab.
Multiple same-level links. What happens when multiple GPOs link to the same site, domain, or OU? A GPO's relative position in the list of GPO links for the site, domain, or OU determines the GPO's priority; Win2K applies same-level GPOs in order of priority from lowest to highest. (Win2K applies the highest priority GPO last so that the GPO overrides all previously applied GPOs.) Figure 4 shows the Group Policy tab of an example Marketing OU. The New Marketing Policies GPO has the lowest priority, so Win2K applies it first; Win2K applies the Marketing Policies GPO last. To increase or decrease a GPO's priority, use the Group Policy tab's Up and Down buttons to reposition the GPO in the list.
Keep in mind that an important difference exists between a GPO and a link to a GPO. When you delete a GPO, Win2K no longer applies the GPO under any circumstance. When you delete a link, Win2K still applies the GPO to other AD containers to which the GPO is linked. Imagine that a GPO is like a human resources (HR) policy document that you can assign to various departments in your company. When the policy no longer applies to a department, you can remove the document from only that department (i.e., delete the link to the GPO). When the policy is no longer valid on a company basis, you can throw away the document (i.e., delete the GPO). If a department needs to follow the policy but with a few exceptions, you can create an addendum and attach it to the document for that department (i.e., create a second linked GPO, which has higher priority than the original GPO).
Win2K follows a straightforward GPO-application process. Group Policy's true complexity lies in your options for controlling that process, which I'll explain in Part 2 of this series.
