What is Group Policy?

A. You will no doubt be familiar with the concept of group policies in NT 4.0 and by utilizing the Group Policy Editor you can configure various restrictions, save it as file NTCONFIG.POL in the netlogon share and the settings will be applied to all users of the domain. Effectively all the policies of Windows NT 4.0 allowed were registry updates.

These policy settings could be configured for users, computers or groups of users.

Windows 2000 takes this to the next level and promises the following ideal

"The ability for the Administrator to state a wish about the state of their Users environment once, and then rely on the system to enforce that wish"

In Windows 2000 the Group Policy model has been completely updated and now utilizes the Active Directory and offers much more than just registry restrictions, for example

  • Application deployment
  • Logon/logoff/startup/shutdown scripts
  • Folder redirection

Group Policy Object's (GPO's) are a policy unit and can be applied to a site, domain or organizational unit (OU), in fact it will often be the case that a user/computer will have multiple GPO's applicable to them and in the event of a clash of a setting the order of precedence is Site, Domain then OU, SDOU, and so any setting defined at a site level can be overwritten by a domain setting, anything defined on a domain can be overwritten by an OU setting. There is a fourth type, the Local computer policy and this has bottom priority and any policies will be overwritten by any of the others which gives us an order of LSDOU.

The three mechanisms to apply Group Policies for sites, domains and OU’s are as follows:

  • Domain Group Policy Object
    Start the “Active Directory Users and Computers” MMC snap-in, right click on the domain and select Properties. Select the “Group Policy” tab
  • OU Group Policy Object
    Start the “Active Directory Users and Computers” MMC snap-in, right click on the OU and select Properties. Select the “Group Policy” tab
  • Sites Group Policy Object
    Start the “Active Directory Sites and Services” MMC snap-in, expand the sites right click on the required site and select Properties. Select the “Group Policy” tab

By default when you select Group Policy for a container there will be no GPO and you have the option of either adding an existing GPO to the container or creating a new one. To create a new GPO just click the New button and enter a name for the GPO. Once created clicking the Edit button can modify the specified policy. A new instance of the Microsoft Management Console will be started with the Group Policy Editor loaded with the selected GPO at the root.

Windows NT 4.0 policies already in place are NOT upgraded to 2000 and you will need to redefine all your policies as GPO's. In a mixed environment of both 4.0 and 2000 clients you will need to keep a NTCONFIG.POL in the NETLOGON share of the domain controllers (even the 2000 DC's as they may authenticate 4.0 client logons in a mixed environment) to ensure 4.0 clients still receive their policy settings. Windows 2000 clients will ignore NTCONFIG.POL unless you make a policy change to instruct them to implement the NTCONFIG.POL contents. If you do then the order of reading is

  1. GPO(s) Computer at startup
  2. Computer NTCONFIG.POL at login
  3. User NTCONFIG.POL at login
  4. GPO(s) User at login

As has been said, GPO information is stored in the Active Directory but the policy itself is stored on the SYSVOL container on each domain controller as %systemroot%\SYSVOL\sysvol\<domain>\Policies\<GUID of GPO> (GUID is Globally Unique IDentifier).

Under the folder you will find a file Gpt.ini which for non local GPO will contain:

Version=&lt;version number&gt;

For example the version may be 65539. The least 4 significant digits (four right most digits) represent the Computer Settings version number (3) and the most four significant represent the User Settings version numsber (four left most digits) (1). You have to convert to hexadecimal so:

65539 : 00010003

Also within the folder is an Adm folder which contains the .adm template files which are used in the GPO. Also in the folder are a MACHINE and USER folder containing specific settings.

You can check the GUID for a GPO by right clicking on its root and selecting Properties and viewing the Unique name property.

Click here to view image

To avoid any conflicts with GPO modifications only the PDC role holder can make changes to the GPO.

Another change is that old 4.0 policies are 'tattooed' in the registry, meaning that even after a policy has been removed, its settings stay in the registry until changed by something else. An advantage of the Windows 2000 Group Policies is that this does not occur. The reason for this is that in Windows 2000, registry settings written to the following two secure registry locations are cleaned up when a Group Policy Object no longer applies:

  • \Software\Policies
  • \Software\Microsoft\Windows\CurrentVersion\Policies

Finally unlike the 4.0 Group Policies the policy actually gets refreshed at certain times, well not ALL of the policy,  software deployment and folder redirection are not updated as, for example, you would be unhappy if the GPO was modified to remove Word and you were using it at the time and it suddenly uninstalled! All 2000 machines refresh the policy every 90 minutes except domain controllers who replicate every 5 minutes. These times and the parts to replicate can be modified within the GPO.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.