Q. What is Group Policy?
A. Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for writing specific policy settings on target client computers.
Q. What are Group Policy objects (GPOs)?
A. Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.
Q. What are the differences between Group Policy, Registry-based policy, and Security policy?
A. Group Policy is an infrastructure in which IT administrators can implement standard computing environments for groups of users and computers and includes both Registry-based and Security Policy. Registry-based policy is one of the many features of Group Policy that uses Administrative templates to modify the registry settings for policy-enabled components included in Windows. Security Policy, another feature delivered by Group Policy, includes a variety of security-related settings for Microsoft Windows.
Q. Are the new Windows Vista features of GPMC available in an update to the current version of GPMC?
A. You can join a Windows Vista workstation to your existing domains in order to benefit from the new features in GPMC. GPMC is integrated directly into the Windows Vista operating system (Business, Enterprise, and Ultimate versions only) and is the standard tool for managing Group Policy along with Group Policy Object Editor. New Windows Vista features are not included in the current version of GPMC, downloadable from the Microsoft Download Center.
Q. Is there a maximum number of Group Policy objects that I can store in a domain?
A. Creating a Group Policy object will create a Group Policy container object, stored in Active Directory, and a Group Policy template, stored on the Sysvol of the domain controller. Both are limited only to the amount of free disk space.
Q. What is the maximum number of Group Policy objects a user or computer can process?
A. A user or computer cannot process more than 999 Group Policy objects. Windows Vista writes a Windows-GroupPolicy error event with an event ID of 1088 to the system event log when a user or computer attempts to process more than 999 Group Policy objects.
Q. Can I apply a Group Policy object directly to a security group?
A. You cannot apply a Group Policy object directly to a security group. However, you can use security filtering to refine which users or computers will receive and apply Group Policy settings. The Group Policy Management Console (GPMC) is the tool to manage security filtering. For more information about security filtering, see the Core Group Policy Technical Reference.
Q. What tools do I use to manage Group Policy?
A. Microsoft provides two management consoles to administer Group Policy. The Group Policy Management Console (GPMC) consists of a Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy objects (but not Group Policy settings). Group Policy Object Editor, also a Microsoft Management Console, is used to edit the individual settings contained within each Group Policy object.
Q. How often is Group Policy applied and how do you change it?
A. Group Policy for computers is triggered at computer startup. For users, Group Policy is triggered when they log on. Versions of Windows before Windows XP as well as Windows Server 2003 use synchronous processing, meaning that computer Group Policy is completed before the logon dialog box is presented. User Group Policy is completed before the shell is active and available for the user to interact with it. Windows XP defaults to asynchronous policy processing. By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer located in the Computer Configuration\Administrative Templates\System\Group Policy namespace. The processing of Group Policy is explained in the Core Group Policy Technical Reference.
Q. How long does it take to process policy settings?
A. Under synchronous processing, there is a time limit of 60 minutes for all of Group Policy to finish processing on the client computer. Any client side extensions (CSE) that are not finished after 60 minutes are signaled to stop, in which case the associated policy settings might not be fully applied.
Q. What is processed under slow link behavior?
A. Administrative Templates and Security Settings are applied over a slow link and the behavior cannot be changed. By default, Software Installation, Scripts, and Folder Redirection will not process over a slow link. You can change the default Policy process behavior for these client side extensions using Group Policy Object Editor. These settings are located at Computer Configuration\Administrative Templates\System\Group Policy.
Q. What is Security Policy?
A. Security policies are rules that administrators configure on a computer or multiple computers for protecting resources on a computer or network. The Security Settings extension of the Group Policy Object Editor snap-in allows you to define security configurations as part of a Group Policy object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and enable administrators to manage security settings for multiple computers from any computer joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization.
Q. Where is the local Security Policy stored?
A. The security database in Windows 2000 had a specific table to store local security policy settings. This approach was changed in Windows XP and Windows Server 2003. Local security policy settings are written directly to their respective locations in the registry.
Q. I removed some security settings but they are still in effect. Why?
A. Under some circumstances, Windows Security Settings remain in effect after being set to undefined. In some cases, these security settings need to be explicitly overwritten to be removed. For more information, see Windows Security Settings remain in effect after removal.
Q. What is loop back processing?
A. Group Policy loop back processing can be used to alter the application of GPOs to a user by including GPOs based on the location of the computer object. The typical way to use loop back processing is to apply GPOs that depend on the computer to which the user logs on.
