Windows Server - Group Policy Objects

What are Group Policy Objects (GPOs)?

GPOs standardize your organization’s settings

A GPO is an object that contains one or more policy settings for configuring users or computers.  Group Policy settings allow administrators to enforce settings by modifying the computer‑specific and user‑specific settings on domain‑based computers. You configure Group Policy settings in GPOs, which you can then link to containers or organizational units that contain users or computers.

GPOs have Computer and User settings

The Group Policy Management Editor window displays the individual Group Policy settings that are available in a GPO. The window displays the settings in an organized hierarchy that is divided into Computer Configuration and User Configuration nodes. Settings that are user-centric are in the User Configuration Node. Settings that are computer-centric are in the Computer Configuration Node.

Group Policy templates and containers

Group Policy templates and containers

A GPO has a template and a container

A GPO is made up of two components a Group Policy Template and a Group Policy Container. These components work together to define the GPO and keep it updated.

	Description	Location
Group Policy Template	Contains Group Policy settings	Stored in shared SYSVOL folder
Group Policy Container	Stores version information	Stored in AD DS directory

Group Policy Templates are the settings

Group Policy templates are the actual collection of settings that you can modify. The Group Policy template includes files that are stored in the SYSVOL of each domain controller. SYSVOL is in the %SystemRoot% \SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the globally unique identifier (GUID) of the Group Policy container. When you create a GPO, a new Group Policy template is created in the SYSVOL folder.

Group Policy Containers are the objects

The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a GUID attribute that identifies the object uniquely within AD DS. The Group Policy container defines basic attributes of the GPO, such as links and version numbers, but it does not contain any of the settings. When you create a GPO, a new Group Policy container is created in AD DS.

Windows Server - Group Policy Organization

How are group policies organized?

GPO policy settings are organized by Software, Windows, and Templates

Within User and Computer Configurations the policy settings are organized by Software Settings, Windows Settings, and Administrative Templates.

Section	Description
Software Settings	Contains software settings that you can deploy to the user or the computer. Software that you deploy to a user is specific to that user. Software that you deploy to the computer is available to all users of that computer.
Windows Settings	Contains script settings and security settings for both user and computer, and Internet Explorer maintenance settings for the user configuration.
Administrative Templates	Contain hundreds of settings that modify the registry to control various aspects of the user and computer environment. Microsoft or other vendors may create new administrative templates, such as Microsoft Office templates, which you can download from the Microsoft website, and then add to the Group Policy Management Editor.

Local GPOs. All computers that are running Microsoft Windows client or server operating systems also have available local GPOs. Local policy settings only apply to the local machine, but you can export and import them to other computers. GPO Versioning. Not all GPO settings apply to all versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores the setting.