Group Policy is a feature of Microsoft Windows Active Directory that allows administrators to manage the configurations of users and computers across a network from a central location.
Group Policy (GP) is one of the most powerful tools in a Windows administrator's arsenal. It provides an infrastructure for centralized configuration management of the operating system, application settings, and user settings.
### Group Policy Objects (GPOs)
Settings are defined in Group Policy Objects (GPOs), which are collections of configuration settings. These GPOs are then 'linked' to Active Directory containers such as Domains, Sites, or Organizational Units (OUs).
### What Can You Control?
- Security Settings: Enforce password complexity, disable USB ports, or configure Windows Firewall.
- Desktop Configuration: Set the desktop wallpaper, redirect folders (like Documents) to a server, or hide specific control panel items.
- Software Installation: Automatically push out software packages to all computers in an OU.
- Scripts: Run specific scripts at startup, shutdown, logon, or logoff.
### Processing Order (LSDOU)
Group Policies are applied in a specific order, and when settings conflict, the policy applied later wins:
1. Local: The local computer policy.
2. Site: Policies linked to the AD Site.
3. Domain: Policies linked to the AD Domain.
4. Organizational Unit (OU): Policies linked to the specific OU (lower OUs override higher ones).
🧒 Explain Like I'm 5
📜 Imagine a school where the principal can write a set of rules on a master board, and those rules automatically appear in everyone's notebook. Group Policy is that board—it's how a boss sets the 'rules of the road' for every computer in the company at once.
🤓 Expert Deep Dive
Group Policy relies on the Client-Side Extensions (CSE) on each Windows machine to pull and apply settings from the KDC/Domain Controller. GPOs are stored in two parts: the Group Policy Container (GPC) in Active Directory (stores metadata) and the Group Policy Template (GPT) in the SYSVOL share (stores actual settings files like Registry.pol). For troubleshooting, administrators use tools like gpresult and rsop.msc to determine the Resultant Set of Policy. Modern cloud-managed environments often supplement or replace traditional GPOs with Microsoft Intune (MDM) policies, which use a different delivery mechanism but achieve similar configuration goals.
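The Registry.pol file mentioned above can be read offline when auditing what a GPO actually sets. The following is an added example, not code from the original page: it parses the file layout (a `PReg` signature and version 1, then UTF-16LE `[key;value;type;size;data]` records). The sample bytes are constructed, `Software\Policies\Example` is a placeholder key, and the helper names are illustrative.

```python
import struct

REG_SZ, REG_DWORD = 1, 4  # registry value types decoded below

def _expect(buf, pos, char):
    """Require a UTF-16LE delimiter at pos and return the offset after it."""
    if buf[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos, delim):
    """Consume delim, then a NUL-terminated UTF-16LE string: (text, next offset)."""
    end = pos = _expect(buf, pos, delim)
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf):
    """Return (key, value_name, type, data) for each record in Registry.pol bytes."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, settings = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, pos, "[")
        name, pos = _wstr(buf, pos, ";")
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")  # also fails if data was cut short
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif reg_type == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\x00")
        settings.append((key, name, reg_type, data))
    return settings

def _record(key, name, reg_type, data):  # builds one constructed sample record
    head = f"[{key}\x00;{name}\x00;".encode("utf-16-le")
    mid = struct.pack("<IHIH", reg_type, ord(";"), len(data), ord(";"))
    return head + mid + data + "]".encode("utf-16-le")

SAMPLE = (b"PReg" + struct.pack("<I", 1)  # constructed bytes, not from a real GPO
    + _record(r"Software\Policies\Microsoft\Windows\RemovableStorageDevices",
              "Deny_All", REG_DWORD, struct.pack("<I", 1))
    + _record(r"Software\Policies\Example", "Banner", REG_SZ,
              "Authorized use only\x00".encode("utf-16-le")))
```

Calling `parse_registry_pol(SAMPLE)` returns one tuple per setting, which can be compared against a baseline to spot unexpected changes in a GPO's template.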