Group Policy is a Microsoft technology for managing computers and users centrally. It allows desktop and other settings of computers and users to be customized from one place, and it can also install and uninstall applications.
Policies address security needs at different levels. They can be described as management tools that automate operations that would take a lot of time if done manually, such as creating the working environments users need, granting or restricting certain user rights, and installing the programs users need.
Group Policy is object-based. The settings and rules we want to apply are stored in files called Group Policy Objects (GPOs). We use the Group Policy Editor to define and create these rules. The computer reads the GPO we have created and applies the settings specified in it.
In general, there are two types of policies. The first is the policy for a single computer, stored locally on that computer. The second is the policy that is set from a central place (the Domain Controller) in a domain environment and configures multiple computers. Local and domain policies can be applied to a computer at the same time, but the domain Group Policy always takes precedence over the local policy.
Policy Types
In general, we can say that there are two types of policies: local policies, and Group Policy, which can be applied to more than one computer simultaneously in a domain. Although they are prepared and applied differently, both types have the same purpose: to configure matters such as computer security and some basic user rights. Tools such as Local Group Policy and Security Configuration and Analysis are used to prepare and implement local policies, while Active Directory and Domain Group Policy are used for domain policy.
Order of Application
Policies are applied in a certain order. To understand this sequence, we must first explain what a Group Policy Container is. A Group Policy Container (GPC) is where a policy is implemented. This location can be a Site, a Domain, or an Organizational Unit (OU). These points where Group Policy can be applied are called GPCs. There is also a policy that can be applied to each computer independently of the domain, called the Local Policy. A computer with a local policy applied to it can also be a member of a domain. Depending on the container it is in within the domain of which it is a member, site, domain, OU and local policies are applied to it.
This fixed order of application is meant to prevent the confusion that could arise when different policies are applied. The policies at each level are applied in a set sequence: first the computer's local policy, then the site policy, then the domain policy, and finally the policy at the OU level. The rules of the last applied policy always remain valid. If there is no conflict between policies applied at different levels, all policies apply from top to bottom.
The order of applying Group Policy is as follows:
1. Local Group Policy
2. Domain Group Policy applied at the site level
3. Domain Group Policy applied at the domain level
4. Domain Group Policy applied at the OU level
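The "last applied policy wins" rule can be modelled as an ordered merge. The following is an added example, not part of the original article; the setting names and values are constructed for illustration and are not real policy names.

```powershell
# Constructed sample data: settings defined at each level, listed in the
# order of application described above (Local, Site, Domain, OU).
$layers = [ordered]@{
    'Local'  = @{ ScreenSaverTimeout = 900; WallpaperPath = 'C:\local.jpg' }
    'Site'   = @{ ScreenSaverTimeout = 600 }
    'Domain' = @{ DisableRunMenu = $false; WallpaperPath = '\\corp\share\wall.jpg' }
    'OU'     = @{ DisableRunMenu = $true }
}

function Resolve-EffectivePolicy {
    # Hypothetical helper: merges the levels in order, so a later level
    # overwrites an earlier one only where both define the same setting.
    param([System.Collections.Specialized.OrderedDictionary]$Layers)

    $effective = [ordered]@{}
    foreach ($level in $Layers.Keys) {
        foreach ($name in $Layers[$level].Keys) {
            $previous = $effective[$name]      # $null if not set by an earlier level
            $effective[$name] = [pscustomobject]@{
                Setting  = $name
                Value    = $Layers[$level][$name]
                WonBy    = $level
                Overrode = if ($previous) { $previous.WonBy } else { $null }
            }
        }
    }
    $effective.Values
}

# ScreenSaverTimeout ends at the Site value, WallpaperPath at the Domain value,
# DisableRunMenu at the OU value; settings with no conflict pass through unchanged.
Resolve-EffectivePolicy -Layers $layers | Sort-Object Setting | Format-Table -AutoSize
```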
How Does Group Policy Work?
Group Policy settings are created, changed, and stored in the Active Directory database. The object that holds these settings is called the Group Policy Object (GPO). Once a GPO has been created and applied, it is downloaded by the client. This process is described as Pull on the client side and Push on the Active Directory Domain Controller side. After the client downloads the GPO, it is applied to the system. On the client side, this is handled by what are called Client Side Extensions.
You can view the Group Policy Extensions section in the Registry Editor at the following path.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Here it can be seen that each Group Policy Extension has its own folder (registry key). When one of these folders is clicked, the name of the applied Group Policy Client Extension is shown. The example shows the Power Options Group Policy Extension.
When a Group Policy on Power Options is deployed, this Group Policy Client Extension applies the requested power option changes on the computer that receives the policy.
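Because every extension registered under this key is a DLL loaded during policy processing, it is worth reviewing the list on a reference machine. The following read-only inventory is an added example, not part of the original article; it assumes each subkey's default value holds the display name and that a bare DllName resolves under System32.

```powershell
# Registry key named in the text; each subkey is one Client Side Extension (CSE), named by GUID.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpClientSideExtension {
    # Hypothetical helper name. Reads the registry and file signatures only; changes nothing.
    param([string]$Path = $root)

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $dll = $_.GetValue('DllName')      # REG_EXPAND_SZ, environment variables expanded by GetValue
        # Assumption: a bare file name is resolved against System32.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            Get-AuthenticodeSignature -LiteralPath $dll
        }
        [pscustomobject]@{
            Guid      = $_.PSChildName
            Name      = $_.GetValue('')    # default value of the key (display name, by assumption)
            Dll       = $dll
            Signature = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

# One row per registered extension; an unsigned DLL or one outside the Windows
# directory is the kind of entry to look at more closely.
Get-GpClientSideExtension | Sort-Object Name | Format-Table -AutoSize -Wrap
```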
Computer Configuration and User Configuration
To open the Group Policy Management Editor on the domain, type MMC in the Start > Run menu and press Enter.
On the “Group Policy Management” page, right-click “Default Domain Policy” and click “Edit”.
Group Policy is divided into two parts: Computer Configuration and User Configuration. The rules in the Computer Configuration section are applied directly to computers, so it doesn’t matter which user is logged on to the computer. The rules in the User Configuration section are applied directly to users, so it doesn’t matter which computer the user is logged on to.
Policies and Preferences
The Computer Configuration and User Configuration sections each contain two sections called Policies and Preferences.
Policies>Software Settings
The first section under Policies is Software Settings. If you plan to distribute or manage an application with Group Policy, you can use the “Software Settings” section.
Policies>Windows Settings
The second section under “Policies” is “Windows Settings”. The policies in this section change Windows settings that affect the entire computer. As an example, you can set the Startup > Shutdown Script from this section. In the “User Configuration” section, there is a similar Logon > Logoff Script.
Policies>Administrative Templates
The third section under “Policies” is “Administrative Templates”. Administrative Templates collectively contain Group Policy settings. Here you can make many administrative settings, such as Control Panel, Network, Start Menu and Taskbar.
Preferences>Windows Settings
The first section under “Preferences” is Windows Settings. In this section, you can configure many Windows settings, such as files, folders, registry, and shortcuts.
Preferences>Control Panel Settings
The second section under “Preferences” is Control Panel Settings. In this section, you can configure many Control Panel settings, such as devices, local users and groups, network options, and power options.