Group Policies are computer or user settings that can be defined to control or secure the Windows server and client infrastructure. Understanding GPO in Windows Server 2012 before actually configuring and applying policy settings is very important. It is easy to understand GPO in Windows Server 2012. There are some new features of GPO in Windows Server 2012.
Understanding GPO in Windows Server 2012
Two main components of GPO are, GPO Object and GPO Policy Settings.
GPO Object: – GPO Object is an active directory object that has various group policy settings. These policy settings can be user settings or computer settings and can be applied to user or computers. GPO objects are stored in GPO container. The GPO object is stored in active directory database and each object has its own unique GUID (Globally Unique Identifier).
GPO Policy Settings: – GPO policy settings are the real settings within GPO object that defines particular action. GPO policy settings comes from GPO templates which are stored in SYSVOL folder of each domain controller. For example, Prohibit Access to Control Panel is a GPO policy setting that will simply disable access to control panel. Most of the GPO settings can be enabled, disabled or not configured. The example is shown below,
When you create a group policy, the GPO object is created and stored in GPO container in active directory and at the same time, GPO template is created and stored in SYSVOL folder. After creating a group policy, it can be linked to Sites, Domains and OUs. Group policy is process in the order of LSDOU: –
- Local Group Policy
- Organizational OUs
There are certain things that you should remember while creating and applying GPO settings. As stated earlier there are computer settings and user settings of each GPO object. Computer settings are applied at startup of the client machine. User settings are applied at use logon. Policies refresh can be initiated manually by using, C:\> gpupdate /force command or C:\> Invoke-Gpupdate powerShell cmdlet.
In fresh domain controller there are two default group policy settings configured. They are: –
- Default Domain Policy: – This policy is linked to the entire domain and has policies like password policies, account lockout policies and kerberos protocol policies. It is recommended that not to edit this policy. If you want to link new group policy then create new GPO and link to the domain.
- Default Domain Controller Policy: – This policy setting is applied to domain controllers and is linked to domain controllers OU. This policy affects domain controllers only.