5.1 What Is Group Policy?

Group Policy is a collection of configuration settings and instructions that can apply to user accounts or to computers. Group Policy allows you to manipulate an almost unlimited array of configuration settings and provides a flexible model for applying those configuration settings to specific users or computers within your organization. Many of those settings are completely unrelated to security. For example, you can use Group Policy to deploy a single, corporate-approved desktop wallpaper bitmap to all client computers or to force all users in your organization to use a particular screensaver. Group Policy does contain security-related settings and as I mentioned previously can be used to deploy security templates for comprehensive security control of an entire enterprise. Group Policy also contains instructions to computers that can perform tasks such as installing software or running a script. Although these are technically just one-time settings, they are a bit different in their functionality.

Every Windows 2000, Windows XP, and Windows Server 2003 computer has its own Group Policy, referred to as Local Group Policy, or just local policy. Active Directory domains allow policies to be stored on and applied by the domain. These policies are collectively called domain policy. Both local and domain policies allow you to configure many of the same settings as Group Policy. The difference is that local and domain policies are configured on individual computers and domain controllers. If you change your mind about a configuration setting, you have to modify it on every computer, which can be an administrative nightmare. Figure 5-1 shows the Local Security Policy console, which you can find in the Administrative Tools section of the Start menu. You use this tool to configure the local policy of a single computer.

Figure 5-1. The Local Security Policy console

Group Policy provides a solution to the nightmare of managing distributed computers by allowing you to centrally configure settings in Active Directory. When computers and users log on to an Active Directory domain, the computers download and apply the appropriate Group Policy. Group Policy settings always override any local policy settings, allowing you to centrally manage the policy settings that affect each computer and user in your domain. As a result, Group Policy provides a perfect way to centrally configure security settings for all the computers in your organization. Any administrator with a need to centrally configure security on an organization's computers should be using Group Policy to do so.