University of Colorado at Boulder    
UCB Windows 2000 Resource Center

 

 

GPO Basics in the UCB AD

What is a GPO?

The name "Group Policy Object" can be misleading, as GPOs are not directly related to user groups. A Group Policy Object (GPO) is a set of configuration information that can be applied to users or computers, and it contains sections of policy specifically devoted to each. GPOs are similar to System Policies under Windows NT 4, but much more extensive and flexible.

GPOs are objects in an Active Directory (AD) that can be viewed by looking at the properties of an organizational unit (OU), domain or site. These three types of containers (OUs, domains and sites) are the places where GPOs can be applied. Most departments will only deal with applying GPOs at the OU level. When a GPO is applied, it affects all users and computers from that level down through the hierarchy unless specifically blocked. (See the "What is special about using GPOs at UCB?" section of this document for details on applying user policy in the UCB AD.)

Application of a GPO can be finely tuned by altering the permissions on the GPO itself to prevent it from being applied to certain users or computers.

There are hundreds of settings available in GPOs that allow for control of numerous items including the user's desktop environment, local security settings, logon scripts, software publishing, and much more.

What can a GPO do for me?

GPOs allow IT administrators to easily configure computers and user environments for large numbers of clients. This means that less configuration has to be done at each workstation or to a base workstation image. It also means that the configuration can be more dynamic and changes can quickly and easily be made to all workstations without having to configure workstations individually.

What is special about using GPOs at UCB?

Loopback Processing
While applying the computer portion of GPOs works as expected at UCB, applying the user portion is more complicated because the user objects are located in a single, central OU. To allow the user portion of a GPO to be applied when the user object is not directly within the scope of the GPO, loopback processing must be enabled. This setting in a GPO (located within Computer Configuration, Administrative Templates, System, Group Policy) allows the user portion of a GPO to be applied when only the computer being used is within the scope of the GPO.

Loopback processing has two modes: replace and merge. Replace mode overwrites any existing policies on the users with the ones specified on the computer, whereas merge mode combines the two sets of policy. Because of the extra processing needed to combine policies, merge mode leads to slower logins. Since ITS places no user-based policy on the central user objects, you can safely use replace mode.
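
The following is an added example, not part of the original ITS page: a simplified Python model of which user settings result with loopback disabled, in merge mode, and in replace mode. The OU paths, GPO names and settings are constructed for illustration, and the model ignores domain- and site-level links, blocking, and permission filtering.

```python
# Simplified model of how loopback processing selects user settings.
# All OU paths, GPO names and settings are constructed for illustration.

# Each container maps to the GPOs linked there: (name, user-portion settings).
UCB_LINKS = {
    "Users": [],  # central user OU: no user-based policy, as the page states
    "Depts/PHYS": [("PHYS-Lab-Desktop", {"HideControlPanel": True,
                                         "LogonScript": "phys-lab.cmd"})],
}

# Hypothetical directory where the user OU does carry policy, to show
# where merge and replace diverge.
OTHER_LINKS = {
    "Users": [("Central-Users", {"LogonScript": "central.cmd",
                                 "Wallpaper": "campus.bmp"})],
    "Depts/PHYS": UCB_LINKS["Depts/PHYS"],
}

def gpos_in_scope(ou_path, links):
    """GPOs from the top of the hierarchy down to ou_path, in apply order."""
    parts = ou_path.split("/")
    found = []
    for depth in range(1, len(parts) + 1):
        found.extend(links.get("/".join(parts[:depth]), []))
    return found

def resultant_user_settings(user_ou, computer_ou, loopback, links):
    """loopback: None (disabled), "merge" or "replace"."""
    user_gpos = gpos_in_scope(user_ou, links)
    computer_gpos = gpos_in_scope(computer_ou, links)
    if loopback is None:
        ordered = user_gpos
    elif loopback == "merge":
        ordered = user_gpos + computer_gpos   # computer's GPOs last: they win conflicts
    elif loopback == "replace":
        ordered = computer_gpos               # user's own GPO list is ignored
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    settings = {}
    for _name, user_portion in ordered:
        settings.update(user_portion)         # later GPOs overwrite earlier ones
    return settings

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_settings("Users", "Depts/PHYS", mode, UCB_LINKS))
```

With the UCB-style layout, merge and replace produce the same settings, and with loopback disabled the department's user settings never reach the user.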

GPO Naming
Like user groups, GPO names must be unique within a domain. To prevent naming conflicts, ITS asks that departments prefix the names of their GPOs with their department's name or abbreviation.

Where can I learn more about GPOs?

Here are some good resources to learn more about Group Policy Objects:

Getting Help

help@colorado.edu

       
 

Last reviewed: October 30, 2006

© 2000
The Regents of the University of Colorado