Active Directory: Group Policies in Windows


The following is a guide to Group Policies in Windows regarding the LSU OCS Active Directory system.

Group Policies allow Organizational Unit administrators to define procedures and set restrictions on computer and user objects within an OU. In the LSU Active Directory, Group Policy Objects are defined at the Organizational Unit level and filter down to child objects such as Organizational Units, User Objects, and Computer Objects. Group Policies can be used to secure lab environments, for example by removing users' access to system-sensitive tools like the Registry Editor. Group Policies can also be used to deliver applications and scripts to users.

The Microsoft Windows 2000 Server Resource Kit has the following to say about Group Policy:

“Group Policy allows you to stipulate users' environments only once, and to rely on the operating system to enforce them thereafter.”

“Group Policy objects are not profiles. A profile is a user environment setting that a user can change, such as: desktop settings, registry settings in NTUser.dat files, profiles directory, My Documents, or Favorites. You, as the administrator, manage and maintain Group Policy, an MMC hosted administrative tool used to set policy on groups of users and computers.”

“By default, Group Policy is inherited from site, to domain, and finally to the organizational unit level. The order and level in which you apply Group Policy objects (by linking them to their targets) determines the Group Policy settings that a user or computer actually receives. Furthermore, policy can be blocked at the Active Directory site, domain, or organizational unit level; or policy can be enforced on a per Group Policy object basis. This is done by linking the Group Policy object to its target and then setting the link to no override.”

“By default, Group Policy affects all computers and users in the site, domain, or organizational unit, and does not affect any other objects in that site, domain, or organizational unit. In particular, Group Policy does not affect security groups.”

“Instead, you use security groups to filter Group Policy; that is, to alter its scope. This is done by adjusting the Apply Group Policy and the Read permissions on the Group Policy object for the relevant security groups, as explained later in this chapter. The location of a security group in Active Directory is irrelevant to Group Policy.”
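
The processing rules quoted above (site, then domain, then OU; blocking; No Override; security-group filtering) can be traced with a small model, added here as an example; it is not LSU's or Microsoft's code. It is a simplification that assumes one flat set of settings per GPO and ignores local policy, Deny permissions, and the split between user and computer settings; all GPO names, group names and setting keys are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict
    # Security groups holding both Read and Apply Group Policy on this GPO.
    apply_groups: set = field(default_factory=lambda: {"Authenticated Users"})

@dataclass
class Container:  # a site, domain or OU
    name: str
    links: list = field(default_factory=list)  # (Gpo, no_override); later link wins
    block_inheritance: bool = False

def resultant_policy(path, member_of):
    """path: site, domain, then OUs from parent to child.
    member_of: security groups of the user or computer being evaluated.
    Returns {setting: (value, name of the GPO that won)}."""
    # Blocking on a container discards ordinary links from every container above it.
    first_kept = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(path):
        for gpo, no_override in container.links:
            if not (gpo.apply_groups & member_of):
                continue  # security filtering puts this GPO out of scope
            if no_override:
                enforced.append(gpo)  # No Override links survive blocking
            elif depth >= first_kept:
                normal.append(gpo)
    result = {}
    # Last writer wins: ordinary links in site -> domain -> OU order, then
    # No Override links from the lowest container up, so the highest prevails.
    for gpo in normal + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample hierarchy; every name and setting below is illustrative.
baseline = Gpo("Domain Baseline", {"registry_editor": "allowed", "idle_lock_secs": 900})
security = Gpo("Domain Security", {"locked_screensaver": "on"})
lockdown = Gpo("Lab Lockdown", {"registry_editor": "disabled", "locked_screensaver": "off"})
lab_admin = Gpo("Lab Admin Tools", {"registry_editor": "allowed"}, {"Lab Admins"})
PATH = [Container("Campus-Site"),
        Container("example.edu", [(baseline, False), (security, True)]),
        Container("OU=Labs", [(lockdown, False), (lab_admin, False)], block_inheritance=True)]

if __name__ == "__main__":
    print(resultant_policy(PATH, {"Authenticated Users"}))
    print(resultant_policy(PATH, {"Authenticated Users", "Lab Admins"}))
```

For an ordinary lab account, the blocked OU drops the domain baseline but not the No Override security GPO, which also overrides the lab GPO's conflicting setting; a member of the filtered group additionally receives the admin-tools GPO.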

