Group Policy Management and Preferences in Windows 2012 R2
If you are a System Administrator or IT Manager, knowledge of Group Policy is essential for your job and for daily routine activities. As the name says, GP means the policies or settings that can be deployed for Users and Computers. Consider an example: if you have to deploy a certain setting, e.g. disable Run for the users in your Organization, how would you do that?
If you are wondering about the answer, let me tell you that just by tweaking a simple setting in GP you can disable Run or deploy other restrictions and settings, either for all the users and computers in your Organization or for a defined set of users and computers.
GP enables us to manage users and computers through the Group Policy Management Console (GPMC). The Group Policy Management Console is an administrative tool that gets installed automatically when you promote a Domain Controller. However, you can also deploy the Group Policy Management Console on a client machine to manage GP remotely. You can open it either by running the command “GPMC.MSC” or by clicking the GPMC icon in the Start menu.
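The following PowerShell is an added example, not part of the article: it makes GPMC and its GroupPolicy module available on a Windows Server 2012 R2 member server (where, unlike on a Domain Controller, the feature is not present by default) and confirms the module loads. Feature and module names are the real ones; the session is assumed to be elevated.

```powershell
# Added example (not from the article). Installs the GPMC feature on a
# member server if it is missing, loads the GroupPolicy module that ships
# with it, and opens the console. Run from an elevated PowerShell session.

# On a Domain Controller GPMC is already installed; on a member server it
# must be added. On a client OS you install RSAT instead of a feature.
$feature = Get-WindowsFeature -Name GPMC
if (-not $feature.Installed) {
    Install-WindowsFeature -Name GPMC
}

# The GroupPolicy module exposes the same operations as the console
# (New-GPO, New-GPLink, Get-GPInheritance, Get-GPResultantSetOfPolicy, ...).
Import-Module GroupPolicy
$cmdCount = (Get-Command -Module GroupPolicy | Measure-Object).Count
"GroupPolicy module loaded with $cmdCount cmdlets"

# Same as running GPMC.MSC from the Start menu.
Start-Process gpmc.msc
```

Checking with Get-WindowsFeature first keeps the script idempotent, so it can be run as part of a server build without re-installing anything.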
Group Policy cannot be deployed on Groups
Don’t fall for the name: even though it says Group Policy, the irony is that GP cannot be deployed on Groups. It can only be deployed on Users and Computers; to explain this better, we’ll write a separate article on it. GP can be used to install software, define permissions, restrict permissions, change password settings, restrict software, and so on.
Types of Group Policies
By default, three types of GP get created:
a) Local
It is used to deploy policies to the local computer. It gets created automatically on every machine irrespective of its role, i.e. Domain Controller, Member Server or Client machine. The command “gpedit.msc” opens the Local Group Policy Editor, which you can run on any Operating System, i.e. Client OS or Server OS.
b) Domain
Group Policy Management can be done for the Domain by linking a GP to the Domain and deploying settings, restrictions, etc. to all the Domain Users and Computers.
c) Domain Controller
Group Policy Management for Domain Controllers can be done by linking a GP with the Domain Controllers OU. It is used to apply settings to all the Domain Controllers.
Group Policy Management
Group Policy Management is done at various levels, which can vary depending on the hierarchy of the Organization or the scope of the settings. To remember the order of Group Policy processing, remember the word LSDOU. Let’s understand the hierarchy of GP in detail:
a) L = Local
Group Policy processing starts from the local computer. The Computer checks and applies all the policies defined locally on the computer. These are primarily for computers which are not part of the domain, but they can also be used on domain-joined computers. It is the first policy that gets applied.
b) S = Site
A Site represents a geographically dispersed location. If your organization is large, has users spread across multiple locations, and the requirement is to deploy settings to a specific location, this can be achieved by deploying a GP for the Site.
c) D = Domain
You can link the GP to the domain if you want to deploy policies to all the users or computers of that domain.
d) OU = Organizational Unit
An OU is a container for objects. Linking a GP with an OU is the most preferred method of deploying policy. You can design the OU structure as per your Organizational structure, i.e. different OUs can be created for different roles or departments. Moreover, you can create nested OUs and link GPs with them. It is the last policy that gets applied.
Group Policy Preferences
Group Policy Preferences are important to understand. Group Policy Preferences define the priority assigned to the GP.
a) OU: It has the highest priority compared to the others. In case of any conflicting situation, settings assigned to the OU win over the others.
b) Domain: The priority of settings linked with the Domain is lower than the OU but higher than the Site.
c) Site: It comes third in terms of priority.
d) Local: It has the least priority in terms of deploying settings.
Group Policy Preferences and Winning Group Policy
As we learned under processing, the Local GP gets applied first and the GP linked to the OU gets applied last. In addition, we learned under Group Policy Preferences that settings linked with the OU have the highest priority versus settings linked to the Domain, Site or local computer. Now the question is which GP would win in case of a conflict. I’ll take a simple scenario to understand Group Policy Preferences and the winning policy.
a) Local: Let’s assume that we defined the setting Disable Run on the local computer. With this setting, the user would not be able to use the Run command.
b) Site: Create a GP with the setting Enable Run for users and link it with the Site.
c) Domain: Create a GP to Disable Run for users and link it with the Domain.
d) OU: Create another GP to Enable Run for users and link it with the OU.
In the above scenario the settings conflict, and as we know, the Local Group Policy is applied first and the policy linked with the OU is applied last. Also, settings linked with the OU have the highest priority and settings linked with the local computer have the least priority.
Now the question is, “Which Policy would win in case of conflict?”
The policy that is applied last wins, i.e. the Enable Run setting we defined at the OU level wins and all the users get Run. A simple way to remember this is to remember the processing sequence or the Group Policy Preferences. We already discussed that settings linked with the OU have the highest priority, therefore Enable Run wins and all the users get Run.
Don’t get confused by the Enable and Disable options. Some people get confused and think that the policy with the more restrictive setting would always win. That is true, but only in a separate situation; we will talk about that in upcoming articles as it is a different topic.
The Local GP is applied first and the settings linked with the OU are applied last; however, the policy linked with the OU has the highest preference and the policy linked with the local computer has the least preference.
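As an added example that is not part of the article, the PowerShell below builds the Site, Domain and OU parts of the scenario above with the GroupPolicy module (the Local level is set on the machine with gpedit.msc and is not an Active Directory object), shows the link precedence the domain computes for the OU, and then verifies from the client side which setting the user actually received. Every name in it is an assumption for illustration: domain corp.example, site Default-First-Site-Name, OU Sales, client SALES-PC01, user corp\testuser. It represents “Disable Run” by the registry value the corresponding Explorer policy writes (NoRun = 1 removes Run, 0 leaves it available), which is this example’s assumption rather than something the article states.

```powershell
# Added example (not from the article). Creates the S, D and OU GPOs of the
# conflict scenario, links them, and checks which value wins for a user.
# Assumed names: domain corp.example, site Default-First-Site-Name,
# OU "Sales", client SALES-PC01 with corp\testuser logged on.
# Run as a Domain Admin on a machine with GPMC installed.
Import-Module GroupPolicy

$domainDn = "DC=corp,DC=example"
$siteDn   = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$domainDn"
$ouDn     = "OU=Sales,$domainDn"
$runKey   = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# b), c) and d) of the scenario. a) Local is not created here because it
# lives on the computer itself (gpedit.msc), not in Active Directory.
$scenario = @(
    @{ Name = "Site - Enable Run";    Target = $siteDn;   NoRun = 0 },
    @{ Name = "Domain - Disable Run"; Target = $domainDn; NoRun = 1 },
    @{ Name = "OU - Enable Run";      Target = $ouDn;     NoRun = 0 }
)

foreach ($s in $scenario) {
    if (-not (Get-GPO -Name $s.Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $s.Name -Comment "LSDOU conflict example" | Out-Null
    }
    # Write the user-side registry value this policy stands for
    # (assumed mapping: NoRun 1 = Disable Run, 0 = Enable Run).
    Set-GPRegistryValue -Name $s.Name -Key $runKey -ValueName "NoRun" `
        -Type DWord -Value $s.NoRun | Out-Null
    # -Enforced No keeps normal LSDOU order; an enforced link would change it.
    try {
        New-GPLink -Name $s.Name -Target $s.Target -LinkEnabled Yes `
            -Enforced No -ErrorAction Stop | Out-Null
    } catch {
        Write-Verbose "Link for $($s.Name) already exists: $_"
    }
}

# What the domain computes for the Sales OU: its own links plus the links
# it inherits from the containers above it, in precedence order, so the
# OU-linked GPO is listed ahead of the Domain-linked one.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced | Format-Table -AutoSize

# Push the change to the client, then check from the user's point of view.
Invoke-GPUpdate -Computer "SALES-PC01" -Target User -Force

# Which GPOs reached this user ("Applied Group Policy Objects" section).
gpresult /s SALES-PC01 /user corp\testuser /scope user /r

# The value that actually won. HKCU in a remote session would be the
# admin's hive, so read the target user's hive under HKEY_USERS\<SID>
# (the hive is loaded while that user is logged on).
$account = New-Object System.Security.Principal.NTAccount("corp\testuser")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$effective = Invoke-Command -ComputerName "SALES-PC01" -ArgumentList $sid -ScriptBlock {
    param($sid)
    $path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    (Get-ItemProperty -Path $path -Name NoRun -ErrorAction SilentlyContinue).NoRun
}
# In this scenario the OU-linked "Enable Run" GPO is applied last and wins
# over the Domain-linked "Disable Run" GPO, so the value read back is 0.
"Effective NoRun for corp\testuser on SALES-PC01: $effective"
```

Reading the value back from the user’s hive is the check that matters operationally: link order tells you what should win, while the registry value tells you what the user got, which is also how you spot an enforced link or a blocked-inheritance OU that has changed the LSDOU order described in the article.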