Professional Documents
Culture Documents
What Is A GPO
What Is A GPO
A GPO, or Group Policy Object, is an object you set up to configure your clients or
servers. The benefit of using a GPO is that you can configure a large number of clients
or servers centrally from one or more policies. Also, the GPO settings get re-applied
every 60 – 120 minutes ensuring a consistent environment.
Computer settings contain settings that are OS specific, like the size of the event logs,
user rights assignment or network settings.
User settings contain settings that are specific to user accounts, like layout of the
desktop, start menu and application settings.
There are literally thousands and thousands of settings that can be configured and the
GPO framework can easily be expanded to accommodate new settings.
The following picture show you the computer and user settings of a typical GPO in the
Group Policy Editor:
Most (but not all) settings get re-applied every 60 – 120 minutes.
Where Are GPO’s Stored?
GPO’s are stored partly in your Active Directory database and partly in the
replicated Sysvol folder shared by domain controllers. This is just something you should
know in case of troubleshooting.
In your daily management you’ll not be accessing the Active Directory objects nor the
Sysvol folders directly, perhaps with the exception of logon scripts which are normally
placed manually in the Sysvol folder together with the GPO files.
When you open up the GPMC tool you’ll be able to see the OU structure of your domain
which makes good sense: In order to apply a group policy you must link it with an OU.
Once the GPO is linked it will start applying to the users and/or clients in the linked OU
and any sub OU’s (see the next section for more details on this).
To create a new GPO right click the OU where you want to link it and select “Create a
GPO in this domain, and Link it here…”:
This will create a new GPO object which you can then open up and configure with the
desired settings:
Notice that this action will create two things: The GPO itself and the GPO link which
ensures the GPO is applied to users and/or computers in the OU (and sub-OU’s). It
makes a big difference if you delete the GPO link or the GPO itself so make sure you
understand the difference!
A GPO can be linked to multiple OU’s and editing the GPO will affect all GPO links!
A GPO can also be linked to a site object. This feature is not used very often but may
be useful when you want to configure devices according to their network location.
At the bottom section of the GPMC tool you’ll find an overview of all the GPO’s in the
domain. This is the place to look for a specific GPO if you don’t really know where it’s
linked:
First of all:
Computer objects in AD receive computer settings (only) from GPO’s which are linked
to the computer’s OU or parent OU’s.
User objects in AD receive user settings (only) from GPO’s which are linked to the
user’s OU or parent OU’s.
Exceptions to this rule exist! Please read the entire section carefully!
A GPO can have it’s computer settings or user settings disabled. Use this to speed up
GPO processing on clients by disabling the computer settings of GPO’s that only hold
user settings, vice versa. Disabling both computer and user settings will effectively
disable the GPO.
Since multiple GPO’s can have conflicting settings and since even computer and user
settings can sometimes configure the same setting, an important question arises:
What are the effective settings applied in the case of multiple, conflicting GPO’s?
First of all, you should avoid configuring conflicting settings in your GPO’s. But
nevertheless these are the “basic” rules of GPO appliance:
GPO’s set with a lower link order (e.g. 1) on the same OU will override
GPO’s set with a higher link order (eg. 3) on the same OU
GPO’s set at a lower level OU will override GPO’s set at a higher level OU
This basically means, the lower in your OU hierarchy you configure the GPO’s the more
dominant they are (as they get applied last, thereby overwriting previously applied
settings).
In the below example, the GPO with the highest link order will win over any conflicting
settings in lower link order GPO’s:
Note! The order of the GPO’s below the domain object in the left-hand side are simply
ordered alphabetically! You must look at the Link Order in the right-hand side.
In the below example, the GPO linked to the lower level OU (“Desktop Configuration”)
will win over any conflicting settings in GPO’s linked on a higher level (closer to the
domain object):
In addition to this, in the case of conflicting user and computer settings you should
understand the following:
To complicate things even further, the GPO appliance can be modified with the
following:
Link disabled
No override
Block inheritance
Loopback processing
WMI filtering
Security filtering
Link disabled is when you disable the GPO link. The GPO is linked to the OU, but the
link is disabled. In that case nothing get’s applied from the GPO. This is primarily used
during testing.
No override means that settings in the GPO can’t be overridden by lower level GPO
settings. This is normally used to keep lower level administrators from overriding
enterprise settings.
Block inheritance is a feature of OU’s (not GPO’s) and ensures that GPO’s set at higher
level OU’s are not applied to the computer or user objects in the OU (or sub-OU’s).
Notice that no override takes precedence over block inheritance.
With Replace the user settings from the GPO’s affecting the user object are
skipped entirely. This is useful in e.g. a terminal server environment where
you don’t want random user GPO’s to mess up your terminal server.
With Merge the user settings from the GPO’s affecting the user are
processed on top of the user settings from the GPO’s affecting the
computer.
WMI filtering allows you to filter your targets with a WMI filter. A WMI filter can query
anything in WMI e.g. operating system version, bios version, disk size, hardware type,
etc. WMI filters are defined in the WMI Filters section in GPMC and once defined they
can be added to your group policy in the scope tab of the policy.
Finally, GPO appliance can be modified by security filtering which is covered in the next
section.
This might not be something you notice initially as Authenticated Users are assigned
Read and Apply by default. As both domain users and domain computers belong to this
group the GPO is applied indiscriminately to all of them.
But sometimes you may want to restrict the GPO appliance to a single user or
computer, e.g. during testing of a new GPO.
This is achieved either by removing the Apply permission from Authenticated Users or
removing Authenticated Users entirely from the GPO’s ACL:
… And then assigning Read and Apply manually to the user or computer you use for
testing:
This method is referred to as security filtering. It’s mainly used for testing and when you
have a sub-optimal correspondence between your OU design and GPO appliance
needs. Check the next section for more information regarding this.
Another reason to change your GPO ACL is delegation. This does not relate to GPO
appliance but is a matter of GPO management.
But now you have a GPO with enterprise settings that you want to assign to all
marketing users in the organization. You have a few options now:
The good: Use security filtering (as described in the previous section) to
target all Marketing users and link it on top level
The bad: Link the GPO with the marketing OU in all countries Marketing
OU’s (that’s a lot of linking!)
The ugly: Create a single OU with all marketing users
Obviously the last solution does not match the security needs for delegation of AD
objects so it should not even be considered. The need for delegation of AD objects
should be your prime concern when designing our OU structure.
GPUpdate
You can trigger GPO processing on your system using the GPUpdate command. Use
the /Force parameter to ensure full processing and limit the scope with the /Target
parameter, e.g.:
GPResult
On clients the number one tool for troubleshooting GPO appliance is the GPResult
command. It takes various parameters of which the most commonly used are /R and
/Scope.
As an example, the following command will show you GPO appliance information
related (only) to computer settings:
GPResult /R /Scope:Computer
Replace Computer with User to only get GPO info for user settings. Leave out the
/Scope parameter entirely for full information.
The output from the above command has various sections of information. Each section
provides valuable information for troubleshooting your GPO processing.
Let’s have a look at the different sections and what information it provides:
CN=DC-01,OU=Domain Controllers,DC=gigacorp,DC=local
Last time Group Policy was applied: 8/10/2020 at 8:48:31 PM
Group Policy was applied from: DC-01.gigacorp.local
Group Policy slow link threshold: 500 kbps
Domain Name: GIGACORP
Domain Type: Windows 2008 or later
The information here is a list of GPO’s that were applied to your system. Obviously very
important to understand if you’re receiving settings from the GPO’s you expect.
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
802.1x LAN Authentication
Filtering: Denied (Security)
Here you see a list of GPO’s that were not applied due to security filtering. This lets you
confirm if the security filtering you have setup is actually working.
And finally, a list of the security groups of which your computer is a member. This
information can help you troubleshoot situations where security filtering is not working.
Double check if your computer is actually a member of the group you’re using in your
security filter. If the group is not there, investigate if any recent change in group
membership has replicated to the DC from which you received the GPO.
With security filtering you can easily test any new GPO’s without affecting live users and
systems.
Complete your GPO security filtering with the use of Dynamic Groups. Our free tool will
allow you to automate your setup based on user and computer attributes.
Using GPResult on the client or RSoP server side you can quickly troubleshoot GPO
Group Policies can also be managed with the GroupPolicy module for PowerShell.
Using PowerShell you can perform tasks that are not feasible doing manually.
As an example on how to manage GPO’s with PowerShell have a look at this article. It
shows you how to quickly analyze every single GPO in your domain for security filtering
and custom delegation, using only PowerShell and Excel.