What Is Group Policy?

One of the most indispensable features of Active Directory is Group Policy. Group Policy is a feature that allows you to centralize user and computer settings throughout a network. For example, if you have 1,000 PCs and you don’t want to spend an eternity manually configuring the shutdown/logoff/restart options in the “Start” menu, you can configure these settings in Group Policy, link it to the correct Organizational Unit(s) and voilà, all the right machines are automatically updated. It’s a huge time-saver!

(A quick diversion, just in case you're wondering what Organizational Units (OUs) are: an OU is a subsection of Active Directory in which you can organize user and group accounts as well as computers. You can also have an OU within an OU. Many organizations organize their OUs to reflect their business structure or function.)

Okay, back to our normally scheduled program. There are many policy settings, also known as Group Policy Objects (GPOs), that can be configured: folder redirection, password complexity, power settings, Windows Update, and the list goes on. Being clear about what you want to accomplish with Group Policy, how it will be processed, and how often it's updated will help you be efficient and keep things standardized.

Here are a few ways you can use Group Policy to manage your environment:

  1. System: This is a registry-based policy where you can enable or disable computer settings. Administrators can globally configure most of the settings in user profiles, such as desktop settings, “Start” menu options, or pre-populate certain menus and drop-down lists.
  2. Scripts: Configure scripts that run at computer startup/shutdown and at user logon/logoff.
  3. Software Installation: This policy assigns and publishes software to users or computers. When software is assigned to a user, it'll be available to the user after the next login. And when software is published, it gives the user the option to decide whether or not to install the published software.
  4. File deployment: If you ever need to place files in folders on the user’s computer, the file deployment policy is an extremely powerful way to complete this task.
  5. Security: The security policy specifies local computer, domain and network security settings. It allows an administrator to restrict user access to files and folders, configure how many failed login attempts will lock an account, enforce a password complexity policy that prevents users from choosing an overly simple password, and allow or prevent unidentified users on remote computers from connecting to a network share.

How Group Policy Objects Are Processed

GPOs are applied in the following order, which is predictable and logical:

  1. Local policies are applied first
  2. Site – Any GPOs that have been linked to the site that the computer belongs to are processed next.
  3. Domain – Domain policies are applied third
  4. Organizational Units – OU policies are applied fourth. If an object is nested inside of multiple OUs, then the GPOs are applied at the OUs closest to the root first.
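
The processing order above can be modelled in a few lines of PowerShell. This is an added example, not code from the original article; the function name Get-GpoProcessingOrder, the computer DN, the site name and every GPO link are constructed sample data, and the function only parses strings, so it runs without Active Directory.

```powershell
# Added example: lists GPOs in Local -> Site -> Domain -> OU order.
# Get-GpoProcessingOrder is a hypothetical helper; all data is constructed.
function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)] [string]    $ComputerDN,
        [Parameter(Mandatory)] [string]    $SiteName,
        [Parameter(Mandatory)] [hashtable] $GpoLinks   # container -> GPO names
    )

    # Split the DN on commas that are not backslash-escaped.
    $parts    = $ComputerDN -split '(?<!\\),'
    $dcParts  = @($parts | Where-Object { $_ -match '^DC=' })
    $ouParts  = @($parts | Where-Object { $_ -match '^OU=' })  # leaf-first in a DN
    $domainDN = $dcParts -join ','

    # Steps 1-3: local policy, then site, then domain.
    $order = @(
        [pscustomobject]@{ Level = 'Local';  Container = 'LocalPolicy' }
        [pscustomobject]@{ Level = 'Site';   Container = "Site:$SiteName" }
        [pscustomobject]@{ Level = 'Domain'; Container = $domainDN }
    )

    # Step 4: OUs, closest to the root first (walk the DN from right to left).
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $ouDN   = (@($ouParts[$i..($ouParts.Count - 1)]) + $domainDN) -join ','
        $order += [pscustomobject]@{ Level = 'OU'; Container = $ouDN }
    }

    # Emit one row per GPO, numbered in the order it would be applied.
    $step = 0
    foreach ($c in $order) {
        foreach ($gpo in @($GpoLinks[$c.Container])) {
            if ($null -eq $gpo) { continue }   # nothing linked at this level
            $step++
            [pscustomobject]@{ Step = $step; Level = $c.Level; LinkedAt = $c.Container; Gpo = $gpo }
        }
    }
}

# Constructed sample: a workstation nested two OUs deep.
$links = @{
    'LocalPolicy'                                   = @('Local Group Policy')
    'Site:Seattle-HQ'                               = @('Site Proxy Settings')
    'DC=corp,DC=example'                            = @('Domain Password Policy')
    'OU=Seattle,DC=corp,DC=example'                 = @('Seattle Power Settings')
    'OU=Workstations,OU=Seattle,DC=corp,DC=example' = @('Workstation Start Menu')
}
Get-GpoProcessingOrder -ComputerDN 'CN=PC-042,OU=Workstations,OU=Seattle,DC=corp,DC=example' `
    -SiteName 'Seattle-HQ' -GpoLinks $links | Format-Table -AutoSize
```

On a live domain-joined machine, `gpresult /r` reports the GPOs that were actually applied, which is the output to compare this model against.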

How Often Group Policy Is Updated

Group Policy is updated every 90 minutes, with a random offset of up to 30 minutes. That means that, by default, there can be up to a 120-minute wait. Group Policy for the computer is always updated when the system starts. You can specify an update rate from 0 to 64,800 minutes (or 45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. Short update intervals aren't recommended, because updates might increase network traffic.

As you can see, Group Policy is an essential tool for automating otherwise tedious and time-consuming tasks.  Do you have tried and true Group Policies that are indispensable to you as a sysadmin? If so, we’d love to hear about them in the comments!
