Platform SDK: Group Policy

Group Policy Object

A Group Policy Object (GPO) is a virtual collection of policy settings. It is identified by a unique name, such as a GUID. A GPO can represent policy settings in up to three locations: the registry, the file system, and Active Directory. The structure of a GPO can be represented as shown in the following illustration.

Note that policy settings are divided into settings that affect a computer and settings that affect a user. Computer-related policies specify system behavior, application settings, security settings, assigned applications, and computer startup and shutdown scripts. User-related policies specify system behavior, application settings, security settings, assigned and published applications, user logon and logoff scripts, and folder redirection. The convention is that computer-related settings override user-related settings.

A GPO can be linked to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one linked GPO, as shown in the following illustration.

The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups. Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor, select the Security tab of the property page for the GPO.
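The following PowerShell script is an added example and is not part of the Platform SDK documentation or of any Microsoft sample. It uses the GroupPolicy and ActiveDirectory modules (installed with RSAT or the Group Policy Management Console) to show, for one GPO, the three storage locations described above, the containers the GPO is linked to, the link order on one container, and the security groups that filter it. The GPO display name, the domain name, and the organizational unit distinguished name are assumed sample values; substitute your own.

```powershell
# Added example (not from the Platform SDK page): audit where a GPO is stored,
# where it is linked, and which security principals it is filtered to.
# The GPO name, domain and OU below are assumed sample values.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Workstation Baseline'                   # assumed sample GPO name
$Domain   = 'example.com'                            # assumed sample domain
$TargetOu = 'OU=Workstations,DC=example,DC=com'      # assumed sample OU

$gpo = Get-GPO -Name $GpoName -Domain $Domain

# 1. The three locations. The GUID names both the Active Directory object
#    (groupPolicyContainer under CN=Policies,CN=System) and the SYSVOL folder;
#    the registry-based settings live in Registry.pol files, split into the
#    computer (Machine) and user (User) halves the page describes.
$sysvol = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
[pscustomobject]@{
    Id              = $gpo.Id
    ActiveDirectory = $gpo.Path
    FileSystem      = $sysvol
    ComputerPolicy  = Join-Path $sysvol 'Machine\Registry.pol'
    UserPolicy      = Join-Path $sysvol 'User\Registry.pol'
    Status          = $gpo.GpoStatus     # e.g. AllSettingsEnabled, UserSettingsDisabled
} | Format-List

# 2. Every container that links this GPO. Links are stored in the gPLink
#    attribute of sites, domains and OUs; sites live in the configuration
#    partition, so both naming contexts are searched.
$rootDse = Get-ADRootDSE
$linkFilter = "(gPLink=*$($gpo.Id)*)"
foreach ($nc in @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)) {
    Get-ADObject -LDAPFilter $linkFilter -SearchBase $nc -Properties gPLink |
        Select-Object DistinguishedName, ObjectClass
}

# 3. The GPOs linked to one container, in the order they are applied,
#    including links inherited from parent containers.
$inheritance = Get-GPInheritance -Target $TargetOu -Domain $Domain
$inheritance.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target

# 4. Security filtering: only trustees that hold the Apply permission (the
#    "Apply Group Policy" access control entry set through the ACL editor)
#    actually receive the GPO. Reviewing this list shows which computers and
#    users the GPO can reach.
Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } },
                  @{ Name = 'Type';    Expression = { $_.Trustee.SidType } },
                  Permission, Inherited
```

Run the script from a domain-joined machine with the RSAT Group Policy tools installed. Step 2 depends on the gPLink attribute being searchable with a substring filter, which it is because gPLink is a string attribute; step 4 filters on the GpoApply permission rather than GpoRead, since a principal that can only read a GPO does not have the policy applied to it.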

In addition, by default every computer receives a local GPO that contains registry-based policy settings and security-specific policy settings. This is useful for computers that are not members of a domain.