What is Group Policy?
March 18, 2000
A. You will no doubt be familiar with the concept of group policies in NT 4.0: by utilizing the Group Policy Editor you can configure various restrictions, save them as the file NTCONFIG.POL in the netlogon share, and the settings will be applied to all users of the domain. Effectively, all that the policies of Windows NT 4.0 allowed were registry updates.
These policy settings could be configured for users, computers or groups of users.
Windows 2000 takes this to the next level and promises the following ideal:
"The ability for the Administrator to state a wish about the state of their Users environment once, and then rely on the system to enforce that wish"
In Windows 2000 the Group Policy model has been completely updated; it now utilizes the Active Directory and offers much more than just registry restrictions, for example:
Application deployment
Logon/logoff/startup/shutdown scripts
Folder redirection
Group Policy Objects (GPOs) are the unit of policy and can be applied to a site, domain or organizational unit (OU). In fact it will often be the case that a user/computer has multiple GPOs applicable to them, and in the event of a clash of a setting the order of precedence is Site, Domain then OU (SDOU), so any setting defined at the site level can be overwritten by a domain setting, and anything defined at the domain level can be overwritten by an OU setting. There is a fourth type, the Local computer policy, which has bottom priority and whose settings are overwritten by any of the others, which gives us an order of LSDOU.
The three mechanisms to apply Group Policies for sites, domains and OUs are as follows:
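To make the LSDOU precedence concrete, here is an added example (not code from the original article) that resolves the effective value of a setting across the Local, Site, Domain and OU levels and reports which GPO won. A GPO that leaves a setting "Not Configured" (absent from its dictionary) does not override a lower-precedence value; the GPO names and setting names are constructed for the sample.

```python
# Added example: resolve a setting under LSDOU precedence (Local < Site < Domain < OU).
# Each level holds a list of (gpo_name, settings) pairs; settings a GPO does not
# define are "Not Configured" and leave the lower-precedence value in place.
LSDOU_ORDER = ("Local", "Site", "Domain", "OU")


def resolve_setting(setting: str, gpos_by_level: dict) -> tuple:
    """Return (value, level, gpo_name) of the winning GPO, or (None, None, None)."""
    winner = (None, None, None)
    for level in LSDOU_ORDER:                      # later levels override earlier ones
        for gpo_name, settings in gpos_by_level.get(level, []):
            if setting in settings:                # Not Configured -> no override
                winner = (settings[setting], level, gpo_name)
    return winner


def resolve_all(gpos_by_level: dict) -> dict:
    """Resultant set: every setting named by any GPO, mapped to its winner."""
    names = set()
    for gpos in gpos_by_level.values():
        for _, settings in gpos:
            names.update(settings)
    return {name: resolve_setting(name, gpos_by_level) for name in sorted(names)}


# Constructed sample: the Site GPO removes the Run menu but the OU GPO re-enables
# it, so the OU wins; DisableCMD is set only at the Site, so the Site value stands.
SAMPLE = {
    "Local":  [("Local Computer Policy", {"ScreenSaverTimeout": 900})],
    "Site":   [("Site-Lockdown", {"RemoveRunMenu": 1, "DisableCMD": 1})],
    "Domain": [("Default Domain Policy", {"ScreenSaverTimeout": 600})],
    "OU":     [("Finance-OU", {"RemoveRunMenu": 0})],
}

if __name__ == "__main__":
    for name, (value, level, gpo) in resolve_all(SAMPLE).items():
        print(f"{name:<18} = {value!s:<4} (set by {gpo} at {level} level)")
```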
Domain Group Policy Object
Start the "Active Directory Users and Computers" MMC snap-in, right click on the domain and select Properties. Select the "Group Policy" tab.
OU Group Policy Object
Start the "Active Directory Users and Computers" MMC snap-in, right click on the OU and select Properties. Select the "Group Policy" tab.
Sites Group Policy Object
Start the "Active Directory Sites and Services" MMC snap-in, expand the sites, right click on the required site and select Properties. Select the "Group Policy" tab.
By default, when you select Group Policy for a container there will be no GPO, and you have the option of either adding an existing GPO to the container or creating a new one. To create a new GPO just click the New button and enter a name for the GPO. Once created, clicking the Edit button lets you modify the specified policy: a new instance of the Microsoft Management Console will be started with the Group Policy Editor loaded and the selected GPO at the root.
Windows NT 4.0 policies already in place are NOT upgraded to 2000, and you will need to redefine all your policies as GPOs. In a mixed environment of both 4.0 and 2000 clients you will need to keep an NTCONFIG.POL in the NETLOGON share of the domain controllers (even the 2000 DCs, as they may authenticate 4.0 client logons in a mixed environment) to ensure 4.0 clients still receive their policy settings. Windows 2000 clients will ignore NTCONFIG.POL unless you make a policy change to instruct them to implement the NTCONFIG.POL contents. If you do, then the order of reading is:
GPO(s) Computer at startup
Computer NTCONFIG.POL at login
User NTCONFIG.POL at login
GPO(s) User at login
As has been said, GPO information is stored in the Active Directory, but the policy itself is stored in the SYSVOL container on each domain controller as %systemroot%\SYSVOL\sysvol\<domain>\Policies\<GUID> (GUID is Globally Unique IDentifier).
Under that folder you will find a file Gpt.ini which, for a non-local GPO, will contain:
[General]
Version=
For example the version may be 65539. Once converted to hexadecimal, the four least significant hex digits (the four rightmost) represent the Computer Settings version number (3), and the four most significant hex digits (the four leftmost) represent the User Settings version number (1). You have to convert to hexadecimal, so:
65539 : 00010003
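The Gpt.ini version split described above, as an added example (not code from the original article): it parses a constructed Gpt.ini, splits the 32-bit Version into the User (high 16 bits) and Computer (low 16 bits) version numbers, and compares the values read from several domain controllers' SYSVOL copies to spot a policy that has not yet replicated everywhere. The DC names are constructed.

```python
# Added example: decode a GPO's Gpt.ini Version and compare copies across DCs.
import configparser

# Constructed sample Gpt.ini using the article's example value (65539 = 0x00010003).
GPT_INI = """[General]
Version=65539
"""


def parse_gpt_version(text: str) -> int:
    """Read the Version key from the [General] section of a Gpt.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def split_gpo_version(version: int) -> dict:
    """Split the 32-bit value: high 16 bits = User version, low 16 bits = Computer version."""
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("Version must fit in an unsigned 32-bit integer")
    return {"hex": f"{version:08X}", "user": version >> 16, "computer": version & 0xFFFF}


def compare_dc_versions(versions_by_dc: dict) -> dict:
    """Given {dc_name: version} read from each DC's SYSVOL copy of Gpt.ini, return the
    halves ("user"/"computer") whose numbers differ between DCs; an empty dict means
    every DC holds the same policy version (replication has caught up)."""
    split = {dc: split_gpo_version(v) for dc, v in versions_by_dc.items()}
    mismatches = {}
    for part in ("user", "computer"):
        values = {dc: s[part] for dc, s in split.items()}
        if len(set(values.values())) > 1:
            mismatches[part] = values
    return mismatches


if __name__ == "__main__":
    v = parse_gpt_version(GPT_INI)
    print(v, split_gpo_version(v))                          # 65539 -> user 1, computer 3
    # Constructed: DC2 has not yet received the latest Computer Settings change.
    print(compare_dc_versions({"DC1": 65540, "DC2": v}))
```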
Also within the folder is an Adm folder which contains the .adm template files used in the GPO, and a MACHINE and a USER folder containing the specific settings.
You can check the GUID for a GPO by right clicking on its root, selecting Properties and viewing the Unique name property.
To avoid any conflicts between GPO modifications, only the PDC role holder can make changes to a GPO.
Another change is that old 4.0 policies are 'tattooed' in the registry, meaning that even after a policy has been removed, its settings stay in the registry until changed by something else. An advantage of the Windows 2000 Group Policies is that this does not occur, because in Windows 2000 registry settings written to the following two secure registry locations are cleaned up when a Group Policy Object no longer applies:
Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Finally, unlike the 4.0 policies, the policy actually gets refreshed at certain times. Well, not ALL of the policy: software deployment and folder redirection are not updated, as, for example, you would be unhappy if the GPO was modified to remove Word while you were using it and it suddenly uninstalled! All 2000 machines refresh the policy every 90 minutes, except domain controllers, which refresh every 5 minutes. These times and the parts to refresh can be modified within the GPO.