1.1.9 Group Policy Management

Group Policy can be managed from an interface such as the GPMC, a custom application, or a command-line tool. GPOs exist within a Group Policy Objects container in Active Directory, as shown in the following diagram, and can be managed by a Group Policy administrator:

Figure 1: GPO location in Active Directory

The Group Policy administrator uses the Active Directory container objects for the domain as shown in the diagram to manage Group Policy. When Group Policy administrators need to manage GPOs, they can create a new GPO, delete a GPO, or edit an existing one. They can also manage policy settings via other default GPOs for the domain. The following default objects and containers can be accessed in a domain for management purposes:

Domain Controllers container: A default container that is automatically created when a server is promoted to a domain controller. It is linked to the domain controller's OU and manages security settings for all domain controllers in a domain.

WMI Filters container: A default container that is automatically created when a server is promoted to a domain controller. It holds the WMI filter objects that the Group Policy administrator creates. These filters are linked to GPOs to exempt specific Group Policy clients from the extension policy settings that those GPOs hold. For information about evaluating WMI filters, refer to [MS-GPOL] section 3.2.5.1.7.

Group Policy Objects container: A default container that is automatically created when a server is promoted to a domain controller. It provides a hierarchical repository for GPOs that the Group Policy administrator creates with the use of the Administrative tool. For more information about how GPOs are created, refer to section 2.1.3.2.1.

Default Domain Controllers Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. This GPO represents the default policy that is applied to all domain controllers in the Domain Controllers container.

Default Domain Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. It has the highest precedence of all GPOs linked to the domain, and it applies to all users and computers in the domain. The Default Domain Policy GPO is generally used to manage default account settings, although there are exceptions to this practice. For other areas of policy management, new GPOs can be created; however, some policy settings are best configured at the domain level, and there are no restrictions against doing so.

Administrator-configured: A GPO that is created by the Group Policy administrator to generate custom Group Policy settings for policy targets such as a Group Policy client computer.