Group Policy

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Group Policy lets you perform administrative tasks more efficiently because it enables centralized computer and user management. Centrally managing the configuration settings of the computers and users on the network can decrease the total cost of ownership for an IT infrastructure.

How Group Policy works

Group Policy is a technology available as part of an Active Directory Domain Services (AD DS) implementation. When domain member computers connect to their Active Directory domain, they automatically retrieve and apply Group Policy objects (GPOs) from the domain controller.

A GPO is a collection of settings that can be created by a domain administrator, and then applied to groups of computers or users in the organization.

Configuration settings and rules that you want to apply to the computers in your organization are stored in GPOs that are maintained on the domain controllers of an Active Directory domain. The GPOs are automatically downloaded to all assigned computers when they connect to the domain. They are then merged with the local GPO stored on the computer, and then applied to the computer's active configuration. Group Policy provides easy centralized management, and detailed control of which computers receive which GPOs.

Because the capabilities of both firewall rules and the implementation of IPsec are significantly enhanced in Windows Vista and later versions of Windows, we recommend that administrators leave existing GPO settings in place for earlier versions of Windows and create new GPOs for computers that are running versions of Windows with Windows Firewall with Advanced Security. By applying the new GPOs to the same set of containers as the old GPO settings, and by using WMI filters with each GPO as demonstrated in this guide, you can ensure that you apply the most appropriate settings to each computer in your organization.

For example, create one GPO (or set of GPOs) to contain the firewall and IPsec policy configuration for Windows XP and Windows Server 2003 computers. Use WMI filters to ensure that these GPOs apply only to computers that are running those versions of Windows. Use a different GPO (or set of GPOs) to contain the firewall and connection security rules for computers that are running Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008. Use WMI filters to ensure that these GPOs apply only to those computers that are running those versions of Windows.
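The following script is an added example, not part of the original guide: it runs two candidate WMI filter queries against a computer and reports which GPO set each would select, so you can confirm that the two filters never overlap and see which computers neither filter covers. The GPO set labels and the function name Test-GpoWmiFilter are hypothetical; the queries assume the operating system version prefixes 5.1 (Windows XP), 5.2 (Windows Server 2003), 6.0 (Windows Vista, Windows Server 2008) and 6.1 (Windows 7, Windows Server 2008 R2).

```powershell
# Added example. Runs in Windows PowerShell (Get-WmiObject); GPO set labels are hypothetical.
$GpoFilters = @(
    @{ GpoSet = 'Legacy firewall and IPsec GPOs (Windows XP, Windows Server 2003)'
       Query  = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '5.1%' OR Version LIKE '5.2%'" },
    @{ GpoSet = 'Windows Firewall with Advanced Security GPOs (Vista, 7, Server 2008, Server 2008 R2)'
       Query  = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.0%' OR Version LIKE '6.1%'" }
)

function Test-GpoWmiFilter {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $matched = @()
            foreach ($filter in $GpoFilters) {
                # A WMI filter is true when its query returns at least one instance.
                $hits = @(Get-WmiObject -Query $filter.Query -Namespace 'root\CIMv2' `
                            -ComputerName $computer -ErrorAction Stop)
                if ($hits.Count -gt 0) { $matched += $filter.GpoSet }
            }
            $status = switch ($matched.Count) {
                0       { 'No filter matches: neither GPO set would apply' }
                1       { 'OK: exactly one GPO set applies' }
                default { 'Overlap: both GPO sets would apply' }
            }
        }
        catch {
            $os = $null; $matched = @(); $status = "WMI query failed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $computer
            OS       = $(if ($os) { "$($os.Caption) ($($os.Version))" } else { 'unknown' })
            GpoSets  = ($matched -join '; ')
            Status   = $status
        }
    }
}

# Check the local computer; pass -ComputerName to check a sample from each container.
Test-GpoWmiFilter | Format-List Computer, OS, GpoSets, Status
```

A computer that reports "No filter matches" receives neither firewall GPO set, which is the gap to look for before linking both GPOs to the same containers.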

For more information about Group Policy, see Windows Server Group Policy at
