Chapter 9. Group Policy Objects (GPOs)

Introduction

Active Directory group policy objects (GPOs) can customize virtually any aspect of a computer or user’s desktop. They can also install applications, secure a computer, run logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a specific security group, organizational unit (OU), site, or domain. This is called the scope of management (SOM for short) because only the users or computers that fall under the scope of the group, OU, site, or domain will process the GPO. Assigning a GPO to a SOM is referred to as linking the GPO.

With Windows Server 2003, you can also use a WMI filter to restrict the application of a GPO. A WMI filter is simply a WMI query that can search against any information on a client’s computer. If the WMI filter returns a true value (i.e., something is returned from the query), the GPO will be processed; otherwise, it will not. So not only do you have all of the SOM options for applying GPOs, you can now use any WMI information available on the client’s computer to determine whether GPOs should be applied. For more on the capabilities of GPOs, I recommend reading Chapter 7 of Active Directory, Second Edition (O’Reilly).
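The following PowerShell sketch is an added example, not code from the book. It evaluates WQL queries on the local machine using the rule described above (the filter is true only if the query returns something), which helps when checking why a filtered GPO did or did not apply to a given client. The function name `Test-WmiFilterQuery` and the sample filter names and queries are constructed for illustration.

```powershell
# Added example: evaluate a WQL query locally the way a GPO WMI filter is
# described above: true only when the query returns at least one object.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    try {
        # Wrap in @() so a single returned instance still has a Count.
        $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($result.Count -gt 0)
    }
    catch {
        # Assumption for this sketch: a query that fails (bad syntax, missing
        # class) returns nothing, so it is reported as false.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

# Constructed sample filters; names and queries are illustrative only.
$filters = [ordered]@{
    'Workstations only'       = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
    'Domain controllers only' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'
    'Laptops only'            = 'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
    'Typo in class name'      = 'SELECT * FROM Win32_OperatingSystm'
}

# One row per filter: would a GPO using this filter be processed on this client?
foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter        = $name
        Query         = $filters[$name]
        WouldApplyGpo = Test-WmiFilterQuery -Query $filters[$name]
    }
}
```

The misspelled class name in the last entry shows the failure mode worth checking first when a GPO silently stops applying: a filter that never returns anything excludes every client.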

GPOs consist of two parts. A groupPolicyContainer (GPC) object is stored in Active Directory for each GPO; these objects reside in the cn=Policies,cn=System,<DomainDN> container. They store information related to software deployment and are used for linking to OUs, sites, ...
