Active Directory Group Policy Objects (GPOs) can customize virtually any aspect of a computer or user’s desktop. They can also be used to install applications, secure a computer, run logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a local computer, site, domain, or organizational unit. This is called scope of management (SOM), because only the users or computers that fall under the scope of the computer, OU, site, or domain will process the GPO. Assigning a GPO to a SOM is referred to as linking the GPO. You can restrict the application of GPOs further by using security groups to filter which users or groups they will apply to or by using inheritance blocking.

You can also use a WMI filter to restrict the application of a GPO. A WMI filter is simply a WMI query that can search against any information on a client’s computer. If the WMI filter returns a true value (i.e., the client computer matches the conditions that are specified in the filter), the GPO will be processed; otherwise, it will not. So not only do you have all of the SOM options for applying GPOs, but also you can use any WMI information available on the client’s computer to determine whether GPOs should be applied. For more on the capabilities of GPOs, we recommend reading Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

Group Policies are defined by a set of files that are replicated to each domain controller in a domain ...