Chapter 10. Designing Organization-Wide Group Policies
This chapter takes an in-depth look at Group Policy Objects (GPOs), focusing on three areas:
How GPOs work in Active Directory
How to manage GPOs with the Group Policy Object Editor and Group Policy Management Console
How to structure your Active Directory effectively using Organizational Units and groups so that you can make the best use of the GPOs required in your organization.
How GPOs Work
Group policies are very simple to understand, but their uses can be quite complex. Each GPO can consist of two parts: one that applies to a computer (such as a startup script or a change to the system portion of the registry) and one that applies to a user (such as a logoff script or a change to the user portion of the registry). You can use GPOs that contain only computer policies, only user policies, or a mixture of the two.
How GPOs Are Stored in Active Directory
GPOs themselves are stored in two places: Group Policy Configuration (GPC) data is stored in Active Directory, and certain key Group Policy Template (GPT) data is stored as files and directories in the system volume. They are split because while there is definitely a need to store GPOs in Active Directory if the system is to associate them with locations in the tree, you do not want to store all the registry changes, logon scripts, and so on in Active Directory itself. To do so could greatly increase the size of your DIT file. To that end, each GPO consists of the object holding ...