Distributing Policies

Computers that operate as standalone machines depend solely on local policy files for their policy settings. Networked computers, however, have the chore of obtaining policy files from the Domain Controller and merging them into their Registry. These downloaded policies contain the policies of the sites, domains, and organizational units that the computer and users are members of.

When you run the Group Policy snap-in, you’re required to select the Group Policy Object for the settings you wish to modify. This can be a GPO associated with an Active Directory object, or it may be a local or remote computer GPO. The users and computers that the policy affects, however, depends directly on which GPO is chosen. The higher the GPO is in the hierarchy, the more machines the policy file is distributed to.

Understanding How Effective Policies Are Calculated

I said earlier that policies are applied to the Registry in a specific order. That is: the local GPO, site GPOs, domain GPOs, and then OU GPOs from largest to smallest. Clearly, since policies are cumulative, order of application is quite important. Policies set early in the process can be overwritten by later GPOs. Since local GPO settings are applied before nonlocal GPOs, the LGPO is considered to be the least influential of all GPOs. The important policies, then, are those held by nonlocal, or Active Directory, GPOs.

The hierarchy of the Active Directory is tree-like in that an Active Directory container can accommodate ...

Get Managing The Windows 2000 Registry now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.