Group Policy is a feature provided by Windows operating systems in order to manage the different operating systems, user, account, and similar settings. Group policy mainly used for centralized management and configuration of operating systems, applications, and users setting in an Active Directory (AD) environment. Group Policy Object or GPO is an object used to set configuration objects which can be the background setting, password size or the process thread count, etc.
Group Policies are organized as containers, sites, domain, or organizational units. Group policies have some operations like enforcement,inheritances or filtering.
Group Policy (GP) Advantages
Group Policy and Group Policy Objects are so popular because they provide some advantages while administrating single or multiple windows operating systems. Alternatively, group policies can be implemented in the non-Active Directory infrastructure.
Ease of management : Ease of management is one of the biggest advantages of group policy. Group policy is used to group multiple computers, users, or different attributes and set configurations about these components easily with a single step.
One-stop administration: One-stop administration is similar to the ease of management where deploying patches, software updates and installation builtin or 3rd party software is very easy.
Easy Security Management : Security is an important part of today’s IT. We can configure different security-related features and configurations with the group policy and easily apply them to multiple systems. As an example password policy can be enforced easily with the group policy.
Group Policy Object (GPO) Limitations
Even group policy provides advantages there are some limitations for group policy usage.
Latency and Network Traffic : By default group, policy objects take 90-120 minutes to completely distributed. This interval may seem high and we can set lower intervals like 7 seconds. As GPO updates received via network this will burden the network.
GPO Editor: GPO editor is used to creating, update, and manage group policy objects. Even it provides a good user experience it is not perfect. In some cases finding specific objects can be a nightmare. Alternatively, Powershell provides a more easy and straightforward configuration.
Group Policy Object (GPO) Types
There are two types of group policy objects. First one is the centralized group policy object which is created and used in an Active Directory environment that is called Centralized Group Policy and the second is Local Group Policy which is used in the local system.
Centralized Group Policy is mainly used with the AD in order to manage multiple computers. The group policy objects are distributed via the AD according to the hierarchy and attributes of the AD objects.
Local Group Policy is used to change group policies on the local system. This can be also useful if there is no Active Directory. Local Group Policy can be used to change background image, user password, and other configuration about the local system. Windows operating system provides the tool named Local Group Policy Editor in order to manage Local Group Policy.
Group Policy Object (GPO) Preference
We have listed two GPO types “local group policy” and “AD group policy”. But there some other GPO types which are subtypes of the “AD group policy”. They are called “Site policies”, “Domain policies” and OU policies”. What will happen if the same configuration or object is defined with different group policy types like local group policy and Domain policy? GPO provides the following order to preference.
- Local Group Policy
- Site Policy
- Domain Policy
- OU Policy
Local Group Policy Editor
In order to edit the local group policy object, the tool named Local Group Policy Editor is used. It can be opened from the Start menu by typing “local group policy” like below.
The local group policy editor provides two main categories for GPO configuration. Computer Configuration is used to set general and computer-related objects like security, printer, public keys, windows operating system, etc. User Configuration provides user-related objects like control panel, script, shared folders, start menu and taskbar, etc.
How To Change Group Policy Object (GPO)?
In order to change a GPO, we will find the GPO as below. In this example, we select the Desktop Wallpaper GPO which is under “User Configuration” -> “Administrative Templates” -> “Desktop” -> “Desktop” and double click on it.
We will see the following configuration screen where we will select the Enabled radio box below. By default, this group policy object is not enabled. In order to set the desktop wallpaper, we will provide the complete or full path of the wallpaper into the Wallpaper Name configuration like below. The last step will be clicking Apply in order to make this GPO change effective.
