Professional Documents
Culture Documents
in
windowstricks.in
it's all about windows technology
What is GPO?
Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as
the Group Policy snap-in. GPO aects the user and computer accounts located in sites, domains, and organizational
units (OUs). The Windows 2000/2003 operating systems support two types of GPOs, local and non-local (Active
Directory-based) GPOs.
Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. On each Windows
2000/2003 server, a local GPO is stored. The local GPO aects only the computer on which it is stored. By default, only
Security Settings nodes are congured. The rest of the settings are either disabled or not enabled. The local GPO is
stored in the %systemroot%SYSTEM32GROUPPOLICY folder.
Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs
to be congured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a
site, domain, or organizational unit (OU) to apply group policies to the user or computer objects. The non-local GPOs
are stored in %systemroot%SYSVOLPOLICIESADM, where is the GPOs globally unique identier. Two non-local GPOs
are created by default when the Active Directory is installed:
1. Default Domain Policy: This GPO is linked to the domain and it aects all users and computers in the domain.
2. Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it aects all domain
http://www.windowstricks.in/2009/07/grouppolicies.html 1/4
3/10/2017 WindowsGroupPolicyInterviewQuestionsandAnswerswindowstricks.in
GPO Applyorder
When multiple group policy objects are assigned, the group policies are applied in the following order:
The following are the exceptions with regard to the above-mentioned settings:
No Override:
Any GPO can be set to No Override. If the No Override conguration is set to a GPO, no policy congured in the GPO
can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active
Directory hierarchy takes precedence
The Block Policy Inheritance option can be applied to the site, domain, or OU. It deects all group policy settings that
reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs congured with the No
Override option are always applied
What isLoopback policy?
The group policies are inherited from parent to child within a domain. They are not inherited from parent domain to
child domain
http://www.windowstricks.in/2009/07/grouppolicies.html 2/4
3/10/2017 WindowsGroupPolicyInterviewQuestionsandAnswerswindowstricks.in
A policy setting is congured (Enabled or Disabled) for a parent OU, and the same policy setting is not congured for
its child OUs. The child OUs inherit the parents policy
A policy setting is congured (Enabled or Disabled) for a parent OU, and the same policy setting is congured for its
child OUs. The child OUs settings override the settings inherited from the parents OU
Compatible policy settings congured at the parent and child OUs are accumulated
Although GPOs are linked to the site, domain, or OUs, and they cannot be linked to the security groups directly,
applying permissions to the GPO can lter its scope. The policies in a non-local GPO apply only to users who have the
Read and Apply Group Policy permissions set to Allow
By specifying appropriate permissions to the security groups, the administrators can lter a GPOs scope for the
computers and users
Related Posts:
1. SYSVOL Folder Structure
2. Check trusted site and activeX approval site list
3. Gpresult failed with ERROR Access Denied
4. GPO update failed in Slow Link VPN site with Event ID 1000 and 1054
Category: GPO
http://www.windowstricks.in/2009/07/grouppolicies.html 3/4
3/10/2017 WindowsGroupPolicyInterviewQuestionsandAnswerswindowstricks.in
http://www.windowstricks.in/2009/07/grouppolicies.html 4/4