Group Policy contains Computer Configuration and User Configuration two sections
Local Computer Policy----for a single computer
Group Policy within a domain----can set Group Policy for sites, domains, organizational units within a domain
For domain-joined computers, if the settings of the local computer policy and the Group Policy settings of the domain or organizational unit conflict, the local machine policy is not valid when the Group Policy setting for the domain or organizational unit takes precedence.
gpedit.msc editing Local computer policies
Intra-domain Group Policy is set through a Group Policy object GPO that, whenever a GPO is linked to a domain or organizational unit, is applied to all users and computers within the domain or organizational unit.
The system defaults to two built-in Gpo:default domain Policy and Default domain Controllors policy
A link to a domain controller before a default link to a domain
You can select an organizational unit right-click to block inheritance so that the organizational unit does not inherit the domain policy setting
You can also right-click the domain GPO, select Force, which indicates that the organizational unit must inherit
Enter edit after new GPO
Group Policy Exception Exclusions: Select "Delegate"--"advanced"--"add"--"check and apply Group Policy to deny" to the right of a gpo-------so that you can put people below an organizational unit without applying Group Policy
Domain controller above Group Policy is done, automatically applied every 5 minutes
If there are multiple domain controllers in the domain, changes to the PDC host are replicated to other domain controllers after 15 seconds
Non-domain controllers are automatically applied every 90-120 minutes
All computers are also forced to apply all of the settings within the domain security policy every 16 hours, without any changes to immediate Group Policy
To perform an application manually: Gpupdate/force
Security Configuration Wizard: This tool can be used to guide all configuration information on a server to other servers.
You can set the working environment for a user or computer through Group Policy preferences
Preference functionality is only available for Group Policy within a domain
Preferences are non-mandatory, and clients can modify their own setting values
However, the policy setting is mandatory and cannot be modified by the client after it is applied
WIN2008R2 Group Policy