WIN2008R2 Group Policy

Group Policy contains Computer Configuration and User Configuration two sections

Local Computer Policy----for a single computer

Group Policy within a domain----can set Group Policy for sites, domains, organizational units within a domain

For domain-joined computers, if the settings of the local computer policy and the Group Policy settings of the domain or organizational unit conflict, the local machine policy is not valid when the Group Policy setting for the domain or organizational unit takes precedence.

gpedit.msc editing Local computer policies

Intra-domain Group Policy is set through a Group Policy object GPO that, whenever a GPO is linked to a domain or organizational unit, is applied to all users and computers within the domain or organizational unit.

The system defaults to two built-in Gpo:default domain Policy and Default domain Controllors policy

A link to a domain controller before a default link to a domain

You can select an organizational unit right-click to block inheritance so that the organizational unit does not inherit the domain policy setting

You can also right-click the domain GPO, select Force, which indicates that the organizational unit must inherit

Enter edit after new GPO

Group Policy Exception Exclusions: Select "Delegate"--"advanced"--"add"--"check and apply Group Policy to deny" to the right of a gpo-------so that you can put people below an organizational unit without applying Group Policy

Domain controller above Group Policy is done, automatically applied every 5 minutes

If there are multiple domain controllers in the domain, changes to the PDC host are replicated to other domain controllers after 15 seconds

Non-domain controllers are automatically applied every 90-120 minutes

All computers are also forced to apply all of the settings within the domain security policy every 16 hours, without any changes to immediate Group Policy

To perform an application manually: Gpupdate/force

Security Configuration Wizard: This tool can be used to guide all configuration information on a server to other servers.

You can set the working environment for a user or computer through Group Policy preferences

Preference functionality is only available for Group Policy within a domain

Preferences are non-mandatory, and clients can modify their own setting values

However, the policy setting is mandatory and cannot be modified by the client after it is applied

WIN2008R2 Group Policy