Group Policy Objects

A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID.

Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory. GPO settings are evaluated by clients using the hierarchical nature of Active Directory.

The following illustration shows the structure of a GPO.

To create Group Policy, an administrator can use the Group Policy Object Editor, which can be a stand-alone tool. However, it is recommended that you use the Group Policy Object Editor as an extension to an Active Directory-related MMC snap-in because this will allow you to browse the Active Directory for the correct Active Directory container and define Group Policy based on the selected scope of management (SOM). Examples of Active Directory-related snap-ins include the Active Directory Users and Computers snap-in and the Active Directory Sites and Services snap-in.

Be aware that policy settings are divided into policy settings that affect a computer and policy settings that affect a user. Computer-related policies specify system behavior, application settings, security settings, assigned applications, and computer startup and shutdown scripts. User-related policies specify system behavior, application settings, security settings, assigned and published applications, user logon and logoff scripts, and folder redirection. Be aware that computer-related settings override user-related settings.