Group Policy Overview

Group Policy allows you to stipulate users' environments only once, and to rely on the operating system to enforce them thereafter.

Group Policy objects are not profiles. A profile is a user environment setting that a user can change, such as: desktop settings, registry settings in NTUser.dat files, profiles directory, My Documents, or Favorites. You, as the administrator, manage and maintain Group Policy, an MMC hosted administrative tool used to set policy on groups of users and computers.

By default, Group Policy is inherited from site, to domain, and finally to the organizational unit level. The order and level in which you apply Group Policy objects (by linking them to their targets) determines the Group Policy settings that a user or computer actually receives. Furthermore, policy can be blocked at the Active Directory site, domain, or organizational unit level; or policy can be enforced on a per Group Policy object basis. This is done by linking the Group Policy object to its target and then setting the link to no override.

By default, Group Policy affects all computers and users in the site, domain, or organizational unit, and does not affect any other objects in that site, domain, or organizational unit.


In particular, Group Policy does not affect security groups.

Instead, you use security groups to filter Group Policy; that is, to alter its scope. This is done by adjusting the Apply Group Policy and the Read permissions on the Group Policy object for the relevant security groups, as explained later in this chapter.


The location of a security group in Active Directory is irrelevant to Group Policy.

Windows NT 4.0 and Windows 2000 Policy Comparison

Microsoft® Windows NT® 4.0 introduced the System Policy Editor (Poledit.exe), a tool that you use to specify user and computer configurations that it stores in the Windows NT registry. Using the System Policy Editor, you control the user work environment and enforce system configuration settings for all domain computers running Windows NT Workstation 4.0 or Windows NT Server 4.0. System Policy settings are registry settings that define the behavior of various components of the desktop environment.

In Windows 2000, you can create a specific desktop configuration for a particular group of users and computers by using the Group Policy snap-in. For Windows 2000 clients, the Group Policy snap-in almost entirely supersedes the System Policy Editor. It allows management of desktop configurations for large, possibly nested, and even overlapping, groups of computers and users. Non-local Group Policy objects exert their effect by being linked to any number of targets, which can be sites, domains, or organizational units in Active Directory.

System Policy in Windows NT 4.0, Windows 95, and Windows 98

The System Policy settings you specify with the System Policy Editor (Poledit.exe):

  • Are applied to domains

  • Can be further controlled by user membership in security groups.

  • Are not secure. They can be changed by a user with the registry editor (Regedit.exe).

  • Persist in users' profiles, sometimes beyond their useful lives. After a registry setting is set using Windows NT 4.0 System Policy, the setting persists until the specified policy setting is reversed or the user edits the registry.

  • Are limited to administratively mandated desktop behavior based on registry settings.


Windows NT 4.0 registry settings can be problematic when a user's security group membership changes. You might need to manually update or remove the registry settings.

The Group Policy snap-in provides built-in features for registry-based policy, security settings, software installation, scripts, and folder redirection. The Group Policy settings that you create are contained in a Group Policy object. Each Windows 2000–based computer has one local Group Policy object, and can also be subject to any number of non-local (that is, Active Directory–based) Group Policy objects.

The policy settings you specify using Group Policy represent the primary method for enabling centralized change and configuration management in Windows 2000.

Group Policy settings:

  • Can be associated with sites, domains, and organizational units.

  • Affect all users and computers in the site, domain, or organizational unit.

  • Can be further controlled by user or computer membership in security groups.

  • Are secure. Only an administrator can change the settings.

  • Are removed and rewritten whenever policy changes.

  • Can be used for finely tuned desktop control and to enhance the user's computing environment.


Windows NT 4.0 System Policy settings in the registry sometimes persisted past their useful life because these settings remained in effect until they were explicitly changed. Windows 2000 Group Policy settings do not persist past their useful life because Windows writes them to the following secure registry locations, and removes them when a Group Policy object no longer applies. The registry locations are \Software\Policies and \Software\Microsoft\Windows\CurrentVersion\Policies.

For a detailed comparison of Windows NT 4.0 System Policy as compared to Windows 2000 Group Policy, see "Applying Change and Configuration Management" in the Microsoft ® Windows ®  2000 Server Resource Kit Deployment Planning Guide .