Hello, Windows Server Hybrid Administrator. Welcome to this Microsoft Learn training module, Introduction to Group Policy. This module provides a general introduction to Group Policy and Group Policy Objects (GPOs). It also serves as preparation for objective domain 1, Deploy and manage AD DS in on-premises and cloud environments, of the first Windows Server Hybrid Administrator Associate exam, AZ-800. The Windows Server Hybrid Administrator Associate certification is Microsoft's successor to the Windows Server MCSE. You can follow along with the contents of this module on Microsoft Learn, at the address shown on the screen or listed in the video description.

After completing this module, you'll be able to describe GPOs, describe GPO scope and inheritance, describe domain-based GPOs, create and configure GPOs, explain GPO storage, and describe administrative templates and the central store.

Since early versions of Windows Server, the Group Policy feature of Windows operating systems has provided an infrastructure with which administrators can define settings centrally and then deploy them to computers across their organizations. Group Policy is a framework in Windows operating systems with components that reside in Active Directory Domain Services (AD DS), on domain controllers, and on each Windows server and client. By using these components, you can manage configuration in an AD DS domain. You define Group Policy settings within a Group Policy Object (GPO). A GPO is an object that contains one or more policy settings that apply to one or more configuration settings for a user or a computer. Group Policy is a powerful administrative tool. You can use GPOs to push various settings to a large number of users and computers, because you can apply them at different levels, from the local computer to the domain. You also can focus these settings precisely. Primarily, you use Group Policy to configure settings that you do not want users to configure.
Additionally, you can use Group Policy to standardize desktop environments on all computers in an organizational unit (OU) or in an entire organization. You also can use Group Policy to provide additional security, to configure some advanced system settings, and for other purposes, such as mapping network drives or connecting network printers.

A Group Policy Object (GPO) is a collection of Group Policy settings. The most granular component of Group Policy is an individual policy setting. An individual policy setting defines a specific configuration, such as a policy setting that prevents a user from accessing registry editing tools. If you define that policy setting and then apply it to a user, that user will be unable to run tools such as Regedit.exe. Some settings affect a user and are known as user configuration settings or user policies, and some affect the computer and are known as computer configuration settings or computer policies. Group Policy manages various policy settings, and the Group Policy framework is extensible. You can manage almost any configurable setting with Group Policy.

To define a policy setting, in the Group Policy Management Editor, locate the policy setting and then press Enter. The policy setting's properties dialog box appears. Change the policy state to Enabled or Disabled. Most policy settings can have three states: Not Configured, Enabled, and Disabled. If required, configure additional values and, when complete, select OK. In a new GPO, every policy setting defaults to Not Configured. When you enable or disable a policy setting, Windows Server makes a change to the configuration of the users and computers to which the GPO is applied.

To create a new GPO in a domain, in Group Policy Management, right-click or access the context menu for the Group Policy Objects container and then select New. To modify the configuration settings in a GPO, right-click or access the context menu for the GPO and then select Edit.
This opens the Group Policy Management Editor snap-in. The Group Policy Management Editor displays all the policy settings that are available in a GPO in an organized hierarchy that begins with the division between computer settings and user settings: the Computer Configuration node and the User Configuration node. GPOs display in a container named Group Policy Objects. The next two levels of the hierarchy are nodes named Policies and Preferences. Progressing through the hierarchy, the Group Policy Management Editor displays folders, also called nodes or policy setting groups. The policy settings are listed as items within those folders.

You can use a starter GPO as a template from which to create other GPOs within the Group Policy Management Console. Starter GPOs only have administrative template settings. You might use a starter GPO to provide a starting point for creating new GPOs in your domain. The starter GPO might already have specific settings that are best practices for your environment. You can export starter GPOs to, and import them from, cabinet (.cab) files to make distribution to other environments simple and efficient. The Group Policy Management Console stores starter GPOs in a folder called StarterGPOs, which is in SYSVOL. SYSVOL is a shared folder on domain controllers. AD DS includes preconfigured starter GPOs for Windows client operating systems. These starter GPOs have administrative template settings that reflect best practices that Microsoft recommends for the configuration of the client environment.

Policy settings in GPOs define configuration. However, you must specify the computers or users to which the GPO applies before the configuration changes in a GPO will affect computers or users in your organization. This is called scoping a GPO. The scope of a GPO is the collection of users and computers that will apply the settings in the GPO. You can use several methods to manage the scope of domain-based GPOs. The first is the GPO link.
In AD DS, you can link GPOs to sites, domains, and OUs. The site, domain, or OU then becomes the maximum scope of the GPO. The configurations that the policy settings in the GPO specify will affect all computers and users within the site, domain, or OU, including those in child OUs. You can link a GPO to more than one domain, OU, or site. Linking GPOs to multiple sites in a multiple-domain forest can introduce performance issues when applying the policy, and you should avoid linking GPOs to multiple sites in this situation. This is because in a multi-forest, multiple-site network, the GPOs are stored on the domain controllers in the domain where the GPOs were created. The consequence is that computers in other domains might need to traverse a slow wide area network (WAN) link to obtain the GPOs.

You can further narrow the scope of the GPO with security and WMI filters. Security filters specify security groups or individual user or computer objects that relate to a GPO's scope, but to which the GPO explicitly should or shouldn't apply. WMI filters specify a scope by using characteristics of a system, such as an operating system version or free disk space. Use security filters and WMI filters to narrow or specify the scope within the initial scope that the GPO link created.

The GPOs that apply to a user, computer, or both don't apply all at once. GPOs apply in a particular order, and conflicting settings that process later might overwrite settings that process first. Group Policy follows this hierarchical processing order: first, local GPOs; second, site-linked GPOs; third, domain-linked GPOs; fourth, OU-linked GPOs; and finally, child-OU-linked GPOs. In Group Policy application, the default rule is that the last policy applied, the most specific policy, prevails. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for the objects contained in that particular OU.
If you link several GPOs to an OU, their processing occurs in the order that the administrator specifies on the OU's Linked Group Policy Objects tab in the Group Policy Management Console. By default, processing is enabled for all GPO links. You can disable a container's GPO link to block the application of a GPO completely for a given domain or OU. For example, if you made a recent change to a GPO and it's causing production issues, you can disable the link or links until the issue is resolved. Note that if the GPO is linked to other containers, they'll continue to process the GPO if their links are enabled. You also can disable the user or computer configuration of a particular GPO independently of the other. If one section of a policy is known to be empty, disabling the other section can speed up policy processing slightly. For example, if you have a policy that only delivers user desktop configuration, you could disable the computer section of the policy.

You can configure a policy setting in more than one GPO, which might result in GPOs conflicting with each other. In this case, the precedence of the GPOs determines which policy setting the client applies. A GPO with higher precedence prevails over a GPO with lower precedence. Precedence is determined numerically: each GPO has a precedence value, and the lower the number, the higher the precedence. Therefore, a GPO that has a precedence of 1 prevails over all other GPOs.

The default behavior of Group Policy is that GPOs linked to a higher-level container are inherited by lower-level containers. When a computer starts up or a user signs in, the Group Policy client-side extensions examine the location of the computer or user object in AD DS and evaluate the GPOs with scopes that include the computer or user. Then the client-side extensions apply policy settings from these GPOs.
Policies apply sequentially, beginning with policies that link to the site, followed by those that link to the domain, followed by those that link to OUs. This sequential application of GPOs creates an effect called policy inheritance. Policies are inherited, which means that the resultant set of policies for a user or computer will be the cumulative effect of site, domain, and OU policies.

You can configure a domain or OU to prevent the inheritance of policy settings. This is known as blocking inheritance. To block inheritance, right-click or access the context menu for the domain or OU in the Group Policy Management Console and then select Block Inheritance. The Block Inheritance option is a property of a container, so it blocks all Group Policy settings from GPOs that link to parents in the Group Policy hierarchy. Use the Block Inheritance option sparingly, because blocking inheritance makes it more difficult to evaluate Group Policy precedence and inheritance. With security group filtering, you can carefully scope a GPO so that it applies to only the correct users and computers in the first place, making it generally unnecessary to use the Block Inheritance option.

You can set a GPO link to be enforced. To enforce a GPO link, right-click or access the context menu for the GPO link in the console and then select Enforced from the shortcut menu. When you set a GPO link to Enforced, the GPO takes the highest level of precedence: policy settings in the GPO prevail over any conflicting policy settings in other GPOs. An enforced link applies to child containers even when those containers are set to block inheritance. The Enforced option causes the policy to apply to all objects within its scope. Enforcement is useful when you must configure a GPO that defines a configuration that's mandated by your corporate IT security and usage policies, and you therefore want to ensure that other GPOs that are linked to the same or lower levels don't override those settings.
You can do this by enforcing the GPO's link. To facilitate evaluation of GPO precedence, you can simply select an OU or domain and then select the Group Policy Inheritance tab. This tab displays the resulting precedence of GPOs, accounting for GPO links, link order, inheritance blocking, and link enforcement. Note that this tab doesn't account for policies that are linked to a site, or for GPO security or WMI filtering.

You can create domain-based GPOs in AD DS and store them on domain controllers. You can use these GPOs to manage configuration centrally for the domain's users and computers. When you install AD DS, Windows Server creates two default GPOs: Default Domain Policy and Default Domain Controllers Policy. Note that Windows computers also have local GPOs, which are primarily used when computers aren't connected to domain environments.

The Default Domain Policy GPO is linked to the domain, and it applies to Authenticated Users. This GPO doesn't have any WMI filters, so it affects all users and computers in the domain. This GPO contains policy settings that specify password, account lockout, and Kerberos version 5 authentication protocol policies. These settings are of critical importance to the AD DS environment and thus make the Default Domain Policy a critical component of Group Policy. You shouldn't add unrelated policy settings to this GPO. If you need to configure other settings to apply broadly in your domain, create additional GPOs that link to the domain.

The Default Domain Controllers Policy GPO links to the Domain Controllers OU, because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU and other computer accounts should be kept in other OUs. This GPO affects only domain controllers or other computer objects that are in the Domain Controllers OU.
You should modify GPOs linked to the Domain Controllers OU to implement your auditing policies and to assign user rights that are required on domain controllers.

You manage GPOs by using the following tools: the Group Policy Management Console and the Group Policy Management Editor. You can also use Windows PowerShell cmdlets to manage GPOs and their settings, including the following. New-GPO creates a new GPO. New-GPLink links a GPO to a site, domain, or OU. Get-GPInheritance gets Group Policy inheritance information for a specified domain or OU. Set-GPInheritance blocks or unblocks inheritance for a specified domain or organizational unit. Get-GPO lists one GPO or all the GPOs in a domain.

There are two major categories of policy settings: computer settings, which are contained in the Computer Configuration node, and user settings, which are contained in the User Configuration node. The Computer Configuration node contains the settings that apply to computers regardless of who logs on to them. Computer settings apply when the operating system starts, during background refreshes, and every 90 to 120 minutes thereafter. The User Configuration node contains settings that apply when a user logs on to a computer, during background refreshes, and every 90 to 120 minutes thereafter. Within the Computer Configuration and User Configuration nodes are the Policies and Preferences nodes. The Policies nodes in Computer Configuration and User Configuration have a hierarchy of folders that contain policy settings. Because there are thousands of settings, the scope of this course doesn't include individual settings. However, it's worth reviewing the types of settings that you can configure.

GPOs include a large number of security-related settings that you can apply to both users and computers. For example, you can enforce settings for the domain password policy and for Windows Defender Firewall, and you can configure auditing and other security settings.
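The cmdlets just listed, together with a few siblings from the same GroupPolicy module (Set-GPRegistryValue, Set-GPPermission, Set-GPLink, Get-GPOReport), put the scoping, link order, security filtering and enforcement concepts from the preceding sections into one runnable sequence. This is an added example, not code from the module; the domain contoso.com, the Workstations OU, the GPO name and the GP-Baseline-Apply group are assumptions, and it must be run as an account that can create and link GPOs in the domain.

```powershell
# Added example (not from the module). Domain, OU, GPO and group names are assumptions.
Import-Module GroupPolicy

$domain  = 'contoso.com'                                   # assumed AD DS domain
$ou      = 'OU=Workstations,DC=contoso,DC=com'              # assumed target OU
$gpoName = 'Baseline - Restrict Registry Tools'             # assumed GPO name
$group   = 'GP-Baseline-Apply'                              # assumed security group

# 1. Create the GPO. Every policy setting in it starts as Not Configured.
$gpo = New-GPO -Name $gpoName -Comment 'Prevents standard users from running Regedit.exe' -Domain $domain

# 2. Define one user-side setting. "Prevent access to registry editing tools" is a registry-based
#    (Administrative Templates) policy, so it can be written directly as the value it controls.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU: enabled, not enforced, link order 1 (highest precedence among that OU's links).
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced No -Order 1 -Domain $domain | Out-Null

# 4. Security filtering. Downgrade Authenticated Users from Apply to Read (computers must still be able
#    to read the GPO to retrieve it) and grant Apply only to the assumed group.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -Domain $domain -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Inspect precedence the way the Group Policy Inheritance tab does (lower Order = higher precedence).
$inh = Get-GPInheritance -Target $ou -Domain $domain
'{0}: inheritance blocked = {1}' -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 6. Enforce the link so its settings win conflicts and still reach child OUs that block inheritance.
Set-GPLink -Name $gpoName -Target $ou -Enforced Yes -Domain $domain | Out-Null

# 7. The GPO carries only user settings, so disable its computer side to skip it during processing.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# 8. Confirm the result: Get-GPO shows the status, and the HTML report shows links and security filtering.
Get-GPO -Name $gpoName -Domain $domain | Format-List DisplayName, GpoStatus, Id
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html -Path (Join-Path $env:TEMP 'baseline-gpo.html')
```

Step 4 is the security filtering the module describes: the link still defines the maximum scope (the OU), and the Apply permission narrows it to members of the group. Step 5 is worth re-running after step 6, because the enforced link moves to the top of the inherited list regardless of its numeric link order.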
You also can configure full sets of user rights assignments. You can use Group Policy to provide a consistent desktop and application environment for all users in your organization. By using GPOs, you can configure each setting that affects the representation of the user environment. You also can configure settings for some applications that support GPOs.

With Group Policy, you can deploy software to users and computers. You can use Group Policy to deploy all software that is available in the MSI format. Additionally, you can enforce automatic software installation, or you can let your users decide whether they want the software to deploy to their computers. Although you can deploy software in this manner, most organizations use other methods, such as Configuration Manager and Intune.

With the folder redirection option, it is easier to back up users' data files. By redirecting folders, you also ensure that users have access to their data regardless of the computer to which they sign in. Additionally, you can centralize all users' data in one place on a network server while still providing a user experience that is similar to storing these folders on their computers. For example, you can configure folder redirection to redirect users' Documents folders to a shared folder on a network server.

By using Group Policy, you can configure various network settings on client computers. For example, you can enforce settings for wireless networks to allow users to connect only to specific Wi-Fi network SSIDs, and with predefined authentication and encryption settings. You also can deploy policies that apply to wired network settings, and some Windows Server roles use Group Policy to configure the client side of services such as DirectAccess.

Group Policy inheritance, filters, and exceptions are complex, and it can often be difficult to determine which policy settings will apply.
Resultant Set of Policy (RSoP) is the net effect of GPOs applied to a user or computer, considering GPO links, exceptions such as Enforced and Block Inheritance, and the application of security and WMI filters. Resultant Set of Policy is also a collection of tools that you can use to evaluate, model, and troubleshoot the application of Group Policy settings. Resultant Set of Policy can query a local or remote computer and report the exact settings that apply to the computer and to any user who has logged on to the computer. Resultant Set of Policy also can model the policy settings that are anticipated to be applied to a user or computer under a variety of scenarios, including moving the object between OUs or sites, or changing the object's group membership. With these capabilities, Resultant Set of Policy can help you manage and troubleshoot conflicting policies. The following tools exist for performing Resultant Set of Policy analysis: the Group Policy Results Wizard, the Group Policy Modeling Wizard, and the GPResult.exe command-line utility.

Group Policy settings present as GPOs in AD DS user interface tools, but a GPO actually includes two components: the Group Policy container and the Group Policy template. The Group Policy container is located in Active Directory, and it stores GPO metadata. It doesn't contain actual settings, but rather information on when the GPO was created, how many times user and computer settings were modified, the GPO version, and its GUID, which is used to link Group Policy settings to a Group Policy template. The Group Policy template is a collection of files stored in the SYSVOL of each domain controller, in the %SystemRoot%\SYSVOL\domain\Policies\{GPO GUID} path, where GPO GUID is the globally unique identifier (GUID) of the Group Policy container. The Group Policy template contains the Group Policy settings. Similar to all AD DS objects, each Group Policy container includes a GUID attribute that uniquely identifies the object within AD DS.
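The RSoP logging-mode tools named above (the Group Policy Results data and GPResult.exe) can be driven from PowerShell, which is handy when you need to answer "which GPOs reached this computer, and why were the others filtered out" for a specific machine. This is an added example, not code from the module; the workstation WS01 and the user contoso\jdoe are assumptions, and the user must have signed in to that computer at least once for user-scope RSoP data to exist.

```powershell
# Added example (not from the module). Computer and user names are assumptions.
Import-Module GroupPolicy

$computer = 'WS01'            # assumed workstation
$user     = 'contoso\jdoe'    # assumed user who has signed in to WS01
$outDir   = Join-Path $env:TEMP 'rsop'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Logging mode from PowerShell: the settings that were actually applied, as an HTML report.
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Html `
    -Path (Join-Path $outDir 'ws01-jdoe.html')

# The same data from GPResult.exe. /R prints a summary (applied GPOs, and GPOs that were filtered out
# with the reason, such as "Denied (Security)" or "Denied (WMI Filter)"); /H writes the full HTML report;
# /SCOPE limits output to one configuration; /F overwrites an existing report file.
gpresult /S $computer /R
gpresult /S $computer /USER $user /SCOPE USER /H (Join-Path $outDir 'ws01-jdoe-user.html') /F

# Quick triage from the XML form: per GPO on the computer side, whether it was applied, and whether
# security filtering (AccessDenied) or a WMI filter (FilterAllowed) kept it out.
$xmlPath = Join-Path $outDir 'ws01.xml'
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Xml -Path $xmlPath
[xml]$rsop = Get-Content -LiteralPath $xmlPath
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, Enabled, IsValid, FilterAllowed, AccessDenied |
    Format-Table -AutoSize
```

The XML report is the form to keep for a ticket or a change record: it carries the same data as the Group Policy Results Wizard, including the link, enforcement and filter outcome for each GPO, and it can be diffed against a later run after a change.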
When you change the settings of a GPO, the changes are saved to the SYSVOL share. By default, the domain controller that holds the PDC emulator operations master role is used. The changes are then replicated to other domain controllers.

By default, when Group Policy refresh occurs, the client-side extensions apply settings in a GPO only if the GPO has been updated. The Group Policy client can identify an updated GPO by its version number. Each GPO has a version number that increments each time you make a change. The version number is stored as a Group Policy container attribute and in a text file, GPT.ini, in the Group Policy template folder. The Group Policy client knows the version number of each GPO it has previously applied. If, during the Group Policy refresh, the Group Policy client discovers that the version number of the Group Policy container has changed, Windows Server will inform the client-side extensions that the GPO is updated, and processing will occur.

The Group Policy container and the Group Policy template both replicate between all domain controllers in the local domain in AD DS. However, these two items use different replication mechanisms. The Group Policy container in AD DS replicates by using the Directory Replication Agent (DRA). The DRA uses a topology that the Knowledge Consistency Checker generates, which you can define or refine manually. The result is that the Group Policy container replicates within seconds to all domain controllers in a site, and replicates between sites based on your intersite replication configuration. The Group Policy template in SYSVOL replicates by using Distributed File System Replication (DFS-R). Because the Group Policy container and the Group Policy template replicate separately, it is possible for them to become out of sync for a brief time. Typically, when this happens, the Group Policy container will replicate to a domain controller first. Systems that obtained their ordered list of GPOs from that domain controller will identify the new Group Policy container. Those systems will then attempt to download the Group Policy template, and they'll notice that the version numbers are not the same. A policy processing error will be recorded in the event logs. If the reverse happens, and the Group Policy template replicates to a domain controller before the Group Policy container, clients that obtain their ordered list of GPOs from that domain controller won't be notified of the new GPO until the Group Policy container has replicated.

Administrative template files provide most of the available GPO settings, which modify specific registry keys. The use of administrative templates is known as a registry-based policy, because all the settings you configure in administrative templates result in changes to the registry. For many apps, using a registry-based policy is the simplest and best way to support the centralized management of policy settings. You can use administrative templates to control the environment of an operating system and the user experience. There are two sets of administrative templates: computer-related settings and user-related settings. They have subnodes that correspond to specific areas of the environment, such as Network, System, and Windows Components. The settings in the Computer section of the Administrative Templates node edit the HKEY_LOCAL_MACHINE hive in the registry. The settings in the User section of the Administrative Templates node edit the HKEY_CURRENT_USER hive in the registry. Some settings exist for both user and computer, and some settings are available only to certain versions of Windows operating systems; for example, you can apply several new settings only to Windows 11. The Administrative Templates node has two sections: the Computer Configuration section and the User Configuration section. In the case of conflicting settings, the computer setting prevails. Computer Configuration includes settings related to Control Panel, Network, Printers, Server, Start
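The container-versus-template version mismatch described above is easy to check for directly: the GroupPolicy module exposes the AD (DS) and SYSVOL version of each GPO per section, and reading GPT.ini from a specific domain controller shows where the SYSVOL number comes from. This is an added example, not code from the module; the domain controller name DC01.contoso.com is an assumption, and the script should be run as a domain user who can read AD and the SYSVOL share.

```powershell
# Added example (not from the module). The domain controller name is an assumption; run it against
# each DC in turn to see which one is lagging when a mismatch appears.
Import-Module GroupPolicy
$dc = 'DC01.contoso.com'    # assumed domain controller to query

# GPT.ini holds a single "Version" number that packs both halves:
# low 16 bits = computer version, high 16 bits = user version.
function Split-GptVersion {
    param([uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

Get-GPO -All -Server $dc | ForEach-Object {
    $gpo = $_
    # The AD side is the versionNumber attribute on the Group Policy container; the SYSVOL side is
    # taken from the template. Get-GPO already reports both, split per section.
    $adComp = $gpo.Computer.DSVersion; $svComp = $gpo.Computer.SysvolVersion
    $adUser = $gpo.User.DSVersion;     $svUser = $gpo.User.SysvolVersion

    # Read GPT.ini from the template folder on this DC to show the raw number behind SysvolVersion.
    $gptIni = "\\$dc\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\GPT.ini"
    $ini    = [pscustomobject]@{ Computer = $null; User = $null }   # stays $null if GPT.ini is absent
    $match  = Select-String -Path $gptIni -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue |
              Select-Object -First 1
    if ($match) { $ini = Split-GptVersion ([uint32]$match.Matches[0].Groups[1].Value) }

    [pscustomobject]@{
        GPO            = $gpo.DisplayName
        ADComputer     = $adComp
        SysvolComputer = $svComp
        GptIniComputer = $ini.Computer
        ADUser         = $adUser
        SysvolUser     = $svUser
        GptIniUser     = $ini.User
        InSync         = ($adComp -eq $svComp) -and ($adUser -eq $svUser)
    }
} | Sort-Object InSync, GPO | Format-Table -AutoSize
```

A row with InSync false is the state the module describes: the container and template replicated at different speeds, and a client that reads its GPO list from this DC will log a processing error until DFS-R catches up. A GPT.ini column of $null with non-zero AD versions means the template folder has not arrived on this DC at all.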
Menu and Taskbar, System, Windows Components, and All Settings. User Configuration includes settings related to Control Panel, Desktop, Network, Shared Folders, Start Menu and Taskbar, System, Windows Components, and All Settings. Most of the nodes contain multiple subfolders that enable you to organize settings into logical groupings. Even with this organization, finding the setting that you need might be challenging.

All the settings in the Administrative Templates node of a GPO are stored in files. All currently supported operating systems store the settings in ADMX files; these settings use a standards-based XML file format known as ADMX. By default, Windows stores ADMX files in the %SystemRoot%\PolicyDefinitions folder, but you can store them in a central location. The ADMX files are language neutral. The plain-language descriptions of the settings are not part of the ADMX files; instead, they're stored in language-specific ADML files. This means that administrators can review the same GPO and observe the policy descriptions in their own language, because they can each use their own language-specific ADML files. The PolicyDefinitions folder stores ADML files in subfolders; each language has its own folder. For example, the en-US folder stores the English files and the es-ES folder stores the Spanish files. By default, only the ADML language files for the language of the installed operating system are present.

In domain-based enterprises, you can create a central store location for ADMX files, which anyone with permissions to create or edit GPOs can access. The Group Policy Management Editor automatically reads and displays Administrative Templates policy settings from ADMX files in the central store and then ignores the ADMX files stored locally. If the domain controller or central store is not available, the Group Policy Management Editor uses the local store. The advantages of creating a central store are that you ensure that whenever someone edits a GPO, the settings in the Administrative Templates node are always the same, and that when Microsoft releases new administrative templates for new operating systems or apps such as Office, you only need to update the administrative template files in one location. You must create the central store manually and then update it manually on a domain controller. The domain controllers then use AD DS replication and DFS-R to replicate the data.

To create a central store for ADMX and ADML files, create a folder and name it PolicyDefinitions in the \\FQDN\SYSVOL\FQDN\Policies location, where FQDN is the domain name for your AD DS domain. An administrator must copy all files and subfolders of the PolicyDefinitions folder, which on a Windows computer resides in the Windows folder. The PolicyDefinitions folder stores all ADMX files, and its subfolders store ADML files for all languages enabled on the client computer. For example, on a Windows Server computer that has English enabled, C:\Windows\PolicyDefinitions will contain the ADMX files, and in the subfolder en-US, the ADML files will contain English-based descriptions for the settings defined in the ADMX files.

In this module, you learned how to describe GPOs, describe GPO scope and inheritance, describe domain-based GPOs, create and configure GPOs, explain GPO storage, and describe administrative templates and the central store. If you want to learn more, you can take this module on Microsoft Learn or read the official AZ-800 exam prep guide from Microsoft Press; links are available at the aka.ms AZ-800 study guide link. We publish new content regularly on this channel on topics related to Windows Server, hybrid cloud, and Azure infrastructure, and the certifications related to these topics. We look forward to seeing you in future videos.
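Going back to the central store procedure described in this module (create PolicyDefinitions under \\FQDN\SYSVOL\FQDN\Policies, then copy the local PolicyDefinitions folder with its language subfolders into it), the steps can be scripted and, more usefully, verified. This is an added example, not code from the module; the domain contoso.com is an assumption, the final replication check uses Get-ADDomainController from the ActiveDirectory module, and the script must run from a domain-joined computer whose local PolicyDefinitions folder holds the templates you want to publish, as an account with write access to the Policies folder in SYSVOL.

```powershell
# Added example (not from the module). The domain name is an assumption.
$fqdn   = 'contoso.com'                                      # assumed AD DS domain
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'      # local store, e.g. C:\Windows\PolicyDefinitions
$store  = "\\$fqdn\SYSVOL\$fqdn\Policies\PolicyDefinitions"  # central store location (created manually)

# 1. Create the folder; DFS-R then replicates it to the other domain controllers.
if (-not (Test-Path -LiteralPath $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# 2. Copy every .admx file and every language subfolder (en-US, es-ES, ...) with its .adml files.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# 3. Verify the store: each .admx should have a matching .adml in every language folder present,
#    otherwise the editor has no descriptions to show for that template in that language.
function Test-CentralStore {
    param([string]$Path)
    $admx = @(Get-ChildItem -LiteralPath $Path -Filter *.admx | Select-Object -ExpandProperty BaseName)
    foreach ($langDir in Get-ChildItem -LiteralPath $Path -Directory) {
        $adml    = @(Get-ChildItem -LiteralPath $langDir.FullName -Filter *.adml | Select-Object -ExpandProperty BaseName)
        $missing = @($admx | Where-Object { $_ -notin $adml })
        [pscustomobject]@{
            Language    = $langDir.Name
            AdmxCount   = $admx.Count
            AdmlCount   = $adml.Count
            MissingAdml = ($missing -join ', ')
        }
    }
}
Test-CentralStore -Path $store | Format-Table -AutoSize

# 4. Spot-check replication: once DFS-R has caught up, every DC should expose the same number of
#    .admx files through its own SYSVOL share.
foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    $count = @(Get-ChildItem -LiteralPath "\\$dc\SYSVOL\$fqdn\Policies\PolicyDefinitions" `
                 -Filter *.admx -ErrorAction SilentlyContinue).Count
    '{0}: {1} .admx files' -f $dc, $count
}
```

After the copy, the Administrative Templates node heading in the Group Policy Management Editor reports that policy definitions were retrieved from the central store; if it still says they came from the local computer, the DC the console is connected to has not received the folder yet, which is exactly what step 4 shows.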