Saturday, 28 July 2012

What is Group Policy

In a nutshell, a Group Policy is a collection of settings that determines how a set of users, computers and other security objects should behave.

Two Types of Group Policies:

Administrators can use Group Policies to enforce a set of configuration settings on both the computer and the user. Through Group Policies, administrators can control a myriad of settings like Software Installation, Security Settings, Scripts, Internet Explorer maintenance, Desktop settings, Control Panel settings and many more. There are two types of Group Policies:

Local Group Policy and
Non-local Group Policy

Local Group Policy

Each computer running Windows has exactly one local Group Policy Object (Windows Vista and later add per-user and per-group local GPOs on top of it, but still only one computer-wide one). It applies only to the computer on which it resides and to the users who log on to that computer. The local GPO is stored in the %systemroot%\System32\GroupPolicy folder (no space in the folder name) and offers only a subset of the settings available in a non-local GPO. When a computer is also in a domain, the local GPO is processed first and site, domain and OU GPOs after it, so a conflicting domain setting wins over the local one.

Non-local Group policy

Non-local (domain) GPOs belong to the domain, not to an individual domain controller: each GPO is stored partly in Active Directory and partly in the SYSVOL share, and both parts are replicated to every domain controller in the domain, so the domain has one or more of them. They are available to all computers and users in the Active Directory environment. A non-local GPO takes effect by being linked to a site, a domain or an OU, so which users and computers it applies to depends on where it is linked (and, within that scope, on its security filtering).
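As an added example (not code from the original post), the following PowerShell lists every domain GPO, the sites, domains and OUs it is linked to, and every trustee that can edit it. It needs the GroupPolicy module (RSAT or a domain controller) and a domain-joined session; the $TrustedEditors list is an assumption that should be set to whichever groups legitimately manage GPOs in your domain.

```powershell
# Added example, not code from the original post. Enumerates domain GPOs,
# their links and their editors. $TrustedEditors is an assumption: adjust it
# to the groups that are supposed to manage GPOs in your domain.
Import-Module GroupPolicy

$TrustedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

$report = foreach ($gpo in Get-GPO -All) {
    # The XML report is the simplest place to read a GPO's links; each LinksTo
    # entry names a scope of management (SOM): a site, the domain, or an OU.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = foreach ($l in $xml.GPO.LinksTo) {
        if ($l.Enabled -eq 'true') { $l.SOMPath } else { "$($l.SOMPath) (link disabled)" }
    }

    # GpoEdit lets a trustee change the settings; GpoEditDeleteModifySecurity
    # additionally lets them re-ACL or delete the GPO. Either is enough to run
    # code as SYSTEM on every computer the GPO applies to.
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { -not $_.Denied -and $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Name              = $gpo.DisplayName
        Id                = $gpo.Id
        Status            = $gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ...
        Modified          = $gpo.ModificationTime
        LinkedTo          = ($links -join '; ')
        Editors           = ($editors -join '; ')
        UnexpectedEditors = (@($editors | Where-Object { $_ -notin $TrustedEditors }) -join '; ')
        # A GPO lives in two places: the AD object (metadata, links, ACL) and
        # this SYSVOL folder (registry.pol, scripts, templates), replicated to
        # every DC in the domain.
        SysvolPath        = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    }
}

$report | Sort-Object Name | Format-Table Name, Status, LinkedTo, UnexpectedEditors -AutoSize

# GPOs linked nowhere are dead weight; GPOs with unexpected editors are a
# privilege-escalation path and should be corrected with Set-GPPermission.
$report | Where-Object { -not $_.LinkedTo } | ForEach-Object { "Unlinked GPO: $($_.Name)" }
$report | Where-Object { $_.UnexpectedEditors } | ForEach-Object { "Check editors on '$($_.Name)': $($_.UnexpectedEditors)" }
```

The editor check is the security-relevant part: whoever can write a GPO can push a startup script or scheduled task to every machine in its scope, so GPO ACLs deserve the same scrutiny as membership of Domain Admins.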

Need for Group Policies

As organizations seek to increase productivity and revenues through technology, they are also trying to minimize the complexity of managing a huge IT infrastructure. The following are some of the reasons that illustrate why group policies are a necessity:

Uniform User experience

Users are no longer confined to a single computer in their workplace. They use different computers for different tasks, so their files and folders, along with personalized settings such as taskbar location, wallpaper, desktop icons, etc., have to be made available on every machine the user logs on to. Roaming profiles and folder redirection, both configured through Group Policy, are what make this possible.

Security

Even with all the authentication protocols and authorization techniques involved in AD, a malicious user can still gain access to network resources if the attacker comes to know a user's password. So it is very important to have a strong password policy for all the users in an organization; in a domain, the password and account lockout policy is set through Group Policy (the GPO linked at the domain level, normally the Default Domain Policy). It is also important to record certain events, like user logons or access to a particular folder, for auditing purposes, and audit policy is likewise distributed through Group Policy.
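As an added example (not code from the original post), the PowerShell below checks the domain's default password and lockout policy against a baseline, lists any fine-grained policies that override it, and turns on logon and file-access auditing. The $Baseline numbers and the C:\Shares\Finance path are assumptions to be replaced with your own standard and folder; the policy checks need the ActiveDirectory module, and the auditpol and Set-Acl steps need an elevated prompt.

```powershell
# Added example, not code from the original post. Baseline values and the
# folder path are assumptions; substitute your own.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 90
    LockoutThreshold     = 10     # failed attempts; 0 means accounts never lock out
}

# Account policies (password, lockout, Kerberos) are read only from GPOs
# linked at the domain level, normally the Default Domain Policy. The same
# settings in an OU-linked GPO affect local accounts on those machines but
# not domain accounts, a common reason why "the policy is not applying".
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

$findings = @()
if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
    $findings += "MinPasswordLength $($policy.MinPasswordLength) < $($Baseline.MinPasswordLength)"
}
if (-not $policy.ComplexityEnabled) { $findings += 'Password complexity disabled' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption enabled (passwords recoverable in clear)' }
if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
    $findings += "PasswordHistoryCount $($policy.PasswordHistoryCount) < $($Baseline.PasswordHistoryCount)"
}
# A non-positive MaxPasswordAge means passwords never expire.
if ($policy.MaxPasswordAge.TotalDays -le 0 -or $policy.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
    $findings += "MaxPasswordAge $($policy.MaxPasswordAge.TotalDays) days"
}
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
    $findings += "LockoutThreshold $($policy.LockoutThreshold) (0 = never lock out)"
}
if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { 'Default domain password policy meets baseline' }

# Fine-grained password policies (Server 2008 and later) override the default
# for the users and groups they apply to, so list them too: an exception with
# a weak policy applied to Domain Admins undoes the check above.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# Remediation, off by default. This writes the domain's account-policy
# attributes directly; if the domain-linked GPO still carries the old values
# it will put them back on the next refresh, so the lasting fix is to edit
# the GPO as well.
$Remediate = $false
if ($Remediate) {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
        -MinPasswordLength $Baseline.MinPasswordLength -ComplexityEnabled $true `
        -PasswordHistoryCount $Baseline.PasswordHistoryCount `
        -MaxPasswordAge ([TimeSpan]::FromDays($Baseline.MaxPasswordAgeDays)) `
        -LockoutThreshold $Baseline.LockoutThreshold `
        -LockoutDuration ([TimeSpan]::FromMinutes(30)) -LockoutObservationWindow ([TimeSpan]::FromMinutes(30))
}

# Auditing. Logon events need only the policy; recording access to a folder
# needs both the "File System" subcategory and a SACL on the folder itself,
# otherwise nothing reaches the Security log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$folder = 'C:\Shares\Finance'                       # assumed path
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', 'ReadData, WriteData, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl
```

In a domain the auditpol and SACL steps would normally be pushed centrally through a GPO (Advanced Audit Policy Configuration and the File System security settings) rather than run on each machine; the script shows what those settings do on one host.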

Organization wide Policies

Most organizations use wallpapers, screen savers, interactive logon messages, etc., in an effort to establish a standard among all its employees. Organizations also have Internet policies that all users in the organization should adhere to.

Cost and Time

Tasks like software installation consume a lot of time. Installing and updating software on all computers, for all users, not only takes time but also affects productivity, as employees lack access to their computers while the installation is taking place.

Group Policies play a crucial role in ensuring that the employees of an organization can have a hassle free experience when it comes to using the IT resources to accomplish their tasks.

Active Directory

What is Active Directory ?

Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.

Active Directory provides a central location for network administration and security.
Server computers that run Active Directory are called domain controllers.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs on to a computer that is part of a Windows domain, Active Directory verifies the submitted credentials and determines whether the user is authorized: the domain controller authenticates the user (normally with Kerberos) and issues a token whose group SIDs are what resources later check for authorization.

Active Directory relies on the Lightweight Directory Access Protocol (LDAP, for reading and writing the directory), Kerberos (authentication) and the Domain Name System (DNS, for locating domain controllers and services) to manage the environment.


An Active Directory structure is a hierarchical arrangement of information about objects (e.g. users, computers, etc.). The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a database schema, which also determines the kinds of objects that can be stored in Active Directory.

The following diagram illustrates the relationship of the Active Directory domains, OUs, trees, and forests.

The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain, such as computers, printers, documents, databases and users, are those considered vital to the network. A directory is made up of one or more domains. A domain can span more than one physical location.
An OU is a container used to organize objects within a domain into a logical administrative group. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority or link a Group Policy. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.
A tree is a grouping or hierarchical arrangement of one or more Windows Server domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure.
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
All domains in a forest share a common schema.
All domains in a forest share a common global catalog.
All domains in a forest are linked by implicit two-way transitive trusts.
Trees in a forest have different naming structures, according to their domains.
Domains in a forest operate independently, but the forest enables communication across the entire organization. Because the schema and configuration are shared and the trusts are transitive, the forest, not the domain, is the security boundary: an administrator of one domain in the forest should be assumed able to affect every other domain in it.
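As an added example (not code from the original post), the following PowerShell walks the structure just described, from forest to trees, domains and top-level OUs, and checks the listed properties against a live forest: a single schema and global catalog, two-way transitive trusts inside the forest, and, for the OU paragraph above, the explicit ACEs on each top-level OU where delegated administration is recorded. It needs the ActiveDirectory module; nothing about domain or OU names is assumed.

```powershell
# Added example, not code from the original post. Prints the forest layout,
# per-OU delegations and trusts. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest        : $($forest.Name)  mode $($forest.ForestMode)  root domain $($forest.RootDomain)"
"Schema master : $($forest.SchemaMaster)"                  # one schema, one owner, for the whole forest
"Global catalog: $($forest.GlobalCatalogs -join ', ')"      # every GC serves the same forest-wide partial replica

foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    # A domain with no parent is the root of its own tree. Trees in one forest
    # have unrelated DNS names yet still share schema, GC and trusts.
    $role = if ($d.ParentDomain) { "child of $($d.ParentDomain)" } else { 'tree root' }
    # Every security principal's SID is this domain SID plus a relative ID.
    "  Domain $($d.DNSRoot) [$($d.NetBIOSName)]  SID $($d.DomainSID)  ($role)"

    foreach ($ou in Get-ADOrganizationalUnit -Server $d.DNSRoot -Filter * -SearchScope OneLevel) {
        "    OU $($ou.DistinguishedName)"
        # Explicit (non-inherited) ACEs on an OU are its delegations; inherited
        # ones come from the domain head. Anyone besides the built-in admin
        # groups holding GenericAll, WriteDacl or WriteOwner here effectively
        # owns every user, computer and nested OU beneath it.
        $sd = (Get-ADObject -Identity $ou.DistinguishedName -Server $d.DNSRoot -Properties nTSecurityDescriptor).nTSecurityDescriptor
        $sd.Access |
            Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { "      {0,-40} {1}" -f $_.IdentityReference, $_.ActiveDirectoryRights }
    }
}

# Trusts. Intra-forest trusts should all show BiDirectional and IntraForest=True
# (the implicit two-way transitive trusts). IntraForest=False entries are
# external or forest trusts to other organizations: there, SID filtering and
# selective authentication are the controls that keep a foreign domain from
# presenting SIDs it should not hold.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize
```

Reading the delegation ACEs alongside the trust list is what turns the diagram into a security picture: the OU ACLs show who can take over parts of a domain, and the trust list shows how far that control reaches beyond it.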