Windows Server 2003 - Policy
©2004 Team Approach Limited
All rights reserved


Group Policies are a mechanism to enforce configuration options for computers and users. This enforcement is achieved by changing registry entries to reflect the policies. The policies are specified and stored in the Active Directory as GPOs, Group Policy Objects. The GPO is created and modified with the GPO editor shown in the following dialog.

GPOs are associated with Sites, Domains, and OUs and apply to all objects within the site, domain or OU. If an object is affected by more than one GPO, the policy which is closest to the object has precedence. The sequence of precedence is Sites, Domains, and finally OUs, or SDOU. Some policy values are cumulative. For example, if login scripts are specified in multiple GPOs then all are run.

The following diagram shows the precedence for GPOs in different OUs.


    |
  GPO1:
    Wallpaper = Autumn.jpg
    Logon script = one.vbs
    |
  GPO2:
    Wallpaper = Ascent.jpg
    Logon script = two.vbs
    |
  UserX:
    Wallpaper = Ascent.jpg
    Logon script = one.vbs, two.vbs
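
The precedence rules above, worked through as an added example (not part of the original page): a Python model that applies GPOs in SDOU order, lets the closest GPO win for single-valued settings, accumulates logon scripts, and records which GPO supplied each effective value. The function name, the level/depth encoding, and the reading of the diagram as a parent OU containing a child OU are assumptions of this example; it models only the rules stated here.

```python
# Added example: models only the precedence rules stated on this page.
# Processing order: Site, then Domain, then OUs (SDOU). Later = closer = wins.
LEVEL_ORDER = {"site": 0, "domain": 1, "ou": 2}

# Settings the page describes as cumulative (all values are kept).
CUMULATIVE = {"Logon script"}


def resultant_policy(links):
    """Compute effective settings for one object.

    links: iterable of (level, depth, gpo_name, settings) tuples, where
    depth orders nested OUs (hypothetical encoding: larger = closer to
    the object). Returns (effective, origin); origin names the GPO(s)
    that supplied each effective value, which is what you check when a
    setting does not match the intended baseline.
    """
    effective, origin = {}, {}
    ordered = sorted(links, key=lambda l: (LEVEL_ORDER[l[0]], l[1]))
    for _level, _depth, gpo, settings in ordered:
        for key, value in settings.items():
            if key in CUMULATIVE:
                effective.setdefault(key, []).append(value)
                origin.setdefault(key, []).append(gpo)
            else:
                effective[key] = value   # closest GPO overwrites
                origin[key] = gpo
    return effective, origin


# The diagram's two GPOs, assumed linked to a parent OU and a child OU.
# Listed out of order on purpose: the result must not depend on input order.
DIAGRAM_LINKS = [
    ("ou", 2, "GPO2", {"Wallpaper": "Ascent.jpg", "Logon script": "two.vbs"}),
    ("ou", 1, "GPO1", {"Wallpaper": "Autumn.jpg", "Logon script": "one.vbs"}),
]

if __name__ == "__main__":
    effective, origin = resultant_policy(DIAGRAM_LINKS)
    for key in effective:
        print(f"{key} = {effective[key]}  (from {origin[key]})")
```
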

User policies are applied when the user logs on. Computer policies are applied when the computer starts. Policies are also applied periodically. Policies can be applied immediately by using the SECEDIT command. For example:

  • SECEDIT /refreshpolicy user_policy
  • SECEDIT /refreshpolicy machine_policy

Keyboard Exercise

In the Active Directory Users and Computers console, select your domain and start the properties dialog. Select the Group Policy tab and edit the default domain policy. Investigate the many options that are available.