
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

Group Policy - policy application management

Petr Bouška - Samuraj
Group Policy is used to centrally manage computers through Active Directory, so it is mainly used for computers joined to a domain. There is also Local Group Policy, which offers somewhat more limited functionality but works on standalone computers as well. Besides Group Policy there are now also Group Policy Preferences, which behave slightly differently. Here we look at how Group Policies are applied to objects (users and computers), how to filter them, how to use loopback processing, and how to look for application errors.

Group Policy is now most often created and configured with the Group Policy Management Console (GPMC), which we will also use throughout the article; previously (and still for local policies) the Group Policy Object Editor (gpedit.msc) was used. The settings are stored in a Group Policy Object (GPO), whose container part lives in Active Directory and whose file part lives in SYSVOL on the domain controllers. Group Policies have several predefined areas (depending on the OS version) plus extensions via Administrative Templates. They most often modify the registry, but can also change security settings, install software, configure Internet Explorer, and so on. A GPO has two main parts: Computer Configuration and User Configuration.

Group Policy structure

Group Policy most often works by modifying the registry on the client workstation or server. The Computer Configuration part contains settings for the computer; they apply to computer objects in Active Directory, so they affect the selected computer regardless of who logs on. They write to the HKEY_LOCAL_MACHINE (HKLM) branch, for example HKLM\Software\Policies\Microsoft\Windows or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System. Applications that honour policy read the Policies branch in preference to their ordinary settings, and those keys are writable only by administrators and the system, which is what makes a policy setting managed rather than merely a default the user could change.

The User Configuration part contains settings for the user; they apply to user accounts in Active Directory, so they affect the selected user regardless of which computer they log on to. They write to the HKEY_CURRENT_USER (HKCU) branch, for example HKCU\Software\Policies\Microsoft\Windows or HKCU\Software\Microsoft\Windows\CurrentVersion\Policies.

Computer policies are applied at computer startup and user policies at user logon. Both are then re-applied during the periodic Group Policy refresh, which on workstations and member servers runs every 90 minutes plus a random offset of up to 30 minutes (on domain controllers every 5 minutes). The background refresh only reprocesses GPOs whose version has changed, and some client-side extensions (software installation, folder redirection, startup/logon scripts) are processed only at startup or logon, never in the background. We can also force policy application manually; with the /force switch all settings are reapplied even if no GPO has changed, without it only changed GPOs are processed:

gpupdate /force
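The following is an added example, not code from the original article: it walks the four registry branches named above on the local machine and lists every value Group Policy has written there, then diffs the result around a forced refresh so you can see exactly which values a policy change touched. It assumes an elevated session (needed for HKLM); the paths are the ones from the text, everything else is illustrative.

```powershell
# Added example (not from the original article): enumerate what Group Policy
# has written into the policy branches of the registry on this machine.
function Get-PolicyRegistryValues {
    [CmdletBinding()]
    param(
        # Branches written by the Computer (HKLM) and User (HKCU) configuration
        [string[]]$Path = @(
            'HKLM:\SOFTWARE\Policies',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
            'HKCU:\Software\Policies',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
        )
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # the root key itself plus every subkey beneath it (RegistryKey objects)
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name              # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
                    Name  = $name                  # '' is the key's (Default) value
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Snapshot, force a full reapply, snapshot again: the diff is what the refresh changed.
$before = Get-PolicyRegistryValues
gpupdate /force | Out-Null          # reapplies all settings, not only changed GPOs
$after  = Get-PolicyRegistryValues
Compare-Object $before $after -Property Key, Name, Value |
    Format-Table Key, Name, Value, SideIndicator -AutoSize
```

A value present in the "after" set only (SideIndicator =>) was written by a GPO processed in this refresh; one present only in "before" (<=) was removed because its GPO no longer applies. With no policy change in between the diff is empty, which is itself a useful check that the client is in sync.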

Policy Application

Group Policies are applied by linking them to a container (link to). These are Active Directory containers site, domain, or organizational unit (OU).

Link GPO

Because AD is hierarchical, policy application uses inheritance and is cumulative: a GPO linked to an OU affects all computers and users in that OU and in every nested OU, and where several GPOs apply their settings are combined. A GPO that contains only computer settings is still processed for the users in its scope, but has no effect on them. Whether a GPO applies at all also depends on whether the computer or user has permission to apply it (this is what filtering, described below, is based on).

GPOs are processed in sequence, and a GPO processed later overwrites the settings of an earlier one where they conflict. The order is local GPO, site, domain, OU, ending with the OU closest to the object (LSDOU), so the nearest OU wins. Several GPOs linked to one container are processed according to the Link Order on the Linked Group Policy Objects tab: link order 1 has the highest precedence, i.e. it is processed last.

Linked Group Policy Objects

Disabling Part of the Policy

Even if a GPO contains settings in only one part (computer or user), it is by default processed on every object (user or computer) in its scope, and processing each GPO, even an empty part, costs time on the client at startup, logon and refresh. So where a GPO uses only one part it is appropriate to disable the other one, and in general to keep the number of GPOs low by combining related settings into one.

Select the policy, switch to the Details tab and set the GPO Status item to one of four values:

  • Enabled - both parts enabled
  • All settings disabled - everything disabled
  • Computer configuration settings disabled - only the user part is applied
  • User configuration settings disabled - only the computer part is applied
Disabling part of a policy
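An added example, not the article's code, of doing the above at scale with the GroupPolicy PowerShell module (RSAT/GPMC): it reports every GPO in the domain whose computer or user side has never been edited (its DS version is still 0) yet is still enabled, and offers a function to switch the unused side off. The assumption that "version 0 means empty" holds only for a side that was never touched; a side that was edited and later emptied has a non-zero version and would need a report (Get-GPOReport) to confirm it is empty. Function names are mine.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module
# and a domain connection; run as a user with rights to edit the GPOs.
Import-Module GroupPolicy

function Get-HalfEmptyGpo {
    # A configuration side whose DSVersion is 0 has never been edited, so it
    # is empty; processing it is pure overhead on every client in scope.
    Get-GPO -All | ForEach-Object {
        $computerEmpty = ($_.Computer.DSVersion -eq 0)
        $userEmpty     = ($_.User.DSVersion -eq 0)
        $suggest = $null
        if ($computerEmpty -and $userEmpty) {
            $suggest = 'empty GPO: delete it or set AllSettingsDisabled'
        } elseif ($computerEmpty -and $_.GpoStatus -eq 'AllSettingsEnabled') {
            $suggest = 'ComputerSettingsDisabled'
        } elseif ($userEmpty -and $_.GpoStatus -eq 'AllSettingsEnabled') {
            $suggest = 'UserSettingsDisabled'
        }
        if ($suggest) {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Id          = $_.Id
                Status      = $_.GpoStatus       # the same four values GPMC shows
                ComputerVer = $_.Computer.DSVersion
                UserVer     = $_.User.DSVersion
                Suggestion  = $suggest
            }
        }
    }
}

function Disable-UnusedGpoHalf {
    # Switch off the never-edited side of one GPO; GpoStatus is writable and
    # accepts AllSettingsEnabled, AllSettingsDisabled, UserSettingsDisabled,
    # ComputerSettingsDisabled.
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name
    if ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -ne 0) {
        $gpo.GpoStatus = 'UserSettingsDisabled'
    } elseif ($gpo.Computer.DSVersion -eq 0 -and $gpo.User.DSVersion -ne 0) {
        $gpo.GpoStatus = 'ComputerSettingsDisabled'
    }
    Get-GPO -Name $Name | Select-Object DisplayName, GpoStatus
}

# Report first, change later and one GPO at a time
Get-HalfEmptyGpo | Format-Table -AutoSize
# Disable-UnusedGpoHalf -Name 'Workstation-Hardening'   # hypothetical GPO name
```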

Loopback Processing

Sometimes we need certain user settings to depend on the computer the user logs on to: every user who logs on to a given computer gets those settings, while on another computer the settings may differ. Typical cases are terminal servers, kiosks, or laptops versus workstations.

For this there is Group Policy loopback processing mode. In Replace mode the user settings from the GPOs linked to the computer's own location replace the user settings that would otherwise apply to the user; in Merge mode both are applied, with the computer-side user settings processed last, so they win conflicts. It is set in the GPO under Computer Configuration - Administrative Templates - System - Group Policy - User Group Policy loopback processing mode: set Enabled and choose Mode Replace or Merge.

This seemed very pleasant to me when I read about the method. Unfortunately, in practice one finds that the solution is almost unusable. It does not mean that the user settings of a particular GPO are applied to the user according to the computer; it is a global setting that changes the behaviour of the computers it applies to, and therefore affects all policies processed on them.

This means that with Replace mode set, no user settings from GPOs applied only to the user are used at all; we have to link the user settings to the computers. We could link such policies to the whole domain, but then we lose the targeting of policies at specific OUs of users (which will probably always be a problem). Or we can use Merge mode, in which case both the policies applied to the user and the policies on the computer are applied. But that extends policy processing time, unexpected situations may arise, and troubleshooting becomes difficult.

GPO Loopback processing
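As an added example (not code from the article), here is the loopback setup for a terminal-server OU done from PowerShell instead of the GPMC dialog, which also shows what the setting really is underneath: a registry policy value UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace). The GPO name, OU distinguished name and the sample user setting (NoRun, "Remove Run menu from Start Menu") are my assumptions. The check function at the end is meant to run on the target server after gpupdate.

```powershell
# Added example (not from the original article). Names are hypothetical.
Import-Module GroupPolicy

$gpoName = 'TS-Loopback'
$ouDn    = 'OU=TerminalServers,OU=Servers,DC=example,DC=local'

# Loopback mode lives in the GPO as a registry policy:
#   HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (DWORD)
#   1 = Merge, 2 = Replace; removing the value = Not Configured
$mode = @{ Merge = 1; Replace = 2 }

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDn | Out-Null
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $mode.Replace | Out-Null

# The user settings that every session on these servers should get go into a
# GPO linked to the *computers'* OU (here the same GPO). In Replace mode these
# are the only user settings a logged-on user receives on those machines.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Read back both halves of the GPO
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# On a target server after gpupdate: which loopback mode is actually in effect?
function Get-LoopbackMode {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($v.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}
Get-LoopbackMode
```

Because the mode is a computer setting, linking this GPO only to the terminal-server OU confines the "global" effect the text warns about to those servers; users logging on to ordinary workstations keep their normal user policies.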

Restricting Policy Application

Filtering Policy Application

For dynamic control over which computers and users a GPO applies to we can use WMI Filtering or Security Filtering. With WMI (Windows Management Instrumentation) we create a filter, a WQL query evaluated on the target computer, and the GPO is applied only where the query returns a result; a typical example is a particular OS version. A WMI filter is evaluated in the computer's context and applies to the whole GPO, both its computer and user parts. Security Filtering, on the other hand, restricts the GPO to the members of a security group, or to specific computers or users: by default Authenticated Users has the Read and Apply Group Policy permissions, and replacing that with a group is what narrows the scope. Since the MS16-072 security update (June 2016) the user part of a GPO is retrieved in the computer's security context, so computer accounts must keep at least Read permission on the GPO (for example by leaving Authenticated Users or Domain Computers with Read), otherwise the user settings are not applied either.
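An added example, not the article's code, covering both filter types: it tests a WQL filter locally the way the Group Policy engine evaluates it (non-empty result means the filter passes) before you attach it to a GPO in GPMC, then narrows security filtering to a group while keeping Read for Authenticated Users so that computers can still retrieve the GPO after MS16-072, and finally lists who can apply versus only read. The GPO and group names are assumptions; the WQL selects Windows 10/11 client editions (Version 10.x, ProductType 1 = workstation).

```powershell
# Added example (not from the original article). Requires the GroupPolicy module.
Import-Module GroupPolicy

$gpoName  = 'Workstation-Hardening'                 # hypothetical GPO
$applyGrp = 'GPO-Workstation-Hardening-Apply'       # hypothetical security group

# 1) WMI filter: a GPO with this filter applies only where the query returns
#    at least one instance. Test the query on a candidate machine first.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = 1'

function Test-WmiFilterLocally {
    param([Parameter(Mandatory)][string]$Query)
    @(Get-CimInstance -Query $Query -ErrorAction SilentlyContinue).Count -gt 0
}
Test-WmiFilterLocally -Query $wql      # True on a Win10/11 client, False on a server

# 2) Security filtering: downgrade the default "Authenticated Users: Apply" to Read
#    (-Replace removes the old level first), then grant Apply to the group only.
#    Keeping Read for Authenticated Users is what lets computer accounts fetch the
#    GPO's user part after MS16-072.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3) Verify the resulting ACL: who applies, who only reads
function Get-GpoScopeAcl {
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Inherited
}
Get-GpoScopeAcl -Name $gpoName | Format-Table -AutoSize
```

If a computer lacks Read on a GPO, gpresult /r on that machine lists the GPO under the denied ones with the reason "Inaccessible", which is the symptom to look for when user settings stop applying after security filtering is tightened.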

Blocking Inheritance

Another way to control policy application is to block inheritance on a container. Right-click the OU or domain and choose Block Inheritance; GPOs linked at parent containers (site, domain, parent OUs) then stop applying, with the exception of enforced ones.

The opposite option is to enforce a GPO link so that it can be neither overwritten nor blocked. Right-click the link and choose Enforced. Enforced links get the highest precedence in the result, and if several enforced links conflict, the one linked higher in the hierarchy (for example at the domain) wins over one linked at a lower OU.

We can see which policies are applied to an object on the Group Policy Inheritance tab. We also see the processing order here.

Group Policy Inheritance
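The following added example (not code from the article) ties together the processing order from the Policy Application section and the blocking and enforcing described here: it blocks inheritance on a workstation OU, enforces a baseline GPO linked at the domain root so that it still reaches that OU, and then prints the resolved precedence list that GPMC shows on the Group Policy Inheritance tab. The OU and GPO names are assumptions, and the baseline GPO is assumed to be already linked at the domain root.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'                       # hypothetical domain
$ou       = "OU=Workstations,$domainDn"                  # hypothetical OU
$baseline = 'Domain-Baseline'                            # hypothetical GPO linked at the domain root

# Block inheritance on the OU: site/domain/parent-OU links stop applying there...
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# ...except Enforced links, which still apply and cannot be overridden below.
Set-GPLink -Name $baseline -Target $domainDn -Enforced Yes | Out-Null

function Get-GpoPrecedence {
    # Resolved list for a container, first entry = highest precedence, i.e. the
    # GPO processed last whose settings win any conflict (LSDOU plus Enforced).
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Precedence         = ++$i
            GPO                = $link.DisplayName
            LinkedAt           = $link.Target
            Enforced           = $link.Enforced
            LinkEnabled        = $link.Enabled
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }
}

Get-GpoPrecedence -Target $ou | Format-Table -AutoSize
```

With inheritance blocked, the output for the OU should contain only the GPOs linked directly to it plus the enforced Domain-Baseline, and the enforced one sits at the top of the list despite being linked further up the tree.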

Checking Policy Application

The Group Policy Management Console includes two tools for troubleshooting. Group Policy Results returns live information about the policies applied on a selected computer and user, including errors and the GPOs that were filtered out and why; it reads the resultant set of policy (RSoP) data from the target computer itself, so the computer must be reachable and the user must have logged on there at least once. It is a very useful tool, and the same data is available locally with gpresult. The second tool is Group Policy Modeling, which simulates policy application on a domain controller for a chosen combination of container, user, computer, group membership and filters, and displays the predicted result.
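An added example (not from the article) of the same checks from the command line on the client being troubleshot: the RSoP report GPMC's Group Policy Results would produce, the built-in gpresult output that lists applied and denied GPOs with the denial reason, and a query of the Group Policy operational event log for recent errors and warnings, which is where the reason for a failed application usually is. The computer and user names in the remote call are placeholders.

```powershell
# Added example (not from the original article). Run elevated on the client.
Import-Module GroupPolicy

# RSoP (logging mode) for the local machine and current user, as an HTML report
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"

# Built-in tool: /r summarises applied GPOs and the ones denied (with reason:
# Security Filtering, WMI Filter, Disabled, Inaccessible ...); /h writes a full report
gpresult /r
gpresult /h "$env:TEMP\gpresult.html" /f

# Errors and warnings from the Group Policy engine over the last N hours
function Get-GpErrors {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3                               # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Level,
                  @{n = 'Message'; e = { $_.Message.Split("`n")[0] }}   # first line only
}
Get-GpErrors -Hours 24 | Format-Table -AutoSize

# Remote variant, equivalent to the GPMC Group Policy Results wizard:
# the target must be reachable and the user must have logged on there before.
Get-GPResultantSetOfPolicy -Computer 'PC01' -User 'EXAMPLE\jnovak' `
    -ReportType Xml -Path "$env:TEMP\PC01-jnovak.xml"
```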


Comments
  1. [1] Tomáš Langmaier

    Thanks!

    Thursday, 29.01.2015 08:46
  2. [2] Jiřina

    Excellently explained

    Thursday, 16.04.2015 09:33
  3. [3] Sohaj

    Even after so many years this article is useful. Thank you

    Wednesday, 28.06.2017 13:27
  4. [4] DARK

    Hello,

    I am dealing with the following problem and would need advice on a specific issue.

    I need to use domain GPO policies to apply to specific workstations a PowerShell script that modifies the behaviour of Metro apps on Windows 10 build 1511 - 10586. I would like this script to run right after startup, so it should be a Startup script. I am able to filter out the PCs with this build in AD.

    But the following things are not clear to me:

    1. Which AD container should I apply it to specifically? The whole Computers container? Unfortunately I have not found anywhere how to apply it only to the specific filtered PCs in the Computers container; I have only come across some WMI filters, where it should apparently be possible to set this up somehow, but unfortunately I did not understand exactly how that works.

    2. Some PCs have some older scripts deployed LOCALLY (NOT via GPO), which I would like to get rid of and set only this one there; can I delete them in bulk somehow via GPO?

    3. How should I set the access rights? By default, Security Filtering in the GPO is set to Authenticated Users; can I leave that there, or does it need to be changed somehow?

    4. How exactly should the GPO be set up? In my view it should be GPO - EDIT - Computer Configuration - Policies - Windows settings - Scripts - Startup - PowerShell Scripts tab, and there via Add... enter the path on a network drive to that file. Is that enough, or do I also have to copy the script file into the SYSVOL folder (Show Files button), and do I have to confirm and save it somewhere?

    5. On the workstations it is then enough to run gpupdate/force and after a restart the script should apply?

    Thanks a lot for the answers

    Tuesday, 12.06.2018 13:40
  5. [5] adminšlakmin

    xDDDDD reading these comments lol

    Thursday, 05.12.2019 19:21