Using and Implementing Group Policy

Group Policy is so important to a successful Active Directory implementation that most administrators think of it as a component of Active Directory. This is mostly true—and it is okay to think of it this way—but you don’t necessarily need Active Directory to use Group Policy.

Using Group Policy in Workgroups and Domains

You can use Group Policy to manage workstations running Microsoft Windows 2000 and Windows XP Professional as well as servers running Windows 2000 and Windows Server™ 2003. While you can’t use Group Policy to manage Windows NT® workstations or servers, Windows 95, Windows 98, Windows Millennium Edition (Me), or Windows XP Home Edition, you can use Group Policy in both enterprise (domain) and local (workgroup) environments.

For enterprise environments where Active Directory is deployed, the complete set of policy settings is available. This policy set is referred to as domain-based Group Policy, Active Directory–based Group Policy, or simply Group Policy. In Active Directory, two important related elements are sites and organizational units (OUs). A site represents the physical architecture of your network. It is a group of TCP/IP subnets that are implemented to control directory replication traffic and isolate logon authentication traffic between physical network locations. OUs are used to group objects in a domain. An OU is a logical administrative unit within a domain that can be used to represent the structure of an organization or its business functions.

Working with Group Policy Objects

Group Policy is applied in discrete sets, referred to as Group Policy Objects (GPOs). GPOs contain settings that can be applied in a variety of ways to computers and users in a specific Active Directory domain, site, or OU. Because of the object-based hierarchy in Active Directory, the settings of top-level GPOs can also be inherited by lower-level GPOs.

For example, a setting for the cpandl.com domain can be inherited by the Engineering OU within that domain, and the domain settings will be applied to users and computers in the Engineering OU. If you don’t want policy settings to be inherited, you can block inheritance to ensure that only the GPO settings linked at the lower level are applied.

Tip

With domain-based Group Policy, you might think that the forest or domain functional level would affect how Group Policy is used, but this is not the case. The forest and domain do not need to be in any particular functional mode to use Group Policy. The forest functional level can be Windows 2000, Windows Server 2003 Interim, or Windows Server 2003. The domain functional level can be Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim, or Windows Server 2003.

For local environments, a subset of Group Policy called Local Group Policy is available. As the name implies, Local Group Policy allows you to manage policy settings that affect everyone who logs on to a local machine. This means Local Group Policy applies to any user or administrator who logs on to a computer that is a member of a workgroup as well as any user or administrator who logs on locally to a computer that is a member of a domain. Because Local Group Policy is a subset of Group Policy, there are some things you can’t do locally that you can do in a domain setting. Generally speaking, the areas of policy that you can’t manage locally have to do with Active Directory features that you can manage through Group Policy, such as software installation. Like Active Directory–based Group Policy, however, Local Group Policy is managed through a GPO. This GPO is referred to as the Local Group Policy Object (LGPO).

Beyond these fundamental differences between Local Group Policy and Active Directory–based Group Policy, both types of policy are managed in much the same way. In fact, you use the same tools to manage both. The key difference is in the GPO you work with. On a local machine, you work exclusively with the LGPO. If you have deployed Active Directory, however, you can also work with domain, site, and OU GPOs in addition to LGPOs.

Tip

Whether they are client workstations, member servers, or domain controllers, all Windows 2000, Windows XP Professional, and Windows Server 2003 computers have a Local Group Policy Object (LGPO). The LGPO is always processed. However, it has the least precedence, which means its settings can be superseded by site, domain, and OU settings. Although domain controllers have LGPOs, Group Policy for domain controllers is managed best through a default GPO called the Default Domain Controllers Policy. There’s also a default GPO for domains called the Default Domain Policy. As you might imagine, these default GPOs have special purposes and are used in very specific ways. You’ll learn more about these default GPOs later in this chapter in the section titled "Working with Linked GPOs and Default Policy."
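To make the inheritance rules from the Engineering OU example and the LGPO precedence rule in this tip concrete, here is a small Python model added to this section (it is not code from the book or from Windows): it processes the LGPO first, then site, domain, and OU GPOs in order, lets later settings overwrite earlier ones, and honors Block Inheritance on the Engineering OU. All GPO names, container names, and settings are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict  # policy name -> value (constructed sample settings)

@dataclass
class Container:
    name: str                        # site, domain, or OU
    gpos: list                       # GPOs linked here, in link order
    block_inheritance: bool = False  # Block Policy inheritance set on this container

def resolve_effective_policy(lgpo, chain):
    """chain lists containers from the site down to the computer's OU.
    Returns (effective settings, names of the GPOs actually applied)."""
    # The lowest container that blocks inheritance discards every GPO linked
    # above it; the LGPO is not linked to a container, so it is always processed.
    start = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            start = i
    applied = [lgpo] + [g for c in chain[start:] for g in c.gpos]
    effective = {}
    for gpo in applied:  # later GPOs overwrite earlier ones: LGPO < site < domain < OU
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective, [g.name for g in applied]

# Constructed sample: a workstation in the Engineering OU of cpandl.com.
LGPO = GPO("Local Group Policy Object", {"ScreenSaverTimeout": 600, "ShowRunCommand": True})
SITE = Container("Default-First-Site-Name", [GPO("Site Policy", {"WsusServer": "wsus.cpandl.com"})])
DOMAIN = Container("cpandl.com", [GPO("Default Domain Policy", {"ScreenSaverTimeout": 900, "DisableCmd": True})])
ENGINEERING = Container("Engineering", [GPO("Engineering Policy", {"ShowRunCommand": False})])

def effective_for_engineering(block_inheritance=False):
    """Resolve policy for the sample workstation, with or without Block Inheritance on Engineering."""
    ou = Container(ENGINEERING.name, ENGINEERING.gpos, block_inheritance)
    return resolve_effective_policy(LGPO, [SITE, DOMAIN, ou])

if __name__ == "__main__":
    for blocked in (False, True):
        effective, applied = effective_for_engineering(blocked)
        print(f"Block Inheritance on Engineering = {blocked}: applied {applied}")
        for setting, (value, source) in sorted(effective.items()):
            print(f"  {setting} = {value!r}  (from {source})")
```

With inheritance blocked, the site and domain GPOs drop out, so ScreenSaverTimeout falls back to the LGPO value while the Engineering OU setting still wins over the LGPO.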
