Local Group Policy is available on any computer running Windows 2000, Windows XP Professional, or Windows Server 2003. Domain-based Group Policy is available only if your network is running Active Directory. Because Active Directory in turn relies on TCP/IP and Domain Name System (DNS), you must implement TCP/IP networking, DNS, and Active Directory to use domain-based Group Policy.
DNS provides the naming context that allows one computer to find another computer. It is an Internet Engineering Task Force (IETF) standard name service that is described in detail in RFC 1034 and RFC 1035. DNS is installed automatically with TCP/IP on workstations and servers, and it provides for several types of forward lookup queries that allow a computer to resolve a host name to an IP address and reverse lookup queries that allow a computer to resolve an IP address to a host name.
Active Directory provides essential directory services for the domain and the many features that enable advanced controls through Group Policy. The primary communications protocol for Active Directory is Lightweight Directory Access Protocol (LDAP). LDAP is an industry-standard protocol for directory access that runs over TCP/IP. Clients can use LDAP to query and manage directory information, in accordance with the level of access they’ve been granted. Other communications protocols are supported as well, including the REPL interface, which is used for replication; Messaging Application Programming Interface (MAPI), which is used for older messaging clients; and Security Accounts Manager (SAM) interface, which allows Windows NT 4.0 clients to access Active Directory in a limited way. Together, these interfaces allow:
Communication with LDAP, Active Directory Services Interface (ADSI), and newer Outlook clients for the purposes of authentication, access control, directory queries, and directory management
Replication with other directory servers for the purposes of distributing directory changes to other domain controllers
Communication with older (MAPI) Outlook clients, primarily for address book lookups
Communication with Windows NT 4.0 clients for the purposes of authentication and access control
By using DNS with Active Directory, you can establish directory structures that give very specific naming contexts. Objects within the directory are logically grouped by domain. This makes the domain one of the basic building blocks in Active Directory. Two additional building blocks are sites and OUs, which we previously introduced.
Active Directory has very specific rules when it comes to domains, sites, and OUs. Every workstation or server on a network must be a member of a domain and be located in a site. A workstation or server can belong to only one domain and one site. OUs, on the other hand, are defined within domains and can be thought of as containers for subsets of a domain. For example, you might have Engineering, Marketing, Sales, and Support OUs within your domain. Like domains, OUs can be organized into a hierarchy. For example, you might have Printer Sales and Computer Sales OUs within your Sales OU.
Note
With Windows NT, you often created additional domains to create clear separation between users, computers, and resources or to delegate administrator privileges while limiting administrative access. You can use Active Directory OUs for similar purposes—without the need to establish additional (and more complex) domain structures. Another reason for creating additional domains in NT was to reduce traffic between network segments, and this is where Active Directory sites come into the picture. You can use sites to gain better control over communications between network segments.
When you include the local computer within the basic structures we’ve discussed, a typical Active Directory network will have four distinct levels:
Local computer
Site
Domain
OU
When Group Policy is set at the local computer level, everyone who logs on to the local machine is affected by the policy settings (Local Group Policy). Domain-based Group Policy is set within the actual directory structure, and Active Directory–based policy settings are applied in this basic order: site, domain, OU.
This structure is thought of as having four tiers. The top tier is the Local Group Policy, the second tier is the site, the third tier is the domain, and the fourth tier is the OU. OUs can be nested within each other, so you can create additional levels in the hierarchy as needed. By default, when policy is set at one level, the setting applies to all objects at that level and all objects in the levels below, via inheritance.
The inheritance of policy settings works as follows (unless inheritance is blocked):
If a policy setting is applied at the site level, it affects all users and computers defined within domains and OUs that are part of the site. For example, if Main Site contains the tech.cpandl.com and sales.cpandl.com domains, any setting applied to the site will affect objects in both domains.
If a policy setting is applied at the domain level, it affects all users and computers defined within OUs that are part of the domain. For example, if the tech.cpandl.com domain contains the Engineering and IT OUs, any setting applied to the tech.cpandl.com domain will affect objects in the Engineering and IT OUs.
If a policy setting is applied at the OU level, it affects all users and computers defined within the OU as well as other OUs beneath it (child OUs). For example, if the Engineering OU contains the WebTeam and DevTeam child OUs, any setting applied to the Engineering OU will affect the WebTeam and DevTeam OUs.