Editing Group Policy (section)

==Operation==
Group Policies, in part, control what users can and cannot do on a computer system. For example, a Group Policy can be used to enforce a password complexity policy that prevents users from choosing an overly simple password. Other examples include: allowing or preventing unidentified users from remote computers to connect to a [[network share]], or to block/restrict access to certain folders. A set of such configurations is called a Group Policy Object (GPO).

As part of Microsoft's ''IntelliMirror'' technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include ''[[Roaming profile|roaming user profiles]]'', ''[[folder redirection]]'', and ''[[Windows Vista I/O technologies#Offline Files|offline files]]''.

===Enforcement===
To accomplish the goal of central management of a group of computers, machines should receive and enforce GPOs. A GPO that resides on a single machine only applies to that computer. To apply a GPO to a group of computers, Group Policy relies on [[Active Directory]] (or on third-party products like [[ZENworks Desktop Management]]) for distribution. Active Directory can distribute GPOs to computers which belong to a [[Windows domain]].

By default, Microsoft Windows refreshes its policy settings every 90 minutes with a random 30 minutes offset. On [[domain controller]]s, Microsoft Windows does so every five minutes. During the refresh, it discovers, fetches and applies all GPOs that apply to the machine and to logged-on users. Some settings - such as those for automated software installation, drive mappings, startup scripts or logon scripts - only apply during startup or user logon. Since [[Windows XP]], users can manually initiate a refresh of the group policy by using the <code>gpupdate</code> [[command (computing)|command]] from a [[command prompt]].<ref>
[https://technet.microsoft.com/en-us/library/bb490983.aspx Gpupdate]</ref>

Group Policy Objects are processed in the following order (from top to bottom):<ref>{{Cite web
 | title     = Group Policy processing and precedence
 | url       = https://technet.microsoft.com/en-us/library/cc785665.aspx
 | publisher = Microsoft Corporation
 | date      = 22 April 2012
 }}
</ref>

# '''Local''' - Any settings in the computer's local policy. Prior to Windows Vista, there was only one local group policy stored per computer. Windows Vista and later Windows versions allow individual group policies per user accounts.<ref>{{cite web|url=http://www.sevenforums.com/tutorials/151415-group-policy-apply-specific-user-group.html|title=Group Policy - Apply to a Specific User or Group - Windows 7 Help Forums|website=www.sevenforums.com}}</ref>
# '''Site''' - Any Group Policies associated with the ''[[Active Directory]] site'' in which the computer resides. (An Active Directory site is a logical grouping of computers, intended to facilitate management of those computers based on their physical proximity.) If multiple policies are linked to a site, they are processed in the order set by the administrator.
# '''Domain''' - Any Group Policies associated with the [[Windows domain]] in which the computer resides. If multiple policies are linked to a domain, they are processed in the order set by the administrator.
# '''Organizational Unit''' - Group policies assigned to the ''Active Directory organizational unit (OU)'' in which the computer or user are placed. (OUs are logical units that help organizing and managing a group of users, computers or other Active Directory objects.) If multiple policies are linked to an OU, they are processed in the order set by the administrator.

The resulting Group Policy settings applied to a given computer or user are known as the Resultant Set of Policy (RSoP). RSoP information may be displayed for both computers and users using the <code>gpresult</code> command.<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/cc733160(v=ws.10).aspx|title=Gpresult|author=Archiveddocs|website=technet.microsoft.com|date=18 April 2012 }}</ref>

===Inheritance===
A policy setting inside a hierarchical structure is ordinarily passed from parent to children, and from children to grandchildren, and so forth. This is termed ''inheritance''. It can be blocked or enforced to control what policies are applied at each level. If a higher level administrator (enterprise administrator) creates a policy that has inheritance blocked by a lower level administrator (domain administrator), this policy will still be processed.

Where a Group Policy Preference Settings is configured and there is also an equivalent Group Policy Setting configured, then the value of the Group Policy Setting will take precedence.

===Filtering===
''WMI filtering'' is the process of customizing the scope of the GPO by choosing a (WMI) filter to apply. These filters allow administrators to apply the GPO only to, for example, computers of specific models, RAM, installed software, or anything available via WMI queries.