Welcome to the fifth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. I was going to discuss the Lightweight Directory Access Protocol (LDAP) this week, but I had a few people write to me about Group Policy so I thought I would write about Active Directory Group Policy instead and delay my Lightweight Directory Access Protocol (LDAP) article until next week.
There are two types of group policy settings within the Windows 2000 Active Directory: computer configuration settings and user configuration settings. There are also two types of scripts that are run at start up: computer startup scripts and user logon scripts. The following sections will give an overview of how these configuration settings are applied.
[NOTES FROM THE FIELD] - Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 219 and I would agree, but you need to know both the Group Policy Administration pieces of 70-217 and the Group Policy Design requirements for 70-219 and much of this overlaps both exams. I took both exams singly and saw it for myself.
Computer Configuration Settings and Startup Scripts Overview
Computer configuration settings are used to set specific policies on local systems and are applied when the operating system initializes. They are the first things that are applied to any system due to the obvious fact that the system needs to fully initialize before a user can log on. The computer configuration settings are applied to everyone that logs on to that system. There may be user configuration settings (which are applied next) that override the computer configuration settings, but this does not mean they were not applied to the local system, only that they were overwritten by a subsequent user configuration setting or
Computer configuration settings are processed synchronously (one after another, after another) by default, but this setting can be changed by the domain administrator. These settings are processed in a specific order. Local GPOs are first, then site GPOs, followed by domain GPOs, and finally OU GPOs. There is not an option to log on while the computer configuration settings are being processed.
Any computer startup scripts that are set to run for the system start after all of the GPOs are processed. This is also hidden from the user's view and runs synchronously by default. This is important because each script must complete or time out before the next one starts. If there are issues with any single script, this will delay the startup completion of the system, as the default timeout period is set for 600 seconds (10 minutes). It is not recommended to change the synchronous execution nature of the scripts, as one may have a dependency on another, but it can be done at the administrator's discretion. The default timeout period of 600 seconds can be changed and often is.
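The processing order and the synchronous script behavior described above can be modeled in a few lines. This is an added example, not code from the original article or from Microsoft. The GPO names, setting names and script runtimes are constructed, the model ignores No Override and Block Inheritance, and it assumes scripts run in the same order the GPOs were processed.

```python
from dataclasses import dataclass, field

ORDER = ("local", "site", "domain", "ou")   # processing order given in the article
DEFAULT_TIMEOUT = 600                        # seconds, the default script timeout

@dataclass
class GPO:
    name: str
    level: str                                    # one of ORDER
    settings: dict = field(default_factory=dict)
    scripts: list = field(default_factory=list)   # (name, runtime in s; None = hangs)

def process_computer_policy(gpos, timeout=DEFAULT_TIMEOUT):
    """Return (effective settings, winning GPO per setting, script log, total delay)."""
    ordered = sorted(gpos, key=lambda g: ORDER.index(g.level))
    effective, source = {}, {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            effective[key] = value        # a later GPO overwrites an earlier one
            source[key] = gpo.name
    log, elapsed = [], 0
    # Scripts start only after every GPO is processed. Synchronous execution
    # means each script finishes or hits the timeout before the next begins.
    for gpo in ordered:
        for script, runtime in gpo.scripts:
            timed_out = runtime is None or runtime > timeout
            elapsed += timeout if timed_out else runtime
            log.append((script, "timed out" if timed_out else "completed", elapsed))
    return effective, source, log, elapsed

# Constructed sample input, deliberately listed out of processing order.
SAMPLE = [
    GPO("OU-Workstations", "ou", {"logon_banner": "Workstation: authorized use only"},
        [("map-printers.cmd", 5)]),
    GPO("Local", "local", {"logon_banner": "none", "audit_logon": "off"}),
    GPO("Domain-Baseline", "domain",
        {"logon_banner": "Authorized use only", "audit_logon": "success+failure"},
        [("inventory.vbs", None)]),            # None models a script that hangs
    GPO("Site-HQ", "site", {"audit_logon": "success"}, [("patch-check.cmd", 20)]),
]

if __name__ == "__main__":
    effective, source, log, total = process_computer_policy(SAMPLE)
    for key, value in effective.items():
        print(f"{key} = {value!r} (from {source[key]})")
    for script, status, at in log:
        print(f"{script}: {status}, {at}s since scripts began")
    print(f"startup scripts delayed the logon prompt by {total}s")
```

With the default timeout, the single hung script accounts for 600 of the 625 seconds of delay, which is why the timeout is so often lowered.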
[NOTES FROM THE FIELD] - In the following section titled Group Policy Settings Processing Order, I detail the full GPO processing as it follows the GPO order and inheritance tree.