Group Policy provides a means of configuring various settings and preferences on Windows devices locally or via Active Directory. Group Policy in the Austin Active Directory consists of multiple key items: Group Policy Objects, Organizational Units, computer objects, and user objects. A Group Policy Object (GPO) is a collection of one or more settings or preferences that can be applied to computers and/or users. An Organizational Unit (OU) is a container in Active Directory that can contain objects such as users, computers, groups, or other OUs. Each OU in Active Directory can have one or more GPOs assigned or linked to the OU. A computer object is the representation of a Windows device joined to the Austin Active Directory. A user object is the representation of a user account in the Austin Active Directory.
Group Policy is applied to Windows devices by the Group Policy service on each device. The service queries Active Directory to retrieve the GPOs and Group Policy information assigned to each OU between the device and root of the domain. The Group Policy information includes details such as the precedence order for the GPOs on each OU as well as any restrictions regarding applying OUs to particular devices. The service processes the combined list of GPOs and Group Policy information to compile the list of applicable setting and preferences then applies them to the device.
Group Policy is applied to user accounts by the same process as Windows devices due to loopback processing. Loopback processing enables the Group Policy service to modify the default behavior for retrieving settings and preferences for user accounts. The application of Group Policy to user accounts in the Austin Active Directory requires that loopback processing be enabled and set to Replace mode. This configures Group Policy to retreive user policy using the same method as computer policy.
Department-managed Group Policy Objects
Department administrators can create GPOs via the Department GPO Tools (https://www.austin.utexas.edu/deptgpotools/) as well as directly via PowerShell or the Group Policy Management Console (GPMC). The setttings and preferences in a GPO can be managed via the Group Policy editor or, where supported, via PowerShell. The GPOs must adhere to the Active Directory naming policy.
Centrally-managed Group Policy Objects
The Active Directory team creates and applies required GPOs to support Active Directory processses or to enforce security policy set by the Information Security Office (ISO). The required GPOs created by the Active Directory team will have the AUSTIN prefix and will be linked to either the domain root or the Departments container as needed. The required GPOs that enforce security policy will append ISO to the AUSTIN prefix. The required GPOs are documented below:
The Active Directory team also creates optional GPOs that implement common settings. These GPOs are available for departments to apply to their own OUs. The optional GPOs created by the Active Directory team will have the AUSTIN prefix to identify them to department administrators. A selection of the these GPOs are documented below.