Group Policy provides a means of configuring various settings and preferences on Windows devices locally or via Active Directory. Group Policy in the Austin Active Directory consists of multiple key items: Group Policy Objects, Organizational Units, computer objects, and user objects. A Group Policy Object (GPO) is a collection of one or more settings or preferences that can be applied to computers and/or users. An Organizational Unit (OU) is a container in Active Directory that can contain objects such as users, computers, groups, or other OUs. Each OU in Active Directory can have one or more GPOs assigned or linked to the OU. A computer object is the representation of a Windows device joined to the Austin Active Directory. A user object is the representation of a user account in the Austin Active Directory.
Group Policy is applied to Windows devices by the Group Policy service on each device. The service queries Active Directory to retrieve the GPOs and Group Policy information assigned to each OU between the device and the root of the domain. The Group Policy information includes details such as the precedence order for the GPOs on each OU as well as any restrictions regarding applying OUs to particular devices. The service processes the combined list of GPOs and Group Policy information to compile the list of applicable settings and preferences, then applies them to the device.
Group Policy is applied to user accounts by the same process as Windows devices due to loopback processing. Loopback processing enables the Group Policy service to modify the default behavior for retrieving settings and preferences for user accounts. The application of Group Policy to user accounts in the Austin Active Directory requires that loopback processing be enabled and set to Replace mode. This configures Group Policy to retrieve user policy using the same method as computer policy.
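The following PowerShell is an added example, not part of the original documentation: it lists the GPOs that reach a computer OU in precedence order and reports which of them configure loopback processing, so an administrator can confirm that Replace mode is the effective value. The OU distinguished name is a hypothetical placeholder; the registry location is the one written by the "Configure user Group Policy loopback processing mode" policy, and the script assumes the GroupPolicy module (installed with GPMC/RSAT) and read access to the GPOs.

```powershell
Import-Module GroupPolicy

# Hypothetical OU holding the computer objects; replace with your own.
$TargetOu = 'OU=Workstations,OU=ExampleDept,DC=example,DC=edu'

# Loopback policy value. UserPolicyMode: 1 = Merge, 2 = Replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

# InheritedGpoLinks covers links on the OU itself and on every parent up to
# the domain root. Order 1 is the highest precedence.
$inheritance = Get-GPInheritance -Target $TargetOu

$report = foreach ($link in $inheritance.InheritedGpoLinks) {
    # Get-GPRegistryValue raises an error when the GPO does not set the value.
    try {
        $value = Get-GPRegistryValue -Guid $link.GpoId -Key $LoopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        $mode  = $ModeNames[[int]$value.Value]
        if (-not $mode) { $mode = "Unknown ($($value.Value))" }
    } catch {
        $mode = 'Not set'
    }

    [pscustomobject]@{
        Order    = $link.Order
        Gpo      = $link.DisplayName
        LinkedAt = $link.Target
        Enabled  = $link.Enabled
        Enforced = $link.Enforced
        Loopback = $mode
    }
}

$report | Sort-Object Order | Format-Table -AutoSize

# The highest-precedence enabled link that sets the value decides the mode.
$effective = $report |
    Where-Object { $_.Enabled -and $_.Loopback -ne 'Not set' } |
    Sort-Object Order |
    Select-Object -First 1

if ($effective -and $effective.Loopback -eq 'Replace') {
    "Loopback Replace is set by '$($effective.Gpo)' (linked at $($effective.LinkedAt))."
} else {
    Write-Warning "Loopback Replace is not the effective setting for $TargetOu."
}
```

The script reads link order only; it does not evaluate security filtering, WMI filters, or a GPO whose computer settings are disabled, so confirm the result on a device with `gpresult /r` when those are in use.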
Department-managed Group Policy
Department administrators can create GPOs via the Department GPO Tools (https://www.austin.utexas.edu/deptgpotools/) as well as directly via PowerShell or the Group Policy Management Console (GPMC). The settings and preferences in a GPO can be managed via the Group Policy editor or, where supported, via PowerShell. The GPOs must adhere to the Active Directory naming policy.
Domain-managed Group Policy
The Active Directory team creates and applies GPOs required for the operation of the domain and as required by security policy set by the Information Security Office (ISO). The Active Directory team also creates optional GPOs that implement common settings. These GPOs are available for departments to apply to their own OUs. The GPOs created and managed by the Active Directory team will have the AUSTIN prefix to identify them to department administrators. A selection of these GPOs is documented below.