# GPO (incomplete)

### What are Group Policy Objects (GPOs)?

***

A Group Policy Object (GPO) is a collection of rules and policy settings that lets administrators manage and configure the operating system, applications, and user or computer settings within a domain. A GPO is linked to a container, which can be a site, a domain or an OU, to target the users and computers inside it or the entire domain.

For example: if your organization has 50 users and you want to disable the USB ports so that no external device can be attached to the computers your users work on, you do not walk to each computer and change the setting by hand. Instead you create a GPO and link it to the site, domain or OU in which those 50 employees work. AD automatically enforces that GPO on every user in that site, domain or OU.

The enforcement happens through the Group Policy engine on each machine, which periodically pulls policy updates from the domain controllers, applies them and re-applies them (even if a user tries to change the setting locally).

{% hint style="info" %}
If you can modify a GPO, your changes will be continuously re-enforced, at every policy refresh, on each object within the container the GPO is linked to.
{% endhint %}

#### GPO linking and scopes

GPOs are not applied to arbitrary objects; they are linked to containers such as a site, a domain or an OU, and every object inside the container receives the policy automatically. A single object can receive multiple GPOs, so GPOs are applied in a fixed order, the LSDOU hierarchy, to resolve conflicts.

```
Local policy -> Site -> Domain -> OU (parent -> child)
```

* Local Policy - The settings stored directly on the individual Windows computer.
* [Site](/notes/active-directory/physical-structure-in-ad.md#site) - Policies linked here apply to every object in that physical location.
* [Domain](/notes/active-directory/logical-structure-in-ad.md#domain) - Policies linked here apply to every user and computer in the entire domain.
* [Organizational Unit (OU)](/notes/active-directory/ad-objects-and-ous.md#organizational-unit-ou) - Policies linked here are the most granular and specific.

Later-applied policies overwrite earlier ones by default: if two GPOs configure the same setting, the last one applied wins. That is why policies linked to a child OU override those linked to its parent OU, and OU-linked policies override domain-linked policies.

For example: if a domain-linked GPO disables PowerShell and an OU-linked GPO enables it, PowerShell ends up enabled (the OU wins).

{% hint style="info" %}
If you have write access to an OU-linked GPO, you can change the policy applied later in the chain by adding your own setting. For example, if PowerShell is disabled, you add an enable-PowerShell setting to that OU's GPO. Now even if the domain-linked GPO disables PowerShell, it gets overridden by the setting you applied at the OU.
{% endhint %}
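The precedence rules above, as an added example that is not part of these notes: a small Python simulator that applies GPO links in LSDOU order and reports which GPO won each setting. It reproduces the page's PowerShell scenario and then goes one step beyond the text by modelling the Enforced link option, which is the defender's counter to the override described in the hint: an enforced link is applied after every non-enforced one, and when two enforced links conflict the one linked higher in the hierarchy wins. GPO names, OU paths and settings are constructed for the example; link order within a single container is not modelled (ties keep their list order).

```python
"""LSDOU precedence simulator for Group Policy (added example, not from the page).

Containers are processed Local -> Site -> Domain -> OU (parent -> child) and
each later link overwrites earlier values, so the last GPO applied wins.
Beyond the page's text, the Enforced link option is modelled: enforced links
are applied after all non-enforced ones, and when two enforced links
conflict the one linked higher in the hierarchy wins.
"""
from dataclasses import dataclass

SCOPE_ORDER = ["Local", "Site", "Domain"]  # OUs follow, parent before child


@dataclass
class GpoLink:
    name: str              # display name of the linked GPO
    scope: str             # "Local", "Site", "Domain" or an OU path from the object's chain
    settings: dict         # setting name -> configured value
    enforced: bool = False # the "Enforced" (No Override) link option


def scope_rank(scope: str, ou_path: list) -> int:
    """Position of a container in processing order; a higher rank is applied later."""
    if scope in SCOPE_ORDER:
        return SCOPE_ORDER.index(scope)
    return len(SCOPE_ORDER) + ou_path.index(scope)


def resolve(links: list, ou_path: list) -> dict:
    """Return {setting: (winning_value, winning_gpo_name)} for an object whose
    OU chain, top-level OU first, is ou_path. Links to OUs outside the chain
    do not apply to the object and are ignored."""
    applicable = [l for l in links if l.scope in SCOPE_ORDER or l.scope in ou_path]
    normal = sorted((l for l in applicable if not l.enforced),
                    key=lambda l: scope_rank(l.scope, ou_path))
    # Enforced links run last; sorting by -rank puts the highest container at the end.
    enforced = sorted((l for l in applicable if l.enforced),
                      key=lambda l: -scope_rank(l.scope, ou_path))
    effective = {}
    for link in normal + enforced:
        for setting, value in link.settings.items():
            effective[setting] = (value, link.name)  # later write wins
    return effective


# Constructed sample links (names, OU paths and settings are made up).
OU_CHAIN = ["OU=Corp", "OU=Dev,OU=Corp"]
SITE_GPO = GpoLink("Site Defaults", "Site", {"USB storage": "Enabled", "Screen lock": "10 min"})
DOMAIN_GPO = GpoLink("Restrict PowerShell", "Domain", {"PowerShell": "Disabled"})
DEV_OU_GPO = GpoLink("Dev Tools", "OU=Dev,OU=Corp", {"PowerShell": "Enabled", "USB storage": "Disabled"})
HR_OU_GPO = GpoLink("HR Lockdown", "OU=HR,OU=Corp", {"PowerShell": "Disabled"})  # outside this chain


def page_example() -> dict:
    """The page's scenario: the OU-linked GPO overrides the domain-linked one."""
    return resolve([DOMAIN_GPO, DEV_OU_GPO, SITE_GPO, HR_OU_GPO], OU_CHAIN)


def enforced_example() -> dict:
    """Same links, but the domain link is Enforced, so it beats the OU link."""
    enforced_domain = GpoLink(DOMAIN_GPO.name, DOMAIN_GPO.scope, DOMAIN_GPO.settings, enforced=True)
    return resolve([enforced_domain, DEV_OU_GPO, SITE_GPO, HR_OU_GPO], OU_CHAIN)


if __name__ == "__main__":
    for label, result in (("default", page_example()), ("domain link enforced", enforced_example())):
        print(f"--- {label} ---")
        for setting, (value, gpo) in sorted(result.items()):
            print(f"{setting:12} = {value:9} (from {gpo})")
```

Running the script shows PowerShell enabled by "Dev Tools" in the default case and disabled by "Restrict PowerShell" once the domain link is enforced, while the unrelated "HR Lockdown" link never applies because the object is not in that OU.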

#### Computer vs User

A GPO has two halves of configuration:

* Computer Configuration - Applied at system boot and refreshed in the background (every 90 minutes by default, or as set in the GPO). It runs in the SYSTEM context, i.e. with high privilege, and affects the machine regardless of who logs in. \
  For example: startup scripts, system services, scheduled tasks or security policies.
* User Configuration - Applied at user logon and run in the user's context, so it follows the user across machines.\
  For example: logon scripts, desktop restrictions or registry settings under HKCU.

#### Components and storage of GPO

Every GPO is stored in two places:

* Group Policy Template (GPT) : Stored in the SYSVOL folder on the domain controllers; it contains the policy files, scripts and templates.
* Group Policy Container (GPC) : Stored in the domain partition of Active Directory; it holds metadata such as version, status and permissions.

These components are replicated to every domain controller: the GPC through AD replication, the GPT along with the rest of SYSVOL.
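The two halves and the two storage locations meet in the GPO version counter, which is a useful defender check. The following is an added example, not part of these notes: it parses a constructed GPT.INI (the file kept in the GPO's SYSVOL folder), decodes the packed version into its Computer and User halves, and compares it with the versionNumber attribute of the matching GPC object in AD. The path and DN in the comments use placeholders; the sample values are constructed. A mismatch between the two copies means SYSVOL and AD are out of sync, either replication lag or one side having been edited directly, which is worth alerting on.

```python
"""Cross-check a GPO's version in its two storage locations (added example, not from the page).

A GPO's version counter is held twice: in GPT.INI inside the GPO's folder in
SYSVOL (the GPT) and in the versionNumber attribute of the groupPolicyContainer
object in AD (the GPC). The 32-bit value packs the two halves of the GPO:
low 16 bits = Computer Configuration version, high 16 bits = User
Configuration version. The two copies should match.
"""
import configparser

# Constructed GPT.INI content, as found at
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\GPT.INI  (placeholders)
GPT_INI_SAMPLE = """[General]
Version=196610
displayName=Workstation Baseline
"""

# Constructed versionNumber values as read from the GPC object in AD
# (CN={<GPO GUID>},CN=Policies,CN=System,DC=<domain>)  (placeholders)
GPC_VERSION_IN_SYNC = 196610   # user 3, computer 2: same as GPT.INI
GPC_VERSION_STALE = 131074     # user 2, computer 2: user half lags behind


def split_version(version: int) -> tuple:
    """Return (computer_version, user_version) from a packed GPO version."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def parse_gpt_ini(text: str) -> dict:
    """Parse the [General] section of GPT.INI into {'version': int, 'displayName': str}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    general = parser["General"]
    return {"version": int(general["Version"]), "displayName": general.get("displayName", "")}


def check_gpo(gpt_ini_text: str, gpc_version: int) -> dict:
    """Compare the GPT and GPC copies of the version and report which half differs."""
    gpt = parse_gpt_ini(gpt_ini_text)
    gpt_computer, gpt_user = split_version(gpt["version"])
    gpc_computer, gpc_user = split_version(gpc_version)
    mismatched = []
    if gpt_computer != gpc_computer:
        mismatched.append("computer")
    if gpt_user != gpc_user:
        mismatched.append("user")
    return {
        "displayName": gpt["displayName"],
        "gpt": {"computer": gpt_computer, "user": gpt_user},
        "gpc": {"computer": gpc_computer, "user": gpc_user},
        "in_sync": not mismatched,
        "mismatched_halves": mismatched,
    }


if __name__ == "__main__":
    for gpc in (GPC_VERSION_IN_SYNC, GPC_VERSION_STALE):
        report = check_gpo(GPT_INI_SAMPLE, gpc)
        state = "in sync" if report["in_sync"] else f"MISMATCH in {report['mismatched_halves']}"
        print(f"{report['displayName']}: GPT {report['gpt']} vs GPC {report['gpc']} -> {state}")
```

In a live environment the GPT.INI text would be read from the SYSVOL share and the versionNumber from an LDAP query against the GPC object; the comparison logic stays the same.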

### SYSVOL

SYSVOL is a shared folder that exists on every domain controller and is replicated across all DCs automatically. It stores GPO files, logon scripts and policy templates. The contents of SYSVOL are replicated using either the File Replication Service (FRS) or Distributed File System Replication (DFSR).

Network clients access SYSVOL through two shares: SYSVOL and NETLOGON. It contains several subfolders, including those for Group Policy templates and scripts.

SYSVOL is readable by every domain user by default: no special privileges are needed, and any domain account can browse it.


