by Jason Zandri
Welcome to the fifth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed
at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. I was going
to discuss the Lightweight Directory Access Protocol (LDAP)
this week, but I had a few people write to me about Group
Policy so I thought I would write about Active Directory Group Policy
instead and delay my Lightweight Directory Access Protocol (LDAP)
article until next week.
Jason Zandri’s latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week series takes an in-depth look at Active Directory Group Policy.
There are two types of Group Policy
settings within Windows 2000 Active Directory: computer
configuration settings and user configuration settings.
There are also two types of scripts that are run at start up:
computer startup scripts and user logon scripts. The
following sections give an overview of how these
configuration settings are applied.
[NOTES FROM THE FIELD] – Much
of this information is an Exam Requirement for both the
70-217 AND the
70-219 exams. Some would argue it is more so for the 219
and I would agree, but you need to know both the Group
Policy Administration pieces of 70-217 and the Group Policy
Design requirements for 70-219 and much of this overlaps
both exams. I took both exams singly and saw it for myself.
Computer Configuration Settings and Startup Scripts Overview
Computer configuration settings
set specific policies on local systems and are applied
when the operating system initializes. They are the first
things applied to any system, because
the system needs to fully initialize before a user
can log on. The computer configuration settings apply
to everyone who logs on to that system. There may be user
configuration settings (which are applied next) that
override the computer configuration settings, but this does
not mean they were not applied to the local system, only that they were
overwritten by a subsequent user configuration setting or
Computer configuration settings are processed synchronously
(one after another, after another) by default, but this setting can be changed by the domain
administrator. These settings are processed in a specific
order. Local GPOs are first, then site GPOs, followed by
domain GPOs, and finally OU GPOs. There is not an option to log
on while the computer configuration settings are being
Any computer startup scripts that are set to run for the
system start after all of the GPOs are processed. These scripts are
also hidden from the user’s view and run synchronously by default.
This is important because each script must complete or time
out before the next one starts. If there are issues with any
one single script, this will delay the startup completion of
the system, as the default timeout period is set to 600
seconds (10 minutes). It is not recommended to change the
synchronous execution nature of the scripts, as one may have
a dependency on another, but it can be done at the
administrator’s discretion. The default timeout period of
600 seconds can be changed and often is.
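The processing order and the synchronous script timeout described above can be modeled in a few lines. This is an added example, not code from the article or from Microsoft. The GPO names, setting keys and script names are constructed, and it assumes the default rule that a setting applied later overwrites the same setting applied earlier.

```python
from dataclasses import dataclass, field

# Order the article gives for computer configuration: local, site, domain, OU.
ORDER = ("local", "site", "domain", "ou")
DEFAULT_SCRIPT_TIMEOUT = 600  # seconds (10 minutes), the default named in the article


@dataclass
class GPO:
    name: str
    level: str                                    # one of ORDER
    settings: dict = field(default_factory=dict)
    startup_scripts: list = field(default_factory=list)  # (script, runtime_s); None = hangs


def process_computer_policy(gpos):
    """Apply GPOs one after another in ORDER; a later GPO overwrites an earlier value."""
    effective, set_by, script_queue = {}, {}, []
    # sorted() is stable, so GPOs at the same level keep the order they were listed in.
    for gpo in sorted(gpos, key=lambda g: ORDER.index(g.level)):
        for key, value in gpo.settings.items():
            effective[key] = value
            set_by[key] = gpo.name
        script_queue.extend(gpo.startup_scripts)   # scripts start only after all GPOs
    return effective, set_by, script_queue


def startup_script_delay(script_queue, timeout=DEFAULT_SCRIPT_TIMEOUT):
    """Synchronous run: each script must finish or time out before the next starts."""
    return sum(timeout if runtime is None or runtime > timeout else runtime
               for _script, runtime in script_queue)


# Constructed sample data: GPO names, setting keys and script names are hypothetical.
SAMPLE_GPOS = [
    GPO("OU-Workstations", "ou", {"audit_logon": "success+failure"},
        [("patch_check.cmd", 45)]),
    GPO("Local", "local", {"audit_logon": "none", "logon_banner": "local text"}),
    GPO("Default-Domain", "domain", {"audit_logon": "failure"},
        [("inventory.cmd", 20), ("map_share.cmd", None)]),   # map_share.cmd hangs
    GPO("Site-HQ", "site", {"logon_banner": "HQ text"}),
]

if __name__ == "__main__":
    effective, set_by, queue = process_computer_policy(SAMPLE_GPOS)
    for key in sorted(effective):
        print(f"{key} = {effective[key]!r} (last set by {set_by[key]})")
    print("startup script delay, default timeout:", startup_script_delay(queue), "s")
    print("startup script delay, 120 s timeout: ", startup_script_delay(queue, 120), "s")
```

The `set_by` map shows which GPO last wrote each effective value, and the two delay figures show how much of the startup time a single hung script costs under the default timeout compared with a shorter one.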
[NOTES FROM THE FIELD] – In
the following section titled Group Policy Settings Processing
Order, I detail the full GPO processing as it follows
the GPO order and inheritance tree.