How would you apply a Group Policy object to an individual user or computer?

Types of GPOs

There are three types of GPOs: local, non-local and starter. 

• Local Group Policy Objects. A local Group Policy Objectrefers to the collection of group policy settings that only apply to the local computer and to the users who log on to that computer. Local GPOs are used when policy settings need to apply to a single Windows computer or user. Local GPOs exist by default on all Windows computers. 
• Non-local Group Policy Objects. A non-local group policy objectis used when policy settings have to apply to one or more Windows computers or users. Non-local GPOs apply to Windows computers or users once they’re linked to Active Directory objects, such as sites, domains or organizational units.
• Starter Group Policy Objects. Introduced in Windows Server 2008, starter GPOs are templates for Group Policy settings. These objects enable an administrator to create and have a pre-configured group of settings that represent a baseline for any future policy to be created.

Data Security and Group Policy Object

There are some Group Policy settings that can help secure a company’s network. For example, through Group Policy, an organization can run scripts, stop users from accessing certain resources and perform simple tasks, such as forcing a particular home page to open for every network user.

Some of these security measures include:

• Limiting access to Control Panel -- through Control Panel, a company can control all aspects of a computer. Limiting who has access to a computer enables organizations to keep data and other resources safe.
• Disabling Command Prompt -- A company can use Command Prompts to run commands that give high-level access to users and bypass other system restrictions. That’s why it’s prudent to disable Command Prompt to ensure the security of system resources. If a user tries to open a command window after Command Prompt has been disabled, the system will display a message indicating that some settings are preventing this.
• Prevent software installations -- if users are allowed to install software, they may install unwanted applications or malware that can compromise a company’s system. As such, it’s better to prevent software installations through Group Policy.

Benefits of Group Policy Objects

There are several benefits to implementing GPOs in addition to security, including:

• More efficient management -- GPOs already in place apply a standardized environment to all new users and computers that join an organization’s domain, saving time on setup.
• Ease of administration -- system administrators can deploy software, patches and other updates via GPO.
• Better password policy enforcement -- GPOs determine password length, reuse rules and establish other requirements for passwords to keep a company’s network safe.
• Configuring folder redirection -- GPOs enable companies to ensure users are keeping important company files on a centralized and monitored storage system. For instance, an organization can redirect a user’s Documents folder, which is usually stored on a local drive, to a network location.

Limitations of GPOs

The limitations of Group Policy Objects include:

• They run sequentially -- GPOs process actions one after another. Consequently, if many GPOs have to be configured, it can take a long time for users to log on.
• Flexibility is limited -- GPOs can only be applied to users or computers. So they’re limited when it comes to applying settings based on context.
• Limited triggers -- GPOs can only be applied at computer startup, when a user logs on or at set intervals. GPOs can’t react to changes in environment, such as network disconnect or reconnect.
• Difficult to maintain -- there’s no built-in search or filter option to find a specific setting within a GPO, making it difficult to find or fix issues with existing settings.
• No Version control -- changes made to GPO settings aren’t audited. So if an incorrect change is made, it’s impossible to tell what the change was or who made it.

Processing order of GPOs

The processing order of Group Policies effects what settings are applied to the computer or end-user. This processing order is known as LSDOU: local, site, domain, organization unit. First the local computer policy is processed, followed by Active Directory policies from site level to domain, then into OU (GPOs in nested organizational units apply from the OU closest to the root first, and continues from there). If there are any conflicts, the last applied policy will take effect.

How is group policy applied to user?

Which option allows an administrator to apply group policy to a specific user?