What's the difference between Local GRP, GRO, and MMC?

I'm having a hard time differentiating between the 3 and when to, and when not to use them. Could someone elaborate on this? Thanks.

Find more posts tagged with

Comments

Mishra

Group, ??, and MMC? Will you list which items are you wanting to know without abbreviations?

Rulkiewicz

Whoops, I mean:

MMC = Microsoft Management Console
LGPO = Local Group Policies Objects
GRO = Group Policy Objects

Through my studyies, it seems that there are many differenet policies that resides in with GPO's and MMC's. I just don't know when to use which, and for what policies and such.

sprkymrk

Rulkiewicz wrote:

Whoops, I mean:

MMC = Microsoft Management Console
LGPO = Local Group Policies Objects
GRO = Group Policy Objects

Through my studyies, it seems that there are many differenet policies that resides in with GPO's and MMC's. I just don't know when to use which, and for what policies and such.

The MMC is simply the interface through which you view Group Policies and other administrative tools. For example, IIS Manager uses an MMC, ADUC uses an MMC, even third party programs like Symantec use the MMC for their products on Windows environments. If you type MMC at the RUN start menu item, it will open an "empty" MMC to which you can add and remove snap ins.

Local Group Policy objects are simply Group Policy settings that are only applied to the local computer. They are not enforced through the domain, site or OU policies. These can be used for stand alone or workgroup computers. They are also used in a domain environment, but will only take effect if the same domain/site/OU policies are not configured. If for instance, there is no domain policy for the screen saver, but there is a Local Group Policy that says it will come on after 10 minutes, then it will work. If the Domain Group policy does specify something, say 15 minutes, then that will over ride the Local Group policy and the screen saver won't come on until 15 minutes of inactivity. The basic order that Group policy is applied in order from first to last is:

Local Group Policy
Site Group Policy
Domain Group Policy
OU Group Policy

The last Group Policy applied takes effect.

GRO should be GPO. It is simply a set of policies saved. You can configure a set of polices, save it as a GPO, and then apply that particular GPO to one or more sites, domains or OU's.

Rulkiewicz

So an OU GPO trumps all over policies?

sprkymrk

Rulkiewicz wrote:

So an OU GPO trumps all over policies?

In most cases yes. You can also have child OU's, which is an OU nested inside another OU.

I say "in most cases" because there is still a way for a Domain Administrator to make sure that policies he sets at the Domain Level will take effect all the way down. An admin can set the "No Override" setting on a GPO. This means that no down-level GPO's can override what the Domain Admin sets in these GPO's. So the "No Override" trumps all OU GPO's.

Special considerations are to be noted whenever trouble shooting or designing Group Policy:

1. The order of GPO processing which I listed above.
2. The "No Inheritance" setting.
3. The "No Override" setting.
4. And finally, the Domain Password Policy. There can be only 1, and it is set at the Domain Level. Any other GPO's that specify password policies only affect local machine user accounts, and not domain user accounts.

royal

Definitely good info Mark. One thing I'd like to add that changes the order of policies applied is the loopback policy. In the case of loopback policy being appied, Computer policy will override the user policy even though user policy is applied last.

sprkymrk

icroyal wrote:

One thing I'd like to add that changes the order of policies applied is the loopback policy. In the case of loopback policy being appied, Computer policy will override the user policy even though user policy is applied last.

That's a good point, and it can merge or replace.

"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

It's used for situations where you need to modify the user setting based on the computer that is being used. I use Loopback Processing for conference room computers where I do not want the screen saver kicking on in the middle of a presentation.