Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings are administrative configuration choices deployed to desktops and servers. Preference settings differ from policy settings because users retain the choice to alter the administrative configuration. Policy settings administratively enforce a setting, which restricts user choice.
The Group Policy service decides which GPOs apply to computers (there are many ways to filter GPOs from applying, which are beyond the scope of this introduction) and applies those policy settings. Client-side extensions (CSEs) are responsible for applying the policy settings contained in the GPOs. A Group Policy client-side extension is a separate component from the Group Policy service; it reads specific policy setting data from the GPO and applies it to the computer or user. For example, the Group Policy registry client-side extension reads registry policy setting data from each GPO and then applies that information to the registry. The security CSE reads and applies security policy settings. The Folder Redirection CSE reads and applies Folder Redirection policy settings.
Think of it as mail delivery: the Group Policy service is the postal carrier; it delivers the information without any knowledge of what the information contains. The information delivered by the postal carrier represents the different policy settings. The Group Policy client-side extension represents the person receiving the information. An address can have many recipients, and each recipient receives their own mail in an expected format. Likewise, each Group Policy client-side extension reads its respective policy setting information and performs actions based on the information contained in those policy settings.
Linking Group Policy objects to these Active Directory objects (sites, domains, and organizational units) is strategic in deploying Group Policy. These are container objects. Container objects, as the name implies, can include other objects within them; they represent a hierarchical grouping of objects in a directory. Site objects can contain computer objects from multiple domains. Domain objects can contain multiple organizational units, computers, and user objects. Organizational unit objects can contain other organizational unit objects, computers, and users. Let's look at the distinguished name again.
Group Policy has a specific order in which it applies Group Policy objects. Understanding the order in which Group Policy objects apply is important because Group Policy uses the order of application to resolve conflicting policy settings among different Group Policy objects linked to different locations within Active Directory.
Group Policy enables you to link multiple Group Policy objects at each site, domain, and organizational unit location in the directory. So far, conflict resolution has only covered policy settings that conflict between GPOs linked at two different locations in Active Directory. What about conflicting policy settings in Group Policy objects that are linked at the same location?
Disabling the link of a Group Policy object prevents the Group Policy service from including that GPO in the list of GPOs within scope of the targeted user or computer. The distinguishedNameOfGroupPolicyContainer and the linkOptions token are enclosed in square brackets ([ ]) and separated by a semicolon (;). This represents a single linked Group Policy object. Linking another Group Policy object to the location inserts a new distinguishedNameOfGroupPolicyContainer and linkOptions combination before the existing combination; it does not append the new combination to the end. The pattern continues: each newly linked GPO is inserted at the beginning of the value, moving the existing values to the right.
The Enforced link option is the exception to all rules. The Enforced option ensures that the settings from the linked GPO always win conflicts, regardless of any other Group Policy object that contains policy settings conflicting with those of the linked GPO. The GPMC visually represents an enforced Group Policy link by adding a padlock to the existing linked-policy icon. Group Policy settings from an enforced link always apply, even if the organizational unit has block policy inheritance enabled.
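The two preceding paragraphs describe the shape of the link value (bracketed distinguishedName;linkOptions pairs, newest first) and the disabled and enforced link states. The following parser, an added example and not code from the original page, reads such a value, decodes the link options, drops disabled links from scope, and prepends a new link the way the text describes. The flag values (1 = link disabled, 2 = enforced, so 3 = both) are the documented Windows values for the linkOptions token and are not stated on this page; the GUIDs and the DC=example,DC=com domain in the sample value are constructed.

```python
import re

# linkOptions bit flags (documented Windows values; an assumption relative to this page)
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

# One [distinguishedName;linkOptions] pair per linked GPO; a DN never contains ';' or ']'
_ENTRY = re.compile(r"\[([^;\]]+);(\d+)\]")


def parse_gplink(gplink):
    """Return one dict per linked GPO, in the order stored in the attribute value."""
    entries = []
    for dn, opts in _ENTRY.findall(gplink):
        flags = int(opts)
        entries.append({
            "dn": dn,
            "disabled": bool(flags & LINK_DISABLED),
            "enforced": bool(flags & LINK_ENFORCED),
        })
    return entries


def link_gpo(gplink, gpo_dn, enforced=False):
    """Link another GPO: the new pair goes at the front, existing pairs shift right."""
    flags = LINK_ENFORCED if enforced else 0
    return f"[{gpo_dn};{flags}]{gplink}"


def in_scope(gplink):
    """DNs the Group Policy service keeps in scope: disabled links are left out."""
    return [e["dn"] for e in parse_gplink(gplink) if not e["disabled"]]


# Constructed sample: two GPOs linked to one container, the second link disabled
SAMPLE = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=example,DC=com;1]"
)

if __name__ == "__main__":
    for entry in parse_gplink(SAMPLE):
        print(entry)
    print("in scope:", in_scope(SAMPLE))
```

Running the module prints the decoded entries for the constructed value and the single DN that survives the disabled-link filter; `link_gpo` returns the new attribute value rather than writing it anywhere, so the function can be used to preview a change before it is made in the directory.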
For example, policy settings linked to the domain apply to computers and users within the entire domain, regardless of their parent organizational unit. However, you can use GPMC to block inheritance on the domain or an organizational unit to prevent normal Group Policy settings from applying to users and computers within that container. Blocking policy inheritance on the domain prevents Group Policy settings from GPOs linked to the Active Directory site from applying to the domain. Blocking policy inheritance on an organizational unit prevents normal Group Policy settings from GPOs linked to sites and domains from applying to that organizational unit.
Block policy inheritance does not prevent Group Policy settings from enforced linked Group Policy objects from applying to users and computers. Group Policy settings from enforced links apply regardless of the block policy inheritance status on domain and organizational unit objects.
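The order of application, block inheritance, and enforced links described above combine into one precedence calculation. The following model, an added example rather than code from the original page, walks a site -> domain -> organizational unit chain, applies the rules the text states (later containers win, block inheritance removes the normal GPOs linked above the blocking container, enforced GPOs always apply and always win), and reports which GPO set each setting. The container and GPO names and setting values are constructed. One rule the model needs that the page does not state: when two enforced links conflict, the one linked nearer the top of the hierarchy wins; that is documented Windows behaviour and is marked as an assumption in the code.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # policy setting name -> value
    enforced: bool = False         # link marked Enforced (padlock in GPMC)


@dataclass
class Container:
    name: str                      # site, domain or organizational unit
    gpos: list = field(default_factory=list)   # linked GPOs, lowest precedence first (assumed input order)
    block_inheritance: bool = False


def processing_order(chain):
    """chain lists containers from the site down to the target's own OU.
    Returns GPOs in the order the client applies them; a GPO applied later wins a conflict."""
    normal = []
    for container in chain:
        if container.block_inheritance:
            # Block inheritance drops the normal (non-enforced) GPOs linked above this container
            normal = []
        normal.extend(g for g in container.gpos if not g.enforced)
    # Enforced links always apply and always win, so they are applied after every normal GPO.
    # Walking the chain bottom-up applies the enforced GPO nearest the site last; that an
    # enforced parent beats an enforced child is documented Windows behaviour, assumed here.
    enforced = []
    for container in reversed(chain):
        enforced.extend(g for g in container.gpos if g.enforced)
    return normal + enforced


def resolve(chain):
    """Fold every setting in processing order; returns setting -> (winning value, GPO that set it)."""
    result = {}
    for gpo in processing_order(chain):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def sample_chain(block_inheritance):
    """Constructed site -> domain -> OU chain for a workstation."""
    return [
        Container("Site-HQ", [GPO("Site-Baseline", {"ScreenSaverTimeout": 600})]),
        Container("example.com", [
            GPO("Domain-Security", {"MinPasswordLength": 14}, enforced=True),
            GPO("Domain-Default", {"ScreenSaverTimeout": 900, "Wallpaper": "corp.jpg"}),
        ]),
        Container("OU=Workstations",
                  [GPO("WS-Desktop", {"Wallpaper": "ws.jpg", "MinPasswordLength": 8})],
                  block_inheritance=block_inheritance),
    ]


if __name__ == "__main__":
    for blocked in (False, True):
        chain = sample_chain(blocked)
        print("block inheritance on OU:", blocked)
        print("  order:", [g.name for g in processing_order(chain)])
        print("  result:", resolve(chain))
```

With block inheritance on the OU, the site and domain baseline GPOs vanish from the order, yet the enforced Domain-Security GPO still wins MinPasswordLength over the OU's own GPO, which is exactly the exception the preceding paragraph describes.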
Group Policy Preferences enables you to deploy desired configurations to computers and users without preventing the user from choosing a different configuration. It is important to remember that, while the user can change the configuration, Group Policy Preferences are Group Policy client-side extensions. Group Policy Preferences refresh with Group Policy; therefore, Group Policy overwrites any preference setting altered by the user with the value configured in the Group Policy Preference item. Replacing a user-configured preference setting with one configured using Group Policy Preferences is not the same as enforcing it with Group Policy. A true Group Policy setting enforces the setting and restricts the user from changing it. Users can easily change preference values set by Group Policy Preferences until the next refresh of Group Policy, which returns the preference settings to the value configured in the Group Policy Preference item.
If the Stop processing items in this extension if an error occurs on this item option is selected, a failing preference item prevents remaining preference items within the extension from processing. This change in behavior is limited to the hosting Group Policy object (GPO) and client-side extension. It does not extend to other GPOs.
Group Policy provides filters to control which policy settings and preference items apply to users and computers. Preferences provide an added layer of filtering called targeting. Item-level targeting enables you to control whether a preference item applies to a given group of users or computers.
A Portable Computer targeting item allows a preference item to be applied to computers or users only if the processing computer is identified as a portable computer in its current hardware profile, or if the processing computer is identified as a portable computer with the docking state specified in the targeting item. When Is Not is selected, the preference item is applied only if the processing computer is not identified as a portable computer in its current hardware profile, or if the docking state of the processing computer differs from the docking state specified in the targeting item.
The Group Policy Preference extension uses the information about the changed and out-of-scope Group Policy objects to process its policy settings. Group Policy Preference client-side extensions process preference items in order from the top of the list to the bottom of the list.
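The last four paragraphs describe three behaviours of a preference client-side extension: items are processed top to bottom, each item may carry item-level targeting (the Portable Computer item with its optional docking state and Is Not inversion is the page's example), and an item with the Stop processing option halts the remaining items of that extension in that GPO when it fails. The following simulation is an added example and not code from the original page; the `Client` record, the `docked`/`undocked` labels, the item names, and the dictionary that stands in for the registry are all constructed, and the actions simply record what a real item would write.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Client:
    """Constructed view of the processing computer (what the CSE reads from the hardware profile)."""
    portable: bool          # identified as a portable computer in the current hardware profile
    docking_state: str      # "docked" or "undocked" (hypothetical labels)


def portable_targeting(docking_state=None, is_not=False):
    """Portable Computer targeting item. With no docking_state it matches any portable computer;
    with one it matches only a portable computer in that docking state. is_not inverts the test,
    so the item then applies to non-portables or to portables whose docking state differs."""
    def match(client):
        hit = client.portable and (docking_state is None or client.docking_state == docking_state)
        return (not hit) if is_not else hit
    return match


@dataclass
class PreferenceItem:
    name: str
    action: Callable[[dict], None]          # performs the item's work; raises on failure
    targeting: Optional[Callable] = None    # item-level targeting filter, if any
    stop_on_error: bool = False             # "Stop processing items in this extension if an error occurs on this item"


def process_extension(items, client, state):
    """Process one client-side extension's items from one GPO, top to bottom.
    state stands in for the registry or file system the items modify. Returns (item, status) pairs."""
    log = []
    for item in items:
        if item.targeting is not None and not item.targeting(client):
            log.append((item.name, "skipped: targeting"))
            continue
        try:
            item.action(state)
            log.append((item.name, "applied"))
        except Exception as exc:
            status = f"failed: {exc}"
            if item.stop_on_error:
                # Only this GPO's items in this extension stop; another GPO's items still process
                status += "; stopped remaining items in this extension"
            log.append((item.name, status))
            if item.stop_on_error:
                break
    return log


def _set(key, value):
    """Action that records a constructed registry-style write."""
    return lambda state: state.__setitem__(key, value)


def _fail(state):
    """Action standing in for an item whose target cannot be reached."""
    raise RuntimeError("target path not found")


def run_sample(client):
    """Constructed item list for one GPO's preference extension."""
    items = [
        PreferenceItem("DriveMap-H", _set("H:", r"\\fs\home")),
        PreferenceItem("Laptop-PowerPlan", _set("PowerPlan", "Balanced"), portable_targeting()),
        PreferenceItem("Printer-Docked", _set("Printer", "DockPrinter"), portable_targeting("docked")),
        PreferenceItem("Desktop-Only", _set("Wallpaper", "desk.jpg"), portable_targeting(is_not=True)),
        PreferenceItem("BadItem", _fail, stop_on_error=True),
        PreferenceItem("Shortcut", _set("Shortcut", "Portal")),
    ]
    state = {}
    return process_extension(items, client, state), state


if __name__ == "__main__":
    for client in (Client(True, "undocked"), Client(True, "docked"), Client(False, "undocked")):
        log, state = run_sample(client)
        print(client, log, state)
```

For an undocked laptop the docked-printer item and the Is Not item are skipped by targeting, the failing item stops the extension, and the shortcut item never runs; a desktop sees the inverse targeting outcome. The `state` returned alongside the log shows which writes actually happened, which is the view a troubleshooter wants when an item list silently stops partway.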
Until now I had been exclusively using Security Filtering to determine whether a GPO gets applied and to which groups, but now there is a new patch to Windows Server which stops my GPOs from applying unless I add Domain Computers to Security Filtering... (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10)
The next important point is that Azure Policies are assigned to everything inside the policy "scope", that is, a management group, a subscription or a resource group. You can exclude things from that scope: for example, apply the Policy to a management group of subscriptions but exclude particular subscriptions, or apply the Policy to a resource group and exclude particular resources. You cannot apply an Azure Policy to individual resources.
Policies can also have different effects, depending on whether you want to add a setting (append), change a setting (modify), audit whether something does or does not exist, deploy something if it does not exist, or deny something. This gives you a broad range of flexibility, from outright blocking the creation of or changes to some types of resources, to having visibility of configuration drift on the compliance dashboard, allowing you to then address each instance manually. For more information on policy effects and the order they are evaluated in, visit:
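The scope rules in the paragraph before last (assignment at a management group, subscription or resource group; exclusions of subscriptions or individual resources; no assignment to a single resource) can be checked with a small scope evaluator. The code below is an added example, not code from the original page or from Azure; it uses the real Azure resource ID layout and the real name of the assignment property that holds exclusions (`notScopes`), but the management-group tree, subscription names and resource IDs are constructed, since management-group membership cannot be read from a resource ID and would come from Azure Resource Manager in practice.

```python
import re

# Constructed management-group tree and subscription membership (would be looked up in ARM)
MG_PARENT = {"mg-root": None, "mg-prod": "mg-root", "mg-dev": "mg-root"}
SUBSCRIPTION_MG = {"sub-prod": "mg-prod", "sub-dev": "mg-dev"}

# A resource ID: subscription, optional resource group, optional provider path
_RESOURCE = re.compile(
    r"^/subscriptions/([^/]+)(?:/resourceGroups/([^/]+))?(?:/providers/.+)?$", re.IGNORECASE)
# The only scopes a policy can be assigned to
_ASSIGNABLE = re.compile(
    r"^(/providers/Microsoft\.Management/managementGroups/[^/]+"
    r"|/subscriptions/[^/]+(?:/resourceGroups/[^/]+)?)$", re.IGNORECASE)


def mg_scope(name):
    return f"/providers/Microsoft.Management/managementGroups/{name}"


def containing_scopes(resource_id):
    """Assignable scopes that contain resource_id, nearest first: resource group, subscription,
    then the management-group chain. Lower-cased because ARM IDs compare case-insensitively."""
    m = _RESOURCE.match(resource_id)
    if not m:
        raise ValueError(f"not a subscription-level resource ID: {resource_id}")
    sub, rg = m.group(1), m.group(2)
    scopes = []
    if rg:
        scopes.append(f"/subscriptions/{sub}/resourceGroups/{rg}")
    scopes.append(f"/subscriptions/{sub}")
    mg = SUBSCRIPTION_MG.get(sub)
    while mg:
        scopes.append(mg_scope(mg))
        mg = MG_PARENT.get(mg)
    return [s.lower() for s in scopes]


def in_scope(assignment_scope, not_scopes, resource_id):
    """True if a policy assigned at assignment_scope, with the given notScopes exclusions,
    applies to resource_id."""
    if not _ASSIGNABLE.match(assignment_scope):
        raise ValueError("Azure Policy is assigned to a management group, subscription "
                         "or resource group, never to an individual resource")
    scopes = containing_scopes(resource_id)
    if assignment_scope.lower() not in scopes:
        return False
    rid = resource_id.lower()
    # An exclusion hits if it names the resource itself or any scope that contains it
    return not any(n.lower() == rid or n.lower() in scopes for n in not_scopes)


if __name__ == "__main__":
    web = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stweb"
    dev = "/subscriptions/sub-dev/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdev"
    print(in_scope(mg_scope("mg-root"), ["/subscriptions/sub-dev"], web))   # root assignment, dev excluded
    print(in_scope(mg_scope("mg-root"), ["/subscriptions/sub-dev"], dev))
```

The evaluator answers the compliance question "will this assignment reach this resource?" for the three cases the text lists: a management-group assignment that excludes a subscription, a resource-group assignment that excludes one resource, and an attempt to assign at a single resource, which is rejected.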
This article primarily concerns Group Policy at the Active Directory level, which can apply across an organizational unit (OU) or an entire domain. However, there is another type of Group Policy, Local Group Policy. It offers many of the same options as AD Group Policy, but the settings affect only the local Windows workstation. You can create multiple local policies; for example, you can assign a different group of settings to each of the business users who might log on to the machine, and yet another group of settings to machine administrators.
The first level under both the User and the Computer nodes contains Software Settings, Windows Settings and Administrative Templates. However, within those divisions, there are differences. For instance, the Administrative Templates section of the Computer node includes Printers but that section of the User node does not; its options include Shared Folders, Desktop, Start Menu and Taskbar.