
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls
the working environment of user accounts and computer accounts. Group Policy is an infrastructure
that allows administrators to implement specific configurations for users and computers. Group Policy
provides centralized management and configuration of operating systems, applications, and users'
settings in an Active Directory environment.
GPO scope means the objects (users, computers, OUs) to which a GPO applies.
A GPO can be linked to multiple sites or OUs.
A GPO is applied:
Computers
1. at start-up
2. every 90-120 minutes
3. when the gpupdate command is run
Users
1. at login
2. every 90-120 minutes
3. when the gpupdate command is run
Group Policy Objects are processed in the following order (from top to bottom):[4]
1. Local - Any settings in the computer's local policy. Prior to Windows Vista, there was only
one local group policy stored per computer. Windows Vista and later Windows versions
allow individual group policies per user accounts.[5]
2. Site - Any Group Policies associated with the Active Directory site in which the computer
resides. (An Active Directory site is a logical grouping of computers, intended to facilitate
management of those computers based on their physical proximity.) If multiple policies are
linked to a site, they are processed in the order set by the administrator.
3. Domain - Any Group Policies associated with the Windows domain in which the computer
resides. If multiple policies are linked to a domain, they are processed in the order set by the
administrator.
4. Organizational Unit - Group policies assigned to the Active Directory organizational unit
(OU) in which the computer or user is placed. (OUs are logical units that help organize
and manage a group of users, computers or other Active Directory objects.) If multiple
policies are linked to an OU, they are processed in the order set by the administrator.

Administrators can use Computer Configuration to set policies that are applied to a computer,
regardless of who logs on to the computer.

The Default Domain Policy applies to all objects in the domain.

The Default Domain Controllers Policy applies only to the domain controllers.

The User Configuration can be used to set policies that apply to users, regardless of which
computer they log on to.

The group policy settings that you see in the editor are contained in a so-called Group Policy Object
(GPO). These objects are in turn associated with selected Active Directory containers, such as sites,
domains, or organizational units (OUs).
You can use the Group Policy Editor to define policies in the following areas:
Registry-based policies...
Registry-based policies include group policies related to the Windows XP operating system and its
components. Registry-based policies also include group policies for programs. You would use the
Administrative Templates node that you can find in the left pane of the Group Policy snap-in to do
this type of configuration.
Security options...
Security options include configuration settings for local computer, domain, and also network
security settings, such as automatic proxies, default gateways, and others.
Software installation and maintenance options...
Group policy can also be used to centrally manage program installation, updates, and removal. This
is a very important feature which helps large corporations to save millions of dollars in installation
and maintenance costs.
Scripts options...
Group policies related to scripts options include scripts for computer startup and shutdown, and user
logon and logoff.
Folder redirection options...
Folder redirection policies allow administrators to redirect users' folders to network folders.

Right-click the Organizational Unit (OU) you just created and select Create a GPO in this domain,
and Link it here.

In the New GPO prompt, enter a descriptive name for the new GPO and then click OK.

To start editing the GPO, right-click its name and select Edit.

This opens the Group Policy Management Editor for this GPO (these settings will apply only to
users and computers moved to this OU).

Navigate to Computer Configuration > Windows Settings > Security Settings > Local
Policies > Security Options > Interactive logon > Message text/title for users attempting to
log on. For both settings, select Define this policy setting, enter some text, and click OK.

Navigate to User Configuration > Policies > Administrative Templates > Control Panel >
Prohibit access to Control Panel and PC settings, double-click it and select Enabled.

You can configure all sorts of security settings for the users and computers in this
Organizational Unit.

Check the Windows machines joined to this domain to see the effect.
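The GPO creation, OU link and Control Panel setting from the steps above, scripted with the GroupPolicy PowerShell module so the change is repeatable and can be checked afterwards. This is an added example, not part of the original page; the GPO name, OU distinguished name and report path are assumed placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example. Run from a domain-joined admin workstation with GPMC/RSAT installed.
# Assumed placeholders (not from the page): change them to match your domain.
$GpoName = 'OU Lockdown (example)'
$OuDn    = 'OU=ExampleOU,DC=example,DC=test'
$Report  = Join-Path $env:TEMP 'ou-lockdown-gpo.html'

Import-Module GroupPolicy

# 1. Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Created by script; restricts Control Panel'
}

# 2. Link it to the OU unless a link is already present.
$directLinks = (Get-GPInheritance -Target $OuDn).GpoLinks
if ($directLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 3. User Configuration > Administrative Templates > Control Panel >
#    "Prohibit access to Control Panel and PC settings" = Enabled.
#    This template is backed by the NoControlPanel registry value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# The interactive logon message is a Security Option kept in the GPO's security
# template, which Set-GPRegistryValue does not write, so it stays an editor step.

# 4. Show what will actually reach objects in the OU, in precedence order.
#    Order 1 is processed last and therefore wins on conflicting settings.
(Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 5. Keep a report of the GPO's settings for change review.
Get-GPOReport -Name $GpoName -ReportType Html -Path $Report
Write-Host "Settings report written to $Report"

# On a client in the OU, refresh and confirm the GPO is listed as applied:
#   gpupdate /force
#   gpresult /r
```

A GPO from a site, the domain or a parent OU that appears above this one in the step 4 output, or that is marked Enforced, can override the setting, which is the first thing to check when a client does not show the expected result.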
