GPO vs AD

Bruinator    31

Hi,

 

I am wondering if a person could accomplish the same thing in Group Policy and Active Directory? If so, why and why not.

 

thx

sc302    1,666

Your question does not make sense.  

 

AD is a database that gives the ability to centrally manage users and computers.  This allows you to create rules via Group Policy Objects and distribute them to users and/or computers that exist on the domain.  In earlier versions of Active Directory the group policy objects were created directly in Active Directory Users and Computers.  In 2003 R2, Microsoft has changed that to only be controlled through the Group Policy Management Console; this is how GPOs are currently managed.

 

That being said, your title "AD vs GPO" and your question "I am wondering if a person could accomplish the same thing in Group policy and Active directory?" do not make sense, as they are part of each other and cannot be separated... you could choose to not use GPOs but you cannot uninstall the function of GPOs from Active Directory.

Bruinator    31

Ok, what is the difference of gpedit.msc on a win10 pc vs AD users and computers? I hope I am asking the question correctly.

rfirth    740
19 minutes ago, Bruinator said:

Ok, what is the difference of gpedit.msc on a win10 pc vs AD users and computers? I hope I am asking the question correctly.

gpedit.msc is local group policy, and AD allows you to set group policy for sets of users and/or computers.

 

Do you need to manage a single computer, or an entire network of computers?

Daedroth    483

Active Directory and Group Policy are two very different products to serve very different purposes.

 

Active Directory Users and Computers - This is where you create and manage your user and computer accounts, as well as security groups and such.

 

Group Policy - This is where you create rules/restrictions for users or computers. You assign a GPO to a specific OU within Active Directory so that it affects all objects within that OU.

sc302    1,666
24 minutes ago, rfirth said:

gpedit.msc is local group policy, and AD allows you to set group policy for sets of users and/or computers.

 

Do you need to manage a single computer, or an entire network of computers?

Gpedit.msc brings up the local group policy of the machine.  

 

Group policy management console brings up the domain administered group policies. You can create and assign group policies to users, computers, and/or OUs.  AD group policies take precedence and override local group policies. This allows you to push similar policies to multiple computer and user objects and/or groups that contain computer objects and/or user objects. 
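
The precedence described in the post above, as an added example that is not part of the original thread: a small PowerShell model of how settings from several scopes collapse into one effective value. It goes slightly beyond the post by using the full Local, Site, Domain, OU processing order; the setting names, values and GPO names are constructed for illustration.

```powershell
# Constructed sample data: setting names, values and sources are made up.
# "Local" stands for what gpedit.msc edits; "Domain"/"OU" for GPOs linked in AD.
$AppliedPolicies = @(
    [pscustomobject]@{ Scope = 'Local';  Source = 'gpedit.msc on PC01';      Setting = 'FirewallEnabled';      Value = $false }
    [pscustomobject]@{ Scope = 'Local';  Source = 'gpedit.msc on PC01';      Setting = 'ScreenLockTimeoutSec'; Value = 1800 }
    [pscustomobject]@{ Scope = 'Local';  Source = 'gpedit.msc on PC01';      Setting = 'HideControlPanel';     Value = $true }
    [pscustomobject]@{ Scope = 'Domain'; Source = 'GPO "Baseline" (domain)'; Setting = 'FirewallEnabled';      Value = $true }
    [pscustomobject]@{ Scope = 'OU';     Source = 'GPO "Workstations" (OU)'; Setting = 'ScreenLockTimeoutSec'; Value = 600 }
)

function Resolve-EffectivePolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        # Processing order: each later scope overwrites the earlier ones.
        # Enforced links and Block Inheritance are not modeled here.
        [string[]] $Order = @('Local', 'Site', 'Domain', 'OU')
    )
    $effective = @{}
    foreach ($scope in $Order) {
        foreach ($p in ($Policies | Where-Object { $_.Scope -eq $scope })) {
            # Remember what was in place before this scope wrote its value.
            $overridden = $effective[$p.Setting]
            $effective[$p.Setting] = [pscustomobject]@{
                Setting   = $p.Setting
                Value     = $p.Value
                WonBy     = $p.Source
                Overrides = if ($overridden) { $overridden.WonBy } else { '-' }
            }
        }
    }
    # One row per setting: the value that survives and the source it replaced.
    $effective.Values | Sort-Object Setting
}

# The domain and OU GPOs replace the local firewall and screen-lock values;
# HideControlPanel stays local because no domain GPO configures it.
Resolve-EffectivePolicy -Policies $AppliedPolicies | Format-Table -AutoSize
```

On a domain-joined machine, `gpresult /r` lists the GPOs that were actually applied to the computer and the signed-in user.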

Bruinator    31
42 minutes ago, rfirth said:

gpedit.msc is local group policy, and AD allows you to set group policy for sets of users and/or computers.

 

Do you need to manage a single computer, or an entire network of computers?

Oh, that explains it very well and simply. TYVM, and you as well sc302.

sc302    1,666
18 minutes ago, Daedroth said:

Active Directory and Group Policy are two very different products to serve very different purposes.

 

Active Directory Users and Computers - This is where you create and manage your user and computer accounts, as well as security groups and such.

 

Group Policy - This is where you create rules/restrictions for users or computers. You assign a GPO to a specific OU within Active Directory so that it affects all objects within that OU.

If you did not understand what I wrote, I fully understand why this comment exists. 

 

Just so that we are clear, AD group policy management is as much a part of Active Directory as DNS, Active Directory sites and trusts, as is the Active Directory schema. While they serve different purposes they are part of Active Directory as a whole.  With the exception of DNS they cannot be uninstalled or installed separately. 

 

By default, there is a default group policy that gets implemented and a domain server group policy that gets implemented at the install of Active Directory.   Again, cannot be uninstalled, optioned out of, or installed separately. It is part of an Active Directory install regardless of what it specifically can or cannot do. 

 

And so we are very clear, Windows 2000 AD group policy management was done within Active Directory Users and Computers. The “Group Policy Management Console” was not an invention until Windows Server 2003 R2 Active Directory, which allowed more fine-tuned management outside of Active Directory Users and Computers of Windows 2000 Server Active Directory.  You can try to Google if you want to prove this (I am going off experienced memory, not a Google search). 

Daedroth    483
3 minutes ago, sc302 said:

If you did not understand what I wrote, I fully understand why this comment exists. 

 

Just so that we are clear, AD group policy management is as much a part of Active Directory as DNS, Active Directory sites and trusts, as is the Active Directory schema. While they serve different purposes they are part of Active Directory as a whole.  With the exception of DNS they cannot be uninstalled or installed separately. 

 

By default, there is a default group policy that gets implemented and a domain server group policy that gets implemented at the install of Active Directory.   Again, cannot be uninstalled, optioned out of, or installed separately. It is part of an Active Directory install regardless of what it specifically can or cannot do. 

 

And so we are very clear, Windows 2000 AD group policy management was done within Active Directory Users and Computers. The “Group Policy Management Console” was not an invention until Windows Server 2003 R2 Active Directory, which allowed more fine-tuned management outside of Active Directory Users and Computers of Windows 2000 Server Active Directory.  You can try to Google if you want to prove this (I am going off experienced memory, not a Google search). 

Yeah, I just thought with the question as it was, I didn't want to over-explain the response.

Bruinator    31

Ok, thx to all.
