Local Group Policy is great and is a wonderful way to test new settings and to poke around and find out what kind of restrictions you can put into place on your workstations, but running the Local Group Policy Editor on every workstation in your environment and configuring all of the same settings sounds like an administrative nightmare. How do we overcome the centralized administration challenge? This is where we up-shift and start talking about Active Directory Group Policy.
Active Directory Group Policy takes all of these local policy settings and makes them available anywhere inside your domain. The interface for editing policies and settings is almost exactly the same as the local policy editor, but an additional layer of technology is introduced by being integrated with Active Directory. Inside AD-based Group Policy, you have the ability to create a policy (or hundreds of different policies) and quite easily choose which users and/or which computers that those policies apply to. In an organization that is making good use of Group Policy, it is very normal to see dozens of different Group Policy Objects (GPOs) that are being assigned to all sorts of different users, computers, or groups of users or computers. AD Group Policy stores its information on your Domain Controller servers, which is an incredibly nice aspect from an IT perspective because it means you don't need additional servers or infrastructure to utilize Group Policy.
For the rest of this book, we will be focusing on using Group Policy within an Active Directory domain environment.