Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista

  • 3/5/2008

New Group Policy Service

One of the major changes that came with Windows Vista, and is now being leveraged in Windows Server 2008, is a new Group Policy service. Earlier operating systems used the WinLogon service to run Group Policy. There were no inherent problems with using WinLogon, but there are significant benefits to using a separate service to control Group Policy. Considering the emphasis that Microsoft is placing on Group Policy, with advanced technologies being included in Group Policy and new management tools, the move to a separate service was not surprising.

The new Group Policy service improves the overall stability of the Group Policy infrastructure and computer by completely isolating it from WinLogon. The Group Policy service uses a completely new architecture for performing notifications and processing Group Policy. Not only does the Group Policy service change the architecture, it also adds these benefits:

  • New Group Policy–related files can be delivered to computers administering GPOs and computers consuming GPO settings without requiring a restart of the operating system.

  • Group Policy application is more efficient because fewer resources are required for background processing.

  • Less memory is used for Group Policy on computers consuming GPO settings, increasing performance and eliminating the need to load Group Policy in multiple services.

  • The Group Policy service is started automatically and cannot be disabled, which creates a more stable environment.

To find the service in the list of running services, look for gpsvc, as shown in Figure 4-1.

Figure 4-1 The new Group Policy service runs as gpsvc and can be seen in a list of running services on a computer running Windows Vista or Windows Server 2008.
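
The same lookup can be scripted. The following is an added example, not part of the original text: it queries the gpsvc service through WMI and reports whether it is running and set to start automatically. The function name Test-GpsvcState is hypothetical, and the script assumes Windows PowerShell is installed.

```powershell
# Added example for Windows PowerShell (Get-WmiObject is not in PowerShell 7+).
# Test-GpsvcState is a hypothetical helper name, not a built-in cmdlet.
function Test-GpsvcState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $svc = $null
        $finding = 'OK'
        try {
            # Win32_Service reports State, StartMode and the hosting process ID.
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='gpsvc'" `
                -ComputerName $computer -ErrorAction Stop
        }
        catch {
            $finding = "Query failed: $($_.Exception.Message)"
        }

        $state = $null; $startMode = $null; $hostPid = $null
        if ($svc) {
            $state     = $svc.State
            $startMode = $svc.StartMode
            $hostPid   = $svc.ProcessId
            if ($state -ne 'Running') {
                $finding = "Service is not running (State=$state)"
            }
            elseif ($startMode -ne 'Auto') {
                # The text says the service starts automatically.
                $finding = "Start mode is not automatic (StartMode=$startMode)"
            }
        }
        elseif ($finding -eq 'OK') {
            # Earlier operating systems ran Group Policy inside WinLogon,
            # so a query there returns no separate gpsvc service.
            $finding = 'No gpsvc service found'
        }

        New-Object PSObject -Property @{
            ComputerName = $computer
            State        = $state
            StartMode    = $startMode
            ProcessId    = $hostPid
            Finding      = $finding
        }
    }
}

# Check the local computer; pass -ComputerName with a list to check others.
Test-GpsvcState | Format-List ComputerName, State, StartMode, ProcessId, Finding
```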