Home > Sample chapters > Servers > Windows Server

Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista

Architectural Parts of a GPO

A GPO is not as straightforward as you might think. The GPO is made up of two independent parts. These parts are not stored in the same location, they do not have the same structure, and they do not store the same information. If you were to look at the two parts separately, it would be hard to tell that they are related through Group Policy. However, they both perform very important duties for Group Policy and the storage of policy settings.

The first component is the GPT, which is responsible for storing the settings that are made in the GPO. The structure of the GPT can be very complex, because it is a dynamic set of folders and files. The information stored in the files is delivered to the target computers during Group Policy processing.

The second component is the Group Policy container (GPC). The GPC is the “glue” that ensures that all references, paths, network locations, Active Directory objects and paths, and so on are accounted for and correct. The contents of the GPC are usually limited or blank. The details for the GPC are in the Active Directory properties that are associated with each GPC.

Group Policy Template

The Group Policy template (GPT) is the portion of the GPO that is stored in the SYSVOL folder on the domain controllers. The GPT is not a single file or folder, but rather a suite of folders and files that are used to store and maintain the settings that are established in a GPO. The GPT is very dynamic, yet very simple.

Each GPO has a unique GPT where the files are stored. The GPT is kept unique between GPOs by its GUID (globally unique identifier). When a GPO is initially created, a new folder is created under the %windir%\SYSVOL\sysvol\<domainname>\Policies folder. This new folder is named the same as the GPO’s GUID, as you can see in Figure 4-5.

Figure 4-5

Figure 4-5 All Group Policy templates are stored in a unique folder named after the GPO’s GUID; they are all stored in the SYSVOL\Policies folder on each domain controller.

During the creation of the GPT main folder, additional folders and files are created under this root folder. These folders and files include:

  • Group Policy folder Holds the GPE.ini file. The GPE.ini file tracks the GUIDs for the CSEs that are referenced in the GPO. As settings within the GPO are added or removed, the associated GUID for the CSE controlling the setting is added or removed from this file.

  • Machine folder Stores all GPO settings that are configured under the Computer Configuration node in the GPO.

  • User folder Stores all GPO settings that are configured under the User Configuration node in the GPO.

  • Gpt.ini file Tracks the GPO version number. The version number changes each time the GPO is modified.

Figure 4-6 illustrates the default folders and files that exist in the GPT.

As settings are created in the GPO, additional folders and files are created in the appropriate folder, depending on whether a Computer Configuration setting or a User Configuration setting is made.

Figure 4-6

Figure 4-6 Newly created GPOs have only two default folders and one default file that make up the GPT in SYSVOL.

Not all settings create the same type of files. The different portions of the GPO make up the different client-side extensions supported in the GPO. When a setting is made for each client-side extension, the file in which it is stored within the GPT is also different. Table 4-1 shows the client-side extension in addition to the files used within the GPT for that extension. For more information about client-side extensions, refer to the section later in this chapter on the topic.

Table 4-1. Group Policy Template Files

Client-Side Extension

Folder Structure in GPT

File Name and Extension in GPT

Software Installation

Machine\Applications

User\Applications

<GUID>.aas

Scripts

Machine\Scripts\Startup

Machine\Scripts\Shutdown

User\Scripts\Logon

User\Scripts\Logoff

Varies (typically with .vbs, .bat, .cmd, .exe extension)

Security

Machine\Microsoft\Windows NT\SecEdit

GptTmpl.inf

Windows Firewall and Advanced Security

Machine

Registry.pol

Public Key Policies

Machine

User

Registry.pol

Software Restriction Policy

Machine

User

Registry.pol

Network Access Protection

Machine

Registry.pol

Policy Based QoS

Machine

User

Registry.pol

Registry

Machine

Registry.pol

Remote Installation Services

Microsoft\RemoteInstall

Oscfilter.ini

Folder Redirection

User\Documents & Settings

Fdeploy1.ini

Internet Explorer Maintenance

User\Microsoft\IEAK

Various folders and files

Group Policy Environment

Machine\Preferences\EnvironmentVariables

User\Preferences\EnvironmentVariables

EnvironmentVariables.xml

Group Policy Data Sources

Machine\Preferences\DataSources

User\Preferences\DataSources

DataSources.xml

Group Policy Devices

Machine\Preferences\Devices

User\Preferences\Devices

Devices.xml

Group Policy Files

Machine\Preferences\Files

User\Preferences\Files

Files.xml

Group Policy Folder Options

Machine\Preferences\Options

User\Preferences\Options

Options.xml

Group Policy Folders

Machine\Preferences\Folders

User\Preferences\Folders

Folders.xml

Group Policy Local Users and Groups

Machine\Preferences\Groups

User\Preferences\Groups

Groups.xml

Group Policy Ini Files

Machine\Preferences\IniFiles

User\Preferences\IniFiles

IniFiles.xml

Group Policy Network Options

Machine\Preferences\NetworkOptions

User\Preferences\NetworkOptions

NetworkOptions.xml

Group Policy Network Shares

Machine\Preferences\NetworkShares

User\Preferences\NetworkShares

NetworkShares.xml

Group Policy Power Options

Machine\Preferences\PowerOptions

User\Preferences\PowerOptions

PowerOptions.xml

Group Policy Printers

Machine\Preferences\Printers

User\Preferences\Printers

Printers.xml

Group Policy Registry

Machine\Preferences\Registry

User\Preferences\Registry

Registry.xml

Group Policy Scheduled Tasks

Machine\Preferences\ScheduledTasks

User\Preferences\ScheduledTasks

ScheduledTasks.xml

Group Policy Services

Machine\Preferences\Services

User\Preferences\Services

Services.xml

Group Policy Shortcuts

Machine\Preferences\Shortcuts

User\Preferences\Shortcuts

Shortcuts.xml

Group Policy Applications

User\ Preferences\Applications

Applications.xml

Group Policy Drive Maps

User\ Preferences\Drives

Drives.xml

Group Policy Internet Settings

User\ Preferences\InternetSettings

InternetSettings.xml

Group Policy Regional Options

User\ Preferences\RegionalOptions

RegionalOptions.xml

Group Policy Start Menu

User\ Preferences\StartMenuTaskbar

StartMenuTaskbar.xml

Figure 4-7 illustrates what a complex set of GPO settings might look like through the files and folders that are created in the GPT.

Figure 4-7

Figure 4-7 When a GPO has many settings configured in different areas of the GPO, folders and files may be created in the GPT.

As you can see, the GPT is responsible for housing all of the raw settings that are made in a GPO. Each setting is stored in a unique file structure, which correlates with the client-side extension under which it is categorized. The files that are stored in the GPT are delivered to the target computer during Group Policy processing.

Group Policy Container

The Group Policy container (GPC) is the portion of the GPO that is stored in Active Directory. The subfolder format of the GPC is similar to that of the GPT, but the GPC is radically different in content and overall use. The GPC has a suite of Active Directory properties associated with it, giving it the same feel as a typical Active Directory object, such as a user or computer object.

The GPC is also similar to the GPT, in the way in which it is tracked in the system; the GPC is also named after the GPO’s GUID. You can find the GPC by using one of many tools that display the Active Directory objects. By using Active Directory Users and Computers, you can access the full list of GPCs by following these steps:

  1. In Active Directory Users and Computers, expand the domain node.

  2. Expand the System node.

  3. Expand the Policies node to expose the list of GUIDs that represent the GPCs, as shown in Figure 4-8.

    Figure 4-8

    Figure 4-8 All GPCs are stored in Active Directory under the GPO’s GUID, allowing the system to keep each GPO unique and distinguishable.

During the creation of the GPC, two main folders are created: Machine and User. These folders are empty by default; you can see nothing from the Active Directory Users and Computers interface with regard to the GPC. However, if you create some policy settings, you can see some folders and content within the Active Directory Users and Computers. Table 4-2 lists the folders and files associated with the policies that update the GPC.

Table 4-2. GPC Files

Client-Side Extension

Folder Structure in GPC

File Name and Extension in GPC

Software Installation

Machine\Class Store\Packages

<GUID>, which is a packageRegistration object

User\Class Store\Packages

IP Security

Machine\Microsoft\Windows

IPSEC, which is an ipsecPolicy object

Wireless Network (IEEE 802.3) Policies

Machine\Microsoft\Windows\IEEE8023

<policyname>, which is a ms-net-ieee-8023-GroupPolicy object

Wireless Network (IEEE 802.11) Policies

Machine\Microsoft\Windows\Wireless

<policyname>, which is a msieee80211-Policy object

If you want to see details of the GPC, you can use Active Directory Users and Computers or an LDAP tool, such as ADSIEdit, which allows you to see the properties associated with the GPC. These properties help Active Directory and Group Policy apply the appropriate settings and point to the correct GPT and any other network location that might be configured within the GPO. Table 4-3 shows the default properties associated with the GPC.

Table 4-3. GPC Active Directory Properties

Property

Default Value

adminDescription

<not set>

adminDisplayName

<not set>

cn

(GUID of GPO)

defaultClassStore

<not set>

description

<not set>

displayName

(Name of GPO)

displayNamePrintable

<not set>

distinguishedName

CN={GUID of GPO}

dSASignature

<not set>

dSCorePropagationData

0x0 = ( )

extensionName

<not set>

flags

0

fSMORoleOwner

<not set>

gPCFileSysPath

\\<domainname>\SysVol\<domainname>\Policies

gPCFunctionalityVersion

2

gPCMachineExtensionNames

<not set>

gPCUserExtensionNames

<not set>

gPCWQLFilter

<not set>

instanceType

0x4 = (WRITE)

isCriticalSystemObject

<not set>

isDeleted

<not set>

lastKnownParent

<not set>

mS-DS-ConsistencyChildCount

<not set>

mS-DS-ConsistencyGuid

<not set>

msDS-NcType

<not set>

msDS-ObjectReference

<not set>

Name

(GUID of GPO)

objectCategory

CN=Group-Policy-Container,CN=Schema,

CN=Configuration,

DC=<domainname>,

DC=<domain name extention>

objectClass

Top;container;groupPolicyContainer

objectGUID

GUID of GPO

objectVersion

<not set>

otherWellKnownObjects

<not set>

partialAttributeDeletionList

<not set>

partialAttributeSet

<not set>

proxiedObjectName

<not set>

proxyAddresses

<not set>

replPropertyMetaData

<Octet string table>

replUpToDateVector

<not set>

repsFrom

<not set>

repsTo

<not set>

revision

<not set>

schemaVersion

<not set>

showinAdvancedViewOnly

TRUE

subRefs

<not set>

systemFlags

<not set>

url

<not set>

uSNChanged

Dynamic numeric variable

uSNCreated

Dynamic numeric variable

uSNDSALastObjRemoved

<not set>

USNIntersite

<not set>

uSNLastObjRem

<not set>

uSNSource

<not set>

versionNumber

0

wbemPath

<not set>

wellKnownObjects

<not set>

whenChanged

Date of change

whenCreated

Date of creation

wWWHomePage

<not set>

Figure 4-9 shows what the GPC looks like when viewed with ADSIEdit.

The GPC is not responsible for storing the settings that are in the GPO”that is the job of the GPT. The GPC ensures that all network links, resources, and paths are correct and tracked. When Group Policy processing occurs, the GPC properties are used to find all of the pertinent information for the GPT, software installation nodes, and so on.

Figure 4-9

Figure 4-9 Each GPO is represented with a GPC, which in turn has a suite of Active Directory object properties that store information about the GPO resources.