Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista
- 3/5/2008
Architectural Parts of a GPO
A GPO is not as straightforward as you might think. The GPO is made up of two independent parts. These parts are not stored in the same location, they do not have the same structure, and they do not store the same information. If you were to look at the two parts separately, it would be hard to tell that they are related through Group Policy. However, they both perform very important duties for Group Policy and the storage of policy settings.
The first component is the GPT, which is responsible for storing the settings that are made in the GPO. The structure of the GPT can be very complex, because it is a dynamic set of folders and files. The information stored in the files is delivered to the target computers during Group Policy processing.
The second component is the Group Policy container (GPC). The GPC is the “glue” that ensures that all references, paths, network locations, Active Directory objects and paths, and so on are accounted for and correct. The contents of the GPC are usually limited or blank. The details for the GPC are in the Active Directory properties that are associated with each GPC.
Group Policy Template
The Group Policy template (GPT) is the portion of the GPO that is stored in the SYSVOL folder on the domain controllers. The GPT is not a single file or folder, but rather a suite of folders and files that are used to store and maintain the settings that are established in a GPO. The GPT is very dynamic, yet very simple.
Each GPO has a unique GPT where the files are stored. The GPT is kept unique between GPOs by its GUID (globally unique identifier). When a GPO is initially created, a new folder is created under the %windir%\SYSVOL\sysvol\<domainname>\Policies folder. This new folder is named the same as the GPO’s GUID, as you can see in Figure 4-5.
){kind=link}
Figure 4-5 All Group Policy templates are stored in a unique folder named after the GPO’s GUID; they are all stored in the SYSVOL\Policies folder on each domain controller.
During the creation of the GPT main folder, additional folders and files are created under this root folder. These folders and files include:
Group Policy folder Holds the GPE.ini file. The GPE.ini file tracks the GUIDs for the CSEs that are referenced in the GPO. As settings within the GPO are added or removed, the associated GUID for the CSE controlling the setting is added or removed from this file.
Machine folder Stores all GPO settings that are configured under the Computer Configuration node in the GPO.
User folder Stores all GPO settings that are configured under the User Configuration node in the GPO.
Gpt.ini file Tracks the GPO version number. The version number changes each time the GPO is modified.
Figure 4-6 illustrates the default folders and files that exist in the GPT.
){kind=link}
As settings are created in the GPO, additional folders and files are created in the appropriate folder, depending on whether a Computer Configuration setting or a User Configuration setting is made.
Figure 4-6 Newly created GPOs have only two default folders and one default file that make up the GPT in SYSVOL.
Not all settings create the same type of files. The different portions of the GPO make up the different client-side extensions supported in the GPO. When a setting is made for each client-side extension, the file in which it is stored within the GPT is also different. Table 4-1 shows the client-side extension in addition to the files used within the GPT for that extension. For more information about client-side extensions, refer to the section later in this chapter on the topic.
Table 4-1. Group Policy Template Files
Client-Side Extension |
Folder Structure in GPT |
File Name and Extension in GPT |
Software Installation |
Machine\Applications User\Applications |
<GUID>.aas |
Scripts |
Machine\Scripts\Startup Machine\Scripts\Shutdown User\Scripts\Logon User\Scripts\Logoff |
Varies (typically with .vbs, .bat, .cmd, .exe extension) |
Security |
Machine\Microsoft\Windows NT\SecEdit |
GptTmpl.inf |
Windows Firewall and Advanced Security |
Machine |
Registry.pol |
Public Key Policies |
Machine User |
Registry.pol |
Software Restriction Policy |
Machine User |
Registry.pol |
Network Access Protection |
Machine |
Registry.pol |
Policy Based QoS |
Machine User |
Registry.pol |
Registry |
Machine |
Registry.pol |
Remote Installation Services |
Microsoft\RemoteInstall |
Oscfilter.ini |
Folder Redirection |
User\Documents & Settings |
Fdeploy1.ini |
Internet Explorer Maintenance |
User\Microsoft\IEAK |
Various folders and files |
Group Policy Environment |
Machine\Preferences\EnvironmentVariables User\Preferences\EnvironmentVariables |
EnvironmentVariables.xml |
Group Policy Data Sources |
Machine\Preferences\DataSources User\Preferences\DataSources |
DataSources.xml |
Group Policy Devices |
Machine\Preferences\Devices User\Preferences\Devices |
Devices.xml |
Group Policy Files |
Machine\Preferences\Files User\Preferences\Files |
Files.xml |
Group Policy Folder Options |
Machine\Preferences\Options User\Preferences\Options |
Options.xml |
Group Policy Folders |
Machine\Preferences\Folders User\Preferences\Folders |
Folders.xml |
Group Policy Local Users and Groups |
Machine\Preferences\Groups User\Preferences\Groups |
Groups.xml |
Group Policy Ini Files |
Machine\Preferences\IniFiles User\Preferences\IniFiles |
IniFiles.xml |
Group Policy Network Options |
Machine\Preferences\NetworkOptions User\Preferences\NetworkOptions |
NetworkOptions.xml |
Group Policy Network Shares |
Machine\Preferences\NetworkShares User\Preferences\NetworkShares |
NetworkShares.xml |
Group Policy Power Options |
Machine\Preferences\PowerOptions User\Preferences\PowerOptions |
PowerOptions.xml |
Group Policy Printers |
Machine\Preferences\Printers User\Preferences\Printers |
Printers.xml |
Group Policy Registry |
Machine\Preferences\Registry User\Preferences\Registry |
Registry.xml |
Group Policy Scheduled Tasks |
Machine\Preferences\ScheduledTasks User\Preferences\ScheduledTasks |
ScheduledTasks.xml |
Group Policy Services |
Machine\Preferences\Services User\Preferences\Services |
Services.xml |
Group Policy Shortcuts |
Machine\Preferences\Shortcuts User\Preferences\Shortcuts |
Shortcuts.xml |
Group Policy Applications |
User\ Preferences\Applications |
Applications.xml |
Group Policy Drive Maps |
User\ Preferences\Drives |
Drives.xml |
Group Policy Internet Settings |
User\ Preferences\InternetSettings |
InternetSettings.xml |
Group Policy Regional Options |
User\ Preferences\RegionalOptions |
RegionalOptions.xml |
Group Policy Start Menu |
User\ Preferences\StartMenuTaskbar |
StartMenuTaskbar.xml |
Figure 4-7 illustrates what a complex set of GPO settings might look like through the files and folders that are created in the GPT.
){kind=link}
Figure 4-7 When a GPO has many settings configured in different areas of the GPO, folders and files may be created in the GPT.
As you can see, the GPT is responsible for housing all of the raw settings that are made in a GPO. Each setting is stored in a unique file structure, which correlates with the client-side extension under which it is categorized. The files that are stored in the GPT are delivered to the target computer during Group Policy processing.
Group Policy Container
The Group Policy container (GPC) is the portion of the GPO that is stored in Active Directory. The subfolder format of the GPC is similar to that of the GPT, but the GPC is radically different in content and overall use. The GPC has a suite of Active Directory properties associated with it, giving it the same feel as a typical Active Directory object, such as a user or computer object.
The GPC is also similar to the GPT, in the way in which it is tracked in the system; the GPC is also named after the GPO’s GUID. You can find the GPC by using one of many tools that display the Active Directory objects. By using Active Directory Users and Computers, you can access the full list of GPCs by following these steps:
In Active Directory Users and Computers, expand the domain node.
Expand the System node.
Expand the Policies node to expose the list of GUIDs that represent the GPCs, as shown in Figure 4-8.
Figure 4-8 All GPCs are stored in Active Directory under the GPO’s GUID, allowing the system to keep each GPO unique and distinguishable.
){kind=link}
NOTE
To see the System folder in Active Directory Users and Computers, you must first enable the Advanced Features option. To enable this option, click the domain node in Active Directory Users and Computers. Then click the Tools menu and select the Advanced Features menu option.
During the creation of the GPC, two main folders are created: Machine and User. These folders are empty by default; you can see nothing from the Active Directory Users and Computers interface with regard to the GPC. However, if you create some policy settings, you can see some folders and content within the Active Directory Users and Computers. Table 4-2 lists the folders and files associated with the policies that update the GPC.
Table 4-2. GPC Files
Client-Side Extension |
Folder Structure in GPC |
File Name and Extension in GPC |
Software Installation |
Machine\Class Store\Packages |
<GUID>, which is a packageRegistration object |
User\Class Store\Packages |
||
IP Security |
Machine\Microsoft\Windows |
IPSEC, which is an ipsecPolicy object |
Wireless Network (IEEE 802.3) Policies |
Machine\Microsoft\Windows\IEEE8023 |
<policyname>, which is a ms-net-ieee-8023-GroupPolicy object |
Wireless Network (IEEE 802.11) Policies |
Machine\Microsoft\Windows\Wireless |
<policyname>, which is a msieee80211-Policy object |
If you want to see details of the GPC, you can use Active Directory Users and Computers or an LDAP tool, such as ADSIEdit, which allows you to see the properties associated with the GPC. These properties help Active Directory and Group Policy apply the appropriate settings and point to the correct GPT and any other network location that might be configured within the GPO. Table 4-3 shows the default properties associated with the GPC.
Table 4-3. GPC Active Directory Properties
Property |
Default Value |
adminDescription |
<not set> |
adminDisplayName |
<not set> |
cn |
(GUID of GPO) |
defaultClassStore |
<not set> |
description |
<not set> |
displayName |
(Name of GPO) |
displayNamePrintable |
<not set> |
distinguishedName |
CN={GUID of GPO} |
dSASignature |
<not set> |
dSCorePropagationData |
0x0 = ( ) |
extensionName |
<not set> |
flags |
0 |
fSMORoleOwner |
<not set> |
gPCFileSysPath |
\\<domainname>\SysVol\<domainname>\Policies |
gPCFunctionalityVersion |
2 |
gPCMachineExtensionNames |
<not set> |
gPCUserExtensionNames |
<not set> |
gPCWQLFilter |
<not set> |
instanceType |
0x4 = (WRITE) |
isCriticalSystemObject |
<not set> |
isDeleted |
<not set> |
lastKnownParent |
<not set> |
mS-DS-ConsistencyChildCount |
<not set> |
mS-DS-ConsistencyGuid |
<not set> |
msDS-NcType |
<not set> |
msDS-ObjectReference |
<not set> |
Name |
(GUID of GPO) |
objectCategory |
CN=Group-Policy-Container,CN=Schema, CN=Configuration, DC=<domainname>, DC=<domain name extention> |
objectClass |
Top;container;groupPolicyContainer |
objectGUID |
GUID of GPO |
objectVersion |
<not set> |
otherWellKnownObjects |
<not set> |
partialAttributeDeletionList |
<not set> |
partialAttributeSet |
<not set> |
proxiedObjectName |
<not set> |
proxyAddresses |
<not set> |
replPropertyMetaData |
<Octet string table> |
replUpToDateVector |
<not set> |
repsFrom |
<not set> |
repsTo |
<not set> |
revision |
<not set> |
schemaVersion |
<not set> |
showinAdvancedViewOnly |
TRUE |
subRefs |
<not set> |
systemFlags |
<not set> |
url |
<not set> |
uSNChanged |
Dynamic numeric variable |
uSNCreated |
Dynamic numeric variable |
uSNDSALastObjRemoved |
<not set> |
USNIntersite |
<not set> |
uSNLastObjRem |
<not set> |
uSNSource |
<not set> |
versionNumber |
0 |
wbemPath |
<not set> |
wellKnownObjects |
<not set> |
whenChanged |
Date of change |
whenCreated |
Date of creation |
wWWHomePage |
<not set> |
Figure 4-9 shows what the GPC looks like when viewed with ADSIEdit.
){kind=link}
The GPC is not responsible for storing the settings that are in the GPO”that is the job of the GPT. The GPC ensures that all network links, resources, and paths are correct and tracked. When Group Policy processing occurs, the GPC properties are used to find all of the pertinent information for the GPT, software installation nodes, and so on.
Figure 4-9 Each GPO is represented with a GPC, which in turn has a suite of Active Directory object properties that store information about the GPO resources.