Group Policy Objects
The elements of Group Policy start with the Group Policy Objects (GPOs)
themselves. A GPO is a container for a predefined set of available
settings; when the GPO is linked to a site, domain, or organizational
unit, those settings are applied to the Active Directory computer and/or
user objects beneath that link. The settings available within a
particular GPO are defined by the administrative template files included
in or referenced by that GPO. As computer or user management needs
change, additional administrative templates can be imported into the GPO
to extend the settings it can configure.
Group Policy Object Storage and Replication
GPOs are stored in two places: the Active Directory database and the
file system of every domain controller. Each domain in an Active
Directory forest stores a complete copy of that particular domain's
GPOs; GPOs are not replicated between domains.
Within Active Directory, each GPO is represented by a
groupPolicyContainer object under CN=Policies,CN=System in the domain
naming context partition. That object carries the GPO's version number
and the path to its sysvol folder, and the links to the GPO are stored
in the gPLink attribute of the site, domain, or organizational unit it
is linked to. Because the domain partition is replicated only within a
single domain, a client processing a GPO that lives in another domain
(whether reached through a site link or through a direct cross-domain
link) must contact a domain controller of that other domain to read the
GPO, so such GPOs take longer to load and process.
The GPO settings themselves are stored in the file system of every
domain controller within the sysvol folder, which is shared on all
domain controllers as SYSVOL. Each domain GPO has a corresponding folder
within the sysvol\companyabc.com\Policies subfolder, as shown in Figure
1 using the companyabc.com domain as an example. The GPO folder is named
after the globally unique identifier (GUID) assigned to the GPO at
creation, written in braces; the two built-in GPOs use the same GUIDs in
every domain, {31B2F340-016D-11D2-945F-00C04FB984F9} for the Default
Domain Policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} for the Default
Domain Controllers Policy. The GUID of a GPO is listed as the Unique ID
on the Details tab when viewing a domain GPO in the Group Policy
Management Console. Within the GPO folder are a common set of subfolders
and files, including the User folder, the Machine folder, sometimes an
ADM folder, and the gpt.ini file.
Group Policy Object Replication
Because GPOs are stored both within the Active Directory database and on
the domain controller file system, two separate replication mechanisms
carry GPO information between domain controllers. The Active Directory
portion replicates with the rest of the domain partition. The file
system portion of the domain GPOs is replicated within the Domain System
Volume replication group by the Distributed File System Replication
(DFSR) service.
The Domain System Volume replication schedule is controlled by the DFSR
schedule, which by default follows the same replication cycle as the
Active Directory database: change-triggered replication between domain
controllers in the same Active Directory site, and the site link
schedule between domain controllers in separate sites. Because the two
mechanisms are independent, a GPO can briefly exist in Active Directory
before its folder has arrived in sysvol on a given domain controller, or
vice versa; the version number stored in both places is what reveals the
mismatch. Legacy domains, and domains upgraded from Windows 2000 or
Windows Server 2003 that have not been migrated, use the File
Replication Service (FRS) instead of DFSR. Running dfsrmig
/getglobalstate on a domain controller reports which service SYSVOL is
using; a state of Eliminated means the migration to DFSR is complete.
FRS should be retired wherever it remains, because domain controllers
running Windows Server 2019 or later cannot be added to a domain that
still replicates SYSVOL with FRS.
User Subfolder
The
User subfolder contains the files and folders used to store the
settings, software, scripts, and any other policy settings specific to
user and user object policies configured within a particular GPO.
Machine Subfolder
The Machine subfolder
contains the files and folders used to store the settings, software,
scripts, and any other policy settings specific to machine or computer
object policies configured within a particular GPO.
ADM Subfolder
The ADM subfolder is created
on new GPOs when legacy administrative template files are imported into
a GPO. Any GPOs created using Windows 2000 and Windows XP client
software, or Windows 2000 Server and Windows Server 2003 system
software, will contain an ADM subfolder to store all the legacy
administrative template files referenced and imported into the GPO.
registry.pol Files
Within a particular group
policy, the settings are segmented into several sections. Many settings
with the GPO configure keys and values within the Registry. The
configuration status and value of these settings are stored within the
registry.pol files in either the User or Machine subfolders. The
registry.pol file contains only the configured settings within the GPO
to improve processing.
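As an added example (not code from the original text), the following Python parses the registry.pol layout described above, so that what a GPO really writes to the Registry can be read straight from sysvol without the Group Policy Management Console. The sample file is constructed in the block with a small encoder so it runs offline; the key paths and values in it are illustrative and not taken from any real domain.

```python
import struct

# Registry value types that appear in registry.pol records
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

PREG_SIGNATURE = b"PReg"   # first 4 bytes of every registry.pol
PREG_VERSION = 1           # followed by a little-endian DWORD version


def utf16(s):
    """UTF-16LE bytes without a terminator; records use this encoding throughout."""
    return s.encode("utf-16-le")


def encode_registry_pol(entries):
    """Build a registry.pol byte string from (key, value_name, type, raw_data) tuples.
    Each record is [key;value;type;size;data] with brackets and semicolons as
    UTF-16LE characters, key and value name null-terminated."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += utf16("[")
        out += utf16(key) + b"\x00\x00"
        out += utf16(";") + utf16(value) + b"\x00\x00"
        out += utf16(";") + struct.pack("<I", rtype)
        out += utf16(";") + struct.pack("<I", len(data))
        out += utf16(";") + data
        out += utf16("]")
    return bytes(out)


def read_utf16z(buf, pos):
    """Read a null-terminated UTF-16LE string; return (text, position after the null)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly on a malformed file."""
    if buf[pos:pos + 2] != utf16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_data(rtype, data):
    """Turn the raw data bytes into a Python value for the common types."""
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_registry_pol(buf):
    """Return a list of dicts, one per configured setting, from registry.pol bytes."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a registry.pol file: missing PReg signature")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported registry.pol version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = expect(buf, pos, "[")
        key, pos = read_utf16z(buf, pos)
        pos = expect(buf, pos, ";")
        value, pos = read_utf16z(buf, pos)
        pos = expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = expect(buf, pos + size, "]")
        entries.append({"key": key, "value": value, "type": rtype,
                        "data": decode_data(rtype, data)})
    return entries


def lookup(entries, key, value):
    """Case-insensitive lookup of one setting; None if the GPO does not configure it."""
    for e in entries:
        if e["key"].lower() == key.lower() and e["value"].lower() == value.lower():
            return e["data"]
    return None


# Constructed sample (not from a real domain): a Machine\registry.pol that denies
# Remote Desktop connections and points Windows Update at a WSUS server.
SAMPLE_POL = encode_registry_pol([
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services",
     "fDenyTSConnections", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate",
     "WUServer", REG_SZ, utf16("https://wsus.companyabc.com") + b"\x00\x00"),
])

if __name__ == "__main__":
    # For a real GPO: buf = open(r"\\dc1\SYSVOL\companyabc.com\Policies\{GUID}\Machine\registry.pol", "rb").read()
    for e in parse_registry_pol(SAMPLE_POL):
        print("%s\\%s = %r" % (e["key"], e["value"], e["data"]))
```

Run against every Machine\registry.pol and User\registry.pol under a domain's Policies folder, the parser gives an offline inventory of what each GPO actually configures; comparing that inventory across domain controllers is a quick way to spot a sysvol replica that is behind, or a GPO that was edited outside the console.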
gpt.ini File
When a GPO is created, a folder
for the GPO is created within the connected domain controller’s sysvol
folder. At the root of that GPO folder is a file named gpt.ini. This
file contains the revision number of the GPO. The revision number is
used when a GPO is processed by a computer or user object. When a GPO is
first processed, the revision number is stored on the system and when
subsequent GPO processing occurs, the reference number in the gpt.ini
file is compared with the stored value on the local system cache. If the
number has not changed, certain portions of the GPO are not processed.
There are, however, certain portions of a GPO that are always processed,
like scripts.
Each time a GPO is
changed, the reference or revision number is increased, and even though
the gpt.ini file contains a single number, it actually represents a
separate revision number for the computer and user section of the GPO.
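The two checks a practitioner performs on that number, as an added example (not code from the original text): splitting the packed gpt.ini version into its user and computer halves, deciding which half a client would reprocess against a cached version, and confirming that the sysvol copy agrees with the versionNumber attribute in Active Directory. The gpt.ini text and the AD version used here are constructed for the example, not taken from a real domain.

```python
import configparser

# Constructed sample gpt.ini (not from a real domain). Version=65539 is 0x00010003:
# user revision 1 in the upper 16 bits, computer revision 3 in the lower 16 bits.
SAMPLE_GPT_INI = """[General]
Version=65539
displayName=New Group Policy Object
"""


def parse_gpt_ini(text):
    """Return the packed Version= number from the [General] section of a gpt.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def load_gpt_ini(path):
    """Read a gpt.ini from disk; the file is plain text, so decoding errors are tolerated."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return parse_gpt_ini(f.read())


def split_version(version):
    """Unpack the single revision number into its two 16-bit halves."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}


def sections_to_reprocess(cached_version, current_version):
    """Which halves of the GPO a client would reprocess, given the version it cached
    at the last refresh and the version now published in gpt.ini."""
    old, new = split_version(cached_version), split_version(current_version)
    return [side for side in ("computer", "user") if old[side] != new[side]]


def sysvol_matches_ad(gpt_ini_version, ad_version_number):
    """gpt.ini and the GPO object's versionNumber attribute must agree; a mismatch
    means one replication mechanism has not caught up with the other."""
    return gpt_ini_version == ad_version_number


if __name__ == "__main__":
    v = parse_gpt_ini(SAMPLE_GPT_INI)
    print("gpt.ini Version=%d -> %s" % (v, split_version(v)))
    # A client that cached 0x00010002 (user 1, computer 2) reprocesses only the computer side
    print("reprocess:", sections_to_reprocess(0x00010002, v))
    print("in sync with AD:", sysvol_matches_ad(v, 65539))
```

Pointing load_gpt_ini at \\dc\SYSVOL\domain\Policies\{GUID}\gpt.ini on two different domain controllers, and comparing both results with the versionNumber read from the groupPolicyContainer object, turns the replication caveat above into a concrete test rather than a guess.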
The default behavior of not processing certain GPO sections if the
revision number has not changed can be overridden. In some cases, even
though the GPO has not changed, the intended settings could have been
changed locally by a user, an administrator, or a program, and nothing
in the default processing cycle will put them back until the GPO's
revision number next changes. Where that drift matters, the extension
can be forced to reapply on every cycle with the "Process even if the
Group Policy objects have not changed" option of the corresponding
policy processing setting under Computer Configuration\Administrative
Templates\System\Group Policy (for example, Configure registry policy
processing), at the cost of extra processing time at each refresh.
Running gpupdate /force on a client has the same effect for a single
refresh.