Windows Server 2012 Group Policies and Policy Management : Understanding Group Policy (part 1) - GPO Storage and Replication

7/5/2013 5:14:10 PM

This section discusses various concepts and terminology related to Group Policy to provide system administrators with the information required to understand, support, and deploy group policies in an Active Directory forest.

1. Group Policy Objects

Group policy objects (GPOs) are predefined sets of available settings that can be applied to Active Directory computer/user objects. The settings, available within a particular GPO, are created using a combination of administrative template files included or referenced within that GPO. As the particular computer or user management needs change, additional administrative templates can be imported into a particular GPO to extend its functionality.

2. GPO Storage and Replication

GPOs are stored in both the file system and the Active Directory database. Each domain in an Active Directory forest stores a complete copy of that particular domain’s GPOs.

Within Active Directory, the GPO links and version information are stored within the domain naming context partition of the database. Because this partition is replicated only within a single domain, processing GPOs linked across domains, either using sites or just a cross-domain GPO link, can take longer to load and process.

The GPO settings are stored in the file system of all domain controllers within the SYSVOL folder. The SYSVOL folder is shared on all domain controllers. Each domain GPO has a corresponding folder located within the Sysvol\Companyabc.com\Policies subfolder, as shown in Figure 1. The GPO folder is named after the globally unique identifier (GUID) assigned to that GPO during creation. The GUID of a GPO is listed when viewing the properties of a domain GPO using the Group Policy Management Console. The GPO folder includes a common set of subfolders and files, including the User folder, Machine folder (and sometimes the ADM, Preferences, Scripts, and other folders) and the gpt.ini file. Each subfolder within a GPO folder hierarchy contains the necessary files and folders associated with the particular policy or preference section.


Figure 1. Examining the SYSVOL policies folder.

GPO Replication

Because GPOs are stored within the Active Directory database and on the domain controller file system, all GPO information is replicated by the domain controllers. The file system portion of the domain GPOs is replicated within the Domain System Volume Distributed File System Replication (DFSR) group by the Distributed File System Replication service.

The Domain System Volume replication schedule is controlled by the DFSR schedule, which, by default, follows the same replication cycle as the Active Directory database. Replication occurs every 5 minutes, or immediately between domain controllers in a single Active Directory site, and follows the site link schedule between domain controllers in separate sites. Legacy domains use the File Replication Service instead of DFSR.

User Subfolder

The User subfolder contains the files and folders used to store the settings, software, scripts, and any other policy settings specific to user and user object policies configured within a particular GPO.

Machine Subfolder

The Machine subfolder contains the files and folders used to store the settings, software, scripts, and any other policy settings specific to machine or computer object policies configured within a particular GPO.

Preference Subfolder

The Preference subfolder contains the files and folders used to store the settings, tasks, or any other policy settings specific to machine or computer object preference configured within a particular GPO.

ADM Subfolder

The ADM subfolder is created on new GPOs when legacy administrative template files are imported into a GPO. Any GPOs created using Windows 2000 and Windows XP client software, or Windows 2000 Server and Windows Server 2003 system software, contain an ADM subfolder to store all the legacy administrative template files referenced and imported into the GPO. New GPOs created by Windows Server 2012 do not contain this subfolder by default.

Registry.pol Files

Within a particular group policy, the settings are segmented into several sections. Many settings within a GPO configure keys and values within the Registry. The configuration status and value of these settings are stored within the registry.pol files in either the User or Machine subfolders. The registry.pol file contains only the configured settings within the GPO to improve processing.
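The registry.pol layout described above is simple enough to read directly, which is useful when you want to audit exactly which Registry keys and values a GPO will write without opening the editor. The following PowerShell is an added example, not code from the original article: it encodes and decodes the "[key;value;type;size;data]" records of the registry.pol format. The two-entry registry.pol it parses is constructed in memory for the demonstration, and the Companyabc key and value names are placeholders.

```powershell
# Added example, not code from the original article: a small encoder and reader for registry.pol.
function New-RegistryPolEntry {
    # Encodes one "[key;value;type;size;data]" record. Key and value are null-terminated UTF-16LE
    # strings; type and size are 4-byte little-endian integers; the separators are UTF-16LE characters.
    param([string]$Key, [string]$ValueName, [uint32]$Type, [byte[]]$Data = @())
    $enc = [Text.Encoding]::Unicode
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($enc.GetBytes('['))
    $out.AddRange($enc.GetBytes($Key + [char]0 + ';'))
    $out.AddRange($enc.GetBytes($ValueName + [char]0 + ';'))
    $out.AddRange([BitConverter]::GetBytes($Type));                $out.AddRange($enc.GetBytes(';'))
    $out.AddRange([BitConverter]::GetBytes([uint32]$Data.Length)); $out.AddRange($enc.GetBytes(';'))
    $out.AddRange($Data)
    $out.AddRange($enc.GetBytes(']'))
    return ,$out.ToArray()
}

function Read-PolString {
    # Reads a null-terminated UTF-16LE string at $Start; returns the string and the offset
    # just past the terminator and the ';' that follows it.
    param([byte[]]$Bytes, [int]$Start)
    $end = $Start
    while ($end + 1 -lt $Bytes.Length -and -not ($Bytes[$end] -eq 0 -and $Bytes[$end + 1] -eq 0)) { $end += 2 }
    if ($end + 1 -ge $Bytes.Length) { throw "Unterminated string at offset $Start" }
    [Text.Encoding]::Unicode.GetString($Bytes, $Start, $end - $Start)
    $end + 4
}

function Read-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Missing PReg signature: not a registry.pol file'
    }
    $pos = 8    # past the "PReg" signature and the 4-byte format version
    while ($pos -lt $Bytes.Length) {
        if ([Text.Encoding]::Unicode.GetString($Bytes, $pos, 2) -ne '[') { throw "Malformed entry at offset $pos" }
        $pos += 2
        $key, $pos       = Read-PolString $Bytes $pos
        $valueName, $pos = Read-PolString $Bytes $pos
        $type = [BitConverter]::ToUInt32($Bytes, $pos);      $pos += 6   # 4-byte type, then ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # 4-byte size, then ';'
        $data = New-Object byte[] $size
        if ($size -gt 0) { [Array]::Copy($Bytes, $pos, $data, 0, $size) }
        $pos += $size + 2   # data, then ']'

        # Decode the common REG_* types; anything else is shown as hex.
        $decoded = switch ($type) {
            1 { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }                 # REG_SZ
            2 { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }                 # REG_EXPAND_SZ
            4 { if ($size -ge 4) { [BitConverter]::ToUInt32($data, 0) } }                    # REG_DWORD
            7 { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) -split [char]0 }  # REG_MULTI_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        # Value names beginning with "**" (for example **del.<name> or **DelVals.) are deletion
        # instructions rather than values to write.
        [pscustomobject]@{ Key = $key; ValueName = $valueName; Type = $type; Size = $size; Data = $decoded }
    }
}

# Constructed sample: a GPO that writes two values under a placeholder key.
$enc = [Text.Encoding]::Unicode
$entries = @(
    (New-RegistryPolEntry 'Software\Policies\Companyabc\Desktop' 'LockTimeout' 4 ([BitConverter]::GetBytes([uint32]900))),
    (New-RegistryPolEntry 'Software\Policies\Companyabc\Desktop' 'Banner' 1 ($enc.GetBytes("Authorized use only`0")))
)
# File header: "PReg" signature followed by format version 1.
$samplePol = [byte[]](
    [Text.Encoding]::ASCII.GetBytes('PReg') +
    [BitConverter]::GetBytes([uint32]1) +
    ($entries | ForEach-Object { $_ })
)
Read-RegistryPol $samplePol | Format-Table -AutoSize

# Against a real GPO folder (replace <GPO-GUID> with the GUID shown in GPMC):
# Read-RegistryPol ([IO.File]::ReadAllBytes("\\companyabc.com\SYSVOL\companyabc.com\Policies\{<GPO-GUID>}\Machine\registry.pol"))
```

The table printed for the sample lists both entries with the DWORD decoded to 900 and the REG_SZ decoded to its text. Because the file holds only configured settings, a regular diff of this output against a known-good baseline is a cheap way to spot an unexpected change to a GPO in SYSVOL.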

Gpt.ini File

When a GPO is created, a folder for the GPO is created within the connected domain controller’s SYSVOL folder. At the root of that GPO folder is a file named gpt.ini. This file contains the revision number of the GPO. The revision number is used when a GPO is processed by a computer or user object. When a GPO is first processed, the revision number is stored on the client system, and when subsequent GPO processing occurs, the revision number in the gpt.ini file is compared with the value cached on the local system. If the number has not changed, certain portions of the GPO are not processed by default.

Each time a GPO is changed, the reference or revision number is increased, and even though the gpt.ini file contains a single number, it actually represents a separate revision number for the computer and user section of the GPO.

The default configuration of not processing certain GPO sections if the revision number has not changed can be overridden. In some cases, even though the GPO has not changed, the intended settings could have been changed by the user or a program, and sometimes forcing the entire GPO to always be processed is required. 
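Because gpt.ini is the file clients use to decide whether a GPO has changed, and because its SYSVOL copy reaches every domain controller only through the DFSR replication described earlier, checking that value on each domain controller is a practical health check. The following PowerShell is an added example, not code from the original article: it decodes the single gpt.ini number into its computer and user revisions and compares them, per domain controller, with the revisions Active Directory holds for the GPO. It assumes the GroupPolicy and ActiveDirectory RSAT modules and the article's sample domain companyabc.com; the GPO name is a placeholder.

```powershell
# Added example, not code from the original article. Adjust $Domain and $GpoName for your environment.
param(
    [string]$Domain  = 'companyabc.com',
    [string]$GpoName = 'Default Domain Policy'
)
Import-Module GroupPolicy, ActiveDirectory

$gpo = Get-GPO -Name $GpoName -Domain $Domain
# The GPO folder under SYSVOL\<domain>\Policies is named after the GPO's GUID.
$relativeGptIni = "Policies\{$($gpo.Id)}\gpt.ini"

foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $gptIni = "\\$($dc.HostName)\SYSVOL\$Domain\$relativeGptIni"
    if (-not (Test-Path -LiteralPath $gptIni)) {
        # Either SYSVOL replication has not delivered this GPO folder yet or the DC is unreachable.
        [pscustomobject]@{ DomainController = $dc.HostName; Status = 'gpt.ini missing' }
        continue
    }
    $m = [regex]::Match((Get-Content -LiteralPath $gptIni -Raw), '(?m)^Version=(\d+)')
    if (-not $m.Success) { throw "$gptIni has no Version entry" }
    $version = [uint32]$m.Groups[1].Value

    # gpt.ini stores one number, but it packs two revisions: the user section in the high 16 bits
    # and the computer section in the low 16 bits.
    $userRev     = [int](($version -shr 16) -band 0xFFFF)
    $computerRev = [int]($version -band 0xFFFF)

    # Get-GPO reports the revisions recorded in the AD domain partition; a lasting difference from
    # the SYSVOL value on a DC means the two halves of the GPO are out of step on that DC.
    $inSync = ($computerRev -eq $gpo.Computer.DSVersion) -and ($userRev -eq $gpo.User.DSVersion)
    $status = if ($inSync) { 'in sync' } else { 'AD/SYSVOL mismatch' }

    [pscustomobject]@{
        DomainController  = $dc.HostName
        GptIniVersion     = $version
        ComputerRevision  = $computerRev
        UserRevision      = $userRev
        ComputerDSVersion = $gpo.Computer.DSVersion
        UserDSVersion     = $gpo.User.DSVersion
        Status            = $status
    }
}
```

A mismatch that clears within the replication interval is normal right after an edit; one that persists points at SYSVOL replication rather than at the GPO itself, and is also the reason a client may keep applying a stale version of the policy.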

3. Group Policy Administrative Templates

Group policy administrative templates are, in most cases, sets of text or Extensible Markup Language (XML)-based files that include clearly defined settings that can be set to a number of different values.

Administrative templates are provided to give administrators easy access to many configurable settings commonly used to manage server and workstation computers and end users.

When a new GPO is created, a base set of administrative templates is imported or referenced within that policy. Additional administrative templates can be imported to a particular policy to add functionality as required. When new OSs are released on an existing network (for example, Windows 8 and Windows Server 2012), Group Policy administrators will see different values within Group Policy editors when editing a policy on the newer OS. This can cause confusion and issues, so when new OSs are introduced, the new administrative templates should be used by all administrators. A quick way to make this work efficiently is for organizations to leverage the Group Policy central store and to update the administrative templates within that store with each new OS.

4. Windows 8 and Windows Server 2012 Central Store

Each GPO in the Active Directory forest has a corresponding folder stored in the SYSVOL folder on each domain controller in the domain in which the GPO is created. If the domain controllers in the particular domain are running Windows Server 2003, each of these GPO folders contains a copy of each of the administrative templates loaded in that particular GPO, within the ADM subfolder. This legacy GPO storage scenario created many duplicated administrative template files and required additional storage space and increased replication traffic between domain controllers.

Starting with the new Group Policy infrastructure included with Windows Vista and Windows Server 2008, and continuing with Windows 8 and Windows Server 2012, newly created GPOs only store the files and folders required to store the configured settings, scripts, registry.pol, and other GPO-related files. When the GPO is opened for editing or processed by a Windows Vista, Windows Server 2008, or later OS, the local copy of the administrative templates is referenced but not copied to the new GPO folder in SYSVOL. Instead, the administrative templates are referenced from files stored on the local workstations or the domain central store.

The GPO central store is a file repository that houses each of the next generation administrative templates. The central store contains all the new ADMX and ADML administrative templates, and each workstation references the files on the domain controller they are using to process group policies. With a central store created, when a GPO is opened or processed, the system first checks for the existence of the central store, and then uses only the templates stored in the central store.

The GPO central store can be created within Active Directory infrastructures running any version of Windows Server 2003 or later domain controllers.
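Creating the central store amounts to placing the ADMX files and their language subfolders in one well-known location under SYSVOL. The following PowerShell is an added example, not code from the original article: it creates the central store for the article's sample domain companyabc.com (replace with your own) and populates it from the templates on the administrator's Windows 8 or Windows Server 2012 machine. The file-age rule it applies is this example's choice, not something the article specifies.

```powershell
# Added example, not code from the original article.
param(
    [string]$Domain         = 'companyabc.com',
    [string]$LocalTemplates = "$env:SystemRoot\PolicyDefinitions"
)

# The central store is simply this folder in SYSVOL; once it exists, editors use it instead of
# the local PolicyDefinitions folder.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}

# Copy .admx files and the language subfolders (en-US\*.adml and so on), but only where the
# local template is missing from the store or newer than the stored copy, so an administrator on
# an older OS does not roll back templates another administrator added from a newer OS.
$copied = 0
foreach ($file in Get-ChildItem -Path $LocalTemplates -Recurse -File -Include *.admx, *.adml) {
    $relative  = $file.FullName.Substring($LocalTemplates.Length).TrimStart('\')
    $target    = Join-Path $centralStore $relative
    $targetDir = Split-Path -Path $target -Parent
    if (-not (Test-Path -LiteralPath $targetDir)) { New-Item -ItemType Directory -Path $targetDir | Out-Null }
    if (-not (Test-Path -LiteralPath $target) -or
        $file.LastWriteTimeUtc -gt (Get-Item -LiteralPath $target).LastWriteTimeUtc) {
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        $copied++
    }
}

# Report what the store now contains; every other DC receives it through SYSVOL replication.
$admx = (Get-ChildItem -Path $centralStore -Filter *.admx -File).Count
$adml = (Get-ChildItem -Path $centralStore -Recurse -Filter *.adml -File).Count
"Central store: $centralStore  copied=$copied  admx=$admx  adml=$adml"
```

Run it from the newest client or server OS in the environment, since that machine carries the newest templates. Because the central store lives in SYSVOL, write access to it should be limited to the Group Policy administrators: whoever can change the templates there changes what every editor in the domain presents.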

5. Starter GPOs

Windows Server 2008, Windows Server 2008 R2, and the Windows Server 2012 Group Policy Management Console provide a new feature of GPO management called starter GPOs. Starter GPOs are similar to regular GPOs, but they only contain settings available from administrative templates. Just as security templates can be used to import and export the configured settings within the security section of a policy, starter GPOs can be used to prepopulate configured settings in the Administrative Templates sections of the Computer Configuration and User Configuration nodes within a GPO. After the release of Windows Server 2008, Microsoft released a set of predefined starter GPOs for Windows Vista and Windows XP, and these are also included in Windows Server 2012. The predefined settings in these starter GPOs are based on information that can be found in the Windows XP and Windows client security guide published by Microsoft. These particular starter GPOs are read-only policies, but administrators can create their own starter GPOs as needed by the organization.

6. Policy Settings

Policy settings are simply the configurable options made available within a particular GPO. These settings are provided from the base administrative templates, security settings, scripts, policy-based quality of service (QoS), and, in some cases, software deployment packages. Many policy settings correspond one to one with a particular Registry key and value. Depending on the particular settings, different values, including free-form text, might be acceptable as a legitimate value.

GPO policy settings are usually configurable to one of three values: Not Configured, Enabled, or Disabled. It is important for administrators to understand not only the differences between these three values, but to also understand what the particular policy setting controls. For example, a policy setting that disables access to Control Panel will block access to Control Panel when enabled but will allow access when disabled.

GPO policy settings apply to either a computer or a user object. Within a particular GPO, an administrator might find the same policy setting within both the Computer Configuration and User Configuration nodes. In cases like this, if the policy setting is configured for both objects, the computer setting overrides the user setting if the policy is linked to the user object and the workstation to which the user is logged on.
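The one-to-one mapping between a policy setting and a Registry value can be seen directly with the GroupPolicy module. The following PowerShell is an added example, not code from the original article: it drives the "Prohibit access to Control Panel" setting mentioned above through Enabled, Disabled and Not Configured and reads back what the GPO records. That setting is backed by the NoControlPanel DWORD value under the user Policies\Explorer key. It assumes the GroupPolicy RSAT module; the GPO name is a placeholder.

```powershell
# Added example, not code from the original article.
param([string]$GpoName = 'User Desktop Restrictions')
Import-Module GroupPolicy

$key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoControlPanel'

function Get-RecordedValue {
    # Returns the value stored in the GPO's user registry.pol, or 'absent' when the GPO does not
    # mention it at all (the Not Configured state).
    try {
        (Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -ErrorAction Stop).Value
    } catch {
        'absent'
    }
}

# Enabled: the GPO writes NoControlPanel = 1 and Control Panel is blocked.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null
"Enabled        -> NoControlPanel = $(Get-RecordedValue)"

# Disabled: the GPO still manages the setting, so Control Panel is allowed even if something else
# had set the value. How the editor records Disabled depends on the template (a value of 0 or a
# delete entry); writing 0 here is this example's simplification with the same effect on the client.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -Type DWord -Value 0 | Out-Null
"Disabled       -> NoControlPanel = $(Get-RecordedValue)"

# Not Configured: the entry is removed from registry.pol and the GPO leaves the value alone.
Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName | Out-Null
"Not Configured -> NoControlPanel = $(Get-RecordedValue)"
```

The difference between Disabled and Not Configured is the one that matters for a lockdown: only Disabled keeps the setting under the GPO's control, while Not Configured returns it to whatever the local machine or another GPO sets.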

7. Preference Settings

Group policies have two main setting nodes: the Computer Configuration and User Configuration nodes. Each node contains two other nodes: the Policies and Preferences setting nodes. The Group Policy extensions presented in the Preferences node enable administrators to configure many default or initial configuration and environmental settings for users and computers. One really great feature of the GPO Preferences node is item-level targeting, which applies a certain preference (for instance, setting the Start menu on Windows 8 workstations to configure the power button to perform a logoff rather than a computer shutdown) to only defined users or groups within the item-level target definition of that GPO. When a user logs on to a workstation and has that preference applied, this will be the initial setting, but users can change that setting if they want. One important distinction that all GPO administrators must make is that policies set and enforce settings, whereas preferences configure initial settings but do not block the settings from changes.

8. GPO Links

GPO links are the key to deploying GPOs to a predetermined set of Active Directory computers/users. GPO links define where the particular policy or policies will be applied in terms of the Active Directory domain and site hierarchy design.

GPOs can be linked to Active Directory sites, domains, and OUs. Also, a single GPO can be linked to multiple sites, domains, and OUs in a single forest. This gives administrators the flexibility to create a single policy and apply it to several different sets of computers and users within an Active Directory forest.

The design of the Active Directory infrastructure, including site design, domain and tree design, and OU hierarchy, is critical to streamlining targeted GPO application. Careful planning and consideration should be taken into account during the Active Directory design phase with regard to how GPOs will be used and how user, group, and computer objects will be organized.

GPO links can also be disabled as required, to assist with troubleshooting GPO application or processing.
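Linking, ordering and temporarily disabling links can all be done from PowerShell, which makes it easier to record what was changed during troubleshooting. The following PowerShell is an added example, not code from the original article: it lists where a GPO is linked, links it to an OU, shows the OU's link order, and disables the link instead of deleting it. It assumes the GroupPolicy RSAT module, the article's sample domain companyabc.com, and a placeholder OU and GPO name; replace all three for your environment.

```powershell
# Added example, not code from the original article.
param(
    [string]$GpoName  = 'Workstation Lockdown',
    [string]$TargetOU = 'OU=Workstations,DC=companyabc,DC=com'
)
Import-Module GroupPolicy

# 1. Where is the GPO linked today? The XML report carries one LinksTo element per site, domain or OU link.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled, NoOverride | Format-Table -AutoSize

# 2. Link it to the OU unless a link already exists (one GPO may be linked to many sites, domains and OUs).
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 3. Show the OU's link order: Order 1 has the highest precedence and is applied last.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 4. For troubleshooting, disable the link instead of deleting it: the GPO and its settings stay
#    intact and the link can be switched back on once the test is done.
Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled No  | Out-Null
# ... run gpupdate /force on a test workstation, check gpresult, then restore the link:
Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
```

Step 1 is the one worth keeping as a scheduled report: a GPO that is linked somewhere nobody expects, or a link that was disabled for a test and never re-enabled, both show up there long before anyone notices the effect on a workstation.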
