This section discusses various concepts and
terminology related to Group Policy to provide system administrators
with the information required to understand, support, and deploy group
policies in an Active Directory forest.
1. Group Policy Objects
Group policy objects (GPOs) are predefined
sets of available settings that can be applied to Active Directory
computer/user objects. The settings, available within a particular GPO,
are created using a combination of administrative template files
included or referenced within that GPO. As the particular computer or
user management needs change, additional administrative templates can be
imported into a particular GPO to extend its functionality.
2. GPO Storage and Replication
GPOs are stored in both the file system and
the Active Directory database. Each domain in an Active Directory forest
stores a complete copy of that particular domain’s GPOs.
Within Active Directory, the GPO links and
version information are stored within the domain naming context
partition of the database. Because this partition is replicated only
within a single domain, GPOs linked across domains, whether through
sites or through a direct cross-domain GPO link, can take longer to
load and process.
The GPO settings are stored in the file system
of all domain controllers within the SYSVOL folder. The SYSVOL folder
is shared on all domain controllers. Each domain GPO has a corresponding
folder located within the Sysvol\Companyabc.com\Policies subfolder, as
shown in Figure 1.
The GPO folder is named after the globally unique identifier (GUID)
assigned to that GPO during creation. The GUID of a GPO is listed when
viewing the properties of a domain GPO using the Group Policy Management
Console. The GPO folder includes a common set of subfolders and files,
including the User folder, Machine folder (and sometimes the ADM,
Preferences, Scripts, and other folders) and the gpt.ini file. Each
subfolder within a GPO folder hierarchy contains the necessary files and
folders associated with the particular policy or preference section.
Figure 1. Examining the SYSVOL policies folder.
GPO Replication
Because GPOs are stored within the Active
Directory database and on the domain controller file system, all GPO
information is replicated by the domain controllers. The file system
portion of the domain GPOs is replicated within the Domain System Volume
Distributed File System Replication (DFSR) group by the Distributed
File System Replication service.
The Domain System Volume replication schedule
is controlled by the DFSR schedule, which, by default, follows the same
replication cycle as the Active Directory database. Replication occurs
every 5 minutes, or immediately between domain controllers in a single
Active Directory site, and follows the site link schedule between domain
controllers in separate sites. Legacy domains use the File Replication
Service instead of DFSR.
User Subfolder
The User subfolder contains the files and
folders used to store the settings, software, scripts, and any other
policy settings specific to user and user object policies configured
within a particular GPO.
Machine Subfolder
The Machine subfolder contains the files and
folders used to store the settings, software, scripts, and any other
policy settings specific to machine or computer object policies
configured within a particular GPO.
Preference Subfolder
The Preference subfolder contains the files
and folders used to store the settings, tasks, or any other policy
settings specific to machine or computer object preference configured
within a particular GPO.
ADM Subfolder
The ADM subfolder is created on new GPOs when
legacy administrative template files are imported into a GPO. Any GPOs
created using Windows 2000 and Windows XP client software, or Windows
2000 Server and Windows Server 2003 system software, contain an ADM
subfolder to store all the legacy administrative template files
referenced and imported into the GPO. New GPOs created by Windows Server
2012 do not contain this subfolder by default.
Registry.pol Files
Within a particular group policy, the settings
are segmented into several sections. Many settings within a GPO
configure keys and values within the Registry. The configuration status
and value of these settings are stored within the registry.pol files in
either the User or Machine subfolders. The registry.pol file contains
only the configured settings within the GPO to improve processing.
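As an added example (not code from the book), the following Python parses the registry.pol layout described here: a "PReg" signature and version, then one [key;value;type;size;data] record per configured setting, with all text stored as UTF-16LE. The sample file is constructed inline; the Software\Policies\Example key is hypothetical, while the NoControlPanel entry mirrors the Control Panel setting discussed later on this page.

```python
import struct

REG_SZ, REG_DWORD = 1, 4   # registry value types handled below

def _w(s):
    return s.encode("utf-16-le")   # registry.pol stores all text as UTF-16LE

def encode_entry(key, value, rtype, data):   # builds one record (sample only)
    return (_w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
            + struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data))
            + _w(";") + data + _w("]"))

# Constructed sample file: "PReg" signature, version 1, then two entries. The
# second entry uses a hypothetical key purely to exercise REG_SZ decoding.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
    + encode_entry(r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
                   "NoControlPanel", REG_DWORD, struct.pack("<I", 1))
    + encode_entry(r"Software\Policies\Example", "Banner", REG_SZ, _w("hello\0")))

def parse_registry_pol(blob):
    """Return [(key, value, type, data)] for every setting configured in the file."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    pos, entries = 8, []
    def read_wsz():   # null-terminated UTF-16LE string; scan in 2-byte steps
        nonlocal pos
        end = pos
        while end < len(blob) and blob[end:end + 2] != b"\0\0":
            end += 2
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    def expect(ch):   # consume one literal [ ; or ] delimiter
        nonlocal pos
        if blob[pos:pos + 2] != _w(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 2
    while pos < len(blob):
        expect("["); key = read_wsz(); expect(";"); value = read_wsz(); expect(";")
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data = blob[pos:pos + size]; pos += size; expect("]")
        entries.append((key, value, rtype, data))
    return entries

def decode_data(rtype, data):   # common types decoded; others stay raw bytes
    if rtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    return data.decode("utf-16-le").rstrip("\0") if rtype == REG_SZ else data
```

Because the file holds only configured settings, diffing the parsed list of two SYSVOL copies (or of the same file over time) shows exactly which Registry-backed policy values changed.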
Gpt.ini File
When a GPO is created, a folder for the GPO is
created within the connected domain controller’s SYSVOL folder. At the
root of that GPO folder is a file named gpt.ini. This file contains the
revision number of the GPO. The revision number is used when a GPO is
processed by a computer or user object. When a GPO is first processed,
the revision number is stored on the client system, and when subsequent
GPO processing occurs, the revision number in the gpt.ini file is
compared with the value stored in the local system cache. If the number
has not changed, certain portions of the GPO are not processed by
default.
Each time a GPO is changed, the revision number is incremented.
Although the gpt.ini file contains a single number, that number
actually represents separate revision numbers for the computer and
user sections of the GPO.
The default configuration of not processing
certain GPO sections if the revision number has not changed can be
overridden. In some cases, even though the GPO has not changed, the
intended settings could have been changed by the user or a program, and
sometimes forcing the entire GPO to always be processed is required.
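As an added example that is not part of the book, the following Python reads a constructed gpt.ini, splits the single Version value into the two revisions it packs (computer revision in the low 16 bits, user revision in the high 16 bits), models the skip-if-unchanged check described above together with the override, and compares the file against the versionNumber attribute on the GPO's Active Directory object, a consistency check worth running when SYSVOL and the directory are suspected of disagreeing. The version value and display name are made up.

```python
import configparser

# Constructed gpt.ini text (not the book's file). 196613 is 0x00030005, i.e.
# user revision 3 in the high word and computer revision 5 in the low word.
SAMPLE_GPT_INI = """[General]
Version=196613
displayName=Workstation Lockdown
"""

def gpt_versions(text):
    """Return (computer_revision, user_revision) from the single Version value."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    version = int(cfg["General"]["Version"])
    return version & 0xFFFF, version >> 16

def sections_to_process(text, cached, force=False):
    """Model the client-side check the text describes: each half of the GPO is
    reprocessed only if its revision differs from the cached one, unless the
    administrator forces processing. `cached` is the (computer, user) pair
    saved after the previous processing, or None on first contact."""
    computer, user = gpt_versions(text)
    todo = []
    if force or cached is None or computer != cached[0]:
        todo.append("Machine")
    if force or cached is None or user != cached[1]:
        todo.append("User")
    return todo

def versions_consistent(text, ad_version_number):
    """The same packed value is stored on the GPO's Active Directory object as
    its versionNumber attribute. A mismatch means SYSVOL and the directory have
    not converged (replication lag, or a change made to only one side) and
    should be investigated before the GPO is trusted."""
    computer, user = gpt_versions(text)
    return (user << 16 | computer) == ad_version_number
```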
3. Group Policy Administrative Templates
Group policy administrative templates are, in
most cases, text or Extensible Markup Language (XML)-based files that
include clearly defined settings, each of which can be set to one of a
number of different values.
Administrative templates are provided to give
administrators easy access to many configurable settings commonly used
to manage server and workstation computers and end users.
When a new GPO is created, a base set of
administrative templates is imported or referenced within that policy.
Additional administrative templates can be imported to a particular
policy to add functionality as required. When new OSs are released on an
existing network (for example, Windows 8 and Windows Server 2012),
Group Policy administrators will see different values within Group
Policy editors when editing a policy on the newer OS. This can cause
confusion and issues, and when new OSs are introduced, the new
administrative templates should be used by all administrators. A quick
way to make this work efficiently is for organizations to leverage the
Group Policy central store and to update the administrative templates
within that store with each new OS.
4. Windows 8 and Windows Server 2012 Central Store
Each GPO in
the Active Directory forest has a corresponding folder stored in the
SYSVOL folder on each domain controller in the domain in which the GPO
is created. If the domain controllers in the particular domain are
running Windows Server 2003, each of these GPO
folders contains a copy of each of the administrative templates loaded
in that particular GPO, within the ADM subfolder. This legacy GPO
storage scenario created many duplicated administrative template files
and required additional storage space and increased replication traffic
between domain controllers.
Starting with the new Group Policy
infrastructure included with Windows Vista and Windows Server 2008, and
continuing with Windows 8 and Windows Server 2012, newly created GPOs
only store the files and folders required to store the configured
settings, scripts, registry.pol, and other GPO-related files. When the
GPO is opened for editing or processed by a Windows Vista, Windows
Server 2008, or later OS, the local copy of the administrative templates
is referenced but not copied to the new GPO folder in SYSVOL. Instead,
the administrative templates are referenced from files stored on the
local workstations or the domain central store.
The GPO central store is a file repository
that houses each of the next generation administrative templates. The
central store contains all the new ADMX and ADML administrative
templates, and each workstation references the files on the domain
controller they are using to process group policies. With a central
store created, when a GPO is opened or processed, the system first
checks for the existence of the central store, and then uses only the
templates stored in the central store.
The GPO central store can be created within
Active Directory infrastructures whose domain controllers run Windows
Server 2003 or later.
5. Starter GPOs
Windows Server 2008, Windows Server 2008 R2,
and the Windows Server 2012 Group Policy Management Console provide a
new feature of GPO management called starter GPOs. Starter GPOs are
similar to regular GPOs, but they only contain settings available from
administrative templates. Just as security templates can be used to
import and export the configured settings within the security section of
a policy, starter GPOs can be used to prepopulate configured settings
in the Administrative Templates sections of the Computer Configuration
and User Configuration nodes within a GPO. After the release of Windows
Server 2008, Microsoft released a set of predefined starter GPOs for
Windows Vista and Windows XP; these are also included in Windows Server
2012. The
predefined settings in these starter GPOs are based on information that
can be found in the Windows XP and Windows client security guide
published by Microsoft. These particular starter GPOs are read-only
policies, but administrators can create their own starter GPOs as needed
by the organization.
6. Policy Settings
Policy settings are simply the configurable
options made available within a particular GPO. These settings are
provided from the base administrative templates, security settings,
scripts, policy-based quality of service (QoS), and, in some cases,
software deployment packages. Many policy settings
correspond one to one with a particular Registry key and value.
Depending on the particular settings, different values, including
free-form text, might be acceptable as a legitimate value.
GPO policy settings are usually configurable
to one of three values: Not Configured, Enabled, or Disabled. It is
important for administrators to understand not only the differences
between these three values, but to also understand what the particular
policy setting controls. For example, a policy setting that disables
access to Control Panel will block access to Control Panel when enabled
but will allow access when disabled.
GPO policy settings apply to either a computer
or a user object. Within a particular GPO, an administrator might find
the same policy setting within both the Computer Configuration and User
Configuration nodes. In cases like this, if the policy setting is
configured for both objects, the computer setting overrides the user
setting if the policy is linked to the user object and the workstation
to which the user is logged on.
7. Preference Settings
Group policies have two main setting nodes:
the Computer Configuration and User Configuration nodes. Each node
contains two further nodes: the Policies and Preferences setting nodes.
The Group Policy extensions presented in the Preferences node enable
administrators to configure many default or initial configuration and
environmental settings for users and computers. One particularly useful
feature of the GPO Preferences node is item-level targeting, which
applies a given preference (for instance, configuring the Start menu
power button on Windows 8 workstations to perform a logoff rather than
a computer shutdown) only to the users or groups defined within the
item-level target definition of that GPO. When a user logs on to a
workstation and has that preference applied, this will be the initial
setting, but the user can change it afterward. One important
distinction that all GPO administrators must make is that policies set
and enforce settings, whereas preferences configure initial settings but
do not prevent them from being changed.
8. GPO Links
GPO links are the key to deploying GPOs to a
predetermined set of Active Directory computers/users. GPO links define
where the particular policy or policies will be applied in terms of the
Active Directory domain and site hierarchy design.
GPOs can be linked to Active Directory sites,
domains, and OUs. Also, a single GPO can be linked to multiple sites,
domains, and OUs in a single forest. This gives administrators the
flexibility to create a single policy and apply it to several different
sets of computers and users within an Active Directory forest.
The design of the Active Directory
infrastructure, including site design, domain and tree design, and OU
hierarchy, is critical to streamlining targeted GPO application. Careful
planning and consideration should be taken into account during the
Active Directory design phase with regard to how GPOs will be used and
how user, group, and computer objects will be organized.
GPO links can also be disabled as required, to assist with troubleshooting GPO application or processing.
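Added example, not from the book: within the directory, the links described in this section are stored as the gPLink attribute on the linked site, domain, or OU object, one [LDAP://<GPO distinguished name>;<options>] element per link, where option bit 1 marks a disabled link and bit 2 an enforced link. This Python parses a constructed value (the GUIDs are made up; the domain name follows the Companyabc.com example from Figure 1) and reports which links still apply, which is the first thing to check when a GPO that should apply does not.

```python
import re

LINK_DISABLED = 0x1   # option bit: the link exists but is disabled
LINK_ENFORCED = 0x2   # option bit: the link is enforced (No Override)

# Constructed gPLink value for an OU: two links, the second one disabled. The
# GUIDs are made up; the domain name follows the Companyabc.com example.
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},"
    "cn=policies,cn=system,DC=companyabc,DC=com;0]"
    "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},"
    "cn=policies,cn=system,DC=companyabc,DC=com;1]"
)

# One element per link: [LDAP://<distinguished name of the GPO>;<options>]
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=(\{[0-9A-F-]+\})", re.IGNORECASE)

def parse_gplink(value):
    """Return one dict per link in a gPLink attribute value (empty value -> [])."""
    links = []
    for dn, opts in LINK_RE.findall(value or ""):
        opts = int(opts)
        guid = GUID_RE.search(dn)   # the GPO folder in SYSVOL carries this GUID
        links.append({
            "guid": guid.group(1).upper() if guid else None,
            "dn": dn,
            "disabled": bool(opts & LINK_DISABLED),
            "enforced": bool(opts & LINK_ENFORCED),
        })
    return links

def active_links(value):
    """GUIDs of the GPOs whose links are not disabled, i.e. those that still apply."""
    return [link["guid"] for link in parse_gplink(value) if not link["disabled"]]
```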