Understanding Group Policy Storage

By Darren Mar-Elia on Tuesday, June 10, 2008 10:21 PM

Group Policy leverages a complex and sometimes inconsistent model when it comes to storing the settings that you specify within a Group Policy Object (GPO). This is probably owing to the fact that, while there is a central group at Microsoft that is responsible for the Group Policy infrastructure, each product area that has policy settings (e.g. Security, IE, desktop) is responsible for implementing its own policy tools to leverage that infrastructure. As a result, policy settings for a given GPO may be scattered between file system storage and AD-based storage. To better understand this, let’s take a quick look at how Group Policy Objects are structured.

 

Group Policy Structure


A GPO is composed of two pieces. When you create a new GPO, an AD object of class groupPolicyContainer gets created under the System\Policies container within your AD domain, as Figure 1 shows.

Figure 1: Viewing the AD portion of a GPO using ADSIEdit

This AD portion of a GPO is called the Group Policy Container, or GPC. As you can see in Figure 1, Windows refers to GPOs by a unique GUID (i.e. the 128-bit identifier shown in braces) rather than by their “friendly” name, which is the name you assign when you first create the GPO. The implication here is that you can have many GPOs within a domain that share the same friendly name, but they will always be distinct because their GUIDs are unique.

In addition to the GPC, a new GPO creates a set of folders and files within the SYSVOL share of the DC you’re focused on during the creation process (by default this is usually the PDC emulator role-holder DC within your domain). These folders and files are created under the Policies folder within SYSVOL. Similar to the GPC, when you create a new GPO, a GUID-named folder is created under the Policies folder within SYSVOL, as shown in Figure 2.


Figure 2: Viewing the SYSVOL portion of a GPO

This portion of a GPO that is stored as folders and files in SYSVOL is referred to as the Group Policy Template, or GPT. The GPT is where the majority of actual settings are stored when you edit a GPO. That is, there is a set of folders and files created under each GUID-named folder that stores the policies you enable within a GPO. However, while most policy settings are stored in the GPT, some policy areas store their settings in both the GPC and GPT, others use only the GPC, and a few use neither the GPC nor the GPT. While this may seem confusing, keep in mind that it is the responsibility of the author of each policy extension (e.g. Administrative Templates, Folder Redirection, Software Installation) to decide where to store its settings. While the preferred location is the GPT, there may be good reasons an extension author might choose to put the data elsewhere. Let’s look at the default locations for the Microsoft extensions that come with Windows. Table 1 provides a complete list of where settings are stored for each of the standard extensions that ship with XP, Win2K and Windows Server 2003.

 

Table 1: Group Policy Storage Locations

 

| Group Policy Extension | Storage Location | Comments |
|---|---|---|
| Wireless | Stored in AD, under the GPC container for a given GPO, within the path CN=wireless,CN=Windows,CN=Microsoft,CN=Machine. | Wireless policies are stored in AD as objects of class msieee80211-Policy. Because this class is only supported in Windows Server 2003 AD domains, wireless policy can only be defined in such domains, even though XP clients can process them. |
| Folder Redirection | Stored in SYSVOL, under the GPT container for a given GPO. FR policy is stored in a file called fdeploy.ini in the sub-folder User\Documents & Settings within the GPT. | |
| Administrative Template Policy | Stored in SYSVOL, under the GPT container for a given GPO. AT policy is stored in a file called registry.pol, which can be defined per user and per computer. Within a given GPT, if you’ve defined both user and computer AT policy, you will see a registry.pol file under both the user and machine sub-folders. | ADM files that are in use by a given GPO are stored with the GPO in the GPT. You’ll find them in a folder called ADM, off the root of the GPT for a given GPO. Thus, each GPO that sets AT policy will store its own copy of the ADM files used to edit it, even if they are the same as another GPO’s. |
| Disk Quota | Stored in SYSVOL, under the GPT container for a given GPO. Disk quota policy is also stored in registry.pol; however, you’ll only find it in the copy of registry.pol stored under the machine folder, as this is a per-machine policy only. | |
| QoS Packet Scheduler | Stored in SYSVOL, under the GPT container for a given GPO. QoS policy is also stored in registry.pol; however, you’ll only find it in the copy of registry.pol stored under the machine folder, as this is a per-machine policy only. | |
| Startup/Shutdown & Logon/Logoff Scripts | Stored in SYSVOL under the GPT container for a given GPO. Machine-specific scripts are stored in the machine\scripts\startup and machine\scripts\shutdown folders. User-specific scripts are stored in the user\logon and user\logoff folders. | Note that script files themselves do not have to be stored in SYSVOL. You can reference scripts located anywhere on your network, as long as they are accessible to the computer or user. The scripts.ini file found in the computer\scripts folder and the user\scripts folder in SYSVOL contains the actual references to any scripts that you’ve defined. |
| Internet Explorer Maintenance and Zonemapping | Stored in SYSVOL under the GPT container for a given GPO. Specifically, IE Maintenance settings are stored in the GPT under the \User\Microsoft\IEAK folder. | Basic “branding” settings are stored in a file under this folder called install.ins. Security zone settings are stored in a sub-folder called Branding, as .inf files. |
| Security Settings | Stored in SYSVOL under the GPT container for a given GPO. Security settings are stored in the Machine\Microsoft\Windows NT\SecEdit folder in a file called GptTmpl.inf. | The format of this file is identical to those created when you use the MMC Security Templates editor to create a security template. |
| Software Installation | Stored in both the GPC and GPT. Within the GPT, deployed package information is stored under the container machine (or user)\Applications, within an “Application Advertisement File” or .AAS file. Within the GPC, a special object of class packageRegistration is created for each application deployed. This object can be found in the GPC for a GPO under machine (or user)\Class Store\Packages. | packageRegistration objects found in the GPC contain information such as the path to the MSI file, any transforms (modifications) that have been selected, and whether the application is published or assigned. |
| IP Security | IPSec policy is a special case: settings are stored as special objects strictly in AD, but not within the GPC. Namely, IPSec policy settings are stored under the CN=IP Security,CN=System container within a domain. So, IP Security settings are stored domain-wide and can be referenced by any GPO in the domain. | When you assign a particular IPSec policy to a GPO, an additional object is created within the GPC of the GPO: specifically, an ipsecPolicy object is created under the Machine\Microsoft\Windows container under the GPO. This object stores the association between the available IPSec policies in the domain and that GPO. |
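Several rows of Table 1 (Administrative Templates, Disk Quota, QoS Packet Scheduler) point at the same GPT file, registry.pol. Because that file lives in SYSVOL rather than in AD, it can be read and audited directly, for instance when comparing copies of a GPO between DCs or reviewing what a GPO actually enforces without opening the editor. The parser below is an added example, not code from this article or from Microsoft; the record layout it assumes (a "PReg" signature and version 1 header followed by UTF-16LE records of the form [key;value;type;size;data]) is the documented registry.pol format and is not described on the page itself. The sample entries are constructed for illustration: the DiskQuota and Psched policy keys are real policy paths, while the Example\Legacy key and the exact values are made up. Value names beginning with ** are control directives in this format (such as **DeleteValues or **Del.name) rather than ordinary settings, so the summary reports them separately.

```python
"""Parse and summarize a Group Policy registry.pol file (Administrative Template
settings stored in the GPT under the machine\\ or user\\ folder).

Added example, not part of the original article. Format assumed:
  b"PReg" + uint32 version (1), then repeated UTF-16LE records
  [key;value;type;size;data]
where key/value are NUL-terminated UTF-16LE strings, type and size are
little-endian uint32, and data is exactly `size` bytes.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

REG_SZ = 1
REG_EXPAND_SZ = 2
REG_DWORD = 4


@dataclass
class PolEntry:
    key: str      # registry key path relative to HKLM or HKCU
    value: str    # value name, or a "**" control directive
    vtype: int    # REG_* type code
    data: bytes   # raw value data as stored in the file

    def decoded(self) -> Union[int, str, bytes]:
        """Interpret the raw data for the common types; return bytes otherwise."""
        if self.vtype == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.vtype in (REG_SZ, REG_EXPAND_SZ):
            return self.data.decode("utf-16-le").rstrip("\x00")
        return self.data


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


def build_registry_pol(entries: List[PolEntry]) -> bytes:
    """Serialize entries in registry.pol layout (used here to construct sample input)."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for e in entries:
        out += _u16("[") + _u16(e.key) + b"\x00\x00"
        out += _u16(";") + _u16(e.value) + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", e.vtype)
        out += _u16(";") + struct.pack("<I", len(e.data))
        out += _u16(";") + e.data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob: bytes) -> List[PolEntry]:
    """Parse registry.pol bytes, failing loudly on any malformed record."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    (version,) = struct.unpack_from("<I", blob, 4)
    if version != 1:
        raise ValueError(f"unsupported registry.pol version {version}")

    def expect(pos: int, ch: str) -> int:
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    def read_wstr(pos: int) -> Tuple[str, int]:
        # Scan in 2-byte steps so a 0x00 byte inside a code unit is never mistaken
        # for the terminator.
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries: List[PolEntry] = []
    pos = 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wstr(pos)
        pos = expect(pos, ";")
        value, pos = read_wstr(pos)
        pos = expect(pos, ";")
        (vtype,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated value data")
        pos = expect(pos + size, "]")
        entries.append(PolEntry(key, value, vtype, data))
    return entries


def summarize(entries: List[PolEntry]) -> Tuple[Dict[str, object], List[str]]:
    """Split parsed records into plain settings (key\\value -> data) and ** directives."""
    settings: Dict[str, object] = {}
    directives: List[str] = []
    for e in entries:
        label = f"{e.key}\\{e.value}"
        if e.value.startswith("**"):
            directives.append(label)
        else:
            settings[label] = e.decoded()
    return settings, directives


# Constructed sample: two real machine-side policy keys (Disk Quota, QoS Packet
# Scheduler) plus a made-up key carrying a delete directive.
SAMPLE_ENTRIES = [
    PolEntry(r"Software\Policies\Microsoft\Windows NT\DiskQuota", "Enable", REG_DWORD, struct.pack("<I", 1)),
    PolEntry(r"Software\Policies\Microsoft\Windows NT\DiskQuota", "Limit", REG_DWORD, struct.pack("<I", 500)),
    PolEntry(r"Software\Policies\Microsoft\Windows\Psched", "NonBestEffortLimit", REG_DWORD, struct.pack("<I", 20)),
    PolEntry(r"Software\Policies\Example\Legacy", "**Del.OldSetting", REG_SZ, _u16(" ") + b"\x00\x00"),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    found, ctl = summarize(parse_registry_pol(SAMPLE_POL))
    for name, val in found.items():
        print(f"{name} = {val!r}")
    print("control directives:", ctl)
```

Run against a real file, the same parser takes the bytes of Machine\registry.pol (or User\registry.pol) from the GPT; an identical byte sequence on every DC is what healthy SYSVOL replication should produce, and the decoded settings are what the GPO will write to the registry on the client.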


Copyright 2008 by GPOGUY.COM