Navigating Group Policy Physical Structure

Physically, GPOs are represented through a series of template files that are stored on disk. These template files contain information about the many thousands of policy settings and the state of those settings. Each GPO has a master template folder associated with it. This template folder is physically stored in the %SystemRoot%\SYSVOL folder on domain controllers and is referred to as a Group Policy template (GPT).

Caution

Keep in mind that you never need to interact with GPCs and GPTs directly. In fact, it is easy to create problems with a GPO if you attempt to make changes directly to the GPC or GPT. Your primary interface for managing Group Policy is the GPMC and the Group Policy Object Editor. However, on the rare occasions when, for troubleshooting purposes, you need to view the GPC and GPT directly, it is useful to understand GPC and GPT structure and what kinds of things they store.

Working with Group Policy Templates

When a new GPO is created, Active Directory creates the associated GPT for that GPO. This GPT is created as a folder and is named with the GUID for the GPO. This GUID is identical to the GUID used to name the related GPC. Within the GPT folder are a set of files and subfolders that contain the actual policy settings that have been made within a GPO.

Note

For new GPOs, the GPTs are stored in the %SystemRoot%\SYSVOL folder on the domain controller on which you are currently focused (which by default is the PDC emulator domain controller) and are later replicated to all domain controllers in the domain by the File Replication Service (FRS). The %SystemRoot%\SYSVOL\sysvol folder is shared as SYSVOL and is often referred to as the SYSVOL share.

To see how this works, let’s continue the example from the previous section:

  1. You create a GPO called Sales Policy to handle policy settings for the Sales OU in the cpandl.com domain.

  2. Active Directory creates a Group Policy Container (GPC) object with a GUID of {0BF0F7D6-0245-4133-BC78-B98AFBA21F48} and stores it in the CN=Policies,CN=System container within the cpandl.com domain.

  3. Active Directory also creates a master template folder with this same GUID in the %SystemRoot%\SYSVOL folder.

The full local file path to the GPT is %SystemRoot%\SYSVOL\domain\Policies\{0BF0F7D6-0245-4133-BC78-B98AFBA21F48}. With regard to the SYSVOL share, the path to the GPT is SYSVOL\CPANDL.COM\Policies\{0BF0F7D6-0245-4133-BC78-B98AFBA21F48}.

Note

Each GPT can be reached at two paths. One is %SystemRoot%\SYSVOL\domain\Policies\GPOGUID. The other is in the SYSVOL share, under SYSVOL\DomainName\Policies\GPOGUID. These are not two separate copies: %SystemRoot%\SYSVOL\sysvol\DomainName is a junction point to %SystemRoot%\SYSVOL\domain, so a change made through either path is the same change on disk.

You can access and view the GPT using Windows Explorer. Simply navigate to the local file path or the SYSVOL share path on a domain controller, as shown in Figure 13-5.

Figure 13-5. Viewing the policy template folders in a domain

Within each GPT, you’ll find Adm, Machine, and User subfolders as well as a file called Gpt.ini. These resources are used as follows:

  • Adm. Contains the Administrative Template .adm files that the GPO is using. The .adm files are copied to the GPT by the Group Policy Object Editor when you open that GPO for editing for the first time. In addition to the .adm files themselves, there is a file stored in this folder called Admfiles.ini that lists which .adm files are used within the GPO and their version numbers.

    Note

    By default, the Administrative Templates are copied from the %SystemRoot%\inf folder on the machine that was used to create the policy. From then on, the .adm files are loaded from that GPO into the Group Policy Object Editor. This enables you to use the same version of the .adm files that were used to create the GPO while editing it. You can change this behavior by enabling Always Use Local ADM Files For Group Policy Object Editor under Computer Configuration\Administrative Templates\System\Group Policy. If you enable this setting, Group Policy Object Editor always uses the local .adm files in your %SystemRoot%\inf folder when editing GPOs. This is useful in multilanguage environments where you might want to edit the GPO in the local system language. Keep in mind, however, that if the Administrative Templates that you require are not all available locally, you might not be able to see all the settings that have been configured in the GPO that you are editing.

  • Machine. Stores the Computer Configuration policy settings for the GPO and related configuration information, including Security Settings from the Computer Configuration, computer scripts, and per-computer deployed software.

  • User. Stores the User Configuration policy settings for the GPO and related configuration information, including Security Settings from the User Configuration, user scripts, and per-user deployed software. You’ll also find data from folder redirection and Microsoft Internet Explorer maintenance if these settings have been configured.

  • Gpt.ini. Contains information concerning the version number of the GPT and the display name of the related GPO.

While we’ll explore the contents of the Adm, Machine, and User subfolders in more detail in "Examining Server-Side Extension Processing," the Gpt.ini file deserves a bit more discussion now. A typical Gpt.ini file contains the following information:

[General]
Version=0
displayName=Sales Policy

The displayName key-value pair is the friendly name of the GPO. The Version key-value pair relates to the number of changes that have been made to the GPO; it is equivalent to the versionNumber attribute found on the corresponding GPC. A version value of 0 indicates that this is a new GPO and that no policy changes have yet been applied. As policy changes are made, the version value increases.

Understanding Group Policy Versioning

Versioning isn’t an exact science. The version number in the GPC and the GPT can be different. This can happen for a variety of reasons. For example, changes might have been recorded in the GPC but not yet written to the GPT on disk, such as when the GPC has been replicated but the GPT has not yet been replicated. Windows 2000, Windows Server 2003, and Windows XP Professional handle version discrepancies in different ways:

  • In Windows 2000, if the version number of the GPT and GPC are not identical on a given domain controller, any computers or users accessing that GPO on that domain controller will not process that GPO until the versions are identical. This guarantees that all changes between the AD and SYSVOL portions of a GPO are replicated identically.

  • In Windows Server 2003 and Windows XP Professional, synchronization of version numbers is not required for proper Group Policy processing. If the GPT and GPC version numbers are not in sync on a given domain controller, that GPO is processed if possible and if not, it is processed during the next processing cycle.

The version number of a GPO is incremented differently for computer-specific and user-specific changes:

  • For each change made to the Computer Configuration, the version number is incremented by 1 in most cases. For example, if we enable three Administrative Template policies within the Group Policy Object Editor, the version number within the GPC and GPT will be incremented by 3 when those changes are committed.

  • For each change made to the User Configuration, the version number is incremented by 65536. This means that if we change three user-specific Administrative Template policy settings within a GPO, the version number will be incremented by 196608 (65536 x 3).

Note

The version increment is meant to represent each incremental change required. As some Computer Configuration changes must be written more than once, a change to a related policy setting can result in the version number incrementing by 2 or more. Some changes might also require the enabling and configuration of related policies, such as with Account Policies. In this case, the version number would be incremented accordingly.

The version number is a single 32-bit value in which the low 16 bits count Computer Configuration revisions and the high 16 bits count User Configuration revisions (which is why a user-side change adds 65536). By splitting the current version number into those two halves, Windows can determine the exact number of separate revisions made to the User Configuration and the Computer Configuration. You can view this version information by completing the following steps:

  1. In the GPMC, expand the entry for the forest you want to work with, expand the related Domains node, and then expand the related Group Policy Objects node.

  2. Select the GPO for which you want to determine version information, and in the right pane select the Details tab.

    As Figure 13-6 shows, the User Version and Computer Version fields provide details on the number of revisions made. Active Directory revisions, indicated with (AD), are revisions recorded in the GPC. SYSVOL revisions, indicated with (sysvol), are revisions recorded in the GPT.

    Figure 13-6. Viewing the revisions made to a GPO based on its version number
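The following Python script is an added example and is not part of the book; it shows how the version arithmetic described above works and how the GPMC Details tab derives its (AD) and (sysvol) figures. It parses a constructed Gpt.ini (the GUID-free sample below and its version value 196611 are made up for illustration), splits a version number into its Computer and User halves, advances it the way the Group Policy Object Editor does, and compares a GPC version with a GPT version to flag the kind of mismatch that Windows 2000 clients refuse to process.

```python
"""Decode and compare Group Policy version numbers (added example, not from the book)."""
import configparser

# The versionNumber attribute on the GPC and the Version key in Gpt.ini hold
# the same 32-bit value: low 16 bits = Computer Configuration revisions,
# high 16 bits = User Configuration revisions (hence the 65536 step).
USER_REVISION_UNIT = 1 << 16

# Constructed sample Gpt.ini, shaped like the file found in a GPT folder.
# 196611 = 3 user revisions (3 * 65536) + 3 computer revisions.
SAMPLE_GPT_INI = """[General]
Version=196611
displayName=Sales Policy
"""


def split_version(version):
    """Return (computer_revision, user_revision) for a GPO version number."""
    version &= 0xFFFFFFFF
    return version & 0xFFFF, version >> 16


def join_version(computer, user):
    """Inverse of split_version: pack the two 16-bit counters into one value."""
    return ((user & 0xFFFF) << 16) | (computer & 0xFFFF)


def apply_changes(version, computer_changes=0, user_changes=0):
    """Advance a version number the way the Group Policy Object Editor does:
    +1 per Computer Configuration change, +65536 per User Configuration change.
    (Some computer-side settings are written more than once and count extra.)"""
    computer, user = split_version(version)
    return join_version(computer + computer_changes, user + user_changes)


def parse_gpt_ini(text):
    """Parse the [General] section of a Gpt.ini file."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep 'Version' and 'displayName' as written
    parser.read_string(text)
    general = parser["General"]
    return {"Version": int(general["Version"]),
            "displayName": general.get("displayName", "")}


def compare_versions(gpc_version, gpt_version):
    """Compare the AD (GPC) and SYSVOL (GPT) version numbers for one GPO as
    seen on one domain controller, the way the GPMC Details tab presents them."""
    gpc_computer, gpc_user = split_version(gpc_version)
    gpt_computer, gpt_user = split_version(gpt_version)
    in_sync = gpc_version == gpt_version
    return {
        "in_sync": in_sync,
        "computer": {"AD": gpc_computer, "sysvol": gpt_computer},
        "user": {"AD": gpc_user, "sysvol": gpt_user},
        # Windows 2000 clients skip the GPO until both halves match;
        # Windows XP / Server 2003 clients apply what they can and retry next cycle.
        "windows_2000_applies": in_sync,
    }


if __name__ == "__main__":
    gpt = parse_gpt_ini(SAMPLE_GPT_INI)
    # Assume (for illustration) the GPC already records one more computer-side
    # change that FRS has not yet delivered to this domain controller's SYSVOL.
    gpc_version = apply_changes(gpt["Version"], computer_changes=1)
    print(gpt["displayName"], compare_versions(gpc_version, gpt["Version"]))
```

On a domain controller you can feed parse_gpt_ini the real Gpt.ini from the GPT folder and compare_versions the versionNumber attribute read from the GPC; a persistent mismatch on one domain controller points at stalled FRS replication rather than at the GPO itself.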

Each time you edit a GPO, the related changes are made in the GPC and the GPT. For the GPT, this means that the version number in the Gpt.ini file is incremented and client CSE files are updated as appropriate. In the standard configuration with domain controllers running Windows Server 2003 SP 1, there is a 3-second window before the FRS replicates the changes to the GPT. Only the changed files are replicated. On a LAN, that means if you made multiple successive changes to a GPO, FRS replicates the GPT changes as they occur in 3-second intervals. On a WAN, the site replication process consolidates these changes so the changes are replicated according to the configured replication interval. Keep in mind that FRS configuration and other factors can affect or lengthen the replication interval. For example, a future service pack might change the FRS implementation of replication and the interval with which it performs batch updates.

Understanding Group Policy Template Security

From a security perspective, the NTFS permissions on a GPT for a given GPO should be very similar to the Active Directory permissions on the related GPC. Because permissions that apply to Active Directory objects are different from those that apply to NTFS file system objects, however, there is no one-to-one correspondence. Table 13-3 summarizes how GPO permissions in Active Directory correspond to GPT permissions on NTFS.

Table 13-3. How GPO Permissions Correspond to GPT Permissions

  • Read. If a group has Read permission on a GPO, there will be an ACE for that group on the GPT folder that allows Read and Execute permissions on that folder and its contents.

  • Edit Settings. If a group has Edit Settings permission on a GPO, there will be an ACE for that group on the GPT folder that allows Read and Write permissions on that folder and its contents.

  • Edit Settings, Delete, Modify Security. If a group has Edit Settings, Delete, Modify Security permissions on a GPO, there will be an ACE for that group on the GPT folder that allows Full Control over the folder and its contents.
