
Creating and Maintaining Active Directory Objects - Group Policy Architecture

Exam: Microsoft 70-640 - Windows Server 2008 Active Directory, Configuring

Group Policy Architecture

For the most part, corporations no longer use the pen-and-paper method of recording their accounting activities. At the same time, they do not want to spend money needlessly on implementing and managing their corporate computing systems. Corporations therefore consider two criteria when evaluating technologies such as Group Policy: return on investment (ROI) and total cost of ownership (TCO).

Three different types of GPOs are commonly used: local GPOs, domain GPOs, and starter GPOs. Each computer running Windows Server 2008, Windows Server 2003, Windows XP Professional, or Windows 2000 has only one local GPO, and the settings in that local GPO apply to all users who log on to the computer. By default, the local GPO settings are stored on the local computer in the %systemroot%\System32\GroupPolicy folder.

Local GPOs have the following features. First of all, they contain fewer options and do not support Group Policy software installation or folder redirection. They also have fewer security settings. When a local GPO and a non-local GPO have conflicting settings, the local GPO settings are overwritten by the non-local ones.

As a new feature in Windows Vista, workstations can have multiple local GPOs. This allows you to specify a different local GPO for administrators and to create specific GPO settings for one or more local users configured on a workstation. Active Directory hosts all non-local GPOs, which are linked to sites and domains. Once a GPO is linked to a container, it applies by default to all computers within that container. The content of each non-local GPO is stored in the following two locations:

GPC (Group Policy container) is an Active Directory object responsible for storing the properties of the GPO.

GPT (Group Policy template), which can be found in the Policies subfolder of SYSVOL, is a folder containing the policy settings, including security settings and script files.

Starter GPOs are a new feature in Windows Server 2008. They are used as GPO templates within Active Directory. Starter GPOs allow you to configure a standard set of items that will be configured by default in any GPO that is derived from a starter GPO.

The Group Policy container (GPC) directory object includes sub-containers that hold GPO policy information. By default, when Active Directory is installed, two policies are placed in this container. Each Active Directory GPC is named according to the globally unique identifier (GUID) that is assigned to it when it is created.

Default GPC containers are created when the Active Directory Domain Services role is installed. A new GPC is created to store policy information and settings. The GPC contains two subcontainers - one for computer configuration information and another for user configuration information. The more specific information included in each GPC is as follows:

  • Status information that indicates whether the GPO is enabled or disabled
  • Version information to ensure that the GPC is synchronized and up to date with the most current information
  • A list of components that have settings in this GPO
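The GPC and GPT storage described above, together with the status and version information the GPC keeps, as an added PowerShell example that is not part of the original page: it decodes the GPC's versionNumber and flags attributes, reads the matching gpt.ini from the GPT, and reports GPOs whose Active Directory and SYSVOL copies disagree. The function and parameter names are my own, and the sample values are constructed.

```powershell
# Added example, not from the original page. The GPC 'versionNumber' attribute
# packs two 16-bit counters: low word = computer settings version, high word =
# user settings version. The GPT's gpt.ini stores the same packed value as
# [General] Version=. The GPC 'flags' attribute records status: 0 = enabled,
# 1 = user settings disabled, 2 = computer settings disabled, 3 = all disabled.
function ConvertFrom-GpoVersion {
    param([int64]$Packed)
    [pscustomobject]@{ Computer = $Packed -band 0xFFFF; User = ($Packed -shr 16) -band 0xFFFF }
}

function Test-GpoConsistency {
    param(
        [string]$Name,
        [int64]$GpcVersion,      # GPC versionNumber attribute (from Active Directory)
        [int]$GpcFlags,          # GPC flags attribute
        [string]$GptIniText      # contents of the GPT's gpt.ini file (from SYSVOL)
    )
    $m = [regex]::Match($GptIniText, '(?im)^\s*Version\s*=\s*(\d+)')
    if (-not $m.Success) { throw "gpt.ini for '$Name' has no Version= entry" }
    $gpc = ConvertFrom-GpoVersion $GpcVersion
    $gpt = ConvertFrom-GpoVersion ([int64]$m.Groups[1].Value)
    $status = @('Enabled', 'User settings disabled',
                'Computer settings disabled', 'All settings disabled')[$GpcFlags -band 3]
    [pscustomobject]@{
        Name          = $Name
        Status        = $status
        ComputerMatch = ($gpc.Computer -eq $gpt.Computer)
        UserMatch     = ($gpc.User -eq $gpt.User)
        GpcComputer   = $gpc.Computer; GptComputer = $gpt.Computer
        GpcUser       = $gpc.User;     GptUser     = $gpt.User
    }
}

# Constructed sample: the GPC says computer=5 / user=3 (packed 3*65536+5 = 196613),
# but the SYSVOL copy still says Version=196612 (user=3, computer=4), so the
# computer half of the GPT is stale, e.g. SYSVOL replication has not caught up.
$sampleIni = "[General]`r`nVersion=196612`r`ndisplayName=New Group Policy Object"
Test-GpoConsistency -Name 'Sample GPO' -GpcVersion 196613 -GpcFlags 0 -GptIniText $sampleIni

# Against a real domain (needs the ActiveDirectory module and read access to SYSVOL):
# Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
#     -SearchBase ("CN=Policies,CN=System," + (Get-ADDomain).DistinguishedName) `
#     -Properties displayName, versionNumber, flags, gPCFileSysPath |
#   ForEach-Object {
#     Test-GpoConsistency -Name $_.displayName -GpcVersion $_.versionNumber -GpcFlags $_.flags `
#         -GptIniText (Get-Content -Raw (Join-Path $_.gPCFileSysPath 'gpt.ini'))
#   } | Where-Object { -not ($_.ComputerMatch -and $_.UserMatch) }
```

A version mismatch between the GPC and GPT is the usual cause of a GPO that edits cleanly but never applies, so this check belongs in routine Group Policy health monitoring.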