
Group Policy Architecture


Group Policy uses a document-centric approach to creating, storing, and associating Group Policy settings. Similar to the way in which Microsoft Word stores information in .doc files, Group Policy settings are contained in GPOs. A GPO is a virtual object; policy-setting information is stored in two locations: the Active Directory container to which the GPO is linked, and the Sysvol on the domain controller.

Group Policy is configured primarily through two tools: Group Policy Object Editor (previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit) and Group Policy Management Console (GPMC), available for download from the Microsoft Web site. Group Policy Object Editor is used to configure and modify settings within GPOs, whereas GPMC is used to create, view, and manage GPOs. The following diagram shows the Group Policy architecture and how the primary components interact through read or write access; the components are described in the table below.

[Figure: Group Policy Architecture diagram]

Group Policy Components


Server (Domain Controller)

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Active Directory

Active Directory, the Windows-based directory service, stores information about objects in a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domains, and OUs that include user and computer objects. In this way, Group Policy settings can be targeted to users and computers throughout the organization.

Group Policy object (GPO)

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). The GPC, which contains information on the properties of a GPO, is stored in Active Directory on each domain controller in the domain. The GPT contains the data in a GPO and is stored in the Sysvol in the /Policies sub-directory. GPOs affect users and computers that are contained in sites, domains, and OUs.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).
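Because a GPO is a virtual object split between the GPC in Active Directory and the GPT in Sysvol, the two halves carry a shared version number that an administrator can compare to confirm that Active Directory and FRS replication have delivered the same revision. The following added example (not from the page) decodes that version number, which packs the user-configuration revision into the high 16 bits and the computer-configuration revision into the low 16 bits, from a constructed GPT.INI and a constructed GPC versionNumber value:

```python
import configparser

# Constructed sample GPT.INI, the file that sits in the root of a GPT folder under Sysvol
SAMPLE_GPT_INI = """[General]
Version=196610
displayName=New Group Policy Object
"""

# Constructed value of the matching GPC object's versionNumber attribute, as read from
# Active Directory (in practice obtained with an LDAP query; hard-coded here to run offline)
SAMPLE_GPC_VERSION = 196610

def split_version(version):
    """Split a GPO version number into (user_version, computer_version).

    The high 16 bits count user-configuration changes, the low 16 bits computer-
    configuration changes; each half is bumped when that side of the GPO is edited."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF

def parse_gpt_ini(text):
    """Return the Version value from GPT.INI text (configparser keys are case-insensitive)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])

def check_gpo_versions(gpc_version, gpt_ini_text):
    """Compare the AD (GPC) and Sysvol (GPT) versions of one GPO.

    A difference means the two halves of the virtual object are out of step, typically
    because Active Directory replication and FRS replication have not both caught up."""
    gpt_version = parse_gpt_ini(gpt_ini_text)
    return {
        "gpc": split_version(gpc_version),
        "gpt": split_version(gpt_version),
        "in_sync": gpc_version == gpt_version,
    }
```

A persistent mismatch across domain controllers is worth investigating, since clients that read the GPC from one controller and the GPT from another may apply a stale or partial policy.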

Local Group Policy object

The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, Windows XP Media Center Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.

Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.

Although you can configure local GPOs on individual computers, the full power of Group Policy can only be realized in a Windows Server network with Active Directory installed. In addition, some features and Group Policy settings require client computers running Windows XP.

Group Policy Object Editor

Group Policy Object Editor is a Microsoft Management Console (MMC) snap-in that is used to edit GPOs. It was previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit.

Server-Side Snap-Ins

Server-side snap-ins are loaded, by default, in Group Policy Object Editor. Server-side snap-in extensions provide the user interface for configuring policy settings, while client-side extensions implement those settings on the target client computers.

Snap-in extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, Internet Explorer Maintenance, Disk Quotas, Wireless Network Policy, and QoS Packet Scheduler. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to Group Policy Object Editor to provide additional Group Policy settings.

Client-Side Extensions

Client-side extensions (CSEs) run within dynamic-link libraries (DLLs) and are responsible for implementing Group Policy at the client computer. The following CSEs are loaded, by default, in Windows Server 2003:

Administrative Templates, Wireless Network Policies, Folder Redirection, Disk Quotas, QoS Packet Scheduler, Scripts, Security, Internet Explorer Maintenance, EFS Recovery, Software Installation, and IP Security.

Group Policy Management Console (GPMC)

GPMC is a new tool designed to simplify implementation and management of Group Policy. It consists of a new MMC snap-in and a set of scriptable interfaces for managing Group Policy. The Group Policy Management Console provides:

A user interface based on how customers use and manage Group Policy, rather than on how the technology is built.

Import/Export, Copy/Paste, and searching of GPOs.

Simplified management of Group Policy-related security.

Reporting (printing, saving, read-only access to GPOs) for GPO and Resultant Set of Policy (RSoP) data.

Backup/Restore of GPOs.

Scripting of GPO operations that are exposed within this tool (but NOT scripting of settings within a GPO).

Resultant Set of Policy (RSoP) snap-in

The Resultant Set of Policy (RSoP) snap-in is an MMC snap-in that simplifies Group Policy implementation and troubleshooting. RSoP uses Windows Management Instrumentation (WMI) to determine how Group Policy settings are applied to users and computers. For RSoP functionality, it is recommended to use the reporting features in GPMC.

Winlogon

A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.

Group Policy engine

The Group Policy engine is the framework that handles common functionalities across client-side extensions including scheduling of Group Policy application, obtaining GPOs from relevant configuration locations, and filtering and ordering of GPOs.

File System

The NTFS file system on client computers.

Registry

A database repository for information about a computer’s configuration, the registry contains information that Windows continually references during operation, such as:

1. Profiles for each user.

2. The programs installed on the computer and the types of documents that each can create.

3. Property settings for folders and program icons.

4. The hardware on the system.

5. Which ports are being used.

The registry is organized hierarchically as a tree, and it is made up of keys and their subkeys, hives, and entries. The Group Policy engine has read and write access to the Registry.

Registry settings can be controlled via the Group Policy Administrative Templates extension.
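The Administrative Templates extension stores its registry settings in the GPT as registry.pol files (Machine\registry.pol and User\registry.pol inside the policy folder), a binary "PReg" format of [key;value;type;size;data] records in UTF-16LE. The following added parser (not code from the page) decodes such a file so the registry changes a GPO will push to clients can be reviewed offline; the sample file, and its key and value names, are constructed placeholders rather than real policy settings:

```python
import struct
REG_SZ, REG_DWORD = 1, 4                  # the two registry value types this example decodes
def utf16(s):                             # registry.pol stores all text as UTF-16LE
    return s.encode("utf-16-le")

def build_entry(key, value, reg_type, data):
    """Encode one [key;value;type;size;data] record; used here only to build sample input."""
    return (utf16("[") + utf16(key) + b"\0\0" + utf16(";") + utf16(value) + b"\0\0" + utf16(";")
            + struct.pack("<I", reg_type) + utf16(";") + struct.pack("<I", len(data)) + utf16(";")
            + data + utf16("]"))

# Constructed sample registry.pol: "PReg" signature, version 1, two records whose key and
# value names are placeholders rather than real policy settings.
SAMPLE_REGISTRY_POL = (b"PReg" + struct.pack("<I", 1)
    + build_entry(r"Software\Policies\Example\Agent", "Enabled", REG_DWORD, struct.pack("<I", 1))
    + build_entry(r"Software\Policies\Example\Agent", "Server", REG_SZ, utf16("gp.example.test\0")))
def decode_data(reg_type, data):
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    return data                               # other types are returned as raw bytes

def parse_registry_pol(blob):
    """Decode a registry.pol blob into (key, value_name, type, data) tuples."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    def read_cstr(p):                         # NUL-terminated UTF-16LE string starting at p
        end = p
        while end + 1 < len(blob) and blob[end:end + 2] != b"\0\0":
            end += 2
        if end + 1 >= len(blob):
            raise ValueError("unterminated string at offset %d" % p)
        return blob[p:end].decode("utf-16-le"), end + 2
    pos, entries = 8, []
    while pos < len(blob):
        if blob[pos:pos + 2] != utf16("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = read_cstr(pos + 2)
        value, pos = read_cstr(pos + 2)       # +2 skips the ';' after the key
        reg_type = struct.unpack_from("<I", blob, pos + 2)[0]
        size = struct.unpack_from("<I", blob, pos + 8)[0]
        pos += 14                             # ';' type ';' size ';'
        data, pos = blob[pos:pos + size], pos + size
        if blob[pos:pos + 2] != utf16("]"):
            raise ValueError("expected ']' at offset %d" % pos)
        pos += 2
        entries.append((key, value, reg_type, decode_data(reg_type, data)))
    return entries
```

Running the parser over the registry.pol files of every GPO in Sysvol gives a reviewable inventory of the registry keys a domain's policy writes, which is a useful baseline for spotting unexpected additions.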

Event Log

The Event Log is a service, whose records are viewed in Event Viewer, that records events in the system, security, and application logs. The Group Policy engine has write access to the Event Log on client computers and domain controllers. The Help and Support Center on each computer has read access to the Event Log.

Help and Support Center

The Help and Support Center is a component on each computer that provides HTML reports on the Group Policy settings currently in effect on the computer.

Resultant Set of Policy (RSoP) infrastructure

All Group Policy processing information is collected and stored in a Common Information Model Object Management (CIMOM) database on the local computer. This information, such as the list, content and logging of processing details for each GPO, can then be accessed by tools using WMI.

In logging mode (Group Policy Results), RSoP queries the CIMOM database on the target computer, receives information about the policies and displays it in GPMC. In planning mode (Group Policy Modeling), RSoP simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a domain controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the domain controller. The results of this simulation are stored to a local CIMOM database on the domain controller before the information is passed back and displayed in GPMC.

WMI

WMI is a management infrastructure that supports monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter.