It wouldn't be entirely incorrect to suggest that Group Policy is one of the most prominent features for which big corporations invest millions in deploying and maintaining Active Directory infrastructure. And why not? The level of control it provides over domain clients would be highly inconvenient, or rather impossible, to achieve manually.

I have been working with Active Directory for over 9 years, and during this time I have had a lot of exposure to group policies, or rather to troubleshooting Group Policies, so I decided to sum up as much as possible in this article. This is going to be a multipart series where I am going to start from the technical basics of group policies, then explain how exactly Group Policy works, and finally cover troubleshooting Group Policies.

Part 1 : Basics of Group Policy

Let's get started with this very basic question: what is Group Policy?

A Group Policy Object (GPO) is a kind of settings object that one can define in Active Directory (on a local PC as well, but we will talk about that later). Multiple settings can be specified in a single object, and whatever users and computers fall within the scope of this object all have to abide by the settings defined in it.

Now, before we speak about the scope, settings, filtering, etc. of a GPO, let's establish some facts about GPOs.

Facts about Group Policy objects

Every GPO is named as a GUID (Globally Unique Identifier) in Active Directory (AD). Nothing special about this fact, but usually you will not see the common name of a GPO, whether you are reading a log or actually working on the GPO in AD, so it's better to get acquainted with identifying GPOs by their GUIDs. Generally these GUIDs are unique, no two in a single domain are alike, and you cannot guess what one is going to be; it is just a very long alphanumeric string. Still, the two most important GPOs of AD are the Default Domain Policy and the Default Domain Controllers Policy, and the GUIDs for these two GPOs will always start with 31B and 6AC respectively.

Notice how the policies are referred by their Display name under GPMC

Here under ADSIedit they are shown as their GUIDs

Every GPO can have any number of settings; there is no limit on it. However, a GPO is usually defined with a specific purpose, and we only define the settings for that purpose in it. For example, if we want to restrict a user's access to Control Panel settings on their PC, we create a GPO called "Restrict Control Panel" (the name can be anything you want) and apply all the necessary Control Panel settings in it. Or, if we want to force an Internet Explorer proxy on clients with a GPO, we create a GPO called "Proxy Settings" and define the required proxy settings in it.

You can possibly define all of these settings under one GPO, but it's best to stick to specific settings under each GPO.

Various subsections and settings under a GPO

Each GPO has two parts: Computer settings and User settings. As the names suggest, Computer settings are applied to computers and User settings are applied to users. So if we create a GPO, define only computer settings in it, and apply this GPO to users, it will have no effect on them, and vice versa. The only exception to this rule is "Loopback Processing", which we will talk about later.

Picture showing computer and user settings

Group Policy Editor showing Computer and User Configuration; also notice Preferences

Applying Group Policy is a pull process. What I mean is that GPOs are defined and stored on Domain Controllers (DCs). It is the responsibility of the users and computers to which GPOs apply to find out which GPOs are to be applied to them, then pull the settings from the DCs, during the boot process for computer settings and during the user logon process for user settings, and apply them to themselves.

Every GPO consists of two components: the GPC and the GPT.

The GPC, or Group Policy Container, is an object in the Active Directory hierarchy that helps users and computers understand which GPOs they are supposed to apply to themselves. The GPC consists of the following information:

  • Version information–Used to verify that the information is synchronized with Group Policy template information.
  • Status information–Indicates whether the Group Policy object is enabled or disabled for this site, domain, or organizational unit.
  • List of components–Specifies which extensions to Group Policy have settings in the Group Policy object

Here under ADSIedit they are shown as their GUIDs

The GPT, or Group Policy Template, is stored in the SYSVOL directory on each DC. It is a folder named after the GUID of the GPO, and it contains subfolders. As the name suggests, it is actually the template of settings defined in this GPO. So if for any reason this Group Policy folder is inaccessible to the client, then despite knowing that it has to apply the group policy, it will not be able to apply any settings, because the settings object, the GPT, is inaccessible.

Subfolders of the Group Policy template

The Group Policy template folder contains subfolders, including, but not limited to, the following:

  • Adm–Contains all the .adm files for this Group Policy template.
  • Scripts–Contains all the scripts and related files for this Group Policy template.
  • User–Includes a Registry.pol file that contains the registry settings that are to be applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and applied to the HKEY_CURRENT_USER portion of the registry. The User folder contains an Applications subfolder.
  • User\Applications–Contains the application advertisement script files (.aas) that are used by the operating system-based installation service. These files are applied to users.
  • Machine–Includes a Registry.pol file that contains the registry settings that are to be applied to computers. When a computer initializes, this Registry.pol file is downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry. The Machine folder contains an Applications subfolder.
  • Machine\Applications–Contains the .aas files that are used by the operating system-based installation service. These files are applied to computers.

Group Policy Template as seen under Sysvol
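The GPC and the GPT are stored and replicated separately (one in AD, one in SYSVOL), so the version information in the GPC is what lets you detect a template that is stale, incomplete or missing. The following Python example is added here and is not code from the original article; the attribute names (cn, versionNumber, flags, gPCMachineExtensionNames, gPCUserExtensionNames) and the GPT.INI file come from the standard AD schema and GPT layout rather than from this page, and the GUID and values are constructed sample data.

```python
import configparser
import tempfile
from pathlib import Path

# GPC "flags" attribute: the status information held in the container.
STATUS = {0: "enabled", 1: "user settings disabled",
          2: "computer settings disabled", 3: "all settings disabled"}

def split_version(version):
    # High 16 bits count user-side edits, low 16 bits computer-side edits.
    return {"user": version >> 16, "computer": version & 0xFFFF}

def check_gpo(gpc, gpt_dir):
    """Compare GPC attributes (dict) with the GPT folder; return a list of findings."""
    gpt_dir, findings = Path(gpt_dir), []
    if gpt_dir.name.upper() != gpc["cn"].upper():
        findings.append("GPT folder GUID differs from the GPC name")
    ini = gpt_dir / "GPT.INI"
    if not ini.is_file():
        return findings + ["GPT.INI missing, template unreadable"]
    parser = configparser.ConfigParser()
    parser.read(ini, encoding="utf-8-sig")
    gpt_version = parser.getint("General", "Version", fallback=0)
    if gpt_version != gpc["versionNumber"]:
        findings.append(
            f"version mismatch: GPC {split_version(gpc['versionNumber'])}"
            f" vs GPT {split_version(gpt_version)}")
    for side, attr in (("Machine", "gPCMachineExtensionNames"),
                       ("User", "gPCUserExtensionNames")):
        if gpc.get(attr) and not (gpt_dir / side).is_dir():
            findings.append(f"GPC lists {side} extensions but GPT has no {side} folder")
    return findings

def build_sample_gpt(root, guid, version, subfolders=("Machine", "User")):
    """Create a constructed GPT folder for the demo (not real SYSVOL data)."""
    gpt = Path(root) / guid
    gpt.mkdir()
    (gpt / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
    for name in subfolders:
        (gpt / name).mkdir()
    return gpt

if __name__ == "__main__":
    guid = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    gpc = {"cn": guid, "versionNumber": 0x00020005, "flags": 0,
           "gPCMachineExtensionNames": "[{constructed-cse-guid}]"}
    with tempfile.TemporaryDirectory() as tmp:
        gpt = build_sample_gpt(tmp, guid, 0x00020004, subfolders=("User",))
        print(STATUS[gpc["flags"]], check_gpo(gpc, gpt))
```

On a real domain the `gpc` dictionary would be filled from the GPO's object under CN=Policies,CN=System and `gpt_dir` would point at the matching folder under SYSVOL.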

This is where I would like to conclude Part 1 of this multipart series. Further on, I will be writing about many other concepts, like defining various user and computer settings and advanced concepts of Group Policy like filtering, loopback processing, etc. After explaining all of these, there will be a final part where I would like to talk about how to approach a possible Group Policy issue.

An automobile enthusiast at heart and computer geek by profession, I started my career with MS in 2005. I left jobs and started Pledge Technologies (the parent company to Grishbi) back in 2009. We have been providing IT consulting to various small and medium businesses across the US and UK since then. Our company specialises in Microsoft Server technologies like AD, Exchange, and the rest, and with numerous Office 365 migrations under our belt, we are quite expert with that too. Whatever we learn in our day-to-day life, we share it back on Grishbi as a thank-you for all the love and support our customers have given us.