It would not be wrong to say that Group Policy is one of the features that justify the millions large organisations spend deploying and maintaining Active Directory. And why not: the level of control it gives an administrator over every domain-joined client and user is something that would be highly inconvenient, if not impossible, to achieve by hand.
I have been working with Active Directory for over nine years, and in that time I have had a lot of exposure to Group Policy, or rather to troubleshooting Group Policy, so I decided to sum up as much of it as I can in this article. This is going to be a multipart series: I will start with the basic technical concepts of Group Policy, then explain how Group Policy processing actually works, and finally cover troubleshooting Group Policy.
Part 1 : Basics of Group Policy
Let's get started with the most basic question: what is Group Policy?
A Group Policy Object (GPO) is a container of settings defined in Active Directory (local GPOs exist on a standalone PC as well, but we will come to that later). Many settings can be specified in a single object, and every user and computer the object is applied to, or rather that falls within its scope, has to abide by the settings defined in it.
Before we talk about the scope, settings and filtering of a GPO, let's establish some facts about GPOs.
Facts about Group Policy objects
Every GPO is identified by a GUID (Globally Unique Identifier) in Active Directory (AD). There is nothing special about this in itself, but whether you are reading a log or working on a GPO directly in AD, you will usually see the GUID rather than the friendly name, so it is better to get acquainted with identifying GPOs by their GUIDs. A GUID is unique: no two GPOs in a domain share one, and it is a long alphanumeric value you cannot predict. The two exceptions are the two most important GPOs in any domain, the Default Domain Policy and the Default Domain Controllers Policy, whose GUIDs are the same in every domain: {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04fB984F9} respectively, which is why they always start with 31B and 6AC.
A GPO can hold any number of settings; there is no limit. In practice, though, a GPO is created for a purpose, and only the settings that serve that purpose are defined in it. For example, if we want to restrict a user's access to Control Panel on his PC, we create a GPO called "Restrict Control Panel" (the name can be anything you want) and put all the necessary Control Panel settings in it. If we want to force an Internet Explorer proxy on clients, we create a GPO called "Proxy Settings" and define the required proxy settings in it.
Each GPO has two parts, Computer Configuration and User Configuration. As the names suggest, computer settings are applied to computers and user settings are applied to users. A GPO is linked to a site, domain or organizational unit rather than to individual objects, so if we define only computer settings in a GPO and link it where only user objects fall within its scope, it has no effect on those users, and vice versa. The only exception to this rule is loopback processing, which we will talk about later.
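The following PowerShell function is an added example and is not code from the original article. It pulls every GUID out of a block of text, such as gpresult output or an event-log message, and resolves each one to a GPO display name with the Get-GPO cmdlet, flagging the two GPOs whose GUIDs never change. It assumes the GroupPolicy RSAT module is installed and that the session can query the domain; the log excerpt is constructed for the example, and the third GUID in it is deliberately one that should not exist in your domain.

```powershell
# Added example: resolve GPO GUIDs found in logs to display names.
# Assumes the GroupPolicy module (RSAT) is available in a domain-joined session.
Import-Module GroupPolicy

# The two GPOs whose GUIDs are identical in every domain.
$WellKnownGpos = @{
    '31B2F340-016D-11D2-945F-00C04FB984F9' = 'Default Domain Policy'
    '6AC1786C-016F-11D2-945F-00C04FB984F9' = 'Default Domain Controllers Policy'
}

function Resolve-GpoGuid {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Domain   # optional: query another domain instead of the current one
    )
    $guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
    $seen = @{}
    foreach ($m in [regex]::Matches($Text, $guidPattern)) {
        $guid = $m.Value.ToUpper()
        if ($seen.ContainsKey($guid)) { continue }
        $seen[$guid] = $true

        $gpoArgs = @{ Guid = $guid; ErrorAction = 'Stop' }
        if ($Domain) { $gpoArgs.Domain = $Domain }
        try {
            $gpo = Get-GPO @gpoArgs
            $name = $gpo.DisplayName; $status = $gpo.GpoStatus
        } catch {
            # No GPC with this GUID: a deleted GPO still referenced by a link,
            # a GPO from another domain, or a typo in the log.
            $name = '<no GPC found>'; $status = $null
        }
        [pscustomobject]@{
            Guid      = "{$guid}"
            Name      = $name
            Status    = $status
            WellKnown = $WellKnownGpos[$guid]
        }
    }
}

# Constructed sample text standing in for a gpresult /r excerpt (not real output).
$sampleLog = @'
    Applied Group Policy Objects
    -----------------------------
        {31B2F340-016D-11D2-945F-00C04FB984F9}
        {6AC1786C-016F-11D2-945F-00C04fB984F9}
    The following GPOs were not applied because they were filtered out
        {3D0C2A1E-5F6B-4C8D-9E0A-1B2C3D4E5F60}
'@

Resolve-GpoGuid -Text $sampleLog | Format-Table -AutoSize
```

A GUID that resolves to no GPC is worth a second look: a link that still points at a deleted GPO is harmless noise, but a GUID you cannot account for in any log that claims a policy was applied is not.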
(Picture: the Computer Configuration and User Configuration nodes of a GPO as shown in the Group Policy editor)
Applying Group Policy is a pull process. GPOs are defined and stored on domain controllers (DCs). It is the responsibility of the computer, and of the user logging on to it, to work out which GPOs apply to them, pull the settings from a DC and apply them to themselves: computer settings during boot, user settings during logon, and both again during the periodic background refresh (by default every 90 minutes plus a random offset on member machines, and every 5 minutes on domain controllers). The DC never pushes settings to the client.
Every GPO consists of two components: the GPC and the GPT.
The GPC, or Group Policy Container, is an object in the Active Directory hierarchy (a groupPolicyContainer object under CN=Policies,CN=System in the domain partition, named by the GPO's GUID). It is what lets users and computers discover which GPOs they are supposed to apply. The GPC holds the following information:
- Version information (the versionNumber attribute)–Used to verify that the container is synchronised with the Group Policy template.
- Status information (the flags attribute)–Indicates whether the computer part, the user part or the whole GPO is disabled. Whether a particular link to a site, domain or organizational unit is enabled is recorded on the link, not here.
- List of components (the gPCMachineExtensionNames and gPCUserExtensionNames attributes)–Specifies which Group Policy extensions have settings in the Group Policy object.
- Template path (the gPCFileSysPath attribute)–The UNC path to the Group Policy template in SYSVOL.
The GPT, or Group Policy Template, is a folder stored in the SYSVOL share of every DC (\\<domain>\SYSVOL\<domain>\Policies\{GUID}), named after the GUID of the GPO and containing a set of subfolders plus a GPT.ini file that records the template's version number. As the name suggests, it is the actual template of the settings defined in the GPO. So if for any reason this folder is inaccessible to a client, the client will know from the GPC that it has to apply the GPO but will be unable to apply any of its settings, because the settings themselves live in the GPT.
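The following PowerShell function is an added example, not code from the original article. It walks every GPC in the domain, reads the version, flags and extension attributes described above, and checks them against the GPT in SYSVOL: whether the template folder exists at all (the failure mode just described) and whether the version in GPT.ini matches the versionNumber in AD. It assumes the ActiveDirectory RSAT module and read access to SYSVOL; the optional -Server parameter is an assumption of this example, used to point the check at one DC when you suspect replication lag.

```powershell
# Added example: compare every GPO's GPC (AD object) with its GPT (SYSVOL folder).
# Assumes the ActiveDirectory module (RSAT) and read access to SYSVOL.
Import-Module ActiveDirectory

function Test-GpoConsistency {
    param([string]$Server)   # optional: a specific DC to query and read SYSVOL from

    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }
    $domainDn   = (Get-ADDomain @adArgs).DistinguishedName
    $policiesDn = "CN=Policies,CN=System,$domainDn"

    $gpcs = Get-ADObject @adArgs -SearchBase $policiesDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "groupPolicyContainer"' `
        -Properties displayName, versionNumber, flags, gPCFileSysPath, gPCMachineExtensionNames, gPCUserExtensionNames

    foreach ($gpc in $gpcs) {
        # versionNumber packs two 16-bit counters: low word = computer side,
        # high word = user side. A GPO whose attribute was never set reads as 0.
        $adVersion = ([int64][int]$gpc.versionNumber) -band 0xFFFFFFFF

        # GPT.ini carries the same packed value; a client that sees the two
        # disagree reports a SYSVOL/AD version mismatch and may apply stale settings.
        $gptPath   = $gpc.gPCFileSysPath
        $gptExists = [bool]$gptPath -and (Test-Path -LiteralPath $gptPath)
        $sysvolVersion = $null
        if ($gptExists) {
            $ini = Get-Content -LiteralPath (Join-Path $gptPath 'GPT.ini') -Raw -ErrorAction SilentlyContinue
            if ($ini -match '(?m)^Version=(\d+)') { $sysvolVersion = [int64]$Matches[1] }
        }

        # flags: 0 = enabled, 1 = user configuration disabled,
        # 2 = computer configuration disabled, 3 = all settings disabled.
        $flagText = switch ([int]$gpc.flags) {
            0       { 'Enabled' }
            1       { 'UserDisabled' }
            2       { 'ComputerDisabled' }
            3       { 'AllDisabled' }
            default { "Unknown($_)" }
        }

        [pscustomobject]@{
            Name            = $gpc.displayName
            Guid            = $gpc.Name
            Flags           = $flagText
            ComputerVersion = $adVersion -band 0xFFFF
            UserVersion     = ($adVersion -shr 16) -band 0xFFFF
            SysvolVersion   = $sysvolVersion
            GptPresent      = $gptExists
            VersionsMatch   = ($gptExists -and ($sysvolVersion -eq $adVersion))
            MachineCSEs     = $gpc.gPCMachineExtensionNames
            UserCSEs        = $gpc.gPCUserExtensionNames
        }
    }
}

# Show only the GPOs a client would fail on or apply with stale settings.
Test-GpoConsistency | Where-Object { -not $_.GptPresent -or -not $_.VersionsMatch } |
    Format-Table Name, Guid, Flags, ComputerVersion, UserVersion, SysvolVersion, GptPresent -AutoSize
```

Because the GPC replicates through AD replication and the GPT through SYSVOL replication, a mismatch on a single DC is usually lag; the same mismatch on every DC, or a template folder that is missing everywhere, is a real problem. Running the function once per DC with -Server tells the two apart.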
Subfolders of the Group Policy template
The Group Policy template folder contains subfolders, including but not limited to the following:
- Adm–Contains the .adm administrative template files for this Group Policy template (domains with an ADMX central store keep their templates there instead).
- Scripts–Contains the startup, shutdown, logon and logoff scripts and related files for this Group Policy template.
- User–Includes a Registry.pol file that contains the registry settings to be applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and its settings are applied to the HKEY_CURRENT_USER portion of the registry. The User folder contains an Applications subfolder.
- User\Applications–Contains the application advertisement script files (.aas) used by the software installation extension (Windows Installer). These files are applied to users.
- Machine–Includes a Registry.pol file that contains the registry settings to be applied to computers. When a computer starts, this Registry.pol file is downloaded and its settings are applied to the HKEY_LOCAL_MACHINE portion of the registry. The Machine folder contains an Applications subfolder.
- Machine\Applications–Contains the .aas files used by the software installation extension. These files are applied to computers.
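Since Registry.pol is where the registry settings of a GPO actually live, it is worth being able to read one without the Group Policy editor, for instance when auditing what a GPO in SYSVOL really pushes to clients. The following PowerShell is an added example, not code from the original article: it builds a small Registry.pol in memory from constructed entries and parses it back with a parser for the Registry Policy File Format (a PReg signature, a version DWORD of 1, then entries of the form [key;value;type;size;data], where the brackets and semicolons are UTF-16LE characters, key and value are null-terminated UTF-16LE strings, and type and size are DWORDs). The registry keys and values in the sample are chosen for illustration only; New-PolEntry exists just to construct that sample.

```powershell
# Added example: build and parse a Registry.pol file (Registry Policy File Format).
$Unicode = [Text.Encoding]::Unicode
$RegTypeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ' }

function Read-PolString {
    # Reads a null-terminated UTF-16LE string at $Pos and advances past the terminator.
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value; $i = $start
    while ($i + 1 -lt $Bytes.Length -and -not ($Bytes[$i] -eq 0 -and $Bytes[$i + 1] -eq 0)) { $i += 2 }
    $Pos.Value = $i + 2
    return $Unicode.GetString($Bytes, $start, $i - $start)
}

function Expect-PolChar {
    # Consumes one UTF-16LE separator character or throws on a malformed file.
    param([byte[]]$Bytes, [ref]$Pos, [char]$Char)
    $p = $Pos.Value
    if ($p + 1 -ge $Bytes.Length -or $Bytes[$p] -ne [byte]$Char -or $Bytes[$p + 1] -ne 0) {
        throw ("Malformed Registry.pol: expected '{0}' at offset {1}" -f $Char, $p)
    }
    $Pos.Value = $p + 2
}

function ConvertFrom-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Not a Registry.pol file: PReg signature missing'
    }
    $version = [BitConverter]::ToUInt32($Bytes, 4)
    if ($version -ne 1) { throw "Unsupported Registry.pol version $version" }

    $pos = 8
    while ($pos -lt $Bytes.Length) {
        Expect-PolChar $Bytes ([ref]$pos) '['
        $key = Read-PolString $Bytes ([ref]$pos)
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $valueName = Read-PolString $Bytes ([ref]$pos)
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $type = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        Expect-PolChar $Bytes ([ref]$pos) ';'
        $size = [int][BitConverter]::ToUInt32($Bytes, $pos); $pos += 4
        Expect-PolChar $Bytes ([ref]$pos) ';'
        if ($pos + $size -gt $Bytes.Length) { throw "Malformed Registry.pol: data runs past end of file at offset $pos" }
        [byte[]]$data = if ($size -gt 0) { $Bytes[$pos..($pos + $size - 1)] } else { @() }
        $pos += $size
        Expect-PolChar $Bytes ([ref]$pos) ']'

        $decoded = switch ($type) {
            { $_ -in 1, 2 } { $Unicode.GetString($data).TrimEnd([char]0) }
            4               { if ($data.Length -eq 4) { [BitConverter]::ToUInt32($data, 0) } else { '<bad DWORD length>' } }
            7               { $Unicode.GetString($data).TrimEnd([char]0) -split "`0" }
            default         { ($data | ForEach-Object { $_.ToString('X2') }) -join ' ' }
        }
        $typeName = if ($RegTypeNames.ContainsKey($type)) { $RegTypeNames[$type] } else { "0x$($type.ToString('X'))" }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $valueName
            Type       = $typeName
            Data       = $decoded
            # Value names starting with ** (**Del.<name>, **DelVals., **DeleteValues,
            # **DeleteKeys) are deletion instructions, not values to set.
            IsDeletion = $valueName.StartsWith('**')
        }
    }
}

function New-PolEntry {
    # Encodes one [key;value;type;size;data] entry; used here only to build the sample.
    param([string]$Key, [string]$ValueName, [int]$Type, [byte[]]$Data)
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($Unicode.GetBytes('['));  $out.AddRange($Unicode.GetBytes($Key + "`0"))
    $out.AddRange($Unicode.GetBytes(';'));  $out.AddRange($Unicode.GetBytes($ValueName + "`0"))
    $out.AddRange($Unicode.GetBytes(';'));  $out.AddRange([BitConverter]::GetBytes([uint32]$Type))
    $out.AddRange($Unicode.GetBytes(';'));  $out.AddRange([BitConverter]::GetBytes([uint32]$Data.Length))
    $out.AddRange($Unicode.GetBytes(';'));  $out.AddRange($Data)
    $out.AddRange($Unicode.GetBytes(']'))
    return ,$out.ToArray()
}

# Constructed sample file: a DWORD, a string, and a deletion marker (illustrative keys only).
$sampleBytes = [byte[]]([Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1) +
    (New-PolEntry 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging' 4 ([BitConverter]::GetBytes([uint32]1))) +
    (New-PolEntry 'Software\Policies\Contoso\Proxy' 'ProxyServer' 1 ($Unicode.GetBytes("proxy.corp.example:8080`0"))) +
    (New-PolEntry 'Software\Policies\Contoso\Proxy' '**Del.ProxyOverride' 1 ($Unicode.GetBytes(" `0"))))

ConvertFrom-RegistryPol -Bytes $sampleBytes | Format-Table -AutoSize
# For a real GPO: ConvertFrom-RegistryPol -Bytes ([IO.File]::ReadAllBytes("$($gpo.gPCFileSysPath)\Machine\Registry.pol"))
```

Reading Registry.pol straight from SYSVOL, rather than through the editor, shows exactly what the registry client-side extension will write, including deletion markers that remove a hardening value, which is the part a reviewer most often wants to confirm.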
This is where I would like to conclude Part 1 of this multipart series. Next I will be writing about other concepts such as defining the various user and computer settings and advanced concepts like filtering and loopback processing, and after all that there will be a final part on how to approach a Group Policy issue.