
How can I view the internals of a Group Policy Object?

In document Windows 2000 Group Policy (Page 148-152)

A:

A Group Policy Object (GPO) is composed of two parts—the Group Policy Container (GPC) and the Group Policy Template (GPT). You can see the contents of these two pieces by using some very simple tools.

The ability to view the “guts” of a GPO can give you good insight into how this complicated infrastructure works. The GPC is an object in Active Directory (AD) that holds several attributes describing its corresponding GPO. The GPT is a set of folders and files stored under the SYSVOL share on an AD domain controller. Every GPO has exactly one GPC and exactly one GPT. The key value that ties a GPO to its GPC and GPT is its globally unique ID (GUID), a 128-bit value assigned to the GPO when it is created; the GPC container and the GPT folder are both named with this GUID.

SYSVOL is replicated to every domain controller in an AD domain, so the GPT of every GPO reaches every domain controller. The GPC reaches every domain controller too, but by a different route: it is part of the AD database and travels with normal AD replication. Because the two halves replicate independently, they can briefly disagree, which is why the version comparison described later matters.

Locate the GUID

Let’s look at how you can examine the GPT and GPC of a GPO. First, we’ll start by examining a GPO to determine its GUID. You can easily do so by following these steps.

1. Start either the Active Directory Users and Computers or the Active Directory Sites and Services Microsoft Management Console (MMC) snap-in.

2. Right-click the container object (the site, domain, or organizational unit—OU) in which the GPO you want to examine is linked. Choose Properties from the context menu.

3. Select the Group Policy tab, and highlight the GPO you want to examine.

As you can see in Figure 7.1, the highlighted Unique name is the GUID for this GPO. Make a note of the GUID as we move to examine the GPO’s GPC and GPT.

Navigate to the GPC

Now that we know the GUID for our GPO, we can look at its constituent parts. The easiest way to examine the GPC is to use a familiar tool—the Active Directory Users and Computers MMC snap-in. Follow these steps to view a GPO’s GPC.

1. Start the Active Directory Users and Computers MMC snap-in. Select the View menu on the console, and ensure that the Advanced Features option is selected.

2. Expand the domain list within the left pane of the tool, then expand the System container.

3. Within the System container there is a container called Policies. Expanding this container should reveal a series of containers named with GUIDs.

4. Locate the GUID that you identified in the earlier steps for your GPO, and expand that container, as Figure 7.2 shows. This GUID-named folder is the GPC for the GPO.

If you were to examine the AD attributes on the GUID-named folder that Figure 7.2 shows, you would see several properties related to the GPO, including its current internal version, the path to its GPT in SYSVOL, and its friendly name—the name you see when you’re browsing for GPOs. In Figure 7.2, you can see two folders underneath the GUID-named folder—machine and user. These two folders correspond to the computer and user nodes that you see when you edit a GPO using the Group Policy MMC snap-in tool. If you expand either of these folders, you may see a subfolder called Class Store and a folder underneath that called Packages. The Class Store and Packages folders are present if you have set any software installation policy within the GPO. The Class Store is an AD object that keeps information related to how the package was published or assigned and where the Windows Installer setup file is located for the application.
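The GUI steps above (noting the GUID from the Group Policy tab, then opening CN=Policies,CN=System in the Advanced Features view) can be collapsed into one query. The following PowerShell is an added example, not code from the book: it looks the GPC up by its friendly name under CN=Policies,CN=System,<domain DN>, reports the attributes the text describes (the GUID is the object's cn, the friendly name is displayName, the SYSVOL path is gPCFileSysPath, the internal version is versionNumber) and lists the Machine and User child containers. It assumes it is run on a domain-joined Windows host with PowerShell 3.0 or later, uses only System.DirectoryServices (no Group Policy module), and the GPO name 'Default Domain Policy' is just a placeholder to replace with your own.

```powershell
# Added example (not from the book): find a GPO's GPC in AD by friendly name and
# read the attributes the text describes. Assumes a domain-joined Windows host;
# 'Default Domain Policy' is a placeholder GPO name.
param([string]$GpoName = 'Default Domain Policy')

# GPC objects live one level below CN=Policies,CN=System,<domain DN>.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
$searcher.Filter      = "(&(objectClass=groupPolicyContainer)(displayName=$GpoName))"
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'displayName', 'gPCFileSysPath', 'versionNumber',
    'gPCMachineExtensionNames', 'gPCUserExtensionNames'))

$result = $searcher.FindOne()
if (-not $result) { throw "No GPC with displayName '$GpoName' under CN=Policies,CN=System,$domainDn" }

# Attributes that are not set (e.g. no user-side extensions) come back as an
# empty collection, so index defensively instead of assuming [0] exists.
$props = $result.Properties
$first = { param($name) $v = $props[$name]; if ($v.Count -gt 0) { $v[0] } }

[pscustomobject]@{
    Guid          = & $first 'cn'                         # the "{GUID}" Unique name
    FriendlyName  = & $first 'displayName'
    GptPath       = & $first 'gPCFileSysPath'             # UNC path to the GPT in SYSVOL
    VersionNumber = & $first 'versionNumber'              # internal version, compared with GPT.INI
    MachineCSEs   = & $first 'gPCMachineExtensionNames'   # client-side extensions for the Machine node
    UserCSEs      = & $first 'gPCUserExtensionNames'      # client-side extensions for the User node
}

# The Machine and User containers beneath the GPC (plus Class Store\Packages if
# software installation policy has been set, as the text describes).
$gpc = $result.GetDirectoryEntry()
foreach ($child in $gpc.Children) {
    $child.Properties['distinguishedName'].Value
}
```

Run it from any domain member that can reach a domain controller over LDAP; the gPCFileSysPath it prints is exactly the SYSVOL folder you will open in the next section, so you can confirm by hand that the GPC and GPT share one GUID.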

Determine the GPT

Now let's look at the GPT. As I mentioned, the GPT is located within SYSVOL, the replicated folder structure present on every AD domain controller. The easiest way to view the contents of SYSVOL is to log on to the console of a domain controller in your AD domain, select Run from the Start menu, and in the Run dialog box, type

\\<domainname>\sysvol

This action opens an Explorer window containing a subfolder named for your current domain. Open that folder and you should see the three folders that Figure 7.3 shows. The GPTs live in the Policies folder, each in a subfolder named with the GUID of its GPO (the same path the GPC records as its SYSVOL path); open the folder whose name matches the GUID you noted earlier to see the GPT, as Figure 7.4 shows.

Figure 7.4: Viewing the GPT for a GPO in SYSVOL.

Just as with the GPC, you see machine and user folders corresponding to the machine-specific and user-specific policy set within the GPO. In addition, the ADM folder contains any Administrative Template .adm files associated with this GPO.

Each GPO can have its own separate and distinct set of .adm Administrative Template files. This differs from Windows NT 4.0 System Policy, which lets you use only a single set of .adm files within a domain policy.

You also see a file called GPT.INI. This file contains the internal version number for this GPT. When a computer or user processes a GPO, this version number is compared with the version number stored on the GPC to determine whether the GPO has been replicated correctly to all domain controllers within the domain. If the version numbers don't match, the GPO is considered out of sync and is therefore not processed.

If you were to drill further into the machine and user folders, you would see any number of subfolders and files corresponding to each of the various policy areas within a GPO (for example, Administrative Templates, Security, Folder Redirection). The GPT is the storage mechanism for the actual settings you make within the GPO when you edit it. If you make a change to a GPO setting, that change is stored within the GPT. The one exception to this behavior is software installation, which, as I mentioned earlier, uses the GPC's Class Store mechanism as well as the GPT to store settings related to the policy.
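The GPT.INI version check is worth seeing in code, because the single number hides two counters: the 32-bit version packs the user-side version in the high 16 bits and the machine-side version in the low 16 bits, so editing only the User node raises the value by 65536. The following PowerShell is an added example, not code from the book. Its functions parse the Version= line of a GPT.INI, split a version into its user and machine halves, and report whether a GPC version and a GPT.INI agree; the GPT.INI text and the GPC value at the bottom are constructed for illustration (a GPC one user-side edit ahead of its GPT), and the commented live-use lines assume a $gpc DirectoryEntry obtained as in the earlier GPC example. PowerShell 3.0 or later is assumed for the -shr operator.

```powershell
# Added example (not from the book): read the Version from GPT.INI, split it into
# user/machine halves, and compare it with the GPC's versionNumber.

function Split-GPVersion {
    # versionNumber in AD is a signed 32-bit integer; mask to 32 bits so a large
    # user-side count (which makes the signed value negative) still decodes.
    param([Parameter(Mandatory)][long]$Version)
    $v = $Version -band 0xFFFFFFFF
    [pscustomobject]@{
        Raw     = $v
        Machine = $v -band 0xFFFF            # low 16 bits: Computer Configuration version
        User    = ($v -shr 16) -band 0xFFFF  # high 16 bits: User Configuration version
    }
}

function Read-GptIniVersion {
    # Takes the whole text of a GPT.INI and returns its [General] Version value.
    param([Parameter(Mandatory)][string]$IniText)
    $m = [regex]::Match($IniText, '(?im)^\s*Version\s*=\s*(-?\d+)\s*$')
    if (-not $m.Success) { throw 'GPT.INI contains no Version= entry' }
    [long]$m.Groups[1].Value
}

function Test-GpoInSync {
    # Reproduces the comparison the text describes: GPC versionNumber vs GPT.INI Version.
    param([Parameter(Mandatory)][long]$GpcVersion,
          [Parameter(Mandatory)][string]$GptIniText)
    $gpc = Split-GPVersion $GpcVersion
    $gpt = Split-GPVersion (Read-GptIniVersion $GptIniText)
    [pscustomobject]@{
        GpcMachine = $gpc.Machine; GptMachine = $gpt.Machine
        GpcUser    = $gpc.User;    GptUser    = $gpt.User
        InSync     = ($gpc.Raw -eq $gpt.Raw)
    }
}

# Constructed sample (not a real domain): the GPC reports user=3, machine=2
# (3*65536 + 2 = 196610) while the GPT.INI on this DC still says user=2, machine=2
# (2*65536 + 2 = 131074), i.e. SYSVOL has not caught up with AD replication.
$sampleGptIni = @"
[General]
Version=131074
displayName=New Group Policy Object
"@
Test-GpoInSync -GpcVersion 196610 -GptIniText $sampleGptIni
# Expected: GpcUser 3 vs GptUser 2, machine halves equal, InSync False.

# Live use on a domain member, with $gpc being the GPC DirectoryEntry from the
# earlier lookup (assumed names; gPCFileSysPath is the UNC path of the GPT):
# $gpcVersion = [long]$gpc.Properties['versionNumber'].Value
# $iniText    = Get-Content -Raw (Join-Path $gpc.Properties['gPCFileSysPath'].Value 'GPT.INI')
# Test-GpoInSync -GpcVersion $gpcVersion -GptIniText $iniText
```

Because the GPC replicates with AD and the GPT with SYSVOL, a mismatch usually means one of the two has not finished replicating to the domain controller the client is talking to; reading GPT.INI from each domain controller's own SYSVOL (\\<dcname>\sysvol rather than \\<domainname>\sysvol) shows which DC is behind.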
