1.1.10 Group Policy Structure

Group Policy structure is modeled after the Active Directory structure, in that it has both physical and logical components. At the core of Active Directory's physical architecture is an extensible storage engine that reads and writes information to the Active Directory data store. This engine makes use of the logical, object-based hierarchy that represents data store information.

Like Active Directory, Group Policy maintains both a logical and a physical representation of GPOs, as follows:

Logical component: Consists of a Group Policy container object, which is stored in the Group Policy Objects container of Active Directory. The Group Policy container object contains attributes that specify basic GPO information, such as the following:

When the Group Policy administrator creates a GPO, Active Directory creates a Group Policy container object for that GPO, as described in section 2.1.3.2.1. This Group Policy container is a container object of the groupPolicyContainer class and is named with a GUID that identifies the GPO. The Group Policy container is stored under the CN=Policies,CN=System container within the domain. The Administrative tool and the Group Policy client locate this container according to its DN, which is the exact path to the Group Policy container object in the Active Directory data store.

Physical component: Consists of the Group Policy file share component that stores GPT and Group Policy extension settings on a domain controller or other server.

The physical component of a GPO is represented through a series of files containing Administrative template and extension policy settings that are stored on disk. These files contain numerous policy settings along with the state of these settings. These files are stored in Machine and User subdirectories along with the associated GPO version file gpt.ini, in the following path, which is also known as the GPO path: <dns domain name>\<Group Policy file share-name>\<dns domain name>\Policies\<guid>\.

Whenever the Group Policy administrator creates a new GPO, the <guid> folder in this path is automatically created and named with the GUID of the GPO. Within the <guid> folder are Machine and User subdirectories that contain extension policy settings and Administrative template configuration items. During policy administration, when the Group Policy administrator creates or modifies Group Policy extension or Administrative template settings, the Administrative tool locates the policy files according to the <guid> in the GPO path. During policy application, the Group Policy client locates the policy files in the same manner.
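The following added example (not part of the specification) builds the Group Policy container DN and the GPO path from a domain name and GUID, then reconciles the logical and physical components to flag GPOs that exist on only one side. The function names, the braced GUID format, the share name "SysVol", and the sample domain and GUIDs are assumptions constructed for illustration.

```python
import re

# Braced GUID form for GPO names (an assumption of this example).
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def domain_dn(dns_domain):
    """corp.example -> DC=corp,DC=example"""
    return ",".join("DC=" + label for label in dns_domain.split("."))

def gpc_dn(dns_domain, guid):
    """DN of the Group Policy container (logical component)."""
    return "CN=%s,CN=Policies,CN=System,%s" % (guid, domain_dn(dns_domain))

def gpo_path(dns_domain, share, guid):
    """GPO path of the file share component (physical component)."""
    return "\\".join([dns_domain, share, dns_domain, "Policies", guid]) + "\\"

def guid_from_gpc_dn(dn, dns_domain):
    """Return the upper-cased GUID if dn is a GPC DN of this domain, else None."""
    suffix = ",CN=Policies,CN=System," + domain_dn(dns_domain)
    if not dn.lower().endswith(suffix.lower()) or dn[:3].lower() != "cn=":
        return None
    name = dn[3:len(dn) - len(suffix)]
    return name.upper() if GUID_RE.match(name) else None

def reconcile(gpc_dns, gpt_folders, dns_domain):
    """Compare both components and report GPOs present on one side only."""
    logical = {g for g in (guid_from_gpc_dn(d, dns_domain) for d in gpc_dns) if g}
    physical = {f.upper() for f in gpt_folders if GUID_RE.match(f)}
    return {
        "container_without_files": sorted(logical - physical),
        "files_without_container": sorted(physical - logical),
        "unexpected_folder_names": sorted(f for f in gpt_folders if not GUID_RE.match(f)),
    }

# Constructed sample data: A exists on both sides, B only in the directory,
# C only on the file share, and "tmp" is not a GUID-named folder at all.
DOMAIN = "corp.example"
A = "{1A2B3C4D-2222-3333-4444-555555555555}"
B = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
C = "{99999999-8888-7777-6666-555555555555}"
SAMPLE_GPCS = [gpc_dn(DOMAIN, A), gpc_dn(DOMAIN, B)]
SAMPLE_FOLDERS = [A.lower(), C, "tmp"]

if __name__ == "__main__":
    print(gpo_path(DOMAIN, "SysVol", A))
    print(reconcile(SAMPLE_GPCS, SAMPLE_FOLDERS, DOMAIN))
```

In practice the two input lists would come from a directory export of the Policies container and a listing of the Policies folder on the file share; a folder with no matching container, or a non-GUID folder name, is worth reviewing because the client locates policy files purely by the GUID in the GPO path.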