2.1.2 Group Policy Components
The main components of the Group Policy protocols are described as follows:
Administrative tool: An implementation-specific management entity, such as the GPMC, that enables a Group Policy administrator to create, modify, and delete GPOs and policy settings (Administrative templates and extension settings). The Administrative tool manages policy settings that are specific to the Group Policy client implementation. Policy settings and other Group Policy functions are managed through the following administrative tasks:
- Authoring or editing GPOs via write access to Active Directory to facilitate configuration of GPOs with specific policy directives or settings.
- Updating policy files on the Group Policy file share via file access write operations.
- Configuring core aspects of Group Policy, such as SOM and GPO precedence.
The Administrative tool, along with its associated extensions, can be located and run on any computer that is a member of the domain, including the Group Policy server.
Note: All Group Policy server SKUs, and Group Policy clients with Remote Server Administration Tools [MSDN-RSATW7] installed, have the Administrative tool and extensions.
Group Policy client: The client computer on which Group Policy settings are applied by invoking the core Group Policy engine and the CSEs. The Group Policy client communicates with Group Policy data store components, which include the Active Directory and Group Policy file share data stores, via the Group Policy: Core Protocol [MS-GPOL], as implemented by the core Group Policy engine on the client computer.
Group Policy Extensions: Consist of CSE and Administrative tool extension protocols that enhance the base functionality of Group Policy. Extension data is typically read from and written to Group Policy data store components.
Group Policy data store: Consists of an Active Directory data store that provides storage and access to GPOs containing Group Policy metadata. It also contains a Group Policy file share data store that serves as a file system repository for user and computer extension policy settings, GPO version information, and administrative template policy settings.
The Group Policy administrative templates can be used to configure registry-based settings for a GPO, which can include security settings, script files for custom policy configurations, and software installation information. Administrative template settings are stored on the Group Policy file share; however, note that administrative templates are not a requirement for a GPO.
Group Policy server: A domain controller that implements Active Directory, from which a Group Policy client retrieves GPO metadata via LDAP and policy settings via a file access protocol.
Note: The terms domain controller and Group Policy server are used interchangeably throughout this document.
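Because each GPO is split across the two data stores described above, a defender can check that both halves agree. The following is an added example, not part of this specification: it assumes the version is held in the GPO object's versionNumber attribute in Active Directory and in the Version key of gpt.ini on the file share (names from [MS-GPOL], not from this page), with the user counter in the high 16 bits and the computer counter in the low 16 bits. The GUIDs and values are constructed.

```python
import configparser

def split_version(v):
    """Split a 32-bit GPO version into (user, computer) 16-bit counters."""
    return (v >> 16) & 0xFFFF, v & 0xFFFF

def gpt_ini_version(text):
    """Return Version from the [General] section of gpt.ini content."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    for name in cp.sections():             # section names are case-sensitive
        if name.lower() == "general":
            return int(cp[name].get("version", "0"))
    raise ValueError("gpt.ini has no [General] section")

def compare_stores(gpos):
    """Return (guid, reason) for each GPO whose two stores disagree."""
    findings = []
    for g in gpos:
        if g["gpt_ini"] is None:
            findings.append((g["guid"], "no gpt.ini on file share"))
            continue
        ad = split_version(g["ad_version"])
        fs = split_version(gpt_ini_version(g["gpt_ini"]))
        if ad != fs:
            findings.append((g["guid"],
                f"user AD={ad[0]} share={fs[0]}, computer AD={ad[1]} share={fs[1]}"))
    return findings

# Constructed sample data: GUIDs and version values are placeholders.
# ad_version stands for the value read over LDAP, gpt_ini for the file content.
SAMPLE = [
    {"guid": "{AAAAAAAA-0000-0000-0000-000000000001}", "ad_version": 65538,
     "gpt_ini": "[General]\nVersion=65538\n"},            # stores agree
    {"guid": "{AAAAAAAA-0000-0000-0000-000000000002}", "ad_version": 3,
     "gpt_ini": "[General]\nVersion=5\n"},                # file share is ahead
    {"guid": "{AAAAAAAA-0000-0000-0000-000000000003}", "ad_version": 1,
     "gpt_ini": None},                                    # directory entry only
]

if __name__ == "__main__":
    for guid, reason in compare_stores(SAMPLE):
        print(guid, reason)
```

A mismatch can be ordinary replication lag, but one that persists points to a change made to one store without the other, which is worth reviewing against the write paths listed for the Administrative tool.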
Although Group Policy extends Active Directory functionality to support Group Policy operations, Active Directory is not officially part of Group Policy. Implementers are free to choose Active Directory or any LDAP-accessed directory service with which Group Policy is compatible, to support Group Policy operations. However, for purposes of discussion herein, this document assumes that Active Directory is the LDAP-accessed directory service for Group Policy.
Note: The directory service that the implementer chooses is required to support forests.
The following sections describe the Group Policy components and the interrelationships among their parts, consumers, and dependencies. In particular, the following communication and process functionalities of Group Policy are covered in the discussions, along with applicable standards:
- Protocol communications between components
- Relationships between internal components
- Communication architecture and message flows
- Policy application and administration processes
- Applicability and interoperability standards