1.1.3 Group Policy Objects

Group Policy uses several protocols to create, read, update, and remove GPOs, and it takes a document-centric approach to creating, storing, and associating policy settings. Policy settings are contained in GPOs, which maintain various sets of behavior specifications. A GPO is a virtual object that stores policy-setting information in two components:

Directory service: GPOs and their attributes are stored in a directory service, such as Active Directory.

File share: GPOs also store policy-setting information on a local or remote file share, such as the Group Policy file share. The Group Policy file share repository in Windows is a system volume (SYSVOL) share on the Group Policy server.

Both of these storage components can reside on the Group Policy server. Through the hierarchical modeling of Active Directory, GPOs can be linked to site, domain, and organizational unit (OU) containers to enable policy settings to be applied to target users and computers that are associated with these containers. This infrastructure provides a high degree of flexibility that enables the Group Policy administrator to customize configurations, such as delivering a specific piece of software to specialized users based on their membership in an OU.

A GPO is uniquely identified by a globally unique identifier (GUID). GPO settings are evaluated by the Group Policy client through the hierarchical nature of Active Directory and by interpreting the extension policy file data on the Group Policy file share. The processes for creating a GPO are described in section 2.1.3.2.1.
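
Because a GPO lives in two components keyed by the same GUID, an administrator can audit whether the directory side and the file-share side still agree. The following Python check is an added example, not part of the original specification. It assumes details this section does not state: that each GPO folder on the file share is named {GUID} and contains a GPT.INI file with a Version value that mirrors a version number on the directory object. All GUIDs and version numbers in it are constructed sample data.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Assumption (not from this section): each GPO folder on the file share is named
# {GUID} and holds a GPT.INI whose [General] Version mirrors the directory object.
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

def sysvol_versions(policies_dir):
    """Map each {GUID} folder on the file share to the Version in its GPT.INI."""
    found = {}
    for entry in Path(policies_dir).iterdir():
        if entry.is_dir() and GUID_DIR.match(entry.name):
            ini = configparser.ConfigParser()
            ini.read(entry / "GPT.INI")  # a missing file leaves the parser empty
            found[entry.name.upper()] = ini.getint("General", "Version", fallback=None)
    return found

def compare(directory, file_share):
    """Return (guid, finding) for every GPO whose two components disagree."""
    findings = []
    for guid in sorted(set(directory) | set(file_share)):
        if guid not in file_share:
            findings.append((guid, "in directory, no folder on file share"))
        elif guid not in directory:
            findings.append((guid, "folder on file share, no directory object"))
        elif file_share[guid] is None:
            findings.append((guid, "GPT.INI missing or has no Version"))
        elif file_share[guid] != directory[guid]:
            findings.append((guid, "version mismatch"))
    return findings

def demo():
    # Constructed sample: the GUIDs and version numbers below are made up.
    a, b, c, d = ("{%s}" % "-".join(ch * n for n in (8, 4, 4, 4, 12)) for ch in "ABCD")
    directory = {a: 131075, b: 5, c: 1}  # GUID -> version held by the directory object
    on_share = {a: 131075, b: 4, d: 1}   # GUID -> Version written to GPT.INI
    with tempfile.TemporaryDirectory() as root:
        for guid, version in on_share.items():
            folder = Path(root, guid)
            folder.mkdir()
            (folder / "GPT.INI").write_text("[General]\nVersion=%d\n" % version)
        Path(root, "PolicyDefinitions").mkdir()  # not a GUID folder, so ignored
        return compare(directory, sysvol_versions(root))

if __name__ == "__main__":
    for guid, finding in demo():
        print(guid, finding)
```

A folder on the file share with no matching directory object, or a version mismatch that persists, is worth investigating, since the Group Policy client interprets the policy file data it finds on the share.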