Windows Server 2008 and Windows Vista : Architectural Parts of a GPO (part 1) - Group Policy Template

The Group Policy template (GPT) is the portion of the GPO that is stored in the SYSVOL folder on the domain controllers. The GPT is not a single file or folder, but rather a suite of folders and files that are used to store and maintain the settings that are established in a GPO. The GPT is very dynamic, yet very simple.

Each GPO has a unique GPT where the files are stored. The GPT is kept unique between GPOs by its GUID (globally unique identifier). When a GPO is initially created, a new folder is created under the %windir%\SYSVOL\sysvol\<domainname>\Policies folder. This new folder is named the same as the GPO’s GUID, as you can see in Figure 1.

Figure 1. All Group Policy templates are stored in a unique folder named after the GPO’s GUID; they are all stored in the SYSVOL\Policies folder on each domain controller.

During the creation of the GPT main folder, additional folders and files are created under this root folder. These folders and files include:

• Group Policy folder Holds the GPE.ini file. The GPE.ini file tracks the GUIDs for the CSEs that are referenced in the GPO. As settings within the GPO are added or removed, the associated GUID for the CSE controlling the setting is added or removed from this file.

• Machine folder Stores all GPO settings that are configured under the Computer Configuration node in the GPO.

• User folder Stores all GPO settings that are configured under the User Configuration node in the GPO.

• Gpt.ini file Tracks the GPO version number. The version number changes each time the GPO is modified.

Figure 2 illustrates the default folders and files that exist in the GPT.

Figure 2. Newly created GPOs have only two default folders and one default file that make up the GPT in SYSVOL.

As settings are created in the GPO, additional folders and files are created in the appropriate folder, depending on whether a Computer Configuration setting or a User Configuration setting is made.

Not all settings create the same type of files. The different portions of the GPO make up the different client-side extensions supported in the GPO. When a setting is made for each client-side extension, the file in which it is stored within the GPT is also different. Table 1 shows the client-side extension in addition to the files used within the GPT for that extension.

Table 1. Group Policy Template Files

Client-Side Extension	Folder Structure in GPT	File Name and Extension in GPT
Software Installation	Machine\Applications	<GUID>.aas
	User\Applications
Scripts	Machine\Scripts\Startup	Varies (typically with .vbs, .bat, .cmd, .exe extension)
	Machine\Scripts\Shutdown
	User\Scripts\Logon
	User\Scripts\Logoff
Security	Machine\Microsoft\Windows NT\SecEdit	GptTmpl.inf
Windows Firewall and Advanced Security	Machine	Registry.pol
Public Key Policies	Machine	Registry.pol
	User
Software Restriction Policy	Machine	Registry.pol
	User
Network Access Protection	Machine	Registry.pol
Policy Based QoS	Machine	Registry.pol
	User
Registry	Machine	Registry.pol
Remote Installation Services	Microsoft\RemoteInstall	Oscfilter.ini
Folder Redirection	User\Documents & Settings	Fdeploy1.ini
Internet Explorer Maintenance	User\Microsoft\IEAK	Various folders and files
Group Policy Environment	Machine\Preferences\EnvironmentVariables	EnvironmentVariables.xml
	User\Preferences\EnvironmentVariables
Group Policy Data Sources	Machine\Preferences\DataSources	DataSources.xml
	User\Preferences\DataSources
Group Policy Devices	Machine\Preferences\Devices	Devices.xml
	User\Preferences\Devices
Group Policy Files	Machine\Preferences\Files	Files.xml
	User\Preferences\Files
Group Policy Folder Options	Machine\Preferences\Options	Options.xml
	User\Preferences\Options
Group Policy Folders	Machine\Preferences\Folders	Folders.xml
	User\Preferences\Folders
Group Policy Local Users and Groups	Machine\Preferences\Groups	Groups.xml
	User\Preferences\Groups
Group Policy Ini Files	Machine\Preferences\IniFiles	IniFiles.xml
	User\Preferences\IniFiles
Group Policy Network Options	Machine\Preferences\NetworkOptions	NetworkOptions.xml
	User\Preferences\NetworkOptions
Group Policy Network Shares	Machine\Preferences\NetworkShares	NetworkShares.xml
	User\Preferences\NetworkShares
Group Policy Power Options	Machine\Preferences\PowerOptions	PowerOptions.xml
	User\Preferences\PowerOptions
Group Policy Printers	Machine\Preferences\Printers	Printers.xml
	User\Preferences\Printers
Group Policy Registry	Machine\Preferences\Registry	Registry.xml
	User\Preferences\Registry
Group Policy Scheduled Tasks	Machine\Preferences\ScheduledTasks	ScheduledTasks.xml
	User\Preferences\ScheduledTasks
Group Policy Services	Machine\Preferences\Services	Services.xml
	User\Preferences\Services
Group Policy Shortcuts	Machine\Preferences\Shortcuts	Shortcuts.xml
	User\Preferences\Shortcuts
Group Policy Applications	User\ Preferences\Applications	Applications.xml
Group Policy Drive Maps	User\ Preferences\Drives	Drives.xml
Group Policy Internet Settings	User\ Preferences\InternetSettings	InternetSettings.xml
Group Policy Regional Options	User\ Preferences\RegionalOptions	RegionalOptions.xml
Group Policy Start Menu	User\ Preferences\StartMenuTaskbar	StartMenuTaskbar.xml

Figure 3 illustrates what a complex set of GPO settings might look like through the files and folders that are created in the GPT.

Figure 3. When a GPO has many settings configured in different areas of the GPO, folders and files may be created in the GPT.

As you can see, the GPT is responsible for housing all of the raw settings that are made in a GPO. Each setting is stored in a unique file structure, which correlates with the client-side extension under which it is categorized. The files that are stored in the GPT are delivered to the target computer during Group Policy processing.