The Group Policy container (GPC) is the portion of the GPO that is stored in Active Directory. The subfolder format of the GPC is similar to that of the GPT, but the GPC is radically different in content and overall use. The GPC has a suite of Active Directory properties associated with it, giving it the same feel as a typical Active Directory object, such as a user or computer object.

The GPC is also similar to the GPT in the way it is tracked in the system: the GPC is also named after the GPO's GUID. You can find the GPC by using one of many tools that display Active Directory objects. By using Active Directory Users and Computers, you can access the full list of GPCs by following these steps:
1. In Active Directory Users and Computers, expand the domain node.
2. Expand the System node.
3. Expand the Policies node to expose the list of GUIDs that represent the GPCs, as shown in Figure 4.
Note
To see the System folder in Active Directory Users and Computers, you must first enable the Advanced Features option. To enable this option, click the domain node in Active Directory Users and Computers. Then click the Tools menu and select the Advanced Features menu option.

During the creation of the GPC, two main folders are created: Machine and User. These folders are empty by default; you can see nothing from the Active Directory Users and Computers interface with regard to the GPC. However, if you create some policy settings, you can see some folders and content within Active Directory Users and Computers. Table 2 lists the folders and files associated with the policies that update the GPC.
Table 2. GPC Files
Client-Side Extension | Folder Structure in GPC | File Name and Extension in GPC |
---|---|---|
Software Installation | Machine\Class Store\Packages and User\Class Store\Packages | <GUID>, which is a packageRegistration object |
IP Security | Machine\Microsoft\Windows | IPSEC, which is an ipsecPolicy object |
Wireless Network (IEEE 802.3) Policies | Machine\Microsoft\Windows\IEEE8023 | <policyname>, which is an ms-net-ieee-8023-GroupPolicy object |
Wireless Network (IEEE 802.11) Policies | Machine\Microsoft\Windows\Wireless | <policyname>, which is an msieee80211-Policy object |

If you want to see details of the GPC, you can use Active Directory Users and Computers or an LDAP tool, such as ADSIEdit, which allows you to see the properties associated with the GPC. These properties help Active Directory and Group Policy apply the appropriate settings and point to the correct GPT and any other network location that might be configured within the GPO. Table 3 shows the default properties associated with the GPC.
Table 3. GPC Active Directory Properties
Property | Default Value |
---|---|
adminDescription | <not set> |
adminDisplayName | <not set> |
cn | (GUID of GPO) |
defaultClassStore | <not set> |
description | <not set> |
displayName | (Name of GPO) |
displayNamePrintable | <not set> |
distinguishedName | CN={GUID of GPO} |
dSASignature | <not set> |
dSCorePropagationData | 0x0 = ( ) |
extensionName | <not set> |
flags | 0 |
fSMORoleOwner | <not set> |
gPCFileSysPath | \\<domainname>\SysVol\<domainname>\Policies |
gPCFunctionalityVersion | 2 |
gPCMachineExtensionNames | <not set> |
gPCUserExtensionNames | <not set> |
gPCWQLFilter | <not set> |
instanceType | 0x4 = (WRITE) |
isCriticalSystemObject | <not set> |
isDeleted | <not set> |
lastKnownParent | <not set> |
mS-DS-ConsistencyChildCount | <not set> |
mS-DS-ConsistencyGuid | <not set> |
msDS-NcType | <not set> |
msDS-ObjectReference | <not set> |
Name | (GUID of GPO) |
objectCategory | CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=<domainname>,DC=<domain name extension> |
objectClass | Top;container;groupPolicyContainer |
objectGUID | GUID of GPO |
objectVersion | <not set> |
otherWellKnownObjects | <not set> |
partialAttributeDeletionList | <not set> |
partialAttributeSet | <not set> |
proxiedObjectName | <not set> |
proxyAddresses | <not set> |
replPropertyMetaData | <Octet string table> |
replUpToDateVector | <not set> |
repsFrom | <not set> |
repsTo | <not set> |
revision | <not set> |
schemaVersion | <not set> |
showinAdvancedViewOnly | TRUE |
subRefs | <not set> |
systemFlags | <not set> |
url | <not set> |
uSNChanged | Dynamic numeric variable |
uSNCreated | Dynamic numeric variable |
uSNDSALastObjRemoved | <not set> |
USNIntersite | <not set> |
uSNLastObjRem | <not set> |
uSNSource | <not set> |
versionNumber | 0 |
wbemPath | <not set> |
wellKnownObjects | <not set> |
whenChanged | Date of change |
whenCreated | Date of creation |
wWWHomePage | <not set> |
Figure 5 shows what the GPC looks like when viewed with ADSIEdit.

The GPC is not responsible for storing the settings that are in the GPO; that is the job of the GPT. The GPC ensures that all network links, resources, and paths are correct and tracked. When Group Policy processing occurs, the GPC properties are used to find all of the pertinent information for the GPT, software installation nodes, and so on.
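
An added example (not from the original text) that reads the Table 3 properties the way Group Policy processing depends on them: it decodes versionNumber and flags and checks that gPCFileSysPath points at the domain's own SYSVOL. The function name Test-GpcObject, the sample GUIDs, and the corp.example names are constructed; the expected path assumes the GPT folder is named after the GPO's GUID.

```powershell
# Added example, not from the original text. Input objects must carry the GPC
# properties named in Table 3: cn, displayName, gPCFileSysPath, versionNumber, flags.
function Test-GpcObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Gpc,
        [Parameter(Mandatory)] [string] $DomainDnsName   # e.g. (Get-ADDomain).DNSRoot
    )
    process {
        # Assumed GPT location: the Policies path from Table 3 plus the GPO's GUID folder.
        $expected = '\\{0}\SysVol\{0}\Policies\{1}' -f $DomainDnsName, $Gpc.cn
        $version  = [int64]$Gpc.versionNumber
        $flagBits = [int]$Gpc.flags -band 3
        [pscustomobject]@{
            Name            = $Gpc.displayName
            Guid            = $Gpc.cn
            # versionNumber packs two counters: user (high 16 bits), computer (low 16 bits).
            UserVersion     = ($version -shr 16) -band 0xFFFF
            ComputerVersion = $version -band 0xFFFF
            # flags: 0 enabled, 1 user settings disabled, 2 computer settings disabled, 3 both.
            Status          = @('Enabled', 'UserDisabled', 'ComputerDisabled', 'AllDisabled')[$flagBits]
            # False means the GPC points somewhere other than the domain SYSVOL: review it.
            PathAsExpected  = ($Gpc.gPCFileSysPath -ieq $expected)
            GptPath         = $Gpc.gPCFileSysPath
        }
    }
}

# Constructed sample objects (made-up GUIDs, domain and server names).
$sample = @(
    [pscustomobject]@{
        cn = '{11111111-1111-1111-1111-111111111111}'; displayName = 'Workstation Baseline'
        gPCFileSysPath = '\\corp.example\SysVol\corp.example\Policies\{11111111-1111-1111-1111-111111111111}'
        versionNumber = 196610; flags = 0
    }
    [pscustomobject]@{
        cn = '{22222222-2222-2222-2222-222222222222}'; displayName = 'Legacy Logon Script'
        gPCFileSysPath = '\\fs01.corp.example\share\Policies\{22222222-2222-2222-2222-222222222222}'
        versionNumber = 5; flags = 1
    }
)
$sample | Test-GpcObject -DomainDnsName 'corp.example' |
    Format-Table Name, UserVersion, ComputerVersion, Status, PathAsExpected

# Live domain (ActiveDirectory module): pipe the real GPCs in instead of $sample.
# Get-ADObject -SearchBase "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)" `
#     -LDAPFilter '(objectClass=groupPolicyContainer)' `
#     -Properties cn, displayName, gPCFileSysPath, versionNumber, flags
```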