Windows Server 2008 and Windows Vista : Architectural Parts of a GPO (part 2) - Group Policy Container

8/27/2012 1:09:57 AM
The Group Policy container (GPC) is the portion of the GPO that is stored in Active Directory. The subfolder format of the GPC is similar to that of the GPT, but the GPC is radically different in content and overall use. The GPC has a suite of Active Directory properties associated with it, giving it the same feel as a typical Active Directory object, such as a user or computer object.

The GPC is also similar to the GPT, in the way in which it is tracked in the system; the GPC is also named after the GPO’s GUID. You can find the GPC by using one of many tools that display the Active Directory objects. By using Active Directory Users and Computers, you can access the full list of GPCs by following these steps:

In Active Directory Users and Computers, expand the domain node.

Expand the System node.

Expand the Policies node to expose the list of GUIDs that represent the GPCs, as shown in Figure 4.

Figure 4. All GPCs are stored in Active Directory under the GPO’s GUID, allowing the system to keep each GPO unique and distinguishable.


To see the System folder in Active Directory Users and Computers, you must first enable the Advanced Features option. To enable this option, click the domain node in Active Directory Users and Computers. Then click the Tools menu and select the Advanced Features menu option.

During the creation of the GPC, two main folders are created: Machine and User. These folders are empty by default; you can see nothing from the Active Directory Users and Computers interface with regard to the GPC. However, if you create some policy settings, you can see some folders and content within the Active Directory Users and Computers. Table 2 lists the folders and files associated with the policies that update the GPC.

Table 2. GPC Files
Client-Side ExtensionFolder Structure in GPCFile Name and Extension in GPC
Software InstallationMachine\Class Store\Packages<GUID>, which is a packageRegistration object
 User\Class Store\Packages 
IP SecurityMachine\Microsoft\WindowsIPSEC, which is an ipsecPolicy object
Wireless Network (IEEE 802.3) PoliciesMachine\Microsoft\Windows\IEEE8023<policyname>, which is a ms-net-ieee-8023-GroupPolicy object
Wireless Network (IEEE 802.11) PoliciesMachine\Microsoft\Windows\Wireless<policyname>, which is a msieee80211-Policy object

If you want to see details of the GPC, you can use Active Directory Users and Computers or an LDAP tool, such as ADSIEdit, which allows you to see the properties associated with the GPC. These properties help Active Directory and Group Policy apply the appropriate settings and point to the correct GPT and any other network location that might be configured within the GPO. Table 3 shows the default properties associated with the GPC.

Table 3. GPC Active Directory Properties
PropertyDefault Value
adminDescription<not set>
adminDisplayName<not set>
cn(GUID of GPO)
defaultClassStore<not set>
description<not set>
displayName(Name of GPO)
displayNamePrintable<not set>
distinguishedNameCN={GUID of GPO}
dSASignature<not set>
dSCorePropagationData0x0 = ( )
extensionName<not set>
fSMORoleOwner<not set>
gPCMachineExtensionNames<not set>
gPCUserExtensionNames<not set>
gPCWQLFilter<not set>
instanceType0x4 = (WRITE)
isCriticalSystemObject<not set>
isDeleted<not set>
lastKnownParent<not set>
mS-DS-ConsistencyChildCount<not set>
mS-DS-ConsistencyGuid<not set>
msDS-NcType<not set>
msDS-ObjectReference<not set>
Name(GUID of GPO)



DC=<domain name extention>
objectVersion<not set>
otherWellKnownObjects<not set>
partialAttributeDeletionList<not set>
partialAttributeSet<not set>
proxiedObjectName<not set>
proxyAddresses<not set>
replPropertyMetaData<Octet string table>
replUpToDateVector<not set>
repsFrom<not set>
repsTo<not set>
revision<not set>
schemaVersion<not set>
subRefs<not set>
systemFlags<not set>
url<not set>
uSNChangedDynamic numeric variable
uSNCreatedDynamic numeric variable
uSNDSALastObjRemoved<not set>
USNIntersite<not set>
uSNLastObjRem<not set>
uSNSource<not set>
wbemPath<not set>
wellKnownObjects<not set>
whenChangedDate of change
whenCreatedDate of creation
wWWHomePage<not set>

Figure 5 shows what the GPC looks like when viewed with ADSIEdit.

Figure 5. Each GPO is represented with a GPC, which in turn has a suite of Active Directory object properties that store information about the GPO resources.

The GPC is not responsible for storing the settings that are in the GPO—that is the job of the GPT. The GPC ensures that all network links, resources, and paths are correct and tracked. When Group Policy processing occurs, the GPC properties are used to find all of the pertinent information for the GPT, software installation nodes, and so on.

  •  Windows Server 2003 : Server Clustering (part 4) - Using the Cluster Application Wizard, Configuring Failover and Failback
  •  Windows Server 2003 : Server Clustering (part 3) - Creating a New Cluster Group, Adding a Resource to a Group
  •  Windows Server 2003 : Server Clustering (part 2) - Creating a True Server Cluster, Adding a Node to an Existing Cluster
  •  Windows Server 2003 : Server Clustering (part 1) - Cluster Terminology, Types of Resources, lanning a Cluster Setup
  •  Windows XP : Participating in Internet Newsgroups - Downloading Messages
  •  Windows XP : Participating in Internet Newsgroups - Working with Newsgroups in Outlook Express
  •  Analysis Ultrabooks
  •  Farewell To Pixels : Retina MacBook Pro brings the new age of dot-free displays to OS X
  •  Computing – OS
  •  Windows Server 2003 : Protecting Network Communications with Internet Protocol Security - IPSec Basics (part 2) - Differences Between AH and ESP, Process and Procedure
  •  Windows Server 2003 : Protecting Network Communications with Internet Protocol Security - IPSec Basics (part 1) - Security Advantages of IPSec
  •  Windows Vista : Communicating with Windows Mail - Handling Incoming Messages (part 2) - Customizing the Message Columns, Setting Read Options
  •  Windows Vista : Communicating with Windows Mail - Handling Incoming Messages (part 1) - Processing Messages
  •  Windows Vista : Communicating with Windows Mail - Setting Up Mail Accounts
  •  Ultra-X P.H.D PCI2 - Solve PC Problems Easily (Part 2)
  •  Ultra-X P.H.D PCI2 - Solve PC Problems Easily (Part 1)
  •  Confessions Of An Internet Troll (Part 2)
  •  Confessions Of An Internet Troll (Part 1)
  •  Windows Vista or Windows Server 2008 : Architecture of Group Policy - Domain Controller Selection During GPO Management
  •  Windows Vista or Windows Server 2008 : Architecture of Group Policy - Group Policy Dependencies
    Top 10
    Canon PowerShot G15 12MP Digital Camera With 3-Inch LCD
    3D Printed Guns
    Dual-channel DDR3 RAM (Part 4)
    Dual-channel DDR3 RAM (Part 3)
    Dual-channel DDR3 RAM (Part 2)
    Dual-channel DDR3 RAM (Part 1)
    In-Win G7 Black Windowed Mid-Tower Case
    Starcraft II Gaming Mouse & Marauder Starcarft II Gaming Keyboard
    The Computers That Came In From The Cold (Part 2)
    Joystick Junkies - The Sim Hardware Roundup (Part 3) : Thrustmaster HOTAS Warthog, Thrustemaster TH8 RS Gear Shifter, ButtKicker Gamer 2
    Most View
    Corsair 16GB Dominator Platinum DDR3 - 2400
    SQL Server 2005 Native XML Web Services : Example Native XML Web Services Project (part 3) - Creating the Client Application
    Gigabyte U2442 V2 Ultrabook Review (Part 2)
    Turn Your Smartphone Into A Safe
    Group Test: Integrated Valve Amps $2,175-$3,000 (Part 4)
    iOS In The Studio
    Web Design: Where To Start (Part 5)
    Systems for All Budgets (Part 3) - WS 1000, Silent 1000
    Which Components Have Hit The Sweet Spot? (Part 3)
    The Best Bluetooth Keyboards (Part 2)