Appendix B: Group Policy Storage

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy objects store information in two locations: a Group Policy container and a Group Policy template.

Group Policy Container

The Group Policy container is an Active Directory container that stores GPO properties; it includes sub-containers for computer and user Group Policy information. The Group Policy container has the following properties:

  • Version information. A counter of the changes made to the GPO. The client compares it with the version recorded in the Group Policy template to ensure that the two halves of the GPO are synchronized.

  • Status information. This indicates whether the GPO is enabled or disabled.

  • List of components (extensions) that have settings in the GPO.

  • File System path. The UNC path to the Sysvol folder.

  • Functionality version. This is the version of the tool that created the GPO. Currently, this is version 1.

For example, the Group Policy container stores information used by the Software Installation snap-in to describe the state of the software available for installation. This data repository contains data for all applications, interfaces, and APIs that provide for application publishing and assigning.

Group Policy Template

Group Policy objects also store Group Policy information in a folder structure called the Group Policy template that is located in the System Volume folder of domain controllers (Sysvol) in the \Policies sub-folder. The Group Policy template is the container where Security Settings, Administrative Template-based policy settings, applications available for Software Installation, and script files are stored.

When a GPO is created, the directory name given to its Group Policy template is the GUID of the GPO. For example, assume that you created a GPO in a domain called Seattle. The resulting Group Policy template folder would be named as follows (the GUID is an example):

%systemroot%\sysvol\<SYSVOL>\Seattle.yourcompanyname.com\Policies\{47636445-af79-11d0-91fe-080036644603}

where the second sysvol (shown as <SYSVOL> above) is the folder that is shared as Sysvol, so domain members reach the same folder as \\Seattle.yourcompanyname.com\Sysvol\Seattle.yourcompanyname.com\Policies\{GUID}. (The default location of the Sysvol folder is %systemroot%\sysvol.)

Gpt.ini File

At the root of each Group Policy template folder is a file called Gpt.ini. For local Group Policy objects, the Gpt.ini file stores information indicating the following:

  • Which client-side extensions have User or Computer data in the GPO, each identified by its own GUID together with the GUID of the Group Policy Object Editor snap-in extension that writes its settings.

  • Whether the User or Computer portion is disabled.

  • Version number of the Group Policy Object Editor extension that created the Group Policy object.

For the local GPO, the Gpt.ini file contains the following entries:

[General]
gPCUserExtensionNames=    // List of GUIDs that tells the client-side engine which client-side
                          // extensions have User data in the GPO. The format is:
                          // [{GUID of client-side extension}{GUID of MMC extension}{GUID of
                          // second MMC extension, if appropriate}][repeat the first section
                          // as appropriate].
gPCMachineExtensionNames= // List of GUIDs that tells the client-side engine which client-side
                          // extensions have Machine data in the GPO.
Options=                  // GPO options, such as User portion disabled or Machine portion disabled.
gPCFunctionalityVersion=  // Version number of the Group Policy extension tool that created the
                          // Group Policy object.

Gpt.ini for Active Directory GPOs

The Gpt.ini file for Active Directory GPOs contains only the following two entries; the extension lists, status and functionality version are stored as attributes of the Group Policy container in Active Directory instead:

Version=0   // Version number of the Group Policy object. The same DWORD is stored in the
            // container's versionNumber attribute and the two must match; its low 16 bits
            // count Computer Configuration changes, its high 16 bits User Configuration changes.
DisplayName // Display name of the GPO, also stored in the container's displayName attribute.
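The following Python example is added here and is not code from the original page or from Microsoft. It reads the [General] section of a Gpt.ini, splits the Version DWORD into its two 16-bit halves (low word Computer Configuration, high word User Configuration), decodes the Options bits of a local GPO using the same bit values as the GPO flags attribute (1 = User Configuration disabled, 2 = Computer Configuration disabled), and compares the Sysvol version with the versionNumber attribute of the Group Policy container. A mismatch between those two numbers is one of the first things to check when a GPO is not applied or when Sysvol replication is suspect. The Gpt.ini text and the versionNumber values used below are constructed for the example.

```python
"""Decode Gpt.ini entries and check them against the Group Policy container.

Added example, not code from the original page. The Version entry is a single
DWORD holding two 16-bit counters: the low word is the Computer Configuration
version and the high word the User Configuration version. The same DWORD is
stored on the container as the versionNumber attribute. The Options bits of a
local GPO use the same values as the GPO flags attribute: 1 = User
Configuration disabled, 2 = Computer Configuration disabled.
The Gpt.ini text and versionNumber values below are constructed.
"""
import configparser

# Constructed sample: 196613 == 0x00030005, i.e. user version 3, machine version 5.
SAMPLE_GPT_INI = """[General]
Version=196613
displayName=Default Domain Policy
"""

OPTION_USER_DISABLED = 1
OPTION_MACHINE_DISABLED = 2


def parse_gpt_ini(text):
    """Return the [General] entries; option names come back lower-cased,
    which suits Gpt.ini because its keys are not case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    return dict(cp["General"])


def decode_version(version):
    """Split the version DWORD into its Computer (low word) and User (high word) halves."""
    version &= 0xFFFFFFFF
    return {"machine": version & 0xFFFF, "user": version >> 16}


def decode_options(options):
    """Decode the Options entry of a local GPO's Gpt.ini."""
    return {"user_disabled": bool(options & OPTION_USER_DISABLED),
            "machine_disabled": bool(options & OPTION_MACHINE_DISABLED)}


def check_sync(gpt_ini_text, ad_version_number):
    """Compare the Sysvol (Gpt.ini) version with the container's versionNumber.
    A mismatch means the two halves of the GPO are out of step, typically from
    Sysvol replication lag or a direct edit of only one of the two copies."""
    sysvol = decode_version(int(parse_gpt_ini(gpt_ini_text).get("version", "0")))
    ad = decode_version(ad_version_number)
    return {"sysvol": sysvol, "ad": ad,
            "machine_in_sync": sysvol["machine"] == ad["machine"],
            "user_in_sync": sysvol["user"] == ad["user"],
            "in_sync": sysvol == ad}
```

To run this against a real GPO, read Gpt.ini from the GPO's folder under \Policies and pass the versionNumber attribute of the matching CN={GUID},CN=Policies,CN=System,DC=... object; the DisplayName in Gpt.ini should likewise match the container's displayName.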

Local Group Policy Objects

A local Group Policy object exists on every computer, and by default it contains only security policy (that is, other types of policy settings are not configured by default). The local GPO is stored in %systemroot%\System32\GroupPolicy, and it has the following ACL permissions:

  • Administrators: full control

  • System (the operating system account): full control

  • Users: read

Group Policy Template Subfolders

The Group Policy template folder contains the following subfolders:

  • User. Includes a Registry.pol file that contains the registry settings to be applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and applied to the HKEY_CURRENT_USER portion of the registry.

    The User folder may contain the following subfolders (depending on the GPO contents):

    • Applications. Contains the advertisement files (.aas files) used by the Windows installer. These are applied to users.

    • Documents and Settings. Contains the Fdeploy.ini file, which includes status information about the Folder Redirection options for the current user's special folders.

    • Microsoft\RemoteInstall. Contains the OSCfilter.ini file, which holds user options for operating system installation through Remote Installation Services.

    • Microsoft\IEAK. Contains settings for the Internet Explorer Maintenance Snap-in.

    • Scripts\Logon. Contains all the user logon scripts and related files for this GPO.

    • Scripts\Logoff. Contains all the user logoff scripts and related files for this GPO.

  • Machine. Includes a Registry.pol file that contains the registry settings to be applied to computers. When a computer initializes, this Registry.pol file is downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry.

    The Machine folder may contain the following subfolders (depending on the GPO):

    • Scripts\Startup. Contains the scripts that are to run when the computer starts up.

    • Scripts\Shutdown. Contains the scripts that are to run when the computer shuts down.

    • Applications. Contains the advertisement files (.aas files) used by the Windows installer. These are applied to computers.

    • Microsoft\Windows NT\Secedit. Contains the Gpttmpl.inf file, a security template in Secedit .inf format that holds the Security Settings defined in the GPO (account policies, user rights, event log settings, restricted groups, and so on). In the Default Domain Controllers Policy this file holds the default security configuration for a domain controller.

  • Adm. Contains all of the .adm files for this GPO.

The User and Machine folders are created when the GPO is created, and the other folders are created as needed when policy is set.

Registry.pol Files

The Administrative Templates extension of the Group Policy Object Editor saves its settings in the Group Policy template in Unicode files called Registry.pol. These files contain the customized registry settings that you specify (by using the Group Policy Object Editor) to be applied to the Computer (HKEY_LOCAL_MACHINE) or User (HKEY_CURRENT_USER) portion of the registry.

Two Registry.pol files are created and stored in the Group Policy template: one for Computer Configuration settings, stored in the \Machine subdirectory, and one for User Configuration settings, stored in the \User subdirectory.

The Registry.pol file consists of a header and registry values.

The header contains two DWORD values, the signature and the file format version:

REGFILE_SIGNATURE     0x67655250 (the ASCII bytes "PReg" read as a little-endian DWORD, so a valid file begins with the bytes 50 52 65 67)
REGISTRY_FILE_VERSION 0x00000001 (increments each time the file format changes)

Each registry entry begins with an opening bracket ([) and ends with a closing bracket (]), with its five fields separated by semicolons:

[key;value;type;size;data]

The brackets, the semicolons, key and value are written as UTF-16LE text, and key and value are each NUL-terminated; type and size are 4-byte little-endian DWORDs; data is exactly size bytes of raw data.

where:

Key is the path to the registry key to use for the category. Do not include HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER in the registry path. The location of the file determines which of these keys is used.

The following value name has special meaning when used with a key:

  • **DeleteKeys. A semicolon-delimited list of subkeys of the key to delete. The entry's value field is **DeleteKeys and the list is carried in its data field.

    For example: **DeleteKeys NoRun;NoFind.

Value is the name of the registry value. The following values have special meaning for this field:

  • **DeleteValues—a semi-colon-delimited list of values to delete. Use as a value of the associated key.

  • **Del.valuename—deletes a single value. Use as a value of the associated key.

  • **DelVals—deletes all values in a key. Use as a value of the associated key.

Type is a data type. The field can be any of the standard registry value types, for example:

  • REG_DWORD

  • REG_EXPAND_SZ

  • REG_SZ

Note that although the file format supports every registry data type (including REG_MULTI_SZ), the Administrative Templates node does not support REG_BINARY or REG_MULTI_SZ, so settings defined by .adm files produce only REG_DWORD, REG_SZ and REG_EXPAND_SZ entries.

Size is the size of the data field in bytes. For example, 4.

Data is the raw information. For example, 4 bytes of data 0x00000001.

An entry may carry an empty value name with a type, size and data of 0 (or absent); such an entry means that only the key is to be created.

This pattern of [] entries continues until the end of the file.

All four deletion directives (**DeleteKeys, **DeleteValues, **Del.valuename and **DelVals) are placed in the value field of an entry whose key field names the key they operate on. **DeleteKeys and **DeleteValues carry their semicolon-delimited list of names in the data field as a REG_SZ string; the data field is not used by **Del.valuename or **DelVals. For example, an entry with value **DeleteKeys, type REG_SZ and data NoRun;NoFind deletes the NoRun and NoFind subkeys of the entry's key, and an entry with value **Del.NoRun deletes the single value NoRun. Because a directive is an ordinary entry distinguished only by its value name, anything that reads Registry.pol files must treat a value name that begins with ** as a directive rather than as a value to be written.

The Registry.pol file contains data to be written to the registry based on the settings specified with the Group Policy Object Editor, and the names of any scripts and their command lines (in the form of registry keys and values).
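The following Python example is added here and is not code from the original page or from Microsoft. It builds a Registry.pol file from constructed entries using the layout described above (the "PReg" signature and version header, then bracketed, semicolon-separated records with UTF-16LE key and value names and DWORD type and size fields), parses the bytes back, and turns the entries into the actions a client would perform, treating the ** value names as deletion directives and an empty entry as a key-only entry. The sample keys, value names and data are constructed; a parser of this kind is what you would run over every Registry.pol under \Policies when checking a domain's Sysvol for settings that nobody intended to set.

```python
"""Build, parse and interpret Registry.pol (PReg) files.

Added example, not code from the original page. Layout assumed from the text
above: header "PReg" (DWORD 0x67655250, little-endian) + version DWORD 1, then
entries "[" key NUL ";" value NUL ";" type ";" size ";" data "]" where the
brackets, semicolons, key and value are UTF-16LE, type and size are 4-byte
little-endian integers and data is `size` raw bytes.
"""
import struct

REGFILE_SIGNATURE = 0x67655250      # b"PReg" read as a little-endian DWORD
REGISTRY_FILE_VERSION = 1
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 0, 1, 2, 3, 4, 7

def _w(s):
    return s.encode("utf-16-le")              # UTF-16LE, no terminator

def _wz(s):
    return _w(s) + b"\x00\x00"                # NUL-terminated UTF-16LE

def build_registry_pol(entries):
    """entries: iterable of (key, value_name, reg_type, data_bytes)."""
    out = struct.pack("<II", REGFILE_SIGNATURE, REGISTRY_FILE_VERSION)
    for key, value, reg_type, data in entries:
        out += (_w("[") + _wz(key) + _w(";") + _wz(value) + _w(";")
                + struct.pack("<I", reg_type) + _w(";")
                + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))
    return out

def _read_wz(buf, pos):
    """Read a NUL-terminated UTF-16LE string; scan in 2-byte units so a NUL
    byte inside a character is not taken for the terminator."""
    start = pos
    while buf[pos:pos + 2] != b"\x00\x00":
        pos += 2
        if pos >= len(buf):
            raise ValueError("unterminated string at offset %d" % start)
    return buf[start:pos].decode("utf-16-le"), pos + 2

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_registry_pol(buf):
    """Return a list of (key, value_name, reg_type, data) entries."""
    if len(buf) < 8:
        raise ValueError("too short for a PReg header")
    sig, ver = struct.unpack_from("<II", buf, 0)
    if sig != REGFILE_SIGNATURE:
        raise ValueError("bad signature 0x%08x" % sig)
    if ver != REGISTRY_FILE_VERSION:
        raise ValueError("unsupported file version %d" % ver)
    entries, pos = [], 8
    while pos < len(buf):
        key, pos = _read_wz(buf, _expect(buf, pos, "["))
        value, pos = _read_wz(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type, sep, size = struct.unpack_from("<I2sI", buf, pos)  # type ; size
        if sep != _w(";"):
            raise ValueError("expected ';' at offset %d" % (pos + 4))
        pos = _expect(buf, pos + 10, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, reg_type, data))
    return entries

def decode_data(reg_type, data):
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                               # REG_BINARY and anything else: raw bytes

def interpret(entries):
    """Map entries to client actions; ** value names are directives, not values."""
    actions = []
    for key, value, reg_type, data in entries:
        if value in ("**DeleteKeys", "**DeleteValues"):
            kind = "delete_keys" if value == "**DeleteKeys" else "delete_values"
            actions.append((kind, key, decode_data(REG_SZ, data).split(";")))
        elif value.startswith("**Del."):
            actions.append(("delete_value", key, value[len("**Del."):]))
        elif value == "**DelVals":
            actions.append(("delete_all_values", key))
        elif value == "" and not data:
            actions.append(("create_key", key))   # key-only entry
        else:
            actions.append(("set", key, value, reg_type, decode_data(reg_type, data)))
    return actions

# Constructed sample: a DWORD policy, a single-value deletion, a subkey deletion
# and a key-only entry. The zero DWORD carried by the **Del. directive is ignored.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", REG_DWORD, struct.pack("<I", 1)),
    (EXPLORER, "**Del.NoRun", REG_DWORD, struct.pack("<I", 0)),
    (EXPLORER, "**DeleteKeys", REG_SZ, _wz("NoRun;NoFind")),
    (r"Software\Policies\Example", "", REG_NONE, b""),
]
```

Against a real file, `interpret(parse_registry_pol(open(path, "rb").read()))` lists what the GPO will do to the registry; the "set" actions whose key is under a Run, RunOnce or Winlogon path are the ones worth a second look, since a GPO's Machine\Registry.pol writes to HKEY_LOCAL_MACHINE on every computer the GPO applies to.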

How Registry.pol Files Are Created

The following steps outline how Registry.pol files are formed:

  • When you start the Group Policy Object Editor, a temporary registry tree is created that consists of two nodes: USER and MACHINE.

  • As you navigate the Administrative Templates node of the Group Policy Object Editor, .adm file nodes are displayed. The .adm files within the Group Policy Object Editor nodes are loaded dynamically when a particular node is selected, and the .adm file is then cached.

  • When a policy is selected in the details pane (the right side of MMC console window), the temporary registry is queried to determine whether the selected policy already has registry values assigned to it; if it does, those values are displayed in the Policy dialog box.

    If the selected policy does not have a registry value assigned to it, the default value from the .adm file or from the associated MMC snap-in extension is used.

  • After you modify a policy, the registry values that you specify are written to the appropriate portion of the temporary registry (either MACHINE or USER).

  • When you close the Group Policy Object Editor, the temporary registry hives are exported to the Registry.pol files in the appropriate folders of the Group Policy template.

  • The next time you start the Group Policy Object Editor for the same Group Policy Object for which you have previously set Group Policy settings, the registry information from the corresponding Registry.pol files is imported into the temporary registry tree. Therefore, when you view the policy settings, they reflect the current state.