How Group Policy Object Editor Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Group Policy Object Editor Architecture

  • Group Policy Object Editor Processes and Interactions

Administrators use Group Policy Object Editor to manipulate the settings in Group Policy objects (GPOs). The ideal environment contains:

  • Windows Server 2003 with Active Directory installed

  • Windows XP client computers

In this environment, an administrator can work with GPOs stored on the server. For these types of GPOs, all of the extensions to Group Policy Object Editor are functional. If Active Directory is not installed on your network, Group Policy Object Editor can be used only to edit the local GPO on individual client computers. For the local GPO, some of the extensions to Group Policy Object Editor are not functional.

Group Policy Object Editor Architecture

The Group Policy Object Editor is one of three administrative tools used to manage Group Policy. The following diagram shows all three of the tools as well as the domain controller and a client. In addition, the diagram describes the different communication protocols being used by each tool (LDAP, SMB, RPC/COM, DNS), the interactions between the tool, the domain controller and the client, and whether those interactions are READ or READ/WRITE.

Group Policy Object Editor Architecture

Group Policy Object Editor Architecture

Component Descriptions of the Group Policy Object Editor Architectural Diagram

Component Description

Group Policy Object Editor

The Group Policy Object Editor is the Microsoft Management Console (MMC) snap-in used to edit GPOs. It was previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit. The most notable feature of the Group Policy Object Editor is its extensibility. Administrators can extend the server-side snap-ins that ship with Group Policy Object Editor or they can develop completely new extensions for implementing Group Policy.

The Group Policy Object Editor is capable of read and write access to Active Directory, Sysvol, and the Local GPO.

Server Side Snap-ins

The nodes of the Group Policy Object Editor are also MMC server-side snap-ins. These snap-ins include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer Maintenance. Snap-ins can, in turn, be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to the Group Policy Object Editor to provide additional policy settings. Extensions are capable of read and write access to the Local GPO.

Server (Domain Controller)

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. GPOs are stored in two parts of domain controllers: The Active Directory database and the Sysvol.

Active Directory

Active Directory, the Windows-based directory service, stores information about objects on a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domain, and OUs that include user and computer objects. In this way, policy settings can be targeted to users and computers throughout the organization.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the largest part of a GPO, the Group Policy template (GPT), which includes Administrative Template-based policy settings, security settings, script files, and information regarding applications that are available for software installation. File Replication Service (FRS) replicates this information throughout the network.

Group Policy Object Editor uses .adm files to display available registry-based policy settings in the Administrative Templates section of a GPO. By default it attempts to read .adm files from the Sysvol on the domain controller. Alternatively, the .adm file can be read from the local workstation computer. This behavior can be controlled by a policy setting.

By default, if the time stamp of the .adm file found on the local computer is newer than the version on the Sysvol, the local version is copied to the Sysvol and is then used to display the settings. This behavior can be controlled by a policy setting.

If the GPO contains registry settings for which there is no corresponding .adm file, these settings cannot be seen in the Group Policy Object Editor.

LDAP Protocol

LDAP (Lightweight Directory Access Protocol) is the protocol used by the Active Directory directory service. Group Policy Object Editor uses LDAP to access the directory store on the domain controller. The client also uses LDAP to read the directory store on the domain controller.

SMB Protocol

SMB (Server Message Block) protocol is the primary method of file and print sharing. SMB can also be used for abstractions such as named pipes and mail slots. Group Policy Object Editor uses SMB to access the Sysvol as well as back up and retrieve files to a remote file system. The client also uses SMB to read the sysvol on the domain controller.

Group Policy Engine

The Group Policy Engine is a framework that handles common functionalities across client side extensions.

Client Side Extensions

Client-side extensions (CSEs) are dynamic-link libraries (DLLs) that are responsible for implementing Group Policy at the client computer. CSEs correspond to server-side snap-ins: Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer Maintenance.

The client-side extensions are loaded on an as-needed basis when a client computer is processing policy. The client computer first gets a list of Group Policy objects. Next, it loops through all the client-side extensions and determines whether each client-side extension has any data in any of the GPOs. If a client-side extension has data in a GPO, the client-side extension is called with the list of Group Policy objects that it should process. If the client-side extension does not have any settings in any of the GPOs, it is not called.

Local Group Policy object

The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.

Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of the Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.

Group Policy Object Editor Processes and Interactions

Administrators using Group Policy Object Editor need to understand that Administrative template files are handled differently, depending upon whether they are working with Group Policy Object Editor or Group Policy Management Console. The way each of the tools handles Administrative template files can be manipulated using Group Policy, but it is important to understand the differences between the two.

Administrative Templates in Group Policy Object Editor and GPMC

Administrative templates, or .adm files, enable administrators to control registry settings using Group Policy. Windows comes with a predefined set of Administrative template files, which are implemented as text files (with an .adm extension), that define the registry settings that can be configured in a GPO. These .adm files are stored in two locations by default: inside GPOs in the Sysvol folder and in the %windir%\inf directory on the local computer.

Windows Server 2003 includes the following .adm files: System.adm*,* Inetres.adm, Conf.adm, Wmplayer.adm, and Wuau.adm. These files contain all the settings initially displayed in the Administrative Templates node.

Default Administrative Templates

.Adm file Contains For Use on Description

System.adm

Settings to configure the Operating System.

Windows 2000 or Windows Server 2003.

Loaded by default.

Inetres.adm

Settings to configure Internet Explorer.

Windows 2000 or Windows Server 2003.

Loaded by default.

Conf.adm

Settings to configure NetMeeting v3.

Windows 2000 or Windows Server 2003. Note: This tool is not available on Windows XP 64-Bit Edition and the 64-bit versions of the Windows Server 2003 family.

Loaded by default.

Wmplayer.adm

Settings to configure Windows Media Player.

Windows XP, Windows Server 2003. Note: This tool is not available on Windows XP 64-Bit Edition and the 64-bit versions of the Windows Server 2003 family.

Loaded by default.

Wuau.adm

Settings to configure Windows Update.

Windows 2000 SP3, Windows XP SP1, Windows Server 2003.

Loaded by default.

Handling .Administrative Template Files in Group Policy Object Editor

Group Policy Object Editor uses .adm files to display available registry-based policy settings in the Administrative Templates section of a GPO. These settings include registry-based Group Policy for the Windows Server 2003 operating system and its components and for applications.

By default Group Policy Object Editor attempts to read .adm files from the GPO (from the Sysvol on the domain controller). Alternatively, the .adm file can be read from the local workstation computer. This behavior can be controlled by a policy setting.

By default, if the version of the .adm file found on the local computer is newer (based on the time stamp of the file) than the version on the Sysvol, the local version is copied to the Sysvol and is then used to display the settings. This behavior can be controlled by a policy setting.

If the GPO contains registry settings for which there is no corresponding .adm file, these settings cannot be seen in the Group Policy Object Editor. However, the policy settings are still active and will be applied to users or computers targeted by the GPO.

Policy settings pertaining to a user who logs on to a given workstation or server are written to the User portion of the registry database under HKEY_CURRENT_USER. Computer-specific settings are written to the Local Machine portion of the registry under HKEY_LOCAL_MACHINE.

Handling Administrative Template Files in GPMC

GPMC uses .adm files to display the friendly names of policy settings when generating HTML reports for GPOs, Group Policy Modeling, and Group Policy Results.

By default, GPMC uses the local .adm file, regardless of time stamp. If the file is not found, then GPMC will look in the GPO’s directory on Sysvol.

The user can specify an alternate path for where to find .adm files. If specified, this takes precedence over the previous locations.

GPMC never copies the .adm file to the Sysvol.