1.1.11 GPO Configuration Model

The GPO configuration model accommodates settings for users and computers, and includes Software, Windows, and Administrative Templates settings for both user and computer configurations. Software settings enable the Group Policy administrator to specify software applications to be installed on Group Policy client computers; Windows settings hold the extension configurations; and Administrative Templates represents Group Policy client subsystems for which registry settings can be configured.

Policy targets in Active Directory are individual user and computer accounts that exist within domain, site, or OU containers. Each site, domain, and OU has a gpLink attribute that associates it with one or more Group Policy container objects, which represent GPOs in Active Directory. Each GPO contains various attributes that are associated with users and computers. This includes an attribute that specifies the GPO path to policy files that store user and computer policy settings. The file system component of a GPO itself is configured with directories that hold policy data for users and computers. Therefore, when the Group Policy administrator views a GPO in a management interface such as the GPMC, two different sets of configuration settings are provided, as shown in the diagram of section 2.1.3.2.2:

User Configuration: Contains all information related to user policies that Group Policy clients retrieve during policy application in user policy mode, which includes data for the applicable CSEs. These CSEs store all server state for policy settings within the user configuration, in a format that is described in corresponding extension specifications.

Computer Configuration: Contains all information related to computer policies that Group Policy clients retrieve during policy application in computer policy mode, which includes data for the applicable CSEs. These CSEs store all server state for policy settings within the computer configuration, in a format that is described in corresponding extension specifications.

The logical component of each GPO contains a user extension list and a computer extension list that specify the GUIDs of CSEs that apply to users and computers, respectively. The actual settings for these extensions are stored in the physical (file system) component of the GPO, as described in section 1.1.10. The extension settings for the user and computer configuration are configurable from the Administrative tool. When the Group Policy administrator creates or modifies extension settings, they are sent to the Group Policy data store. For example, any modifications to GPO attributes are communicated to Active Directory on the Group Policy server via LDAP [RFC2251], while the actual extension policy settings are communicated to the Group Policy file share via a file access protocol. The Administrative tool invokes both protocols.
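The following added example (not part of the original specification text) decodes the logical component described above for an audit: it parses a container's gpLink value and each linked GPO's extension lists to report which CSE GUIDs apply in computer and user policy mode. It assumes the Active Directory attribute names gPCFileSysPath, gPCMachineExtensionNames, and gPCUserExtensionNames, which this page does not name, and the function names are hypothetical; all GUIDs, domain names, and paths are constructed sample values.

```python
import re

# Constructed sample values (GUIDs, domain and paths are made up), shaped like
# the attributes read over LDAP from an OU and from its GPO container objects.
G1 = "{11111111-1111-1111-1111-111111111111}"
G2 = "{22222222-2222-2222-2222-222222222222}"
G3 = "{33333333-3333-3333-3333-333333333333}"  # linked, but no GPO object exists
BASE = ",cn=policies,cn=system,DC=example,DC=test"
OU_GPLINK = "".join(f"[LDAP://cn={g}{BASE};{o}]" for g, o in ((G1, 2), (G2, 1), (G3, 0)))
GPOS = {
    G1: {
        "gPCFileSysPath": "\\\\example.test\\SysVol\\example.test\\Policies\\" + G1,
        "gPCMachineExtensionNames": "[{AAAAAAAA-0000-0000-0000-000000000001}{BBBBBBBB-0000-0000-0000-000000000001}]",
        "gPCUserExtensionNames": "[{AAAAAAAA-0000-0000-0000-000000000002}{BBBBBBBB-0000-0000-0000-000000000002}]"
                                 "[{AAAAAAAA-0000-0000-0000-000000000003}{BBBBBBBB-0000-0000-0000-000000000003}]",
    },
    G2: {"gPCFileSysPath": "\\\\example.test\\SysVol\\example.test\\Policies\\" + G2},
}

LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9a-f-]{36}\}),[^;\]]*;(\d+)\]", re.I)
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

def parse_gplink(value):
    """Decode gpLink into ordered links; option bit 0 = disabled, bit 1 = enforced."""
    return [{"gpo": g.upper(), "disabled": bool(int(o) & 1), "enforced": bool(int(o) & 2)}
            for g, o in LINK_RE.findall(value or "")]

def parse_extension_names(value):
    """Each [...] group starts with the CSE GUID; GUIDs after it are tool extensions."""
    groups = re.findall(r"\[([^\]]*)\]", value or "")
    return [GUID_RE.findall(g)[0].upper() for g in groups if GUID_RE.search(g)]

def linked_policy(gplink, gpos):
    """For every enabled link, list CSE GUIDs per policy mode; flag dangling links."""
    report = []
    for link in parse_gplink(gplink):
        if link["disabled"]:
            continue  # a disabled link contributes no settings
        gpo = gpos.get(link["gpo"])
        report.append({
            "gpo": link["gpo"], "enforced": link["enforced"], "dangling": gpo is None,
            "path": (gpo or {}).get("gPCFileSysPath"),
            "computer": parse_extension_names((gpo or {}).get("gPCMachineExtensionNames")),
            "user": parse_extension_names((gpo or {}).get("gPCUserExtensionNames")),
        })
    return report

if __name__ == "__main__":
    for row in linked_policy(OU_GPLINK, GPOS):
        print(row)
```

A link whose GPO object cannot be found is reported as dangling rather than skipped, since a leftover link to a deleted GPO is worth cleaning up.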