Local Group Policy Objects

A local Group Policy object exists on every computer, and by default only nodes under Security Settings are configured. Settings in other parts of the local Group Policy object's namespace are not enabled or disabled. The local Group Policy object is stored in %systemroot%\System32\GroupPolicy, and it has the following permissions set through discretionary access control lists (DACLs):

  • Administrators: full control

  • Operating system: full control

  • User: read

If Read permission is withdrawn from the Local Administrator group, Group Policy does not apply. This is a convenient way to exempt Local Administrators from a Group Policy object even though they have the Apply Group Policy permissions set to Allow.

The local Group Policy object Gpt.ini file contains the following information:

GPCUserExtensionNames    This includes a list of GUIDs that tells the client-side engine which client-side extensions have User data in the Group Policy object. The format is: [{<GUID of client-side extension>}{<GUID of MMC extension>}{<GUID of second MMC extension if appropriate>}][repeat first section as appropriate].

GPCMachineExtensionNames    This includes a list of GUIDs that tells the client-side engine which client-side extensions have Computer data in the Group Policy object.

Options    This refers to Group Policy object options such as User portion disabled or Computer portion disabled.

GPCFunctionalityVersion    This is the version number of the Group Policy extension tool that created the Group Policy object.

Group Policy Template Subfolders

The Group Policy template folder contains a tree of subfolders. The number of subfolders that are present in the tree depends on the Group Policy object; however, at least two subfolders are always present. They are Machine and User. The following is a description of each folder:

Machine    Includes a Registry.pol file that contains the registry settings that are applied to computers. When a computer initializes, this Registry.pol file is downloaded and applied to the HKEY_LOCAL_MACHINE portion of the registry.

User    Includes a Registry.pol file that contains the registry settings that are applied to users. When a user logs on to a computer, this Registry.pol file is downloaded and applied to the HKEY_CURRENT_USER portion of the registry.

The Group Policy template folder also includes a Gpt.ini file which contains version information. For Active Directory–based Group Policy objects, this file contains the version number of the Group Policy object in a line of this form:

Version=<version number>

The version number is the decimal representation of an eight-digit hexadecimal number (a DWORD). The four least significant digits represent the Computer Settings version number, and the four most significant digits represent the User Settings version number. For example, if you see

Version=65539

then the Computer Settings version is 3, and the User Settings version is 1, because 65539 converted to hexadecimal is 0x00010003.
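The following added example (not part of the original documentation) reads the Gpt.ini fields described above: it splits Version into its User and Computer halves and breaks an extension-names value into its bracketed groups, rejecting any text outside them. The [General] section name and the placeholder GUIDs in the sample are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample; the [General] section name and the placeholder GUIDs are
# assumptions for illustration, not values taken from the page.
SAMPLE_GPT_INI = """\
[General]
GPCFunctionalityVersion=2
GPCMachineExtensionNames=[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}][{33333333-3333-3333-3333-333333333333}{44444444-4444-4444-4444-444444444444}{55555555-5555-5555-5555-555555555555}]
Options=0
Version=65539
"""

GROUP_RE = re.compile(r"\[((?:\{[^{}\[\]]+\})+)\]")  # one [{CSE}{MMC}...] group
GUID_RE = re.compile(r"\{([^{}]+)\}")

def split_version(version):
    """Return (user_version, computer_version): high word, low word of the DWORD."""
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("Version does not fit in a DWORD: %r" % version)
    return version >> 16, version & 0xFFFF

def parse_extension_names(value):
    """Return [(cse_guid, [mmc_guid, ...]), ...]; reject text outside the groups."""
    groups, pos = [], 0
    for match in GROUP_RE.finditer(value):
        if match.start() != pos:
            raise ValueError("unexpected text at offset %d" % pos)
        guids = [g.upper() for g in GUID_RE.findall(match.group(1))]
        groups.append((guids[0], guids[1:]))
        pos = match.end()
    if pos != len(value):
        raise ValueError("unexpected text at offset %d" % pos)
    return groups

def parse_gpt_ini(text):
    """Summarise the Gpt.ini fields described above (key names are case-insensitive)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    general = parser["General"]
    user_version, computer_version = split_version(int(general.get("Version", "0")))
    return {
        "user_version": user_version,
        "computer_version": computer_version,
        "options": int(general.get("Options", "0")),
        "machine_extensions": parse_extension_names(general.get("GPCMachineExtensionNames", "")),
        "user_extensions": parse_extension_names(general.get("GPCUserExtensionNames", "")),
    }
```

Comparing this summary between two copies of a Gpt.ini file shows at a glance whether the User or Computer half was revised and whether an extension group was added or removed.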

The Group Policy template folder can also include the following subfolders:

Adm    Contains all of the .adm files for this Group Policy object.

Machine\Scripts\Shutdown    Contains scripts that run when the computer shuts down.

Machine\Scripts\Startup    Contains scripts that run when the computer starts.

Machine\Applications    The contents depend on what applications are computer-assigned with a given Group Policy object.

Machine\Microsoft\Windows NT\Secedit    Contains GptTmpl.inf, the default security configuration settings for a Windows 2000 domain controller.

User\Applications    Contains the advertisement files (.aas files) used by the Windows installer.

User\Documents & Settings    Contains Fdeploy.ini, which holds information about the Folder Redirection status of the current user's special folders.

User\Microsoft\RemoteInstall    Contains OSCfilter.ini, which holds user choices for operating system installation through Remote Installation Services.

User\Microsoft\IEAK    Contains settings for the Internet Explorer Maintenance Snap-in.

User\Scripts\Logoff    Contains scripts that are run when the user logs off the computer.

User\Scripts\Logon    Contains scripts that are run when the user logs on to the computer.

Note

The User and Machine folders are created during installation, and other folders are created as needed when policy is set.

Registry.pol Files

The Administrative Templates extension of Group Policy saves information in the Group Policy template in text files with the name Registry.pol. These files contain the customized registry settings that you specify using the Group Policy snap-in and that are applied to the Machine or User portion of the registry. The Windows 2000 Registry.pol file is analogous to the Windows 95 or Windows 98 Config.pol file and the Windows NT 4.0 NTConfig.pol file.

Two Registry.pol files are created and stored in the Group Policy template, one for Computer Configuration, which is stored in the \Machine subdirectory, and one for User Configuration, which is stored in the \User subdirectory.

Note

The format of the .pol files in the Group Policy template differs from that of the .pol files in previous versions of Windows.

The .pol files created by Windows NT 4.0 and Windows 95 can be applied only to the operating system on which they were created. The .pol file produced by the Windows NT 4.0 System Policy Editor was a binary file, whereas the Registry.pol file produced by the Administrative Templates node of the Group Policy snap-in is a text file with embedded binary strings.

To view .pol files without applying them to the registry, use the Regview.exe tool located on the Microsoft® Windows® 2000 Server Resource Kit companion CD.

For additional information about Registry.pol files, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
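As an added example (not part of the original documentation and not the Regview.exe tool), the following reader lists the settings in a Registry.pol file without applying them to the registry. The record layout it assumes (a PReg signature, a version DWORD of 1, then [key;value;type;size;data] records in UTF-16LE) comes from Microsoft's published Registry Policy File Format rather than from this page, and the sample bytes are constructed.

```python
import struct

def _w(text):
    return text.encode("utf-16-le")

def _record(key, value, reg_type, data):
    """Build one record; used only to construct the sample input below."""
    return (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
            + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

# Constructed sample: the second record's data contains ';' and ']' on purpose.
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + _record(r"Software\Policies\Example", "Enabled", 4, struct.pack("<I", 1))
              + _record(r"Software\Policies\Example", "Banner", 1, _w("a;b]\0")))

def _expect(buf, pos, char):
    if buf[pos:pos + 2] != _w(char):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string, then the ';' that follows it."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), _expect(buf, end + 2, ";")

def _dword(buf, pos):
    """Read a little-endian DWORD, then the ';' that follows it."""
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD at offset %d" % pos)
    return struct.unpack_from("<I", buf, pos)[0], _expect(buf, pos + 4, ";")

def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, data), ...] without touching the registry."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, records = 8, []
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, pos)
        reg_type, pos = _dword(buf, pos)
        size, pos = _dword(buf, pos)
        if pos + size > len(buf):
            raise ValueError("data overruns file at offset %d" % pos)
        records.append((key, value, reg_type, buf[pos:pos + size]))
        pos = _expect(buf, pos + size, "]")
    return records
```

The data field is read by its declared size rather than by searching for the next delimiter, so a value that itself contains ; or ] cannot shift the record boundaries.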