Responsibilities of the GPC
The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO.
Key aspects of the GPC visible using ADUC
By default, you are not able to see the GPCs using the Active Directory Users and Computers (ADUC). You will need to configure the ADUC to view Advanced Features, which is available under the View menu in the ADUC. When you enable this option, you will see numerous other containers within the domain. These additional containers include LostandFound, Program Data, System and others.
For the GPC, we are concerned with the System container. By expanding this container, you will find a sub container named Policies. Expanding the Policies container will expose a list of GUIDs, which correspond to all of the GPOs that exist within the domain. Each GUID container can be expanded again to show two more containers: Machine and User.
In almost all cases, these containers are empty. The reason is that the GPC is not responsible for storing the policy settings. That job is left for the Group Policy Template (GPT), which is located in the SYSVOL folder structure of the domain controllers. However, you will see information stored under these containers when you configure Software Installation policies. The package GUID and registration is stored in the GPC after a software package is configured. However, it is still not very informative because the key information is hidden from view and must be accessed using a tool that can see the Active Directory object attributes.
Key Object Attributes of the GPC
To see some of the key configurations that are stored within the GPC, you must go directly into the Active Directory database and view the attributes associated with the GPC. To accomplish this, you must use a tool like ADSIEDIT.msc or LDP.exe. These tools allow direct access into the objects stored within Active Directory.
When you use either of these tools, you will expand the Active Directory structure down to the GPC GUID, just like you did within the ADUC. However, once you get to the GUID, right-click on the object and select Properties. This will open up a view of all of the attributes related to the GPC. Scanning through the attributes, you will see some key attributes and their values, such as: cononicalName, gPCFileSysPath, gPCMachineExtensionNames, and versionNumber.
Conclusion
The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
