Tip

Understanding the GPC for Group Policy

Responsibilities of the GPC

The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO.

Key aspects of the GPC visible using ADUC

By default, you are not able to see the GPCs using the Active Directory Users and Computers (ADUC). You will need to configure the ADUC to view Advanced Features, which is available under the View menu in the ADUC. When you enable this option, you will see numerous other containers within the domain. These additional containers include LostandFound, Program Data, System and others.

For the GPC, we are concerned with the System container. By expanding this container, you will find a sub container named Policies. Expanding the Policies container will expose a list of GUIDs, which correspond to all of the GPOs that exist within the domain. Each GUID container can be expanded again to show two more containers: Machine and User.

In almost all cases, these containers are empty. The reason is that the GPC is not responsible for storing the policy settings. That job is left for the Group Policy Template (GPT), which is located in the SYSVOL folder structure of the domain controllers. However, you will see information stored under these containers when you configure

    Requires Free Membership to View

Software Installation policies. The package GUID and registration is stored in the GPC after a software package is configured. However, it is still not very informative because the key information is hidden from view and must be accessed using a tool that can see the Active Directory object attributes.

Key Object Attributes of the GPC

To see some of the key configurations that are stored within the GPC, you must go directly into the Active Directory database and view the attributes associated with the GPC. To accomplish this, you must use a tool like ADSIEDIT.msc or LDP.exe. These tools allow direct access into the objects stored within Active Directory.

When you use either of these tools, you will expand the Active Directory structure down to the GPC GUID, just like you did within the ADUC. However, once you get to the GUID, right-click on the object and select Properties. This will open up a view of all of the attributes related to the GPC. Scanning through the attributes, you will see some key attributes and their values, such as: cononicalName, gPCFileSysPath, gPCMachineExtensionNames, and versionNumber.

Conclusion

The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.


Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

This was first published in November 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.