As Group Policy Objects (GPOs) are created, they are stored on the domain controllers in two different locations. This is a key point when you need to troubleshoot a Group Policy application. One of the two portions of the GPO is kept in a folder structure and stored on domain controllers. There are numerous folders and files that make up this structure. Each file is responsible for storing key configurations that are made within the GPO. Understanding this folder and file structure is essential as you manage Group Policy.
Responsibilities of the GPT
The Group Policy Template (GPT) is the portion of a GPO that is stored in the SYSVOL of the domain controllers within the domain. The GPT is responsible for storing the settings that are configured in the GPO. It is also responsible for storing the Administrative Templates that enable modifications to the Registry values available in each GPO.
Key Folders of the GPT
The GPT for each GPO is located on each domain controller under C:\Windows\Sysvol\sysvol\
- ADM -- This folder contains the default ADM templates and any custom imported ADM templates that are imported into the GPO.
- Machine -- This folder contains the key files that store GPO settings related to the policy settings that exist under the Computer Configuration node within the GPO.
- User -- This folder contains the key files that store GPO settings related to the policy settings that exist under the User Configuration node within the GPO.
Key files of the GPT
A number of files located throughout the GPT keep track of the GPO version, Registry settings and security settings. All of these settings were established in the GPO during the editing process. The key files that you should know about include:
- GPT.ini -- This file resides at the root of the GPT and is responsible for storing the version of the GPO.
- Registry.pol -- This file is located under both the User and Machine folders. When any change is made to a policy setting under the Administrative Templates nodes, the settings are stored in this file. This file also stores all settings that are created under the Software Restriction policy.
- GptTmpl.inf -- This file is only located under the Machine folder structure. It is tucked away under the Microsoft\Windows NT\SecEdit folder. This file is responsible for storing security settings made under the Computer Configuration\Windows Settings\Security Settings node. In particular, it stores Account Policy settings, Audit Policy settings, User Rights, and Security Options policy settings.
- *.ADM -- There are numerous default ADM files for each GPO that is created. The ADM files create the user interface within the Group Policy Object Editor, plus they define the Registry path and value that need to be updated.
Understanding the structure of the GPT can help you track down issues that arise during GPO management and application. When you know which files store certain policy settings, you can troubleshoot down to a very granular level within the GPT. It is rare that you will need to modify any of these files as they reside in the GPT, but knowing how to analyze the contents will go a long way in fixing Group Policy issues.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.