Group Policy Settings: How Settings are Stored (Part 1)


Introduction

When a GPO setting is created, it must be stored in order to be delivered to the target computer. This article will cover how these settings are stored, where they are stored, and how they are tracked by the domain controllers in an Active Directory domain.

Have you ever created a new GPO, configured a policy or two, and wondered where and how those settings are stored? This article describes how the settings in the GPO are stored, as well as where they are stored. This information is essential for domain admins and Group Policy admins, both for troubleshooting and for an overall understanding of how Group Policy functions. There are times when you will need to work manually on a GPO and the settings stored in its files, for example when the GPO becomes corrupt and settings are not viewable in the editor.

Where GPO Settings are Stored

When a GPO is created, many events occur in the background. First off, when you create a new GPO, the domain controller that holds the PDC Emulator role is the one in charge. This is a built-in default behavior that can be altered, but initially the PDC Emulator is in charge.

What is updated on this domain controller is a “shell” for the contents of what you configured within the GPO during editing. The “shell” for the GPO is a folder, which is stored under the Policies folder. To access the Policies folder, find the Sysvol folder on the domain controller. By default this is located at c:\Windows\Sysvol\sysvol\<domainname>\Policies. Under the Policies folder is a list of folders, each named with a long alphanumeric value. This value is the GUID (Globally Unique Identifier) for the GPO. Figure 1 shows a common Policies folder, where you can see many GUIDs listed. The list of GUIDs represents all of the GPOs that you have for your domain.


Figure 1: GUIDs are represented as folders under the Policies folder on domain controllers

This location within the Sysvol on the domain controller is referred to as the Group Policy Template (GPT). The GPT is located on every domain controller. Once the PDC Emulator creates the GPT for the GPO, replication takes the files and duplicates them on the other domain controllers within the domain. The File Replication Service (FRS) handles this replication to all of the domain controllers.

Note:
FRS might be controlled by DFS-R depending on the version of Windows that you are running.

How the GPO Settings are Stored

Now that we have the “shell” for the GPO created in the form of a folder named after the GPO GUID, you can configure the GPO using the Group Policy Editor. When you edit a GPO you will see two top level sections of the GPO: Computer Configuration and User Configuration, shown in Figure 2.


Figure 2: Each GPO has two main sections: Computer Configuration and User Configuration

If you look at the folder structure of the GPT for the GPO, you will see two main folders: Machine and User, shown in Figure 3.


Figure 3: The GPT for the GPO stores settings under the Machine or User folder

As the names suggest, settings that are configured under Computer Configuration are stored under the Machine folder, and User Configuration settings are stored under the User folder.

From this point on, each setting is handled a bit differently when it is stored under the Machine and User folders. The structure of the file, the file type, and the file extension vary widely. Here I will go over many of the settings and how they are stored, but if you want a more in-depth explanation of each setting type and how it is stored, refer to www.technet.com or my book The Group Policy Resource Kit.

Administrative Templates Settings

There are two areas where these settings can be configured within the GPO: one is under Computer Configuration|Policies and one is under User Configuration|Policies. Every policy setting under these nodes in the GPO editor represents a Registry modification. All of these settings are stored in a file named Registry.pol under the Machine or User folder, which can be seen in Figure 4.


Figure 4: All Administrative Templates settings are stored in the Registry.pol file

The structure of this file is rather simple. The Registry path, the value that needs to be altered, and the data for the value are listed in the file, which can be seen in Figure 5.


Figure 5: The Registry path, value, and data are detailed in the Registry.pol file

Security Options Settings

You will find a long list of security settings under the Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options node. These settings are either operating system variable modifications or Registry modifications. All of the settings that fall under this node will be stored in a file named gpttmpl.inf which will be stored under the Machine\Microsoft\Windows NT\SecEdit folder.

For example, if you modify the name of the Administrator account (using the Accounts: Rename administrator account policy), this will create an entry in the gpttmpl.inf file under the System Access section, which can be seen in Figure 6.


Figure 6: Some Security Options settings modify OS variables

Another example is when you modify the UAC settings (using the User Account Control: Admin Approval Mode for the Built in Administrator Account setting), this will create an entry in the gpttmpl.inf file under the Registry Values section, which can be seen in Figure 7.


Figure 7: Some Security Options settings modify Registry values
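The two kinds of gpttmpl.inf entries described above can be told apart by reading the System Access and Registry Values sections. This is an added example, not code from the original article; the sample file is constructed, and the UTF-16 encoding and the "type,data" form of Registry Values lines are stated here as assumptions about the security template format.

```python
import codecs

# Constructed sample in the layout of gpttmpl.inf; the account name is made up.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "ExampleAdmin"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,1
"""

INF_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def decode_inf(raw):
    # Assumption: the file is UTF-16 with a byte-order mark; fall back to UTF-8.
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8")

def parse_sections(text):
    """Return {section name: {setting name: raw value}}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            current[name.strip()] = value.strip()
    return sections

def system_access(sections):
    # OS-level settings such as the renamed Administrator account
    return {k: v.strip('"') for k, v in sections.get("System Access", {}).items()}

def registry_values(sections):
    # Each line is <registry path>\<value name>=<type id>,<data>
    rows = []
    for full_name, spec in sections.get("Registry Values", {}).items():
        path, _, value_name = full_name.rpartition("\\")
        type_id, _, data = spec.partition(",")
        kind = int(type_id)
        rows.append((path, value_name, INF_TYPES.get(kind, type_id),
                     int(data) if kind == 4 else data.strip('"')))
    return rows
```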

Preferences Settings

The newest of all Group Policy settings is Group Policy Preferences. These settings can be seen if you edit a GPO on Windows Server 2008 or Windows Vista SP1 (with the RSAT installed) (Read one of my previous articles for more information on Group Policy Preferences).

These settings work in a similar fashion to the other settings, but they are saved as XML files. For example, if you set up a GPP Shortcut under the User Configuration, the XML file for the shortcut will be saved under the User\Preferences\Shortcuts folder in a file named shortcuts.xml.

The structure of the file is not as simple as the other file structures, but you can still see the overall point of the file and the contents of the file.

Summary

Now that you can see where the settings are stored when you create and configure a Group Policy setting, you can perform more investigations of other settings on your own. The overall point is that when a setting is established, there is a file created that will store the settings and details of the configuration. There are two major levels of configuration: user and computer. These levels dictate where the setting will be stored based on which portion of the GPO is configured. Now that you have this information, you can troubleshoot, investigate and solve nearly any GPO storage issue.


2 thoughts on “Group Policy Settings: How Settings are Stored (Part 1)”

  1. A serious concern with my domain controller and all the posts can no longer connect and even locally.
    I explained
    Inadvertently, the following Group Policy has been enabled and all workstations and servers will crash after entering “CTRL + ALT + SUP”, and a black screen will appear which prevents access to the settings entry window authentication.
    I denied the parameter DCOM: Access Restriction to a computer… SDDL Language for everyone
    Please, need your help, I am sincerely in the shit.
    NB: I remind that I have no access to any server
