Group Policy Processing At Client Computers
A client computer joined to domain gathers the list of GPOs to be processed as mentioned below:
- Client computer starts.
- Winlogon Service on the client computer starts. The DCLocator component executes an API call; DsGetDcName to find the domain controller. A DNS Query is send to configured DNS Server.
- DNS Server receives the DNS Query and provides the list of domain controllers.
- Winlogon selects one of the Domain Controller listed in the list and then authenticates the client computer.
- Winlogon now processes the GPOs to be applies to the computer.
- It checks the location of Computer Account in the Active Directory and then check the GPOs configured on the OU.
- Winlogon checks the following permissions for the Computer Account.
Authenticated Users: Read and AGP
Note: Authenticated Users is added by default when you create a GPO and this Security Group has all authenticated domain users and computer accounts.
- Winlogon next checks the gpcFilePath in the Active Directory to check the path of the SYSVOL share where this policy resides. A gpcFilePath looks like below:
Note: If this attribute is missing or has an empty value then this Group Policy will not be processed for client computers.
- After it has found the sysvol path, it then processes the Registry.POL file in the GUID folder. The Registry.POL file contains the Registry based settings you have defined in the Group Policy.
- It processes the settings and activity is logged into the Winlogon.log file of client computer.