
Windows Server 2012: Group Policy

Administration and Troubleshooting

Module 2: Fundamentals of Group Policies

Microsoft Confidential
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software
is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content
and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind,
whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-
infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should
be inferred.

Copyright and Trademarks


© 2013 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Module Agenda
Lesson 1: Group Policies Explained
Lesson 2: Group Policy Containers
Lesson 3: Group Policy Templates
Lesson 4: Administrative Templates
Lesson 5: Local Group Policies

Lesson 1: Group Policies Explained

Group Policies Explained Objective
Explain what a Group Policy Object is
Describe the Components of a Group Policy
Understand how Group Policies are stored and replicated

Group Policies Explained Overview
What is a Group Policy?
Group Policy Components

What is a Group Policy Object?
Group Policy is used to define configurations for groups of
users and computers
A GPO is a collection of configurations used to define and
control the state of users and computers in your enterprise
Policies can be found in Active Directory or on stand-alone
client computers
Group Policy has the following advantages
Allows for centralized or decentralized management of policy
options
Offers flexibility and scalability
Allows administrators to delegate control of Group Policy Objects
Provides reliability and security

Group Policy Components
Group Policy Object (GPO)
Virtual Storage Location for Policy Settings

Group Policy Template (GPT)
File system policy information
Named by GUID
Stored in SYSVOL Share
Replicated by DFSR/FRS
Path: SYSVOL\<Domain>\Policies

Group Policy Container (GPC)
Active Directory policy metadata
Stores version, status and policy information
Named by GUID
Replicated by AD Replication

Group Policies Explained Review
What is a Group Policy?
Group Policy Components

Lesson 2: Group Policy Containers

Group Policy Container Objectives
Describe the purpose of the object
Describe what Group Policy Containers are
Understand the key features
Explain the concept

Group Policy Containers Overview
What is a Group Policy Container?
Key Attributes
Child Objects

What is a Group Policy Container?
Object Class within Active Directory
SystemMustContain Attribute
SystemMayContain Attribute
Replicated using Directory Replication Services (DRS)

Key Attributes
Typical Location
CN=<GUID>,CN=Policies,CN=System,DC=<Domain>,DC=<Domain>

Attribute                  Description
name                       Object GUID
displayName                Friendly Policy Name
Flags                      0 (UE/CE), 1 (UD/CE), 2 (UE/CD), 3 (UD/CD)
                           U = User, C = Computer, E = Enabled, D = Disabled
gPCFileSysPath             Location of the GPT
gPCFunctionalityVersion    Management Toolset version
gPCMachineExtensionNames   Machine Client Side Extension list
gPCUserExtensionNames      User Client Side Extension list
gPCWQLFilter               GUID of related WMI Filter
versionNumber              Policy revision number

Child Objects
Below the Group Policy Container
CN=Machine
CN=User
Sub Containers

Group Policy Containers Review
What is a Group Policy Container?
Key Attributes
Child Objects

Lesson 3: Group Policy Templates

Group Policy Template Objectives
Describe the purpose of the object
Describe what Group Policy Templates are
Understand the key features
Explain the concept

Group Policy Template Overview
What is a Group Policy Template?
SYSVOL Redirections
Folder Structure
Key File Contents

What is a Group Policy Template?
Physical representation of the Group Policy
Associated to the GPC by the gPCFileSysPath attribute
Folder name GUID matches GPC “name” GUID
Accessed via a Distributed File System (DFS) share
Replicated by Distributed File System Replication (DFSR)
Legacy systems use File Replication Services (FRS)

SYSVOL Redirections
Junction Points
SYSVOL\SYSVOL maps to SYSVOL\Domain
Referrals
DFS Root for SYSVOL Share
Users are redirected in the background
SiteCostedReferrals
Connection Order:
1. Local DCs first
2. Next closest site by cost
3. All other domain controllers

Folder Structure
Default Root folders: Policies, Scripts
Default Group Policy Objects
{31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}: Default Domain Controller Policy
Warning – Don’t delete default GPOs
Typical sub contents: Machine, User, GPT.INI

Key File Contents
Group Policy Template Contents
GPT.ini
Registry.Pol
GptTmpl.inf
XML

Group Policy Template Contents
Typical File Types
Extension     Description
ADMX          Administrative template setting files
ADML          Administrative template language files
INF           Security files
XML           Preference configuration files
POL           Registry configuration files
INI           Configuration files
CMTX          GPO Comment files
PS1,VBS,CMD   Logon/Log off Scripts

GPT.INI
Version numbers are written in the GPT and GPC
Version number formula
1 for each machine-specific change
65536 for each user-specific change
Version stored in AD and GPT.ini
Example
                    User Side   Computer Side
Actual changes      50          4
Converted to hex    32          4
Results
Hex combination     0x00320004
Value for version   3276804
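
The version formula above, as an added Python example that is not part of the training material: it splits a combined version into its user and machine counts and compares the GPC versionNumber with the Version line that GPT.ini keeps under [General]. The sample values and the function names are constructed for illustration.

```python
import configparser

USER_STEP = 65536  # each user-side change adds 65536; each machine-side change adds 1

def split_version(version):
    """Split a combined 32-bit version into (user_changes, machine_changes)."""
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("version must fit in 32 bits")
    return divmod(version, USER_STEP)

def gpt_ini_version(text):
    """Read Version from the [General] section of GPT.ini content."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser.getint("General", "Version")

def compare_versions(gpc_version_number, gpt_ini_text):
    """Compare the GPC versionNumber (AD) with the GPT.ini Version (SYSVOL)."""
    sides = ("user", "machine")
    gpc = dict(zip(sides, split_version(gpc_version_number)))
    gpt = dict(zip(sides, split_version(gpt_ini_version(gpt_ini_text))))
    mismatched = [side for side in sides if gpc[side] != gpt[side]]
    return {"gpc": gpc, "gpt": gpt, "in_sync": not mismatched, "mismatched": mismatched}

# Constructed sample: GPT.ini carries the slide's value, while the directory
# copy has already recorded one more machine-side change.
SAMPLE_GPT_INI = "[General]\nVersion=3276804\n"
SAMPLE_GPC_VERSION = 3276805

if __name__ == "__main__":
    print(compare_versions(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI))
```

A mismatch between the two copies means Active Directory replication and SYSVOL replication have not yet converged for that GPO on the domain controller being checked.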

Registry.Pol
Contains Registry based policy settings
Unicode-Encoded text file
Uses [ ] to separate registry values
Uses a semicolon as an item separator, within each value
Registry Key
Key Value
Value type (REG_DWORD)
Size of the value
Value
Size >12k to <48k
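
The entry layout listed above, as an added Python example that is not part of the training material: a parser for Registry.pol bytes. It relies on details of the on-disk format that the slide does not state (an 8-byte header made of the signature PReg and version 1, NUL-terminated UTF-16LE strings, type and size stored as 32-bit little-endian integers); the sample policy key is constructed.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def _w(text):
    return text.encode("utf-16-le")  # string encoding used inside Registry.pol

def _expect(buf, pos, ch):
    """Check that the delimiter ch sits at pos; return the position after it."""
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf):
    """Return a list of (key, value, type, data) tuples from Registry.pol bytes."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("missing PReg signature or unsupported version")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        if pos + size > len(buf):
            raise ValueError("declared size runs past end of file")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif reg_type in (REG_SZ, REG_EXPAND_SZ):
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, value, reg_type, data))
    return entries

# Constructed sample: one REG_DWORD setting under a made-up policy key.
SAMPLE = (b"PReg" + struct.pack("<I", 1) + _w("[Software\\Policies\\Example\0;")
          + _w("EnableFeature\0;") + struct.pack("<I", REG_DWORD) + _w(";")
          + struct.pack("<I", 4) + _w(";") + struct.pack("<I", 1) + _w("]"))
```

Running the parser over the Registry.pol files of each GPO gives a reviewable list of the registry settings a policy actually writes, independent of what the editor displays.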

GptTmpl.inf
Common Configuration file
Present by default
Security Configuration
Default Domain Policy

Default Domain Controller Policy

XML
Typically used by Group Policy Preferences
Contains preference configuration

<?xml version="1.0" encoding="utf-8" ?>


<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" status="S:" image="2"
changed="2009-05-01 13:24:33" uid="{65A9497B-947A-4873-886B-E431CB510DF9}">
<Properties action="U" thisDrive="SHOW" allDrives="NOCHANGE" userName=""
path="\\Server1\data" label="" persistent="0" useLetter="1" letter="S" />
</Drive>
</Drives>

Group Policy Template Review
What is a Group Policy Template?
SYSVOL Redirections
Folder Structure
Key File Contents

Lesson 4: Administrative Templates

Administrative Template Objectives
Describe the purpose of Administrative Templates
Describe what types are present
Understand the key features
Explain how to create a central store

Administrative Template Overview
What are Administrative Templates?
Legacy Administrative Templates
Legacy Template Searching
What are ADMX Files?
Central Store Management
Administrative Template Best Practices

What are Administrative Templates?
Define what settings are visible for change in the GPMC
Two types
ADMX/ADML
Introduced with Microsoft Vista
Based on XML
Utilizes one set of ADML files for language
ADM
Pre-Microsoft Vista
Language is not widely supported or flexible
Requires new GPO for each language supported
Stored differently
Not utilized in the application of settings

Legacy Administrative Templates
Stored on local system %windir%\inf
Copied to SYSVOL automatically
5 default ADM per policy
Approximately 4MB per ADM Folder
The GPT can store only one set of ADM files. You cannot
use the GPT to store ADM files for multiple languages.
Can be Migrated by using ADMX Migrator

Legacy Template Searching
View\Options within GPMC

What are ADMX Files?
Define what settings are visible for change
Multiple language management through ADML
Stored on local system by default
%windir%\PolicyDefinitions
One ADMX file set for all GPOs

Central Store Management
Creating the Central Store
Populating the Central Store

Creating the Central Store
ADMX files and the central store are backwards compatible
and allow editing of policies created in older versions
Windows 8 and Windows 2012 do not include any .ADM files
The central store is merely a directory
Central store is used by default if it exists
Windows 8 and Windows 2012 will still consume any
custom ADM files found in a GPO
You can still add ADM files to a GPO
Recommend using ADMX moving forward

Populate the Central Store with ADMX Files
The central store must be populated manually
Updating the central store is also a manual process
ADMX files in the store are used in Windows Vista SP1 or
newer automatically
ADMX/ADML files need to be copied to the store
Always use the latest files
Different versions of the files exist between client and server SKUs
New ADMX get released with new products
Available for download

Administrative Template Best Practices
Administrative Templates are not forward compatible
Edit Policies using latest version of the operating system in the
environment only
Always create a central store
Remove legacy Administrative Templates with care
Filtering the replication of ADM files - KB 813338

Administrative Template Review
What are Administrative Templates?
Legacy Administrative Templates
What are ADMX Files?
Central Store Management
Administrative Template Best Practices

Lesson 5: Local Group Policies

Local Group Policy Objectives
Describe the purpose of Local Policies
Describe what Local Policies are
Understand the key features

Local Group Policy Overview
What are Local Policies?
Create a Local Policy
What are Multiple Local Group Policies?
Create a Multiple Local Group Policy

What are Local Policies?
Common Uses
Internet Kiosks
Reception areas
Local security in a domain
Home use
Storage Location
Windows\System32\GroupPolicy
GPT.ini Contents
gPCMachineExtensionNames
gPCUserExtensionNames
Version
Turning Off Local Policies

Create a Local Policy

What are Multiple Local Group Policies?
Control on a per user basis
Precedence Order
Local Computer GPO
Local Administrators’ or non-Administrators' GPO settings
Local User GPO
Storage Location
Windows\System32\GroupPolicyUsers\<SID>
GPT.ini Contents
gPCMachineExtensionNames
gPCUserExtensionNames
Version

Create Multiple Local Group Policies

Local Group Policy Review
What are Local Policies?
Create a Local Policy
What are Multiple Local Group Policies?
Create a Multiple Local Group Policy

Module 2 Review
Lesson 1: Group Policies Explained
Lesson 2: Group Policy Containers
Lesson 3: Group Policy Templates
Lesson 4: Administrative Templates
Lesson 5: Local Group Policies
