Group Policy Architecture
General Properties of Group Policy Objects
• Each GPO has its own GUID, unique to that object.
• GPOs are edited with the Group Policy Object Editor MMC snap-in and are referred to by the name given to them.
• Depending on their settings, GPOs affect computers or users, and every GPO can be linked to the whole environment (the Active Directory forest, its domains and sites) or to just one organizational unit.
• A GPO can be linked to sites and thereby sent to trusted domains; however, this may hurt performance and is not recommended.
• Policy is refreshed every 60 minutes. This interval can be changed if desired.
Group Policy Storage Structure
All Group Policy objects are stored at domain level, keyed by their GUID. The policy information is split into the following two classes:
• Group Policy Container (GPC)
• Group Policy Template (GPT)
The Group Policy Container stores the policy's properties, version information and link state.
The Group Policy Template stores the ADM or ADMX administrative template files, script files and software-installation information the policy needs, in the SYSVOL folder.
A Group Policy object can be replicated to other trusted domains. There are two ways to do this:
• File Replication Service: the GPT and GPC objects are transferred to the other domains by automatic or manual file replication. When the transfer is complete, the policy objects are applied to the client computers.
• Domain Trust: all domain controllers replicate with each other automatically every 15 minutes. They cover all domains in the same forest, and the clients pick up the policy and apply it automatically.
Replication scheme (figure): http://www.alperyazgan.com/wp-content/uploads/IC197918.gif
Policy Override (Enforce) & Blocking
If you want a single Group Policy object to apply to a container regardless of what is set below it, use the No Override option (Windows Server 2003) or the Enforce option (Windows Server 2008 R2). For instance, if we have a forest- or domain-level policy that we want applied to everyone, ticking Enforced ensures that every container underneath is affected by this policy.
The policy hierarchy always flows from top to bottom: the object at the top, called the Default Domain Policy, affects everything configured in the domain. Objects in the containers below are affected by the policies applied above them. If an object should not be affected by a policy coming from above, the Block Policy Inheritance option cuts off inheritance from those higher-level policies in front of the object.
Important: Enforced always takes precedence over Block Policy Inheritance.
Important: An Enforced policy is still applied to objects on which Block Policy Inheritance is enabled.
Block inheritance (figure): http://www.alperyazgan.com/wp-content/uploads/inheritance.JPG
Enforce (figure): http://www.alperyazgan.com/wp-content/uploads/enforce.JPG
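As an added example (not code from the original post), the following PowerShell script reports, for the domain root and every OU, which GPO links are Enforced, which containers block inheritance, and which Enforced links from a parent still reach a blocked container. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account can read the domain.

```powershell
# Added example: audit Enforced links and Block Inheritance across the domain.
# Enforced links win over Block Inheritance, so a blocked OU still receives them.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @($domainDN) + (Get-ADOrganizationalUnit -Filter * |
                            Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t

    # Links set directly on this container (Order 1 has the highest precedence here)
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Container         = $inh.Path
            BlocksInheritance = $inh.GpoInheritanceBlocked
            GPO               = $link.DisplayName
            LinkedAt          = $link.Target
            Order             = $link.Order
            Enforced          = $link.Enforced
            Enabled           = $link.Enabled
            Source            = 'Direct'
        }
    }

    # Enforced links from parents that still apply although this container blocks inheritance
    if ($inh.GpoInheritanceBlocked) {
        foreach ($link in $inh.InheritedGpoLinks |
                 Where-Object { $_.Enforced -and $_.Target -ne $inh.Path }) {
            [pscustomobject]@{
                Container         = $inh.Path
                BlocksInheritance = $true
                GPO               = $link.DisplayName
                LinkedAt          = $link.Target
                Order             = $link.Order
                Enforced          = $true
                Enabled           = $link.Enabled
                Source            = 'Enforced from parent'
            }
        }
    }
}

$report | Sort-Object Container, Source, Order | Format-Table -AutoSize
```

Rows with Source set to "Enforced from parent" are exactly the cases the two Important notes above describe: the container has Block Policy Inheritance on, yet the Enforced policy from higher up is still applied.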
Group Policy History
Each computer policy object is stored in the registry under HKLM:
Path : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
Each user policy object is stored in the following registry path, under the hive of the logged-on user:
Path : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
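As an added example (not code from the original post), the following PowerShell reads the two History keys above and lists the GPOs each client-side extension last applied, for both the computer and the logged-on user. The value names it reads (DisplayName, GPOName, FileSysPath, Link, Version) are what these keys hold on a domain-joined Windows client; treat them as an assumption if your build differs. The final check flags domain GPOs whose template is not being loaded from a SYSVOL Policies share.

```powershell
# Added example: enumerate the Group Policy History keys for computer and user policy.
function Get-GPHistory {
    param([ValidateSet('HKLM','HKCU')][string]$Hive = 'HKLM')

    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History"
    if (-not (Test-Path -Path $base)) { return }

    # One subkey per client-side extension (CSE) GUID, then numbered subkeys per applied GPO
    foreach ($cse in Get-ChildItem -Path $base) {
        foreach ($entry in Get-ChildItem -Path $cse.PSPath) {
            $p = Get-ItemProperty -Path $entry.PSPath
            [pscustomobject]@{
                Hive        = $Hive
                Extension   = $cse.PSChildName
                Order       = [int]$entry.PSChildName
                GPOName     = $p.GPOName       # GUID for domain GPOs, a plain name for local policy
                DisplayName = $p.DisplayName
                FileSysPath = $p.FileSysPath   # where the GPT was read from
                Link        = $p.Link          # the container the GPO was linked to
                Version     = $p.Version
            }
        }
    }
}

# Computer policies first, then user policies for the logged-on user
$all = @(Get-GPHistory -Hive HKLM) + @(Get-GPHistory -Hive HKCU)
$all | Sort-Object Hive, Extension, Order | Format-Table -AutoSize

# Defender check: a domain GPO (GUID name) should come from \\<server>\SysVol\<domain>\Policies\{GUID}.
# Anything else means the client read its template from somewhere unexpected and is worth a look.
$all |
    Where-Object { $_.GPOName -match '^\{[0-9A-Fa-f-]+\}$' -and
                   $_.FileSysPath -notmatch '^\\\\[^\\]+\\SysVol\\[^\\]+\\Policies\\\{' } |
    ForEach-Object {
        Write-Warning ("{0} ({1}) was loaded from an unexpected path: {2}" -f
                       $_.DisplayName, $_.GPOName, $_.FileSysPath)
    }
```

Run it in an elevated session to read HKLM fully; the HKCU part only reflects the user running the script, so for another user's history run it in that user's session.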
Template Permissions
Some Active Directory group objects are granted default permissions on the GPO templates. The reference table is below.

| Trustee | Access |
| --- | --- |
| Authenticated Users | Read and Execute |
| Administrators | Full Control |
| Group Policy Creator Owners | Read and Execute |
| Creator Owner | Full Control (Subfolders and Files only) |
| System | Full Control |
Resource : http://technet.microsoft.com/en-us/library/cc784268(v=ws.10).aspx
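As an added example (not code from the original post or the referenced TechNet article), the following PowerShell compares the ACL of every policy folder in SYSVOL with the default trustees from the table above and reports drift: a trustee that is not in the table, or a read-only trustee that has been given write access. It assumes the ActiveDirectory RSAT module and read access to SYSVOL; trustees are compared by their short name so that "DOMAIN\Group Policy Creator Owners" and "NT AUTHORITY\SYSTEM" match the table.

```powershell
# Added example: report ACL drift on GPO template folders against the default trustee table.
Import-Module ActiveDirectory

# Reference table: trustee -> is write access part of the default?
$reference = @{
    'Authenticated Users'         = $false   # Read and Execute
    'Administrators'              = $true    # Full Control
    'Group Policy Creator Owners' = $false   # Read and Execute
    'CREATOR OWNER'               = $true    # Full Control (subfolders and files only)
    'SYSTEM'                      = $true    # Full Control
}

# Any of these bits lets the holder change a template's contents or its permissions
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-GPTemplateAcl {
    param([string]$PoliciesPath)

    # Template folders are named by the GPO's GUID
    foreach ($dir in Get-ChildItem -Path $PoliciesPath -Directory | Where-Object Name -like '{*}') {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access | Where-Object AccessControlType -eq 'Allow') {
            $trustee  = $ace.IdentityReference.Value.Split('\')[-1]
            $canWrite = ($ace.FileSystemRights -band $writeBits) -ne 0
            $finding  = $null
            if (-not $reference.ContainsKey($trustee)) {
                $finding = 'Trustee not in default template ACL'
            } elseif ($canWrite -and -not $reference[$trustee]) {
                $finding = 'Write access granted to a read-only trustee'
            }
            if ($finding) {
                [pscustomobject]@{
                    Policy  = $dir.Name
                    Trustee = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                    Finding = $finding
                }
            }
        }
    }
}

$domain = (Get-ADDomain).DNSRoot
Test-GPTemplateAcl -PoliciesPath "\\$domain\SYSVOL\$domain\Policies" | Format-Table -AutoSize
```

Because write access to a template lets its holder change the scripts and settings every targeted computer will apply, any unexpected write ACE on these folders deserves the same scrutiny as a change to the GPO itself. Many domains also show Enterprise Domain Controllers with read access on these folders; if that is normal in yours, add it to the hashtable so it is not reported.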
Ports Used by Group Policy

| Service Name | UDP | TCP |
| --- | --- | --- |
| Lightweight Directory Access Protocol | n/a | 389 |
| SMB | n/a | 445 |
| DCOM | Dynamically assigned | Dynamically assigned |
| RPC | Dynamically assigned | Dynamically assigned |
Resource : http://technet.microsoft.com/en-us/library/cc784268(v=ws.10).aspx
Finally, below are two very useful reporting tools.
Group Policy LogView
Policy Reporter