4 Understanding The Architecture of Group Policy Processing

This document discusses the architecture of Group Policy processing in Active Directory. It describes the key components involved, including the Sysvol folder, PDC emulator, client-side extensions, Group Policy container (GPC), and Group Policy template (GPT). It explains how Group Policy settings are stored and replicated, and how versioning works to sync the GPC and GPT. The overall goal is to understand the infrastructure and order of how Group Policies are deployed, which is necessary for troubleshooting issues.

Uploaded by AlexandreAntunes

16/11/2014

4 Understanding the Architecture of Group Policy Processing

Section Topics
Group Policy Components in AD DS
Understanding the Group Policy Processing Sequence
Modifying Group Policy Processing

Section Objectives

After completing this section, you will be able to:


Describe the Active Directory components that you can use to deploy Group Policy
Explain the order in which Group Policy is deployed in Active Directory
Describe the methods that are available to modify Group Policy processing

Section Overview
Troubleshooting Group Policy involves more than knowing when to use which tool. You also
need to understand the Group Policy infrastructure, the GPO structure, and the Group Policy
deployment order. This section describes the concepts that you must grasp in order to
troubleshoot Group Policy. This section also describes the options that are available to change
the standard Group Policy processing sequence.

Group Policy Components in AD DS


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=5&FontSize=

1/32

Figure 80: Group Policy Components in AD DS


All domain controllers and computers that are members of the domain use certain Active
Directory components to deploy Group Policy settings. Figure 80 lists these components.
You must have access to the physical and logical network diagrams of your Active Directory
infrastructure (sites, subnets, and the WAN links between them) to troubleshoot Group Policy.

Sysvol Folder

Figure 81: Sysvol Folder


The Sysvol folder is a system folder in the NTFS file system of every Active Directory domain
controller, located at %SystemRoot%\Sysvol and shared as SYSVOL. It contains the file-based
part of each GPO: administrative template (.adm) files, security templates, logon, logoff,
startup and shutdown scripts, and the details of MSI packages to be installed through software
installation policy.

Sysvol Details
The Group Policy settings of an authenticating user are held in the domain where the user
account is located. The file-based part of those settings is stored in the Sysvol folder on each
domain controller of that domain and replicated throughout the domain by the FRS (or by
DFS-R in domains that have migrated to it; see DFS-R below).
The FRS monitors Sysvol for changes to Group Policy files, startup and shutdown scripts, and
logon and logoff scripts, and replicates them to the other domain controllers. If your Active
Directory is made up of multiple sites (each site is a collection of one or more IP subnets), the
copies of the Sysvol folder are separated by WAN links.
If you have multiple sites, and each site contains multiple domain controllers, your network
map can get very complicated and Group Policy becomes much more dependent on the
replication process: a client reads a GPO from a domain controller in its own site, so a setting
edited at headquarters is not applied in a branch until replication has delivered it there.

PDC Emulator

Figure 82: PDC Emulator


One domain controller per domain holds the role of PDC (primary domain controller)
emulator. Only one domain controller can hold this role in a domain. The role is assigned
automatically to the first domain controller promoted in an Active Directory domain and can
later be transferred to another domain controller.
When Group Policy settings are created or modified, the Group Policy editor (the Group Policy
Management Console, or the Group Policy tab of the Active Directory Users and Computers
console in earlier versions) connects by default to the PDC emulator and reads the current live
Group Policy settings from that domain controller. This default keeps all administrators editing
the same replica of a GPO, so that concurrent edits do not collide during replication.


You can use a variety of tools and utilities to find out which domain controller is currently the
PDC emulator. One of the most helpful methods is the Netdom support tool with the
following syntax at the command prompt:
C:\> netdom query fsmo
The Active Directory module for Windows PowerShell returns the same information in the
PDCEmulator property of the object returned by Get-ADDomain. Another support tool is
Dcdiag, whose KnowsOfRoleHolders test (dcdiag /test:knowsofroleholders) tells you whether
all the domain controllers in the domain agree on who the current PDC emulator is.
Note

You can use the Dcgpofix command-line tool to restore the Default Domain
Policy and the Default Domain Controllers Policy to their original, freshly installed state. Any
customizations made to those two GPOs are lost, so back them up first. This tool works only
in Windows Server 2003 or later domains.
Client-Side Extensions
Although the components of each GPO are stored in Active Directory and Sysvol, the client
itself processes each linked GPO using client-side extensions. Client-side extensions (CSEs) are
a collection of DLLs installed on the client, each with one specific job: to apply the settings of
its category from every GPO in the client's list, at computer startup or user logon and again at
each background refresh.
The available policy settings are grouped into categories including administrative templates,
security, folder redirection, wireless, IPSec, EFS, and software installation. After the client
determines which GPOs apply, each GPO is handed to the client-side extensions whose settings
it contains. A GPO records which extensions it needs in the gPCMachineExtensionNames and
gPCUserExtensionNames attributes of its Group Policy container, so a CSE is invoked only for
GPOs that carry settings in its category.
The following topic describes the registry client-side extension, which applies the settings from
the Administrative Templates section to a client computer.
Registry Client-Side Extensions

The registry client-side extension applies the Group Policy settings contained in the
Administrative Templates section by writing them to the registry. The settings that the editor
shows by default are true policies: they are written under the Policies keys
(HKLM\Software\Policies, HKCU\Software\Policies and the
Software\Microsoft\Windows\CurrentVersion\Policies keys in both hives), which ordinary users
cannot modify and which the extension removes again when the GPO no longer applies.
Administrative Template settings that write to other registry locations are preferences; the
editor hides them by default (the "Only show policy settings that can be fully managed" filter)
because they persist, or tattoo, the registry after the GPO is removed. Figure 83 lists the GUIDs
by which the client-side extensions are identified in a GPO.

GUID                                    Group Policy Component
25537BA6-77A8-11D2-9B6C-0000F8080861    Folder redirection
3610EDA5-77EF-11D2-8DC5-00C04FA31A66    Disk quota
42B5FAAE-6536-11D2-AE5A-0000F87571E3    Scripts
827D319E-6EAC-11D2-A4EA-00C04F79F83A    Security
B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A    EFS recovery
C6DC5466-785A-11D2-84D0-00C04FB169F7    Application management (software installation)
A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B    Internet Explorer settings
35378EAC-683F-11D2-A89A-00C04FBBCFA2    Registry settings (Administrative Templates)
E437BC1C-AA7D-11D2-A382-00C04F991E27    IP Security

Figure 83: Registry Client-Side Extensions
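The GUIDs in Figure 83 are what a GPO actually stores: its Group Policy container lists, per side, the CSE GUIDs that must process it, and each client resolves those GUIDs through the extensions registered in its own registry. The following PowerShell is an added example for this section, not code from the course. It parses the gPCMachineExtensionNames and gPCUserExtensionNames attributes (format per MS-GPOL: one bracket group per CSE, the first GUID being the CSE and the rest the editor snap-ins that wrote settings for it) and maps each CSE GUID to the DLL registered under Winlogon\GPExtensions on the local computer. It assumes the RSAT Active Directory module and read access to the GPC; the attribute value parsed at the end is a constructed sample using the Registry CSE GUID from Figure 83 and a second GUID standing in for an editor snap-in.

```powershell
# Added example (not from the course): list the client-side extensions a GPO invokes and
# map each CSE GUID to the extension DLL registered on this computer.
# Assumes the RSAT Active Directory module and read access to the GPC in AD.

function Get-RegisteredCse {
    # Every CSE registers a subkey named by its GUID under Winlogon\GPExtensions.
    # The subkey's default value is the friendly name, DllName is the extension DLL.
    $base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    $table = @{}
    foreach ($key in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $key.PSPath
        $guid  = $key.PSChildName.Trim('{}').ToUpper()
        $table[$guid] = [pscustomobject]@{
            Guid = $guid
            Name = $props.'(default)'
            Dll  = $props.DllName
        }
    }
    return $table
}

function ConvertFrom-GpcExtensionNames {
    # Parses gPCMachineExtensionNames / gPCUserExtensionNames (MS-GPOL):
    #   [{CSE-GUID}{TOOL-GUID}{TOOL-GUID}...][{CSE-GUID}{TOOL-GUID}]...
    # The first GUID in each bracket group is the CSE that must process the GPO; the
    # remaining GUIDs identify the editor snap-ins that wrote settings for it.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $result = @()
    foreach ($group in [regex]::Matches($Value, '\[([^\]]+)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{([0-9A-Fa-f-]{36})\}') |
                   ForEach-Object { $_.Groups[1].Value.ToUpper() })
        if ($guids.Count -gt 0) {
            $result += [pscustomobject]@{
                CseGuid   = $guids[0]
                ToolGuids = @($guids | Select-Object -Skip 1)
            }
        }
    }
    return $result
}

function Get-GpoCseUsage {
    param([Parameter(Mandatory)][string]$DisplayName)
    $domain = Get-ADDomain
    # GPCs are children of CN=Policies,CN=System; the CN of each is the GPO GUID.
    $gpc = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -Filter "objectClass -eq 'groupPolicyContainer' -and displayName -eq '$DisplayName'" `
        -Properties gPCMachineExtensionNames, gPCUserExtensionNames
    if (-not $gpc) { throw "GPO '$DisplayName' not found in $($domain.DNSRoot)" }
    $registered = Get-RegisteredCse
    foreach ($side in 'gPCMachineExtensionNames', 'gPCUserExtensionNames') {
        foreach ($entry in ConvertFrom-GpcExtensionNames -Value ([string]$gpc.$side)) {
            $reg  = $registered[$entry.CseGuid]
            $name = if ($reg) { $reg.Name } else { '<not registered on this computer>' }
            [pscustomobject]@{
                Gpo     = $DisplayName
                Side    = $side -replace '^gPC(\w+)ExtensionNames$', '$1'
                CseGuid = $entry.CseGuid
                CseName = $name
                CseDll  = $reg.Dll
            }
        }
    }
}

# Offline check of the parser on a constructed attribute value: the Registry CSE GUID
# from Figure 83 followed by a second GUID standing in for the editor snap-in.
ConvertFrom-GpcExtensionNames -Value '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]'

# Against a real domain:
# Get-GpoCseUsage -DisplayName 'Default Domain Policy' | Format-Table -AutoSize
```

A CSE that the GPC names but that is not registered on the client (for example a Group Policy Preferences extension on a computer without the preference CSEs installed) shows up as not registered, which is exactly the case where a GPO appears to apply yet some of its settings never land.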

Group Policy Container


Figure 84: Group Policy Container


The policy setting information for a GPO is stored in two places: the GPC (Group Policy
container) in Active Directory and the GPT in Sysvol. The GPC holds the details of every GPO
created in the domain: the version number of each GPO, its current status (whether the user and
computer halves are enabled), the client-side extensions it requires, and the Sysvol path of its
GPT.
This portion of the GPO is stored in Active Directory, and you can view it in the Active
Directory Users and Computers console under System\Policies when Advanced Features is
enabled. The GPC object is an instance of the Active Directory class groupPolicyContainer.
Every GPO that is created has its own GPC and corresponding GPT. You can link each GPO to
more than one OU, in the same domain or in other domains, and to sites or domain roots.
When a computer or user is processed, the GPC is where the client reads the GPO's version,
status and required extensions before fetching the policy files from the GPT.
Each GPO is assigned a unique 128-bit GUID, which is also the common name (CN) of its GPC.
The GUID can be helpful in locating a policy object when the friendly name of the policy is
not displayed, such as when browsing the policy folders in the Sysvol directory structure, which
are named by GUID rather than by display name.

Group Policy Template


Figure 85: Group Policy Template


The GPT (Group Policy template) is the file-based half of the GPO. It is stored in the Sysvol
folder of every domain controller in the domain, under Policies\{GUID} (reachable as
\\<domain controller>\SYSVOL\<domain>\Policies\{GUID}); edits are written by default to the
PDC emulator's copy and replicated from there to the other domain controllers. The GPT stores
the computer and user scripts, administrative template (.adm) files, the security template
(GptTmpl.inf), the Registry.pol files that hold the Administrative Templates settings, and the
software installation data. The GPT carries its own copy of the GPO version number, in the
gpt.ini file at the root of the GPO folder, that tracks changes made to the policy.
The GPT and GPC are linked through the same GUID that is assigned to the GPO.
For Group Policy processing to process a computer and user correctly, the contents of both the
GPC and the GPT must be synchronized. Figure 86 lists the details of the essential Group
Policy components and their location.

Component   Location                                                            Contents
GPC         Active Directory: CN={GUID},CN=Policies,CN=System,<domain DN>       Binary and string information (version, status, extension list, GPT path)
GPT         Sysvol\Policies\{GUID}\User or Machine\registry.pol                 Policy settings for user and computer (Administrative Templates)
GPT         Sysvol\Policies\{GUID}\User or Machine\<custom folder>\<files>      Policy-related files and data (scripts, security templates, .adm files, software installation data)


Figure 86: Group Policy Components

GPO Versioning

Figure 87: GPO Versioning


The two numbers that the GPMC shows for a GPO, User version and Computer version, are the
two halves of a single 32-bit version value: the low 16 bits count changes to the Computer
Configuration section and the high 16 bits count changes to the User Configuration section.
Each edit increments the half for the section that was changed.
This version value is stored in both halves of the GPO: as the versionNumber attribute of the
GPC in Active Directory and as the Version= entry of gpt.ini in the GPT on Sysvol. Because
the GPC replicates through Active Directory replication and the GPT through FRS or DFS-R,
the two copies can temporarily disagree on a given domain controller.
If the version numbers of the GPT and GPC for a particular GPO are not the same on the
domain controller a client is using, the GPO will not be processed until the version numbers
match. For the GPO to be in sync everywhere, the version numbers of both the GPT and the
GPC must be identical on each domain controller in the domain.
Note

You can use the Replication Monitor (Replmon, from the Windows Support Tools) to display
the sync status of all GPOs using the Show Group Policy Object Status context menu option.
In Windows Server 2012, the Status tab of the domain node in the GPMC performs the same
GPC/GPT consistency check against every domain controller in the domain.
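The version comparison above is easy to do by hand for one GPO on one domain controller, but a mismatch is usually a replication problem on one domain controller out of many. The following PowerShell is an added example for this section, not code from the course. It decodes the packed 32-bit version into its user and computer halves and then, for every domain controller in the domain, reads versionNumber from that controller's replica of Active Directory and Version= from that controller's copy of gpt.ini, so the two sides are compared on the same machine. It assumes the RSAT Active Directory module and read access to each controller's SYSVOL share; the value decoded at the end is a constructed sample.

```powershell
# Added example (not from the course): decode a GPO version and compare the GPC copy
# (versionNumber in AD) with the GPT copy (Version= in gpt.ini) on every domain controller.
# Assumes the RSAT Active Directory module and read access to each DC's SYSVOL share.

function ConvertFrom-GpoVersion {
    # Both stores hold the same 32-bit value: low 16 bits = computer-side version,
    # high 16 bits = user-side version. GPMC displays the two halves separately.
    param([Parameter(Mandatory)][int64]$Version)
    $v = $Version -band 0xFFFFFFFF        # AD stores the value as a signed 32-bit integer
    [pscustomobject]@{
        Raw      = $v
        Computer = $v -band 0xFFFF
        User     = ($v -shr 16) -band 0xFFFF
    }
}

function Get-GptVersion {
    # Reads Version= from gpt.ini in one specific domain controller's copy of the GPT.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DnsRoot,
        [Parameter(Mandatory)][string]$GpoGuid
    )
    $path = "\\$DomainController\SYSVOL\$DnsRoot\Policies\{$GpoGuid}\gpt.ini"
    $line = Get-Content -Path $path -ErrorAction Stop |
            Where-Object { $_ -match '^\s*Version\s*=' } | Select-Object -First 1
    if (-not ($line -match '=\s*(\d+)\s*$')) { throw "No Version= entry in $path" }
    [int64]$Matches[1]
}

function Test-GpoVersionSync {
    param([Parameter(Mandatory)][string]$DisplayName)
    $domain = Get-ADDomain
    $gpc = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -Filter "objectClass -eq 'groupPolicyContainer' -and displayName -eq '$DisplayName'"
    if (-not $gpc) { throw "GPO '$DisplayName' not found" }
    $guid = $gpc.Name.Trim('{}')            # the GPC's CN is the GPO GUID
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Query this DC's replica of AD and this DC's Sysvol so both sides come from one place.
        $adVer  = (Get-ADObject -Identity $gpc.DistinguishedName -Server $dc.HostName `
                   -Properties versionNumber).versionNumber
        $gptVer = Get-GptVersion -DomainController $dc.HostName -DnsRoot $domain.DNSRoot -GpoGuid $guid
        $a = ConvertFrom-GpoVersion -Version $adVer
        $s = ConvertFrom-GpoVersion -Version $gptVer
        [pscustomobject]@{
            DomainController = $dc.HostName
            GpcUser = $a.User; GpcComputer = $a.Computer
            GptUser = $s.User; GptComputer = $s.Computer
            InSync  = ($a.Raw -eq $s.Raw)
        }
    }
}

# Offline check on a constructed value: three user-side edits and five computer-side
# edits packed as (3 -shl 16) + 5.
ConvertFrom-GpoVersion -Version ((3 -shl 16) + 5)

# Against a real domain:
# Test-GpoVersionSync -DisplayName 'Default Domain Policy' | Format-Table -AutoSize
```

A row whose GPC half is current but whose GPT half lags points at Sysvol replication (FRS or DFS-R) on that controller; the reverse points at Active Directory replication. Either way the clients in that controller's site are the ones still running the old policy.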


The following topic describes how the GPO version information is used once the GPO has
been created.
How Version Information Is Used
After the GPOs have been created, the respective site, domain, or OUs are linked to them. A
link is recorded on the container, not on the GPO: when a policy is linked to a site, domain, or
OU, the DN of the GPO's GPC is appended to the gPLink attribute of that site, domain, or OU,
together with link options (link disabled, enforced). The gPOptions attribute of the same
container records whether Block Inheritance is set on it.
A Windows client then uses the GetGPOList API to discover which GPOs it should process.
It identifies the site the computer is in from the IP subnet that the computer's address falls in,
and uses the domain and OU location of the computer (or user) object to walk the chain of
containers above it. The gPLink values of the site, the domain, and each OU in that chain
together build the master list of GPOs to apply.
Next, the version information and the link options (link disabled, Enforced (called No
Override in earlier versions), and Block Inheritance) are read to determine what, if any,
processing will take place. By default, if the GPO versions have not changed since the last
processing cycle, no reprocessing is done unless the client-side extension is configured to
process even when the GPOs have not changed, or a refresh is forced (for example with
gpupdate /force).
The needed client-side extension DLLs are then called to apply their associated GPO settings.

FRS Replication


Figure 88: FRS Replication


Replication is usually thought of as a single mechanism that moves all changes in Active
Directory. For Group Policy there are in fact two: the GPC, being a directory object, is
replicated by normal Active Directory replication, while the GPT, being files in Sysvol, is
replicated to the other domain controllers within the domain by the FRS (File Replication
Service). The process for a Group Policy change is:
1. When changes are made to Group Policy, the PDC emulator is located and the settings
   are read from its Sysvol folder into the editor's cache.
2. After changes have been made, the Group Policy settings are saved back to the Sysvol
   folder on the PDC emulator. These file changes signal the FRS to replicate.
3. At the allotted replication time (up to 15 minutes), the FRS replicates the settings to the
   other domain controllers throughout the domain.
Because the two mechanisms run on their own schedules, the GPC and the GPT of a freshly
edited GPO can arrive at a remote domain controller at different times, which is the usual cause
of the version mismatch described above.

DFS-R


Figure 89: DFS-R


DFS-R (Distributed File System Replication), introduced with Windows Server 2003 R2,
became available for replicating Sysvol with Windows Server 2008 as a more efficient and
robust alternative to FRS. DFS-R uses remote differential compression to replicate only the
changed portions of a file, instead of replicating the entire file each time a change occurs.
To use DFS-R for Sysvol replication in a domain that currently uses FRS, the domain must be
at the Windows Server 2008 functional level or higher, and you must go through a staged
migration (the dfsrmig tool) to convert from FRS to DFS-R. You can check which stage the
domain has reached with dfsrmig /getglobalstate.
This process is thoroughly detailed in the following TechNet article:
http://technet.microsoft.com/en-us/library/dd640019(v=ws.10).aspx

If you install a new Windows Server 2012 domain (or any new domain created at the Windows
Server 2008 functional level or higher), DFS-R replication of Sysvol is enabled automatically.

Understanding the Group Policy Processing Sequence


Figure 90: Understanding the Group Policy Deployment Order


Group Policy is deployed in the following order:
1.

Local Group Policy settings are deployed first: Local administrators configure local policies on
the computer itself. Local policies can always be overridden by conflicting settings from the
site, domain, or OU levels and, therefore, have the least precedence.

2.

Site policies are applied next: Enterprise administrators can configure site policies.
These policies apply to the subnet IDs that match the site that the computer or user is
located within. This allows for location-based GPO deployment.

3.

Domain policies are applied after the site policies: Enterprise administrators and
domain administrators can configure domain policies. These policies apply to all users
and computers in the same domain. A Default Domain policy already exists at this
level. Additional policies can be applied to the domain; however, they should be limited
because they can impact such a large portion of the environment.

4.

OU policies are applied last: All Administrators and any users that have been delegated
permissions to the OU can configure OU policies. OU policies apply to all users and
computers in the OU that the policy is linked to. Assigning policies to OUs provides more
granularity and flexibility when it comes to determining the users and computers for
which the policies should be effective.


Local Computer System


Remember that any local Group Policy settings deployed using the Gpedit.msc local policy
editor or through the Local Security Policy console in the Administrative Tools menu are
deployed first, before any network-based policy settings. The local Group Policy settings are
read from the %SystemRoot%\System32\GroupPolicy folder, a hidden folder that holds a local
GPT with its own Machine and User subfolders.
It may be helpful to remember that the local registry hives, the logged-on user's profile
(NTUSER.DAT), and the Secedit.sdb security database are where all Group Policy settings are
eventually written, even when the settings come from the site, domain, or OU. In the Local
Security Policy console, the Local Setting and Effective Setting columns in the details pane
show, for each security setting, what was configured locally and what is actually in force after
the domain-based policy was applied.
The local GPO is applied to any account that has Read access to that folder, including the
local administrator. If you deny Read access on the folder to the local Administrators group,
the local GPO is no longer applied to local administrators.

Site GPOs
A GPO created within a site applies to all users and computers in the site. A site is one or
multiple subnets joined together under an Active Directory site name.
Any Group Policy settings deployed at the Active Directory site level that conflict with a
previously applied local Group Policy setting overwrite the local setting. For example, if you
enable a local setting to remove the Settings tab from the properties of the Display icon in
Control Panel, it is deployed first.
If the same setting in the site-level GPO is set to Disabled, the end result at this point of the
deployment cycle is that the Settings tab is available again. If the site-level GPO leaves the
setting Not Configured, it says nothing about the setting and the local value remains in force:
only Enabled or Disabled at a higher level overrides a lower level.

Domain GPOs
A GPO created at the domain properties is applied to all users and computers in the domain,
and to all users and computers in all child OUs and user containers.


If a conflict occurs with a previously applied local or site setting, the domain settings overwrite
the local and site settings.

Organizational Unit
The OU settings are deployed next, potentially overwriting the local, site, and domain settings
if a conflict occurs with a previously applied setting.
Child OU
If you use multiple OUs in your Active Directory design, any Group Policy settings deployed
at the top of an OU tree flow down to the child OUs beneath it, similar to the inheritance of
permissions on an NTFS partition.
If you have multiple Group Policy settings applied from multiple sources, you have an
effective Group Policy built from the multiple GPOs applied to your network.
Note

For Group Policy to operate properly, the three key components that must be
working are Active Directory, DNS, and the FRS (or DFS-R, in domains that have migrated
Sysvol). Each Active Directory client uses the domain's FQDN to locate a domain controller
through DNS, then reads the GPC from the directory and the GPT from that domain
controller's Sysvol share.

Modifying Group Policy Processing


Figure 91: Modifying Group Policy Processing


The standard group policy processing behavior is based upon inheritance. Policies
implemented at higher levels of the OU structure are inherited down the OU tree structure.

Using Group Policy Inheritance

Figure 92: Using Group Policy Inheritance


To manage group policies most effectively, you must have a good foundation to apply them
to.
This foundation normally exists as a hierarchy of OUs within the domain environment. Group
policies certainly can be applied to the site and the domain levels, but the real power of Group
Policy is in being able to apply it in a granular fashion.
When you apply a GPO to an OU structure, remember that a policy applied at a parent OU
will automatically be inherited by all child and grandchild OUs. Leverage this default behavior
so that settings that really should apply to a broad range of users and computers are applied at
a higher parent level, while settings that should affect only a subset of accounts are applied at
a child OU.
Structuring the OUs appropriately can make this process much easier.
An example of a useful corporate standard GPO is: only authorized users can access the
command prompt or the registry editor. One way to define this is to enable the Prevent
access to the command prompt and Prevent access to registry editing tools policy
settings in a GPO (for example, Standard_User_Policy) and link it to the OU that holds the user
accounts, for example the Domain_User_Accounts OU. This results in both settings being
applied to all users in the Domain_User_Accounts OU.
Then create a second GPO, such as Administrator_Policy, that sets both policy settings to
Disabled, link it to the same OU with a higher link order (or to a child OU holding the
administrators), and apply a security group filter so that only members of the administrators'
group receive it. Because it is processed after Standard_User_Policy and explicitly disables the
two settings, Administrator_Policy overrides them for administrators only. Note that security
filtering alone does not give a GPO precedence; it must also be applied later in the processing
order than the GPO it is meant to override.
If another group of users requires access to the command prompt, but not to the registry, you
can create another filtered GPO that disables only the command prompt restriction. Access to
the registry editing tools is still denied, because the new GPO leaves that setting Not
Configured and therefore does not override the Standard_User_Policy GPO.
When you set the default values for security-related settings, such as restricted group
membership and file system access and registry access permissions, remember that these
settings work on a last-write-wins principle; the settings in this case are not merged.
Changes to a GPO are saved immediately and, therefore, could be applied prematurely if a
client computer refreshes its policies. It is a good idea to keep the GPO unlinked from its
production location (site, domain, or OU) until you have fully tested the policy. While you are
developing the GPO, keep it either unlinked or linked to a test OU.
Sometimes, the default processing is not desired, and can therefore be disrupted using several
mechanisms. The following topics discuss ways to modify Group Policy processing.

Using the Block Inheritance and Enforce Options

Figure 93: Using Block Inheritance and Enforce Options


Sometimes this normal inheritance process can be limiting. For that reason, you can disrupt
the inheritance of higher-level policies in three different ways:
Contradictory settings: If a child OU has the need to opt out of a particular Group Policy
setting, you can create a new GPO at that level that has the opposite setting. The last policy
applied in the processing sequence wins.
Block inheritance: When a large number of settings are configured at a higher level and
many of them should not apply to a child OU, you can enable the Block Inheritance
attribute on the OU so that no policies from above will apply.
Enforce: You can apply the Enforce option at higher levels of the policy architecture to
ensure that certain policies cannot be overridden or blocked. The Enforce option is applied
to an individual GPO. Some GPOs can be overridden or blocked while others can be
mandatory, so to speak. The Enforce option always wins.
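The rules in this section (local, site, domain, OU order; last applied wins; Enforce; Block Inheritance) and the gPLink/gPOptions attributes described under How Version Information Is Used are the same thing seen from two sides: the client computes the application order from those attributes. The following PowerShell is an added example for both passages, not code from the course. It parses gPLink values, honours disabled links, discards non-enforced links from above a container that has Block Inheritance, and appends enforced links last with the higher container winning. One assumption is made and marked in the code: entries in gPLink are taken to be stored lowest precedence first (the order they are applied), with GPMC's Link Order column numbering them in the reverse direction. The container chain at the end is constructed sample data, not from a real domain.

```powershell
# Added example (not from the course): compute the order in which GPOs are applied to an
# account from the gPLink and gPOptions values of its site, domain and OU chain, honouring
# disabled links, link order, Enforce and Block Inheritance. The container data at the end
# is a constructed sample, not taken from a real domain.

function ConvertFrom-GPLink {
    # gPLink = "[LDAP://<GPC DN>;<options>][LDAP://<GPC DN>;<options>]..."
    # options bit 0 (1) = link disabled, bit 1 (2) = link enforced (MS-GPOL).
    # Assumption made here: entries are stored lowest precedence first, i.e. in the order
    # they are applied; GPMC's "Link Order" column numbers them in the reverse direction.
    param([AllowEmptyString()][string]$GPLink)
    $links = @()
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
        $opts = [int]$m.Groups[2].Value
        $links += [pscustomobject]@{
            GpoDN    = $m.Groups[1].Value
            Disabled = [bool]($opts -band 1)
            Enforced = [bool]($opts -band 2)
        }
    }
    return $links
}

function Get-GpoApplyOrder {
    # $Scope lists the containers from the top of the hierarchy (site) down to the
    # container holding the account. Each element: @{ Name; gPLink; gPOptions }.
    # gPOptions bit 0 (1) on a container = Block Inheritance.
    param([Parameter(Mandatory)][object[]]$Scope)

    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]   # one sub-list per container

    foreach ($c in $Scope) {
        if ($c.gPOptions -band 1) {
            # Block Inheritance discards the non-enforced links collected from every
            # container above this one; enforced links are immune.
            $normal.Clear()
        }
        $here = New-Object System.Collections.Generic.List[object]
        foreach ($l in ConvertFrom-GPLink -GPLink $c.gPLink) {
            if ($l.Disabled) { continue }
            $entry = [pscustomobject]@{ Container = $c.Name; GpoDN = $l.GpoDN; Enforced = $l.Enforced }
            if ($l.Enforced) { $here.Add($entry) } else { $normal.Add($entry) }
        }
        $enforced.Add($here)
    }

    # Application order: local GPO, then site/domain/OU links top-down (later wins), then
    # enforced links. Enforced links from a higher container must win over enforced links
    # from a lower one, so the containers are walked bottom-up for that final pass.
    $sequence = @([pscustomobject]@{ Container = 'Local computer'; GpoDN = 'Local Group Policy'; Enforced = $false })
    $sequence += $normal.ToArray()
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $sequence += $enforced[$i].ToArray() }

    $step = 0
    foreach ($s in $sequence) {
        $step++
        [pscustomobject]@{ Step = $step; Container = $s.Container; Gpo = $s.GpoDN; Enforced = $s.Enforced }
    }
}

# Constructed sample chain for a workstation in OU=Kiosks,OU=Workstations. GPO names in
# the DNs are placeholders where a real gPLink carries the GPO GUID.
$dn = 'cn=policies,cn=system,DC=corp,DC=example'
$scope = @(
    @{ Name = 'Site HQ';         gPOptions = 0; gPLink = "[LDAP://cn={GPO-Site-Proxy},$dn;0]" }
    @{ Name = 'Domain';          gPOptions = 0; gPLink = "[LDAP://cn={GPO-Domain-Baseline},$dn;0][LDAP://cn={GPO-Domain-Audit},$dn;2]" }
    @{ Name = 'OU=Workstations'; gPOptions = 0; gPLink = "[LDAP://cn={GPO-Workstation-Hardening},$dn;0]" }
    @{ Name = 'OU=Kiosks';       gPOptions = 1; gPLink = "[LDAP://cn={GPO-Kiosk-Legacy},$dn;1][LDAP://cn={GPO-Kiosk-Lockdown},$dn;2]" }
)
Get-GpoApplyOrder -Scope $scope | Format-Table -AutoSize
```

With Block Inheritance set on the Kiosks OU, the sample yields the local GPO followed only by the two enforced links, the domain-level Audit GPO applied last so that it wins; the disabled Kiosk-Legacy link is skipped entirely. Set gPOptions on that OU back to 0 and the site, domain and Workstations links reappear between the local GPO and the enforced ones, in top-down order.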

Using Security Filtering


Figure 94: Using Security Filtering


In order for a GPO to apply to a given user or computer, that user or computer must have
both Read and Apply Group Policy permissions on the GPO. By default, Authenticated Users
has both Read and Apply Group Policy set to Allow. If you want only a subset of users within
an OU to receive a GPO, remove the Apply Group Policy permission from Authenticated Users
on the desired GPO.
Next, add a group that contains the subset of users who should receive the GPO and grant it
Read and Apply Group Policy (the Security Filtering section of the GPO's Scope tab in the
GPMC does this in one step). Only members of this group that are within the site, domain, or
OU where the GPO is linked receive the GPO; members of the group in other sites, domains,
or OUs do not.
Note

Remove only the Apply Group Policy permission from Authenticated Users, not Read. Since
security update MS16-072 (KB3163622, June 2016), the user settings of a GPO are retrieved in
the computer account's security context, so the computer must be able to read every GPO that
applies to its users. Authenticated Users includes computer accounts; if it has already been
removed from a GPO, add Domain Computers with Read permission instead, or the user
settings from that GPO will silently stop applying.
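Security filtering is the GPO's DACL, so it can be audited and corrected with the GroupPolicy module rather than clicking through each GPO. The following PowerShell is an added example for this section, not code from the course. It reports, for every GPO in the domain, which trustees hold Apply Group Policy, whether the GPO is security filtered at all, and whether the filtering leaves computer accounts without Read (the MS16-072 condition from the note above), and it applies the corrected pattern: Authenticated Users reduced to Read, Apply granted to the target group. It assumes the RSAT GroupPolicy module and a domain-joined session; the GPO and group names in the usage lines are placeholders.

```powershell
# Added example (not from the course): report how every GPO in the domain is security
# filtered and flag filters that break user policy processing after MS16-072 (KB3163622).
# Since that update the user half of a GPO is read in the computer's security context, so
# "Authenticated Users" (which contains computer accounts) or "Domain Computers" must
# retain at least Read on the GPO. Assumes the RSAT GroupPolicy module.

function Get-GpoFilteringReport {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms   = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All
        $applyTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                    ForEach-Object { $_.Trustee.Name })

        # Well-known SIDs rather than names, so the check is locale independent:
        # S-1-5-11 = Authenticated Users, RID 515 = Domain Computers.
        $computersCanRead = [bool]($perms | Where-Object {
            ($_.Permission -in $readLevels) -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        })
        # Filtered = the default "Authenticated Users: Apply Group Policy" has been removed.
        $filtered = -not ($perms | Where-Object {
            $_.Trustee.Sid.Value -eq 'S-1-5-11' -and $_.Permission -eq 'GpoApply'
        })

        [pscustomobject]@{
            Gpo                 = $gpo.DisplayName
            ApplyTo             = $applyTo -join ', '
            SecurityFiltered    = $filtered
            UserSettingsEnabled = $gpo.User.Enabled
            BrokenAfterMS16072  = $filtered -and $gpo.User.Enabled -and -not $computersCanRead
        }
    }
}

function Set-GpoSecurityFilter {
    # Replace the default "Authenticated Users: Apply" with Read only (so computers can still
    # read the GPO), then grant Apply to the group that should receive the settings.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetGroup,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    Set-GPPermission -Name $Name -Domain $Domain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -Domain $Domain -TargetName $TargetGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Return the resulting ACL so the change can be verified in the same pipeline.
    Get-GPPermission -Name $Name -Domain $Domain -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Usage against a real domain (GPO and group names are placeholders):
# Get-GpoFilteringReport | Where-Object BrokenAfterMS16072 | Format-Table -AutoSize
# Set-GpoSecurityFilter -Name 'Finance Desktop Lockdown' -TargetGroup 'GP-Finance-Users'
```

Set-GPPermission without -Replace never lowers an existing permission level, which is why the Authenticated Users call needs the switch; the second call raises the target group from nothing to Apply and so does not.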
Isolating Administrators
You might want to prevent certain Group Policy settings from applying to the Administrator
group. To accomplish this, you can do one of the following:
Create a separate OU for administrators and keep this OU out of the user infrastructure.
In this case, administrators will not receive most of the settings that you provide for
managed users. If this separate OU is a direct child of the domain, the only settings that
administrators possibly receive are settings from GPOs linked either to the domain or the
site.


Because only broadly applicable settings should be linked here, it might be acceptable to let
the administrators receive these settings; otherwise, you can set the Block Inheritance
option on the Administrators OU.

Have administrators use separate administrative accounts only when administrative tasks are
being carried out. Therefore, when not performing administrative tasks, they would still be
managed by the applied Group Policy settings.

Implementing WMI Filters

Figure 95: Implementing WMI Filters


Although you can filter the applied settings of GPOs by modifying the ACLs for the policy
links (security group filtering), there might be times that you want to apply a policy based on
specific attributes of an individual client computer. In such situations, you would use WMI
(Windows Management Instrumentation) filtering.
WMI provides a mechanism to collect various details of a computer's configuration through a
programmatic interface. In many respects, WMI is similar to SNMP. WMI runs on Windows
2000 and later platforms.
A WMI filter is a collection of one or more queries (really conditions) written in WQL. A
query might specify, for example that a computer be running at least a Pentium III processor,
or have a minimum OS version number. When you build a WMI filter and apply it to a GPO,
the GPO will apply only if the queries in the filter are all satisfied.
So, for example, you could create a GPO that would apply only to computers with at least a
Pentium III CPU. That sort of capability could come in handy, for example, when you are
thinking of deploying a processor-intensive application.

WMI is powerful, but is not appropriate in every situation: a filter is re-evaluated on the client
at every policy processing cycle, so a slow or broad WQL query (for example, one that
enumerates every installed product) lengthens logon and refresh times for every computer in the
GPO's scope. To help you create WMI filters, you can use the WBEMTest tool (wbemtest.exe),
which ships with Windows. Once you have created the WMI filter, you must link it to a GPO.
Restrictions
WMI filtering has many conditions associated with it, making it unsuitable at present for
deployment in mixed-mode networks. Here is what you should know:
Windows 2000 Professional clients (and earlier) ignore WMI filters and always apply
policies just as if the WMI filter did not exist.
Only Windows Server 2003 and later domains that have been prepped via the adprep
/domainprep command support WMI filters.
WMI filters are domain-local in scope; that is, you cannot link a WMI filter to a GPO in a
different domain.
Any given GPO can have only one associated WMI filter. (That is not too much of a
restriction when you consider that a filter might have a long list of queries contained within
it.)

Using the WBEMTest Tool

Figure 96: Using the WBEMTest Tool



You can use the WBEMTest tool to become familiar with the structure of WMI. The GPMC
does not provide any method to browse the WMI repository. The WBEMTest tool can be
used to display the WMI structure as a reference to build a filter from.
Viewing WMI Classes
A good way to become familiar with the WMI classes is to use the graphical WBEMTest tool,
which you can run from a command prompt.
You will need to specify the namespace via the Open Namespace button, if it is anything
other than root\cimv2.
To view all of the classes beneath a root namespace, click the Enum Classes button, select
Recursive, and then click OK. You will see a dialog box like the one shown in Figure 97.
The WBEMTest Query Result Dialog Box

Figure 97: WBEMTest Query Result Dialog Box


Then, if you double-click the item and click the Instances button, you can see the instances of
objects of that class on the computer. For example, you would see that the Name property of
the Win32_BIOS class on this computer is PhoenixBIOS 4.0 Release 6.0.3. Another way to
express this is:


Win32_BIOS.Name = "PhoenixBIOS 4.0 Release 6.0.3"


Explore the WBEMTest tool until you become familiar with the wide range of classes and
properties that are available. Then, read the examples of WQL provided in the GPMC help
system.
You can also get some good information on WMI scripting by searching the Microsoft
TechNet Web site at www.microsoft.com/technet.
Linking the Filter to a GPO
After you build a WMI filter, you need to link it to a GPO for it to become useful. In the
GPMC, this is as simple as dragging the WMI filter object onto the GPO of interest. Other
ways to do the same thing include:
In the GPMC, on the GPO Scope tab, select the desired WMI filter from the WMI filtering
menu.
In the GPMC, on the General tab of the filter, right-click GPOs that use this WMI filter
and then select a target GPO for the WMI filter.

Using PowerShell to Explore WMI (1)

Figure 98: Using PowerShell to Explore WMI (1)


Use PowerShell to output a listing of all WMI classes within the root\CIMv2 namespace by
using the following command:
Get-WMIObject -list | Out-GridView
This will output the list of objects to the GridView application which allows for convenient
navigation of the hundreds of items returned.
Using PowerShell to Explore WMI (2)

Figure 99: Using PowerShell to Explore WMI (2)


Use PowerShell to output a listing of the items within a class by using the following command:
Get-WMIObject Win32_OperatingSystem
This will display the properties of the object to the screen. This information can then be used
to design the query you would like to use as a WMI Filter in a GPO.
Using PowerShell to Explore WMI (3)

Figure 100: Using PowerShell to Explore WMI (3)


Use PowerShell to test a WQL query before attempting to use it in a GPO. Write the
command as follows:
Get-WMIObject -query {Select * from Win32_OperatingSystem WHERE Version = '6.2.9200' AND ProductType = '2'}
This command returns results only if the computer it is run against is version 6.2.9200 and the
product type is 2. These are the attributes of a Windows Server 2012 machine.
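The following PowerShell function is an added example, not part of the course material. It runs each WQL query in a list the way a GPO WMI filter is evaluated (the GPO applies only if every query returns at least one instance), so a filter can be checked on a test computer before it is linked to a GPO. Test-WmiFilter is a hypothetical helper name, and the second query using LIKE is an assumption added to show a build-independent alternative to the exact version match above.

```powershell
# Added example (not from the course text): evaluate a list of WQL queries the way a
# Group Policy WMI filter does. Every query must return at least one instance for the
# filter to pass. Test-WmiFilter is a hypothetical helper name; Get-WmiObject with
# -Namespace and -Query is the real cmdlet used elsewhere on this page.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\cimv2'   # namespace used by GPMC WMI filters by default
    )
    $results = foreach ($q in $Query) {
        # A query that errors (wrong class name, typo) counts as not satisfied, which is
        # what happens in practice: the filter fails and the GPO does not apply.
        $instances = Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Query     = $q
            Matched   = [bool]$instances
            Instances = @($instances).Count
        }
    }
    # The filter passes only when no query came back empty.
    $failed = @($results | Where-Object { -not $_.Matched }).Count
    [pscustomobject]@{
        Namespace  = $Namespace
        Queries    = $results
        WouldApply = ($failed -eq 0)
    }
}

# Constructed sample filter. The first query is the one from the page: build 6.2.9200
# with ProductType 2 (2 = domain controller, 1 = workstation, 3 = member server).
# The second query is an assumed alternative that uses LIKE so the filter keeps
# matching other 6.2 builds instead of one exact version string.
$filter = @(
    "Select * from Win32_OperatingSystem WHERE Version = '6.2.9200' AND ProductType = '2'",
    "Select * from Win32_OperatingSystem WHERE Version LIKE '6.2%' AND ProductType = '2'"
)

$result = Test-WmiFilter -Query $filter
$result.Queries | Format-Table Query, Matched, Instances -AutoSize
"GPO with this filter would apply on this computer: $($result.WouldApply)"
```

Run it on the machine the filter is meant to target; a query row with Matched = False tells you which condition is excluding the computer.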

Creating a WMI Filter

Figure 101: Creating a WMI Filter


To create a new WMI filter:
1. In the GPMC, right-click the WMI Filters node and select New.
2. Name the filter, provide a description, and create your queries using WQL.
3. Choose the WMI filter from the Scope tab of a GPO.

Note: WQL is similar to SQL, so if you are familiar with SQL, all you need are the
specifics for the WMI data classes.

Changing the GPO Link Order

Figure 102: Changing the GPO Link Order


The GPO link order controls the order in which GPOs are applied within each domain, site,
and OU.
To change the GPO link order, move each link up or down in the list to the appropriate
location by using the Up and Down buttons.
Links with the lowest number have higher precedence for a given site, domain, or OU. For
example, if you add three GPOs, the GPO highest in the list has a link order of 1. This GPO
will be deployed last, and only after the other two GPOs have been deployed. Because it is
deployed last, the settings contained in that policy have a higher priority and will override any
identical settings defined in the other two GPOs.

Using Loopback Processing

Figure 103: Using Loopback Processing


The User Group Policy loopback processing mode policy setting applies the same user
settings for all users who log on to the computer, based on the computer they log on to.
When you apply GPOs to users, normally the same set of user policy settings applies to those
users when they log on to any computer. By enabling the loopback processing policy setting in
a GPO, you can configure user policy settings based on the computer location that they log on
to.
Those settings are applied regardless of which user logs on.
You set the loopback policy inside each GPO by using the User Group Policy loopback
processing mode policy setting under Computer Settings\Administrative
Settings\System\Group Policy. Two options are available:
Merge: In this mode, the list of GPOs for the user is gathered during the logon process.
First, the list of GPOs for the computer is gathered. Next, the list of GPOs for the computer
is added to the end of the GPOs for the user. As a result, the GPOs of the computer have
higher precedence than the GPOs of the user.
Replace: In this mode, the list of GPOs for the user is not gathered. Instead, only the list of
GPOs based on the computer object is used. The user configuration settings from this list
are applied to the user.

When you use the Replace option, you must ensure that both the computer and user
portions of the GPO are enabled.

Acronyms
The following acronyms are used in this section:
ACL: Access Control List
ADSI: Active Directory Service Interfaces
API: application programming interface
BIOS: basic input/output system
CD: compact disc
CPU: central processing unit
DLL: dynamic-link library
DN: distinguished name
DNS: Domain Name System
EFS: Encrypting File System
FQDN: fully qualified domain name
FRS: File Replication Service
GPC: Group Policy container
GPMC: Group Policy Management Console
GPO: Group Policy object
GPT: Group Policy template
GUID: globally unique identifier
IP: Internet Protocol
IPSec: IP Security
MSI: Microsoft Windows Installer
NTFS: New Technology File System
OS: operating system
OU: organizational unit
PDC: primary domain controller
SNMP: Simple Network Management Protocol
SQL: Structured Query Language
WAN: wide area network
WMI: Windows Management Instrumentation
WQL: WMI Query Language

Section Review
Summary
Group Policy is based on the following components:
Sysvol folder: A system folder that is located in the NTFS file system of every Active
Directory domain controller. It contains administrative templates, security settings,
applied scripts, and details about MSI packages that will be installed.
PDC emulator: A single domain controller per domain is assigned the role of a PDC
emulator. This role is automatically assigned to the first domain controller in an Active
Directory domain.
Group Policy Container: Stores the policy setting information for a GPO. It stores the
details of every GPO that is created in Active Directory. The GPC contains the version
number of each GPO, its current status, and the installed components.
Group Policy template: Stores the files that are created by the GPO in the Sysvol
folder on the PDC emulator for each domain. It stores computer and user scripts, the
GPO template files, and the Registry.pol files.
Group Policy is deployed in the following order:
1. Local Group Policy settings
2. Site policies
3. Domain policies
4. OU policies
The methods used to modify Group Policy processing are:


Block Inheritance and Enforce Options: The Block Inheritance attribute prevents
higher-level policies from being applied to lower levels.
Applied at higher levels of the policy architecture, the Enforce option ensures that certain
policies cannot be overridden or blocked. This option is applied to an individual GPO.
Security Filtering: Sets the ACLs to prevent or allow policies from applying to specific
users or groups.
WMI Filters: Consist of a collection of one or more queries (conditions) written in
WQL. When you build a WMI filter and apply it to a GPO, the GPO will apply only if
the queries in the filter are all satisfied.
GPO Link Order: Controls the order in which GPOs are applied within each domain,
site, and OU.
Loopback Processing: Configures the user policy settings based on the computer
location that the users log on to.

Knowledge Check
1. Which Active Directory component does the following text describe?

   A system folder that is located in the NTFS file system of every Active Directory domain
   controller. It contains administrative templates, security settings, applied scripts, and
   details about MSI packages that will be installed.

2. What is the Group Policy deployment order?

3. Match each method used to modify Group Policy processing with its correct description.
   Write the letter of the description in the Answer column.

   Answer      | Method                   | Description
   1. ________ | GPO Link Order           | A. It prevents higher-level policies from being applied to lower levels.
   2. ________ | Security Filtering       | B. Controls the order in which GPOs are applied within each domain, site, or OU.
   3. ________ | WMI Filters              | C. Configures the user policy settings based on the computer location that the users log on to.
   4. ________ | Block Inheritance Option | D. Consist of a collection of one or more queries (conditions) written in WQL.
   5. ________ | Loopback Processing      | E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.

Knowledge Check Answer Key


The correct answers to the Knowledge Check questions are bolded.
1. Which Active Directory component does the following text describe?

   A system folder that is located in the NTFS file system of every Active Directory domain
   controller. It contains administrative templates, security settings, applied scripts, and
   details about MSI packages that will be installed.

   Sysvol folder

2. What is the Group Policy deployment order?

   Local
   Site
   Domain
   OU

3. Match each method used to modify Group Policy processing with its correct description.
   Write the letter of the description in the Answer column.

   Answer | Method                   | Description
   1. B   | GPO Link Order           | A. It prevents higher-level policies from being applied to lower levels.
   2. E   | Security Filtering       | B. Controls the order in which GPOs are applied within each domain, site, or OU.
   3. D   | WMI Filters              | C. Configures the user policy settings based on the computer location that the users log on to.
   4. A   | Block Inheritance Option | D. Consist of a collection of one or more queries (conditions) written in WQL.
   5. C   | Loopback Processing      | E. Sets the ACLs to prevent or allow policies from applying to specific users or groups.
