GPO from zero to hero

2019/11/06 | 2 minute read |

Today we’re going to talk about Group Policy Object in an Active Directory environment with Windows Server 2019.

  1. Group Policy Object
  2. How to create GPO (Part II)
  3. Manage GPO with PowerShell (Part III )

1. GPO Késako

It’s a set of rules that allow you to set up and set up computer objects or domain users, a group policy applies to objects in organization units. A GPO must be unique in an Active Directory domain:

  • A unique global identifier GUID (Globally Unique Identifier) is assigned to the GPO.
  • A GPC (Group Policy Container) group strategy container is created in the Active Directory domain partition.
  • A container of GPT (Group Policy Template) administration models is created in the SYSVOL-Policies folder of the domain controller who has the role of FSMO Emulator PDC(Primary Domain Controller). Warning by default when promoting your first Domain Controller two GPOs are booted and therefore create:

  • The Default Domain Policy (DDP) that impacts all objects in the Active Directory domain that will always have the same GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
  • The Default Domain Controller Policy (DDCP) that impacts only domain controllers {6AC1786C-016F-11D2-945F-00C04FB984F9}. Auhtors_img

Becarefull: By default the two first GPO have the same GUID in all ADDS Forest.

The group strategy is then divided into two distinct parts, GPC and GPT, which are store at two different locations of the domain controller.

1.1 How to find the GPC container

With the Active Directory Administrative Center: Auhtors_img Or with the MMC Active Directory and Users and Computers Auhtors_img The GPC is stored in the System-Policies container in Active *Directory. It is necessary to display the advanced features in the Users and Computers Active Directory console to access the Policies container.

1.2 How to find the GPT

The GPT is in all Domain Controller in the folder SYSVOL Auhtors_img

2.The synchronization of GPT and GPC

The GPC and GPT elements are the two parties that make up a group strategy. The group strategy container and the group strategy model are both replicated between all domain controllers in AD DS. However, different replication mechanisms are used for both elements. The group strategy container in AD DS is replicated by the Directory Replication Agent(DRA). The data recovery agent uses a topology generated by the Knowledge Consistency Checker (KCC), which you can manually define or refine. The result is that the group strategy container is replicated in seconds to all domain controllers in a site and is replicated between sites according to your inter-site replication configuration. The group strategy model in the SYSVOL volume is replicated using one of two technologies:

  • The File Replication Service (FRS) is used to replicate the SYSVOL volume in domains running Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2012.
  • If all domain controllers run Windows Server 2008 or later version, you need to set up the SYSVOL volume replication using DFS replication (Distributed File System), which is a much more efficient and reliable mechanism.

Auhtors_img Here you could observe the versions available to a Group Strategy Object with an AD Version (GPC) and Sysvol (GPT) the version numbers must be the same otherwise there is a desynchronization for the GPT and the GPC.

3.Applying GPO to workstations

In order to ensure that GPOs work on end-user positions, they must be applied according to certain established rules and respect a defined hierarchy. In network architecture, there are several levels on which group strategies can be applied.

The order of application is :

  • Local strategies,
  • Site-level,
  • Domain,
  • Organizational unit.


Thanks for reading the First post and soon the second post.

Written by Jérôme Bezet-Torres @JM2K69.