3.1.1 Server Abstract Data Model

The Group Policy server has no knowledge of the Group Policy: Core Protocol. It is merely an LDAP and file server that stores generic objects. The Group Policy server primarily stores information on managed objects and policies that affect those objects.

The Group Policy server keeps state in two conceptual stores: an LDAP server and a domain-based distributed file system. The LDAP server stores information on policy targets and the policies that affect those targets. The distributed file system part of the Group Policy server is primarily intended for storing large streams of data (by convention, large data is considered to be anything over 100 kilobytes) that are not appropriate for a lightweight store (such as an LDAP server) or for storing data that has traditionally been accessed in files by clients outside the context of the Group Policy: Core Protocol.

The LDAP server portion models policy in the following ways.

  • Policy targets exist in the directory as individual user accounts and computer accounts.

  • Because those accounts are located in organizational unit containers and domains, policy targets are scoped by the organizational units and domains that contain them.

  • Sites need to be defined in the LDAP server.

  • Each site, domain, and organizational unit has an attribute named gpLink that associates that site, domain, or organizational unit with a set of gpContainer objects that logically represent GPOs in the LDAP server.

Logically, each GPO is divided into two sections.

  • User section: Contains all information that relates to user policies, which clients are to retrieve as part of user policy mode. Group Policy extensions store all server state for user policy settings within this section in formats of their own specifications.

  • Computer section: Contains all information that relates to computer policies, which clients are to retrieve as part of computer policy mode. Group Policy extensions store all server state for computer policy settings within this section in formats of their own specifications.

Each of these sections corresponds to a policy mode, and each has an associated extension list.

  • User Extension List: The list of Group Policy extensions that store settings in the User section of the GPO.

  • Computer Extension List: The list of Group Policy extensions that store settings in the Computer section of the GPO.

GPOs themselves have the following structures on the Group Policy server.

  • GPO Active Directory storage: For each GPO to be communicated through the protocol, the following objects and attributes MUST be accessible via LDAP under the path CN=Policies,CN=System,<DN for root of the domain>. The "Policies" object is of the class "Container" (as defined in [MS-ADSC]), whereas the GPO object is of the class "groupPolicyContainer" (as defined in [MS-ADSC]). The CN attribute of the GPO object MUST be a GUID that is unique in the domain.

  • GPO user container: The container CN=User,<GPO DN> that stores all Active Directory information to be retrieved for Group Policy extension sequences for user policy mode.

  • GPO computer container: The container CN=Machine,<GPO DN> that stores all Active Directory information to be retrieved for Group Policy extension sequences for computer policy mode.

  • GPO domain-based distributed file system storage: The following file system information MUST be available on the Group Policy server through file access as follows:

    • GPO path: A GPO path MUST be available for the GPO. For a given GPO, the GUID in the GPO DN and the GPO path MUST be the same.

    • GPO user path: The subdirectory <GPO Path>\User (where <GPO Path> is the GPO path) MUST exist; this subdirectory contains all user policy information that is stored in the file system.

    • GPO computer path: The subdirectory <GPO Path>\Machine (where <GPO Path> is the GPO path) MUST exist; this subdirectory contains all computer policy information that is stored in the file system.
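The following script is an added example, not code from MS-GPOL or from any Microsoft implementation. It ties together the gpLink attribute described above (how a site, domain, or organizational unit names the GPOs that apply to it) and the per-GPO storage layout just listed, by checking a GPO against the stated MUSTs: the CN under CN=Policies,CN=System is a GUID, the object class is groupPolicyContainer, the CN=User and CN=Machine containers exist, the GUID in the GPO path matches the GUID in the GPO DN, the User and Machine subdirectories exist under the GPO path, and no two GPOs in the domain share a GUID. The LDAP snapshot, the SYSVOL directory listing, the domain name and the GUIDs are all constructed inline so the script runs offline; in practice they would come from an LDAP search and an SMB directory listing. Two things are assumptions drawn from the rest of MS-GPOL rather than from this section: the bracketed "[LDAP://<GPO DN>;<options>]" layout of a gpLink value, and gPCFileSysPath as the attribute that holds the GPO path.

```python
"""Added example (not MS-GPOL's own code): validate GPO storage invariants.

Assumptions not stated in the section above: gPLink values are a
concatenation of "[LDAP://<GPO DN>;<options>]" entries, and the GPO path
is carried in the gPCFileSysPath attribute. All data below is constructed.
"""
import re
import uuid

DOMAIN_DN = "DC=example,DC=com"                       # constructed domain
POLICIES_DN = f"CN=Policies,CN=System,{DOMAIN_DN}"
SYSVOL = r"\\example.com\sysvol\example.com\Policies"  # constructed share
GPO_A = "{11111111-2222-3333-4444-555555555555}"      # constructed GUIDs
GPO_B = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"


def gpo_dn(guid):
    """DN of a GPO object: CN={guid},CN=Policies,CN=System,<domain DN>."""
    return f"CN={guid},{POLICIES_DN}"


def gpo_path(guid):
    """GPO path on the distributed file system, ending in the same GUID."""
    return SYSVOL + "\\" + guid


# Constructed LDAP snapshot (DN -> attributes). GPO_B is deliberately broken:
# it lacks its CN=Machine container and its path points at GPO_A's GUID.
# (The page spells the attribute gpLink; LDAP attribute names are
# case-insensitive, gPLink is the schema's lDAPDisplayName.)
LDAP = {
    DOMAIN_DN: {"gPLink": f"[LDAP://{gpo_dn(GPO_A)};0][LDAP://{gpo_dn(GPO_B)};2]"},
    gpo_dn(GPO_A): {"objectClass": "groupPolicyContainer",
                    "gPCFileSysPath": gpo_path(GPO_A)},
    f"CN=User,{gpo_dn(GPO_A)}": {},
    f"CN=Machine,{gpo_dn(GPO_A)}": {},
    gpo_dn(GPO_B): {"objectClass": "groupPolicyContainer",
                    "gPCFileSysPath": gpo_path(GPO_A)},
    f"CN=User,{gpo_dn(GPO_B)}": {},
}
# Constructed SYSVOL listing: the set of directories that exist.
FS = {gpo_path(GPO_A), gpo_path(GPO_A) + "\\User", gpo_path(GPO_A) + "\\Machine"}

GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def parse_gplink(value):
    """Split a gPLink value into (GPO DN, link options) pairs, in link order.
    The options value is passed through untouched; its bits are defined
    elsewhere in MS-GPOL, not in this section."""
    return [(dn, int(opts)) for dn, opts in GPLINK_RE.findall(value or "")]


def guid_from_dn(dn):
    """Return the upper-case GUID of CN={guid},<POLICIES_DN>, or None if the
    DN is not a well-formed GPO DN directly under CN=Policies,CN=System."""
    m = re.fullmatch(r"CN=\{([0-9A-Fa-f-]{36})\},(.+)", dn)
    if not m or m.group(2).lower() != POLICIES_DN.lower():
        return None
    try:
        return str(uuid.UUID(m.group(1))).upper()
    except ValueError:
        return None


def check_gpo(dn, ldap, fs):
    """Return the list of violated MUSTs for one GPO; [] means it conforms."""
    entry = ldap.get(dn)
    if entry is None:
        return ["GPO object missing from LDAP"]
    problems = []
    guid = guid_from_dn(dn)
    if guid is None:
        problems.append("CN is not a GUID directly under CN=Policies,CN=System")
    if entry.get("objectClass") != "groupPolicyContainer":
        problems.append("object is not of class groupPolicyContainer")
    for sub in ("User", "Machine"):          # GPO user / computer containers
        if f"CN={sub},{dn}" not in ldap:
            problems.append(f"missing CN={sub} container")
    path = entry.get("gPCFileSysPath")       # assumed attribute for the GPO path
    if not path:
        problems.append("no GPO path")
        return problems
    tail = path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    if guid and tail != "{" + guid + "}":
        problems.append("GUID in GPO path differs from GUID in GPO DN")
    for sub in ("User", "Machine"):          # GPO user path / computer path
        if path + "\\" + sub not in fs:
            problems.append(f"missing {sub} subdirectory under GPO path")
    return problems


def check_domain(ldap, fs):
    """Check every GPO object in the snapshot and flag duplicate GUIDs."""
    report, seen = {}, {}
    for dn in ldap:
        guid = guid_from_dn(dn)
        if guid is None:                     # not a GPO object (domain, User, Machine)
            continue
        report[dn] = check_gpo(dn, ldap, fs)
        if guid in seen:
            report[dn].append("GUID duplicates " + seen[guid])
        seen[guid] = dn
    return report


if __name__ == "__main__":
    for dn, opts in parse_gplink(LDAP[DOMAIN_DN]["gPLink"]):
        print(f"linked: {dn} (options={opts}) ->", check_gpo(dn, LDAP, FS) or "OK")
```

Run against the constructed data, GPO_A reports no problems and GPO_B reports the missing CN=Machine container and the GUID mismatch between its DN and its path. Note that the path check only compares the trailing GUID component, since the section requires the GUIDs to be the same but says nothing about the share or directory prefix, and that the options value of each link is deliberately left uninterpreted here.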