What are the GPC and the GPT

Every GPO is made up of two components (the GPC and the GPT), and those components are split between two places inside a Domain Controller.

GPOs are initially born in the PDC Emulator, and then, a bit later, they are replicated to the other Domain Controllers within the site and then between sites. Assuming the PDC Emulator is available, you can give your GPO a friendly name, say "Hide Settings Tab / Restore Screen Saver Tab."
Once that happens, your GPO is officially "born." The PDC Emulator has already performed certain functions on your behalf:

It created a Group Policy Container (GPC) in the "Policies" folder of the Configuration container in the Active Directory database. Think of this as a reference in Active Directory for your new GPO.

It created a Group Policy Template (GPT) in the SYSVOL directory of the PDC Emulator. This is where the real files that make up your GPO live. They're replicated to every Domain Controller for quicker retrieval.
Additionally, if "Create and link a GPO here..." is used when focused on the domain or OU level (or the old-school interface is used), the new GPO you just created is automatically linked to the current level you were focused at--site, domain, or OU.
The GPO is given a unique ID that takes the form of a Globally Unique Identifier (GUID).

Group Policy Containers (GPCs)

Active Directory holds GPCs, which hold multiple properties of the Group Policy--for instance, version and status information and some policy settings. A GPC has a name that takes the format of a globally unique identifier (GUID)--see the sidebar that follows. The underlying name is not the friendly name we use when administering the GPO.
You can see the GPCs for every Group Policy you create by diving into the Active Directory Users And Computers console.
To view the GPCs and their GUIDs, follow these steps:

Log on to the server WINDC01 as Administrator of the domain.

Choose Start > Programs > Administrative Tools > Active Directory Users And Computers.

Choose View > Advanced Features, to display the Policies folder.
Expand the System folder to display the Policies folder along with the GPCs.

When a GPC object is created, it is given several attributes:

Common Name (CN): In Active Directory, the attribute is really called cn. This is the LDAP (Lightweight Directory Access Protocol) designation for the name assigned to an object. GPC names use the GUID format to ensure uniqueness throughout a forest. For example, CN=2C53BFD6-A2DB-44AF-9476-130492934271.

Distinguished Name (DN): In Active Directory, the attribute is really called distinguishedName. This is the object's common name plus the path to the object from the root of the LDAP tree. For example, CN=2C53BFD6-A2DB-44AF-9476-130492934271, CN=Policies, CN=System, DC=corp, DC=com.

Display Name: In Active Directory, the attribute is really called displayName. This is the friendly name assigned to the Group Policy in the user interface, for example, the Hide Screen Saver Tab GPO.

Version: In Active Directory, the attribute is really called versionNumber. This is a counter that keeps track of updates to a GPC object (more on this topic a little later).

GUID: In Active Directory, the attribute is really called objectGUID. This is the GUID assigned to the object itself. Active Directory uses the object's GUID as a reference for handling table moves, building indexes, and doing other database activities.

You might find it a little confusing for the GPC object to have a GUID that refers to the object itself and a name that uses a GUID format. There is an important reason for this: Microsoft needed a way to make the underlying, real name of GPOs unique, independent of their friendly names. Suppose two administrators create two (or more) GPOs with the same friendly name on their own Domain Controllers. When these GPC objects replicate, one of them would have to be discarded, overwritten, or renamed, depending on the exact circumstances of the replication collision. That could be a bad thing. Therefore, Microsoft solves this problem by using underlying unique names formatted with the GUID format. There is a negligible chance of identical GUIDs being created, not only within one Active Directory but also across the entire world, should the need arise to coexist with GPOs in other forests (such as with cross-forest trusts).
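
The GPC attributes listed above can also be read with PowerShell instead of the console. The following is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) and read access to SYSVOL, and it uses two names the post does not mention, the GPC attribute gPCFileSysPath (the path to the matching GPT folder) and the GPT.INI file in that folder. It compares each GPC's versionNumber with its GPT version and lists GPOs that share a friendly name.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and read access to the domain and its SYSVOL share.
Import-Module ActiveDirectory

# GPCs sit under CN=Policies,CN=System,<domain DN>, as in the DN example above.
$domainDn   = (Get-ADDomain).DistinguishedName
$policiesDn = "CN=Policies,CN=System,$domainDn"

$gpcs = Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties cn, displayName, versionNumber, objectGUID, gPCFileSysPath

$report = foreach ($gpc in $gpcs) {
    # gPCFileSysPath (not mentioned in the post) points at the GPT folder in SYSVOL.
    $gptVersion = $null
    if ($gpc.gPCFileSysPath) {
        $gptIni = Join-Path $gpc.gPCFileSysPath 'GPT.INI'
        if (Test-Path -LiteralPath $gptIni) {
            $hit = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($hit) { $gptVersion = [int64]$hit.Matches[0].Groups[1].Value }
        }
    }

    [pscustomobject]@{
        DisplayName = $gpc.displayName      # friendly name, may repeat
        CN          = $gpc.cn               # GUID-format name, unique
        ObjectGUID  = $gpc.objectGUID       # GUID of the AD object itself
        GpcVersion  = $gpc.versionNumber
        GptVersion  = $gptVersion
        InSync      = ($null -ne $gptVersion -and $gptVersion -eq $gpc.versionNumber)
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize

# GPOs whose GPT is missing or whose GPC and GPT versions disagree.
$report | Where-Object { -not $_.InSync } |
    Format-Table DisplayName, CN, GpcVersion, GptVersion -AutoSize

# Friendly names shared by more than one GPO: displayName is not unique, the CN is.
$report | Group-Object DisplayName | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group | Select-Object DisplayName, CN }
```

A version mismatch can simply mean replication has not finished yet; one that persists on the same Domain Controller is worth investigating.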
