Group Policy is a great mechanism for deploying numerous settings across different Active Directory (AD) objects. But AD can become cluttered over time as more Group Policy Objects (GPOs) become unused and disabled, leading to inefficient GPO processing. In this three-part blog series, we’ll discuss how Group Policy works, how GPOs can become cluttered, and what you can do to easily declutter your GPOs. In this first blog, we’ll start out with the basics of Group Policy application.
Imagine that Mr. X is an employee working for ABC Corporation’s California office. Mr. X’s user account can be traced to the LDAP path of OU=UserAccounts, OU=California, DC=abc, DC=com. His computer account can be traced to the LDAP path of OU=ComputerAccounts, OU=California, DC=abc, DC=com. The GPOs that are applied to Mr. X’s user account and computer account are as follows:
User settings GPOs: Local GPO, Default Domain Policy (linked to the domain level), Printer settings policy (linked to the California OU), Network settings policy (linked to the UserAccounts OU)
Computer settings GPOs: Local GPO, Default Domain Policy (linked to the domain level), Printer settings policy (linked to the California OU), Start menu policy (linked to the ComputerAccounts OU)
How are GPOs processed?
Let’s now see how GPOs are processed for Mr. X’s user account and computer account. First, Mr. X’s workstation communicates with the domain controller through the SYSVOL share available on the domain controller. The GPOs targeting his workstation are then applied.
The domain controller determines the OU and site Mr. X’s workstation belongs to, and delivers the GPOs that are linked to that domain, site, and OU to the workstation. The list of these GPOs is stored, for tracking, in the registry.
The computer settings GPOs are processed in the following order: Local GPO -> Default Domain Policy -> Printer settings policy -> Start menu policy. Where two GPOs configure the same setting, the one processed later wins, so a setting in the Start menu policy linked to the OU overrides a conflicting setting in the Default Domain Policy.
Once the workstation has booted and the computer configurations are applied, the workstation is ready for Mr. X to log on. According to Mr. X’s user account location in AD, the domain controller delivers the applicable set of GPOs.
The user settings GPOs are processed in the following order: Local GPO -> Default Domain Policy -> Printer settings policy -> Network settings policy.
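The two processing orders above can be read directly from AD instead of being worked out from the OU path by hand. The following PowerShell is an added example, not code from the original post: it assumes the GroupPolicy RSAT module (which provides Get-GPInheritance) is installed, that the session runs as a user of the abc.com domain with read access to the OUs, and that the two distinguished names are the ones given for Mr. X above. The function name Get-GpoProcessingOrder is this example’s own.

```powershell
# Added example (not from the original post): reconstruct the order in which
# the client processes the GPO links for Mr. X's user OU and computer OU.
# Assumes: GroupPolicy RSAT module installed; session authenticated to abc.com.
Import-Module GroupPolicy

$UserOU     = 'OU=UserAccounts,OU=California,DC=abc,DC=com'
$ComputerOU = 'OU=ComputerAccounts,OU=California,DC=abc,DC=com'

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$TargetDn)

    # InheritedGpoLinks holds every effective link (site, domain and each OU
    # up the chain) in precedence order: the first entry has the highest
    # precedence, meaning it is applied last. Reversing it therefore yields
    # the processing order. The local GPO is not an AD link, so it is
    # prepended by hand as step 0.
    $inheritance = Get-GPInheritance -Target $TargetDn
    $links = @(@($inheritance.InheritedGpoLinks) | Where-Object { $_.Enabled })
    [array]::Reverse($links)

    $step = 0
    $rows = @([pscustomobject]@{ Step = $step; GPO = 'Local GPO'; LinkedTo = 'local computer'; Enforced = $false })
    foreach ($link in $links) {
        $step++
        $rows += [pscustomobject]@{
            Step     = $step
            GPO      = $link.DisplayName
            LinkedTo = $link.Target      # DN of the site, domain or OU carrying the link
            Enforced = $link.Enforced    # enforced links are pushed to the end of the order
        }
    }
    $rows
}

"Computer settings processing order for $ComputerOU"
Get-GpoProcessingOrder -TargetDn $ComputerOU | Format-Table -AutoSize

"User settings processing order for $UserOU"
Get-GpoProcessingOrder -TargetDn $UserOU | Format-Table -AutoSize
```

For the OUs in the example, the computer side prints Local GPO, Default Domain Policy, Printer settings policy, Start menu policy, and the user side prints Local GPO, Default Domain Policy, Printer settings policy, Network settings policy. Reading InheritedGpoLinks rather than walking the OU path yourself matters because an Enforced link higher up, or Block Inheritance on an OU, changes the effective order, and the last GPO in the order is the one whose value survives a conflict.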
How does the client process the GPO settings?
The client machine has client-side extension (CSE) files which process the GPO settings. Each CSE on the client machine opens every GPO and checks whether it has any settings that need to be processed.
Consider two CSEs named abc and xyz (for simplicity). While processing GPOs linked to Mr. X’s accounts, the abc CSE will check if there are any settings it needs to process in both the Computer Configuration and User Configuration settings for all GPOs. Once this is done, the process will be repeated for the next CSE and so on, until the last CSE file, xyz, finishes going through the GPO settings.
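To see the real CSEs behind the abc and xyz placeholders, and which GPOs each one recorded as processed during the last refresh, the following PowerShell can be run on a domain-joined client. It is an added example, not code from the original post. It reads the GPExtensions registration key, where Windows lists every CSE with its GUID and DLL, and the Group Policy History keys, where each CSE records the GPOs it processed (the machine-side history under HKLM, the user-side history under HKCU). The function names Get-RegisteredCse and Get-CseHistory and the $LinkType table are this example’s own; the GPOLink value mapping follows the GPO_LINK enumeration (1 = local, 2 = site, 3 = domain, 4 = OU). Run it elevated so the HKLM history keys are readable.

```powershell
# Added example (not from the original post): inventory the client-side
# extensions registered on this workstation and, for each, the GPOs it
# recorded during the last policy refresh.
# Assumes: a domain-joined Windows client; elevated session for HKLM access.

$GpExtensions   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$MachineHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$UserHistory    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'

# Meaning of the GPOLink value stored with each history entry (GPO_LINK enum).
$LinkType = @{ 0 = 'Unknown'; 1 = 'Local'; 2 = 'Site'; 3 = 'Domain'; 4 = 'OU' }

function Get-RegisteredCse {
    # One subkey per CSE, named by its GUID; the default value is the CSE name.
    Get-ChildItem $GpExtensions | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid            = $_.PSChildName
            Name            = $p.'(default)'
            Dll             = $p.DllName
            NoMachinePolicy = [bool]$p.NoMachinePolicy   # set when the CSE skips Computer Configuration
            NoUserPolicy    = [bool]$p.NoUserPolicy      # set when the CSE skips User Configuration
        }
    }
}

function Get-CseHistory {
    param([Parameter(Mandatory)][string]$HistoryRoot,
          [Parameter(Mandatory)][string]$CseGuid)
    $key = Join-Path $HistoryRoot $CseGuid
    if (-not (Test-Path $key)) { return }   # the CSE found nothing to process last time
    # Numbered subkeys 0, 1, 2 ... hold the GPOs in the order they were processed.
    Get-ChildItem $key | Sort-Object { [int]$_.PSChildName } | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Order    = [int]$_.PSChildName
            GPO      = $p.DisplayName
            LinkType = $LinkType[[int]$p.GPOLink]
            Sysvol   = $p.FileSysPath          # where the GPO's files were read from
        }
    }
}

foreach ($cse in Get-RegisteredCse) {
    "== $($cse.Name) $($cse.Guid) [$($cse.Dll)]"
    if (-not $cse.NoMachinePolicy) {
        '-- Computer Configuration history'
        Get-CseHistory -HistoryRoot $MachineHistory -CseGuid $cse.Guid | Format-Table -AutoSize | Out-String
    }
    if (-not $cse.NoUserPolicy) {
        '-- User Configuration history'
        Get-CseHistory -HistoryRoot $UserHistory -CseGuid $cse.Guid | Format-Table -AutoSize | Out-String
    }
}
```

The output makes the processing model concrete: every registered CSE appears, and under each one only the GPOs that actually contained settings for that extension, numbered in the order they were applied. CSEs with an empty history are the ones that opened each GPO and found nothing to do, which is exactly the wasted work that disabled or empty GPOs add to every refresh. The GPExtensions listing is also worth baselining, since the DLL path for each CSE should match a known-good inventory of the build.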
To recap, we discussed how GPOs are processed for computer settings during workstation bootup and for user settings when a user logs on. We also investigated how CSEs play a role in the Group Policy application process. In the coming set of blogs, we’ll be looking into how GPOs become cluttered and see how to declutter them.