{
	"id": "eaf17324-ee3b-45d4-b0d2-288a36896efd",
	"created_at": "2026-04-06T00:12:51.66751Z",
	"updated_at": "2026-04-10T13:12:33.268935Z",
	"deleted_at": null,
	"sha1_hash": "253d8640755e0e25618e8f43910dbe49d78fab43",
	"title": "Group Policy Basics - Part 1: Understanding the Structure of a Group Policy Object",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507196,
	"plain_text": "Group Policy Basics - Part 1: Understanding the Structure of a\r\nGroup Policy Object\r\nBy kexugit\r\nArchived: 2026-04-06 00:02:55 UTC\r\nAs a Windows administrator, you almost certainly have used Group Policies to control the settings deployed to the\r\nclients of your Active Directory infrastructure.  But with Group Policies getting such heavy use, not as many\r\nadministrators fully understand how Group Policy Objects (GPOs) are structured.  In this post, I will discuss the\r\nstructure of GPOs in order to help bring greater understanding to this topic.  When you're troubleshooting Group\r\nPolicies in your environment, it's helpful to understand how they're structured, and hopefully this post will clear\r\nup a bit of that mystery.\r\nGroup Policy Objects are actually composed of two parts, the Group Policy Container (GPC) which exists in\r\nActive Directory and the Group Policy Template (GPT) where the actual content of your GPOs resides.  A third\r\ncomponent, known as Client-Side Extensions (CSEs) can be found on client devices and are necessary for them to\r\nproperly process the Group Policies assigned to them.\r\nBefore we go through these individual pieces, take a look at how GPOs show up when viewed through the Group\r\nPolicy Management Console (GPMC).\r\nhttps://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/\r\nPage 1 of 14\n\nIn the early days of Active Directory, the only real way to get to a GPO is to open the location where it was linked\r\n(a domain, organizational unit, or site).  This made it appear that the GPOs existed at those place in the directory\r\nwhen they were actually only linked to those locations so that their settings would apply to the specified objects\r\nthey contained (such as the computer objects within a particular OU).  
With the GPMC, it's much clearer to see\r\nthat GPOs do not reside at these different points of the directory but instead exist separately and are only linked to\r\nthese different levels.\r\nTo see an example of where a GPO is linked, you can check the Scope tab of your selected GPO within the\r\nGPMC, as shown below.\r\nYou can see from this picture that the GPO I created named Event Log Size is linked to the Workstations OU\r\nwithin the W2K8Forest domain.  You can further see that the link is enabled (meaning the policy will apply), but it\r\nis not enforced (meaning that the policy can be blocked if the administrator of the Workstations OU wishes to\r\nprevent the policy applying).\r\nBut even the GPMC's view of where GPOs reside is a bit misleading as there really is no Group Policy Object\r\ncontainer in Active Directory.  Instead, the actual structure of the GPO is laid out as follows.\r\nGroup Policy Container (GPC)\r\nThe first piece of the GPO, while not within a container called Group Policy Objects, is still found within Active\r\nDirectory.  In order to see it, there are several options.  The most common is to use Active Directory Users and\r\nComputers.  If you choose this tool, you'll need to take the following steps to see the appropriate folder:\r\n1. Open Active Directory Users and Computers (you can do this by typing DSA.MSC at Start/Run)\r\n2. Select View from the menu bar and ensure Advanced Features is selected (if not, select it)\r\n3. Expand the System container and navigate to the Policies container\r\nIf you don't enable Advanced Features, you won't see the System container.  But after this is enabled, you should\r\nhave a screen similar to the one below:\r\nNotice that there are two containers, each with a string of numbers.  
Each of these represents a different GPO (the\r\nstring of numbers is the Globally Unique Identifier, or GUID, of each GPO).  Within each of these containers\r\nyou'll see a Machine and User container.  These contain specific information related to the User and Machine\r\nnodes of the GPO itself (as you might expect, the Machine node refers to computer settings and the User node\r\nrefers to user settings).\r\nAnother tool that you can use to view these folders is LDP.  To use LDP to see these folders, take the following\r\nsteps:\r\n1. Start LDP by typing LDP.EXE at Start/Run\r\n2. Select Connections from the menu bar and select Connect... to connect to the Domain Controller of your\r\nchoice.  Select OK\r\n   1. enter the fully qualified domain name of the Domain Controller\r\n   2. enter port 389 since you're doing an LDAP query\r\n3. Select Connections again and choose Bind...\r\n   1. Make sure you are binding to the directory with an account that has sufficient permissions to do an\r\n   LDAP query\r\n4. Select View and choose Tree.  Enter the distinguished name of your domain (for example:\r\ndc=W2K8Forest,dc=com).  Select OK\r\n5. In the left-hand column, expand the directory tree and navigate to Policies under the System container\r\nThere is one big difference when using LDP, which becomes immediately obvious after selecting one of the GPO\r\nnodes.  When you double-click it, you will suddenly see a great deal of information in the right-hand pane.  This is\r\nthe critical directory information that client machines use when processing GPOs.  
These settings allow clients to\r\nunderstand where the content of the policy is, which Client-Side Extensions will be needed to process the GPO\r\ncontent, etc.\r\nHere is a screenshot of what you'll see within the LDP window:\r\nLooking at the details of our selected GPO, there are several attributes which are of special interest to us:\r\ndisplayName: This attribute is the human-friendly name of your GPO\r\ngPCFileSysPath: This attribute points clients to the location where the GPO content can be found. \r\nCollectively, this is known as the Group Policy Template, which is housed in a share known as SYSVOL\r\ngPCMachineExtensionNames: Here is the list of Client-Side Extensions (CSEs) that will be needed by the\r\nclient in order to process all of the machine-side settings configured for this GPO\r\ngPCUserExtensionNames: This attribute contains the list of CSEs that will be needed to process the user-side settings.  As there are no user-side settings configured in this GPO, the attribute is not populated (and\r\nthus not displayed)\r\nAnother important attribute is gPLink and while it's not found as part of the GPO itself, you can find this attribute\r\neverywhere that the GPO is linked.  This allows objects within these other containers to know that there is a GPO\r\nit needs to process.  In the screenshot below, you can see that the gPLink attribute points to a single GPO found\r\nwithin the policies container of the system partition:\r\nSo now we've seen the Active Directory portion of the Group Policy object.  It contains settings so that the client\r\ncan learn which GPOs it must process, which tools it will need to process them, and how to locate the GPO\r\ncontents in order to process.  
Now that we've seen the first part, let's take a look at how and where the GPO\r\ncontent itself is stored.\r\nGroup Policy Template (GPT)\r\nThe Group Policy Template is where the meat of the GPO resides.  By way of comparison, think of how Active\r\nDirectory represents a computer object.  It lists all the relevant attributes of the computer, but the object in Active\r\nDirectory is not the computer itself.  In a similar way, the portion of the GPO in Active Directory merely\r\nrepresents the attributes relevant to the GPO content.  The content itself is known as the Group Policy Template,\r\nor GPT, and it resides in a share known as SYSVOL.  This share, like the portion of the GPO stored in Active\r\nDirectory, is replicated to every DC in the domain.  This way, when a client queries for the GPOs it needs to\r\nprocess, it can locate the contents of those GPOs on the same (in most cases) DC where it's conducting the query.\r\nNOTE: The only exception to this rule is cross-domain GPOs where a GPO is defined in another domain, but\r\nis linked in such a way that clients from neighboring domains need to apply them (a Site-level GPO is an\r\nexample, since Active Directory Sites can span multiple domains). In the case of a cross-domain GPO, the\r\nclient will need to pull content from a DC in the neighboring domain which can be a very slow process. For\r\nthis reason, cross-domain GPOs are not generally recommended.\r\nTo see the content of your GPOs, you'll want to look at the SYSVOL share on one of your DCs.  You can find the\r\nSYSVOL share by navigating to %windir%/sysvol/sysvol (yes, there is a shared SYSVOL folder within a parent\r\nSYSVOL folder).  
The actual sysvol share is set to \\\\\u003cservername\u003e\\sysvol.  Within this folder, you will see the\r\nsame list of GPOs that appear within Active Directory's System/Policies container.  These folders are where the\r\nactual settings of your GPO are contained.  Depending on the number of settings you've put in place, there will be\r\nmore or less present in each folder.  Regardless, you are guaranteed to have at least the following folders/files\r\nwithin each of your GPOs:\r\n%windir%\r\n  sysvol\r\n    sysvol (shared as \\\\servername\\sysvol)\r\n      \u003cdomain name\u003e\r\n        Policies\r\n        scripts\r\nWithin the policies folder, you'll find the various GPOs and their configured settings.  Again, the following\r\nfolders/files are guaranteed to be present for every GPO in your domain:\r\nPolicies\r\n  \u003cGPO GUID\u003e\r\n    Machine (folder containing the computer-side settings of the GPO)\r\n    User (folder containing the user-side settings of the GPO)\r\n    GPT.INI (file containing the GPO's configuration settings)\r\nDepending on what you've configured, the Machine and User folders may or may not contain additional content. \r\nAs an illustration, let's take a look at the contents of a GPO I've configured to set the various Event Logs on my\r\nclients to their maximum size.  First, here is the Group Policy Management Editor showing the settings I've\r\nconfigured.  This is the tool you'll be working with when you configure the settings for your own environment.\r\nIf you need to know how to launch this tool, you do so from within the Group Policy Management Console by\r\nright-clicking your GPO and selecting Edit... 
as shown below.\r\nSo now that you understand how to make these changes, what does the GPT look like once you've made them? \r\nBelow is a series of screenshots to answer that question.\r\nFirst, here is the file structure of the GPT, showing the GPO I've edited with its top level folders visible in the\r\nright-hand pane\r\nYou'll notice the file called GPT (it's actually GPT.INI, though the screenshot hides the file extension).  This file\r\ncontains the configuration settings for this GPO, which includes its current version number (which is updated\r\nevery time a change to the GPO is made) and the default GPO display name (which is the same for every GPO\r\nyou create, so don't worry that it's not the name you gave it in the GPMC).  Here is how that file looks (NOTE:\r\nYou can open GPT.INI with Notepad, but make sure you don't accidentally save it as a .txt file or it will\r\nimpact your GPO's ability to do its job)\r\nTo see the actual settings we've configured for this GPO, we need to expand the Machine folder (because this is a\r\ncomputer-side setting), which reveals the following:\r\nYou'll notice that there is a folder called SecEdit, which contains the security-specific settings of this GPO.  The\r\nfile within the SecEdit folder is GptTmpl.inf.  It's this file that contains the specific information that your client\r\nneeds to configure its settings.  
Because we've configured this GPO so that its Event Logs are set at the maximum\r\nsize, we would expect that this file would contain information directing the client to make this change.  By\r\nopening the file we can see that its contents do exactly as we would expect, as shown below (NOTE: you can\r\nedit it with Notepad, but make sure you don't accidentally save it [or GPT.INI] as a .txt file after looking at\r\nit!).\r\nWe can see from this picture that GptTmpl.inf has clear instructions for our client machine to set its Application,\r\nSecurity and System Event Logs to their maximum size.\r\nAs I said earlier, there can be numerous different settings in the GPT file structure depending on how you've\r\nconfigured your GPO.  Other possible folders and files that might appear include:\r\nScripts folder - This folder can contain information on which scripts to run, or may include the scripts\r\nthemselves.  The possible types of scripts include:\r\n  Startup/Shutdown: applies to Computers\r\n  Logon/Logoff: applies to Users\r\nApplications folder - if you've published or advertised software through a GPO, this folder will contain an\r\nadvertisement file (.aas file extension) notifying clients of the software being made available\r\nAdm folder - Older GPO versions had Administrative Templates stored within the GPT on each Domain\r\nController.  These templates were actually copied from client machines into the SYSVOL share of the\r\nDomain Controller.  Starting with Vista, GPOs no longer do this (though if you edit a GPO with a pre-Vista OS, it will still behave this way).  GPOs now leverage ADMX files that are stored in a Central Store\r\non client machines (typically c:\\windows\\policydefinitions) instead of the GPT.  
But given that many older\r\ndevices are still out there, you may see this folder in your GPT.\r\nDocuments and Settings folder - this folder contains any Folder Redirection settings configured by the\r\nGPO.\r\nIEAK folder - this user-side folder contains settings related to Internet Explorer Maintenance.\r\nRegistry.pol - this file contains the registry settings the GPO has been configured to apply.  This file also\r\ncontains any Software Restriction Policy settings that have been configured.\r\nIn part 2 of this series, we'll look at details of GPO processing, with an emphasis on Client-Side Extensions\r\n(CSEs).  We'll also discuss how GPOs are replicated, and how a client knows it's getting the latest version of its\r\nGPO (including knowing whether the GPC and GPC are synchronized with each other).\r\nAnonymous\r\nJanuary 01, 2003\r\nGood note, thanks for sharing :)\r\nAnonymous\r\nJanuary 01, 2003\r\nNo words...this is an excellent article!\r\nAnonymous\r\nAugust 21, 2013\r\nThanks for sharing - simple explanation for GPO\r\nAnonymous\r\nMay 27, 2014\r\nawesome explanation...hard to find.\r\nAnonymous\r\nJune 12, 2014\r\ngood note, thank u for sharing\r\nAnonymous\r\nJune 14, 2014\r\nGood explanation for easy self-practices...Thanks a lot!\r\nAnonymous\r\nJuly 15, 2014\r\namazing one\r\nAnonymous\r\nAugust 15, 2014\r\nUseful post\r\nAnonymous\r\nAugust 20, 2014\r\ngreat post, thanks for sharing this\r\nAnonymous\r\nSeptember 07, 2014\r\namazing post\r\nAnonymous\r\nSeptember 16, 2014\r\nThank You very much; you are appreciated!\r\nAnonymous\r\nOctober 21, 2014\r\nExcellent, very clearly, neatly explained. 
thank you so much.!\r\nAnonymous\r\nOctober 21, 2014\r\nAmazing......Just what i needed!!!!\r\nThanks a lot!!!!\r\nAnonymous\r\nNovember 24, 2014\r\nNice one, Thanks.\r\nAnonymous\r\nDecember 17, 2014\r\nGood presentation for how to set up group policy options thanks\r\nAnonymous\r\nJanuary 14, 2015\r\nIt's really helpful for administrators. Thanks a lot!!\r\nAnonymous\r\nJanuary 19, 2015\r\nExcellent explanation of GPO Thanks a lot.\r\nAnonymous\r\nFebruary 06, 2015\r\nHello,\r\nthanks for explanation. Well done!\r\none more thing, didn't you mean in the last sentence whether the GPC and GPT are sync?\r\n(including knowing whether the GPC and GPC are synchronized with each other).\r\nAnonymous\r\nApril 01, 2015\r\nVery helpful post. Many thanks!\r\nAnonymous\r\nApril 07, 2015\r\nIt's good notes but we need short and sweet\r\nAnonymous\r\nMay 06, 2015\r\nThank you!!\r\nAnonymous\r\nMay 06, 2015\r\nThank you!!\r\nAnonymous\r\nMay 20, 2015\r\nGPO made a chaotic impression to me until now. Since I read this post, everything is clear. - Thanks a lot!\r\nAnonymous\r\nMay 20, 2015\r\nTrying to find an article to answer the question that if there is a setting in both the user's container in Active\r\nDirectory users and computers AND there is also a group policy object that contains that setting, which one\r\ntakes precedence? I am going to guess the GPO but am not sure (the setting is for the Remote Desktop\r\nServices idle session timeout - a bunch of users have these set on their user's object but I would like to set a\r\npolicy at the domain level to override for everyone.\r\nAnonymous\r\nJuly 10, 2015\r\nVery clear and helpful... 
Request to post an article for group policy as SME preparation point of view\r\nAnonymous\r\nSeptember 15, 2015\r\ncan one recreate a missing gpt.ini?\r\nAnonymous\r\nSeptember 15, 2015\r\nQuite helpful\r\nAnonymous\r\nOctober 08, 2015\r\nIt's very nicely explained and easy to understand\r\nAnonymous\r\nNovember 08, 2015\r\nGreat Work\r\nSource: https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
	],
	"report_names": [
		"group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object"
	],
	"threat_actors": [],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/253d8640755e0e25618e8f43910dbe49d78fab43.pdf",
		"text": "https://archive.orkl.eu/253d8640755e0e25618e8f43910dbe49d78fab43.txt",
		"img": "https://archive.orkl.eu/253d8640755e0e25618e8f43910dbe49d78fab43.jpg"
	}
}