Search notes:

Windows: Group Policy

The purpose of Group Policy is to automate the application of policy settings on computers in an Active Directory domain, thus faciliting the one-to-many management of such policies.

The engine behind Group Policy is located in userenv.dll and runs in the winlogon.exe process.

Group Policy Object (GPO)

GPOs are stored on the SYSVOL share of a domain controller within AD.

These GPOs are transferred to a computer and the applied by a client side execution (CSE) mechanism.

Client Side Execution

The CSEs are started by winlogon.exe at computer startup, user logon and periodically.

Each CSE has a corresponding entry in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Group Policy Extensions

Group Policy Extensions include

gptext.dll
fdeploy.dll
scecli.dll
dskquota.dll
iedkcs32.dll
appmgmts.dll
userenv.dll

Group Policy Folder

A Group Policy is identified by a GUID.

The domain controller manages a folder whose name corresponds to this GUID in the SYSVOL folder. These folders are replicated to other domain controllers.

The content of such the folder includes:

ADM stores all .adm files for the GPO
Machine stores a Registry.pol file that contains all registry settings that need to be applied below HKEY_LOCAL_MACHINE
User also stores a Registry.pol file with settings for HKEY_CURRENT_USER

Common Information Model Object Management (CIMOM) database

The CIMOM database collects all Group Policy processing information.