Group Policy Processing At Client Computers

by [Published on 14 Dec. 2010 / Last Updated on 31 Oct. 2009]

This article explains how Group Policy processing happens at the client computers.

A client computer joined to domain gathers the list of GPOs to be processed as mentioned below:

  • Client computer starts.
  • Winlogon Service on the client computer starts. The DCLocator component executes an API call; DsGetDcName to find the domain controller. A DNS Query is send to configured DNS Server.
  • DNS Server receives the DNS Query and provides the list of domain controllers.
  • Winlogon selects one of the Domain Controller listed in the list and then authenticates the client computer.
  • Winlogon now processes the GPOs to be applies to the computer.
  • It checks the location of Computer Account in the Active Directory and then check the GPOs configured on the OU.
  • Winlogon checks the following permissions for the Computer Account.

Authenticated Users: Read and AGP

Note: Authenticated Users is added by default when you create a GPO and this Security Group has all authenticated domain users and computer accounts.

  • Winlogon next checks the gpcFilePath in the Active Directory to check the path of the SYSVOL share where this policy resides. A gpcFilePath looks like below:


Note: If this attribute is missing or has an empty value then this Group Policy will not be processed for client computers.

  • After it has found the sysvol path, it then processes the Registry.POL file in the GUID folder. The Registry.POL file contains the Registry based settings you have defined in the Group Policy.
  • It processes the settings and activity is logged into the Winlogon.log file of client computer.


See Also

The Author — Nirmal Sharma

Nirmal Sharma avatar

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.

Featured Links