I’m researching how Local Group Policies work on Windows 11 (I will call them policies for simplicity, because there are no non-group policies). There is tons of documentation about what policies manage, but not so much on how it is done. I found this write-up, which was of great help.
So far I have established these facts (please correct me if I’m wrong):
- Policies is just a fancy name for a set of registry values defined by `gpedit` and maintained by `gpupdate`. All policies are registry values in the end.
- Group Policy Object (GPO) is a virtual term for a set of policies (=registry values). It is a bit misleading as there are no .gpo files.
- There are three logical kinds of policies: registry, security and audit.
- Registry policies are stored as `registry.pol` files in `User` and `Machine` subfolders of `C:\Windows\System32\GroupPolicy`.
- Security and audit policies are stored directly in the registry, but can be exported/imported to/from text files (`secpol.inf` and `audit.csv`) using built-in system tools.
- The administrative templates defined in `.adm` and `.admx` files are just UI templates for `gpedit` and some other tools, such as `PolicyPlus`. They don’t play any role in the policy propagation chain.
- Many third-party configuration tools write registry policies directly to the registry, which is wrong, because they may get overwritten by `gpupdate`.
- Registry policy files (`registry.pol`) can be generated and updated not only by `gpedit`, but by other tools (`LGPO.exe`) which in turn rely on WinAPI to do the work.
There are some open questions though:
- Are there tools which can generate `registry.pol` from the current set of applied registry policies (that is, whatever is defined under the `SOFTWARE\Policies` subkeys in HKCU and HKLM)?
- Is the policy system limited to the `SOFTWARE\Policies` subkeys? For example, can there be policies for `HKEY_CLASSES_ROOT` for maintaining file extension handlers?
- Are there tools to validate registry policies defined in a text file (or in some other common format) against `.admx` templates?
Please help to fill in the blanks. Thanks.
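
As an added illustration, not part of the original post: a minimal Python reader for the `registry.pol` (PReg) layout that lists a file's entries and reports any whose key lies outside `Software\Policies`. The function names and the sample entries are constructed for this example; the layout assumed is a `PReg` signature and version 1 followed by UTF-16LE `[key;value;type;size;data]` records.

```python
import struct

SIGNATURE = b"PReg" + struct.pack("<I", 1)  # magic + format version 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

def _wide(s):
    return s.encode("utf-16-le")

def _expect(blob, pos, ch):
    # Delimiters ('[', ';', ']') are stored as 2-byte UTF-16LE characters.
    if blob[pos:pos + 2] != _wide(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(blob, pos):
    # Key and value names are NUL-terminated UTF-16LE strings.
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_pol(blob):
    # Returns a list of (key, value_name, type_name, raw_data) tuples.
    if blob[:8] != SIGNATURE:
        raise ValueError("not a registry.pol (PReg v1) file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype, = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        size, = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value, REG_TYPES.get(rtype, str(rtype)), data))
    return entries

def outside_policies(entries, root="software\\policies\\"):
    # Entries whose key is not under the given subtree (case-insensitive).
    return [e for e in entries if not e[0].lower().startswith(root)]

def make_entry(key, value, rtype, data):  # builds the constructed sample below
    return (_wide("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
            + _wide(";") + struct.pack("<I", len(data)) + _wide(";") + data + _wide("]"))

SAMPLE = (SIGNATURE  # constructed input, not taken from a real machine
          + make_entry("Software\\Policies\\Example", "Enabled", 4, struct.pack("<I", 1))
          + make_entry("Software\\Classes\\.example", "", 1, _wide("ExampleHandler\0")))
```

To inspect a real file, pass the bytes of `Machine\registry.pol` or `User\registry.pol` to `parse_pol`; keys in the file are relative to the hive implied by the subfolder.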