A couple of weeks ago I was in the office writing up a report for a Group Policy Health Check that I was doing for a customer. As I was going through the results I asked myself this question. I didn’t know the answer so I asked two of my PFE colleagues - Jimmy and Marc. Since none of us were able to answer the question straight away (and they are both pretty smart fellas) I deemed the question worthy of a blog post.
The Short Answer: Site-Linked GPOs are stored in the domain where you created them.
The Long (and geekier) Answer:
There are two main components to group policy objects (GPOs):
Figure 1 - You can view the GPC in Active Directory Users and Computers. gPCFileSysPath points to the UNC path of the GPT.
Figure 2 - GPOs are stored in SYSVOL under the "Policies" folder
There is one more piece that glues group policy together: GPLINK
Figure 3- You can view the GPLink value on the domain/OU object where a GPO is linked
Here’s a diagram to piece it all together: I’ve colour coded the major events to show what happens from a client perspective in a GPSvcLog.
That answers the first part of the question. Now for the second part:
Why is it important to know where your site linked GPOs are stored (why should you care)?
Consider this example:
Now you can probably start to see why you should plan carefully when you link GPOs to a site. I’ll explain..
Since the local DC (DC1) only holds a copy of SYSVOL for Contoso.com the client must pull the GPT from a remote DC in the Corp.Contoso.com domain.
Here lies the problem. Depending on the WAN connection, pulling the GPC/GPT from a remote Domain Controller on every boot/logon and background refresh could have a massive impact on group policy performance which usually means a long boot and logon time - which generally makes people upset. A better solution would be either:
 One more important bit of information that was kindly pointed out to me by my mate Steve Moore...
If you created site-linked GPOs on a Windows 2000 domain controller the default behaviour was to store the GPC and GPT in the forest root domain. So its possible that if you have some really really old GPOs in your forest you could be hitting this issue and dont even know about it.
- Scott Duffey