1.3.1 Background

The Group Policy: Core Protocol, as specified in [MS-GPOL], allows clients to discover and retrieve policy settings created by administrators of a domain. These settings are persisted within Group Policy Objects (GPOs) that are assigned to Policy Target accounts in Active Directory. Policy Target accounts are either computer accounts or user accounts in Active Directory. Each client uses Lightweight Directory Access Protocol (LDAP) to determine what GPOs are applicable to it by consulting the Active Directory objects corresponding to both its computer account and the user accounts of any users logging on to the client computer.

On each client, each GPO is interpreted and acted upon by client plug-ins. The client plug-ins that are responsible for a given GPO are specified using an attribute on the GPO. This attribute specifies a list of globally unique identifier (GUID) pairs. The first GUID of each pair is referred to as a client-side extension GUID (CSE GUID). The second GUID of each pair is referred to as a tool extension GUID.

For each GPO that is applicable to a client, the client consults the CSE GUID listed in the GPO to determine what client plug-in on the client will handle the GPO. The client then invokes the client plug-in to handle the GPO.

A client plug-in uses the contents of the GPO to retrieve settings specific to the client plug-in in a manner specific to the client plug-in. After the client plug-in-specific settings are retrieved, the client plug-in uses those settings to perform the client plug-in-specific processing.