1.3 Overview

The Group Policy: Central Access Policies Extension is a Group Policy extension that enhances the functionality of Group Policy. It enables Group Policy administrators to specify, on Group Policy servers, the CAPs that are to be configured on a Group Policy client computer, such as a file server, to control access to resources on those computers. CAPs take effect only after a local resource administrator applies them to resources on the Group Policy client computers.

Policy settings for the Group Policy: Central Access Policies Extension are specified by one or more Group Policy Objects (GPOs) that reside in the Group Policy data store. Each GPO contains a logical component in Active Directory and a physical (file system) component that is stored on a file share, such as the Group Policy file share, which is either remote or local to the Group Policy server. The logical component defines policy metadata that is held by GPO attributes and is used to define such things as the extensions that apply to a client and the file system location where policy settings and other information is stored. The physical component holds a specially formatted file containing identifiers that enable an implementation to locate CAP objects in Active Directory, to facilitate the subsequent configuration of authorization policies on Group Policy client computers. The Group Policy administrator uses these components to define the central access policy (CAP) configuration that is applied to a policy target, such as a Group Policy client.

The Group Policy: Central Access Policies Extension protocol implements both a client-side and an administrative-side extension, the globally unique identifiers (GUIDs) for which are specified in section 1.9. The administrative side, sometimes referred to as an administrative plug-in, is invoked by the Administrative tool when the Group Policy administrator creates, modifies, or deletes central access policies. The client side, sometimes referred to as a client plug-in, is invoked to initiate the application of client access policies on a target computer, such as a Group Policy client.