1.3.2.1 Central Access Policy Administration

Policy administration is driven by an Active Directory administrator and a Group Policy administrator. The administration of central access policies involves creating a CAP object and associating it with one or more GPOs.

Creating CAPs — An Active Directory administrator authors CAPs in Active Directory by using an administrative interface that can define authorization policies, such as an Active Directory Administrative Console. The schema for a CAP object is specified in [MS-ADSC] section 2.97 and the schema for the object’s attributes is specified in [MS-ADA2] sections 2.115 through 2.121.

Configuring GPOs — Group Policy administrators configure CAP settings in Group Policy by:

  • Using an Administrative tool to create or edit GPOs in Active Directory.

  • Associating computer accounts with one or more GPOs.

  • Specifying the CAPs for the computer accounts with which one or more GPOs are associated.

The administrative side of the Group Policy: Central Access Policies Extension interacts with the CAP policy file through an implementation-specific Administrative tool, such as the Group Policy Management Console. When the administrative-side extension is invoked by the Administrative tool, the Group Policy administrator can either create a new policy or retrieve and edit an existing one. If the Group Policy administrator is working with a new CAP policy, then he or she will create and configure a new GPO in Active Directory, which includes associating the GPO with one or more CAP objects and setting the GPO's gPCFileSysPath attribute to specify the Group Policy file share location where CAP policy settings are to be stored. If the Group Policy administrator is retrieving an existing policy, the GPO data is read and displayed by the Administrative tool and policy settings can then be modified as required. After the Group Policy administrator creates or modifies policy settings, the changes are propagated back into the logical component of the GPO and to the policy file on the Group Policy file share, via LDAP and a file access protocol, respectively.<1>
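The two halves of the administration described above (CAP objects authored in Active Directory, and GPOs whose gPCFileSysPath points at the file share copy of the CAP settings) can be inventoried from the administrative side. The following PowerShell script is an added example, not part of this specification or of any Microsoft tool; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the relative folder it probes under gPCFileSysPath is an assumption about where an implementation keeps its CAP policy file.

```powershell
# Added example (not from [MS-GPCAP]): list the CAP objects in the domain and,
# for every GPO, the Group Policy file share location (gPCFileSysPath) where its
# CAP policy settings would be stored, so the two copies can be cross-checked.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to
# the domain's policies container and to the Group Policy file share.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Central access policy objects authored in Active Directory
#    (object schema in [MS-ADSC] section 2.97).
$caps = Get-ADCentralAccessPolicy -Filter * -Properties Members
foreach ($cap in $caps) {
    # Members holds the DNs of the central access rules the CAP is composed of.
    $ruleNames = foreach ($dn in $cap.Members) {
        (Get-ADCentralAccessRule -Identity $dn).Name
    }
    Write-Output ("CAP '{0}' ({1}): rules = {2}" -f $cap.Name,
        $cap.DistinguishedName, ($ruleNames -join ', '))
}

# 2. GPOs: read the logical object over LDAP and resolve gPCFileSysPath, the
#    file share location the administrative tool sets when it creates the GPO.
foreach ($gpo in Get-GPO -All) {
    $gpoObject = Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath
    $sharePath = $gpoObject.gPCFileSysPath

    # Assumed (implementation-specific) folder for the CAP policy file under the
    # GPO's share; adjust to the location your implementation actually uses.
    $capFolder = Join-Path -Path $sharePath -ChildPath 'Machine\Microsoft\Windows NT\CAP'
    $hasCapSettings = Test-Path -Path $capFolder

    Write-Output ("GPO '{0}' -> {1} (CAP settings present: {2})" -f
        $gpo.DisplayName, $sharePath, $hasCapSettings)
}
```

A GPO that reports CAP settings present but whose folder cannot be read, or a CAP object referenced from the share that no longer exists in Active Directory, indicates the LDAP copy and the file share copy have drifted apart and the policy will not apply as intended.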