1.3.2.2 Central Access Policy Configuration Process

Group Policy clients are notified of changes in Group Policy when Group Policy fires the Process Group Policy event (section 3.2.4.1).

The CSE of the Group Policy: Central Access Policies Extension protocol does not itself apply CAPs to Group Policy client computers; rather, it carries out the configuration process that populates the client-side ADM. The ADM in turn holds the state that client-side administrative tools need for the initial application and later update of CAPs on Group Policy client computers. A local resource administrator runs these tools when ready to apply or update CAPs on a Group Policy client computer.

Note  In Group Policy, the periodic application of policy is triggered by the core Group Policy engine at regular refresh intervals, which is known as background policy application. This is different from the manual application of CAPs that is initiated by a local resource administrator.

To support the CAP configuration process, the CSE of the Group Policy: Central Access Policies Extension protocol retrieves the CAP settings after the Process Group Policy event fires. The CSE uses LDAP to read the GPOs in Active Directory whose attributes identify where the CAP data is located, including the file access protocol path of the policy file that holds the policy settings. The CAP configuration process on a Group Policy client computer is then completed when the CSE performs the following:

  • Retrieves the policy file containing the policy settings from the Group Policy file share via file access protocol sequences.

  • Parses the file contents to obtain the LDAP distinguished names (DNs) of applicable CAP objects.

  • Invokes LDAP to retrieve the authorization rules contained in the CAP objects in Active Directory.

  • Populates the client-side ADM to maintain the state that enables the subsequent manual application of CAPs on Group Policy client computers.
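The four steps above, carried through end to end as an added example. This is not code from the MS-GPCAP specification or from Windows: the Group Policy file share and Active Directory are replaced by in-memory dictionaries constructed here so the process can be run and checked without a domain. The INI-style layout of the policy file, the GPO path used as its key, the constructed DNs and CAP IDs, and the msAuthz-* attribute names are assumptions (the attribute names follow the AD schema as I recall it) and are illustrative only. The example also shows the failure mode a practitioner cares about: a DN that the policy file still lists but that no longer resolves in AD is recorded separately rather than silently dropped, so the administrative tools can report what they will not be able to apply.

```python
"""Offline simulation of the CAP configuration process (added example,
not MS-GPCAP or Windows code).  File share and AD are constructed dicts."""
import re
from typing import Dict, List, Optional

# Constructed DNs; the container names follow the AD schema as assumed here.
BASE = "CN=Claims Configuration,CN=Services,CN=Configuration,DC=contoso,DC=com"
CAP_FINANCE = f"CN=Finance Documents,CN=Central Access Policies,{BASE}"
CAP_HR = f"CN=HR Records,CN=Central Access Policies,{BASE}"
CAP_STALE = f"CN=Retired Policy,CN=Central Access Policies,{BASE}"  # listed, but deleted from AD
RULE_FINANCE = f"CN=Finance Staff Only,CN=Central Access Rules,{BASE}"
RULE_HR = f"CN=HR Staff Only,CN=Central Access Rules,{BASE}"

# Step 1 stand-in: the policy file on the GPO's file share, keyed by an assumed path.
# The duplicate HR line differs only in case to show DNs are matched case-insensitively.
POLICY_PATH = r"\\contoso.com\SysVol\contoso.com\Policies\{00000000-0000-0000-0000-000000000001}\Machine\CAP.inf"
FILE_SHARE: Dict[str, str] = {
    POLICY_PATH: "\n".join([
        "[Version]", 'signature="$CHICAGO$"', "Revision=1", "",
        "[Central Access Policies]",
        f'"{CAP_FINANCE}"', f'"{CAP_HR}"', f'"{CAP_HR.upper()}"', f'"{CAP_STALE}"',
    ]),
}

# Step 3 stand-in: CAP and rule objects as the CSE would read them over LDAP (constructed).
DIRECTORY: Dict[str, dict] = {
    CAP_FINANCE: {"objectClass": "msAuthz-CentralAccessPolicy",
                  "msAuthz-CentralAccessPolicyID": "S-1-17-1000001",
                  "msAuthz-MemberRulesInCentralAccessPolicy": [RULE_FINANCE]},
    CAP_HR: {"objectClass": "msAuthz-CentralAccessPolicy",
             "msAuthz-CentralAccessPolicyID": "S-1-17-1000002",
             # second link points at a rule that no longer exists in AD
             "msAuthz-MemberRulesInCentralAccessPolicy": [RULE_HR, f"CN=Deleted Rule,CN=Central Access Rules,{BASE}"]},
    RULE_FINANCE: {"objectClass": "msAuthz-CentralAccessRule",
                   "msAuthz-ResourceCondition": '(@RESOURCE.Department == "Finance")',
                   "msAuthz-EffectiveSecurityPolicy": 'O:SYG:SYD:(XA;;FA;;;AU;(@USER.Department == "Finance"))'},
    RULE_HR: {"objectClass": "msAuthz-CentralAccessRule",
              "msAuthz-ResourceCondition": '(@RESOURCE.Department == "HR")',
              "msAuthz-EffectiveSecurityPolicy": 'O:SYG:SYD:(XA;;FA;;;AU;(@USER.Department == "HR"))'},
}


def read_policy_file(file_share: Dict[str, str], path: str) -> Optional[str]:
    """Step 1: fetch the policy file from the GPO's file share (a dict lookup here)."""
    return file_share.get(path)


def parse_policy_file(text: str) -> List[str]:
    """Step 2: return the CAP DNs under [Central Access Policies], in file order,
    dropping case-insensitive duplicates; other sections are ignored."""
    dns: List[str] = []
    seen = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "central access policies":
            dn = line.strip('"')
            if dn.lower() not in seen:
                seen.add(dn.lower())
                dns.append(dn)
    return dns


def ldap_read(directory: Dict[str, dict], dn: str) -> Optional[dict]:
    """Step 3 stand-in for an LDAP base-scope read of one object by DN."""
    for key, attrs in directory.items():
        if key.lower() == dn.lower():
            return attrs
    return None


def retrieve_cap(directory: Dict[str, dict], cap_dn: str) -> Optional[dict]:
    """Step 3: resolve one CAP object and the authorization rules it links to."""
    obj = ldap_read(directory, cap_dn)
    if obj is None or obj.get("objectClass") != "msAuthz-CentralAccessPolicy":
        return None  # missing, or not a CAP object: the caller records it
    rules = []
    for rule_dn in obj.get("msAuthz-MemberRulesInCentralAccessPolicy", []):
        rule = ldap_read(directory, rule_dn)
        if rule is None:
            continue  # dangling link: drop that rule, keep the CAP
        rules.append({"dn": rule_dn,
                      "resource_condition": rule.get("msAuthz-ResourceCondition"),
                      "effective_policy": rule.get("msAuthz-EffectiveSecurityPolicy")})
    return {"id": obj.get("msAuthz-CentralAccessPolicyID"), "rules": rules}


def configure_caps(file_share: Dict[str, str], policy_path: str, directory: Dict[str, dict]) -> dict:
    """Steps 1-4: populate the client-side ADM (a dict here).  DNs named in the
    policy file that no longer resolve are kept under 'Unresolved'."""
    adm: dict = {"CentralAccessPolicies": {}, "Unresolved": []}
    text = read_policy_file(file_share, policy_path)
    if text is None:
        return adm  # no policy file in the GPO: nothing to configure
    for dn in parse_policy_file(text):
        cap = retrieve_cap(directory, dn)
        if cap is None:
            adm["Unresolved"].append(dn)
        else:
            adm["CentralAccessPolicies"][dn] = cap
    return adm


if __name__ == "__main__":
    result = configure_caps(FILE_SHARE, POLICY_PATH, DIRECTORY)
    for dn, cap in result["CentralAccessPolicies"].items():
        print(f"{dn}: id={cap['id']} rules={len(cap['rules'])}")
    print("unresolved:", result["Unresolved"])
```

The ADM produced here is only the state the administrative tools consume; nothing in this step grants access. That matches the split the section draws: the CSE fetches and stores, and a local resource administrator later applies the CAPs manually with a tool.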

Authorization policies are applied manually on a Group Policy client computer, such as a file server, by a local resource administrator using an administrative tool. Once CAPs have been applied, the Group Policy client uses them to authorize access to the specific resources that the CAPs identify. For details on how CAPs are evaluated during the authorization process, refer to [MS-DTYP] section 2.5.3.2.