1.3.2 Central Access Policies Protocol Extension Overview
CAP settings identify authorization policies that are defined in Active Directory. More specifically, CAP settings contain the identifiers of authorization policies that are to be configured on Group Policy client computers for centralized control of user access to resources. An authorization policy is specified by a central access rule (CAR) that exists within a CAP object. The Group Policy: Central Access Policies Extension enables these authorization policies, specified within CAP settings, to be applied by authorization routines [MS-DTYP] section 2.5.3.2 on Group Policy client computers.
The general sequence in which CAPs are implemented is as follows:
1. Author CAPs in Active Directory with an appropriate tool. CAP objects contain one or more central access rules (CARs), which in turn specify an authorization policy that defines how access to resources is controlled.
2. Target specific Group Policy client computers for CAP application through GPO configuration and assignment.
3. Invoke the CSE to populate the client-side ADM with CAP configuration data.
4. Apply CAPs to individual Group Policy client resources (by a local resource administrator).
5. Enforce CAP authorization rules on Group Policy client computers.
When a user attempts to access resources that have a CAP that was applied via access to client-side ADM values, the CAP authorization rules are enforced.
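
To review what step 1 of the sequence above has produced, the following added example (not part of the specification) lists each CAP in Active Directory with its identifier and the CARs it contains. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the directory; the function name `Get-CapInventory` and the `Note` column are hypothetical.

```powershell
# Added example: inventory CAP objects and the CARs they contain.
# Assumption: the RSAT ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-CapInventory {
    foreach ($cap in Get-ADCentralAccessPolicy -Filter *) {
        # A CAP with no member rules specifies no authorization policy; surface it for review.
        if (-not $cap.Members) {
            [pscustomobject]@{
                Policy            = $cap.Name
                PolicyID          = $cap.PolicyID
                Rule              = $null
                ResourceCondition = $null
                HasProposedAcl    = $false
                Note              = 'CAP contains no CARs'
            }
            continue
        }
        foreach ($ruleDn in $cap.Members) {
            # Each member is the distinguished name of a central access rule.
            $car = Get-ADCentralAccessRule -Identity $ruleDn `
                       -Properties CurrentAcl, ProposedAcl, ResourceCondition
            $notes = @()
            if (-not $car.ResourceCondition) {
                # No target condition: the rule is not scoped to a subset of resources.
                $notes += 'no resource condition'
            }
            if ($car.ProposedAcl) {
                # A proposed (staged) ACL is present alongside the current one.
                $notes += 'staged ACL present'
            }
            [pscustomobject]@{
                Policy            = $cap.Name
                PolicyID          = $cap.PolicyID
                Rule              = $car.Name
                ResourceCondition = $car.ResourceCondition
                HasProposedAcl    = [bool]$car.ProposedAcl
                Note              = ($notes -join '; ')
            }
        }
    }
}

# One row per CAP/CAR pair, ready for review or export.
Get-CapInventory | Sort-Object Policy, Rule | Format-Table -AutoSize
```

The `PolicyID` column is the identifier that CAP settings carry to Group Policy client computers, so it is the value to compare against what is configured on a client.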