3.2.5.3 Retrieving the Assigned Policy Location, Name, and Description

The client MUST determine the location of the currently assigned policy by accessing the ipsecOwnersReference attribute, as specified in [MS-ADA1] section 2.330, "Attribute ipsecOwnersReference", of the IPSEC object cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine,<GPO DN>, for the last (highest precedence) GPO of the FilteredGPOList ADM element. The ipsecOwnersReference attribute contains the DN of the ipsecPolicy object that is to be applied to the client machine.

Similarly, the assigned policy name and description MUST be read by retrieving the ipsecName and description values. These values MUST be interpreted as a Directory String (section 2.2.2).

To retrieve the assigned IPsec policy location, name, and description for a GPO, an LDAP operation MUST be performed using the operation specified in [MS-ADTS] section 7.6.1.6, "Performing an LDAP Operation on an ADConnection". The TaskInputADConnection value MUST be the ADCONNECTION_HANDLE object ([MS-DTYP] section 2.2.2, "ADCONNECTION_HANDLE") stored in ADConnectionHandle. The TaskInputRequestMessage MUST contain an LDAP searchRequest message ([RFC2251] [RFC2254]) with the values specified in section 2.2.3.1.

The client MUST first send an LDAP SearchRequest message requesting only the objectClass attribute, as specified in section 2.2.3.1. If this operation succeeds, the client MUST then send a second LDAP SearchRequest message requesting the ipsecOwnersReference, ipsecName, and description attributes, as specified in section 2.2.3.1.

If either LDAP SearchRequest message fails, the local IPsec component MUST be signaled so that it can enter a known-safe state. Otherwise, the client MUST retrieve its assigned policy data (section 3.2.5.4).
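The two-step search and the failure handling described above, as an added example that is not part of the specification: `FakeADConnection`, its `search` method, the `{GPO-A-GUID}`/`{GPO-B-GUID}` names and the sample directory are constructed stand-ins for the ADCONNECTION_HANDLE and a real directory, not protocol elements.

```python
from typing import Dict, List, Optional, Tuple

IPSEC_RDN = "cn=ipsec,cn=Windows,cn=Microsoft,cn=Machine"
POLICY_ATTRS = ["ipsecOwnersReference", "ipsecName", "description"]

# Constructed sample directory: only GPO-B carries an IPSEC object.
GPO_A = "cn={GPO-A-GUID},cn=Policies,cn=System,DC=example,DC=com"
GPO_B = "cn={GPO-B-GUID},cn=Policies,cn=System,DC=example,DC=com"
SAMPLE_DIRECTORY: Dict[str, Dict[str, bytes]] = {
    f"{IPSEC_RDN},{GPO_B}": {
        "objectClass": b"ipsecPolicy",
        "ipsecOwnersReference": b"cn=ipsecPolicy{POLICY-GUID},cn=IP Security,cn=System,DC=example,DC=com",
        "ipsecName": b"Server (Request Security)",
        "description": "Constructed sample \u2013 request IPsec for all traffic".encode("utf-8"),
    }
}


def ipsec_object_dn(gpo_dn: str) -> str:
    """DN of the IPSEC object beneath a GPO's Machine container (section 3.2.5.3)."""
    return f"{IPSEC_RDN},{gpo_dn}"


class FakeADConnection:
    """Stand-in for the ADCONNECTION_HANDLE: a DN -> attribute map (UTF-8 bytes)."""

    def __init__(self, directory: Dict[str, Dict[str, bytes]]):
        self.directory = directory

    def search(self, base_dn: str, attrs: List[str]) -> Optional[Dict[str, bytes]]:
        """Base-scope searchRequest; None models a failed LDAP operation."""
        entry = self.directory.get(base_dn)
        if entry is None:
            return None
        return {a: entry[a] for a in attrs if a in entry}


def retrieve_assigned_policy(conn: FakeADConnection, filtered_gpo_list: List[str]
                             ) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (policy DN, name, description) from the highest-precedence GPO.

    None means a searchRequest failed and the local IPsec component must be
    signalled to enter its known-safe state.
    """
    if not filtered_gpo_list:
        return None
    base_dn = ipsec_object_dn(filtered_gpo_list[-1])  # last entry = highest precedence
    if conn.search(base_dn, ["objectClass"]) is None:  # first search: objectClass only
        return None
    result = conn.search(base_dn, POLICY_ATTRS)  # second search: the policy attributes
    if result is None or "ipsecOwnersReference" not in result:
        return None  # no policy reference is treated as failure here (assumption)
    decoded = {k: v.decode("utf-8") for k, v in result.items()}  # Directory String values
    return (decoded["ipsecOwnersReference"], decoded.get("ipsecName"), decoded.get("description"))
```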