1.3.1 Background
The Group Policy: Core Protocol, as specified in [MS-GPOL], allows clients to discover and retrieve policy settings created by administrators of a domain. These settings are persisted within Group Policy Objects (GPOs) assigned to policy target accounts, which are either computer accounts or user accounts in Active Directory. Each client uses the Lightweight Directory Access Protocol (LDAP) to determine which GPOs are applicable to it by consulting the Active Directory objects corresponding to its computer account and the user accounts of any users that log on to the client computer.
On each client, each GPO is interpreted and acted upon by software components known as client-side plug-ins. Each client-side plug-in is associated with a specific class of settings. The client-side plug-ins that are responsible for a given GPO are specified by using an attribute on the GPO. This attribute specifies a list of GUID pairs. The first GUID of each pair is referred to as a client-side extension GUID (CSE GUID). The second GUID of each pair is referred to as a tool extension GUID.
For each GPO that is applicable to a client, the client consults the CSE GUIDs listed in the GPO to determine which client-side plug-ins on the client will handle the GPO. The client then invokes the client-side plug-ins to handle the GPO. Next, the client-side plug-in uses the contents of the GPO to retrieve and process settings specific to its class, in a manner specific to the plug-in.