2.5.2 Applying Group Policy — Group Policy Client

Goal

The goal of this use case is to retrieve Group Policy information from the Group Policy server and to apply policy settings on the Group Policy client.

Context of use

Group Policy is applied after the Group Policy client contacts the Group Policy server and successfully retrieves new or updated content. Based on the SOM, the client retrieves the list of GPOs for policy application, as described in [MS-GPOL] section 3.2.5.1.5.

Actors

Group Policy client: Maintains a policy configuration that is consistent with the policy information that is stored on the Group Policy server. This is the primary actor. The primary interests of the Group Policy client are to:

  • Retrieve policy content from the Group Policy server.

  • Ensure that policy settings defined by the Group Policy administrator are enforced on the Group Policy client computer.

Group Policy server: A domain controller that contains a database of GPOs that Group Policy clients can retrieve. The Group Policy server responds to requests from the Group Policy client. The primary interests of the Group Policy server are as follows:

  • Enable a Group Policy client to retrieve Group Policy information from the domain, based on the group memberships of domain accounts and domain account locations in Active Directory.

  • Support Administrative tool operations, such as creating, updating, and deleting GPOs.

Stakeholders

Users: Individuals who use a Group Policy-enabled computer and whose primary interests are to understand the following:

  • How the user experience is influenced by policy settings that affect computers.

  • How Group Policy specifically applies to users.

Group Policy administrator: An individual who is responsible for configuring policy settings that align with organizational and business requirements. The primary interests of the Group Policy administrator are to:

  • Ensure that policy settings stored in the Group Policy server are protected from unauthorized use.

  • Target policy settings for users and computers at different levels of granularity, which is known as SOM.

  • Ensure that policy setting management can be delegated as described in [MS-GPSB].

  • Alter the default processing of policy settings.

  • Configure a large number of computers to execute administrator-specified code at computer start, computer shut-down, user logon, or user logoff, as described in [MS-GPSCR].

Preconditions: The Group Policy client is able to access the Group Policy server.

Main Success Scenario

The main success scenario can be summarized as follows:

  1. Trigger: Computer startup, user logon, or the periodic timer (sections 2.8.1 and 2.8.2) triggers this use case. When a trigger occurs, the Group Policy client successfully connects to the Group Policy server.

  2. The Group Policy client can query for applicable policy configuration settings from the Group Policy server.

  3. The Group Policy client successfully retrieves the policy information that is based on the results from queries.

  4. The Group Policy client applies the policy settings.

Extensions

  • Based on WMI filters, the Group Policy client decides whether to apply a specific GPO.

  • Based on the policy source mode, as described in [MS-GPOL] sections 3.2.1.2 and 3.2.1.3, the Group Policy client obtains a set of GPOs that apply to itself.
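
One way to confirm on a client that the main success scenario and the WMI-filter extension played out as described, shown as an added example that is not part of the original specification. It assumes a Windows client with the Group Policy operational event log enabled; the event IDs are those of that log rather than values from this page, and the one-day window is an arbitrary choice.

```powershell
# Added example (not from the specification): reconstruct recent Group Policy
# processing runs on this client from the Group Policy operational log.
# Assumption: event IDs are those of Microsoft-Windows-GroupPolicy/Operational.
$log = 'Microsoft-Windows-GroupPolicy/Operational'

# Start-of-processing events for the triggers named in step 1.
$triggers = @{
    4000 = 'Computer startup'
    4001 = 'User logon'
    4006 = 'Periodic refresh (computer)'
    4007 = 'Periodic refresh (user)'
}
$startIds = @($triggers.Keys)
$endOkIds = 8000, 8001, 8006, 8007   # matching "completed successfully" events
$ids      = $startIds + $endOkIds + 5312, 5313

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)   # assumption: look back one day
} -ErrorAction SilentlyContinue

# Every event of one processing run carries the same ActivityId.
$events | Where-Object ActivityId | Group-Object ActivityId | ForEach-Object {
    $run   = $_.Group | Sort-Object TimeCreated
    $start = $run | Where-Object { $_.Id -in $startIds } | Select-Object -First 1
    if (-not $start) { return }          # run began before the time window

    [pscustomobject]@{
        Started     = $start.TimeCreated
        Trigger     = $triggers[$start.Id]
        # False means no success event was logged for this run in the window.
        Completed   = [bool]($run | Where-Object { $_.Id -in $endOkIds })
        # 5312: GPOs the client determined to be applicable.
        Applicable  = ($run | Where-Object Id -eq 5312 |
                       ForEach-Object Message) -join "`n"
        # 5313: GPOs filtered out, for example by a WMI filter.
        FilteredOut = ($run | Where-Object Id -eq 5313 |
                       ForEach-Object Message) -join "`n"
    }
} | Sort-Object Started | Format-List
```

A run with `Completed` set to `False`, or an expected GPO listed under `FilteredOut`, indicates that the client did not enforce the settings the Group Policy administrator intended.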