1.1.7 Group Policy Application
The policy application process utilizes a pull model when it retrieves Group Policy data to apply to the Group Policy client. For example, when retrieving policy settings, the Group Policy client polls the Group Policy server to check for new policy settings specified by the Group Policy administrator that affect either the client computer itself or a domain user that is interactively logged on to the client computer.
To accommodate these requirements, the application of Group Policy is specified in two modes. The first is computer policy mode, which affects the client computer and all users logging on to the client computer; the second is user policy mode, which only affects the users who log on to the client computer. For user policy mode, the policy target is a domain user account, for which policy settings are retrieved. For computer policy mode, the policy target is a domain computer account, for which policy settings are retrieved.
The application of Group Policy is triggered by specific events, such as a user logon or computer startup, as described in section 1.1.7.1. The following is a conceptual summary of the processes that occur whenever Group Policy is applied. The specified actions of the Group Policy client are carried out by the core Group Policy engine running on the Group Policy client:
DC discovery: The Group Policy client searches for a domain controller (DC) and connects to Active Directory. The communication details for this process are described in section 2.1.3.1.1.
DN discovery: The Group Policy client attempts to discover the DN of the policy target, which is used in querying for applicable GPOs, as described in [MS-GPOL] section 3.2.5.1.2.
Domain SOM search: The Group Policy client queries the Group Policy server for any GPOs that are linked to the domain, which therefore apply to the Group Policy client policy target account. The communication details for this process are described in section 2.1.3.1.2.
SOM defines hierarchical levels from which GPOs apply to policy targets; these levels include the domain, site, and organizational unit (OU) levels. For example, a domain SOM search returns the DNs of all GPOs that are linked to the domain container, which holds one or more policy targets to which the GPOs apply. For more information about SOM, refer to section 1.1.8.
Site SOM search: The Group Policy client queries the Group Policy server for any GPOs that are linked to the site container, which therefore apply to the Group Policy client policy target account. The communication details for this process are described in section 2.1.3.1.3.
GPO search: The Group Policy client queries the collection of GPOs defined by the SOM, to obtain various information sets that include the GPO security descriptor, the GPO file system path, GPO version number, the GUIDs of extensions that apply to the Group Policy client, and other GPO metadata, as described in section 1.1.7.3. Communication details for this process are described in section 2.1.3.1.4.
GPO filter evaluation: The Group Policy client processes each GPO to check its functionality version, disabled/enabled status, empty status, and security rights. These checks determine whether the GPO is allowed or denied applicability on the Group Policy client, as described in [MS-GPOL] section 3.2.5.1.6.
WMI filter evaluation: The Group Policy client queries the Group Policy server for any Windows Management Instrumentation (WMI) filters that limit the set of GPOs that are to be used by Group Policy extensions. The communication details for this process are described in section 2.1.3.1.5.
Link speed discovery: The Group Policy client attempts to estimate the network speed of its connection to the Group Policy server, as described in section 2.1.3.1.6.
Extension protocol sequences: The Group Policy client determines which CSEs apply to it for user policy mode and computer policy mode, and then invokes a protocol sequence that causes each CSE to apply its settings to the Group Policy client, as described in section 1.1.7.4.
Policy change event: The Group Policy client raises a local PolicyChange event at the end of policy application to indicate that a policy has changed, as described in section 2.8.2.
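The following Python model is added here as a worked illustration of the SOM search, GPO filter evaluation, WMI filter evaluation and CSE selection steps above; it is not code from the MS-GPOD or MS-GPOL specifications or from any Group Policy implementation. It assumes the gPLink encoding "[LDAP://<gpo-dn>;<options>]" (option bit 0 = link disabled, bit 1 = enforced), the GPO flags values 0x1 (user settings disabled) and 0x2 (computer settings disabled), a versionNumber whose low 16 bits carry the computer version and high 16 bits the user version, and the usual site, domain, OU precedence with enforced links applied last. All DNs, GPO names and CSE names are constructed sample data, and the CSE names stand in for the extension GUIDs a real client would read from the GPO.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# gPLink value: "[LDAP://<gpo-dn>;<options>]..." (assumed MS-GPOL encoding).
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED, LINK_ENFORCED = 0x1, 0x2
# GPO 'flags' attribute (assumed values): 0x1 user half off, 0x2 computer half off.
GPO_USER_DISABLED, GPO_COMPUTER_DISABLED = 0x1, 0x2
MAX_FUNCTIONALITY_VERSION = 2   # GPOs with a newer functionality version are skipped


@dataclass
class GPO:
    dn: str
    version_number: int                   # low 16 bits: computer, high 16 bits: user
    flags: int = 0
    functionality_version: int = 2
    apply_allowed: bool = True            # outcome of the security-descriptor check
    wmi_filter: Optional[Callable[[dict], bool]] = None
    computer_cses: set = field(default_factory=set)
    user_cses: set = field(default_factory=set)


def parse_gplink(gplink: str):
    """[(gpo_dn, enforced)] for one SOM in application order. gPLink lists the
    highest-precedence link first, so the list is reversed (last applied wins)."""
    links = []
    for dn, opts in LINK_RE.findall(gplink or ""):
        opts = int(opts)
        if opts & LINK_DISABLED:
            continue                      # disabled link: GPO never considered
        links.append((dn, bool(opts & LINK_ENFORCED)))
    return list(reversed(links))


def som_chain(target_dn: str, site_dn: str):
    """SOM containers in increasing precedence: site, domain, then the OUs from
    the outermost down to the one that directly holds the policy target."""
    parts = target_dn.split(",")[1:]      # drop the target's own RDN
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [",".join(parts[i:]) for i, p in enumerate(parts) if p.upper().startswith("OU=")]
    return [site_dn, domain] + list(reversed(ous))


def gpo_passes_filters(gpo: GPO, mode: str, client_facts: dict) -> bool:
    """The GPO filter evaluation step plus the WMI filter check."""
    if gpo.functionality_version > MAX_FUNCTIONALITY_VERSION:
        return False
    if gpo.flags & (GPO_USER_DISABLED if mode == "user" else GPO_COMPUTER_DISABLED):
        return False
    mode_version = gpo.version_number >> 16 if mode == "user" else gpo.version_number & 0xFFFF
    if mode_version == 0:                 # empty for this mode: nothing to apply
        return False
    if not gpo.apply_allowed:             # Apply Group Policy right not granted
        return False
    if gpo.wmi_filter is not None and not gpo.wmi_filter(client_facts):
        return False
    return True


def apply_policy(target_dn, site_dn, gplinks, gpos, mode, client_facts):
    """Return (GPO DNs in application order, sorted CSE set to invoke).
    Enforced links are applied after all others; among enforced links the one
    from the outermost container is applied last and therefore wins."""
    normal, enforced_by_som = [], []
    for som in som_chain(target_dn, site_dn):
        links = parse_gplink(gplinks.get(som, ""))
        normal += [dn for dn, enf in links if not enf]
        enforced_by_som.append([dn for dn, enf in links if enf])
    ordered = normal + [dn for som_links in reversed(enforced_by_som) for dn in som_links]
    applicable = [dn for dn in ordered
                  if dn in gpos and gpo_passes_filters(gpos[dn], mode, client_facts)]
    cses = set()
    for dn in applicable:
        cses |= gpos[dn].user_cses if mode == "user" else gpos[dn].computer_cses
    return applicable, sorted(cses)


def demo(mode: str):
    """Constructed sample directory: one site, one domain, two nested OUs."""
    pol = "CN=Policies,CN=System,DC=example,DC=com"
    g = {k: f"CN={{{k}}},{pol}" for k in ("G1", "G2", "G3", "G4", "G5", "G6", "G7")}
    target = "CN=WS01,OU=Workstations,OU=Corp,DC=example,DC=com"
    site = "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
    gplinks = {
        site: f"[LDAP://{g['G1']};0]",
        "DC=example,DC=com": f"[LDAP://{g['G2']};2][LDAP://{g['G3']};1][LDAP://{g['G7']};0]",
        "OU=Corp,DC=example,DC=com": f"[LDAP://{g['G4']};0]",
        "OU=Workstations,OU=Corp,DC=example,DC=com": f"[LDAP://{g['G5']};0][LDAP://{g['G6']};0]",
    }
    gpos = {
        g["G1"]: GPO(g["G1"], 0x00010001, computer_cses={"registry"}, user_cses={"registry"}),
        g["G2"]: GPO(g["G2"], 0x00010001, computer_cses={"registry", "security"}, user_cses={"registry"}),
        g["G3"]: GPO(g["G3"], 0x00010001),                                   # link is disabled
        g["G4"]: GPO(g["G4"], 0x00010000, user_cses={"folder-redirection"}),  # computer half empty
        g["G5"]: GPO(g["G5"], 0x00010001, wmi_filter=lambda f: f["os"] == "server",
                     computer_cses={"security"}),                            # WMI filter fails
        g["G6"]: GPO(g["G6"], 0x00010001, computer_cses={"scripts"}, user_cses={"scripts"}),
        g["G7"]: GPO(g["G7"], 0x00010001, apply_allowed=False, computer_cses={"registry"}),
    }
    applicable, cses = apply_policy(target, site, gplinks, gpos, mode, {"os": "workstation"})
    return [dn.split(",")[0] for dn in applicable], cses


if __name__ == "__main__":
    for m in ("computer", "user"):
        print(m, demo(m))
```

Running the sample in computer policy mode yields the site GPO, the Workstations OU GPO and finally the enforced domain GPO, with G7 dropped by the security check, G4 dropped because its computer half is empty, G5 dropped by its WMI filter and G3 never read because its link is disabled; the resulting CSE set is what the extension protocol sequences step would iterate over. Switching to user policy mode changes the outcome only through the mode-specific checks (G4's user half is non-empty, so it now applies), which is why the two modes are evaluated separately.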
The programmatic details for these processes are specified in [MS-GPOL] section 3.2.5.1. Formats for the messages that are associated with these processes are specified in [MS-GPOL] section 2.2.