2.5 Use Cases

This section describes the basic use cases that explain the main usage of the Group Policy protocols.

Actors

The following actors support the use cases that are described in this section:

Group Policy administrator: An individual who is responsible for configuring policy settings that align with organizational and business requirements. The primary interests of the Group Policy administrator are as follows:

  • Ensuring that policy settings that are stored in the Group Policy server are protected from unauthorized use.

  • Targeting policy settings for users and computers at different levels of granularity, which is known as SOM (section 1.1.8).

  • Ensuring that management of policy settings can be delegated as described in [MS-ADTS].

  • Altering the default processing of policy settings.

  • Configuring a large number of computers to execute administrator-specified code at computer startup, computer shutdown, user logon, or user logoff, as described in [MS-GPSCR].

Group Policy server: A domain controller that holds a database of GPOs that Group Policy clients can retrieve. The primary interests of the Group Policy server are as follows:

  • Enabling a Group Policy client to retrieve Group Policy information from the domain, based on the group memberships of domain accounts and domain account locations in the Active Directory structure.

  • Supporting Administrative tool operations, such as creating, updating, and deleting Group Policy content.

Administrative tool: A tool that is used to administer policy settings. The primary interests of the Administrative tool are as follows:

  • Enabling Group Policy administrators to create, update, and delete policy settings by writing and reading policy information to and from the logical and file system components of GPOs.

Supporting services: The services that provide a common infrastructure to support Group Policy operations:

Authentication services: The authentication services specified in [MS-AUTHSOD] provide identity, authentication, and authorization services through NTLM [MS-NLMP] or Kerberos [RFC4120] to secure Group Policy communications, including the client-to-server communication within Group Policy.