1.1.7.4 Retrieving and Applying Extension Settings

The last steps of policy application involve the retrieval and application of extension settings. The Group Policy client uses its computed list of GPOs with different classes of settings to begin the process. For each class of settings in the list, the Group Policy client uses a CSE GUID to identify a CSE (a Group Policy extension, such as the Group Policy: Registry Extension Encoding protocol [MS-GPREG]) that contains corresponding extension settings. The core Group Policy engine on the Group Policy client invokes a protocol sequence that uses the CSE GUID to locate the settings associated with the CSEs that are stored in the GPO on the Group Policy server. The CSE retrieves the associated settings that are stored in the GPO by using LDAP to access the Active Directory-based component of the GPO and by using a file access protocol to access the Group Policy file share-based component of the GPO. When the settings are successfully retrieved, the CSE on the Group Policy client interprets the settings and enforces the behaviors that they specify. The Group Policy client by itself cannot interpret and enforce settings because it does not recognize the internal details of the Group Policy extension.

The following summary provides some additional context to the preceding discussion by further clarifying the retrieval and application of extension policy settings to a Group Policy client via a CSE protocol.

  • Prior to the Group Policy trigger, the Group Policy administrator will have configured extension settings with the Administrative tool for a policy target.

    This creates an extension policy file, which is then associated with a GPO in Active Directory and stored on the Group Policy file share. For some extensions, settings are stored on the Group Policy file share and/or in the GPO itself.

  • A Group Policy trigger causes the Group Policy client to invoke the core Group Policy engine to initiate the retrieval of attributes and policy settings from a GPO (or set of GPOs) that apply to the Group Policy client and that specify the applicable CSEs.

  • The core Group Policy engine initiates an LDAP call that reads the GUID of the CSE protocol from a GPO that applies to the Group Policy client and then invokes the CSE protocol for policy application.

  • The CSE protocol reads and parses the settings of the extension policy file on the Group Policy file share and/or reads the extension settings that are stored in the GPO itself, and then applies them to the appropriate Group Policy client.
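The CSE lookup described in the steps above can be audited offline. The following is an added example, not code from the specification: it parses the extension list that a GPO carries in its gPCMachineExtensionNames or gPCUserExtensionNames attribute (attribute names and the `[{CSE GUID}{tool GUID}...]` layout are defined in [MS-GPOL], not in this section), builds the per-CSE GPO list, and reports CSE GUIDs outside an expected set. The GPO names, the tool GUID, and the unrecognized GUID are constructed sample values, and the allowlist is an assumption.

```python
import re

# CSE GUIDs this audit expects (assumption: a short allowlist; extend it per environment).
KNOWN_CSES = {
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": "Registry [MS-GPREG]",
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts",
}
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GROUP = re.compile(r"\[((?:%s)+)\]" % GUID)

# Constructed sample input: (GPO name, extension-names attribute value).
TOOL = "{AAAAAAAA-0000-0000-0000-000000000001}"  # constructed tool GUID
SAMPLE_GPOS = [
    ("Baseline", "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" + TOOL + "]"
                 "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" + TOOL + "]"),
    ("Workstations", "[{35378eac-683f-11d2-a89a-00c04fbbcfa2}" + TOOL + "]"),
    ("Odd", "[{11111111-2222-3333-4444-555555555555}" + TOOL + "]"),
]

def parse_extension_names(value):
    """Return [(cse_guid, [tool_guids]), ...] for one attribute value."""
    value = (value or "").strip()
    groups = GROUP.findall(value)
    # The value must consist of bracketed GUID groups and nothing else.
    if "".join("[%s]" % g for g in groups) != value:
        raise ValueError("malformed extension list: %r" % value)
    parsed = []
    for g in groups:
        guids = [x.upper() for x in re.findall(GUID, g)]
        parsed.append((guids[0], guids[1:]))  # first GUID in a group is the CSE
    return parsed

def gpos_per_cse(gpos):
    """Map each CSE GUID to the GPOs (in input order) that carry settings for it."""
    table = {}
    for name, value in gpos:
        for cse, _tools in parse_extension_names(value):
            table.setdefault(cse, []).append(name)
    return table

def unknown_cses(table):
    """CSE GUIDs referenced by a GPO but absent from the allowlist."""
    return [cse for cse in table if cse not in KNOWN_CSES]

if __name__ == "__main__":
    table = gpos_per_cse(SAMPLE_GPOS)
    for cse, names in table.items():
        print(cse, KNOWN_CSES.get(cse, "UNRECOGNIZED"), names)
```
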