2.2 Protocol Summary

This section describes the member protocols that accomplish the goals of Group Policy. The Group Policy protocols are organized into the following groups:

  • Group Policy core — consists of the Group Policy: Core Protocol [MS-GPOL]. The core protocol is implemented fully by the core Group Policy engine, which enables the processing and application of Group Policy.

  • Group Policy extensions consist of the extension protocols listed in the following table after the Group Policy: Core Protocol.

The following table provides a comprehensive list and functional description of the Group Policy member protocols.

Note: Group Policy: Network Access Protection (NAP) Extension [MS-GPNAP] and Group Policy: Internet Explorer Maintenance Extension [MS-GPIE] are no longer implemented and are not described in this document. The Product Behavior Appendix in each specification ([MS-GPNAP] section 5 and [MS-GPIE] section 6) lists the Windows versions in which the extensions are implemented.

Protocol Name [Short Name]

Functional Description

Group Policy: Core Protocol [MS-GPOL]

Enables discovery and connection to a domain controller, discovery and retrieval of GPOs, support for the authoring of policies and extension settings, and communication of administrator-defined policies from the Group Policy server to the Group Policy client. The Group Policy: Core Protocol is fully implemented by the core Group Policy engine.

Group Policy: Audit Configuration Extension [MS-GPAC]

Enables advanced audit policies to be distributed to multiple client systems, where they are enforced in accordance with administrative intent. The policy settings for this extension enable the underlying audit subsystem to determine the activities to be monitored and logged in the security event log. The GPAC extension has both client-side and administrative-side implementations.

The administrative-side extension enables the Group Policy administrator to author audit policies, store them on the Group Policy file share, and update a GPO with the path to the policy files on the Group Policy file share.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to locate GPO(s) that contain audit configuration settings (as indicated by the GPAC GUID appearing in the GPO Extension list), transfer the policy files to the Group Policy client computer via a file access protocol, and then configure the advanced audit policy, audit options, and global object access auditing settings on the Group Policy client computer.

Group Policy: Central Access Policies Extension [MS-GPCAP]

Provides the means to configure central access policies on Group Policy client computers for centralized control of user access to resources. This protocol extension also contains the mechanisms that enable Group Policy administrators to retrieve policy files and configure central access policy information that is stored in the Group Policy data store.

The administrative-side extension participates in authoring settings for central access policies via GPO configuration. It invokes LDAP to write or retrieve GPO information and invokes a file access protocol to write or read extension-specific data in central access policy files that are stored on the Group Policy file share. Central access policy settings are created or modified by the Administrative tool.

The client-side extension retrieves policy settings from the file system component of one or more GPOs. These settings consist of one or more DNs of central access policy objects that reside in Active Directory. The CSE binds to these objects and retrieves central access policy configuration data from the object attributes, then uses this data to populate local data elements on the Group Policy client, which is typically a file server. An administrator later applies those central access policies to resources on the file server, where they authorize user access.

Group Policy: Deployed Printer Connections Extension [MS-GPDPC]

Supports the management of printer connections that are hosted by print servers and shared by multiple users. The GPDPC extension has both client-side and administrative-side implementations.

The administrative-side extension enables the Group Policy administrator to configure printer connections by updating settings in a GPO that applies to Group Policy clients.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to enable users to discover the printer connections that were configured by the Group Policy administrator and to apply them to the Group Policy client computer.

Group Policy: Encrypting File System Extension [MS-GPEF]

Enables remote administrative configuration of the Encrypting File System (EFS). The GPEF extension has both client-side and administrative-side implementations.

The administrative-side extension enables the Group Policy administrator to retrieve and edit EFS configuration settings that are stored in a registry-based policy file on the Group Policy file share, for later application to the registry of the Group Policy clients that are affected by GPO(s) that specify those settings.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to parse the registry policy file settings and copy them to the Group Policy client registry. The EFS extension then reads those registry settings and applies them to the EFS subsystem on the Group Policy client computer.

Group Policy: Firewall and Advanced Security Data Structure Extension [MS-GPFAS]

Enables administrators to use Group Policy to control firewall and advanced security behavior on a Group Policy client. The settings are encoded and delivered as registry policy by the Group Policy: Registry Extension Encoding protocol [MS-GPREG].

The GPFAS extension is invoked by the Administrative tool and is responsible for loading and updating the firewall and advanced security settings specified by a GPO. On the Group Policy client, the GPREG client-side extension copies the registry values into the client registry, and the local Firewall and Advanced Security Protocol server reads those values and applies them. Because this extension relies on the CSE implementation of GPREG, GPFAS is implemented as an administrative-side extension only.

Group Policy: Folder Redirection Protocol Extension [MS-GPFR]

Enables the Group Policy administrator to redirect the path of certain file system folders to a new location. The new location can be a folder on the local computer or a shared directory on a network. This enables users to work with documents on a remote server share as if the documents were located on the hard disk of their local computer. This extension has both client-side and administrative-side implementations.

The administrative-side extension enables the Group Policy administrator to configure the target locations for users' folders and to store the resulting settings on the Group Policy file share.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to retrieve GPFR configuration data from the Group Policy file share and to apply it to the Group Policy client computer.

Group Policy: IPsec Protocol Extension [MS-GPIPSEC]

Enables centralized configuration of the IPsec component on multiple client systems to provide basic traffic filtering, data integrity, and optional data encryption for IP traffic. The Group Policy administrator assigns an IPsec policy to a group of managed client computers by using a GPO. This extension has both client-side and administrative-side implementations.

The administrative-side extension enables the Group Policy administrator to create one or more IPsec policies, store them as IPsec policy objects in Active Directory via LDAP, and assign a policy to a GPO by writing a reference to the policy object into the GPO.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to follow that reference, retrieve the IPsec policy objects via LDAP, and apply their settings to the Group Policy client computer.

Group Policy: Name Resolution Policy Table (NRPT) Data Extension [MS-GPNRPT]

Provides a mechanism for a Group Policy administrator to deploy and control Name Resolution Policy behavior on a client. The NRPT settings are encoded as registry policy and delivered by the Group Policy: Registry Extension Encoding protocol [MS-GPREG].

Group Policy: Preferences Extension Data Structure [MS-GPPREF]

Enables the Group Policy administrator to manage and deploy Group Policy preferences. Preferences settings are specified by using an XML file. This extension has both administrative-side and client-side implementations.

The administrative-side extension enables the Group Policy administrator to invoke the preferences extension on the administrative computer to define, maintain, and associate extension-specific settings with a GPO.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to read the XML preferences file specified by the GPO and apply its preferences configuration to the Group Policy client computer.

The Group Policy: Preferences Extension supports both computer and user policy modes. Policy application in computer policy mode applies to the Group Policy client computer and all users who log on to it, whereas user policy mode applies to specific users who log on to the Group Policy client computer.

Group Policy: Registry Extension Encoding [MS-GPREG]

Provides the mechanism for a Group Policy administrator to control any behavior on a Group Policy client that depends on registry-based settings. This extension has both administrative-side and client-side implementations.

The administrative-side extension enables the Group Policy administrator to use Administrative template settings to write a registry policy file and associate it with a GPO.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to read the registry policy file specified by a GPO and apply its contents to the registry of the Group Policy client computer.
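The registry policy file that both sides of this extension exchange has a simple binary layout, which [MS-GPREG] specifies: a PReg signature and a version DWORD, followed by [key;value;type;size;data] records in which every token is UTF-16LE. The Python below is an added example, not code from this document or from Microsoft. It serializes a file the way an administrative-side extension would, parses it back the way the client-side extension must (failing loudly on any misaligned delimiter rather than misreading the rest of the file), and separates **-prefixed directive names such as **Del. from ordinary value writes. The sample entries are constructed; the key Software\Policies\Example and the value name ExampleScript are hypothetical.

```python
"""Encode and decode a Group Policy registry policy file (registry.pol, [MS-GPREG])."""
import struct

# Registry value types carried in registry.pol records
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11

SIGNATURE = b"PReg"
VERSION = 1
# Every token in the file body is UTF-16LE, including the record delimiters
OPEN, SEP, CLOSE = (c.encode("utf-16-le") for c in "[;]")


def _wstr(s):
    """Null-terminated UTF-16LE string, the on-disk form of key and value names."""
    return (s + "\x00").encode("utf-16-le")


def build_registry_pol(entries):
    """Administrative side: serialize (key, value_name, type, raw_data) tuples
    as [key;value;type;size;data] records behind the PReg header."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, value, rtype, data in entries:
        out += OPEN + _wstr(key) + SEP + _wstr(value) + SEP
        out += struct.pack("<I", rtype) + SEP + struct.pack("<I", len(data)) + SEP
        out += data + CLOSE
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, token):
    """Consume a fixed delimiter; a malformed file fails instead of misaligning."""
    if buf[pos:pos + len(token)] != token:
        raise ValueError("malformed record: expected %r at offset %d" % (token, pos))
    return pos + len(token)


def decode_data(rtype, data):
    """Turn raw record data into a Python value according to the registry type."""
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_QWORD and len(data) == 8:
        return struct.unpack("<Q", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()  # REG_BINARY and unknown types: keep the raw bytes as hex


def parse_registry_pol(buf):
    """Client side: validate the header and walk the records; returns a list of
    (key, value_name, type, decoded_data) tuples in file order."""
    if buf[:4] != SIGNATURE:
        raise ValueError("not a registry policy file: missing PReg signature")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != VERSION:
        raise ValueError("unsupported registry.pol version %d" % version)
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, OPEN)
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP)
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, SEP)
        if pos + size > len(buf):
            raise ValueError("record data runs past end of file at offset %d" % pos)
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, CLOSE)
        entries.append((key, value, rtype, decode_data(rtype, data)))
    return entries


def directives(entries):
    """Value names beginning with ** are MS-GPREG directives, not values to write
    (for example **Del.<name> deletes a value and **DelVals. clears a key), so a
    reviewer should list them separately from ordinary settings."""
    return [e for e in entries if e[1].startswith("**")]


# Constructed sample input (not captured from a real GPO). The key under
# Software\Policies\Example and the value ExampleScript are hypothetical names.
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services",
     "fDenyTSConnections", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Example", "ExampleScript", REG_EXPAND_SZ,
     _wstr(r"%SystemRoot%\example.cmd")),
    (r"Software\Policies\Example", "**Del.LegacySetting", REG_SZ, _wstr(" ")),
])

if __name__ == "__main__":
    for key, value, rtype, data in parse_registry_pol(SAMPLE_POL):
        print(f"{key}\\{value} (type {rtype}) = {data!r}")
    print("directives:", [e[1] for e in directives(parse_registry_pol(SAMPLE_POL))])
```

Parsing a registry.pol pulled from SYSVOL with this routine shows exactly what the client-side extension will write or delete, which is what an incident responder needs when a GPO is suspected of carrying unauthorized settings; the directive split matters because a **Del. record removes a setting and leaves no value to inspect afterward.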

Group Policy: Security Protocol Extension [MS-GPSB]

Enables the Group Policy administrator to distribute and apply group security policies to multiple client systems. This extension has both administrative-side and client-side implementations.

The administrative-side extension enables the Group Policy administrator to author security policies as .inf files and save them to the Group Policy file share. The Group Policy administrator assigns security policies by specifying a reference, within the logical structure of a GPO, to the Group Policy file share network location where the security policy files reside.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to process GPOs that refer to security policies. The client-side extension extracts the Group Policy file share network location from the GPO, transfers the security policy files to the Group Policy client computer by using a file access protocol, and then uses the retrieved security policy files to configure the security settings of the applicable subsystems on the Group Policy client computer.
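The security policy file the client-side extension retrieves is INI-format text, normally UTF-16 with a byte-order mark, whose sections such as [System Access], [Registry Values] and [Privilege Rights] map directly onto the subsystems the extension configures. The Python below is an added example, not part of this document or of the [MS-GPSB] specification. It parses a constructed security template and reviews it against a small baseline of the example's own choosing (the thresholds and SIDs in the baseline are assumptions, not values taken from the specification), which is a practical way to audit what a GPO will enforce before it reaches clients.

```python
"""Parse and review a Group Policy security template (GptTmpl.inf, [MS-GPSB])."""
import configparser

# Review baseline: these thresholds are the example's own choices, not values taken
# from [MS-GPSB]; replace them with the organization's security baseline.
SYSTEM_ACCESS_BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "PasswordComplexity": ("eq", 1),
    "LockoutBadCount": ("min", 1),        # 0 means account lockout is disabled
    "LSAAnonymousNameLookup": ("eq", 0),
}
REGISTRY_BASELINE = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": 1,
    r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature": 1,
}
# Privileges that must not be granted beyond these SIDs (S-1-5-32-544 is Administrators)
PRIVILEGE_BASELINE = {"SeDebugPrivilege": {"*S-1-5-32-544"}}


def load_security_template(raw):
    """GptTmpl.inf is INI text, normally UTF-16 with a BOM; accept UTF-8 as well."""
    has_bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16") if has_bom else raw.decode("utf-8-sig")
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      empty_lines_in_values=False)
    cp.optionxform = str  # keep the case and backslashes of registry paths intact
    cp.read_string(text)
    return cp


def _section(cp, name):
    return dict(cp.items(name)) if cp.has_section(name) else {}


def parse_system_access(cp):
    """[System Access]: account and LSA policy, as int where the value is numeric."""
    return {k: int(v) if v.lstrip("-").isdigit() else v.strip('"')
            for k, v in _section(cp, "System Access").items()}


def parse_registry_values(cp):
    """[Registry Values]: each line is path=<type>,<data>, with the numeric
    registry type (4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ, 3 = REG_BINARY)."""
    out = {}
    for path, v in _section(cp, "Registry Values").items():
        rtype, _, data = v.partition(",")
        rtype = int(rtype)
        if rtype == 4:
            data = int(data)
        elif rtype == 7:
            data = [s for s in data.split(",") if s]
        else:
            data = data.strip('"')
        out[path] = (rtype, data)
    return out


def parse_privilege_rights(cp):
    """[Privilege Rights]: privilege = comma-separated SIDs (prefixed *) or names."""
    return {priv: [s.strip() for s in v.split(",") if s.strip()]
            for priv, v in _section(cp, "Privilege Rights").items()}


def review_template(cp):
    """Compare the template against the baseline; returns a list of findings.
    Settings the template does not mention are skipped: another GPO or the local
    default governs them, which a reviewer must check separately."""
    findings = []
    access = parse_system_access(cp)
    for name, (rule, want) in SYSTEM_ACCESS_BASELINE.items():
        got = access.get(name)
        if got is None:
            continue
        if (rule == "min" and got < want) or (rule == "eq" and got != want):
            findings.append(f"[System Access] {name}={got} (baseline: {rule} {want})")
    regs = parse_registry_values(cp)
    for path, want in REGISTRY_BASELINE.items():
        if path in regs and regs[path][1] != want:
            findings.append(f"[Registry Values] {path}={regs[path][1]} (baseline: {want})")
    rights = parse_privilege_rights(cp)
    for priv, allowed in PRIVILEGE_BASELINE.items():
        extra = sorted(set(rights.get(priv, [])) - allowed)
        if extra:
            findings.append(f"[Privilege Rights] {priv} also granted to {', '.join(extra)}")
    return findings


# Constructed sample template (not taken from a real GPO); the domain SID is made up.
SAMPLE_INF = "\n".join([
    "[Unicode]", "Unicode=yes",
    "[System Access]", "MinimumPasswordLength = 7", "PasswordComplexity = 1",
    "LockoutBadCount = 0", "LSAAnonymousNameLookup = 0",
    "[Registry Values]",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1",
    r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0",
    "[Privilege Rights]",
    "SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1", "",
]).encode("utf-16")

if __name__ == "__main__":
    for finding in review_template(load_security_template(SAMPLE_INF)):
        print(finding)
```

Because the client-side extension applies whatever the template contains, a settings review of this kind belongs in the change process for GPOs that carry security templates; the skip-if-absent rule in review_template is deliberate, since a template that omits a setting neither weakens nor strengthens it, and the effective value then comes from another GPO or the local default.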

Group Policy: Scripts Extension Encoding [MS-GPSCR]

Provides a mechanism for the Group Policy administrator to configure the execution of administrator-specified code on specific policy targets at computer startup, computer shutdown, user logon, or user logoff. The code executed on the policy targets is a command-line tool or batch-processing script that resides in the file system of the Group Policy client computer or at a network file system location. This extension has both administrative-side and client-side implementations.

The administrative-side extension enables the Group Policy administrator to store and retrieve GPO metadata that specifies a directive for running a command at one of these events, where the command affects the configuration of a Group Policy client subsystem.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to identify the directive that runs the administrator-specified command and to configure a command execution subsystem in the Group Policy client operating system with this directive, such that the command executes at the specified startup, shutdown, logon, or logoff event.

Group Policy: Software Installation Protocol Extension [MS-GPSI]

Enables a Group Policy administrator to install, update, and remove software applications on Group Policy client computers. This extension has both administrative-side and client-side implementations.

The administrative-side extension enables the Group Policy administrator to specify applications to be installed on Group Policy client computers and to control the manner in which they are installed, for example, with minimum user interaction. The related settings are stored on the Group Policy file share, and the metadata that specifies the path to the settings is stored in the logical structure of a GPO.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to locate the GPO(s) containing software installation settings, retrieve those settings from the appropriate Group Policy file share location, and apply them on the Group Policy client computer.

Group Policy: Wireless/Wired Protocol Extension [MS-GPWL]

Enables a Group Policy administrator to create, update, and store wireless and wired network policy settings in a GPO. This extension has both administrative-side and client-side implementations.

The administrative-side extension is used by the Group Policy administrator to read and edit wireless or wired policy settings through a user interface, and to store the settings within the logical structure of a GPO via LDAP.

The client-side extension is invoked by the core Group Policy engine on the Group Policy client to retrieve the wireless or wired policy settings from the specified location via LDAP, and to apply them on the Group Policy client computer.

The major functions and interactions of these protocol groups are described in sections 2.1.2 and 2.1.3.

The following sections provide additional technical details about these protocol groups.