2.1.3.2.1.1 Creating the Active Directory Containers

To construct a GPO after the preceding initial protocol sequence, it is necessary to create a Group Policy container object for the GPO in Active Directory on the Group Policy server. The Group Policy container for a GPO is an object of the groupPolicyContainer class. The Group Policy container is typically created in the Group Policy Objects container within the domain; it is then linked to the domain container. Following creation of the Group Policy container object, GPO User and Machine subcontainers have to be created to complete the Active Directory components of the GPO.

To create the Group Policy container for a GPO, the Administrative tool sends LDAP messages to the Group Policy server. The first message is an LDAP addRequest that follows the format specified in [MS-GPOL] section 2.2.8.1.4, to create a Policies container. Additional LDAP messages, as specified in [MS-GPOL] sections 2.2.8.1.5, 2.2.8.1.6, and 2.2.8.1.7, are then required for each of the following:

  • GPO addRequest

  • GPO User subcontainer addRequest

  • GPO Machine subcontainer addRequest

When creating the new GPO, the Administrative tool also sends an LDAP SearchRequest that returns the security descriptor of the new GPO, and it generates a unique GUID that forms the GPO DN. Further details on the process of creating a GPO and the associated hierarchical containers are specified in [MS-GPOL] section 3.3.5.1.

For each of the LDAP addRequest messages, the Group Policy server replies to the Administrative tool with an addResponse message, as defined in [RFC2251] section 4.7. The value of the resultCode field of each addResponse indicates whether that add succeeded: the value zero indicates success, while any other value indicates failure.