2.4 Assumptions and Preconditions

Preconditions for Group Policy: Core Protocol communications between a Group Policy client and a Group Policy server are as follows:

  • The Group Policy server is a writeable domain controller.

  • The Group Policy client is joined to the Group Policy server domain.

  • For user policy mode, the Group Policy client is joined to a domain for which the user domain has a bidirectional domain trust.

  • All Group Policy servers in the domain are configured to require signing of traffic from file access operations, for example, as described in [MS-SMB] section 3.2.4.2.4.

  • All Group Policy servers in the domain are configured to require signing of LDAP traffic, as described in [RFC2251] section 4.2.2.

The following preconditions also apply to the Group Policy client:

  • To process a policy that applies to a Group Policy client, the core Group Policy engine must be able to read the policy data from the directory service so that the policy settings can be applied to the Group Policy client or the interactive user. It is therefore required that access control lists (ACLs) are correctly configured to allow the policy to be read.
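
The server-side preconditions above (writeable domain controller, required SMB signing, required LDAP signing) can be audited across a domain. The following script is an added example, not part of the specification. It assumes Windows domain controllers, the ActiveDirectory module, PowerShell remoting to each DC, and that the `LDAPServerIntegrity` registry value (a Windows implementation detail not defined in this section) reflects the LDAP signing requirement.

```powershell
# Added example: report which domain controllers meet the Group Policy server
# preconditions. Assumes RSAT ActiveDirectory module and WinRM access to each DC.
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $failures = @()
    if ($dc.IsReadOnly) { $failures += 'read-only DC (server must be writeable)' }
    try {
        $observed = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            # Assumption: Windows records the LDAP server signing requirement here.
            # 2 = require signing; any other or absent value is treated as unconfirmed.
            $ntds = Get-ItemProperty -ErrorAction SilentlyContinue `
                -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
            [pscustomobject]@{
                SmbRequireSigning   = (Get-SmbServerConfiguration).RequireSecuritySignature
                LdapServerIntegrity = $ntds.LDAPServerIntegrity
            }
        }
        if (-not $observed.SmbRequireSigning) {
            $failures += 'SMB signing not required'
        }
        if ($observed.LdapServerIntegrity -ne 2) {
            $failures += 'LDAP signing requirement not confirmed (LDAPServerIntegrity is not 2)'
        }
    }
    catch {
        # An unreachable DC is reported as a failure rather than silently skipped.
        $failures += "could not be queried: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Compliant        = ($failures.Count -eq 0)
        Failures         = $failures -join '; '
    }
}

# Non-compliant DCs sort first ($false before $true).
$report | Sort-Object Compliant, DomainController | Format-Table -AutoSize -Wrap

# Non-zero exit code when any DC misses a precondition, for scheduled checks.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```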