2.2.2 Domain SOM Search

The Domain SOM Search message uses LDAP as a transport. The purpose of this message is to allow the client to query the Group Policy server for SOMs that are associated with the policy target account.

An LDAP SearchRequest MUST be sent to the Group Policy server with the following parameters.

| Parameter | Value |
|---|---|
| baseObject | LDAP DN for the root of the domain. This is an input parameter referenced from the Policy Target Domain DN ADM element. |
| scope | MUST be the whole subtree (2). |
| derefAliases | MUST be set to 0 (neverDerefAliases). |
| sizeLimit | No limit is set (this is set to 0 by default). |
| timeLimit | MAY<2> be 0 (infinite), but SHOULD be 240 (seconds). |
| typesOnly | MUST be set to 0. |
| filter | The following LDAP filter (using the representation specified in [RFC2254]) MUST be used: `(\|(distinguishedName=<OUPath1>)(distinguishedName=<OUPath2>)... (distinguishedName=<LDAP DN for the root of the domain>))`, where <OUPath1> and <OUPath2> are LDAP DNs for objects of type organizationalUnit, <LDAP DN for the root of the domain> is the DN of the root of the domain, and all other characters are to be taken literally. |
| attributes | The literal attribute names gpLink and gpOptions MUST be passed as inputs to the LDAP search request. These attributes belong to the domain and organizational unit Active Directory containers (that is, the SOMs). |
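The request parameters above, assembled in Python as an added example (this is not code from [MS-GPOL] or from any Microsoft implementation). It derives the OU DNs from the policy target's own DN (the assumption here, not stated on this page, is that the SOMs to search for are the account's ancestor organizationalUnit containers), escapes each DN per [RFC2254] before placing it in the filter so that a DN containing parentheses or a backslash cannot change the filter's structure, and returns the filter together with the fixed parameter values from the table. All function names, the escape table and the sample DNs are the example's own.

```python
import re

# RFC 2254 section 4: these characters must be escaped as \XX inside a filter
# value so that a DN such as "OU=R&D (West),DC=example,DC=com" cannot alter
# the filter's structure.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Fixed request parameters from the Domain SOM Search table.
SOM_SEARCH_SCOPE = 2           # wholeSubtree
SOM_SEARCH_DEREF_ALIASES = 0   # neverDerefAliases
SOM_SEARCH_SIZE_LIMIT = 0      # no limit
SOM_SEARCH_TIME_LIMIT = 240    # seconds (SHOULD)
SOM_SEARCH_TYPES_ONLY = False
SOM_SEARCH_ATTRIBUTES = ("gpLink", "gpOptions")


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ancestor_ous(account_dn: str) -> list[str]:
    """Return the DNs of the organizationalUnit containers above the policy
    target, nearest first. Assumption (not stated on the page): the SOMs to
    search for are exactly those ancestors. Splits on unescaped commas only,
    so an RDN such as "CN=Smith\\, John" stays intact."""
    rdns = re.split(r"(?<!\\),", account_dn)
    return [
        ",".join(rdns[i:])
        for i in range(1, len(rdns))
        if rdns[i].strip().upper().startswith("OU=")
    ]


def build_som_filter(domain_dn: str, ou_dns: list[str]) -> str:
    """Build the (|(distinguishedName=...)...) filter: one clause per OU
    followed by one clause for the root of the domain."""
    clauses = [f"(distinguishedName={escape_filter_value(dn)})" for dn in ou_dns]
    clauses.append(f"(distinguishedName={escape_filter_value(domain_dn)})")
    return "(|" + "".join(clauses) + ")"


def som_search_request(domain_dn: str, account_dn: str) -> dict:
    """Assemble every parameter of the Domain SOM Search as a dict, in the
    shape a caller would hand to an LDAP client library."""
    return {
        "baseObject": domain_dn,
        "scope": SOM_SEARCH_SCOPE,
        "derefAliases": SOM_SEARCH_DEREF_ALIASES,
        "sizeLimit": SOM_SEARCH_SIZE_LIMIT,
        "timeLimit": SOM_SEARCH_TIME_LIMIT,
        "typesOnly": SOM_SEARCH_TYPES_ONLY,
        "filter": build_som_filter(domain_dn, ancestor_ous(account_dn)),
        "attributes": list(SOM_SEARCH_ATTRIBUTES),
    }


if __name__ == "__main__":
    # Constructed sample target: a computer account two OUs deep.
    req = som_search_request(
        "DC=example,DC=com",
        "CN=web01,OU=Web (DMZ),OU=Servers,DC=example,DC=com",
    )
    print(req["filter"])
```

The escaping step is the part worth keeping even if the rest is replaced by a client library's own filter builder: an unescaped `)` or `*` in an OU name silently changes which objects the server returns, which is exactly the kind of drift a client relying on this search to find its SOMs should not accept.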

A successful reply from the LDAP search request MUST contain one or more LDAP searchResponse messages. Those messages MUST contain one or more searchResultEntries. Those searchResultEntries MUST contain an objectName DN attribute, which is the SOM named by that DN. The searchResultEntry MUST also contain an attributes field with the values in Active Directory for the gpLink and gpOptions attributes of the SOM objects that were searched for. The attributes MUST have the following formats:

gpLink: MUST be a Directory String encoded in UTF-8 as defined in [RFC2252] section 6.10 with the following format:

[<GPO DN_1>;<GPLinkOptions_1>][<GPO DN_2>;<GPLinkOptions_2>]... [<GPO DN_n>;<GPLinkOptions_n>]

where "[", "]" and ";" are to be taken literally, <GPO DN*> are GPO DNs, and <GPLinkOptions> is a bit field with the following flags (any bitwise combination of the flag values is valid) defining the state of the association of the GPO referenced by the GPO DN with this and only this SOM:

| Value | Meaning |
|---|---|
| 0x00000000 | The GPO Link preceding the <GPLinkOptions> field is not ignored and is not an enforced GPO. This is the default <GPLinkOptions> value. |
| 0x00000001 | The GPO Link preceding the <GPLinkOptions> field MUST be ignored. |
| 0x00000002 | The GPO Link preceding this <GPLinkOptions> is an enforced GPO. |
| 0x00000003 | The GPO Link preceding the <GPLinkOptions> field MUST be ignored; in other words, when the 0x00000001 bit is set, the 0x00000002 bit is ignored, and the behavior is the same as if the flag value were 0x00000001. |

Note: The presence of the GPO DNs in the gpLink attribute of the SOM from which it came defines an association of the GPO DNs with the SOM. The order in which GPO paths appear in this attribute specifies the link order for the associated GPOs. A GPO can be linked one or more times to a SOM object, and the <GPLinkOptions> field can be configured independently on each of the links.

gpOptions: This is an LDAP INTEGER (as defined in [RFC2252] section 6.16). It is used to block Group Policy inheritance. A value of "1" for this attribute in a given SOM container means that non-enforced GPO links to SOM objects higher in the Active Directory hierarchy of this SOM container MUST be ignored. GPO links to the SOM object in which this attribute is set to "1" are not affected. A value of "0" means that GPOs in this SOM's container hierarchy in the Active Directory MUST be honored. The default value is "0".
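The gpLink format and the gpOptions inheritance rule, applied together in Python as an added example that is not code from [MS-GPOL] or from any Microsoft implementation. It parses a gpLink value strictly (anything that is not a sequence of `[<GPO DN>;<GPLinkOptions>]` entries is rejected rather than partially accepted), interprets the flag bits exactly as the table above states (bit 0x1 wins over 0x2, so 0x3 is ignored), and then walks a chain of SOMs from the domain root down to the policy target's container, discarding non-enforced links from every SOM above one whose gpOptions is "1". The chain ordering and the tuple layout are the example's own conventions; it applies only the rules on this page and does not decide precedence between GPOs from different SOMs, which this section does not specify. The sample gpLink values are constructed.

```python
from dataclasses import dataclass

# <GPLinkOptions> flag bits from the gpLink table.
GPLINK_IGNORED = 0x00000001
GPLINK_ENFORCED = 0x00000002
# gpOptions value that blocks non-enforced links from higher SOMs.
GPOPTIONS_BLOCK_INHERITANCE = 1


@dataclass(frozen=True)
class GpoLink:
    gpo_dn: str
    options: int

    @property
    def ignored(self) -> bool:
        # Bit 0x1 set: the link is ignored regardless of 0x2 (covers 0x3).
        return bool(self.options & GPLINK_IGNORED)

    @property
    def enforced(self) -> bool:
        # 0x2 only counts when the link is not ignored.
        return not self.ignored and bool(self.options & GPLINK_ENFORCED)


def parse_gplink(value: str) -> list[GpoLink]:
    """Parse "[<GPO DN>;<GPLinkOptions>]..." into links in link order.
    Rejects anything that is not a strict sequence of bracketed entries."""
    links = []
    pos = 0
    while pos < len(value):
        if value[pos] != "[":
            raise ValueError(f"expected '[' at offset {pos}")
        end = value.find("]", pos)
        if end < 0:
            raise ValueError("unterminated gpLink entry")
        dn, sep, opts = value[pos + 1:end].rpartition(";")
        if not sep or not dn or not opts.isdigit():
            raise ValueError(f"malformed entry {value[pos:end + 1]!r}")
        links.append(GpoLink(dn, int(opts)))
        pos = end + 1
    return links


def applied_links(som_chain: list[tuple[str, str, int]]) -> list[tuple[str, str, bool]]:
    """Given (SOM DN, gpLink value, gpOptions) tuples ordered from the domain
    root down to the SOM containing the policy target, return the links that
    survive the ignore and block-inheritance rules as (SOM DN, GPO DN, enforced).
    Links keep the order in which they appear in each gpLink attribute."""
    result = []
    for i, (som_dn, gplink, _) in enumerate(som_chain):
        # A block set on any SOM *below* this one discards this SOM's
        # non-enforced links; a block on the SOM itself does not affect
        # the SOM's own links.
        blocked = any(opts & GPOPTIONS_BLOCK_INHERITANCE for _, _, opts in som_chain[i + 1:])
        for link in parse_gplink(gplink):
            if link.ignored:
                continue
            if blocked and not link.enforced:
                continue
            result.append((som_dn, link.gpo_dn, link.enforced))
    return result


if __name__ == "__main__":
    # Constructed sample: domain root, an OU that blocks inheritance, and a child OU.
    policies = ",CN=Policies,CN=System,DC=example,DC=com"
    chain = [
        ("DC=example,DC=com", f"[CN=GPO-A{policies};0][CN=GPO-B{policies};2]", 0),
        ("OU=Servers,DC=example,DC=com", f"[CN=GPO-C{policies};1]", 1),
        ("OU=Web,OU=Servers,DC=example,DC=com", f"[CN=GPO-D{policies};3][CN=GPO-E{policies};0]", 0),
    ]
    for som, gpo, enforced in applied_links(chain):
        print(f"{som} -> {gpo} (enforced={enforced})")
```

Running this on values pulled from the SOM search makes the effect of a block-inheritance flag visible: in the sample, GPO-A from the domain is dropped because OU=Servers blocks inheritance, while the enforced GPO-B still reaches the target, and GPO-D on the leaf OU is dropped purely because its own link carries the 0x1 bit.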