GPO Filter Evaluation

In this procedure, the client MUST process the GPO as follows:

  1. Check for the functionality version of the GPO. If the gPCFunctionalityVersion field of the Group Policy Object Search message (as defined in [MS-ADA1] section 2.278) is not set to 2, the GPO MUST NOT be included in the rest of the protocol sequence. The GPO MUST be considered denied.

  2. Check whether the GPO has been disabled. The GPO MUST be considered denied in either of the following two cases:

  3. Perform security filtering. Using abstract element Group Policy Client AD Connection Handle, retrieve the attribute nTSecurityDescriptor, defined in [MS-ADLS] section 2.257. This security descriptor, discretionary access control list (DACL), MUST be checked for an access control entry (ACE) that grants the extended right ApplyGroupPolicy (as specified in [MS-ADTS] section to an Active Directory security group for which the policy target account is a member. The access check is done against the abstract element Policy Target Security Token.<20> If the right is denied by an ACE for which the policy target account is a member, the GPO is to be considered denied. Otherwise, the entry grants that right, and that GPO is to be considered allowed.

  4. Checks for an empty GPO: GPO MUST be considered denied if the GPO versions consisting of GPO container version and GPO file system version are both 0. The GPO attribute versionNumber stores the 32-bit container version in Active Directory.