1.3.3.2 GPO Retrieval

The second set of queries assembles the logical GPO from its component parts: its Active Directory portion and its file system-based portion. This second set of queries is also performed through LDAP. It uses the names of the GPOs that were returned in the first search to run a query that returns detailed attributes for each GPO associated with the policy target. These attributes describe details such as the following:

  • Precedence between GPOs to allow for resolution of conflicts between different GPOs (for example, if one GPO requests to set the background to green and another requests to set it to blue).

  • Information used for filtering to allow exclusion of some accounts in a container from being associated with a GPO.

  • Identification of classes of settings that are contained within a GPO.

  • Version information on the Active Directory portion of the GPO.

  • Location of information for that GPO stored outside Active Directory on the Group Policy server's SYSVOL domain-based Distributed File System (DFS) share, as specified in [MS-DFSC] section 3.1.5.4.4.

The client also uses file access to query the SYSVOL share for a file that contains version information for the file system storage portion of the GPO. The client uses all of this information to decide which of the GPOs have certain classes of settings that require protocol activity in the next and final step of policy application.
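The following added example (not part of the specification) shows the comparison this step enables: it splits the Active Directory and SYSVOL version numbers into user and computer halves, lists the setting classes advertised for the GPO, and checks that the file system location points at the domain's SYSVOL share. The attribute names versionNumber, gPCFileSysPath and gPCMachineExtensionNames and the GPT.INI file name do not appear on this page; they are assumed from the standard groupPolicyContainer schema, and all sample values are constructed.

```python
import configparser
import re

# Constructed sample: attributes of one GPO as an LDAP search might return
# them, and the text of the version file read from SYSVOL (assumed GPT.INI).
GPC = {
    "displayName": "Workstation Baseline",
    "versionNumber": "196613",  # 0x00030005: user 3, computer 5
    "gPCFileSysPath": r"\\example.test\SysVol\example.test\Policies\{11111111-2222-3333-4444-555555555555}",
    "gPCMachineExtensionNames": "[{AAAAAAAA-0000-0000-0000-000000000001}{BBBBBBBB-0000-0000-0000-000000000001}]"
                                "[{AAAAAAAA-0000-0000-0000-000000000002}{BBBBBBBB-0000-0000-0000-000000000002}]",
}
GPT_INI = "[General]\nVersion=196612\n"  # 0x00030004: user 3, computer 4

def split_version(value):
    """Split the 32-bit GPO version: high 16 bits user, low 16 bits computer."""
    v = int(value)
    return {"user": v >> 16, "computer": v & 0xFFFF}

def gpt_ini_version(text):
    """Read Version from the [General] section of the SYSVOL version file."""
    parser = configparser.ConfigParser()
    parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
    return parser.getint("General", "Version")

def extension_guids(attr):
    """The first GUID in each [...] group identifies one class of settings."""
    return [g.upper() for g in re.findall(r"\[(\{[0-9A-Fa-f-]{36}\})", attr or "")]

def path_in_domain_sysvol(unc, domain):
    """True when the UNC path is \\\\<domain>\\SysVol\\..., the domain-based share."""
    parts = unc.lstrip("\\").split("\\")
    return len(parts) >= 2 and parts[0].lower() == domain.lower() and parts[1].lower() == "sysvol"

def assess(gpc, gpt_ini_text, domain):
    """Combine both portions of one GPO and report where they disagree."""
    ad = split_version(gpc["versionNumber"])
    fs = split_version(gpt_ini_version(gpt_ini_text))
    return {
        "name": gpc["displayName"],
        "ad_version": ad,
        "sysvol_version": fs,
        "in_sync": {side: ad[side] == fs[side] for side in ad},
        "machine_extensions": extension_guids(gpc.get("gPCMachineExtensionNames")),
        "path_ok": path_in_domain_sysvol(gpc["gPCFileSysPath"], domain),
    }

if __name__ == "__main__":
    for key, value in assess(GPC, GPT_INI, "example.test").items():
        print(f"{key}: {value}")
```

A GPO whose halves are out of sync, or whose path fails the SYSVOL check, is worth reviewing before trusting the settings it delivers.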