1.3.1 Background

The Group Policy: Core Protocol (as specified in [MS-GPOL]) enables clients to discover and retrieve policy settings created by administrators of a domain. These settings are persisted within group policy objects (GPOs), which are assigned to policy target accounts in Active Directory directory service. Policy target accounts are either computer accounts or user accounts in Active Directory. Each client uses the Lightweight Directory Access Protocol (LDAP), as specified in [RFC2251], to determine what GPOs are applicable to it by consulting Active Directory objects corresponding to its computer account and the user accounts of any users logging on to the client computer.

On each client, each GPO is interpreted and acted on by software components known as client plug-ins. The client plug-ins responsible for a given GPO are specified using an attribute of the GPO. This attribute specifies a list of GUID pairs. The first GUID of each pair is referred to as a client-side extension GUID (CSE GUID). The second GUID of each pair is referred to as a tool extension GUID.

For each GPO applied to a client, the client consults the CSE GUIDs listed in the GPO to determine what client plug-ins on the client are to handle the GPO. The client then invokes the client plug-ins to handle the GPO.

A client plug-in uses the contents of the GPO to retrieve relevant settings in a manner specific to the plug-in. After its settings are retrieved, the client plug-in uses those settings to perform plug-in-specific processing.