3.2.4.1 Process Group Policy

All Group Policy extension messages can be considered to have an abstract interface with the following logical input parameters. (An individual Group Policy extension sequence can use every part of the input parameters to obtain its settings.) Refer to the specific Group Policy extension sequence for the format of the data that is actually transmitted between the client and any servers during the protocol sequence. A GPO state of New, Changed, or Deleted is derived by comparing the Filtered GPO list against Group Policy processing results logged on the local machine during the previous policy application session. If the client-specific implementation does not support Group Policy processing results logging, all GPOs MUST be considered New or Changed in order to apply policy.

The logical parameters are:

New or Changed GPO list: Contains one entry for each GPO for which a Group Policy extension will request and retrieve settings as well as the GPO path.

Deleted GPO list: Contains the represented GPOs that were applied in the previous policy application session but are no longer present in the current New or Changed GPO list.

SessionFlags: A set of flags defining aspects of this policy application session. These flag values are listed in the following table.

| Value | Description |
| --- | --- |
| 0x00000001 | Computer Policy Application Mode. |
| 0x00000010 | Policy applying as a background process. |
| 0x00000020 | Policy applying across a slow link. |
| 0x00000040 | The Group Policy extension uses verbose logging. |
| 0x00000080 | No changes were detected in the GPO List. |
| 0x00000100 | A change in link speed was detected in comparison to the previous policy application. |
| 0x00000200 | A change in logging was detected in comparison to the previous policy application. |
| 0x00000400 | A forced refresh of policy is being applied. |
| 0x00000800 | The computer is in maintenance or recovery (Safe) mode. |
| 0x00001000 | Policy applying as a foreground process. |

SecurityToken: A security token enabling impersonation of the policy target.

The GPO DN list (New or Changed GPOs) passed to each Group Policy extension's specific protocol sequence contains only those GPOs that are marked as containing those Extension Protocol Sequences (section 3.2.5.1.10). The GPO list does not contain GPOs that are noted by the client as denied (section 3.2.5.1.6), or GPOs for which the WMI query returns no results and are considered denied (section 3.2.5.1.7). The GPO DN list (Deleted GPOs) passed to each Group Policy extension's specific protocol sequence contains only those GPOs that no longer apply but applied during the previous policy application session.
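The state derivation described in this section, written out as an added example (not code from the specification or from any Group Policy implementation). It assumes each GPO carries a version number that was logged by the previous session; the flag member names, the function name and the sample DNs are hypothetical.

```python
from enum import IntFlag

class SessionFlags(IntFlag):
    # Values are from the SessionFlags table; the member names are hypothetical.
    COMPUTER_MODE = 0x00000001
    BACKGROUND = 0x00000010
    SLOW_LINK = 0x00000020
    VERBOSE_LOGGING = 0x00000040
    NO_GPO_CHANGES = 0x00000080
    LINK_SPEED_CHANGED = 0x00000100
    LOGGING_CHANGED = 0x00000200
    FORCED_REFRESH = 0x00000400
    SAFE_MODE = 0x00000800
    FOREGROUND = 0x00001000

def derive_gpo_lists(filtered, previous, flags=SessionFlags(0)):
    """Split the Filtered GPO list into the lists handed to an extension.

    filtered: {gpo_dn: version} for this session, in processing order.
    previous: {gpo_dn: version} logged by the previous session, or None when
              the client does not log Group Policy processing results.
    Returns (new_or_changed, deleted, flags).
    """
    if previous is None:
        # No logged results to compare against: every GPO MUST be treated as
        # New or Changed so that policy is still applied.
        return list(filtered), [], flags & ~SessionFlags.NO_GPO_CHANGES
    # Assumption: "Changed" means the logged version differs from the current one.
    new_or_changed = [dn for dn, ver in filtered.items() if previous.get(dn) != ver]
    # Deleted: applied last session, absent from the current list.
    deleted = [dn for dn in previous if dn not in filtered]
    if new_or_changed or deleted:
        flags &= ~SessionFlags.NO_GPO_CHANGES
    else:
        # This example's reading of 0x00000080: both lists came out empty.
        flags |= SessionFlags.NO_GPO_CHANGES
    return new_or_changed, deleted, flags

# Constructed sample data (placeholder DNs and version numbers).
DN = "CN={%s},CN=Policies,CN=System,DC=example,DC=test"
A, B, C, D = (DN % name for name in ("GPO-A", "GPO-B", "GPO-C", "GPO-D"))
PREVIOUS = {A: 3, B: 7, C: 1}
CURRENT = {A: 3, B: 8, D: 1}

if __name__ == "__main__":
    start = SessionFlags.COMPUTER_MODE | SessionFlags.BACKGROUND
    for label, prev in (("with log", PREVIOUS), ("no log", None)):
        changed, deleted, flags = derive_gpo_lists(CURRENT, prev, start)
        print(label, changed, deleted, hex(flags))
```

With the previous session's log available, only the changed and new GPOs reach the extension; without it, the full list is reprocessed on every run.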