2.2.7 GPO Read Administration
This operation is similar to the sequences for policy application, but it is targeted only at a single GPO. This part of the protocol allows users to view the settings and state of an individual GPO.
Attributes and files MUST be interpreted in the same way as in section 2.2.4. The only difference is the search protocol sequence in the LDAP search request, which is specified in the following table.
| Parameter | Value |
|---|---|
| baseObject | Base Search Scope MUST be the GPO DN for some GPO. |
| Scope | Search only the root of the computer's domain (this MUST be set to 0). |
| derefAliases | MUST be set to 0 (neverDerefAliases). |
| sizeLimit | No limit is set (this MUST be set to 0). |
| timeLimit | MUST be set to 0 (infinite). |
| typesOnly | MUST be set to 0 (FALSE). |
| Filter | The following LDAP filter (as specified in [RFC2254]) MUST be used: (objectClass=*) |
| Attributes | MAY be NULL, but SHOULD<8> be as specified in section 2.2.4, plus systemFlags, whenCreated, and whenChanged. |
The reply from the search request from the Group Policy server MUST include the attributes in section 2.2.4 as well as the following additional attributes. Any attributes other than those specified here and in section 2.2.4 MUST be ignored.
| Attribute | Format |
|---|---|
| systemFlags | An integer value that contains flags that define additional properties of this GPO. This value is maintained by the Active Directory server, as specified in [MS-ADA3] section 2.294 and [MS-ADTS]. |
| whenCreated | The date when this GPO was created. This value is set by the Active Directory server, as specified in [MS-ADA3] section 2.371. |
| whenChanged | The date when this GPO was last changed. This value is managed by the Active Directory server, as specified in [MS-ADA3] section 2.370. |
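The following added example (not part of the specification) checks a decoded search request against the parameter table above and applies the reply rule that unspecified attributes are ignored. The dictionary layout, function names, sample DN, and the two-attribute stand-in for the section 2.2.4 list are assumptions made for illustration, as is the GeneralizedTime text form assumed for the two dates.

```python
from datetime import datetime, timezone

# Fixed values from this section's request table.
REQUIRED = {"scope": 0, "derefAliases": 0, "sizeLimit": 0,
            "timeLimit": 0, "typesOnly": False, "filter": "(objectClass=*)"}
EXTRA_ATTRS = ("systemFlags", "whenCreated", "whenChanged")

def check_request(req, gpo_dn):
    """Return deviations from the MUST/SHOULD rules for the search request."""
    issues = []
    if req.get("baseObject", "").lower() != gpo_dn.lower():
        issues.append("MUST: baseObject is not the GPO DN")
    for name, want in REQUIRED.items():
        if req.get(name) != want:
            issues.append(f"MUST: {name}={req.get(name)!r}, expected {want!r}")
    have = {a.lower() for a in req.get("attributes") or ()}
    if have:  # a NULL or empty attribute list is allowed (MAY)
        issues += [f"SHOULD: attributes omits {a}"
                   for a in EXTRA_ATTRS if a.lower() not in have]
    return issues

def read_reply(entry, section_2_2_4_attrs):
    """Drop unspecified attributes, then type the three additional ones."""
    canon = {a.lower(): a for a in (*section_2_2_4_attrs, *EXTRA_ATTRS)}
    out = {canon[k.lower()]: v for k, v in entry.items() if k.lower() in canon}
    for k in ("whenCreated", "whenChanged"):
        if k in out:  # assumes GeneralizedTime text such as 20240115093000.0Z
            out[k] = datetime.strptime(out[k], "%Y%m%d%H%M%S.0Z").replace(
                tzinfo=timezone.utc)
    if "systemFlags" in out:
        out["systemFlags"] = int(out["systemFlags"])
    return out

# Constructed sample data (not from the specification).
SAMPLE_GPO_DN = ("CN={11111111-2222-3333-4444-555555555555},"
                 "CN=Policies,CN=System,DC=example,DC=test")
ASSUMED_2_2_4 = ("displayName", "versionNumber")  # placeholder subset
SAMPLE_REQUEST = {"baseObject": SAMPLE_GPO_DN, **REQUIRED,
                  "attributes": [*ASSUMED_2_2_4, *EXTRA_ATTRS]}
SAMPLE_REPLY = {"displayName": "Constructed GPO", "versionNumber": "3",
                "systemFlags": "0", "whenCreated": "20240115093000.0Z",
                "whenChanged": "20240301120000.0Z", "objectGUID": "ignored"}

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST, SAMPLE_GPO_DN))
    print(read_reply(SAMPLE_REPLY, ASSUMED_2_2_4))
```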