2.2.10.1 GPO Creation Message

Creation of a GPO requires the creation of a groupPolicyContainer Active Directory object on the GP server and a corresponding directory on the GP server's SYSVOL share. The creation of the Active Directory portion of the GPO MUST be accomplished through an LDAP message from the Client to the Server. The LDAP message is an addRequest message that has the following parameters.

Parameter     Value
-----------   ------------------------------------------------------------------
entry         A GPO DN that is unique for the GPO in the domain. An administrative tool MUST generate the GUID portion of the GPO DN by using the GUID-generation algorithm, as specified in [C706], to ensure that the DN is unique in the domain.
attributes    MUST contain three attributes: objectClass, versionNumber, and flags.

              Attribute name   Value                                                     Meaning
              --------------   -------------------------------------------------------   ------------------------------------------------------------------------------
              objectClass      MUST be the UnicodeString value "groupPolicyContainer".   Name of the Active Directory object class type to create through this message.
              versionNumber    MUST be 0.                                                Meaning of this attribute is specified in section 2.2.5.
              flags            MUST be 0.                                                Meaning of this attribute is specified in section 2.2.5.

The Client receives an addResponse message in reply, as defined in section 4.7 of [RFC2251]. The resultCode field value determines a failure or success for the message. Success is indicated when the value of the addResponse message's resultCode is 0. Any other resultCode value indicates a failure.

Similar addRequest messages MUST be made to create subcontainers of the groupPolicyContainer object. The addRequest messages MUST look like the following.

For the user subcontainer:

Parameter     Value
-----------   ------------------------------------------------------------------
entry         MUST be the UnicodeString value "cn=user,<GPO DN>".
attributes    MUST contain one attribute: objectClass.

              Attribute name   Value                                          Meaning
              --------------   --------------------------------------------   ------------------------------------------------------------------------------
              objectClass      MUST be the UnicodeString value "container".   Name of the Active Directory object class type to create through this message.

For the machine subcontainer:

Parameter     Value
-----------   ------------------------------------------------------------------
entry         MUST be the UnicodeString value "cn=machine,<GPO DN>".
attributes    MUST contain one attribute: objectClass.

              Attribute name   Value                                          Meaning
              --------------   --------------------------------------------   ------------------------------------------------------------------------------
              objectClass      MUST be the UnicodeString value "container".   Name of the Active Directory object class type to create through this message.

After these messages are successfully processed, the user-scoped GPO DN and computer-scoped GPO DN MUST be created for this GPO. The following SMB messages make up the remainder of the GPO Creation message: once for the GPO path, once for its user subdirectory, and once for its computer subdirectory:

  1. SMB Open for the policies path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  2. SMB Create Directory request for the directory that is named with the GPO GUID of the GPO DN, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  3. SMB Close, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  4. SMB Open for the GPO path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  5. SMB Create File request for the file named gpt.ini, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  6. SMB Write File request to write the contents as outlined in section 2.2.5 with the required section, "General"; the key, "Version"; and the value, "0", using SPNEGO (as specified in [MS-SPNG]) for authentication.
  7. SMB Close, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  8. SMB Open for the GPO path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  9. SMB Create Directory request for the directory that is named with the user scoped GPO path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  10. SMB Close, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  11. SMB Open for the GPO path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  12. SMB Create Directory request for the directory that is named with the computer-scoped GPO path, using SPNEGO (as specified in [MS-SPNG]) for authentication.
  13. SMB Close, using SPNEGO (as specified in [MS-SPNG]) for authentication.

Any failures from the SMB operations mean that the overall GPO Creation message is invalid, and the sequence previously mentioned MUST be terminated.

The final portion of this message is to generate a gpt.ini file with the format and semantics that are described in section 2.2.5. The Version field of this file MUST be 0.
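As an added example (not part of the specification or any Microsoft implementation), the Python below models the LDAP half of this message and the gpt.ini body from step 6: it builds the three addRequests around a freshly generated GPO DN, checks a groupPolicyContainer addRequest against the MUST constraints in the table above (useful when auditing LDAP add events for GPO creation), and writes and parses the gpt.ini contents. It assumes the usual DN shape CN={GUID},CN=Policies,CN=System,<domain DN>, a constructed placeholder domain DN, and uuid4 as a stand-in for the [C706] GUID-generation algorithm.

```python
import re
import uuid
DOMAIN_DN = "DC=example,DC=com"  # constructed placeholder, not from the spec
# Assumed GPO DN shape: CN={GUID},CN=Policies,CN=System,<domain DN>.
GPO_DN_RE = re.compile(r"^CN=\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\},"
                       r"CN=Policies,CN=System,.+$", re.IGNORECASE)

def new_gpo_dn(domain_dn=DOMAIN_DN):
    """GPO DN with a freshly generated GUID RDN; uuid4 stands in for [C706]."""
    return "CN={%s},CN=Policies,CN=System,%s" % (str(uuid.uuid4()).upper(), domain_dn)

def gpo_creation_add_requests(gpo_dn):
    """The three addRequest messages as (entry, attributes), in the required order."""
    return [
        (gpo_dn, {"objectClass": "groupPolicyContainer", "versionNumber": 0, "flags": 0}),
        ("cn=user," + gpo_dn, {"objectClass": "container"}),
        ("cn=machine," + gpo_dn, {"objectClass": "container"}),
    ]

def check_gpo_add_request(entry, attributes):
    """MUST violations for the groupPolicyContainer addRequest ([] = conforming)."""
    problems = []
    if not GPO_DN_RE.match(entry):
        problems.append("entry is not a GPO DN with a GUID RDN")
    if set(attributes) != {"objectClass", "versionNumber", "flags"}:
        problems.append("attributes must be exactly objectClass, versionNumber, flags")
    if attributes.get("objectClass") != "groupPolicyContainer":
        problems.append("objectClass must be groupPolicyContainer")
    if attributes.get("versionNumber") != 0:
        problems.append("versionNumber must be 0 at creation")
    if attributes.get("flags") != 0:
        problems.append("flags must be 0 at creation")
    return problems

def gpt_ini_text():
    """gpt.ini body written at creation: section General, key Version, value 0 (CRLF assumed)."""
    return "[General]\r\nVersion=0\r\n"

def gpt_ini_version(text):
    """Version under [General] in a gpt.ini body, or None if absent or malformed."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "general" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "version":
                return int(value.strip()) if value.strip().isdigit() else None
    return None
```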
