3.2.5.1.10 Extension Protocol Sequences

The Extension List abstract element is initialized by implementation-specific means.

The Group Policy extension sequence is initiated by invoking the Process Group Policy event specified in the client-side Higher-Layer Triggered Events section of the corresponding Group Policy extension specification. The associated abstract interface is specified in section 3.2.4.1 of this document.

The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field. Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.

As a result, each Group Policy extension sequence only generates traffic that references GPOs in which that Group Policy extension's CSE GUID was present in the gPCUserExtensionNames attribute for the user policy mode, and only those GPOs with the CSE GUID present in gPCMachineExtensionNames for the computer policy mode.

The behavior of a given Group Policy extension is specific to each Group Policy extension and is specified in the documentation of that Group Policy extension. A failure in any Group Policy extension sequence does not cause the policy application sequence to fail. Failure simply means that Group Policy clients are not able to enforce settings that are associated with that specific Group Policy extension. For example, if the Group Policy: IP Security (IPSec) Protocol Extension (as specified in [MS-GPIPSEC]) sequence fails, the computer will not be configured according to the network administrator's IP security policy settings. This might mean that the computer cannot access some network resources that are secured through IP security. Other Group Policy extensions are not directly affected by the failure of the Group Policy: IP Security (IPSec) Protocol Extension. For example, if the Group Policy: IP Security (IPSec) Protocol Extension fails, the Group Policy: Scripts Extension Encoding (as specified in [MS-GPSCR]) protocol sequence MUST still be invoked by the client.

If the determined Link Speed (section 3.2.5.1.9) is below an implementation defined threshold, an implementation SHOULD NOT<21> invoke any Group Policy extension sequence that is bandwidth intensive.

If time elapsed (in minutes) since the invocation of a Group Policy extension is greater than the MaxNoGPOListChangesInterval value (if present and nonzero) in the Extension List (section 3.2.1.24), and the Filtered GPO list contains GPOs that are marked as containing that extension, then an implementation SHOULD invoke that Group Policy extension even when there are no changes to applicable GPOs.

An implementation-specific means SHOULD be provided to allow for the addition of Group Policy extensions.