2.1.3.1.2 Domain SOM Search and Response

A scope of management (SOM) is associated with an Active Directory container, such as a domain, site, or OU, that holds user and computer accounts that are managed through Group Policy. The Group Policy client accesses the SOM container to obtain attribute information. To initiate this process, the Group Policy client sends an LDAP BindRequest, and the Group Policy server sends an LDAP BindResponse in reply. After the Group Policy client has successfully received a BindResponse from the Group Policy server, it sends an LDAP SearchRequest to the Group Policy server that carries the LDAP information about its directory location. The Group Policy client then queries for the gpLink and gpOptions attributes that hold information about the GPOs in the SOM container for the configuration naming context (config NC), which stores configuration information in Active Directory, as described in [MS-ADTS] sections 3.1.1.1.5 and 6.1.1.1.2.

The Group Policy server processes the information that is provided as part of the request for the domain SOM and returns an object with gpLink and gpOptions attribute information to the Group Policy client along with the DN to which it applies.

The gpLink attribute retrieved from the domain container in Active Directory holds the LDAP DNs of the GPOs that are associated with the domain-level SOM. This information enables the policy application process to determine GPO names, the policy file location on the Group Policy file share, and any extensions that are specified in the GPO extension lists, all of which apply to the domain-level SOM. For information about the corresponding gpLink and gpOptions ADM elements, see [MS-GPOL] section 3.2.1.6.

The domain SOM data is added to an SOM list maintained by the Group Policy client. For information about the SOM list ADM element, see [MS-GPOL] section 3.2.1.6.
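
The following Python sketch is an added example, not part of the specification text: it parses the gpLink and gpOptions values returned for a domain SOM into a record suitable for an SOM list, which is also a convenient form for auditing which GPOs are linked, enforced, or disabled. The gpLink string layout and the flag bits are assumptions taken from [MS-GPOL] rather than from this section; the function names, the domain `example.test`, and all GUIDs are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed layout (per [MS-GPOL]): "[LDAP://<GPO DN>;<options>]" repeated.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=(\{[0-9a-f-]{36}\})", re.IGNORECASE)
LINK_DISABLED = 0x1      # gpLink option: link is ignored
LINK_ENFORCED = 0x2      # gpLink option: link is enforced
BLOCK_INHERITANCE = 0x1  # gpOptions bit: block policy from parent SOMs

@dataclass
class GpoLink:
    dn: str
    guid: str
    disabled: bool
    enforced: bool

@dataclass
class Som:
    dn: str
    block_inheritance: bool
    links: list = field(default_factory=list)

def parse_gplink(value):
    """Split a gpLink string into links, kept in stored order."""
    links = []
    for dn, opts in LINK_RE.findall(value or ""):
        m = GUID_RE.match(dn)
        flags = int(opts)
        links.append(GpoLink(dn, m.group(1).upper() if m else "",
                             bool(flags & LINK_DISABLED),
                             bool(flags & LINK_ENFORCED)))
    return links

def build_som(dn, gplink, gpoptions):
    """Build one SOM record from a search result entry.
    Absent attributes (None) mean no links and no blocking."""
    return Som(dn, bool(int(gpoptions or 0) & BLOCK_INHERITANCE),
               parse_gplink(gplink))

# Constructed sample entry for a hypothetical domain example.test.
SAMPLE_DN = "DC=example,DC=test"
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=test;2]"
    "[LDAP://CN={22222222-3333-4444-5555-666666666666},CN=Policies,CN=System,DC=example,DC=test;0]"
    "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=example,DC=test;1]")

if __name__ == "__main__":
    som = build_som(SAMPLE_DN, SAMPLE_GPLINK, "0")
    for link in som.links:
        print(link.guid, "disabled" if link.disabled else "active",
              "enforced" if link.enforced else "")
```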