3.2.5.1 Policy Application

Policy application is composed of the following parts:

  • DC Discovery and AD Connection establishment

  • DN Discovery

  • Domain SOM Search

  • Site Search

  • GPO Search

  • GPO Filter Evaluation

  • WMI Filter Evaluation

  • AD Connection termination

  • Link Speed Discovery

  • Extension Protocol Sequences

  • Policy Application Notification

The steps in sections 3.2.5.1.3 through 3.2.5.1.7 are performed while impersonating the policy target as specified in [MS-DTYP] section 2.7, Impersonation Abstract Interfaces. The successful completion of these steps ends with a Policy Application Notification. There is no Policy Application starting or failure notification.

The following initialization steps MUST be completed before proceeding with the tasks listed above.

  1. The GPO list, SOM list, GPLink list, SOM GPLink list, Enforced GPLink list, and Non-enforced GPLink list MUST be initialized to empty lists.

  2. Allow-Enforced-GPOs-Only MUST be initialized to FALSE.

Policy target impersonation proceeds as follows:

  1. For Computer Policy Application Mode, the Policy Source Mode MUST be set to Normal.

  2. The client application retrieves the primary token of the interactive user (the policy target) during user policy application or retrieves the machine token of the computer (the policy target) during computer policy application. It then passes the token to the Start Impersonation abstract interface as specified in [MS-DTYP] section 2.7.1.

  3. The client application establishes an LDAP connection to the directory server. An LDAP bind request ([RFC2251] section 4.2, Bind Operation) is sent to the directory server with the credentials of the policy target.

  4. The directory server verifies the credentials, as described in [MS-AUTHSOD] section 2.5.3.1.1, and sends an LDAP bind response, as specified in [RFC2251] section 4.2.3, Bind Response, to the client application.

  5. The client application requests an RPC binding handle to establish a connection with the directory server by using the Directory Replication Service (DRS) Remote Protocol, as defined in [MS-DRSR] section 4.1.3.

  6. The directory server processes the bind request and sends a response with an RPC binding handle.

  7. The client application sends a request for name translation to the server using the RPC binding handle, as specified in [MS-DRSR] section 4.1.4, passing in DRS_MSG_CRACKREQ with the following settings:

    Setting          Value
    ---------------  --------------------------------------------------------------
    formatOffered    DS_STRING_SID_NAME
    formatDesired    DS_DNS_DOMAIN_NAME
    CodePage         0
    LocaleId         0
    dwFlags          0
    rpNames          The string version of the user's SID obtained from the primary token at token.SIDS[UserIndex] (tokens are defined in [MS-DTYP] section 2.5.2).

  8. The directory server processes the request and returns the translated name (the user's domain name) as specified in [MS-DRSR] section 4.1.4.3.

  9. The client application retrieves the policy target's domain name in Unicode format from DRS_MESSAGE_CRACKREPLY, assigning it to the <Policy Target Domain Name> ADM element.

  10. The directory server processes the request and returns the translated name (the user's DN) as specified in [MS-DRSR] section 4.1.4.3.

  11. The client application requests to release the RPC binding handle it received in step 5, as specified in [MS-DRSR] section 4.1.25.

  12. The directory server processes the request as specified in [MS-DRSR] section 4.1.25.1.

  13. The client application ends impersonation by invoking the abstract interface EndImpersonation, as specified in [MS-DTYP] section 2.7.2.

Impersonate the policy target as defined in [MS-DTYP] section 2.7. Invoke the IDL_DRSCrackNames (Opnum 12) RPC method ([MS-DRSR] section 4.1.4), passing in DRS_MSG_CRACKREQ with the formatDesired field set to DS_DNS_DOMAIN_NAME.<16> Retrieve the policy target's domain name in Unicode format from DRS_MSG_CRACKREPLY, assigning it to abstract element Policy Target Domain Name. End impersonation of the policy target.

Determine the role of the machine that Group Policy application is running on by locally invoking DsRoleGetPrimaryDomainInformation (specified in [MS-DSSP] section 3.2.5.1), using the following parameters:

  • Set the hBinding parameter to NULL.

  • Set the InfoLevel parameter to DsRolePrimaryDomainInfoBasic.

The Machine Role ADM element is initialized to the value of the MachineRole field in the returned DomainInfo structure (as defined in [MS-DSSP] section 2.2.1). For User Policy Application Mode, if Machine Role is not equal to DsRole_RoleStandaloneWorkstation or DsRole_RoleStandaloneServer, and the DomainGuid field of the returned DomainInfo structure is not null, then loopback replace and loopback merge modes are allowed. Otherwise, the abstract element Policy Source Mode defaults to Normal mode.

For User Policy Application Mode on a machine that is a member of a domain with directory service support, the client enumerates all the domains in the same forest as the computer's domain by performing a local call consistent with the behavior as specified in the DsrEnumerateDomainTrusts method (as defined in [MS-NRPC] section 3.5.4.7.1) with the following parameters.

  • NULL for ServerName.

  • Value A for Flags.

If the method returns a non-zero error code, policy application MUST be terminated and an event SHOULD<17> be logged using an implementation-specific mechanism. Otherwise, if the Policy Target Domain Name (section 3.2.1.16) is not in the list of DNS domains found, then the Policy Source Mode MUST be set to Loopback replace mode. If the Policy Target Domain Name is in the list, the Policy Source Mode MUST be initialized to the Default Policy Source Mode (section 3.2.1.2).

The priority list of GPOs applicable to a policy target MUST be computed as specified in the following subsections (3.2.5.1.x).

  1. If the Policy Source Mode is normal mode, the policy target and policy target domain MUST be used to compute the abstract element Filtered GPO list.

  2. If the Policy Source Mode is loopback replace mode, the computer account name and computer domain MUST be used to compute the Filtered GPO list. Invoke the IDL_DRSCrackNames (Opnum 12) RPC method ([MS-DRSR] section 4.1.4) with the formatDesired field set to DS_DNS_DOMAIN_NAME. Retrieve the computer's domain name and assign it to abstract element Policy Target Domain Name.

  3. If the Policy Source Mode is loopback merge mode:

    • Compute the initial GPO List using the policy target and policy target domain.

    • Compute a new GPO List using the computer account name and computer domain. In DC Discovery and AD Connection Establishment (section 3.2.5.1.1), the option LDAP_OPT_DNSDOMAIN_NAME is not set a second time if the domain controller is unchanged from the first bind.

    • Append the second GPO List to the initial GPO List to create the Filtered GPO list.

  4. For any other Policy Source Mode, assign an empty list to Filtered GPO list.
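The following added example (not part of the specification or of any Windows client code) models the Policy Source Mode decision from the Machine Role, DomainGuid and forest-domain checks above, together with the Filtered GPO list computation for Normal, Loopback replace and Loopback merge modes. The directory calls (DsRoleGetPrimaryDomainInformation, DsrEnumerateDomainTrusts, IDL_DRSCrackNames) are replaced by their results passed in as arguments; the domain names and GPO names are constructed sample values.

```python
"""Model of the Policy Source Mode selection and Filtered GPO list logic of
MS-GPOL 3.2.5.1. Illustration only: directory lookups are supplied as inputs."""
from enum import Enum


class Mode(Enum):
    NORMAL = "Normal"
    LOOPBACK_REPLACE = "Loopback replace"
    LOOPBACK_MERGE = "Loopback merge"


# MachineRole values ([MS-DSSP] section 2.2.1) for which loopback is never allowed.
STANDALONE_ROLES = {"DsRole_RoleStandaloneWorkstation", "DsRole_RoleStandaloneServer"}


def select_policy_source_mode(user_mode, machine_role, domain_guid,
                              default_mode, forest_domains, target_domain):
    """Return the Policy Source Mode.

    user_mode:      True for User Policy Application Mode, False for Computer.
    machine_role:   MachineRole from DsRoleGetPrimaryDomainInformation.
    domain_guid:    DomainGuid from the same call, or None if null.
    default_mode:   the Default Policy Source Mode ADM element.
    forest_domains: DNS domain names from DsrEnumerateDomainTrusts, or None
                    if that call returned a non-zero error code.
    target_domain:  the Policy Target Domain Name obtained via CrackNames.
    """
    if not user_mode:
        return Mode.NORMAL                       # computer mode is always Normal
    loopback_allowed = machine_role not in STANDALONE_ROLES and domain_guid is not None
    if not loopback_allowed:
        return Mode.NORMAL                       # standalone machine: default to Normal
    if forest_domains is None:
        # Spec: non-zero error code terminates policy application (event logged).
        raise RuntimeError("DsrEnumerateDomainTrusts failed; policy application terminated")
    # DNS names compare case-insensitively (assumption made by this illustration).
    if target_domain.lower() not in {d.lower() for d in forest_domains}:
        return Mode.LOOPBACK_REPLACE             # user from outside the computer's forest
    return default_mode


def filtered_gpo_list(mode, target_gpos, computer_gpos):
    """Compute the Filtered GPO list for the given Policy Source Mode."""
    if mode is Mode.NORMAL:
        return list(target_gpos)                 # policy target and its domain only
    if mode is Mode.LOOPBACK_REPLACE:
        return list(computer_gpos)               # computer account and its domain only
    if mode is Mode.LOOPBACK_MERGE:
        return list(target_gpos) + list(computer_gpos)   # second list appended to first
    return []                                    # any other mode: empty list
```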