1.3.1 Background

The Group Policy: Core Protocol (as specified in [MS-GPOL]) allows clients to discover and retrieve policy settings created by administrators of a domain. These settings are persisted within Group Policy Objects (GPOs) that are assigned to Policy Target accounts in the Active Directory. Policy Target accounts are either computer accounts or user accounts in the Active Directory. Each client uses Lightweight Directory Access Protocol (LDAP) to determine what GPOs are applicable to it by consulting the Active Directory objects corresponding to both its computer account and the user accounts of any users logging on to the client computer.

On each client, each GPO is interpreted and acted upon by software components known as client plug-ins. The client plug-ins responsible for a given GPO are specified using an attribute on the GPO. This attribute specifies a list of globally unique identifier (GUID) lists. The first GUID of each GUID list is referred to as a client-side extension GUID (CSE GUID). Other GUIDs in the GUID list are referred to as tool extension GUIDs.

For each GPO that is applicable to a client, the client consults the CSE GUIDs listed in the GPO to determine which client plug-in handles the GPO. The client then invokes the client plug-in to handle the GPO.

A client plug-in uses the contents of the GPO to retrieve settings specific to its class in a manner specific to its class. After its class-specific settings are retrieved, the client plug-in uses those settings to perform class-specific processing.