2.2 Message Syntax

The Group Policy: Core Protocol is an amalgam of protocol conversations. For the purposes of this document, different phases of this conversation are described as messages. These messages are themselves bidirectional; that is, they can contain multiple pairs of both requests and responses.

There are two classes of protocol conversations. Each message can be categorized into one of the following two classes:

Policy application messages are exchanged during policy application after which a Group Policy extension typically takes action to apply administrative policy. Collectively, the following sequence of eight messages is referred to in this documentation as a policy application message:

  1. Distinguished Name (DN) Discovery

  2. Domain Scope of Management (SOM) Search

  3. Site Search

  4. Group Policy Object (GPO) Search

  5. WMI Filter Search

  6. Link Speed Determination

Administrative messages allow an administrator to view and update policies in a domain. They are only used by an administrative plug-in, never by a client plug-in. Administrative messages consist of the following:

Note All usage of file access and LDAP in the following message syntaxes include SPNEGO messages in the appropriate part of the protocol sequences. For computer policy mode, they MUST include Kerberos authentication.

The authentication requirements mean that for user policy mode, if the client needs the settings for a policy target, the client MUST be able to authenticate all LDAP and file operations against the Group Policy server as the policy target account. Thus all LDAP and file operations that can be authenticated include authentication traffic that authenticates the policy target against the Group Policy server.

Note All references in this document to object distinguished names (DN) and attribute names through LDAP correspond exactly to objects and attributes that are stored on the DC LDAP server, according to the Active Directory schema, as specified in [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].

The Group Policy: Core Protocol provides a Group Policy extension mechanism that allows other protocols to insert themselves into this protocol's sequences; each Group Policy extension has its own document (for example, [MS-GPREG] and [MS-GPSCR]). Note that the Group Policy: Core Protocol does not require any of these Group Policy extensions; for example, vendors can use this protocol with only their own Group Policy extensions.