3.1.5.2 Creating a Wireless or Wired Policy Object on Active Directory

When the administrative-side plug-in attempts to create a wireless or wired policy object for a GPO, the following protocol sequence MUST be generated.

An LDAP BindRequest from the administrative-side plug-in to the Group Policy server and an LDAP BindResponse in reply MUST be generated. The parameters to the BindRequest MUST be identical to those specified in section 3.1.5.1.

  1. The administrative-side plug-in MUST search under the ScopedGPOPath for the existence of the container object named "Microsoft" by sending an LDAP Search message with the parameters shown in the following table.

     | Parameter    | Value |
     | ------------ | ----- |
     | baseObject   | It MUST be Scoped GPO DN. |
     | Scope        | This MUST be set to search all entries in the first level below the base entry, excluding the base entry. |
     | derefAliases | This MUST be set to 0 (neverDerefAliases) to dereference in searching. |
     | sizeLimit    | This MUST be set to 0 (which specifies no limit). |
     | timeLimit    | This MUST be set to 0 (which specifies no limit). |
     | typesOnly    | This MUST be set to FALSE according to the LDAP definition of FALSE. |
     | Filter       | The LDAP filter (objectClass=Container) MUST be used. |
     | attributes   | This field MUST specify the attribute "commonName". |

  2. If the LDAP search returns nothing, or the attributes returned in the LDAP searchResponse do not contain commonName with the value equal to "Microsoft", it MUST create a container Active Directory object by sending an LDAP Add request message with the parameters shown in the following table.

     | Parameter  | Value |
     | ---------- | ----- |
     | Entry      | MUST be "CN=Microsoft, LDAP DN". |
     | attributes | MUST specify the attribute "objectClass" in an attributeList, as specified in [RFC2251]. |

     The attributes member is a sequence of attribute name and value pairs. The following table specifies these pairs and their meanings.

     | Attribute name | Value |
     | -------------- | ----- |
     | objectClass    | This MUST be the directory string value "container". |

  3. The administrative-side plug-in MUST search under the ScopedGPOPath\Microsoft for the existence of a container object named "Windows" by sending an LDAP Search message with the parameters shown in the following table.

     | Parameter    | Value |
     | ------------ | ----- |
     | baseObject   | It MUST be CN=Microsoft, LDAP DN. |
     | Scope        | This MUST be set to 1. The LDAP Search Request searches all entries in the first level below the base entry, excluding the base entry. |
     | derefAliases | This MUST be set to 0 (neverDerefAliases) to dereference in searching. |
     | sizeLimit    | This MUST be set to 0 (which specifies no limit). |
     | timeLimit    | This MUST be set to 0 (which specifies no limit). |
     | typesOnly    | This MUST be set to FALSE according to the LDAP protocol's definition of FALSE. |
     | Filter       | The LDAP filter (objectClass=Container) MUST be used. |
     | attributes   | This field MUST specify the attribute "commonName". |

     If the resultCode field of the addResponse message is non-zero, the add operation failed. Regardless of the outcome of this step, this protocol sequence MUST proceed to step 9 (LDAP UnbindRequest).

  4. If the LDAP Search returns nothing, or the commonName attribute returned in the LDAP searchResponse does not contain "Windows", it SHOULD create a container Active Directory object by sending an LDAP Add request message with the parameters shown in the following table.

     | Parameter  | Value |
     | ---------- | ----- |
     | Entry      | MUST be CN=Windows, CN=Microsoft, Scoped GPO DN. |
     | attributes | This field MUST specify the attribute "objectClass" in an attributeList, as specified in [RFC2251]. |

     The attributes member is itself a sequence of attribute name and value pairs. The following table specifies these pairs and their meanings.

     | Attribute name | Value |
     | -------------- | ----- |
     | objectClass    | This MUST be the directory string value "container". |

     If the resultCode field of the addResponse message is non-zero, the add operation failed. In this case, this protocol sequence MUST proceed directly to step 9 (LDAP UnbindRequest).

  5. The administrative-side plug-in MUST search under the ScopedGPOPath for the existence of a container by sending an LDAP Search message with the parameters shown in the following table.

     | Parameter    | Value |
     | ------------ | ----- |
     | baseObject   | It MUST be CN=Windows, CN=Microsoft, Scoped GPO DN. |
     | Scope        | This MUST be set to search all entries in the first level below the base entry, excluding the base entry. |
     | derefAliases | This MUST be set to 0 (neverDerefAliases) to dereference in searching. |
     | sizeLimit    | This MUST be set to 0 (which specifies no limit). |
     | timeLimit    | This MUST be set to 0 (which specifies no limit). |
     | typesOnly    | This MUST be set to FALSE according to the LDAP protocol's definition of FALSE. |
     | Filter       | The LDAP filter (objectClass=Container) MUST be used. |
     | attributes   | This field MUST specify the attribute "commonName". |

  6. If the LDAP Search returns nothing, or the attributes returned in the LDAP searchResponse do not contain the following values for commonName:

     • For BLOB-based wireless policy: "Wireless".

     • For XML-based wireless policy: "IEEE80211".

     • For wired Group Policy: "IEEE8023".

     It MUST then create a container Active Directory object by sending an LDAP Add request message with the parameters shown in the following table.

     | Parameter  | Value |
     | ---------- | ----- |
     | Entry      | BLOB-based wireless policy: MUST be "CN=Wireless, CN=Windows, CN=Microsoft, Scoped GPO DN". XML-based wireless policy: MUST be "CN=IEEE80211, CN=Windows, CN=Microsoft, Scoped GPO DN". Wired Group Policy: MUST be "CN=IEEE8023, CN=Windows, CN=Microsoft, Scoped GPO DN". |
     | attributes | This field MUST specify the attribute "objectClass" in an attributeList, as specified in [RFC2251]. |

     The attributes member is itself a sequence of attribute name and value pairs. The following table specifies these pairs and their meanings.

     | Attribute name | Value |
     | -------------- | ----- |
     | objectClass    | This MUST be the directory string value "container". |

     If the resultCode field of the addResponse message is non-zero, the add operation failed. In this case, this protocol sequence MUST proceed directly to step 9 (LDAP UnbindRequest).

  7. The administrative-side plug-in MUST create an object in the Active Directory that contains the wired or wireless policy settings. It MUST send an LDAP addRequest, as specified in [RFC2251], with the parameters shown in the following table.

     | Parameter  | Value |
     | ---------- | ----- |
     | Entry      | For BLOB-based wireless policy: it MUST be "CN=Wireless, CN=Windows, CN=Microsoft, Scoped GPO DN". For XML-based wireless policy: it MUST be "CN=IEEE80211, CN=Windows, CN=Microsoft, Scoped GPO DN". For wired policy: it MUST be "CN=IEEE8023, CN=Windows, CN=Microsoft, Scoped GPO DN". |
     | attributes | This field MUST specify the attributes listed below for the applicable policy type. |

     For BLOB-based wireless policy:

     • msieee80211-ID MUST be a unique identifier for the BLOB-based wireless Group Policy.

     • msieee80211-Data MUST be a data BLOB according to a well-defined format that describes the different settings in the policy. For more information about interpreting this data, see section 3.1.5.1.

     • description MUST be a user-defined description for the policy.

     • whenChanged MUST be a time stamp of the policy creation time by the administrative-side plug-in. The final timestamp value is created by the server.

     For XML-based wireless policy:

     • ms-net-ieee-80211-GP-PolicyGUID MUST be a unique identifier to identify the policy object.

     • ms-net-ieee-80211-GP-PolicyData MUST be an XML string according to a well-defined schema. For more information, see section 2.2.

     • description: a description for the policy.

     • whenChanged MUST be a time stamp of the policy creation time by the administrative-side plug-in. The final timestamp value is created by the server.

     For wired Group Policy:

     • ms-net-ieee-8023-GP-PolicyGUID MUST be a unique identifier to identify the policy object.

     • ms-net-ieee-8023-GP-PolicyData MUST be an XML string according to a well-defined schema. For more information, see section 2.2.

     • description: a description for the policy.

     • whenChanged MUST be a time stamp of the policy creation time by the administrative-side plug-in. The final timestamp value is created by the server.

     Additionally, the attributes in the following table MUST also be supplied in the attributeList.

     | Attribute name | Value |
     | -------------- | ----- |
     | objectClass    | For BLOB-based wireless policy: this MUST be the directory string value "msieee80211-Policy". For XML-based wireless policy: this MUST be the directory string value "ms-net-ieee-80211-GroupPolicy". For wired policy: this MUST be the directory string value "ms-net-ieee-8023-GroupPolicy". |
     | cn             | This field MUST be the expected name of the policy, represented as a directory string. |

     This message creates an Active Directory object of the corresponding policy. If the resultCode field of the addResponse message is non-zero, the add operation failed. In this case, this protocol sequence MUST proceed to step 9 (LDAP UnbindRequest).

  8. The administrative tool MUST invoke the Group Policy Extension Update task defined in [MS-GPOL] section 3.3.4.4.

  9. An LDAP UnbindRequest corresponding to the previous LDAP BindRequest is made by the plug-in to close the connection, unless the plug-in will reuse the ADConnection Handle (section 3.1.1.1) for future requests.
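The sequence above, as an added example that is not part of the MS-GPWL specification or any Microsoft implementation. It runs steps 1 through 7 and 9 against a constructed in-memory directory (`FakeDirectory`, a stand-in for the Group Policy server) so the search-then-add logic, the per-policy-type container names, objectClass values and attribute names, and the non-zero resultCode abort path can be exercised offline. The LDAP attribute name `cn` is used for commonName, the scoped GPO DN and GUID are placeholders, and the `FakeDirectory` class, its `log`, and the `fail_adds_for` set are all assumptions of this example.

```python
"""Added model of the MS-GPWL 3.1.5.2 sequence: ensure the Microsoft/Windows/<kind>
container chain exists under the scoped GPO DN, then add the policy object.
The directory below is a constructed in-memory stand-in, not a real LDAP client."""
from dataclasses import dataclass, field

# Per policy kind (from the section): leaf container cn, objectClass of the policy
# object, and the attribute names carrying the policy GUID and the settings data.
POLICY_KINDS = {
    "blob_wireless": ("Wireless", "msieee80211-Policy",
                      "msieee80211-ID", "msieee80211-Data"),
    "xml_wireless": ("IEEE80211", "ms-net-ieee-80211-GroupPolicy",
                     "ms-net-ieee-80211-GP-PolicyGUID", "ms-net-ieee-80211-GP-PolicyData"),
    "wired": ("IEEE8023", "ms-net-ieee-8023-GroupPolicy",
              "ms-net-ieee-8023-GP-PolicyGUID", "ms-net-ieee-8023-GP-PolicyData"),
}

# Search parameters fixed by the section; "cn" is the LDAP name of commonName (assumption).
SEARCH_PARAMS = dict(scope=1, deref_aliases=0, size_limit=0, time_limit=0,
                     types_only=False, filter_="(objectClass=container)", attributes=["cn"])


@dataclass
class FakeDirectory:
    """Constructed Group Policy server: DN -> attribute dict. Only the two LDAP
    operations the sequence needs are implemented; `log` records every request."""
    entries: dict = field(default_factory=dict)
    fail_adds_for: set = field(default_factory=set)  # DNs whose add returns a non-zero resultCode
    log: list = field(default_factory=list)

    def search(self, base_object, scope, deref_aliases, size_limit, time_limit,
               types_only, filter_, attributes):
        # Enforce the parameter values the section mandates (scope 1 = singleLevel).
        assert (scope, deref_aliases, size_limit, time_limit, types_only) == (1, 0, 0, 0, False)
        wanted_class = filter_[len("(objectClass="):-1].lower()
        self.log.append(("search", base_object))
        base = base_object.lower()
        results = []
        for dn, entry in self.entries.items():
            rdn = dn[: -len(base) - 1]  # the part of the DN above base_object
            if (dn.lower().endswith("," + base) and "," not in rdn
                    and entry["objectClass"].lower() == wanted_class):
                results.append({a: entry[a] for a in attributes if a in entry})
        return results

    def add(self, entry, attributes):
        self.log.append(("add", entry))
        if entry in self.fail_adds_for:
            return 53  # unwillingToPerform: any non-zero resultCode means the add failed
        self.entries[entry] = dict(attributes)
        return 0


def ensure_container(d, rdn, parent_dn):
    """Steps 1/2, 3/4 and 5/6: search one level under parent_dn for a container whose
    cn equals rdn; add it only when absent. Returns (dn, resultCode)."""
    dn = f"CN={rdn},{parent_dn}"
    for found in d.search(parent_dn, **SEARCH_PARAMS):
        if found.get("cn", "").lower() == rdn.lower():
            return dn, 0
    return dn, d.add(dn, {"objectClass": "container", "cn": rdn})


def create_policy_object(d, scoped_gpo_dn, kind, name, guid, data, description, when_changed):
    """Runs steps 1-7 and 9. Returns the new policy object's DN, or None when any
    addResponse carried a non-zero resultCode (the sequence then skips to unbind)."""
    leaf, object_class, guid_attr, data_attr = POLICY_KINDS[kind]
    parent = scoped_gpo_dn
    for rdn in ("Microsoft", "Windows", leaf):
        parent, rc = ensure_container(d, rdn, parent)
        if rc != 0:
            d.log.append(("unbind",))
            return None
    # Step 7: the policy object itself, with the kind-specific objectClass and attributes.
    policy_dn = f"CN={name},{parent}"
    rc = d.add(policy_dn, {"objectClass": object_class, "cn": name,
                           guid_attr: guid, data_attr: data,
                           "description": description, "whenChanged": when_changed})
    # Step 8 (Group Policy Extension Update, [MS-GPOL] 3.3.4.4) is outside this model.
    d.log.append(("unbind",))  # step 9
    return policy_dn if rc == 0 else None


if __name__ == "__main__":
    # Constructed scoped GPO DN; the GUID is a placeholder, not a real policy.
    gpo_dn = ("CN=Machine,CN={00000000-0000-0000-0000-000000000001},"
              "CN=Policies,CN=System,DC=example,DC=com")
    d = FakeDirectory()
    print(create_policy_object(d, gpo_dn, "wired", "Lab Wired Policy", "{placeholder-guid}",
                               "<WiredNetworkPolicy/>", "lab 802.1X", "20240101000000.0Z"))
    for op in d.log:
        print(op)
```

Two properties of the sequence are worth checking against the model: it is idempotent at the container level, so creating a second policy of another type under the same GPO issues only the two adds for the new leaf container and the policy object, and a non-zero resultCode on any add leaves the chain partially built and goes straight to the unbind, which is why an audit of a GPO's Microsoft/Windows subtree can legitimately find empty containers without a policy object beneath them.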
