3.3.5.1 GPO Creation

Creation of a GPO requires the creation of a groupPolicyContainer Active Directory object on the Group Policy server and a corresponding directory on the Group Policy server SYSVOL share. The creation of the Active Directory portion of the GPO MUST be accomplished through an LDAP addRequest message (as defined in the specification of the GPO Creation Message, section 2.2.8.1) from the client to the Group Policy server. Prior to the creation of the Active Directory portion of the GPO, the parent Active Directory policies container is created through an LDAP addRequest message.

  1. Create the Policies container using the message specified in section 2.2.8.1.4. If the container already exists, the "object already exists" error MUST be ignored. Any other nonzero value in the resultCode field ([RFC2251] section 4.1.10) of the addResponse message MUST terminate this protocol sequence.

  2. Attempt to retrieve the GPO container using the message specified in section 2.2.8.1.1.

  3. If the object does not exist, create the GPO container using the message specified in section 2.2.8.1.5. If the resultCode field of the addResponse message is nonzero, this protocol sequence MUST be terminated.

    The result of a groupPolicyContainer addRequest is an addResponse message in reply, as defined in [RFC2251] section 4.7. The resultCode field value determines a failure or success for the message. Success is indicated when the value of the addResponse message's resultCode is 0. Any other resultCode value indicates a failure.

Once the groupPolicyContainer object exists, the client retrieves its security descriptor with the GPO Security Descriptor SearchRequest (section 2.2.8.1.8). The result is an LDAP searchResponse that contains one searchResultEntry, as specified in [RFC2251] section 4.5.2. The searchResultEntry includes an attributes field that carries the value of the ntSecurityDescriptor attribute of the newly created GPO; that value is what the file operations below apply to the GPO directory on SYSVOL.

After the groupPolicyContainer object is created, create the machine and user container objects:

  1. Attempt to retrieve the machine container using the message specified in section 2.2.8.1.3.

  2. If the object does not exist, create the machine container using the message specified in section 2.2.8.1.7. If the resultCode field of the addResponse message is nonzero, this protocol sequence MUST be terminated.

  3. Attempt to retrieve the user container using the message specified in section 2.2.8.1.2.

  4. If the object does not exist, create the user container using the message specified in section 2.2.8.1.6. If the resultCode field of the addResponse message is nonzero, this protocol sequence MUST be terminated.

The following messages make up the remainder of the GPO Creation messages:

  1. File Status request for the directory GPO Path. If the GPO Path exists, the sequence MUST be terminated.

  2. Create Directory request for the directory GPO Path.

  3. Modify the security descriptor on the directory to the owner, primary group, and DACL as specified in the ntSecurityDescriptor GPO attribute using an implementation-specific method.<24>

  4. Create File request for the file GPO path\gpt.ini.

  5. Write File request to write the contents as defined in section 2.2.4: the single required section, "General", containing the key "Version" with the integer value 0.

  6. Create Directory request for the directory user scoped GPO path.

  7. Create Directory request for the directory computer-scoped GPO path.

Any failure in the file operations above means that the overall GPO Creation Message (section 2.2.8.1) is invalid, and the sequence MUST be terminated.
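The whole sequence above, end to end, as an added example that is not part of [MS-GPOL] or of any Microsoft implementation: Python that drives the Active Directory half against a constructed in-memory stand-in for the Group Policy server's LDAP directory, and the SYSVOL half with real directory and file operations inside a temporary directory. The names and attributes it uses (the CN=Policies,CN=System container, the Machine and User subcontainers, the User and Machine subdirectories, the gPCFileSysPath layout, and the groupPolicyContainer attribute set) are assumptions taken from the referenced message definitions rather than anything restated on this page; the domain corp.example and the fixed GUID are constructed sample input, and applying the security descriptor to the directory is left to a caller-supplied callback because the page makes that step implementation-specific.

```python
"""Added example, not MS-GPOL or Microsoft code: the 3.3.5.1 GPO Creation
sequence over a constructed in-memory LDAP stand-in and a temporary SYSVOL."""
import configparser
import os
import tempfile
import uuid

SUCCESS, NO_SUCH_OBJECT, ENTRY_ALREADY_EXISTS = 0, 32, 68  # RFC 2251 resultCodes


class GpoCreationError(RuntimeError):
    """Raised at every point where the sequence says it MUST be terminated."""


class FakeLdapServer:
    """Constructed stand-in for the Group Policy server directory: DN -> attributes.
    Returns only the resultCodes the sequence branches on, and gives every new
    object a default nTSecurityDescriptor the way a real server would."""

    def __init__(self):
        self.dit = {}

    def add(self, dn, attrs):  # LDAP addRequest -> addResponse.resultCode
        key = dn.lower()
        if key in self.dit:
            return ENTRY_ALREADY_EXISTS
        entry = dict(attrs)
        entry.setdefault("nTSecurityDescriptor", b"SD:default-for-" + dn.encode())
        self.dit[key] = entry
        return SUCCESS

    def search(self, dn):  # base-scope searchRequest -> (resultCode, entry)
        entry = self.dit.get(dn.lower())
        return (SUCCESS, entry) if entry is not None else (NO_SUCH_OBJECT, None)


def _get_or_create(ldap, dn, attrs):
    """Retrieve; create only if absent; any nonzero addResponse terminates."""
    rc, entry = ldap.search(dn)
    if rc == SUCCESS:
        return entry
    rc = ldap.add(dn, attrs)
    if rc != SUCCESS:
        raise GpoCreationError(f"addResponse resultCode {rc} for {dn}")
    return ldap.search(dn)[1]


def create_gpo(ldap, domain_dn, dns_domain, sysvol_root, display_name,
               gpo_guid=None, apply_sd=lambda path, sd: None):
    guid = "{%s}" % (gpo_guid or str(uuid.uuid4()).upper())
    policies_dn = f"CN=Policies,CN=System,{domain_dn}"  # assumed container DN
    gpo_dn = f"CN={guid},{policies_dn}"
    # Assumed share layout: \\<dns domain>\SysVol\<dns domain>\Policies\{GUID}
    gpc_file_sys_path = f"\\\\{dns_domain}\\SysVol\\{dns_domain}\\Policies\\{guid}"

    # Active Directory portion. Step 1: only "object already exists" is ignored.
    rc = ldap.add(policies_dn, {"objectClass": ["container"], "cn": "Policies"})
    if rc not in (SUCCESS, ENTRY_ALREADY_EXISTS):
        raise GpoCreationError(f"Policies container: resultCode {rc}")
    # Steps 2-3: search, then create the groupPolicyContainer (attributes assumed).
    gpo = _get_or_create(ldap, gpo_dn, {
        "objectClass": ["groupPolicyContainer"], "cn": guid,
        "displayName": display_name, "gPCFileSysPath": gpc_file_sys_path,
        "gPCFunctionalityVersion": 2, "flags": 0, "versionNumber": 0})
    sd = gpo["nTSecurityDescriptor"]  # GPO Security Descriptor search (2.2.8.1.8)
    for sub in ("Machine", "User"):   # machine/user containers, retrieve-then-create
        _get_or_create(ldap, f"CN={sub},{gpo_dn}", {"objectClass": ["container"], "cn": sub})

    # SYSVOL portion: any file failure invalidates the whole GPO Creation Message.
    gpo_path = os.path.join(sysvol_root, dns_domain, "Policies", guid)
    try:
        if os.path.exists(gpo_path):  # File Status: an existing GPO Path terminates
            raise GpoCreationError(f"GPO Path already exists: {gpo_path}")
        os.mkdir(gpo_path)            # Create Directory
        apply_sd(gpo_path, sd)        # owner/group/DACL from ntSecurityDescriptor
        with open(os.path.join(gpo_path, "gpt.ini"), "x", newline="") as f:
            f.write("[General]\r\nVersion=0\r\n")  # Create File + Write File (2.2.4)
        os.mkdir(os.path.join(gpo_path, "User"))     # user-scoped GPO path
        os.mkdir(os.path.join(gpo_path, "Machine"))  # computer-scoped GPO path
    except OSError as e:
        raise GpoCreationError(f"file operation failed: {e}") from e
    return {"dn": gpo_dn, "path": gpo_path, "version": read_gpt_version(gpo_path)}


def read_gpt_version(gpo_path):
    ini = configparser.ConfigParser()
    ini.read(os.path.join(gpo_path, "gpt.ini"))
    return ini.getint("General", "Version")


def run_demo():
    """Two GPOs in one constructed domain, then a colliding GPO Path."""
    ldap, applied = FakeLdapServer(), {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "corp.example", "Policies"))  # share exists already
        args = (ldap, "DC=corp,DC=example", "corp.example", root)
        first = create_gpo(*args, "Test GPO 1", apply_sd=applied.__setitem__)
        second = create_gpo(*args, "Test GPO 2")  # Policies add -> 68, ignored
        fixed = "11111111-2222-3333-4444-555555555555"
        os.mkdir(os.path.join(root, "corp.example", "Policies", "{%s}" % fixed))
        try:
            create_gpo(*args, "Collides", gpo_guid=fixed)
            collided = False
        except GpoCreationError:
            collided = True
        return {"first": first, "second": second, "collided": collided,
                "sd_applied": applied.get(first["path"]),
                "machine_dn_exists": ldap.search(f"CN=Machine,{first['dn']}")[0] == SUCCESS,
                "subdirs": sorted(os.listdir(first["path"]))}


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is the asymmetry the code keeps: only the Policies container add tolerates an "object already exists" result (resultCode 68); every other object is searched first and created only when absent, and a GPO Path that already exists on SYSVOL terminates the sequence even though the Active Directory objects have already been created, because the page specifies no rollback for that case.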