2.1.3.2.1.2 Creating the GPO File System Components

To create the file system components of the GPO, it is necessary to create an associated set of directories on the Group Policy file share, to which the GPO will point, for storing and locating user and computer policy files, in addition to GPO version and GPT information.

After the preceding LDAP messages are successfully processed, the required set of directories on the Group Policy file share is created with the following operations. These operations use the Group Policy Object (GPO) path to create a User subdirectory and a Machine subdirectory. The GPO path is a UncPath of the form: "\\<dns domain name>\<GP FS-name>\<dns domain name>\policies\<gpo guid>", where <dns domain name> is the DNS domain name, and <gpo guid> is a Group Policy Object (GPO) GUID.

The following steps create the GPO path directory and gpt.ini file on the Group Policy file share via the file and directory operations of a file access protocol:

  1. Send a File Status request for the GPO path by using SPNEGO (as described in [MS-SPNG]) for authentication.

  2. Send a Create Directory request to create a new directory named by the GPO GUID of the GPO DN by using SPNEGO for authentication, as described in [MS-SPNG].

  3. Send a Close request by using SPNEGO for authentication, as described in [MS-SPNG].

  4. Send an Open request for the GPO path by using SPNEGO for authentication, as described in [MS-SPNG].

  5. Send a Create File request to create a file named gpt.ini by using SPNEGO for authentication, as described in [MS-SPNG].

  6. Send a Write File request to write contents to the gpt.ini file, as described in [MS-GPOL] section 2.2.4. The contents include the required section named "General", the key "Version" under the General section, and the value of the key "Version" set to "0" for the first version. The Write File request uses SPNEGO for authentication, as described in [MS-SPNG].

    Sample content for a gpt.ini file is described in [MS-GPOL] section 4.10.

  7. Send a Close request by using SPNEGO for authentication, as described in [MS-SPNG].

The following steps are used to create directories named with the user-scoped GPO path and the computer-scoped GPO path via the directory operations of a remote file access protocol. All of the following requests are sent by using SPNEGO for authentication, as described in [MS-SPNG].

  1. Send an Open request for the GPO path.

  2. Send a Create Directory request for the directory that is named with the user-scoped GPO path.

  3. Send a Close request.

  4. Send an Open request for the GPO path.

  5. Send a Create Directory request for the directory that is named with the computer-scoped GPO path.

  6. Send a Close request.

Any failure from these file access protocol operations means that the overall message that creates the GPO is invalid, and as a result, the protocol sequence is terminated.
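The following added example (not part of the specification) mirrors both step lists on a local directory and then audits the result for the layout described above, which is a check an administrator can run against a copy of the policies folder to spot partially created GPOs. Assumptions: a local directory stands in for the Group Policy file share, no SPNEGO or remote file access protocol is involved, and the domain name, the "sysvol" file share name, the GUID and all function names are constructed for illustration.

```python
import configparser
import os
import tempfile

def gpo_unc_path(dns_domain, fs_name, gpo_guid):
    # Form from the text: \\<dns domain name>\<GP FS-name>\<dns domain name>\policies\<gpo guid>
    return "\\\\{0}\\{1}\\{0}\\policies\\{2}".format(dns_domain, fs_name, gpo_guid)

def create_gpt_layout(policies_dir, gpo_guid):
    """Mirror both step lists locally; any OSError propagates and ends the sequence."""
    gpo_path = os.path.join(policies_dir, gpo_guid)
    os.mkdir(gpo_path)                        # Create Directory named by the GPO GUID
    with open(os.path.join(gpo_path, "gpt.ini"), "x", newline="\r\n") as f:
        f.write("[General]\nVersion=0\n")     # "Version" is "0" for the first version
    os.mkdir(os.path.join(gpo_path, "User"))      # user-scoped GPO path
    os.mkdir(os.path.join(gpo_path, "Machine"))   # computer-scoped GPO path
    return gpo_path

def audit_gpt_layout(gpo_path):
    """Return a list of deviations from the layout the section describes."""
    findings = []
    for sub in ("User", "Machine"):
        if not os.path.isdir(os.path.join(gpo_path, sub)):
            findings.append("missing %s subdirectory" % sub)
    ini = configparser.ConfigParser()
    try:
        loaded = ini.read(os.path.join(gpo_path, "gpt.ini"))
    except configparser.Error:
        return findings + ["gpt.ini is not parseable"]
    if not loaded:
        findings.append("missing gpt.ini")
    elif not ini.has_option("General", "Version"):
        findings.append("gpt.ini lacks [General] Version")
    elif not ini.get("General", "Version").strip().isdigit():
        findings.append("gpt.ini Version is not a non-negative integer")
    return findings

def demo():
    guid = "{11111111-2222-3333-4444-555555555555}"  # constructed sample GUID
    with tempfile.TemporaryDirectory() as policies:
        gpo = create_gpt_layout(policies, guid)
        clean = audit_gpt_layout(gpo)
        os.rmdir(os.path.join(gpo, "User"))  # simulate a partially created GPO
        return clean, audit_gpt_layout(gpo)

if __name__ == "__main__":
    print(gpo_unc_path("example.test", "sysvol", "{11111111-2222-3333-4444-555555555555}"))
    print(demo())
```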