1.1.6 Group Policy Administration

Group Policy administration consists of creating new GPOs, deleting GPOs, and editing existing policy settings, as described in section 2.1.3.2. In policy administration mode, the Group Policy administrator uses the Administrative tool to locate the Group Policy server and to interact with the same Active Directory objects that the Group Policy client reads during policy application. However, the Administrative tool does not apply policy settings to the Group Policy client directly. It only enables the Group Policy administrator to create, update, or delete policy settings and then writes those configurations to the Group Policy server, via LDAP for the Active Directory part of a GPO and via a file access protocol for the part stored on the Group Policy file share. Thereafter, following a Group Policy trigger, the Group Policy client reads the new or updated objects and their associated settings during the policy application process.

Policy administration also covers modifying and authoring Group Policy extension settings, as well as configuring Administrative template settings:

Modifying extension settings: Settings that belong to a specific Administrative tool extension are identified in a GPO by that extension's GUID (the Administrative tool extension GUID). The Administrative tool uses this GUID to invoke the extension protocol, which retrieves the associated settings from the GPO for editing; the retrieval itself goes through the Administrative tool, which uses LDAP for the Active Directory component of the GPO and a file access protocol for the component on the Group Policy file share. After the extension settings are edited, the Administrative tool sends an LDAP modifyRequest to update the logical (Active Directory) component of the GPO and file access open/write requests to update the extension policy files at their location on the Group Policy file share.

Authoring extension settings: When authoring extension settings for a new GPO, the Group Policy administrator first creates the GPO by following the process described in section 2.1.3.2.1. Thereafter, the Group Policy administrator can use the Administrative tool to author settings for an Administrative tool extension. When this occurs, the Administrative tool sends an LDAP addRequest to Active Directory to write the Administrative tool extension GUID and the client-side extension GUID (CSE GUID) to the Extension lists of the GPO. The Group Policy client uses these attributes during policy application to determine which Group Policy extensions must process the GPO; an extension whose CSE GUID is not listed does not apply settings from that GPO, so the lists must be kept in step with the settings actually present.

Configuring administrative template settings: Policy administration includes configuring Administrative template settings through a management tool such as the GPMC. Administrative template configurations are translated into registry settings that are stored in the file registry.pol on the Group Policy file share (one copy under the Machine folder and one under the User folder of the GPO directory). During policy application, this file is read by the Group Policy: Registry Extension Encoding protocol [MS-GPREG] and its settings are applied to the Group Policy client registry.
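The Extension lists written by the addRequest and modifyRequest above are the GPO attributes gPCMachineExtensionNames and gPCUserExtensionNames, defined in [MS-GPOL] rather than on this page. Their value is a string of entries, each a CSE GUID followed by the tool extension GUIDs that author settings for it. The following added example (written for this page, not code from the specification or from Windows) parses such a value, computes the value an Administrative tool would need to write after authoring settings for a new extension, and flags CSEs outside an allow-list. The Registry and Scripts GUIDs are well-known CSE/tool pairs; emitting entries in ascending order is an assumption about what the Windows tools produce, and unknown_cses is a hypothetical audit helper.

```python
"""Parse and update the GPO extension-list attributes described in [MS-GPOL]:
gPCMachineExtensionNames / gPCUserExtensionNames = "[{CSE GUID}{tool GUID}...][...]".
Added example; not code from the specification."""
import re

# A GUID in registry format: {8-4-4-4-12} hex digits.
_GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_RE = re.compile(_GUID)
# One entry: a bracketed run of at least one GUID (the CSE GUID comes first).
ENTRY_RE = re.compile(r"\[((?:%s)+)\]" % _GUID)

# Well-known CSE / tool extension pairs (values taken from [MS-GPREG] and [MS-GPOL]).
REGISTRY_CSE = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
ADMIN_TEMPLATES_MACHINE_TOOL = "{D02B1F72-3407-48AE-BA88-E8213C6761F1}"
SCRIPTS_CSE = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"
SCRIPTS_TOOL = "{40B6664F-4972-11D1-A7CA-0000F87571E3}"


def parse_extension_names(value):
    """Attribute string -> {CSE GUID: [tool GUIDs]} (GUIDs upper-cased).
    An absent attribute (None or "") parses to {}. Anything that is not an
    unbroken run of well-formed entries raises ValueError."""
    text = value or ""
    entries, pos = {}, 0
    for match in ENTRY_RE.finditer(text):
        if match.start() != pos:
            raise ValueError("unexpected text at offset %d" % pos)
        pos = match.end()
        guids = [g.upper() for g in GUID_RE.findall(match.group(1))]
        cse, tools = guids[0], guids[1:]
        if cse in entries:
            raise ValueError("CSE %s listed twice" % cse)
        entries[cse] = tools
    if pos != len(text):
        raise ValueError("unexpected text at offset %d" % pos)
    return entries


def format_extension_names(entries):
    """Inverse of parse_extension_names. Entries and tool GUIDs are emitted in
    ascending order; that this matches the Windows tools is an assumption."""
    return "".join("[%s%s]" % (cse, "".join(sorted(tools)))
                   for cse, tools in sorted(entries.items()))


def add_extension_pair(value, cse_guid, tool_guid):
    """Return the attribute value after authoring settings for (CSE, tool):
    the string an Administrative tool would write back with modifyRequest
    (or addRequest on a freshly created GPO). Idempotent."""
    entries = parse_extension_names(value)
    tools = entries.setdefault(cse_guid.upper(), [])
    if tool_guid.upper() not in tools:
        tools.append(tool_guid.upper())
    return format_extension_names(entries)


def unknown_cses(value, known_cses):
    """Hypothetical audit helper: CSE GUIDs present on the GPO but not in the
    reviewer's allow-list, i.e. extensions this GPO was not expected to carry."""
    known = {g.upper() for g in known_cses}
    return sorted(cse for cse in parse_extension_names(value) if cse not in known)


def is_valid_extension_names(value):
    """True if the attribute value parses, False otherwise."""
    try:
        parse_extension_names(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attr = add_extension_pair("", REGISTRY_CSE, ADMIN_TEMPLATES_MACHINE_TOOL)
    attr = add_extension_pair(attr, SCRIPTS_CSE, SCRIPTS_TOOL)
    print(attr)
    print("unexpected CSEs:", unknown_cses(attr, [REGISTRY_CSE]))
```

Because the client only runs the CSEs named in these attributes, a GPO whose attribute gains an entry nobody authored is worth the same scrutiny as an unexpected change to the settings themselves; the allow-list check is one way to spot that.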
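The registry.pol file described above has the layout given in [MS-GPREG]: a "PReg" signature and a version DWORD, followed by records of the form [key;value;type;size;data] in which the brackets, semicolons, key and value name are UTF-16LE, type and size are little-endian DWORDs, and data is exactly size bytes. The following added example (written for this page, not code from the specification or from Windows) encodes and decodes that format and rejects truncated or malformed input; the key and value names in the sample records are constructed, and the "**Del." value-name prefix is the [MS-GPREG] instruction that tells the Registry CSE to delete the named value rather than set it.

```python
"""Encode and decode Registry.pol ([MS-GPREG]). Added example; not spec code."""
import struct

PREG_SIGNATURE = b"PReg"  # ASCII signature at offset 0
PREG_VERSION = 1          # little-endian DWORD at offset 4

# Registry value types as they appear in a record's type field.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def _utf16z(text):
    """UTF-16LE string with its terminating null character."""
    return (text + "\x00").encode("utf-16-le")


def _read_utf16z(blob, pos):
    """Read a null-terminated UTF-16LE string at pos -> (text, pos past terminator)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated UTF-16LE string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    """Consume one UTF-16LE delimiter ('[', ';' or ']') or fail."""
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def encode_data(rtype, value):
    """Python value -> data field bytes for the given registry type."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return _utf16z(value)                      # size includes the null
    if rtype == REG_DWORD:
        return struct.pack("<I", value)
    if rtype == REG_MULTI_SZ:
        return "".join(s + "\x00" for s in value).encode("utf-16-le") + b"\x00\x00"
    return bytes(value)                            # REG_BINARY and others: raw


def decode_data(rtype, data):
    """Data field bytes -> Python value; inverse of encode_data."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD data must be 4 bytes, got %d" % len(data))
        return struct.unpack("<I", data)[0]
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def build_registry_pol(records):
    """[(key, value_name, rtype, python_value), ...] -> Registry.pol bytes."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    sep = ";".encode("utf-16-le")
    for key, name, rtype, value in records:
        data = encode_data(rtype, value)
        out += "[".encode("utf-16-le") + _utf16z(key) + sep + _utf16z(name) + sep
        out += struct.pack("<I", rtype) + sep + struct.pack("<I", len(data)) + sep
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def parse_registry_pol(blob):
    """Registry.pol bytes -> [(key, value_name, rtype, python_value), ...].
    Raises ValueError on a bad header, bad delimiter or a size field that
    runs past the end of the file."""
    if blob[:4] != PREG_SIGNATURE:
        raise ValueError("missing PReg signature")
    if len(blob) < 8:
        raise ValueError("truncated header")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    pos, records = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, ";")
        name, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, ";")
        if pos + 4 > len(blob):
            raise ValueError("truncated type field")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        if pos + 4 > len(blob):
            raise ValueError("truncated size field")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:                      # declared size exceeds the file
            raise ValueError("truncated data for %s\\%s" % (key, name))
        pos = _expect(blob, pos + size, "]")
        records.append((key, name, rtype, decode_data(rtype, data)))
    return records


def is_valid_registry_pol(blob):
    """True if the blob parses as Registry.pol, False otherwise."""
    try:
        parse_registry_pol(blob)
        return True
    except ValueError:
        return False


# Constructed sample records (key and value names are illustrative, not real policy paths).
SAMPLE_RECORDS = [
    ("Software\\Policies\\Example\\Audit", "Enabled", REG_DWORD, 1),
    ("Software\\Policies\\Example\\Audit", "LogPath", REG_EXPAND_SZ, "%SystemRoot%\\Logs\\example.log"),
    ("Software\\Policies\\Example\\Audit", "Channels", REG_MULTI_SZ, ["Security", "System"]),
    ("Software\\Policies\\Example", "**Del.LegacySetting", REG_SZ, " "),  # delete LegacySetting
]

if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_RECORDS)
    for key, name, rtype, value in parse_registry_pol(blob):
        print("%s\\%s type=%d value=%r" % (key, name, rtype, value))
```

The size field is the point a parser must trust least: the CSE reads exactly that many bytes of data, so a reviewer of any tool that consumes registry.pol from the SYSVOL share should check that it bounds the read by the file length, as parse_registry_pol does, rather than by the declared size alone.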