Retrieving GPO Attributes

By using information obtained from the initial queries, the Group Policy client uses another set of queries to assemble the logical GPO from its component parts that exist in Active Directory and on the Group Policy file share. These queries utilize LDAP to return GPO attributes that are associated with the policy target accounts, as follows:

Extension list: Provides a list of GUIDs, contained within a GPO, that identify classes of settings (associated with extension protocols) to be applied to the Group Policy client.

Filtering: Enables specified policy target accounts to be excluded from association with a GPO.

GPO path directories: Provides the location of extension policy files and the GPO version information file (gpt.ini) stored on the Group Policy file share.

GPO security descriptor: Determines whether a GPO is allowed or denied, based on an access control entry (ACE) right that applies to the Active Directory security group in which the policy target account is a member.

Precedence: Enables resolution of conflicts between settings of different GPOs.

Version: Specifies the version of a GPO, for use in determining whether a policy target requires updating.

By using the GPO path directory information, the core Group Policy engine on the Group Policy client invokes a file access protocol to query the Group Policy file share to locate the file that contains the GPO version information and the directories that contains the extension policy files.

The Group Policy client uses all of the previous information to compute a list of the GPOs that apply to it, along with the GUIDs that identify the extensions whose settings are to be applied in the next and final steps of policy application.