1.3.4 Policy Administration

In policy administration mode, an administrative tool locates the Group Policy server, as described in section 1.3.3.1, and operates on the same Active Directory objects as policy application. Instead of applying policy settings locally, policy administration allows an administrator to create, update, and delete policy settings; the administrative tool then updates the Group Policy server by using LDAP.

Just as policy application supports Group Policy extension plug-ins on the client to consume settings of a given mode, policy administration supports Group Policy extension plug-ins to the administrative tool for authoring Group Policy extension-specific settings. GPOs with settings for a particular Group Policy extension are identified with a tool extension GUID so that administrative tools can identify a plug-in that is capable of administering the settings. Such Group Policy extensions (for example, as specified in [MS-GPREG]) typically use LDAP to store settings in Active Directory, or they store settings in files.
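
The tool extension GUID lookup described above can be audited offline. The following is an added example, not part of the specification: it parses a GPO's extension-names string and reports tool extension GUIDs that no installed plug-in claims. It assumes the bracketed layout of the gPCMachineExtensionNames attribute as defined in [MS-GPOL], which this section does not itself describe; the function names, the plug-in table, and every GUID are constructed for illustration.

```python
import re
import uuid

# Assumed layout (from [MS-GPOL], not this section):
#   [{CSE GUID}{tool extension GUID}...][{CSE GUID}{tool extension GUID}...]
_GROUP = re.compile(r"\[((?:\{[^{}\[\]]*\})+)\]")
_GUID = re.compile(r"\{([^{}]*)\}")

def _norm(guid):
    # uuid.UUID raises ValueError for anything that is not a GUID.
    return str(uuid.UUID(guid)).upper()

def parse_extension_names(value):
    """Return [(cse_guid, [tool_extension_guid, ...]), ...].
    Raises ValueError if the string is not a run of bracketed GUID lists."""
    value = value.strip()
    groups, pos = [], 0
    for m in _GROUP.finditer(value):
        if m.start() != pos:  # stray text between groups
            raise ValueError("unexpected text at offset %d" % pos)
        guids = [_norm(g) for g in _GUID.findall(m.group(1))]
        groups.append((guids[0], guids[1:]))
        pos = m.end()
    if pos != len(value):  # unterminated or trailing garbage
        raise ValueError("unparsed text at offset %d" % pos)
    return groups

def unmanaged_tool_extensions(value, installed_plugins):
    """List (cse_guid, tool_guid) pairs that no installed plug-in can administer."""
    known = {_norm(g) for g in installed_plugins}
    return [(cse, tool)
            for cse, tools in parse_extension_names(value)
            for tool in tools if tool not in known]

# Constructed sample value: two extensions, the second with two tool GUIDs.
SAMPLE = ("[{11111111-AAAA-4AAA-8AAA-000000000001}"
          "{22222222-BBBB-4BBB-8BBB-000000000001}]"
          "[{11111111-AAAA-4AAA-8AAA-000000000002}"
          "{22222222-BBBB-4BBB-8BBB-000000000002}"
          "{22222222-BBBB-4BBB-8BBB-000000000003}]")

# Constructed table of plug-ins present in the administrative tool.
INSTALLED = {
    "22222222-bbbb-4bbb-8bbb-000000000001": "Plug-in A (hypothetical)",
    "22222222-BBBB-4BBB-8BBB-000000000002": "Plug-in B (hypothetical)",
}

if __name__ == "__main__":
    for cse, tool in unmanaged_tool_extensions(SAMPLE, INSTALLED):
        print("no plug-in for tool extension", tool, "(CSE", cse + ")")
```

A GPO that lists a tool extension GUID with no matching plug-in holds settings the administrative tool on that workstation cannot author, which is worth noting during a GPO review.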