1.3.3.1 Server Discovery and Group Policy Object Association

Policy application starts with a discovery step, initiated by the client, in which the client locates a domain controller (DC) as specified in section 3.2.5.1.1. After a domain controller is located, the Group Policy client performs two sets of queries on the directory of the Group Policy server by using the Lightweight Directory Access Protocol (LDAP).

The purpose of the first set of queries is to determine what sets of behavior specifications, called Group Policy Objects (GPOs), have been assigned to the policy target account (that is, the GPOs that an administrator has configured as being applicable to the policy target account). Because domain accounts are stored in Active Directory, information about the GPOs that are associated with those accounts is also stored there.

Domain accounts are stored as objects in Active Directory in a hierarchy of organizational unit containers that is rooted in a container for the domain itself. Each of these containers can also specify a set of GPOs, and this association means that the set of GPOs applies to all accounts in the same container. Thus, the first set of queries performs a search on the hierarchy of the policy target account in order to identify the associated set of GPOs.
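
The hierarchy walk described above can be reproduced offline when auditing which GPOs are associated with an account. The following is an added example, not part of the protocol specification. It assumes, from Active Directory rather than from this section, that each container lists its GPOs in the gPLink attribute as "[LDAP://<GPO DN>;<options>]" entries with option bit 0x1 marking a disabled link. The directory contents, GUIDs and function names are constructed for illustration.

```python
import re

def sample_gpo_dn(n):
    # Constructed GPO distinguished name; the GUID is made up.
    return ("CN={%08d-0000-0000-0000-000000000000},"
            "CN=Policies,CN=System,DC=corp,DC=example" % n)

# Constructed sample data: container DN -> gPLink attribute value.
# OU=Finance has no gPLink at all; OU=Staff has one disabled and one active link.
SAMPLE_DIRECTORY = {
    "DC=corp,DC=example": "[LDAP://%s;0]" % sample_gpo_dn(1),
    "OU=Staff,DC=corp,DC=example":
        "[LDAP://%s;1][LDAP://%s;0]" % (sample_gpo_dn(3), sample_gpo_dn(2)),
}
ACCOUNT_DN = "CN=Doe\\, Jane,OU=Finance,OU=Staff,DC=corp,DC=example"

GPLINK_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LINK_DISABLED = 0x1  # assumption stated in the lead-in

def container_chain(account_dn):
    """Containers above the account, nearest first, ending at the domain root."""
    rdns = re.split(r"(?<!\\),", account_dn)  # keep escaped commas inside an RDN
    chain = []
    for i in range(1, len(rdns)):  # index 0 is the account object itself
        chain.append(",".join(rdns[i:]))
        if rdns[i].strip().upper().startswith("DC="):
            break  # first DC= component: this suffix is the domain container
    return chain

def parse_gplink(value):
    """Split a gPLink value into (gpo_dn, options) pairs; tolerate a missing value."""
    return [(m.group(1), int(m.group(2)))
            for m in GPLINK_ENTRY.finditer(value or "")]

def associated_gpos(account_dn, directory):
    """Return (container, gpo_dn) for every enabled link on the account's hierarchy."""
    found = []
    for container in container_chain(account_dn):
        for gpo_dn, options in parse_gplink(directory.get(container)):
            if options & LINK_DISABLED:
                continue  # a disabled link does not associate the GPO
            found.append((container, gpo_dn))
    return found

if __name__ == "__main__":
    for container, gpo in associated_gpos(ACCOUNT_DN, SAMPLE_DIRECTORY):
        print(container, "->", gpo)
```

The output lists associations in the order the containers are visited, from the account's nearest container up to the domain; it does not compute precedence among the GPOs.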