1.1.4 Group Policy Extensions

Group Policy functionality can be enhanced through the implementation of Group Policy extensions. Group Policy extensions consist of client-side extensions (CSEs) and Administrative tool extensions. Most Group Policy extensions are implemented as a pair: a CSE that applies policy settings on the Group Policy client, and an associated administrative-side extension that plugs into the Administrative tool to define those policy settings. Group Policy extensions are invoked by the Administrative tool when policy settings are created or updated, and by the core Group Policy engine when policy is applied on a policy target such as a Group Policy client.

A few Group Policy extensions have only an administrative side, as shown in the diagram in section 2.1.2.2 and as described in section 2.2. In most cases, these Group Policy extensions depend on another CSE to perform client-side functions. For Group Policy extensions that implement both a client side and an administrative side, the Extension list that is stored in a GPO specifies a list of GUID pairs. The first GUID of each pair is the CSE GUID, and the second GUID of each pair is the Administrative tool extension GUID. Extension lists are maintained in the gPCMachineExtensionNames and gPCUserExtensionNames attributes of a GPO: the gPCMachineExtensionNames attribute contains the GUID pairs of Group Policy extensions that apply to computer policy settings, and the gPCUserExtensionNames attribute contains the GUID pairs of Group Policy extensions that apply to user policy settings.

CSEs and Administrative tool extensions function in the following manner:

CSEs: Apply extension-specific functionality to the various subsystems of a Group Policy client. This is accomplished by implementing application-specific policy settings, such as the client security policies specified in [MS-GPSB], on the Group Policy client computer.

The CSEs that apply to a set of policy targets are designated by the Extension list of a GPO. Each CSE in the GPO Extension list is represented as a GUID that is associated with a CSE protocol, sometimes referred to as a client-side plug-in, residing on the Group Policy client computer. The GUID enables the core Group Policy engine on the Group Policy client to locate and invoke the CSE protocol, which in turn applies policy settings to the policy target. These settings are all defined by the GPO, which includes the extension policy files that reside on the Group Policy file share.
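The two paragraphs above describe how the GPO Extension list is encoded and how the core Group Policy engine uses it to decide which CSEs to invoke. The following Python parser is an added example and is not part of the MS-GPOD text or any Microsoft implementation. It reads an Extension list in the form stored in gPCMachineExtensionNames or gPCUserExtensionNames (one bracketed group per extension, each group a braced CSE GUID followed by the braced Administrative tool extension GUID or GUIDs), returns the CSEs the engine would invoke, and flags CSE GUIDs that are not in an expected set. The group syntax, the use of the all-zero GUID as the CSE GUID of an administrative-only group, and the specific GUID values in the sample are assumptions taken from MS-GPOL and common deployments rather than from this section; the sample value itself is constructed.

```python
import re

# Textual GUID as it appears inside braces in the attribute value.
_GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# One group: "[" followed by one or more "{GUID}" entries and "]".
_GROUP_RE = re.compile(r"\[((?:\{" + _GUID + r"\})+)\]")
_GUID_RE = re.compile(r"\{(" + _GUID + r")\}")

# Assumption (from MS-GPOL, not this page): a group whose CSE GUID is all
# zeros lists tool extensions that have no client-side counterpart.
NO_CSE_GUID = "00000000-0000-0000-0000-000000000000"


def parse_extension_names(value):
    """Parse a gPCMachineExtensionNames / gPCUserExtensionNames value.

    Returns a list of (cse_guid, [tool_extension_guids]) tuples in the order
    in which the groups appear, with GUIDs normalized to upper case.
    Raises ValueError if the value is not a contiguous run of well-formed
    groups, so junk between or around groups is rejected rather than ignored.
    """
    if value is None or value == "":
        return []
    groups = []
    pos = 0
    for m in _GROUP_RE.finditer(value):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {value[pos:m.start()]!r}")
        guids = [g.upper() for g in _GUID_RE.findall(m.group(1))]
        # First GUID is the CSE; any that follow are Administrative tool extensions.
        groups.append((guids[0], guids[1:]))
        pos = m.end()
    if pos != len(value):
        raise ValueError(f"trailing text at offset {pos}: {value[pos:]!r}")
    return groups


def is_well_formed(value):
    """True if the value parses as an Extension list, False otherwise."""
    try:
        parse_extension_names(value)
        return True
    except ValueError:
        return False


def applicable_cses(groups):
    """CSE GUIDs the core Group Policy engine would invoke, in list order.

    Administrative-only groups (all-zero CSE GUID) have no CSE to invoke.
    """
    return [cse for cse, _tools in groups if cse != NO_CSE_GUID]


def audit_extension_list(value, expected_cses):
    """Return CSE GUIDs named in the Extension list that are not expected.

    A GPO naming a CSE outside the set you deploy is worth a second look.
    """
    expected = {g.upper() for g in expected_cses}
    return [cse for cse in applicable_cses(parse_extension_names(value))
            if cse not in expected]


# Constructed sample value. Assumed well-known GUIDs: Registry CSE with the
# Administrative Templates tool extension, Security CSE with the Security
# Settings tool extension, and an administrative-only group (all-zero CSE
# GUID) carrying the Public Key Policies tool extension. These values are
# assumptions from MS-GPOL and typical deployments; verify them in your
# own directory before relying on them.
SAMPLE_MACHINE_EXTENSION_NAMES = (
    "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]"
    "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
    "[{00000000-0000-0000-0000-000000000000}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]"
)

if __name__ == "__main__":
    groups = parse_extension_names(SAMPLE_MACHINE_EXTENSION_NAMES)
    for cse, tools in groups:
        print(f"CSE {cse} <- tools {tools}")
    print("CSEs to invoke:", applicable_cses(groups))
    print("unexpected CSEs:",
          audit_extension_list(SAMPLE_MACHINE_EXTENSION_NAMES,
                               ["35378EAC-683F-11D2-A89A-00C04FBBCFA2"]))
```

The parser is deliberately strict: the value must consist entirely of well-formed groups, because a permissive parser that skipped unrecognized text would silently hide a malformed or tampered attribute. Run `audit_extension_list` over the gPCMachineExtensionNames and gPCUserExtensionNames values of each GPO with the set of CSE GUIDs you actually deploy to find GPOs that would cause the client to invoke a CSE you do not expect.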

CSE protocols depend on the execution of the core Group Policy engine on the Group Policy client for the following:

  • To identify GPOs for a CSE to query to obtain the stored settings for that extension.

  • To provide the message sequences for retrieving the CSE settings that are stored in the logical part of a GPO.

  • To invoke a file access protocol to retrieve extension-related policy settings in the extension policy files on the Group Policy file share.

Administrative tool extensions: Facilitate authoring and modification of specific administrative settings that are related to extended functionality, such as the security-based settings specified in [MS-GPIPSEC].

The Administrative tool extensions that apply to policy targets are designated by the Extension list of a GPO. Each Administrative tool extension in the GPO Extension list is represented as a GUID that is associated with an administrative-side extension protocol, sometimes referred to as an administrative plug-in. The plug-in resides on the computer that hosts the Administrative tool. This GUID enables the Administrative tool to locate the extension for administering the GPO settings that are related to that particular extension. Settings for such extensions, for example, those specified in [MS-GPSB], are typically stored in Active Directory via the Lightweight Directory Access Protocol (LDAP) [RFC2251] and in the Group Policy file share via a file access protocol.

Administrative tool extension protocols depend on the Administrative tool for the following:

  • To identify GPOs that the administrative-side extension can query to obtain the stored settings for that extension.

  • To provide the message sequences for updating the administrative-side extension settings that are stored in the logical part of a GPO.

  • To invoke a file access protocol to retrieve or store extension-related policy settings in the extension policy files on the Group Policy file share.

Policy settings for a given class of extension functionality are carried by the extension's own CSE protocol, not directly by the core Group Policy engine. The behavior of a given protocol extension is specified in the documentation for that extension. For example, the behavior of the Group Policy: IP Security (IPsec) Protocol is documented in [MS-GPIPSEC].

The extension protocols that are native to Group Policy are specified in section 2.2. However, vendors can extend the functionality of Group Policy by implementing custom Group Policy extensions, as described in [MS-GPOL] section 1.8.